Regarding RedHat vulnerability CVE-2018-1111

Michael McNally mcnally at isc.org
Tue May 15 21:46:32 UTC 2018


Today RedHat announced CVE-2018-1111, a critical vulnerability in
their DHCP client package that is being referred to generically
in some discussions as a "DHCP vulnerability."   In order to
address any concerns that might arise we thought we ought to send
a short statement concerning the impact on ISC DHCP packages.

  We have examined the RedHat vulnerability and conclude that
  users of stock ISC DHCP should not be at risk.

Details on the RedHat vulnerability are available from RedHat:

  https://access.redhat.com/security/vulnerabilities/3442151

but the most important bit to know is that the vulnerability which
permits command injection is present in a client script which was
provided by RedHat.  RedHat does use dhclient code derived from ISC's
but the vulnerability is in an extension that they added; it's not
present in a build from source of DHCP packages distributed by ISC
and we wanted to reassure you that unless you are using the additional
client scripts provided by RedHat you are not vulnerable to this issue.

Additionally, we'd like to thank RedHat for informing us about their
vulnerability announcement -- giving us the chance to issue this
clarification and hopefully avoid confusion and worry among those
who are not at risk.

Sincerely yours,

Michael McNally
ISC Security Officer

