Protect your Fedora system against this DHCP flaw

A critical security vulnerability in dhcp-client was discovered and disclosed earlier today. This DHCP flaw carries a high risk to your system and data, especially if you use untrusted networks such as a WiFi access point you don’t own. Read on for how to protect your Fedora system.

Dynamic Host Configuration Protocol (DHCP) allows your system to obtain its network configuration from a network it joins. Your system broadcasts a request for DHCP data, and typically a server such as a router answers. The server provides the necessary data (address, gateway, DNS servers and other options) for your system to configure itself. This is how, for instance, your system configures itself properly for networking when it joins a wireless network.

However, an attacker on the local network, or a malicious DHCP server such as one run by the operator of an untrusted access point, may be able to exploit this vulnerability. A crafted DHCP response triggers a command injection flaw in a NetworkManager dispatcher script shipped with dhcp-client, allowing the attacker to run arbitrary commands with root privileges on your system. This DHCP flaw puts your system and your data at high risk. The flaw has been assigned CVE-2018-1111 and has a Bugzilla tracking bug.

Guarding against this DHCP flaw

New dhcp packages contain fixes for Fedora 26, 27, and 28, as well as Rawhide. The maintainers have submitted these updates to the updates-testing repositories. They should show up in the stable repos within a day or so of this post for most users. Note that the versions below are those of the dhcp source package; the binary package you install is dhcp-client, which also pulls in dhcp-common and dhcp-libs, so check the installed version of dhcp-client rather than looking for a package named dhcp. The fixed builds are:

  • Fedora 26: dhcp-4.3.5-11.fc26
  • Fedora 27: dhcp-4.3.6-10.fc27
  • Fedora 28: dhcp-4.3.6-20.fc28
  • Rawhide: dhcp-4.3.6-21.fc29

Updating a stable Fedora system

To update immediately on a stable Fedora release, use this command with sudo. Type your password at the prompt, if necessary:

sudo dnf --refresh --enablerepo=updates-testing update dhcp-client

Once the update reaches the stable repos, you no longer need updates-testing. To update your Fedora system from the stable repos, use this command:

sudo dnf --refresh update dhcp-client

Updating a Rawhide system

If your system is on Rawhide, use these commands to download and update the packages immediately:

mkdir dhcp && cd dhcp
koji download-build --arch={x86_64,noarch} dhcp-4.3.6-21.fc29
sudo dnf update ./dhcp-*.rpm

After the nightly Rawhide compose, simply run sudo dnf update to get the update.

Fedora Atomic Host

The fixes for Fedora Atomic Host are in ostree version 28.20180515.1. To get the update, run this command:

atomic host upgrade -r

This command reboots your system to apply the upgrade.
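Whichever path you took, it is worth confirming that the system actually received a fixed build. The following script is an added example, not part of the original article or of the dhcp package: it compares the installed dhcp-client version-release against the fixed build for the running Fedora release. It assumes the fixed builds listed above, reads the release from /etc/os-release and the installed build from the rpm database, and uses a simplified numeric comparison (only the digit fields of the version-release string) rather than rpm's full rpmvercmp; that is enough for these dhcp builds but is not a general-purpose replacement.

```shell
#!/bin/sh
# Added example: check whether the installed dhcp-client is at least the
# fixed build for this Fedora release. Not part of the article or of dhcp.

# Fixed dhcp build per Fedora release, as listed in the article (Rawhide was fc29).
fixed_build() {
    case "$1" in
        26) echo 4.3.5-11.fc26 ;;
        27) echo 4.3.6-10.fc27 ;;
        28) echo 4.3.6-20.fc28 ;;
        29) echo 4.3.6-21.fc29 ;;
        *)  return 1 ;;
    esac
}

# vr_ge HAVE WANT: exit 0 when version-release HAVE is at least WANT.
# Assumption: a simplified comparison. Each string is reduced to its numeric
# fields ("4.3.6-10.fc27" -> "4 3 6 10 27") and compared field by field;
# missing fields count as 0. Sufficient for these dhcp NVRs, unlike rpmvercmp
# it does not handle alphabetic segments or epochs.
vr_ge() {
    have=$(printf '%s' "$1" | tr -cs '0-9' ' ')
    want=$(printf '%s' "$2" | tr -cs '0-9' ' ')
    set -- $want
    for h in $have; do
        w=${1:-0}
        if [ $# -gt 0 ]; then shift; fi
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
    done
    # All shared fields equal: HAVE is only older if WANT has a nonzero field left.
    for w in "$@"; do
        if [ "$w" -ne 0 ]; then return 1; fi
    done
    return 0
}

# check_host: runs on a Fedora host. Exit 0 when fixed or not installed,
# 1 when the installed build is older than the fix, 2 when undecidable.
check_host() {
    if [ ! -r /etc/os-release ]; then
        echo "no /etc/os-release; is this a Fedora host?"
        return 2
    fi
    rel=$(. /etc/os-release && printf '%s' "$VERSION_ID")
    want=$(fixed_build "$rel") || {
        echo "no fixed build listed for Fedora release '$rel'"
        return 2
    }
    # The binary package is dhcp-client; "rpm -q dhcp" would not match anything.
    have=$(rpm -q --qf '%{VERSION}-%{RELEASE}' dhcp-client 2>/dev/null) || {
        echo "dhcp-client is not installed; the vulnerable script is not present"
        return 0
    }
    if vr_ge "$have" "$want"; then
        echo "dhcp-client $have is at or above fixed build $want: OK"
    else
        echo "dhcp-client $have is older than fixed build $want: update now"
        return 1
    fi
}

# Run with --check on a Fedora host; without arguments the functions are only
# defined, so the file can also be sourced.
case "${1-}" in
    --check) check_host ;;
esac
```

Run it as sh check-dhcp.sh --check (the file name is arbitrary) on each Fedora 26, 27, 28 or Rawhide host; a nonzero exit status means the update has not landed yet, for instance because your mirror has not synced the new build.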


Photo by Markus Spiske on Unsplash.

Fedora Project community

16 Comments

  1. It seems to me we will need to reboot after updating. Can anyone confirm?

    • You have to make sure that any running dhclient process is terminated. Thus, a pkill dhclient is sufficient. The network-manager then automatically restarts the dhclient, after a short timeout.

      A reboot is an alternative way to make sure that the update is effective.

  2. Flo

    https://apps.fedoraproject.org/packages/dhcp is confusing. The fixed version has been pushed to stable already. However, if right now people add --enablerepo=updates-testing to their dnf command they actually get an older version that still contains the flaw.

    • @Flo: This could happen if your mirror is out of sync. You can try waiting a short while for the sync to catch up, or pull packages from another mirror.

  3. Already in updates for Fedora 28

  4. murph

    The rawhide instructions didn’t quite work. Got some great help on IRC, they directed me to https://koji.fedoraproject.org/koji/buildinfo?buildID=1081949 where I downloaded the common and libs packages, then got everything to install fine.

    A few rough edges when installing brand new patches on Rawhide should be expected, so no problem.

  5. Costa A.

    A “dnf upgrade -y” today was enough to get the updated dhcp-client version.

  6. Eddie G. O'Connor Jr.

    Just wanna say “Thanks” to all the folks who help keep my Fedora systems up and running smoothly. Will be applying this update to my systems just as soon as we get power restored. (High winds knocked down trees which took out the power lines in my neighborhood!) SO by then?…(Fri. evening!) everything should be in place for a smooth update for me!
    Fedora? ROCKS!!!

  7. Eddie G. O'Connor Jr.

    Also… does anyone know if this will affect CentOS servers as well? Wondering if I have to pull them offline and perform updates on ’em too?

  8. Michael J Gruber

    The rpm package name is dhcp-client, not dhcp.

    (dhcp is the source package from which various dhcp related rpm packages are built – including dhcp-client, but not dhcp.)

    • @Michael: The dhcp-client package comes from the dhcp source package. It also requires dhcp-common and dhcp-libs. That is why the overall dhcp source package version is used in the article.

      • Michael J Gruber

        @Paul Yes, that is what I wrote. We are in complete agreement 🙂

        It’s just that the natural “rpm -q dhcp” does not work as a check whether you are affected.

  9. Some of us are forced to run older versions of Fedora. Any chance this thread could include the offending text from the script and some ways to edit it away or improve it?

  10. Mike

    Is this working for Fedora 25?
