Hello, welcome to the Thursday, May 17th, 2018 edition of the Sans and it storms on a stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Today's critical vulnerability affects Linux systems, in particular Redhead and its derivatives like SendOS. The problem originates from the DHCP client.

So what happens here is that a malicious DHCP server would send a string to the DHCP client

that's then being passed to shell scripts that leads to arbitrary code execution.

DHCP clients had similar vulnerabilities in the past.

The problem with DHCP is that it receives a number of different items from a DHCP server

and then passes them to various scripts that reconfigure the network or other parameters. And of course, these scripts

typically have to run as root in order to do their job. Now, in order to be affected by this

vulnerability, you have to connect to a network with a malicious DHCP server. So this vulnerability

could be exploited by an attacker who already has a foothold

in a particular network by essentially setting up a rogue DHCP server. Or then of course,

if you do have Linux client systems, laptops and the like that connect to wireless access points

and the like. But again, note that this affects Redhead Enterprise Linux 6 and 7, with that probably also

SendOS, so this doesn't affect things like Ubuntu or Android, which you're more likely

going to find on a desktop or a laptop. Universal Plug-in-play or the unling protocol, the SSDP or a simple

service discovery protocol have been abused for many years now in denial of service attacks. Like so many

UDP-based protocols, you can send a small request from a spoofed IP to a vulnerable system and it

will reply with a large packet which can then be used to amplify and of course also

anonymize denial of service attack. But Imperva now discovered a different use of Universal Plug and Play to launch Denial of Service

Attacks.

The reason Universal Plug and Play exists is to allow devices behind NAD to reconfigure

...