CVE-2011-1930

9.8 CRITICAL

📋 TL;DR

CVE-2011-1930 is a command injection vulnerability in klibc's DHCP client (ipconfig): a specially crafted DHCP response can lead to arbitrary code execution. It affects systems that use klibc 1.5.20 through 1.5.21 for network initialization and can allow remote attackers to gain root privileges on vulnerable systems during boot.

💻 Affected Systems

Products:
  • klibc
Versions: 1.5.20 through 1.5.21
Operating Systems: Linux distributions using klibc for initramfs/early boot
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using klibc's ipconfig DHCP client during early boot (initramfs). Common in Debian, Gentoo, Red Hat derivatives.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attacker gains root privileges on vulnerable system during network initialization, leading to complete system compromise.

🟠 Likely Case

Attacker on local network sends malicious DHCP response during system boot, executing arbitrary code with root privileges.

🟢 If Mitigated

Systems not using klibc DHCP client or with updated versions are unaffected; isolated networks reduce exposure.

🌐 Internet-Facing: MEDIUM - Requires attacker to control DHCP server, but internet-facing systems could be targeted if DHCP is exposed.
🏢 Internal Only: HIGH - Internal DHCP servers could be compromised to exploit this during system boot across the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control of DHCP server or ability to spoof DHCP responses. Public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: klibc 1.5.22 and later

Vendor Advisory: https://security-tracker.debian.org/tracker/CVE-2011-1930

Restart Required: Yes

Instructions:

1. Update klibc package to version 1.5.22 or later.
2. Update initramfs: 'update-initramfs -u' (Debian/Ubuntu) or 'dracut --force' (RHEL).
3. Reboot system.

🔧 Temporary Workarounds

Disable klibc DHCP client (Platform: linux)

Configure system to use alternative DHCP client or static IP during boot

Edit initramfs configuration to remove ipconfig or set static IP

Network segmentation (Platform: all)

Isolate DHCP servers and restrict DHCP traffic to trusted sources

🧯 If You Can't Patch

  • Implement strict network controls: allow DHCP only from trusted servers using firewall rules
  • Monitor DHCP traffic for anomalies and consider using static IP addresses for critical systems

🔍 How to Verify

Check if Vulnerable:

Check klibc version: 'dpkg -l | grep klibc' (Debian) or 'rpm -qa | grep klibc' (RHEL). If version is 1.5.20 or 1.5.21, system is vulnerable.

Check Version:

dpkg -l | grep klibc  # Debian/Ubuntu
rpm -qa | grep klibc  # RHEL/CentOS

Verify Fix Applied:

Verify klibc version is 1.5.22 or later and check that initramfs has been regenerated.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DHCP responses in system logs during boot
  • Failed network initialization attempts

Network Indicators:

  • Malformed DHCP packets with shell metacharacters
  • DHCP responses from untrusted sources

SIEM Query:

source="dhcp" AND (command="*" OR shell="*" OR metacharacter="*" OR unusual_option="*")
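
The network indicator above (text options carrying shell metacharacters) can be checked directly on captured DHCP payloads. This is an added example, not code from klibc or from the original page; the set of inspected options (RFC 2132 codes 12, 15, 17 and 40), the allow-list of safe bytes and the sample packets are assumptions constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER_LEN = 236
# RFC 2132 text options; which ones to inspect is this example's assumption.
TEXT_OPTIONS = {12: "hostname", 15: "domain-name", 17: "root-path", 40: "nis-domain"}
# Bytes considered safe in a hostname, domain or path; anything else is flagged.
SAFE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_/:")


def parse_options(packet: bytes) -> dict:
    """Return {option_code: value} from a BOOTP/DHCP payload (the UDP body)."""
    start = BOOTP_HEADER_LEN + len(MAGIC_COOKIE)
    if len(packet) < start or packet[BOOTP_HEADER_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, start
    while i < len(packet):
        code = packet[i]
        if code == 255:      # End option
            break
        if code == 0:        # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value  # RFC 3396: join split options
        i += 2 + length
    return opts


def suspicious_options(packet: bytes) -> list:
    """List (name, value) for text options with bytes outside the allow-list."""
    return [(TEXT_OPTIONS[c], v) for c, v in sorted(parse_options(packet).items())
            if c in TEXT_OPTIONS and any(b not in SAFE for b in v.rstrip(b"\0"))]


def build_reply(options: dict) -> bytes:
    """Constructed sample: zeroed BOOTP reply header plus the given options."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return b"\x02" + bytes(BOOTP_HEADER_LEN - 1) + MAGIC_COOKIE + body + b"\xff"


CLEAN = build_reply({53: b"\x05", 12: b"node1", 15: b"lab.example"})
FLAGGED = build_reply({53: b"\x05", 12: b"node1;x", 15: b"lab.example"})  # constructed

if __name__ == "__main__":
    print(suspicious_options(CLEAN), suspicious_options(FLAGGED))
```

An allow-list is used rather than a list of known metacharacters so that unexpected bytes are flagged as well; extend `SAFE` if legitimate values on your network use other characters.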
