FreeBSD dhclient Remote Code Execution Vulnerability via Malicious DHCP Options
Vulnerability
A remote code execution vulnerability has been identified in the dhclient utility, which is the default IPv4 DHCP client on FreeBSD. This issue affects all supported versions of FreeBSD. The vulnerability arises because the BOOTP file field is written to the lease file without properly escaping embedded double quotes. This flaw allows for the injection of arbitrary directives that can be executed by dhclient-script, potentially leading to the execution of malicious code as root. The vulnerability can be exploited by a rogue DHCP server on the same broadcast domain that responds to DHCP requests.
Impact
Exploitation of this vulnerability could allow a rogue DHCP server to execute arbitrary code with root privileges on the affected system.
Remediation
Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date. Instructions for updating via the pkg utility, freebsd-update utility, or by applying a source code patch are available in the FreeBSD Security Advisory.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.