ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-44932 — Indirect Shell Command Injection via SUSE Wicked DHCP Client

A brief summary of CVE-2026-44932, a high severity command injection vulnerability in SUSE's wicked DHCP client that allows adjacent network attackers to inject shell commands through unsanitized DHCP option values. Includes patch details, detection methods, and affected product versions.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-16

Quick Look: CVE-2026-44932 — Indirect Shell Command Injection via SUSE Wicked DHCP Client
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A rogue DHCP server on your local network segment could achieve root level code execution on any SUSE Linux Enterprise or openSUSE host running the wicked network configuration framework, simply by responding to a routine DHCP request with a crafted option value. CVE-2026-44932 exposes a classic but often overlooked attack surface: the trust boundary between network protocol data and shell evaluation contexts, this time in the DHCP client that ships as the default networking stack across SUSE's enterprise product line.

Wicked is SUSE's default network configuration framework, replacing the older sysconfig package for managing network interfaces on SUSE Linux Enterprise Server, SUSE Linux Enterprise Desktop, SLE Micro, and openSUSE distributions. It is developed under the openSUSE project on GitHub and is present on virtually every SUSE based system that uses DHCP for network configuration. The vulnerability carries a CVSS 3.1 score of 8.8 (High) and is classified under CWE-78 (OS Command Injection).

Technical Information

Root Cause: Unsanitized DHCP Option Strings in Leaseinfo Files

The vulnerability resides in the function __ni_leaseinfo_print_string() within wicked's src/leaseinfo.c. This function writes DHCP option values received from a DHCP server into files located at /run/wicked/leaseinfo.*, using a shell compatible KEY='value' format. Prior to version 0.6.79, the function used a naive pattern:

fprintf(out, "%s='%s'\n", ...);

This wraps values in single quotes without any validation or escaping of shell metacharacters. Any single quote character embedded in a DHCP server's response terminates the quoting context, allowing arbitrary content to be appended. Backticks, command separators (;), subshell invocations ($()), and other shell special characters also pass through unmodified.

DHCP options such as POSIXTZSTRING (option 100, per RFC 4833) and POSIXTZDBNAME (option 101) are string valued fields that an attacker can populate with arbitrary content. When a malicious DHCP server includes shell metacharacters in these fields, the resulting leaseinfo file contains syntactically broken shell variable assignments that, when sourced by a shell script, execute the injected commands.

The Exploitation Chain

The attack proceeds through four stages:

Stage 1: Attacker Positioning. The attacker must operate on the local or adjacent network, either by running a malicious DHCP server or by sending spoofed DHCP responses. The CVSS vector (AV:A/AC:L/PR:N/UI:N) confirms that no privileges, authentication, or user interaction are required.

Stage 2: Malicious DHCP Response. When the wicked DHCP client (dhcp4 or dhcp6) requests network configuration, the attacker's server responds with DHCP options containing embedded shell metacharacters. A single quote in a timezone string value, for example, breaks out of the enclosing quotes in the leaseinfo file.

Stage 3: Unsanitized File Write. The __ni_leaseinfo_print_string() function writes these values verbatim into /run/wicked/leaseinfo.* files. The resulting file contains a line where the attacker controlled content has escaped the quoting context and can include arbitrary shell commands.

Stage 4: Indirect Execution. This is where the vulnerability becomes dangerous. Wicked itself does not source these leaseinfo files as shell scripts. However, third party scripts that do source them will execute the injected commands. The SUSE Bugzilla entry (bsc#1265221) specifically identifies dracut's network-legacy module, particularly its ifup.sh script used in SLE 15 SP7, as a consumer that inadvertently evaluates the unsanitized input. Because dracut operates during early boot and initrd initialization, the injected commands execute with root privileges.

The "Indirect" Nature of the Vulnerability

The classification as "indirect" command injection is significant. Wicked creates a latent attack surface by writing attacker controlled data into files that follow shell variable assignment conventions, but it never evaluates those files itself. The actual code execution depends entirely on downstream consumers. This indirectness makes the vulnerability harder to identify through code review of wicked alone and explains the divergence between the CVSS 3.1 score of 8.8 and the CVSS 4.0 score of 5.8 (which discounts secondary impacts). Organizations should prioritize based on the 8.8 score given the demonstrated real world exploitability of this pattern.

Historical Precedent: CVE-2018-1111 (DynoRoot)

CVE-2026-44932 closely parallels CVE-2018-1111 (DynoRoot), a DHCP command injection vulnerability in Red Hat Enterprise Linux 6 and 7 analyzed by Palo Alto Unit 42. In that case, dhclient requested the WPAD option (Code 252), and while dhclient initially sanitized values with backslashes, the 11-dhclient script's read command (without the -r flag) unescaped the characters, allowing an eval() statement to execute arbitrary commands with root privileges. A working Metasploit module (exploit/unix/dhcp/rhel_dhcp_client_command_injection) was developed for DynoRoot, demonstrating that this class of vulnerability is straightforwardly exploitable. Both vulnerabilities share the identical fundamental flaw: DHCP client data from an untrusted network source flows through insufficient sanitization into a shell evaluation context.

Patch Information

The definitive fix is updating to wicked version 0.6.79, released on June 15, 2026. The patch, authored by Marius Tomaschewski, spans 11 commits across 10 files and addresses the vulnerability through three complementary strategies.

Strategy 1: Proper Single Quote Escaping in Leaseinfo Output

The most critical change lands in src/leaseinfo.c, where a new function ni_leaseinfo_quote_string_value() was introduced. When it encounters a single quote, it closes the current quoted section, emits an escaped \', and reopens the quoted section. This is the standard POSIX safe approach to embedding literal single quotes within single quoted strings. An additional ni_check_printable() call acts as a secondary gate before any escaping is attempted.

Strategy 2: Stricter Input Validation for DHCP String Options

Rather than relying solely on output escaping, the patch also hardens the input path. A new generic utility function was added in src/util.c:

ni_bool_t ni_check_string_characters(const char *str, size_t len, int (*valid)(int)) { const unsigned char *ptr = (const unsigned char *)str; if (!str || len == 0) return FALSE; for ( ; *ptr && len-- > 0; ++ptr) { if (!valid(*ptr)) return FALSE; } return TRUE; }

This function accepts a custom character validation callback, which enabled three new specialized validators in src/dhcp.c:

  • ni_dhcp_check_printable_string(): allows printable characters and tab, but explicitly rejects single quote ('). This replaces the old ni_check_printable() in all DHCPv4 and DHCPv6 string option processing paths.
  • ni_dhcp_check_posix_tzdbname(): whitelists only alphanumerics plus +, -, _, and / for timezone database names (e.g., America/New_York), aligned with RFC 4833 and IEEE Std 1003.1-2024.
  • ni_dhcp_check_posix_tzstring(): whitelists the character set required for POSIX TZ expanded format strings (e.g., EST5EDT,M3.2.0,M11.1.0), permitting <, >, +, -, /, :, ., , and alphanumerics.

In src/dhcp4/protocol.c, the DHCP4_POSIX_TZ_STRING and DHCP4_POSIX_TZ_DBNAME cases were rerouted through dedicated parsing functions that apply the respective validators. Six call sites in src/dhcp6/protocol.c were similarly updated.

Strategy 3: Initrd Regeneration Trigger

Because wicked binaries may be embedded inside the system's initrd image, the RPM spec file (wicked.spec.in) was updated with %pre, %post, and %posttrans scriptlets that detect upgrades from wicked versions 0.6.78 or earlier and trigger an initrd regeneration. This ensures the vulnerable binary is not left in the boot image. A simple package update alone is insufficient if the initrd is not regenerated.

Applying the Patches

SUSE published four coordinated security advisories on June 10, 2026:

Advisory IDAffected ProductsFixed Package Version
SUSE-SU-2026:2349-1SLE 15 SP7 (Desktop, Real Time, Server, SAP), Basesystem Module 15 SP70.6.79-150700.3.3.1
SUSE-SU-2026:2350-1SLES 12 SP5 LTSS0.6.79-2.23.1
SUSE-SU-2026:2353-1SLE 15 SP5 (Server, LTSS, SAP, HPC), SLE Micro 5.5, openSUSE Leap 15.50.6.79-150500.3.21.1
SUSE-SU-2026:2354-1SLE 15 SP4 (Server, LTSS, SAP), SLE Micro 5.3/5.4, openSUSE Leap 15.40.6.79-150400.3.39.1

For SLE 15 SP7, apply via: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP7-2026-2349=1. For other product lines, use zypper patch or YaST online_update.

Network Level Compensating Controls

While patching is the primary mitigation, the following controls reduce exposure: enable DHCP snooping on managed switches to block unauthorized DHCP responses; segment DHCP broadcast domains to limit the adjacent network attack surface; audit any custom scripts that source /run/wicked/leaseinfo.* files; and verify after patching that the initrd has been regenerated.

Detection Methods

Leaseinfo File Inspection (Host Based IoC)

The most direct way to detect active exploitation or past compromise is to examine the contents of /run/wicked/leaseinfo.* files on affected systems. In vulnerable versions (before 0.6.79), DHCP option values are written verbatim without escaping. Defenders should inspect all leaseinfo files for:

  • Values containing unescaped single quotes ('), which would break the key='value' format and enable command injection
  • Shell metacharacters such as ;, |, $(), or backticks within any DHCP sourced fields
  • Unexpected commands or file paths embedded in option values like POSIXTZSTRING, POSIXTZDBNAME, or any other string type DHCP parameters

Additionally, monitoring the outputs of wicked test dhcp4 and wicked test dhcp6 can surface suspicious DHCP responses before they reach leaseinfo files.

Side Effect Indicators

Because the injection occurs indirectly when a third party script sources the leaseinfo file, defenders should also look for unexpected side effects indicating a payload has executed. The Bugzilla report demonstrates a payload targeting /etc/shadow, so examples include unexpected permission changes on sensitive files, creation of unexpected files, or unexplained process executions running as root during network interface bring up or initrd initialization.

Package Version Checks

The most reliable way to identify vulnerable systems is to verify the installed wicked package version. All versions prior to 0.6.79 are affected. On SUSE/openSUSE systems, check via rpm -q wicked. The fixed version numbers by distribution:

  • SLES/SLED 15 SP7: wicked-0.6.79-150700.3.3.1
  • SLES 15 SP4 LTSS: wicked-0.6.79-150400.3.39.1
  • SLES 15 SP5 LTSS: wicked-0.6.79-150500.3.42.1
  • SLES 12 SP5 LTSS: wicked-0.6.79-3.56.1

Tenable Nessus Plugins

Tenable has released multiple Nessus plugins targeting this vulnerability, all published on June 14, 2026. These are local, package version based checks in the "SuSE Local Security Checks" family:

  • Plugin ID 321025 (suse_SU-2026-2349-1.nasl): Covers SUSE SLED15 / SLES15
  • Additional plugins cover SUSE-SU-2026:2350-1 (SLES12), SUSE-SU-2026:2353-1 (SLES15 SP5), SUSE-SU-2026:2354-1 (openSUSE Leap 15.4/Micro 5.x), and openSUSE-SU-2026:20949-1 (openSUSE 16)

These plugins support Agentless Assessment, Continuous Assessment, Frictionless Assessment (AWS/Azure), Nessus Agent, and standard Nessus scanning. They rely on the application's self reported version number and do not perform active exploitation testing.

Network Level Detection

While no published Snort, Suricata, YARA, or Sigma rules currently exist for this CVE, monitoring for rogue DHCP servers is valuable. Specifically, watch for DHCP servers sending unusual values in option 100 (POSIX Timezone String) or option 101 (TZ Database Name). Any DHCP option values containing shell metacharacters or single quote characters in timezone related fields should be treated as highly suspicious, as legitimate values for these options are constrained to specific character sets defined in RFC 4833.

Affected Systems and Versions

All versions of wicked prior to 0.6.79 are vulnerable. The affected SUSE product lines, as covered by the four security advisories, include:

  • SUSE Linux Enterprise Server 12 SP5 LTSS
  • SUSE Linux Enterprise Server 15 SP4 LTSS and SLE 15 SP4 SAP
  • SUSE Linux Enterprise Server 15 SP5 LTSS, SLE 15 SP5 SAP, and SLE 15 SP5 HPC
  • SUSE Linux Enterprise Server 15 SP7 (Desktop, Real Time, Server, SAP), Basesystem Module 15 SP7
  • SUSE Linux Enterprise Micro 5.3, 5.4, and 5.5
  • openSUSE Leap 15.4 and 15.5
  • openSUSE Leap 16.0 (fixed package version 0.6.79-bp160.1.1)

The vulnerability is particularly impactful on systems where dracut's network-legacy module is used (notably SLE 15 SP7), as this module's ifup.sh script sources the leaseinfo files and provides the indirect execution path for injected commands.

Vendor Security History

The recurrence of DHCP command injection vulnerabilities across Linux distributions is notable. CVE-2018-1111 (DynoRoot) affected RHEL's dhclient with the same fundamental pattern, and a Metasploit module was developed for it. SUSE's wicked now joins dhclient in the list of DHCP clients that have been vulnerable to this class of attack. Both CWE-78 classifications confirm this as a well understood and demonstrably exploitable weakness category.

SUSE's security response for this specific vulnerability was well executed. The issue was discovered internally by SUSE's own security personnel, the fix was developed and released concurrently across four product lines with specific patch commands and initrd regeneration triggers, and advisories were published ahead of the NVD entry. However, the vulnerability's existence in a core networking component across multiple SLE versions (12 SP5 through 15 SP7) and SLE Micro editions underscores the importance of comprehensive inventory and patching across all affected hosts.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization