CVE-2018-3963
Description
An exploitable command injection vulnerability exists in the DHCP daemon configuration of the CUJO Smart Firewall. When adding a new static DHCP address, its corresponding hostname is inserted into the dhcpd.conf file without prior sanitization, allowing for arbitrary execution of system commands. To trigger this vulnerability, an attacker can send a DHCP request message and set up the corresponding static DHCP entry.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The CUJO Smart Firewall DHCP daemon allows command injection via unsanitized hostnames in static DHCP entries, enabling authenticated adjacent attackers to execute arbitrary commands.
Vulnerability
The CUJO Smart Firewall firmware version 7003 contains a command injection vulnerability in the DHCP daemon configuration. When a static DHCP address is added, the corresponding hostname is inserted into the dhcpd.conf file without proper sanitization [1]. This allows arbitrary system command execution because the hostname is interpreted as part of the configuration file. The vulnerable code path is reachable through the web management interface or the mobile application when a user with administrative privileges adds a static DHCP lease with a crafted hostname [1].
Exploitation
An attacker requires adjacent network access (same local network as the CUJO device) and valid administrator credentials for the CUJO Smart Firewall management interface [1]. The attacker can send a DHCP request with a malicious hostname containing command injection payloads (e.g., using backticks or semicolons), and an administrator must then add that host as a static DHCP entry via the management application. Alternatively, an attacker with admin credentials can directly add a static DHCP entry with an arbitrary hostname. The hostname is written into the dhcpd.conf file and executed when the DHCP daemon processes the configuration [1].
Impact
Successful exploitation allows the attacker to execute arbitrary system commands as the root user on the CUJO Smart Firewall device. This leads to full compromise of the device, including complete loss of confidentiality, integrity, and availability. The attacker gains control over network traffic inspection and filtering capabilities, potentially affecting all devices on the monitored network [1].
Mitigation
According to Cisco Talos, the vendor was contacted and acknowledged the vulnerability, but no fix was released before the disclosure date (March 21, 2019) [1]. As of the publication date, no patched firmware version was available. Users should avoid adding static DHCP entries with untrusted hostnames and restrict administrative access to trusted users only. The affected version is firmware 7003; updating to a newer version that addresses this issue should be applied if available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing sanitization of DHCP hostname before insertion into dhcpd.conf allows command injection via ISC DHCP's execute() statement."
Attack vector
An attacker on the local network sends a crafted DHCP request containing a malicious hostname payload. The hostname is relayed to the remote CUJO servers, which later generate a new `dhcpd.conf` file incorporating the unsanitized hostname. When a user with valid credentials uses the smartphone application to set the corresponding device as a static DHCP entry, the remote server pushes the malicious configuration to the device. The device's agent process writes the configuration and executes `/bin/dhcpd_conf`, which triggers the injected command with root privileges [ref_id=1].
Affected code
The vulnerability lies in the DHCP daemon configuration process. The hostname from a client's DHCP request is inserted into `/config/dhcpd.conf` without sanitization. The script `/bin/dhcpd_conf` writes the decoded payload (containing the unsanitized hostname) to a temporary file and then moves it to `/config/dhcpd.conf` after a syntax check [ref_id=1].
What the fix does
The Talos advisory does not include a patch or specific remediation from the vendor. The recommended fix would be to sanitize or validate the hostname field from DHCP requests before inserting it into the `dhcpd.conf` configuration file, preventing injection of special characters or ISC DHCP `execute()` statements. As of the public release date (2019-03-19), no fix was confirmed available [ref_id=1].
Preconditions
- networkAttacker must be on the same local network as the CUJO Smart Firewall to send DHCP requests
- authA user with valid CUJO account credentials must set the attacker's device as a static DHCP entry via the smartphone application
- configThe CUJO device must be operating in DHCP mode
- inputAttacker sends a DHCP request with a malicious hostname payload
Reproduction
The advisory includes a Python proof of concept using Scapy. Send a DHCP request with a malicious hostname payload: `'u{}}}execute("sh","-c","nc -c sh -l -p 3333 &");group{group{host k'`. After sending the request, use the smartphone application to set the corresponding device as a static DHCP entry. The injected `nc` command will execute with root privileges, spawning a listening shell on port 3333, which can be accessed with `nc 192.168.0.1 3333` [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.talosintelligence.com/vulnerability_reports/TALOS-2018-0627mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.