Credit: Sebastian Krahmer and Marius Tomaschewski
The ISC dhclient did not strip or escape certain shell meta-characters in responses from the DHCP server before passing the responses on to a shell script. Depending on the script used by the OS, this could result in arbitrary code execution on the client. Using this vulnerability, a single rogue DHCP server could exploit the entire local network.