Wow, that’s pretty nasty. The attacker is essentially spoofing the DHCP server’s response, which the DHCP client accepts because the client’s XID is generated by an inadequately-seeded RNG. Since e.g. the public key of the root user is ultimately fetched from a server configured via DHCP (with no further authentication, etc.), pwnage follows.