Buffer overflow in BusyBox

#VU37005 Buffer overflow in BusyBox

Published: 2018-06-26 | Updated: 2020-08-08

Vulnerability identifier: #VU37005

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1000517

CWE-ID: CWE-120

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
BusyBox
Universal components / Libraries / Software for developers

Vendor: busybox.net

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.

Mitigation
Install update from vendor's website.

Vulnerable software versions

BusyBox: 1.0.0 - 1.28.4

External links
http://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
http://lists.debian.org/debian-lts-announce/2018/07/msg00037.html
http://usn.ubuntu.com/3935-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for busybox

Buffer overflow in busybox.net BusyBox