SB2022112858 - SUSE update for busybox

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2022112858

SB2022112858 - SUSE update for busybox

Published: November 28, 2022

Security Bulletin ID SB2022112858
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2014-9645)

The vulnerability allows a local authenticated user to manipulate data.

The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.


2) Buffer overflow (CVE-ID: CVE-2018-1000517)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.


Remediation

Install update from vendor's website.

References