Main Vulnerability Database Vulnerabilities #VU37004

#VU37004 Improper Certificate Validation in BusyBox - CVE-2018-1000500

Published: June 26, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU37004

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-1000500

CWE-ID: CWE-295

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
BusyBox

Software vendor:
busybox.net

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".

Remediation

Install update from vendor's website.

External links

http://lists.busybox.net/pipermail/busybox/2018-May/086462.html
https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91

#VU37004 Improper Certificate Validation in BusyBox - CVE-2018-1000500

Description

Remediation

External links

Please verify you're human