#VU18673 Heap-based buffer overflow in BusyBox - CVE-2016-2148
Published: June 4, 2019
BusyBox
busybox.net
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the udhcpc client when parsing DHCP packets with a specially crafted OPTION_6RD option. A remote attacker can trick the victim into connecting to a malicious DHCP server, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
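For defenders reviewing DHCP client code, the following added example (not BusyBox's code and not taken from the fix commit) shows a bounds-checked way to turn an OPTION_6RD payload into text. It assumes the RFC 5969 layout (IPv4MaskLen, 6rdPrefixLen, a 16-byte 6rdPrefix, then one or more 4-byte BR addresses); the names `append` and `format_6rd` are hypothetical and the sample option is constructed.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at *used; fail rather than truncate or overrun. */
static int append(char *out, size_t outsz, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out + *used, outsz - *used, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outsz - *used)
        return -1;
    *used += (size_t)n;
    return 0;
}

/* Format an OPTION_6RD payload (the bytes after code and length) as text.
 * Returns the string length, or -1 if the option is malformed or out is too small. */
int format_6rd(const uint8_t *opt, size_t len, char *out, size_t outsz)
{
    size_t used = 0, i;
    /* RFC 5969: 1 + 1 + 16 fixed bytes, then one or more whole 4-byte BR addresses. */
    if (outsz == 0 || len < 22 || (len - 18) % 4 != 0)
        return -1;
    /* RFC 5969 bounds rule: (32 - IPv4MaskLen) + 6rdPrefixLen <= 128. */
    if (opt[0] > 32 || (32 - opt[0]) + opt[1] > 128)
        return -1;
    if (append(out, outsz, &used, "%d %d ", opt[0], opt[1]) < 0)
        return -1;
    for (i = 2; i < 18; i += 2)   /* 6rdPrefix as eight hex groups */
        if (append(out, outsz, &used, "%02x%02x%s", opt[i], opt[i + 1], i < 16 ? ":" : "") < 0)
            return -1;
    for (i = 18; i < len; i += 4) /* every BR address, however many were sent */
        if (append(out, outsz, &used, " %d.%d.%d.%d", opt[i], opt[i + 1], opt[i + 2], opt[i + 3]) < 0)
            return -1;
    return (int)used;
}

int main(void)
{
    /* Constructed sample: mask length 16, prefix 2001:db8::/32, one BR address. */
    uint8_t opt[22] = {16, 32, 0x20, 0x01, 0x0d, 0xb8, [18] = 192, 0, 2, 1};
    char buf[64];
    puts(format_6rd(opt, sizeof opt, buf, sizeof buf) < 0 ? "malformed" : buf);
    return 0;
}
```

Every write is bounded by the space remaining in the destination, so an option carrying more BR addresses than the buffer was sized for is rejected instead of written past the end.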
Remediation
External links
- http://www.openwall.com/lists/oss-security/2016/03/11/16
- https://busybox.net/news.html
- https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2
- https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html
- https://security.gentoo.org/glsa/201612-04
- https://usn.ubuntu.com/3935-1/