CVE-2014-9645 — Improper Input Validation in Busybox

CWE-20 — Improper Input Validation CWE-228 — Improper Handling of Syntactically Invalid Structure10 documents8 sources

Severity

5.5MEDIUMNVD

OSV7.5

EPSS

0.4%

top 40.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox

Timeline

PublishedMar 12

Latest updateDec 29

Description

The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/busybox< busybox 1:1.22.0-15 (bookworm)

▶Debianbusybox/busybox< 1:1.22.0-15+3

▶Ubuntubusybox/busybox< 1:1.21.0-1ubuntu1.4+2

▶NVDbusybox/busybox1.22.1

Patches

Patch: git.busybox.net ↗Patch: openwall.com ↗Patch: plus.google.com ↗

🔴Vulnerability Details

GHSA

GHSA-mm29-9f96-hjfh: The add_probe function in modutils/modprobe↗2022-05-14

▶

OSV

busybox vulnerabilities↗2019-04-03

▶

OSV

CVE-2014-9645: The add_probe function in modutils/modprobe↗2017-03-12

▶

📋Vendor Advisories

Ubuntu

BusyBox vulnerabilities↗2019-04-03

▶

Red Hat

busybox: unprivileged arbitrary module load via basename abuse↗2014-11-19

▶

Debian

CVE-2014-9645: busybox - The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows lo...↗2014

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2014-9645 busybox: unprivileged arbitrary module load via basename abuse [fedora-all]↗2015-03-03

▶

Bugzilla

CVE-2014-9645 busybox: unprivileged arbitrary module load via basename abuse↗2015-01-26

▶