cbcvebase.
CVE-2016-2148
published 2017-02-09

CVE-2016-2148: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving…

PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
28.43%
97.9th percentile
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.

Affected

15 ranges
VendorProductVersion rangeFixed in
busyboxbusybox<= 1.24.2
busyboxbusybox>= 0 < 1:1.27.2-11:1.27.2-1
busyboxbusybox>= 0 < 1:1.27.2-11:1.27.2-1
busyboxbusybox>= 0 < 1:1.27.2-11:1.27.2-1
busyboxbusybox>= 0 < 1:1.27.2-11:1.27.2-1
busyboxbusybox>= 0 < 1:1.21.0-1ubuntu1.41:1.21.0-1ubuntu1.4
busyboxbusybox>= 0 < 1:1.22.0-15ubuntu1.41:1.22.0-15ubuntu1.4
busyboxbusybox>= 0 < 1:1.27.2-2ubuntu3.21:1.27.2-2ubuntu3.2
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
canonicalubuntu_linux
debianbusybox< busybox 1:1.27.2-1 (bookworm)busybox 1:1.27.2-1 (bookworm)
debiandebian_linux
debiandebian_linux

Detection & IOCsextracted from sources · hover to see the quote

urlhttps://git.busybox.net/busybox/commit/?id=352f79
  • Monitor for maliciously crafted DHCP response packets containing a malformed OPTION_6RD (IPv6 Rapid Deployment) option, which can trigger a heap-based buffer overflow in BusyBox udhcpc (versions before 1.25.0).
  • Focus detection on DHCP response traffic targeting hosts running BusyBox udhcpc; anomalous or oversized OPTION_6RD fields in DHCP replies are the attack vector.
  • ·Red Hat Enterprise Linux 5 and 6 are marked 'Will not fix', meaning vulnerable BusyBox versions may remain deployed on those platforms indefinitely.
  • ·The vulnerability is exploitable remotely via a rogue DHCP server responding to a client's DHCP request — no prior authentication or access to the target is required.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_redhat9.8CRITICAL
vendor_ubuntu7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.