CVE-2016-2148
Published: 2017-02-09
Priority P261 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.43% (97.9th percentile)
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| busybox | busybox | <= 1.24.2 | — |
| busybox | busybox | >= 0 < 1:1.27.2-1 | 1:1.27.2-1 |
| busybox | busybox | >= 0 < 1:1.27.2-1 | 1:1.27.2-1 |
| busybox | busybox | >= 0 < 1:1.27.2-1 | 1:1.27.2-1 |
| busybox | busybox | >= 0 < 1:1.27.2-1 | 1:1.27.2-1 |
| busybox | busybox | >= 0 < 1:1.21.0-1ubuntu1.4 | 1:1.21.0-1ubuntu1.4 |
| busybox | busybox | >= 0 < 1:1.22.0-15ubuntu1.4 | 1:1.22.0-15ubuntu1.4 |
| busybox | busybox | >= 0 < 1:1.27.2-2ubuntu3.2 | 1:1.27.2-2ubuntu3.2 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | busybox | < busybox 1:1.27.2-1 (bookworm) | busybox 1:1.27.2-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
Detection & IOCs
- Monitor for maliciously crafted DHCP response packets containing a malformed OPTION_6RD (IPv6 Rapid Deployment) option, which can trigger a heap-based buffer overflow in BusyBox udhcpc (versions before 1.25.0).
- Focus detection on DHCP response traffic targeting hosts running BusyBox udhcpc; anomalous or oversized OPTION_6RD fields in DHCP replies are the attack vector.
- Red Hat Enterprise Linux 5 and 6 are marked 'Will not fix', meaning vulnerable BusyBox versions may remain deployed on those platforms indefinitely.
- The vulnerability is exploitable remotely via a rogue DHCP server responding to a client's DHCP request; no prior authentication or access to the target is required.
CVSS provenance
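| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |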
Ubuntu
BusyBox vulnerabilities
vendor_ubuntu·2019-04-03·CVSS 7.5
CVE-2011-5325 [HIGH] BusyBox vulnerabilities
Title: BusyBox vulnerabilities
Summary: Several security issues were fixed in BusyBox.
Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar
archives. If a user or automated system were tricked into processing a
specially crafted tar archive, a remote attacker could overwrite arbitrary
files outside of the current directory. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)
Mathias Krause discovered that BusyBox incorrectly handled kernel module
loading restrictions. A local attacker could possibly use this issue to
bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-9645)
It was discovered that BusyBox incorrectly handled certain ZIP archives. If
a user or automated system were tricked into processing a
Red Hat
busybox: heap-based buffer overflow in OPTION_6RD parsing
vendor_redhat·2016-03-10·CVSS 9.8
CVE-2016-2148 [CRITICAL] CWE-122 busybox: heap-based buffer overflow in OPTION_6RD parsing
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
Package: busybox (Red Hat Enterprise Linux 5) - Will not fix
Package: busybox (Red Hat Enterprise Linux 6) - Will not fix
Debian
CVE-2016-2148: busybox - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 ...
vendor_debian·2016·CVSS 9.8
CVE-2016-2148 [CRITICAL] CVE-2016-2148: busybox - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 ...
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
Scope: local
bookworm: resolved (fixed in 1:1.27.2-1)
bullseye: resolved (fixed in 1:1.27.2-1)
forky: resolved (fixed in 1:1.27.2-1)
sid: resolved (fixed in 1:1.27.2-1)
trixie: resolved (fixed in 1:1.27.2-1)
GHSA
GHSA-xch5-p4j5-66mj: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1
ghsa_unreviewed·2022-05-13
CVE-2016-2148 [CRITICAL] CWE-119 GHSA-xch5-p4j5-66mj: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
OSV
busybox vulnerabilities
osv·2019-04-03·CVSS 7.5
CVE-2011-5325 [HIGH] busybox vulnerabilities
Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar
archives. If a user or automated system were tricked into processing a
specially crafted tar archive, a remote attacker could overwrite arbitrary
files outside of the current directory. This issue only affected Ubuntu
14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)
Mathias Krause discovered that BusyBox incorrectly handled kernel module
loading restrictions. A local attacker could possibly use this issue to
bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-9645)
It was discovered that BusyBox incorrectly handled certain ZIP archives. If
a user or automated system were tricked into processing a specially crafted
ZIP archive, a remote attacker could cause Bu
OSV
CVE-2016-2148: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1
osv·2017-02-09·CVSS 9.8
CVE-2016-2148 [CRITICAL] CVE-2016-2148: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-2147 CVE-2016-2148 busybox: various flaws [fedora-all]
bugzilla·2016-03-10·CVSS 7.5
CVE-2016-2147 [HIGH] CVE-2016-2147 CVE-2016-2148 busybox: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While
Bugzilla
CVE-2016-2148 busybox: heap-based buffer overflow in OPTION_6RD parsing
bugzilla·2016-03-10·CVSS 9.8
CVE-2016-2148 [CRITICAL] CVE-2016-2148 busybox: heap-based buffer overflow in OPTION_6RD parsing
A heap based buffer overflow was discovered in udhcpc when parsing IPv6 Rapid Deployment DHCP option. An attacker could send a maliciously crafted packet as an answer to a DHCP request, to overwrite the heap, resulting in crash or remote code execution.
Upstream patch:
https://git.busybox.net/busybox/commit/?id=352f79
Discussion:
Acknowledgments:
Name: Nico Golde (Qualcomm Product Security Initiative)
---
Created busybox tracking bugs for this issue:
Affects: fedora-all [bug 1316558]
- http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html
- http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html
- http://seclists.org/fulldisclosure/2019/Jun/18
- http://seclists.org/fulldisclosure/2019/Sep/7
- http://seclists.org/fulldisclosure/2020/Aug/20
- http://www.openwall.com/lists/oss-security/2016/03/11/16
- https://busybox.net/news.html
- https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2
- https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html
- https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html
- https://seclists.org/bugtraq/2019/Jun/14
- https://seclists.org/bugtraq/2019/Sep/7
- https://security.gentoo.org/glsa/201612-04
- https://usn.ubuntu.com/3935-1/
Published: 2017-02-09