CVE-2018-1000517
published 2018-06-26


Priority: P261 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 32.38% (98.1th percentile)
BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in BusyBox wget that can result in a heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.

Affected

15 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| busybox | busybox | < 1.29.0 | 1.29.0 |
| busybox | busybox | >= 0 < 1:1.27.2-3 | 1:1.27.2-3 |
| busybox | busybox | >= 0 < 1:1.27.2-3 | 1:1.27.2-3 |
| busybox | busybox | >= 0 < 1:1.27.2-3 | 1:1.27.2-3 |
| busybox | busybox | >= 0 < 1:1.27.2-3 | 1:1.27.2-3 |
| busybox | busybox | >= 0 < 1:1.21.0-1ubuntu1.4 | 1:1.21.0-1ubuntu1.4 |
| busybox | busybox | >= 0 < 1:1.22.0-15ubuntu1.4 | 1:1.22.0-15ubuntu1.4 |
| busybox | busybox | >= 0 < 1:1.27.2-2ubuntu3.2 | 1:1.27.2-2ubuntu3.2 |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| canonical | ubuntu_linux | | |
| debian | busybox | < busybox 1:1.27.2-3 (bookworm) | busybox 1:1.27.2-3 (bookworm) |
| debian | debian_linux | | |
| debian | debian_linux | | |

Detection & IOCs (extracted from sources)

url: https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
process: busybox wget (retrieve_file_data)
  • The vulnerability is only triggerable during HTTP chunked transfer encoding. Monitor for HTTP chunked responses delivered to BusyBox wget clients, particularly where chunk sizes are attacker-controlled and abnormally large.
  • The exploit mechanism involves sending an HTTP chunk with a size value that, when cast to a signed off_t, bypasses length checks and passes a large attacker-controlled value to fread(), causing a heap buffer overflow. Look for oversized or sign-boundary chunk length values in HTTP chunked responses targeting embedded/IoT devices running BusyBox wget.
  • Exploitation requires network connectivity — flag inbound HTTP responses with malformed or oversized chunked Transfer-Encoding headers directed at BusyBox wget processes on IoT/embedded firmware.
  • The vulnerability only affects BusyBox wget prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e (fixed in BusyBox 1.29.0, released 1 July 2018). GNU wget shipped in RHEL/Fedora is a separate codebase and is NOT affected.
  • RHEL 5 and RHEL 6 are listed as Not Affected. The vulnerable chunked-transmission code path is gated by G.got_clen logic that prevents exploitation on those builds.
  • Debian fixed this in busybox package version 1:1.27.2-3 across bookworm, bullseye, forky, sid, and trixie.
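
The chunk-size check described in the detection notes above can be sketched as an offline audit of a captured HTTP response. This is an added example, not code from BusyBox or from this page's sources. The function name, the off_t widths tested (32 and 64 bits) and the 16 MiB chunk ceiling are assumptions, and the sample captures are constructed.

```python
import re

# Assumptions for this sketch (not from the advisory): the off_t widths to test
# and the policy ceiling for a single chunk.
OFF_T_BITS = (32, 64)
MAX_CHUNK = 16 * 1024 * 1024

CHUNKED_HDR = re.compile(rb"(?im)^transfer-encoding:[^\r\n]*\bchunked\b")
HEX_SIZE = re.compile(rb"[0-9A-Fa-f]+")


def audit_chunked_response(raw: bytes) -> list:
    """Return one finding per suspicious chunk-size line in a captured response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not CHUNKED_HDR.search(head):
        return []  # not a complete chunked response; nothing to audit
    findings, pos = [], 0
    while pos < len(body):
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            break
        # A chunk-size line is hex digits, optionally followed by ";extensions".
        token = body[pos:eol].split(b";", 1)[0].strip()
        text = token.decode("latin-1")
        if not HEX_SIZE.fullmatch(token):
            findings.append({"offset": pos, "size": text, "reasons": ["not a hex chunk size"]})
            break
        size = int(text, 16)
        if size == 0:
            break  # terminating chunk
        reasons = [f"sign bit set as {bits}-bit off_t"
                   for bits in OFF_T_BITS if (size >> (bits - 1)) & 1]
        if size > MAX_CHUNK:
            reasons.append("exceeds chunk ceiling")
        if reasons:
            findings.append({"offset": pos, "size": text, "reasons": reasons})
            break  # the declared length cannot be trusted to skip the data
        pos = eol + 2 + size + 2  # skip chunk data and its trailing CRLF
    return findings


# Constructed sample captures (not real traffic).
HDR = b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
BENIGN = HDR + b"5\r\nhello\r\n0\r\n\r\n"
SIGN_64 = HDR + b"5\r\nhello\r\nffffffffffffff00\r\n"
SIGN_32 = HDR + b"80000000\r\nAAAA"

if __name__ == "__main__":
    for name, capture in (("benign", BENIGN), ("sign_64", SIGN_64), ("sign_32", SIGN_32)):
        print(name, audit_chunked_response(capture))
```

The audit stops at the first flagged chunk because the declared length can no longer be used to locate the next chunk-size line.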

CVSS provenance

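| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | LOW | |
| vendor_redhat | | 9.8 | CRITICAL | |
| vendor_ubuntu | | 7.5 | HIGH | |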