CVE-2018-20679 — Out-of-bounds Read in Busybox
Severity
7.5HIGHNVD
EPSS
12.0%
top 6.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJan 9
Latest updateDec 29
Description
An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages4 packages
Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10
Patches
🔴Vulnerability Details
5📋Vendor Advisories
6Red Hat
▶
Debian▶
CVE-2019-5747: busybox - An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhc...↗2019
Red Hat
▶
📄Research Papers
1arXiv▶
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29
💬Community
3Bugzilla▶
CVE-2019-5747 busybox: Out of bounds read in udhcp components resulting in information disclosure↗2019-01-17
Bugzilla▶
CVE-2018-20679 busybox: Out of bounds read in udhcp components resulting in information disclosure [fedora-all]↗2019-01-16
Bugzilla▶
CVE-2018-20679 busybox: Out of bounds read in udhcp components resulting in information disclosure↗2019-01-16