Vulnerability Alert

BusyBox udhcpc Response Processing Remote Code Execution Vulnerability

 
Threat Type: CWE-94: Code Injection
IntelliShield ID: 25238
Version: 4
First Published: 2012 February 23 19:57 GMT
Last Published: 2013 March 01 15:29 GMT
Port: Not available
CVE: CVE-2011-2716
BugTraq ID: 48879
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 6.8 (CVSS Version 2.0)
CVSS Temporal: 5.0
 
 
Version Summary: IntelliShield has modified updated software to address the BusyBox udhcpc response processing remote code execution vulnerability.
 
 
Description
BusyBox versions prior to 1.20.0 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists because of insufficient sanitization of certain input by the affected software. An unauthenticated, remote attacker could exploit this vulnerability by transmitting malicious DHCP server responses to a targeted system. Successful exploitation could allow the attacker to execute arbitrary code on the system.

BusyBox.net has confirmed this vulnerability and has released updated software.
 
Warning Indicators
BusyBox versions prior to 1.20.0 are vulnerable.
 
IntelliShield Analysis
Systems that do not use udhcpc by default are not affected by this vulnerability.

Exploiting this vulnerability is difficult because the attacker would need access to a network adjacent to an affected system and the capability to return malicious DHCP responses to the DHCP client. These requirements decrease the likelihood of a successful exploit.

This vulnerability was remediated by sanitizing the HOST_NAME, DOMAIN_NAME, NIS_DOMAIN, and TFTP_SERVER_NAME options that contain malicious characters.
 
Vendor Announcements
Busybox.net has published a release announcement at the following link: 28 May 2012 -- BusyBox 1.20.1

Red Hat has released security advisories at the following links: RHSA-2012:0308 and RHSA-2012:0810
 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code on a targeted system. Successful exploitation could lead to a complete system compromise.
 
Technical Information
The vulnerability exists because the BusyBox udhcpc client performs insufficient input sanitization while handling DHCP server responses. The affected software improperly passes along, without sanitizing them, certain shell metacharacters received in the HOSTNAME value of DHCP server responses.

An unauthenticated, remote attacker could exploit this vulnerability by transmitting malicious server responses to a targeted BusyBox udhcpc client. Successful exploitation could allow an attacker to execute arbitrary code on the client.
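The kind of sanitization described under IntelliShield Analysis and Technical Information, as an added example rather than BusyBox's own code: a strict validator that accepts a received option value only when it is a plain DNS-style name, and substitutes a fixed placeholder otherwise. The function names, the "invalid" placeholder, and the choice to apply one DNS-label rule to all four options (HOST_NAME, DOMAIN_NAME, NIS_DOMAIN, TFTP_SERVER_NAME) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Letters, digits, hyphen: the only bytes allowed inside a DNS label. */
static int is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* 1 if val[0..len) is dot-separated labels of 1..63 LDH bytes, none starting or
 * ending with '-', max 253 bytes. Length-based: option data is not NUL-terminated. */
int is_safe_dns_name(const unsigned char *val, size_t len)
{
    size_t label = 0; /* length of the label being scanned */
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = val[i];
        if (c == '.') {
            if (label == 0 || val[i - 1] == '-')
                return 0;      /* empty label, or label ends in '-' */
            label = 0;
        } else if (is_ldh(c)) {
            if ((c == '-' && label == 0) || ++label > 63)
                return 0;      /* leading '-' or over-long label */
        } else {
            return 0;          /* metacharacter, space, NUL, control byte */
        }
    }
    return label != 0 && val[len - 1] != '-';
}

/* Copies a safe value to out as a C string; otherwise writes the fixed
 * placeholder "invalid" (assumed name). Returns 1 when the value was accepted. */
int export_name_option(const unsigned char *val, size_t len, char *out, size_t outsz)
{
    int ok = is_safe_dns_name(val, len) && len < outsz;
    if (ok) { memcpy(out, val, len); out[len] = '\0'; }
    else snprintf(out, outsz, "%s", "invalid");
    return ok;
}

int main(void)
{
    char out[64]; /* constructed sample value below */
    printf("%d %s\n", export_name_option((const unsigned char *)"gw01;x", 6, out, sizeof out), out);
    return 0;
}
```

The allowlist rejects everything outside letters, digits, hyphen and dot instead of trying to enumerate dangerous characters, so values such as dotted IPv4 addresses in TFTP_SERVER_NAME still pass.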
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to monitor affected systems.
 
Patches/Software
Busybox.net has released updated software at the following link: BusyBox 1.20.1

CentOS packages can be updated using the up2date or yum command.

Red Hat packages can be updated using the up2date or yum command.
 
Alert History
 

Version 3, July 12, 2012, 9:00 AM: CentOS has released updated packages to address the BusyBox udhcpc response processing remote code execution vulnerability.

Version 2, June 25, 2012, 3:12 PM: BusyBox has released an announcement and updated software to address the BusyBox udhcpc response processing remote code execution vulnerability.  Red Hat has released an additional security advisory and updated packages to address the vulnerability.

Version 1, February 23, 2012, 2:52 PM: BusyBox contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.  Third-party updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Vlasenko, Denis: BusyBox 1.0 .01, Base | 1.1 .0, .1, .2, .3, .11 | 1.2 .0, .1, .2.1 | 1.4 .0, .2 | 1.5 .1 | 1.6 .0, .1 | 1.7 .0, .2 | 1.8 .1, .2 | 1.9 .0, .1, .2 | 1.10 .1, .2, .3, .4 | 1.11 Base, .1, .3 | 1.12 .1, .4 | 1.13 Base, .1, .2, .3, .4 | 1.14 .1, .2 | 1.15 Base, .0, .1, .2, .3 | 1.16 .0, .1, .2 | 1.17 .1, .3, .4 | 1.18 .0, .1, .2, .3, .4, .5 | 1.19 .0, .1, .2, .3, .4, Base

Associated Products:
CentOS Project: CentOS 6 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64
Red Hat, Inc.: Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop 5 IA-32, x86_64 | 6 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux HPC Node 6 x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server 6 IA-32, PPC, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Workstation 6 IA-32, x86_64



