Debian DLA-2559-1 : busybox security update

critical Nessus Plugin ID 146504

Synopsis

The remote Debian host is missing a security update.

Description

Busybox, utility programs for small and embedded systems, was affected by several security vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues.

CVE-2011-5325

A path traversal vulnerability was found in Busybox implementation of tar. tar will extract a symlink that points outside of the current working directory and then follow that symlink when extracting other files. This allows for a directory traversal attack when extracting untrusted tarballs.

CVE-2013-1813

When device node or symlink in /dev should be created inside 2-or-deeper subdirectory (/dev/dir1/dir2.../node), the intermediate directories are created with incorrect permissions.

CVE-2014-4607

An integer overflow may occur when processing any variant of a 'literal run' in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes. This exposes the code that copies literals to memory corruption.

CVE-2014-9645

The add_probe function in modutils/modprobe.c in BusyBox allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an 'ifconfig /usbserial up' command or a 'mount -t /snd_pcm none /' command.

CVE-2016-2147

Integer overflow in the DHCP client (udhcpc) in BusyBox allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.

CVE-2016-2148

Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.

CVE-2017-15873

The get_next_block function in archival/libarchive /decompress_bunzip2.c in BusyBox has an Integer Overflow that may lead to a write access violation.

CVE-2017-16544

In the add_match function in libbb/lineedit.c in BusyBox, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

CVE-2018-1000517

BusyBox contains a Buffer Overflow vulnerability in Busybox wget that can result in a heap-based buffer overflow. This attack appears to be exploitable via network connectivity.

CVE-2015-9621

Unziping a specially crafted zip file results in a computation of an invalid pointer and a crash reading an invalid address.

For Debian 9 stretch, these problems have been fixed in version 1:1.22.0-19+deb9u1.

We recommend that you upgrade your busybox packages.

For the detailed security status of busybox please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/busybox

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html

https://packages.debian.org/source/stretch/busybox

https://security-tracker.debian.org/tracker/source-package/busybox

Plugin Details

Severity: Critical

ID: 146504

File Name: debian_DLA-2559.nasl

Version: 1.3

Type: local

Agent: unix

Published: 2/16/2021

Updated: 1/22/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2018-1000517

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:busybox-udeb, p-cpe:/a:debian:debian_linux:udhcpc, p-cpe:/a:debian:debian_linux:busybox, cpe:/o:debian:debian_linux:9.0, p-cpe:/a:debian:debian_linux:busybox-syslogd, p-cpe:/a:debian:debian_linux:busybox-static, p-cpe:/a:debian:debian_linux:udhcpd

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/15/2021

Vulnerability Publication Date: 2/9/2017

Reference Information

CVE: CVE-2011-5325, CVE-2015-9261, CVE-2016-2147, CVE-2016-2148, CVE-2017-15873, CVE-2017-16544, CVE-2018-1000517