CVE-2018-1000500
Published: 26 June 2018
Busybox contains a missing SSL certificate validation vulnerability in the "busybox wget" applet that can result in arbitrary code execution. This attack appears to be exploitable by simply downloading any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".
Notes
Author | Note |
---|---|
mdeslaur | per Red Hat, SSL support was added in 1.23.0. Older versions don't support https at all. |
Priority
Status
Package | Release | Status |
---|---|---|
busybox | artful | Ignored (end of life) |
busybox | bionic | Released (1:1.27.2-2ubuntu3.3) |
busybox | cosmic | Ignored (end of life) |
busybox | disco | Ignored (end of life) |
busybox | eoan | Ignored (end of life) |
busybox | focal | Released (1:1.30.1-4ubuntu6.2) |
busybox | trusty | Not vulnerable (code not present) |
busybox | upstream | Needs triage |
busybox | xenial | Not vulnerable (code not present) |
Patches:
- upstream: https://git.busybox.net/busybox/commit/?id=0972c7f7a570c38edb68e1c60a45614b7a7c7d55
- upstream: https://git.busybox.net/busybox/commit/?id=dbe95682b4bf1192d2860646617f157e6c44f2d1
- upstream: https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000500
- http://lists.busybox.net/pipermail/busybox/2018-May/086462.html
- https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74
- https://ubuntu.com/security/notices/USN-4531-1