CVE-2011-2716 - Improper Input Validation vulnerability in multiple products

CVSS 6.8 - MEDIUM
Attack vector: ADJACENT_NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: high complexity, t-mobile, busybox, CWE-20, nessus

Summary

The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.

Vulnerable Configurations

Part          Description   Count
OS            T-Mobile      1
Application   Busybox       120

Common Weakness Enumeration (CWE)

  • CWE-20: Improper Input Validation

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web browser that bypasses security zone controls and gains access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone have a lesser level of access to the system and/or are restricted in the types of executable content they are allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and the less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter relates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This can be done directly, through misuse of directives such as MSSQL_xp_cmdshell, or indirectly, through injection of data into the database that will later be interpreted as shell commands. Some time later, a backend application (which may be part of the same application) fetches the injected data stored in the database and uses it as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2012-129.NASL
    description: Multiple vulnerabilities was found and corrected in busybox : The decompress function in ncompress allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow (CVE-2006-1168). A missing DHCP option checking / sanitization flaw was reported for multiple DHCP clients. This flaw may allow DHCP server to trick DHCP clients to set e.g. system hostname to a specially crafted value containing shell special characters. Various scripts assume that hostname is trusted, which may lead to code execution when hostname is specially crafted (CVE-2011-2716). Additionally for Mandriva Enterprise Server 5 various problems in the ka-deploy and uClibc packages was discovered and fixed with this advisory. The updated packages have been patched to correct these issues. Update : The wrong set of packages was sent out with the MDVSA-2012:129 advisory that lacked the fix for CVE-2006-1168. This advisory provides the correct packages.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 61978
    published: 2012-09-06
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/61978
    title: Mandriva Linux Security Advisory : busybox (MDVSA-2012:129-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2012:129. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(61978);
      script_version("1.5");
      script_cvs_date("Date: 2019/08/02 13:32:54");
    
      script_cve_id("CVE-2006-1168", "CVE-2011-2716");
      script_xref(name:"MDVSA", value:"2012:129-1");
    
      script_name(english:"Mandriva Linux Security Advisory : busybox (MDVSA-2012:129-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities was found and corrected in busybox :
    
    The decompress function in ncompress allows remote attackers to cause
    a denial of service (crash), and possibly execute arbitrary code, via
    crafted data that leads to a buffer underflow (CVE-2006-1168).
    
    A missing DHCP option checking / sanitization flaw was reported for
    multiple DHCP clients. This flaw may allow DHCP server to trick DHCP
    clients to set e.g. system hostname to a specially crafted value
    containing shell special characters. Various scripts assume that
    hostname is trusted, which may lead to code execution when hostname is
    specially crafted (CVE-2011-2716).
    
    Additionally for Mandriva Enterprise Server 5 various problems in the
    ka-deploy and uClibc packages was discovered and fixed with this
    advisory.
    
    The updated packages have been patched to correct these issues.
    
    Update :
    
    The wrong set of packages was sent out with the MDVSA-2012:129
    advisory that lacked the fix for CVE-2006-1168. This advisory provides
    the correct packages."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected busybox and / or busybox-static packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:busybox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:busybox-static");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2011");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/08/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2011", reference:"busybox-1.18.4-3.2-mdv2011.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2011", reference:"busybox-static-1.18.4-3.2-mdv2011.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2012-0810.NASL
    description: From Red Hat Security Advisory 2012:0810 : Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68550
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68550
    title: Oracle Linux 6 : busybox (ELSA-2012-0810)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2012:0810 and 
    # Oracle Linux Security Advisory ELSA-2012-0810 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68550);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/30 10:58:17");
    
      script_cve_id("CVE-2006-1168", "CVE-2011-2716");
      script_bugtraq_id(48879);
      script_xref(name:"RHSA", value:"2012:0810");
    
      script_name(english:"Oracle Linux 6 : busybox (ELSA-2012-0810)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2012:0810 :
    
    Updated busybox packages that fix two security issues and several bugs
    are now available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having low
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    BusyBox provides a single binary that includes versions of a large
    number of system commands, including a shell. This can be very useful
    for recovering from certain types of system failures, particularly
    those involving broken shared libraries.
    
    A buffer underflow flaw was found in the way the uncompress utility of
    BusyBox expanded certain archive files compressed using Lempel-Ziv
    compression. If a user were tricked into expanding a specially crafted
    archive file with uncompress, it could cause BusyBox to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running BusyBox. (CVE-2006-1168)
    
    The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain
    options provided in DHCP server replies, such as the client hostname.
    A malicious DHCP server could send such an option with a specially
    crafted value to a DHCP client. If this option's value was saved on
    the client system, and then later insecurely evaluated by a process
    that assumes the option is trusted, it could lead to arbitrary code
    execution with the privileges of that process. Note: udhcpc is not
    used on Red Hat Enterprise Linux by default, and no DHCP client script
    is provided with the busybox packages. (CVE-2011-2716)
    
    This update also fixes the following bugs :
    
    * Prior to this update, the 'findfs' command did not recognize Btrfs
    partitions. As a consequence, an error message could occur when
    dumping a core file. This update adds support for recognizing such
    partitions so the problem no longer occurs. (BZ#751927)
    
    * If the 'grep' command was used with the '-F' and '-i' options at the
    same time, the '-i' option was ignored. As a consequence, the 'grep
    -iF' command incorrectly performed a case-sensitive search instead of
    an insensitive search. A patch has been applied to ensure that the
    combination of the '-F' and '-i' options works as expected.
    (BZ#752134)
    
    * Prior to this update, the msh shell did not support the 'set -o
    pipefail' command. This update adds support for this command.
    (BZ#782018)
    
    * Previously, the msh shell could terminate unexpectedly with a
    segmentation fault when attempting to execute an empty command as a
    result of variable substitution (for example msh -c
    '$nonexistent_variable'). With this update, msh has been modified to
    correctly interpret such commands and no longer crashes in this
    scenario. (BZ#809092)
    
    * Previously, the msh shell incorrectly executed empty loops. As a
    consequence, msh never exited such a loop even if the loop condition
    was false, which could cause scripts using the loop to become
    unresponsive. With this update, msh has been modified to execute and
    exit empty loops correctly, so that hangs no longer occur. (BZ#752132)
    
    All users of busybox are advised to upgrade to these updated packages,
    which contain backported patches to fix these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2012-July/002902.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected busybox packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:busybox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:busybox-petitboot");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"busybox-1.15.1-15.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"busybox-petitboot-1.15.1-15.el6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "busybox / busybox-petitboot");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0168.NASL
    description: An updated rhev-hypervisor5 package that fixes several security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor5 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) A divide-by-zero flaw was found in the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79283
    published: 2014-11-17
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79283
    title: RHEL 5 : rhev-hypervisor5 (RHSA-2012:0168)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2012:0168. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(79283);
      script_version("1.11");
      script_cvs_date("Date: 2019/10/24 15:35:35");
    
      script_cve_id("CVE-2006-1168", "CVE-2009-5029", "CVE-2009-5064", "CVE-2010-0830", "CVE-2010-4008", "CVE-2011-0216", "CVE-2011-1083", "CVE-2011-1089", "CVE-2011-1526", "CVE-2011-2716", "CVE-2011-2834", "CVE-2011-3638", "CVE-2011-3905", "CVE-2011-3919", "CVE-2011-4086", "CVE-2011-4109", "CVE-2011-4127", "CVE-2011-4347", "CVE-2011-4576", "CVE-2011-4619", "CVE-2012-0028", "CVE-2012-0029", "CVE-2012-0207");
      script_bugtraq_id(51281, 51343, 51642);
      script_xref(name:"RHSA", value:"2012:0168");
    
      script_name(english:"RHEL 5 : rhev-hypervisor5 (RHSA-2012:0168)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An updated rhev-hypervisor5 package that fixes several security issues
    and various bugs is now available.
    
    The Red Hat Security Response Team has rated this update as having
    important security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    The rhev-hypervisor5 package provides a Red Hat Enterprise
    Virtualization Hypervisor ISO disk image. The Red Hat Enterprise
    Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine
    (KVM) hypervisor. It includes everything necessary to run and manage
    virtual machines: A subset of the Red Hat Enterprise Linux operating
    environment and the Red Hat Enterprise Virtualization Agent.
    
    Note: Red Hat Enterprise Virtualization Hypervisor is only available
    for the Intel 64 and AMD64 architectures with virtualization
    extensions.
    
    A heap overflow flaw was found in the way QEMU-KVM emulated the e1000
    network interface card. A privileged guest user in a virtual machine
    whose network interface is configured to use the e1000 emulated driver
    could use this flaw to crash the host or, possibly, escalate their
    privileges on the host. (CVE-2012-0029)
    
    A divide-by-zero flaw was found in the Linux kernel's
    igmp_heard_query() function. An attacker able to send certain IGMP
    (Internet Group Management Protocol) packets to a target system could
    use this flaw to cause a denial of service. (CVE-2012-0207)
    
    A double free flaw was discovered in the policy checking code in
    OpenSSL. A remote attacker could use this flaw to crash an application
    that uses OpenSSL by providing an X.509 certificate that has specially
    crafted policy extension data. (CVE-2011-4109)
    
    An information leak flaw was found in the SSL 3.0 protocol
    implementation in OpenSSL. Incorrect initialization of SSL record
    padding bytes could cause an SSL client or server to send a limited
    amount of possibly sensitive data to its SSL peer via the encrypted
    connection. (CVE-2011-4576)
    
    It was discovered that OpenSSL did not limit the number of TLS/SSL
    handshake restarts required to support Server Gated Cryptography. A
    remote attacker could use this flaw to make a TLS/SSL server using
    OpenSSL consume an excessive amount of CPU by continuously restarting
    the handshake. (CVE-2011-4619)
    
    Red Hat would like to thank Nicolae Mogoreanu for reporting
    CVE-2012-0029, and Simon McVittie for reporting CVE-2012-0207.
    
    This updated package provides updated components that include fixes
    for various security issues. These issues have no security impact on
    Red Hat Enterprise Virtualization Hypervisor itself, however. The
    security fixes included in this update address the following CVE
    numbers :
    
    CVE-2006-1168 and CVE-2011-2716 (busybox issues)
    
    CVE-2009-5029, CVE-2009-5064, CVE-2010-0830 and CVE-2011-1089 (glibc
    issues)
    
    CVE-2011-1083, CVE-2011-3638, CVE-2011-4086, CVE-2011-4127 and
    CVE-2012-0028 (kernel issues)
    
    CVE-2011-1526 (krb5 issue)
    
    CVE-2011-4347 (kvm issue)
    
    CVE-2010-4008, CVE-2011-0216, CVE-2011-2834, CVE-2011-3905,
    CVE-2011-3919 and CVE-2011-1944 (libxml2 issues)
    
    CVE-2011-1749 (nfs-utils issue)
    
    CVE-2011-4108 (openssl issue)
    
    CVE-2011-0010 (sudo issue)
    
    CVE-2011-1675 and CVE-2011-1677 (util-linux issues)
    
    CVE-2010-0424 (vixie-cron issue)
    
    This updated rhev-hypervisor5 package fixes various bugs.
    Documentation of these changes will be available shortly in the
    Technical Notes document :
    
    https://docs.redhat.com/docs/en-US/
    Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes
    / index.html
    
    Users of Red Hat Enterprise Virtualization Hypervisor are advised to
    upgrade to this updated package, which fixes these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-4109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-4576"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-4619"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2012-0029"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2012-0207"
      );
      # https://docs.redhat.com/docs/en-US/
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/documentation/en-US/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2012:0168"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Update the affected rhev-hypervisor5 and / or rhev-hypervisor5-tools
    packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhev-hypervisor5-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2012:0168";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", reference:"rhev-hypervisor5-5.8-20120202.0.el5")) flag++;
      if (rpm_check(release:"RHEL5", reference:"rhev-hypervisor5-tools-5.8-20120202.0.el5")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rhev-hypervisor5 / rhev-hypervisor5-tools");
      }
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0308.NASL
    description: Updated busybox packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
    last seen: 2020-04-16
    modified: 2012-02-21
    plugin id: 58062
    published: 2012-02-21
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/58062
    title: RHEL 5 : busybox (RHSA-2012:0308)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2012:0308. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58062);
      script_version ("1.18");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/15");
    
      script_cve_id("CVE-2006-1168", "CVE-2011-2716");
      script_bugtraq_id(19455, 48879);
      script_xref(name:"RHSA", value:"2012:0308");
    
      script_name(english:"RHEL 5 : busybox (RHSA-2012:0308)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated busybox packages that fix two security issues and two bugs are
    now available for Red Hat Enterprise Linux 5.
    
    The Red Hat Security Response Team has rated this update as having low
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    BusyBox provides a single binary that includes versions of a large
    number of system commands, including a shell. This can be very useful
    for recovering from certain types of system failures, particularly
    those involving broken shared libraries.
    
    A buffer underflow flaw was found in the way the uncompress utility of
    BusyBox expanded certain archive files compressed using Lempel-Ziv
    compression. If a user were tricked into expanding a specially crafted
    archive file with uncompress, it could cause BusyBox to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running BusyBox. (CVE-2006-1168)
    
    The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain
    options provided in DHCP server replies, such as the client hostname.
    A malicious DHCP server could send such an option with a specially
    crafted value to a DHCP client. If this option's value was saved on
    the client system, and then later insecurely evaluated by a process
    that assumes the option is trusted, it could lead to arbitrary code
    execution with the privileges of that process. Note: udhcpc is not
    used on Red Hat Enterprise Linux by default, and no DHCP client script
    is provided with the busybox packages. (CVE-2011-2716)
    
    This update also fixes the following bugs :
    
    * Prior to this update, the cp command wrongly returned the exit code
    0 to indicate success if a device ran out of space while attempting to
    copy files of more than 4 gigabytes. This update modifies BusyBox, so
    that in such situations, the exit code 1 is returned. Now, the cp
    command shows correctly whether a process failed. (BZ#689659)
    
    * Prior to this update, the findfs command failed to check all
    existing block devices on a system with thousands of block device
    nodes in '/dev/'. This update modifies BusyBox so that findfs checks
    all block devices even in this case. (BZ#756723)
    
    All users of busybox are advised to upgrade to these updated packages,
    which correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2012:0308"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1168"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-2716"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected busybox and / or busybox-anaconda packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:busybox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:busybox-anaconda");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2012:0308";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"busybox-1.2.0-13.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"busybox-1.2.0-13.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"busybox-1.2.0-13.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"busybox-anaconda-1.2.0-13.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"busybox-anaconda-1.2.0-13.el5")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"busybox-anaconda-1.2.0-13.el5")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "busybox / busybox-anaconda");
      }
    }
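The advisory text quoted in the plugin above describes the data path without showing it: a string the DHCP server chooses becomes a variable handed to the udhcpc hook script, is saved on the client, and is later evaluated by a shell that assumes it is trustworthy. The Python below is an added example, not BusyBox code and not part of the Nessus plugin or the Red Hat advisory. It parses the option area of a constructed DHCPACK, shows the variables a pre-fix udhcpc would pass through unchanged (and the name=value lines a script that caches them for later sourcing would write), and applies a strict RFC 1123 host-name check that replaces anything failing it with the literal bad. The variable names hostname, domain, nisdomain and tftp, the bad placeholder and the sample option bytes are assumptions made for this example; check them against the dhcpc.c of the version you ship.

```python
from __future__ import annotations
import re

# DHCP option codes (RFC 2132) for the four host-name-typed options the
# advisory names. Variable names are those udhcpc is assumed to export to
# its hook script (an assumption of this example, not taken from the page).
OPT_HOST_NAME, OPT_DOMAIN_NAME, OPT_NIS_DOMAIN, OPT_TFTP_SERVER_NAME = 12, 15, 40, 66
OPT_PAD, OPT_END = 0, 255
HOSTNAME_OPTIONS = {
    OPT_HOST_NAME: "hostname",
    OPT_DOMAIN_NAME: "domain",
    OPT_NIS_DOMAIN: "nisdomain",
    OPT_TFTP_SERVER_NAME: "tftp",
}

# RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen, 1..63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_dhcp_options(area: bytes) -> dict[int, bytes]:
    """Walk the TLV option area that follows the magic cookie (RFC 2131 section 4.1)."""
    out: dict[int, bytes] = {}
    i = 0
    while i < len(area):
        code = area[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(area):
            raise ValueError("truncated option header")
        length = area[i + 1]
        value = area[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the packet")
        out[code] = out.get(code, b"") + value  # RFC 3396: repeated options concatenate
        i += 2 + length
    return out


def good_hostname(name: str) -> bool:
    """Accept only a syntactically valid host or domain name; shell
    metacharacters are rejected by construction, not by a denylist."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):
        name = name[:-1]
    return all(_LABEL.match(label) for label in name.split("."))


def build_script_env(opts: dict[int, bytes], validate: bool = True) -> dict[str, str]:
    """Variables a udhcpc hook script would receive. validate=False models the
    unfixed client: the server's bytes pass through untouched. validate=True
    replaces any value failing good_hostname() with the literal 'bad'
    (assumed here to mirror the upstream fix; verify against your dhcpc.c)."""
    env: dict[str, str] = {}
    for code, name in HOSTNAME_OPTIONS.items():
        if code not in opts:
            continue
        text = opts[code].decode("ascii", errors="replace")
        env[name] = text if (not validate or good_hostname(text)) else "bad"
    return env


def unsafe_cache_lines(env: dict[str, str]) -> list[str]:
    """The vulnerable consumer pattern from the advisory: values written
    unquoted into a file that is later sourced with '.' or fed to eval.
    Every metacharacter in them runs at that moment."""
    return [f"{name}={value}" for name, value in env.items()]


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed sample: the option area of a hostile DHCPACK (not a real capture).
EVIL_ACK_OPTIONS = (
    _opt(53, b"\x05")                                # DHCP message type: ACK
    + _opt(OPT_HOST_NAME, b"pwn;touch /tmp/owned")   # ';' terminates the assignment
    + _opt(OPT_DOMAIN_NAME, b"corp.example")         # benign value, must survive
    + _opt(OPT_TFTP_SERVER_NAME, b"$(reboot)")       # command substitution
    + bytes([OPT_END])
)


if __name__ == "__main__":
    opts = parse_dhcp_options(EVIL_ACK_OPTIONS)
    print("unsanitised:", unsafe_cache_lines(build_script_env(opts, validate=False)))
    print("sanitised:  ", unsafe_cache_lines(build_script_env(opts)))
```

Compare the two printed lists: the unsanitised line hostname=pwn;touch /tmp/owned executes touch as soon as the cache file is sourced, and tftp=$(reboot) runs the substitution, while the validated set never reaches a shell with a metacharacter in it. Validating in the client is the right layer: a hook script cannot know every later consumer of the values it caches, so careful quoting in one script does not protect the next.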
    
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2012-103.NASL
    description: A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 69593
    published: 2013-09-04
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/69593
    title: Amazon Linux AMI : busybox (ALAS-2012-103)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2012-103.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(69593);
      script_version("1.6");
      script_cvs_date("Date: 2018/04/18 15:09:34");
    
      script_cve_id("CVE-2006-1168", "CVE-2011-2716");
      script_xref(name:"ALAS", value:"2012-103");
      script_xref(name:"RHSA", value:"2012:0810");
    
      script_name(english:"Amazon Linux AMI : busybox (ALAS-2012-103)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A buffer underflow flaw was found in the way the uncompress utility of
    BusyBox expanded certain archive files compressed using Lempel-Ziv
    compression. If a user were tricked into expanding a specially crafted
    archive file with uncompress, it could cause BusyBox to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running BusyBox. (CVE-2006-1168)
    
    The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain
    options provided in DHCP server replies, such as the client hostname.
    A malicious DHCP server could send such an option with a specially
    crafted value to a DHCP client. If this option's value was saved on
    the client system, and then later insecurely evaluated by a process
    that assumes the option is trusted, it could lead to arbitrary code
    execution with the privileges of that process. (CVE-2011-2716)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2012-103.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update busybox' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:busybox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:busybox-petitboot");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/07/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/04");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"busybox-1.19.3-2.11.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"busybox-petitboot-1.19.3-2.11.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "busybox / busybox-petitboot");
    }
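The reference build in the plugin above, busybox-1.19.3-2.11.amzn1, carries an upstream version below 1.20.0 (the first BusyBox release with the udhcpc fix) and is nevertheless patched, which is why the plugin compares full package name-version-release strings instead of upstream versions. The Python below is an added example, not Tenable's rpm.inc, of the comparison rpm_check() expresses: an rpmvercmp-style segment compare, NVR parsing with optional epoch and architecture suffix, and an is_fixed() check run against this advisory's reference and the el6 build from RHSA-2012:0810. A version-only check is included to show the false positive a banner-based scan of an embedded device would produce. Package strings other than the advisory references are constructed for the example.

```python
from __future__ import annotations
import re

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")
_ARCHES = ("noarch", "i386", "i586", "i686", "x86_64", "s390", "s390x", "ppc64", "aarch64")
FIRST_FIXED_UPSTREAM = "1.20.0"  # upstream release that first shipped the udhcpc fix


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp() does:
    split into digit runs and letter runs, ignore separators, compare digit
    runs numerically and letter runs lexically, let a digit run outrank a
    letter run, and sort '~' (pre-release) before anything. Returns -1, 0, 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):
                return -1 if len(x) < len(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # The string with segments left over is newer, unless that segment is '~'.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]
    if rest == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def strip_arch(pkg: str) -> str:
    """Drop a trailing '.<arch>' as found in an rpm -qa listing."""
    base, dot, arch = pkg.rpartition(".")
    return base if dot and arch in _ARCHES else pkg


def parse_nvr(pkg: str) -> tuple[str, int, str, str]:
    """Split 'name-[epoch:]version-release' into its parts (epoch defaults to 0)."""
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def is_fixed(installed: str, reference: str) -> bool:
    """True when the installed package is at or above the advisory's reference
    build: epoch decides first, then version, then release."""
    n1, e1, v1, r1 = parse_nvr(strip_arch(installed))
    n2, e2, v2, r2 = parse_nvr(strip_arch(reference))
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    if e1 != e2:
        return e1 > e2
    c = rpmvercmp(v1, v2)
    if c != 0:
        return c > 0
    return rpmvercmp(r1, r2) >= 0


def upstream_version_says_vulnerable(installed: str) -> bool:
    """What a banner-only check (e.g. the first line of 'busybox' on a device
    with no package manager) can conclude: it sees the upstream version and
    nothing about distro backports, so patched builds look vulnerable."""
    _, _, version, _ = parse_nvr(strip_arch(installed))
    return rpmvercmp(version, FIRST_FIXED_UPSTREAM) < 0


if __name__ == "__main__":
    amzn_ref = "busybox-1.19.3-2.11.amzn1"            # from ALAS-2012-103 above
    for pkg in ("busybox-1.19.3-2.10.amzn1", amzn_ref):  # first one is constructed
        print(pkg, "fixed by NVR:", is_fixed(pkg, amzn_ref),
              "| upstream-only check flags it:", upstream_version_says_vulnerable(pkg))
    print("busybox-1.15.1-15.el6 vs RHSA-2012:0810:",
          is_fixed("busybox-1.15.1-15.el6.x86_64", "busybox-1.15.1-15.el6"))
```

The last line of output is the point of the example: the el6 build is fixed by its release tag alone, and the amzn1 build is fixed although its upstream version is older than 1.20.0. A scanner that only reads the BusyBox banner will report both as vulnerable; on a distro host, compare against the advisory's NVR, and on an embedded device, confirm the vendor's patch level rather than the banner.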
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0810.NASL
    description: Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59586
    published: 2012-06-20
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/59586
    title: RHEL 6 : busybox (RHSA-2012:0810)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2012:0810. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(59586);
      script_version ("1.18");
      script_cvs_date("Date: 2019/10/24 15:35:35");
    
      script_cve_id("CVE-2006-1168", "CVE-2011-2716");
      script_bugtraq_id(48879);
      script_xref(name:"RHSA", value:"2012:0810");
    
      script_name(english:"RHEL 6 : busybox (RHSA-2012:0810)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated busybox packages that fix two security issues and several bugs
    are now available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having low
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    BusyBox provides a single binary that includes versions of a large
    number of system commands, including a shell. This can be very useful
    for recovering from certain types of system failures, particularly
    those involving broken shared libraries.
    
    A buffer underflow flaw was found in the way the uncompress utility of
    BusyBox expanded certain archive files compressed using Lempel-Ziv
    compression. If a user were tricked into expanding a specially crafted
    archive file with uncompress, it could cause BusyBox to crash or,
    potentially, execute arbitrary code with the privileges of the user
    running BusyBox. (CVE-2006-1168)
    
    The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain
    options provided in DHCP server replies, such as the client hostname.
    A malicious DHCP server could send such an option with a specially
    crafted value to a DHCP client. If this option's value was saved on
    the client system, and then later insecurely evaluated by a process
    that assumes the option is trusted, it could lead to arbitrary code
    execution with the privileges of that process. Note: udhcpc is not
    used on Red Hat Enterprise Linux by default, and no DHCP client script
    is provided with the busybox packages. (CVE-2011-2716)
    
    This update also fixes the following bugs :
    
    * Prior to this update, the 'findfs' command did not recognize Btrfs
    partitions. As a consequence, an error message could occur when
    dumping a core file. This update adds support for recognizing such
    partitions so the problem no longer occurs. (BZ#751927)
    
    * If the 'grep' command was used with the '-F' and '-i' options at the
    same time, the '-i' option was ignored. As a consequence, the 'grep
    -iF' command incorrectly performed a case-sensitive search instead of
    an insensitive search. A patch has been applied to ensure that the
    combination of the '-F' and '-i' options works as expected.
    (BZ#752134)
    
    * Prior to this update, the msh shell did not support the 'set -o
    pipefail' command. This update adds support for this command.
    (BZ#782018)
    
    * Previously, the msh shell could terminate unexpectedly with a
    segmentation fault when attempting to execute an empty command as a
    result of variable substitution (for example msh -c
    '$nonexistent_variable'). With this update, msh has been modified to
    correctly interpret such commands and no longer crashes in this
    scenario. (BZ#809092)
    
    * Previously, the msh shell incorrectly executed empty loops. As a
    consequence, msh never exited such a loop even if the loop condition
    was false, which could cause scripts using the loop to become
    unresponsive. With this update, msh has been modified to execute and
    exit empty loops correctly, so that hangs no longer occur. (BZ#752132)
    
    All users of busybox are advised to upgrade to these updated packages,
    which contain backported patches to fix these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2012:0810"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1168"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2011-2716"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected busybox and / or busybox-petitboot packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:busybox");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:busybox-petitboot");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/06/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2012:0810";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"busybox-1.15.1-15.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"busybox-1.15.1-15.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"busybox-1.15.1-15.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"busybox-petitboot-1.15.1-15.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"busybox-petitboot-1.15.1-15.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"busybox-petitboot-1.15.1-15.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "busybox / busybox-petitboot");
      }
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201312-02.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201312-02 (BusyBox: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in BusyBox. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted DHCP request to possibly execute arbitrary code or cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 71168
    published: 2013-12-03
    reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/71168
    title: GLSA-201312-02 : BusyBox: Multiple vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201312-02.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(71168);
      script_version("1.6");
      script_cvs_date("Date: 2018/07/12 19:01:15");
    
      script_cve_id("CVE-2006-1168", "CVE-2011-2716", "CVE-2013-1813");
      script_bugtraq_id(19455, 48879, 58249);
      script_xref(name:"GLSA", value:"201312-02");
    
      script_name(english:"GLSA-201312-02 : BusyBox: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201312-02
    (BusyBox: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in BusyBox. Please review
          the CVE identifiers referenced below for details.
      
    Impact :
    
        A remote attacker could send a specially crafted DHCP request to
          possibly execute arbitrary code or cause Denial of Service.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201312-02"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All BusyBox users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=sys-apps/busybox-1.21.0'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:busybox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/12/03");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"sys-apps/busybox", unaffected:make_list("ge 1.21.0"), vulnerable:make_list("lt 1.21.0"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "BusyBox");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2012-0810.NASL
    description: Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59921
    published: 2012-07-11
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/59921
    title: CentOS 6 : busybox (CESA-2012:0810)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2012-0308.NASL
    description: From Red Hat Security Advisory 2012:0308 : Updated busybox packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68479
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68479
    title: Oracle Linux 5 : busybox (ELSA-2012-0308)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20120620_BUSYBOX_ON_SL6_X.NASL
    descriptionBusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
    last seen2020-03-18
    modified2012-08-01
    plugin id61337
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61337
    titleScientific Linux Security Update : busybox on SL6.x i386/x86_64 (20120620)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20120221_BUSYBOX_ON_SL5_X.NASL
    descriptionBusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option
    last seen2020-03-18
    modified2012-08-01
    plugin id61257
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/61257
    titleScientific Linux Security Update : busybox on SL5.x i386/x86_64 (20120221)

Packetstorm

data source: https://packetstormsecurity.com/files/download/153278/SA-20190612-0.txt
id: PACKETSTORM:153278
last seen: 2019-06-17
published: 2019-06-13
reporter: T. Weber
source: https://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html
title: WAGO 852 Industrial Managed Switch Series Code Execution / Hardcoded Credentials

Redhat

advisories
  • bugzilla
    id: 725364
    title: CVE-2011-2716 busybox: udhcpc insufficient checking of DHCP options
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 5 is installed
        oval: oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment: busybox is earlier than 1:1.2.0-13.el5
            oval: oval:com.redhat.rhsa:tst:20120308001
          • comment: busybox is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20120308002
        • AND
          • comment: busybox-anaconda is earlier than 1:1.2.0-13.el5
            oval: oval:com.redhat.rhsa:tst:20120308003
          • comment: busybox-anaconda is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20120308004
    rhsa
    id: RHSA-2012:0308
    released: 2012-02-21
    severity: Low
    title: RHSA-2012:0308: busybox security and bug fix update (Low)
  • bugzilla
    id: 809092
    title: msh crasher bug
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 6 is installed
        oval: oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment: busybox-petitboot is earlier than 1:1.15.1-15.el6
            oval: oval:com.redhat.rhsa:tst:20120810001
          • comment: busybox-petitboot is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120810002
        • AND
          • comment: busybox is earlier than 1:1.15.1-15.el6
            oval: oval:com.redhat.rhsa:tst:20120810003
          • comment: busybox is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20120810004
    rhsa
    id: RHSA-2012:0810
    released: 2012-06-19
    severity: Low
    title: RHSA-2012:0810: busybox security and bug fix update (Low)
rpms
  • busybox-1:1.2.0-13.el5
  • busybox-anaconda-1:1.2.0-13.el5
  • busybox-1:1.15.1-15.el6
  • busybox-petitboot-1:1.15.1-15.el6