SB2012081515 - Input validation error in busybox (Alpine package)
Published: August 15, 2012
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2011-2716)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.
Remediation
Install the update from the vendor's website.
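The following added example (not part of this bulletin and not BusyBox's or Alpine's code) shows one way to validate a server-supplied name such as HOST_NAME, DOMAIN_NAME, NIS_DOMAIN or TFTP_SERVER_NAME before it reaches a shell script. The function name `dhcp_name_is_safe`, the RFC 1123 label rules it applies, and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if s is a plain DNS-style name made of
 * RFC 1123 labels, else 0. Only [A-Za-z0-9.-] is allowed, which excludes
 * every shell metacharacter as well as whitespace and control bytes. */
int dhcp_name_is_safe(const char *s)
{
    size_t total = strlen(s);
    size_t label_len = 0;

    if (total == 0 || total > 253)          /* empty or over-long name */
        return 0;

    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)s[i];

        if (c == '.') {
            /* reject an empty label or a label ending in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (c == '-') {
            if (label_len == 0)             /* label starting with '-' */
                return 0;
        } else if (!(c < 128 && isalnum(c))) {
            return 0;                       /* anything else, e.g. ; $ ` | & */
        }
        if (++label_len > 63)               /* per-label length limit */
            return 0;
    }
    /* the last label must be non-empty and must not end in '-' */
    return label_len > 0 && s[total - 1] != '-';
}

int main(void)
{
    /* Constructed sample values, not taken from a real DHCP exchange. */
    const char *samples[] = { "alpine-host", "lab.example.org",
                              "host;true", "name$(true)", "-lead", "a..b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i],
               dhcp_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A value that fails the check should be dropped rather than rewritten, so that a hook script never sees a partially cleaned string.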
References
- https://git.alpinelinux.org/aports/commit/?id=35391fccc49c6bf75e21ca4c3c56fb7ed15fab02
- https://git.alpinelinux.org/aports/commit/?id=df0a65d0ab72c95b02064109fa31ca5ae3aa1331
- https://git.alpinelinux.org/aports/commit/?id=536d842626052ad957a4f1cdd516e5e314bff21c
- https://git.alpinelinux.org/aports/commit/?id=ca7ac8544fc13692b8d955b644e988a935b38fad