CVE-2018-1000500
Published: 26 June 2018
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".
Priority
Medium
CVSS 3 base score: 8.1
Status
| Package | Release | Status |
|---|---|---|
|
busybox Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 20.10 (Groovy Gorilla) |
Released
(1:1.30.1-4ubuntu9)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Released
(1:1.30.1-4ubuntu6.2)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(1:1.27.2-2ubuntu3.3)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Not vulnerable
(code not present)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(code not present)
|
|
| Ubuntu 12.04 ESM (Precise Pangolin) |
Not vulnerable
(code not present)
|
|
|
Patches: Upstream: https://git.busybox.net/busybox/commit/?id=0972c7f7a570c38edb68e1c60a45614b7a7c7d55 Upstream: https://git.busybox.net/busybox/commit/?id=dbe95682b4bf1192d2860646617f157e6c44f2d1 Upstream: https://git.busybox.net/busybox/commit/?id=45fa3f18adf57ef9d743038743d9c90573aeeb91 |
||
Notes
| Author | Note |
|---|---|
| mdeslaur | per Red Hat, SSL support was added in 1.23.0. Older versions don't support https at all. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000500
- http://lists.busybox.net/pipermail/busybox/2018-May/086462.html
- https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74
- https://usn.ubuntu.com/usn/usn-4531-1
- NVD
- Launchpad
- Debian