Busybox wget vulnerability

Vulnerability13/2018

Published 31.12.2018 10:29

BusyBox project has fixed a vulnerability in BusyBox wget that may allow an attacker to execute arbitrary commands in the target system.

BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It is generally used in embedded operating systems with limited resources.

Vulnerability coordination:

The vulnerability was found by Antti Levomäki, Christian Jalio, and Joonas Pihlaja from Forcepoint. NCSC-FI would like to thank Forcepoint and the BusyBox project for participating in the coordination.

Target

Embedded systems
Servers and server applications

Attack vector

Remote

Impact

Denial-of-service attack
Execution of arbitrary commands

Remediation

Software update patch

Subject of vulnerability

BusyBox versions prior to 1.29.0

What is it about?

Update BusyBox to the latest version.

What can I do?

https://busybox.net/about.html (External link)
https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e (External link)
CVE-2018-1000517 (External link)