CVE-2016-2148
Cisco Device Hardcoded Credentials / GNU glibc / BusyBox
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
9Exploited in Wild
-Decision
Descriptions
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
Desbordamiento de búfer basado en memoria dinámica en el cliente DHCP (udhcpc) en BusyBox en versiones anteriores a 1.25.0 permite a atacantes remotos tener un impacto no especificado a través de vectores que implican el análisis de OPTION_6RD.
Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar archives. If a user or automated system were tricked into processing a specially crafted tar archive, a remote attacker could overwrite arbitrary files outside of the current directory. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Mathias Krause discovered that BusyBox incorrectly handled kernel module loading restrictions. A local attacker could possibly use this issue to bypass intended restrictions. This issue only affected Ubuntu 14.04 LTS. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-01-29 CVE Reserved
- 2016-12-05 CVE Published
- 2019-06-13 First Exploit
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (16)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html | Mailing List |
|
| https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2016/03/11/16 | 2021-02-22 | |
| https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2 | 2021-02-22 |
| URL | Date | SRC |
|---|---|---|
| https://busybox.net/news.html | 2021-02-22 | |
| https://security.gentoo.org/glsa/201612-04 | 2021-02-22 | |
| https://usn.ubuntu.com/3935-1 | 2021-02-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Busybox Search vendor "Busybox" | Busybox Search vendor "Busybox" for product "Busybox" | <= 1.24.2 Search vendor "Busybox" for product "Busybox" and version " <= 1.24.2" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | esm |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10" | - |
Affected
| ||||||