First published: Wed Jan 09 2019
An issue was discovered in BusyBox before 1.30.0. An out-of-bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Busybox Busybox | <1.30.0 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Advantech Spectre RT ERT351 firmware | Versions 5.1.3 and prior | |
debian/busybox | 1:1.30.1-6, 1:1.35.0-4, 1:1.37.0-4 | |
CVE-2018-20679 is a vulnerability in BusyBox before version 1.30.0 that allows a remote attacker to leak sensitive information from the stack.
CVE-2018-20679 has a severity rating of 7.5 (high).
The affected software is BusyBox before version 1.30.0, including on various Canonical Ubuntu Linux versions.
To fix CVE-2018-20679, update BusyBox to version 1.30.0 or later.
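As an added illustration of the length verification the description refers to (this is not BusyBox's code; `get_u32_option`, the constants and the sample buffers are constructed for this example), a DHCP option lookup that rejects a 4-byte option whose declared length is not 4 and checks every option against the end of the buffer:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_PAD         0    /* single byte, no length field */
#define OPT_SUBNET_MASK 1    /* fixed 4-byte value (RFC 2132) */
#define OPT_END         255

/* Hypothetical helper, not BusyBox code: locate option `code` and decode it
 * as a 32-bit value only when its declared length is exactly 4.
 * Returns 0 on success, -1 if the option is absent or malformed. */
int get_u32_option(const uint8_t *opts, size_t len, uint8_t code, uint32_t *out)
{
    size_t i = 0;
    while (i < len && opts[i] != OPT_END) {
        if (opts[i] == OPT_PAD) { i++; continue; }
        if (len - i < 2) return -1;                 /* length byte missing */
        size_t olen = opts[i + 1];
        if (len - i - 2 < olen) return -1;          /* value overruns the buffer */
        if (opts[i] == code) {
            const uint8_t *v = &opts[i + 2];
            if (olen != 4) return -1;               /* reject wrong-sized 4-byte option */
            *out = (uint32_t)v[0] << 24 | (uint32_t)v[1] << 16 |
                   (uint32_t)v[2] << 8  | (uint32_t)v[3];
            return 0;
        }
        i += 2 + olen;
    }
    return -1;
}

/* Constructed sample option buffers (not captured traffic). */
static const uint8_t OPTS_GOOD[]  = { 0, 1, 4, 255, 255, 255, 0, 255 };
static const uint8_t OPTS_SHORT[] = { 1, 1, 255, 255 };   /* mask declared as 1 byte */
static const uint8_t OPTS_TRUNC[] = { 1, 4, 255, 255 };   /* declares 4, only 2 present */

int main(void)
{
    uint32_t mask = 0;
    printf("good:  %d\n", get_u32_option(OPTS_GOOD, sizeof OPTS_GOOD, OPT_SUBNET_MASK, &mask));
    printf("short: %d\n", get_u32_option(OPTS_SHORT, sizeof OPTS_SHORT, OPT_SUBNET_MASK, &mask));
    printf("trunc: %d\n", get_u32_option(OPTS_TRUNC, sizeof OPTS_TRUNC, OPT_SUBNET_MASK, &mask));
    return 0;
}
```

A caller that trusted the option to be 4 bytes without the `olen != 4` check would read past the 1-byte value in `OPTS_SHORT`, which is the class of over-read the advisory describes.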