HoT-TAI-0005: Insecure 3rd party components / Vulnerable services
Summary:
- This vulnerability type includes vulnerabilities in 3rd party components, such as BusyBox and similar utilities. BusyBox combines tiny versions of many common UNIX utilities into a single small executable, making it the "Swiss Army Knife of Embedded Linux" and a target for attackers. Other issues with 3rd party components include the use of outdated software and libraries (think OpenSSL and Heartbleed, or bash and Shellshock). Utilities such as BusyBox can contain vulnerable network services (e.g. web, ssh, telnet, ftp, tftp, etc.). When considering vulnerable services, ensure that you are looking at TCP, UDP, and SCTP network-facing services. Vulnerabilities covered herein may also be covered by other vulnerability types.
- This vulnerability type also includes hidden / test / development services that the developer forgot to remove.
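The summary asks a reviewer to enumerate TCP, UDP and SCTP network-facing services (including forgotten test or development listeners) and to check 3rd party components for outdated versions. The script below is an added example, not part of the HoT-TAI-0005 entry: it parses the Linux /proc/net socket tables to list network-facing listeners, drops loopback-only ones, and compares a BusyBox banner against the "before X" fixed-in versions named in this entry's CVE table. The /proc/net contents, the SCTP column layout and the BusyBox banner are constructed samples and assumptions, so it runs offline.

```python
"""Added example for HoT-TAI-0005; not part of the original entry.

Defender-side inventory for an embedded Linux device:
  1. list listening TCP, UDP and SCTP endpoints from the /proc/net tables;
  2. compare the installed BusyBox version with the fixed-in versions in
     this entry's CVE table.
Every input is a constructed sample; on a device you would read
/proc/net/tcp, /proc/net/udp, /proc/net/sctp/eps and the banner printed by
running `busybox` with no arguments.
"""
import re
from typing import List, Optional, Tuple

Listener = Tuple[str, str, int]  # (protocol, local address, local port)

# Constructed /proc/net/tcp sample. Addresses are little-endian hex IPv4:port;
# st 0A = LISTEN. Rows: http on all interfaces, telnet on all interfaces,
# 8080 bound to loopback only, and one established (st 01) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0050 0B00000A:C351 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 20 4 30 10 -1
"""

# Constructed /proc/net/udp sample. UDP has no LISTEN state; a bound,
# unconnected socket is shown with st 07. Rows: ntp (123) and tftp (69).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1300 2 0000000000000000 0
  456: 00000000:0045 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1301 2 0000000000000000 0
"""

# Constructed /proc/net/sctp/eps sample (dotted-quad addresses, decimal port).
# Column layout assumed: ENDPT SOCK STY SST HBKT LPORT UID INODE LADDRS.
SAMPLE_PROC_NET_SCTP = """\
 ENDPT     SOCK   STY SST HBKT LPORT   UID INODE LADDRS
ffff8800 ffff8800 2   10  29   3868    0   1400 0.0.0.0
"""

SAMPLE_BUSYBOX_BANNER = "BusyBox v1.22.1 (2014-01-20 12:00:00 UTC) multi-call binary."

# "before X" versions copied from this entry's CVE table. CVE-2016-6301 (ntpd)
# names no fixed version there, so an open udp/123 still needs a manual review.
BUSYBOX_FIXED_IN = {
    "CVE-2011-2716": (1, 20, 0),
    "CVE-2014-9645": (1, 23, 0),
    "CVE-2016-2147": (1, 25, 0),
    "CVE-2016-2148": (1, 25, 0),
}


def _hex_ipv4(hexaddr: str) -> str:
    """Turn the kernel's little-endian hex IPv4 (e.g. 0100007F) into 127.0.0.1."""
    return ".".join(str(int(hexaddr[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_proc_net_inet(text: str, proto: str) -> List[Listener]:
    """Listening sockets from /proc/net/tcp or /proc/net/udp text."""
    listen_state = "0A" if proto == "tcp" else "07"
    found = []
    for line in text.splitlines():
        if not re.match(r"^\s*\d+:", line):  # skip the header row
            continue
        fields = line.split()
        hexaddr, hexport = fields[1].split(":")
        if fields[3] == listen_state:
            found.append((proto, _hex_ipv4(hexaddr), int(hexport, 16)))
    return found


def parse_proc_net_sctp_eps(text: str) -> List[Listener]:
    """Bound SCTP endpoints from /proc/net/sctp/eps text (header row skipped)."""
    found = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        port = int(fields[5])
        found.extend(("sctp", addr, port) for addr in fields[8:])
    return found


def network_facing_listeners(tcp: str, udp: str, sctp: str) -> List[Listener]:
    """All listeners reachable from the network; loopback-only ones are dropped."""
    everything = (parse_proc_net_inet(tcp, "tcp") + parse_proc_net_inet(udp, "udp")
                  + parse_proc_net_sctp_eps(sctp))
    return [l for l in everything if not l[1].startswith("127.")]


def parse_busybox_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the BusyBox banner line."""
    m = re.search(r"BusyBox v(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def busybox_cves_for(version: Tuple[int, int, int]) -> List[str]:
    """Table CVEs whose fixed-in version is newer than the installed one."""
    return sorted(cve for cve, fixed in BUSYBOX_FIXED_IN.items() if version < fixed)


if __name__ == "__main__":
    for proto, addr, port in network_facing_listeners(
            SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_UDP, SAMPLE_PROC_NET_SCTP):
        print(f"network-facing {proto}/{port} on {addr}")
    ver = parse_busybox_version(SAMPLE_BUSYBOX_BANNER)
    print("BusyBox", ver, "->", busybox_cves_for(ver) or "no table entries match")
```

On the sample data the loopback-only tcp/8080 listener is filtered out while telnet (tcp/23), tftp (udp/69), ntp (udp/123) and the SCTP endpoint are reported for review, and the 1.22.1 banner is matched to the three table CVEs fixed in 1.23.0 and 1.25.0. A version below a fixed-in threshold is only a lead: vendors often backport fixes without bumping the version, so confirm against the firmware's actual patch state.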
Estimated Overall Risk Assessment: MED
Technical Impacts:
HIGH
Business Impacts:
HIGH
Detectability:
EASY (if known); HARD (if unknown)
Prevalence:
COMMON
Exploitability:
COMPONENT and VULNERABILITY DEPENDENT
Attack Surfaces Grouped By Layer of Cyberspace
- Physical Network Layer
- Device Firmware
- Device Network Services
Known Intrusion / Exploit / Attack Cases and Threats
- Bashlite
- Description: Utilizes the Shellshock vulnerability found in the Bash command shell. The resulting bot is used as part of a botnet for DDoS. Bashlite was the precursor to Mirai. Targets: DVRs and IP cameras (95%) and home routers (4%).[1]
Identify, Detect, Protect, Respond, and Recover (NIST FICIC)
TBD
Analysis Tools and Training
TBD
Associated CVEs / Manufacturers / Devices
Application | CVE ID | VULN TYPE & SCORE | DESCRIPTION |
---|---|---|---|
BusyBox | CVE-2011-2716 | Exec Code: 6.8 | The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. |
BusyBox | CVE-2016-6301 | Remote DoS: 7.8 | The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. |
BusyBox | CVE-2016-2147 | Remote DoS Overflow: 5.0 | Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. |
BusyBox | CVE-2016-2148 | Remote Overflow: 7.5 | Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. |
BusyBox | CVE-2014-9645 | Local Bypass: 2.1 | The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. |
coreutils | CVE-2016-2781 | Not Available | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. |
coreutils | CVE-2014-9471 | DoS Exec Code: 7.5 | The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command. |
GoAhead web server | CVE-2017-5674 | Not Available | A vulnerability in a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models allows an attacker to craft a malformed HTTP request ("GET system.ini HTTP/1.1\n\n" - note the lack of "/" in the path field of the request) that will disclose the configuration file with the login password. |
GoAhead web server | CVE-2017-5675 | Command Injection (Web) | A command-injection vulnerability exists in a web application on a custom-built GoAhead web server used on Foscam, Vstarcam, and multiple white-label IP camera models. The mail-sending form in the mail.htm page allows an attacker to inject a command into the receiver1 field in the form; it will be executed with root privileges. |
Fisher-Price Smart Toy Bear API | CVE-2015-8269 | Not Available | The API on Fisher-Price Smart Toy Bear devices allows remote attackers to obtain sensitive information or modify data by leveraging presence in an 802.11 network's coverage area and entering an account number. |
Not Available | CVE-2015-2884 | Not Available | Not Available |
Not Available | CVE-2015-2886 | Not Available | Not Available |
Not Available | CVE-2015-2887 | Not Available | Not Available |
Not Available | CVE-2015-2888 | Not Available | Not Available |
Not Available | CVE-2015-2889 | Not Available | Not Available |
Not Available | CVE-2015-3036 | Not Available | Not Available |
Not Available | CVE-2017-7911 | Not Available | Not Available |
Not Available | CVE-2015-2247 | Not Available | Not Available |
Not Available | CVE-2015-4080 | Not Available | Not Available |
Not Available | CVE-2017-7243 | Not Available | Not Available |
Not Available | CVE-2017-7240 | Not Available | Not Available |