CVE-2018-1000500

NameCVE-2018-1000500
DescriptionBusybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file".
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
busybox (PTS)jessie1:1.22.0-9+deb8u1vulnerable
jessie (security)1:1.22.0-9+deb8u4vulnerable
stretch1:1.22.0-19vulnerable
buster, sid1:1.27.2-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
busyboxsource(unstable)(unfixed)unimportant

Notes

Intentional design decision:
https://git.busybox.net/busybox/tree/networking/wget.c?id=8bc418f07eab79a9c8d26594629799f6157a9466#n74
https://git.busybox.net/busybox/commit/networking/wget.c?id=0972c7f7a570c38edb68e1c60a45614b7a7c7d55
Starting with 1:1.27.2-3 in unstable wget emmits a message that certificate
verification is not implemented.

Search for package or bug name: Reporting problems