ID CVE-2016-6301
Summary The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.
References
Vulnerable Configurations
  • BusyBox 0.38
    cpe:2.3:a:busybox:busybox:0.38
  • BusyBox 0.39
    cpe:2.3:a:busybox:busybox:0.39
  • BusyBox 0.40
    cpe:2.3:a:busybox:busybox:0.40
  • BusyBox 0.41
    cpe:2.3:a:busybox:busybox:0.41
  • BusyBox 0.42
    cpe:2.3:a:busybox:busybox:0.42
  • BusyBox 0.43
    cpe:2.3:a:busybox:busybox:0.43
  • BusyBox 0.43pre
    cpe:2.3:a:busybox:busybox:0.43:pre
  • BusyBox 0.45
    cpe:2.3:a:busybox:busybox:0.45
  • BusyBox 0.46
    cpe:2.3:a:busybox:busybox:0.46
  • BusyBox 0.47
    cpe:2.3:a:busybox:busybox:0.47
  • BusyBox 0.48
    cpe:2.3:a:busybox:busybox:0.48
  • BusyBox 0.49
    cpe:2.3:a:busybox:busybox:0.49
  • BusyBox 0.50
    cpe:2.3:a:busybox:busybox:0.50
  • BusyBox 0.51
    cpe:2.3:a:busybox:busybox:0.51
  • BusyBox 0.52
    cpe:2.3:a:busybox:busybox:0.52
  • BusyBox 0.60.0
    cpe:2.3:a:busybox:busybox:0.60.0
  • BusyBox 0.60.1
    cpe:2.3:a:busybox:busybox:0.60.1
  • BusyBox 0.60.2
    cpe:2.3:a:busybox:busybox:0.60.2
  • BusyBox 0.60.3
    cpe:2.3:a:busybox:busybox:0.60.3
  • BusyBox 0.60.4
    cpe:2.3:a:busybox:busybox:0.60.4
  • BusyBox 0.60.5
    cpe:2.3:a:busybox:busybox:0.60.5
  • BusyBox 1.00
    cpe:2.3:a:busybox:busybox:1.00
  • BusyBox 1.0.0 pre1
    cpe:2.3:a:busybox:busybox:1.0.0:pre1
  • BusyBox 1.0.0 pre10
    cpe:2.3:a:busybox:busybox:1.0.0:pre10
  • BusyBox 1.0.0 pre2
    cpe:2.3:a:busybox:busybox:1.0.0:pre2
  • BusyBox 1.0.0 pre3
    cpe:2.3:a:busybox:busybox:1.0.0:pre3
  • BusyBox 1.0.0 pre4
    cpe:2.3:a:busybox:busybox:1.0.0:pre4
  • BusyBox 1.0.0 pre5
    cpe:2.3:a:busybox:busybox:1.0.0:pre5
  • BusyBox 1.0.0 pre6
    cpe:2.3:a:busybox:busybox:1.0.0:pre6
  • BusyBox 1.0.0 pre7
    cpe:2.3:a:busybox:busybox:1.0.0:pre7
  • BusyBox 1.0.0 pre8
    cpe:2.3:a:busybox:busybox:1.0.0:pre8
  • BusyBox 1.0.0 pre9
    cpe:2.3:a:busybox:busybox:1.0.0:pre9
  • BusyBox 1.0.0 release candidate 1
    cpe:2.3:a:busybox:busybox:1.0.0:rc1
  • BusyBox 1.0.0 release candidate 2
    cpe:2.3:a:busybox:busybox:1.0.0:rc2
  • BusyBox 1.0.0 release candidate 3
    cpe:2.3:a:busybox:busybox:1.0.0:rc3
  • BusyBox 1.01
    cpe:2.3:a:busybox:busybox:1.01
  • BusyBox 1.1.0
    cpe:2.3:a:busybox:busybox:1.1.0
  • BusyBox 1.1.0 pre1
    cpe:2.3:a:busybox:busybox:1.1.0:pre1
  • BusyBox 1.1.1
    cpe:2.3:a:busybox:busybox:1.1.1
  • BusyBox 1.1.2
    cpe:2.3:a:busybox:busybox:1.1.2
  • BusyBox 1.1.3
    cpe:2.3:a:busybox:busybox:1.1.3
  • BusyBox 1.2.0
    cpe:2.3:a:busybox:busybox:1.2.0
  • BusyBox 1.2.1
    cpe:2.3:a:busybox:busybox:1.2.1
  • BusyBox 1.2.2
    cpe:2.3:a:busybox:busybox:1.2.2
  • BusyBox 1.2.2.1
    cpe:2.3:a:busybox:busybox:1.2.2.1
  • BusyBox 1.3.0
    cpe:2.3:a:busybox:busybox:1.3.0
  • BusyBox 1.3.1
    cpe:2.3:a:busybox:busybox:1.3.1
  • BusyBox 1.3.2
    cpe:2.3:a:busybox:busybox:1.3.2
  • BusyBox 1.4.0
    cpe:2.3:a:busybox:busybox:1.4.0
  • BusyBox 1.4.1
    cpe:2.3:a:busybox:busybox:1.4.1
  • BusyBox 1.4.2
    cpe:2.3:a:busybox:busybox:1.4.2
  • BusyBox 1.5.0
    cpe:2.3:a:busybox:busybox:1.5.0
  • BusyBox 1.5.1
    cpe:2.3:a:busybox:busybox:1.5.1
  • BusyBox 1.5.2
    cpe:2.3:a:busybox:busybox:1.5.2
  • BusyBox 1.6.0
    cpe:2.3:a:busybox:busybox:1.6.0
  • BusyBox 1.6.1
    cpe:2.3:a:busybox:busybox:1.6.1
  • BusyBox 1.6.2
    cpe:2.3:a:busybox:busybox:1.6.2
  • BusyBox 1.7.0
    cpe:2.3:a:busybox:busybox:1.7.0
  • BusyBox 1.7.1
    cpe:2.3:a:busybox:busybox:1.7.1
  • BusyBox 1.7.2
    cpe:2.3:a:busybox:busybox:1.7.2
  • BusyBox 1.7.3
    cpe:2.3:a:busybox:busybox:1.7.3
  • BusyBox 1.7.4
    cpe:2.3:a:busybox:busybox:1.7.4
  • BusyBox 1.7.5
    cpe:2.3:a:busybox:busybox:1.7.5
  • BusyBox 1.8.0
    cpe:2.3:a:busybox:busybox:1.8.0
  • BusyBox 1.8.1
    cpe:2.3:a:busybox:busybox:1.8.1
  • BusyBox 1.8.2
    cpe:2.3:a:busybox:busybox:1.8.2
  • BusyBox 1.8.3
    cpe:2.3:a:busybox:busybox:1.8.3
  • BusyBox 1.9.0
    cpe:2.3:a:busybox:busybox:1.9.0
  • BusyBox 1.9.1
    cpe:2.3:a:busybox:busybox:1.9.1
  • BusyBox 1.9.2
    cpe:2.3:a:busybox:busybox:1.9.2
  • BusyBox 1.10.0
    cpe:2.3:a:busybox:busybox:1.10.0
  • BusyBox 1.10.1
    cpe:2.3:a:busybox:busybox:1.10.1
  • BusyBox 1.10.2
    cpe:2.3:a:busybox:busybox:1.10.2
  • BusyBox 1.10.3
    cpe:2.3:a:busybox:busybox:1.10.3
  • BusyBox 1.10.4
    cpe:2.3:a:busybox:busybox:1.10.4
  • BusyBox 1.11.0
    cpe:2.3:a:busybox:busybox:1.11.0
  • BusyBox 1.11.1
    cpe:2.3:a:busybox:busybox:1.11.1
  • BusyBox 1.11.2
    cpe:2.3:a:busybox:busybox:1.11.2
  • BusyBox 1.11.3
    cpe:2.3:a:busybox:busybox:1.11.3
  • BusyBox 1.12.0
    cpe:2.3:a:busybox:busybox:1.12.0
  • BusyBox 1.12.1
    cpe:2.3:a:busybox:busybox:1.12.1
  • BusyBox 1.12.2
    cpe:2.3:a:busybox:busybox:1.12.2
  • BusyBox 1.12.3
    cpe:2.3:a:busybox:busybox:1.12.3
  • BusyBox 1.12.4
    cpe:2.3:a:busybox:busybox:1.12.4
  • BusyBox 1.13.0
    cpe:2.3:a:busybox:busybox:1.13.0
  • BusyBox 1.13.1
    cpe:2.3:a:busybox:busybox:1.13.1
  • BusyBox 1.13.2
    cpe:2.3:a:busybox:busybox:1.13.2
  • BusyBox 1.13.3
    cpe:2.3:a:busybox:busybox:1.13.3
  • BusyBox 1.13.4
    cpe:2.3:a:busybox:busybox:1.13.4
  • BusyBox 1.14.0
    cpe:2.3:a:busybox:busybox:1.14.0
  • BusyBox 1.14.1
    cpe:2.3:a:busybox:busybox:1.14.1
  • BusyBox 1.14.2
    cpe:2.3:a:busybox:busybox:1.14.2
  • BusyBox 1.14.3
    cpe:2.3:a:busybox:busybox:1.14.3
  • BusyBox 1.14.4
    cpe:2.3:a:busybox:busybox:1.14.4
  • BusyBox 1.15.0
    cpe:2.3:a:busybox:busybox:1.15.0
  • BusyBox 1.15.1
    cpe:2.3:a:busybox:busybox:1.15.1
  • BusyBox 1.15.2
    cpe:2.3:a:busybox:busybox:1.15.2
  • BusyBox 1.15.3
    cpe:2.3:a:busybox:busybox:1.15.3
  • BusyBox 1.16.0
    cpe:2.3:a:busybox:busybox:1.16.0
  • BusyBox 1.16.1
    cpe:2.3:a:busybox:busybox:1.16.1
  • BusyBox 1.16.2
    cpe:2.3:a:busybox:busybox:1.16.2
  • BusyBox 1.17.0
    cpe:2.3:a:busybox:busybox:1.17.0
  • BusyBox 1.17.1
    cpe:2.3:a:busybox:busybox:1.17.1
  • BusyBox 1.17.2
    cpe:2.3:a:busybox:busybox:1.17.2
  • BusyBox 1.17.3
    cpe:2.3:a:busybox:busybox:1.17.3
  • BusyBox 1.17.4
    cpe:2.3:a:busybox:busybox:1.17.4
  • BusyBox 1.18.0
    cpe:2.3:a:busybox:busybox:1.18.0
  • BusyBox 1.18.1
    cpe:2.3:a:busybox:busybox:1.18.1
  • BusyBox 1.18.2
    cpe:2.3:a:busybox:busybox:1.18.2
  • BusyBox 1.18.3
    cpe:2.3:a:busybox:busybox:1.18.3
  • BusyBox 1.18.4
    cpe:2.3:a:busybox:busybox:1.18.4
  • BusyBox 1.18.5
    cpe:2.3:a:busybox:busybox:1.18.5
  • BusyBox 1.19.0
    cpe:2.3:a:busybox:busybox:1.19.0
  • BusyBox 1.19.1
    cpe:2.3:a:busybox:busybox:1.19.1
  • BusyBox 1.19.2
    cpe:2.3:a:busybox:busybox:1.19.2
  • BusyBox 1.19.3
    cpe:2.3:a:busybox:busybox:1.19.3
  • BusyBox 1.19.4
    cpe:2.3:a:busybox:busybox:1.19.4
  • BusyBox 1.20.0
    cpe:2.3:a:busybox:busybox:1.20.0
  • BusyBox 1.20.1
    cpe:2.3:a:busybox:busybox:1.20.1
  • BusyBox 1.20.2
    cpe:2.3:a:busybox:busybox:1.20.2
  • BusyBox 1.21.0
    cpe:2.3:a:busybox:busybox:1.21.0
  • BusyBox 1.21.1
    cpe:2.3:a:busybox:busybox:1.21.1
  • BusyBox 1.22.0
    cpe:2.3:a:busybox:busybox:1.22.0
  • BusyBox 1.22.1
    cpe:2.3:a:busybox:busybox:1.22.1
  • BusyBox 1.23.0
    cpe:2.3:a:busybox:busybox:1.23.0
  • BusyBox 1.23.1
    cpe:2.3:a:busybox:busybox:1.23.1
  • BusyBox 1.23.2
    cpe:2.3:a:busybox:busybox:1.23.2
  • BusyBox 1.24.0
    cpe:2.3:a:busybox:busybox:1.24.0
  • BusyBox 1.24.1
    cpe:2.3:a:busybox:busybox:1.24.1
  • BusyBox 1.24.2
    cpe:2.3:a:busybox:busybox:1.24.2
  • BusyBox 1.25.0
    cpe:2.3:a:busybox:busybox:1.25.0
CVSS
Base: 7.8 (as of 13-12-2016 - 14:20)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: COMPLETE
nessus via4
NASL family Gentoo Local Security Checks
NASL id GENTOO_GLSA-201701-05.NASL
description The remote host is affected by the vulnerability described in GLSA-201701-05 (BusyBox: Denial of Service) The recv_and_process_client_pkt function in networking/ntpd.c in BusyBox allows remote attackers to cause a Denial of Service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. Impact : A remote attacker might send a specially crafted package to a machine running BusyBox ntpd, possibly resulting in a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen 2019-02-21
modified 2017-01-03
plugin id 96236
published 2017-01-03
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=96236
title GLSA-201701-05 : BusyBox: Denial of Service
refmap via4
bid 92277
confirm
gentoo GLSA-201701-05
mlist [oss-security] 20160803 CVE-2016-6301: busybox: NTP server denial of service flaw
Last major update 14-12-2016 - 10:47
Published 09-12-2016 - 15:59
Last modified 13-06-2019 - 17:29