Allele Security Alert
BusyBox command injection vulnerability
VMware vSphere ESXi
VMware vSphere ESXi 6.7 versions before ESXi670-201904101-SG
VMware vSphere ESXi 6.5 versions before ESXi650-201907101-SG
VMware vSphere ESXi 6.0 versions before ESXi600-201909101-SG
VMware vSphere ESXi 6.7 version ESXi670-201904101-SG
VMware vSphere ESXi 6.5 version ESXi650-201907101-SG
VMware vSphere ESXi 6.0 version ESXi600-201909101-SG
Proof of concept
ESXi contains a command injection vulnerability due to the use of vulnerable version of busybox that does not sanitize filenames which may result into executing any escape sequence in the shell. An attacker may exploit this issue by tricking an ESXi Admin into executing shell commands by providing a malicious file.
Zhouyuan Yang (Fortinet’s FortiGuard Labs)
CVE-2017-16544: A Busybox autocompletion vulnerability
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 14, 2019