Allele Security Alert
ASA-2019-00558
Identifier(s)
ASA-2019-00558, VMSA-2019-0013
Title
BusyBox command injection vulnerability
Vendor(s)
VMware
Product(s)
VMware vSphere ESXi
Affected version(s)
VMware vSphere ESXi 6.7 versions before ESXi670-201904101-SG
VMware vSphere ESXi 6.5 versions before ESXi650-201907101-SG
VMware vSphere ESXi 6.0 versions before ESXi600-201909101-SG
Fixed version(s)
VMware vSphere ESXi 6.7 version ESXi670-201904101-SG
VMware vSphere ESXi 6.5 version ESXi650-201907101-SG
VMware vSphere ESXi 6.0 version ESXi600-201909101-SG
Proof of concept
Unknown
Description
ESXi contains a command injection vulnerability due to the use of a vulnerable version of BusyBox that does not sanitize filenames, which may result in any escape sequence embedded in a filename being executed by the shell's terminal. An attacker may exploit this issue by tricking an ESXi administrator into executing shell commands by providing a malicious file.
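The underlying BusyBox issue (CVE-2017-16544) is that tab completion wrote filenames to the terminal verbatim, so control bytes such as ESC were interpreted by the terminal rather than shown. The defensive pattern is the one the fix applied: escape control bytes before a filename is ever printed. The script below is an added example and is not code from VMware, BusyBox or the advisory; it escapes control bytes as `\xNN` when rendering names for display and flags filesystem entries that carry such bytes, which is useful for auditing datastores or uploads on a host that still runs an unpatched shell. The sample filenames in it are constructed for the example.

```python
import os
from typing import List, Tuple

# Bytes a terminal acts on instead of displaying: C0 controls (0x00-0x1f,
# including ESC 0x1b, BEL 0x07, CR 0x0d) and DEL (0x7f). These are the bytes
# that an unpatched BusyBox line editor would pass through to the terminal.
_CONTROL_BYTES = frozenset(range(0x00, 0x20)) | {0x7F}


def has_control_bytes(name: bytes) -> bool:
    """True if the raw filename contains any terminal control byte."""
    return any(b in _CONTROL_BYTES for b in name)


def sanitize_for_display(name: bytes) -> str:
    """Render a raw filename so nothing in it reaches the terminal as an
    escape sequence: control bytes become a literal \\xNN, and bytes that
    are not valid UTF-8 are shown the same way via backslashreplace."""
    safe = bytearray()
    for b in name:
        if b in _CONTROL_BYTES:
            safe += b"\\x%02x" % b
        else:
            safe.append(b)
    return bytes(safe).decode("utf-8", "backslashreplace")


def scan_names(names: List[bytes]) -> List[Tuple[bytes, str]]:
    """Flag filenames carrying control bytes; returns (raw, display) pairs
    so a report can be printed without re-introducing the problem."""
    return [(n, sanitize_for_display(n)) for n in names if has_control_bytes(n)]


def scan_directory(path: str) -> List[Tuple[str, str]]:
    """Walk a directory tree as bytes (no decoding surprises) and flag every
    entry whose name contains control bytes. Both elements of each returned
    pair are already safe to print."""
    hits: List[Tuple[str, str]] = []
    for root, dirs, files in os.walk(os.fsencode(path)):
        for entry in dirs + files:
            if has_control_bytes(entry):
                full = os.path.join(root, entry)
                hits.append((sanitize_for_display(full), sanitize_for_display(entry)))
    return hits


if __name__ == "__main__":
    import sys

    # Constructed sample names: one clean, one with a colour escape, one with BEL.
    samples = [b"report.txt", b"notes\x1b[31m.txt", b"ring\x07.log"]
    for raw, shown in scan_names(samples):
        print("control bytes in filename:", shown)

    # Optional: audit a real directory given on the command line.
    if len(sys.argv) > 1:
        for full, _ in scan_directory(sys.argv[1]):
            print("flagged:", full)
```

`scan_directory` walks with a bytes path on purpose: decoding names first can mask or alter the exact bytes a shell would have written to the terminal, and the point of the audit is to see them.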
Technical details
Unknown
Credits
Zhouyuan Yang (Fortinet’s FortiGuard Labs)
Reference(s)
VMSA-2019-0013.1
https://www.vmware.com/security/advisories/VMSA-2019-0013.html
CVE-2017-16544: A Busybox autocompletion vulnerability
https://www.twistlock.com/labs-blog/cve-2017-16544-busybox-autocompletion-vulnerability/
CVE-2017-16544
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16544
CVE-2017-16544
https://nvd.nist.gov/vuln/detail/CVE-2017-16544
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: October 14, 2019