PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-2147 Canonical CVE debrief

CVE-2016-2147 is a network-reachable denial-of-service flaw in BusyBox udhcpc. A malformed RFC1035-encoded domain name can trigger an integer overflow and out-of-bounds heap write, leading to a crash. NVD rates it HIGH (CVSS 7.5) and maps exposure to BusyBox plus downstream Debian and Ubuntu builds listed in the record.

Vendor
Canonical
Product
CVE-2016-2147
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-09
Original CVE updated
2026-05-13
Advisory published
2017-02-09
Advisory updated
2026-05-13

Who should care

Operators of BusyBox-based embedded Linux systems, appliances, and distro packages that include udhcpc, especially downstream Debian and Ubuntu deployments listed in NVD.

Technical summary

The issue is tracked as CWE-190 (integer overflow) with CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The source corpus describes BusyBox versions before 1.25.0 as affected; NVD's CPE data also marks BusyBox through 1.24.2 and downstream Debian 8/9 and Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, and 18.10.
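The overflow described above sits in the decoding of RFC1035-encoded names (the format DHCP option 119 and DNS use). As an added example, not BusyBox's own udhcpc code (the page does not show the vulnerable decoder's internals), the hypothetical dname_decode_safe below shows the length accounting such a decoder must do: every label length and compression pointer is checked against the remaining input and the output buffer before any copy, so a malformed name is rejected rather than written past the heap allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Bounds-checked decoder for an RFC1035 domain name: <len><label>... ended
 * by a zero length, with 0xC0-prefixed 2-byte compression pointers. Each copy
 * length is checked against input and output before use, so a hostile length
 * octet or pointer cannot cause an out-of-bounds write. Returns the decoded
 * length or -1 if malformed. Added example, not BusyBox's own udhcpc code. */
int dname_decode_safe(const uint8_t *buf, size_t len, size_t pos,
                      char *out, size_t outcap)
{
    size_t olen = 0, jumps = 0;
    if (outcap == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;              /* length octet outside buf */
        uint8_t c = buf[pos++];
        if (c == 0) break;                      /* root label ends the name */
        if ((c & 0xC0) == 0xC0) {               /* compression pointer */
            if (pos >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | buf[pos];
            if (target >= len || ++jumps > len) return -1; /* range / loop */
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                /* reserved label types */
        if (c > len - pos) return -1;           /* label runs past input */
        size_t need = (size_t)c + (olen ? 1 : 0);  /* label plus '.' */
        if (need > outcap - 1 - olen) return -1; /* no room (keeps NUL) */
        if (olen) out[olen++] = '.';
        memcpy(out + olen, buf + pos, c);
        olen += c; pos += c;
    }
    out[olen] = '\0';
    return (int)olen;
}

/* Constructed samples; literals are split so each hex escape is one byte. */
static const uint8_t NAME_OK[]    = "\x07" "example" "\x03" "com";            /* example.com */
static const uint8_t NAME_PTR[]   = "\x03" "foo" "\0" "\x03" "bar" "\xC0" "\0"; /* bar -> foo */
static const uint8_t NAME_TRUNC[] = "\x07" "abc";                             /* len > data */
static const uint8_t NAME_LOOP[]  = "\xC0" "\0";                              /* self pointer */
/* 1 if decoding yields expect; with expect NULL, 1 if decoding is rejected. */
int check_name(const uint8_t *buf, size_t len, size_t pos, const char *expect)
{
    char out[256];
    int n = dname_decode_safe(buf, len, pos, out, sizeof out);
    return expect ? (n >= 0 && strcmp(out, expect) == 0) : (n < 0);
}
```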

Defensive priority

High

Recommended defensive actions

  • Upgrade BusyBox to a release at or above 1.25.0, or apply the vendor-fixed package provided by your distribution.
  • Check whether udhcpc is present in firmware, containers, or appliance images, and prioritize those that obtain DHCP leases on untrusted networks, since the malformed option arrives in a DHCP server reply.
  • Use the BusyBox vendor advisory and downstream distro security notices to confirm patched package versions.
  • Validate remediation across all impacted images and rebuild any derived firmware or OS images that embed BusyBox.

Evidence notes

Supported by the CVE description, which cites an integer overflow in BusyBox udhcpc before 1.25.0 caused by a malformed RFC1035-encoded domain name and resulting in an out-of-bounds heap write. NVD lists CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-190, and vulnerable CPEs for BusyBox plus Debian 8/9 and Ubuntu 14.04 ESM/16.04 LTS/18.04 LTS/18.10. The supplied record includes a BusyBox vendor advisory reference and the official CVE/NVD entries.

Official resources

Publicly disclosed in the NVD/CVE record on 2017-02-09; the supplied record was last modified on 2026-05-13. No CISA KEV listing is included in the supplied corpus.