CVE-2019-5747: n/a in n/a
An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.
AI Analysis
Technical Summary
CVE-2019-5747 is a high-severity vulnerability affecting BusyBox versions up to 1.30.0, specifically within the udhcp components used by the DHCP client, server, and relay functionalities. The vulnerability arises from an out-of-bounds read condition triggered when processing DHCP messages, particularly related to the DHCP_SUBNET option. The root cause is an incomplete fix for a previous vulnerability (CVE-2018-20679), where the code failed to properly enforce a 4-byte length check during decoding. This flaw allows a remote attacker to send a crafted DHCP message that causes the DHCP component to read beyond the intended buffer boundaries on the stack, potentially leaking sensitive information. The vulnerability does not require any authentication or user interaction and can be exploited remotely over the network. The CVSS 3.1 base score of 7.5 reflects the high confidentiality impact due to information disclosure, with no impact on integrity or availability. The attack vector is network-based with low complexity and no privileges required, making exploitation feasible in environments where vulnerable BusyBox DHCP components are exposed to untrusted DHCP servers or clients. BusyBox is widely used in embedded systems, routers, IoT devices, and lightweight Linux distributions, meaning this vulnerability could affect a broad range of devices that rely on its DHCP functionality. The lack of a patch link suggests that users must verify if updated BusyBox versions or vendor-specific firmware updates are available to remediate this issue. Given the nature of the vulnerability, it is primarily an information disclosure risk rather than a direct code execution or denial of service threat.
Potential Impact
For European organizations, the impact of CVE-2019-5747 can be significant, especially for those relying on embedded devices, network appliances, or IoT infrastructure that incorporate BusyBox DHCP components. Information leakage from the stack could expose sensitive data such as memory contents, configuration details, or cryptographic material, which attackers could leverage for further attacks or reconnaissance. Critical infrastructure sectors, including telecommunications, manufacturing, and energy, often deploy embedded systems with BusyBox, increasing the risk profile. Additionally, enterprises using network equipment or industrial control systems with vulnerable BusyBox versions may face increased exposure to targeted attacks. The vulnerability's remote exploitability without authentication means attackers can attempt to exploit devices simply by sending crafted DHCP messages, potentially from within the local network or via compromised upstream DHCP servers. This could lead to privacy breaches, intellectual property theft, or facilitate lateral movement within corporate networks. While no known exploits are reported in the wild, the ease of exploitation and widespread use of BusyBox in embedded devices necessitate proactive mitigation to prevent potential data leakage incidents.
Mitigation Recommendations
To mitigate CVE-2019-5747, European organizations should:
1) Identify and inventory all devices and systems using BusyBox DHCP components, particularly embedded systems, routers, IoT devices, and lightweight Linux distributions.
2) Apply vendor-supplied patches or firmware updates that address this vulnerability; if no official patches exist, consider upgrading BusyBox to versions beyond 1.30.0 where the issue is fixed.
3) Implement network segmentation and restrict DHCP traffic to trusted sources only, minimizing exposure to untrusted or external DHCP servers.
4) Employ DHCP snooping and filtering on network switches to prevent malicious DHCP messages from reaching vulnerable devices.
5) Monitor network traffic for anomalous DHCP messages that could indicate exploitation attempts.
6) For critical systems where patching is not immediately feasible, consider disabling DHCP client/server/relay functionality if not required or replacing vulnerable devices with secure alternatives.
7) Engage with device vendors to confirm patch availability and timelines, ensuring timely remediation.
8) Incorporate this vulnerability into vulnerability management and incident response workflows to detect and respond to potential exploitation.
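As an added example (not BusyBox's own udhcp code), the C routine below illustrates the kind of check the technical summary refers to and the anomaly detection that mitigation item 5 asks operators to perform: every option's declared length is tested against the bytes that remain in the buffer before any data is touched, and a DHCP_SUBNET option is accepted only when it carries exactly 4 bytes. Run over the options field of captured DHCP packets, the same validator flags messages whose option lengths do not fit the frame. The option codes are the standard RFC 2132 values (subnet mask is option 1); the sample option blobs are constructed for the example, not captured traffic, and the function and status names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard DHCP option codes (RFC 2132). DHCP_SUBNET is the subnet mask,
 * which must carry exactly 4 bytes of data. */
#define DHCP_PADDING 0x00
#define DHCP_SUBNET  0x01
#define DHCP_END     0xff

enum opt_status {
    OPT_OK = 0,
    OPT_TRUNCATED = 1,      /* option header or data would run past the buffer */
    OPT_BAD_SUBNET_LEN = 2, /* DHCP_SUBNET present with a length other than 4 */
    OPT_NO_END = 3          /* buffer ended before a DHCP_END option */
};

/* Walk the options in buf[0..len). Every read is checked against len first,
 * so a forged length byte can never pull bytes from beyond the packet.
 * If a well-formed subnet mask option is found and mask_out is non-NULL,
 * its 4 bytes are copied there. Returns OPT_OK or the first problem seen. */
enum opt_status validate_dhcp_options(const uint8_t *buf, size_t len,
                                      uint8_t mask_out[4])
{
    size_t i = 0;
    while (i < len) {
        uint8_t code = buf[i];
        if (code == DHCP_PADDING) { i++; continue; }
        if (code == DHCP_END) return OPT_OK;
        /* the length byte itself must be inside the buffer */
        if (i + 1 >= len) return OPT_TRUNCATED;
        uint8_t olen = buf[i + 1];
        /* i + 2 <= len here, so this subtraction cannot underflow */
        if (olen > len - (i + 2)) return OPT_TRUNCATED;
        if (code == DHCP_SUBNET) {
            if (olen != 4) return OPT_BAD_SUBNET_LEN;
            if (mask_out) memcpy(mask_out, buf + i + 2, 4);
        }
        i += 2 + (size_t)olen;
    }
    return OPT_NO_END;
}

/* Convenience: the subnet mask as a big-endian 32-bit value, or 0 when the
 * options are malformed or no subnet mask option is present. */
static uint32_t mask_as_u32(const uint8_t *buf, size_t len)
{
    uint8_t m[4] = {0, 0, 0, 0};
    if (validate_dhcp_options(buf, len, m) != OPT_OK) return 0;
    return ((uint32_t)m[0] << 24) | ((uint32_t)m[1] << 16) |
           ((uint32_t)m[2] << 8) | (uint32_t)m[3];
}

static const char *status_name(enum opt_status s)
{
    switch (s) {
    case OPT_OK:             return "ok";
    case OPT_TRUNCATED:      return "truncated option (would read past buffer)";
    case OPT_BAD_SUBNET_LEN: return "DHCP_SUBNET length is not 4";
    case OPT_NO_END:         return "missing DHCP_END";
    }
    return "unknown";
}

/* Constructed sample option blobs (not captured traffic). */
static const uint8_t good_opts[] = {
    0x35, 0x01, 0x02,                   /* message type = DHCPOFFER */
    0x01, 0x04, 0xff, 0xff, 0xff, 0x00, /* subnet mask 255.255.255.0 */
    0xff                                /* end */
};
/* subnet mask option claiming only 2 bytes of data, then end */
static const uint8_t short_subnet[] = { 0x01, 0x02, 0xff, 0xff, 0xff };
/* option claims 8 bytes of data but only 3 remain in the buffer */
static const uint8_t overrun[] = { 0x01, 0x08, 0x0a, 0x0b, 0x0c };
/* well-formed option but the buffer ends with no DHCP_END */
static const uint8_t no_end[] = { 0x35, 0x01, 0x02 };

int main(void)
{
    printf("good_opts:    %s (mask 0x%08x)\n",
           status_name(validate_dhcp_options(good_opts, sizeof good_opts, NULL)),
           mask_as_u32(good_opts, sizeof good_opts));
    printf("short_subnet: %s\n",
           status_name(validate_dhcp_options(short_subnet, sizeof short_subnet, NULL)));
    printf("overrun:      %s\n",
           status_name(validate_dhcp_options(overrun, sizeof overrun, NULL)));
    printf("no_end:       %s\n",
           status_name(validate_dhcp_options(no_end, sizeof no_end, NULL)));
    return 0;
}
```

The design point is that the length test happens before the data is read, and that the fixed-size option is checked for its exact length rather than merely for fitting in the buffer; a monitoring tool that applies the same two tests to the options field of observed DHCP traffic will surface exactly the malformed messages this advisory is about.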
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2019-01-09T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68487f5d1b0bd07c3938ed57
Added to database: 6/10/2025, 6:54:21 PM
Last enriched: 7/10/2025, 8:33:13 PM
Last updated: 8/17/2025, 4:45:52 PM