CVE-2014-9645
MEDIUMBusyBox < 1.22.1 - Local Kernel Module Loading Restriction Bypass via Slash in Module Name
Title source: llmDescription
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
References (10)
Core 10
Core References
Patch, Third Party Advisory x_refsource_misc
https://plus.google.com/+MathiasKrause/posts/PqFCo4bfrWu
Issue Tracking x_refsource_confirm
https://bugs.busybox.net/show_bug.cgi?id=7652
Mailing List, Patch, Third Party Advisory mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2015/01/24/4
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201503-13
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/72324
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1185707
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
http://git.busybox.net/busybox/commit/?id=4e314faa0aecb66717418e9a47a4451aec59262b
Vendor Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3935-1/
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Mar/15
Scores
CVSS v3
5.5
EPSS
0.0063
EPSS Percentile
46.1%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (1)
busybox/busybox
< 1.22.1
Published
Mar 12, 2017
Tracked Since
Feb 18, 2026