Security researchers from jFrog and Claroty reported the discovery of 14 vulnerabilities in the BusyBox Linux utility.
BusyBox Linux Vulnerabilities: from CVE-2021-42373 to CVE-2021-42386
What is BusyBox? BusyBox provides commands for embedded Linux environment within Android. It consists of useful Linux utilities, known as applets, packaged as a single executable.
BusyBox also has a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep, and others. Many OT and IoT devices run on the program, including PLCs (programmable logic controllers), HMIs (human-machine interfaces), and RTUs (remote terminal units).
The vulnerabilities, from CVE-2021-42373 to CVE-2021-42386, affect BusyBox versions from 1.16 to 1.33.1. they could cause denial-of-service conditions, and in specific circumstances could even cause data leaks and remote code execution, the researchers warned.
“Since the affected applets are not daemons, each vulnerability can only be exploited if the vulnerable applet is fed with untrusted data (usually through a command-line argument),” the researchers said.
The conclusion of the report is that, overall, the vulnerabilities do not pose great security risks due to the following reasons:
1. The DoS vulnerabilities are trivial to exploit, but the impact is usually mitigated by the fact that applets almost always run as a separate forked process.
2. The information leak vulnerability is nontrivial to exploit (see, next section).
3. The use-after-free vulnerabilities may be exploitable for remote code execution, but currently we did not attempt to create a weaponized exploit for them. In addition, it is quite rare (and inherently unsafe) to process an awk pattern from external input.
Nonetheless, patching is necessary. The good news is that all 14 flaws have been fixed in BusyBox 1.34.0.
“If upgrading BusyBox is not possible (due to specific version compatibility needs), BusyBox 1.33.1 and earlier versions can be compiled without the vulnerable functionality (applets) as a workaround,” the report pointed out.
Earlier this month, a security vulnerability in the Linux Kernel’s Transparent Inter Process Communication (TIPC) was discovered. The flaw can be exploited both locally and remotely, allowing for arbitrary code execution within the kernel. The result of this would be taking over vulnerable devices. The CVSS score of CVE-2021-43267 is 9.8, making the vulnerability highly severe and dangerous.