On Tuesday, November 9th, 2021, a senior cybersecurity researcher from JFrog discovered 14 critical vulnerabilities in the “BusyBox” Linux utility that could be exploited to cause a denial of service (DoS) condition and, in some cases, lead to information leaks and remote code execution.
According to a joint report from DevOps company JFrog and industrial cybersecurity company Claroty, the security flaws, tracked as CVE-2021-42373 through CVE-2021-42386, affect multiple versions of the tool ranging from 1.16 to 1.33.
Labelled "The Swiss Army Knife of Embedded Linux", BusyBox is a popular software suite that combines several common Unix utilities, or applets (e.g., cp, ls, grep), into a single executable file that can run on Linux systems such as programmable logic controllers (PLC), human-machine interfaces (HMI) and remote terminal units (RTU).
How it works
Successful exploitation of the flaws is triggered by supplying untrusted data via the command line to the vulnerable applets, which could result in denial of service, unintended disclosure of sensitive information and potentially code execution. All of the vulnerabilities were fixed in BusyBox version 1.34.0, which was released on August 19th, 2021.
These vulnerabilities only manifest in specific cases, but can be extremely problematic when exploited.
Update all affected BusyBox installations to version 1.34.0.
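As an added example that is not part of the original advisory, the following POSIX shell script parses a BusyBox version banner and reports whether the version falls in the affected range the advisory lists (1.16 through 1.33), so administrators can inventory devices before updating. The sample banners are constructed, not real device output.

```shell
#!/bin/sh
# Added example: flag BusyBox builds in the advisory's affected range (1.16-1.33).
# 1.34.0 and later carry the fixes, so they are reported as not affected.
# On a device: busybox_affected "$(busybox 2>&1 | head -n 1)"

# Extract "MAJOR.MINOR[.PATCH]" from a banner such as
# "BusyBox v1.33.1 (2021-06-07 17:28:07 UTC) multi-call binary."
busybox_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when 1.16 <= version <= 1.33.x, 1 when outside that range,
# and 2 when the banner cannot be parsed, so callers can tell
# "unknown" apart from "patched".
busybox_affected() {
    ver=$(busybox_version "$1")
    [ -n "$ver" ] || return 2
    case $ver in
        *.*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # The advisory only concerns the 1.x line; other majors are out of scope.
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -ge 16 ] && [ "$minor" -le 33 ]; then
        return 0
    fi
    return 1
}

# Constructed sample banners for demonstration
for banner in \
    "BusyBox v1.33.1 (2021-06-07 17:28:07 UTC) multi-call binary." \
    "BusyBox v1.34.0 (2021-08-19 12:00:00 UTC) multi-call binary." \
    "BusyBox v1.15.3 (2010-01-01 00:00:00 UTC) multi-call binary."
do
    if busybox_affected "$banner"; then
        echo "AFFECTED: $banner"
    else
        echo "ok:       $banner"
    fi
done
```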
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
New security flaws found in BusyBox Linux utility for embedded devices (9th November 2021). Retrieved from JFrog.
New security flaws found in BusyBox Linux utility for embedded devices (10th November 2021). Retrieved from The Hacker News.