BusyBox is an open-source utility that combines several standard Unix tools such as cp, ls, grep into a single binary or executable file.
Researchers from DevOps firm JFrog and industrial cybersecurity company Claroty have published a joint report detailing fourteen vulnerabilities they identified in the BusyBox Linux utility.
About the Flaws
These security vulnerabilities are tracked as CVE-2021-42373 through CVE-2021-42386. Reportedly, they affect multiple versions of BusyBox, ranging from 1.16 through 1.33.1. BusyBox developers patched all of the flaws in August with the release of version 1.34.0.
According to researchers, these security flaws can be exploited by threat actors to launch DoS (denial-of-service) attacks. In some cases, if exploited, these can also lead to remote code execution and information disclosure.
However, the flaws were assigned a Medium severity rating because researchers consider them unlikely to be exploited for malicious purposes.
What is BusyBox?
This single-binary toolkit is generally used by embedded devices such as IoT products and ICS (industrial control systems).
Also known as the Swiss Army Knife of Embedded Linux, the tool runs on Linux systems like human-machine interfaces (HMIs), programmable logic controllers (PLCs), and remote terminal units (RTUs).
How Could Attackers Exploit the Flaws?
Researchers revealed that to exploit these flaws, attackers must meet specific requirements: they need control over all parameters passed to a vulnerable applet and must supply specially crafted command lines and a specially crafted file. During their investigation, researchers manually reviewed the BusyBox source code and used fuzzing to identify these weaknesses.
Moreover, to gauge the threat level of these flaws, researchers inspected JFrog’s database of over 10,000 embedded firmware images. The database was composed of publicly available firmware images rather than ones uploaded to JFrog Artifactory.
“We found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware,” researchers wrote in their blog post.
They further noted that, although the DoS flaws are the easiest to exploit, the threat is mitigated when applets run as a separate forked process.
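The firmware survey above boils down to two checks a defender can repeat on their own images or devices: is the BusyBox build inside the affected 1.16 through 1.33.1 range (patched in 1.34.0), and does that build include any of the applets named in the advisory? The POSIX shell script below is an added example, not code from the JFrog/Claroty report or the BusyBox project. It assumes the banner format `BusyBox v1.33.1 (...) multi-call binary` and the `busybox --list` output format; `AFFECTED_APPLETS` is a placeholder to be filled from the advisory, and the applet names shown in it are illustrative assumptions only.

```shell
#!/bin/sh
# Added example: triage helper for BusyBox builds (not the report's own tooling).
# Affected range per the article: 1.16 through 1.33.1; fixed in 1.34.0.

# Placeholder: fill in from the advisory. The names here are illustrative only.
AFFECTED_APPLETS="${AFFECTED_APPLETS:-awk hush}"

# Pull "1.33.1" out of a banner such as:
#   "BusyBox v1.33.1 (2021-01-01 00:00:00 UTC) multi-call binary."
busybox_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p'
}

# Turn "MAJOR.MINOR[.PATCH]" into a single integer so versions compare numerically
# ("1.33.1" -> 1033001, "1.16" -> 1016000).
version_key() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) when the version is >= 1.16 and < 1.34.0.
busybox_version_affected() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 1.16)" ] && [ "$k" -lt "$(version_key 1.34.0)" ]
}

# $1: advisory applet list, $2: applets present in the build (whitespace-separated,
# e.g. the output of `busybox --list`). Prints the overlap; exit 0 if any matched.
affected_applets_present() {
    found=""
    for have in $2; do
        for bad in $1; do
            [ "$have" = "$bad" ] && found="$found $have"
        done
    done
    printf '%s\n' "${found# }"
    [ -n "$found" ]
}

# Live check against a BusyBox binary (defaults to the one on PATH).
# Exit 0 = not affected, 1 = affected, 2 = could not determine.
audit_busybox() {
    bin=${1:-$(command -v busybox)}
    [ -n "$bin" ] && [ -x "$bin" ] || { echo "no busybox binary found" >&2; return 2; }
    banner=$("$bin" 2>&1 | head -n 1)
    ver=$(busybox_version_from_banner "$banner")
    [ -n "$ver" ] || { echo "could not parse banner: $banner" >&2; return 2; }
    if ! busybox_version_affected "$ver"; then
        echo "$bin: BusyBox $ver is outside the affected range"
        return 0
    fi
    hits=$(affected_applets_present "$AFFECTED_APPLETS" "$("$bin" --list)")
    if [ -n "$hits" ]; then
        echo "$bin: BusyBox $ver is in the affected range and ships: $hits"
        return 1
    fi
    echo "$bin: BusyBox $ver is in the affected range but none of the listed applets are built in"
    return 0
}

# Only touch the running system when explicitly asked (./script --audit [path]).
if [ "${1:-}" = "--audit" ]; then
    audit_busybox "${2:-}"
fi
```

For firmware images rather than a live device, run the same functions against the BusyBox binary extracted from the root filesystem; the version and applet list are all the script needs, which matches the two facts the researchers used when they found a BusyBox binary "linked with one of the affected applets" in 40% of images.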