New Security Flaws Found in BusyBox Linux Utility for Embedded Devices (15th November 2021)

Ref# AL2021_42 | Date: Nov 15th 2021

On Tuesday, November 9th, 2021, security researchers from JFrog and Claroty disclosed 14 vulnerabilities in the "BusyBox" Linux utility that can be exploited to cause a denial of service (DoS) condition and, in some cases, lead to information leaks and remote code execution.

Summary

The security flaws, tracked as CVE-2021-42373 through CVE-2021-42386, affect BusyBox versions 1.16 through 1.33, according to a joint report from DevOps company JFrog and industrial cybersecurity company Claroty.

Often described as "The Swiss Army Knife of Embedded Linux", BusyBox is a popular software suite that combines many common Unix utilities, or applets (e.g. cp, ls, grep), into a single executable file. It is widely shipped in the firmware of embedded and operational-technology devices such as programmable logic controllers (PLC), human-machine interfaces (HMI) and remote terminal units (RTU).

How it works

The flaws are triggered by feeding untrusted data to a vulnerable applet, either as command-line arguments or as input it parses. Most of the issues are in the awk applet, with the remainder in man, lzma/unlzma, ash and hush. Depending on the applet, the result is a crash (denial of service), unintended disclosure of sensitive memory contents, or potentially code execution. The vulnerabilities were fixed in BusyBox version 1.34.0, released on August 19th, 2021.

These vulnerabilities only manifest in specific circumstances, in particular when an attacker can control the input reaching one of the affected applets, but they can be extremely problematic when those circumstances are present, since BusyBox is frequently the only shell and toolset on a device.

Remediation

Update BusyBox to version 1.34.0 or later. On embedded devices this usually means applying the vendor's firmware update that ships the fixed version. Where an update is not yet available, the affected applets can be left out when BusyBox is built (they are individually selectable at configuration time), and any interface that lets untrusted input reach awk, man, unlzma, ash or hush should be restricted.
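A quick way to triage a device is to compare its BusyBox banner against the affected 1.16 to 1.33 range and see which of the applets named in the JFrog/Claroty report are actually built in. The script below is an added example written for this alert, not code from the CIRT or from the BusyBox project; it assumes the `busybox --list` option is available on the target (the bare `busybox` command on older builds prints the same applet table), and the sample banner and applet list at the bottom are constructed input, not captured from any real product.

```sh
#!/bin/sh
# Added example: triage a BusyBox binary against CVE-2021-42373..42386.
# Assumption: the applet names come from the public JFrog/Claroty report.
AFFECTED_APPLETS="man lzma unlzma ash hush awk"

# busybox_version_affected "<banner line>"
#   returns 0 if the banner reports 1.16 <= version <= 1.33,
#   1 if the version is outside that range, 2 if it is not a BusyBox banner.
# Example banner: "BusyBox v1.31.1 (2021-02-05 13:25:43 UTC) multi-call binary."
busybox_version_affected() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^BusyBox v\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -eq 1 ] && [ "$minor" -ge 16 ] && [ "$minor" -le 33 ]; then
        return 0
    fi
    return 1
}

# list_affected_applets "<whitespace-separated applet names>"
#   prints the names that appear in AFFECTED_APPLETS, one per line.
list_affected_applets() {
    for a in $AFFECTED_APPLETS; do
        for b in $1; do
            [ "$a" = "$b" ] && printf '%s\n' "$a"
        done
    done
    return 0
}

# check_busybox "<banner line>" "<applet list>"  -  human-readable verdict
check_busybox() {
    if busybox_version_affected "$1"; then
        echo "AFFECTED version: $1"
        echo "Built-in applets named in the report:"
        list_affected_applets "$2" | sed 's/^/  /'
    else
        echo "Not in the affected 1.16-1.33 range: $1"
    fi
}

# Constructed sample input standing in for the output of `busybox` (first
# line) and `busybox --list` on a device; not taken from any real firmware.
SAMPLE_BANNER="BusyBox v1.31.1 (2021-02-05 13:25:43 UTC) multi-call binary."
SAMPLE_APPLETS="ash awk cat cp grep hush ls man sh unlzma"

check_busybox "$SAMPLE_BANNER" "$SAMPLE_APPLETS"
```

On a live device, replace the sample values with `busybox 2>&1 | head -n 1` and `busybox --list`. The version test is deliberately coarse: a vendor may have backported the fixes to an older version string, or may ship a 1.33 build with the affected applets compiled out, so treat a match as a prompt to confirm with the vendor rather than as proof of exposure. Conversely, a banner outside the range only clears the binary examined; devices often carry more than one BusyBox copy, for example in a recovery partition.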

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
