Cybersecurity researchers discovered 14 critical vulnerabilities in the BusyBox Linux utility suite. Attackers could exploit the flaws to carry out a denial-of-service (DoS) attack and, in some cases, to cause information leaks and remote code execution.
DevOps company JFrog and industrial cybersecurity company Claroty said in a joint report that the security weaknesses, tracked as CVE-2021-42373 through CVE-2021-42386, affect BusyBox versions 1.16 through 1.33.1.
BusyBox, labelled “the Swiss Army Knife of Embedded Linux,” is a popular software suite that merges a multitude of common Unix utilities, or applets, into a single executable file. The combined binary runs on Linux-based systems such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs).
A list of the flaws and the applets they affect follows:
- man – CVE-2021-42373
- lzma/unlzma – CVE-2021-42374
- ash – CVE-2021-42375
- hush – CVE-2021-42376, CVE-2021-42377
- awk – CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386
“These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable,” said Shachar Menashe, senior director of security research at JFrog. “The proliferation of BusyBox makes this an issue that needs to be addressed by security teams. As such, we encourage companies to upgrade their BusyBox version, or make sure they are not using any of the affected applets.”
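The remediation advice above (upgrade BusyBox, or confirm that none of the affected applets are in use) can be turned into a simple inventory check. The POSIX shell script below is an added example; it is not part of the JFrog/Claroty report or of BusyBox itself. It assumes the standard BusyBox banner format (`BusyBox v1.33.1 (...) multi-call binary.`) and the `busybox --list` applet listing, and it encodes only the version range and applet names given in this article.

```shell
#!/bin/sh
# Added example, not from the JFrog/Claroty report: flag a BusyBox build that
# is both inside the affected version range (1.16 through 1.33.1) and ships
# one of the applets named in the article.

# Applets carrying CVE-2021-42373 through CVE-2021-42386, per the article.
AFFECTED_APPLETS="man lzma unlzma ash hush awk"

# Pull "1.33.1" out of the banner line BusyBox prints when run with no arguments.
# $1: banner text (assumed format: "BusyBox v1.33.1 (...) multi-call binary.")
busybox_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if MAJOR.MINOR[.PATCH] lies in 1.16.0 .. 1.33.1 inclusive,
# 1 if outside the range, 2 if the argument is not a version string.
version_in_affected_range() {
    v=$1
    case $v in
        ''|*[!0-9.]*) return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0          # no minor component
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # no patch component
    : "${minor:=0}" "${patch:=0}"
    # Pack into one integer so the range check is a plain comparison.
    n=$((major * 1000000 + minor * 1000 + patch))
    [ "$n" -ge 1016000 ] && [ "$n" -le 1033001 ]
}

# Print the affected applets that appear in a newline-separated applet list.
# $1: applet list (e.g. the output of `busybox --list`)
affected_applets_present() {
    for a in $AFFECTED_APPLETS; do
        printf '%s\n' "$1" | grep -qx "$a" && printf '%s\n' "$a"
    done
    return 0
}

# Overall verdict: 0 when the build is in range AND ships an affected applet,
# 1 when it is not exposed on this evidence, 2 when the banner is unparseable.
# $1: banner text, $2: applet list
busybox_exposed() {
    ver=$(busybox_version "$1")
    [ -n "$ver" ] || return 2
    version_in_affected_range "$ver" || return 1
    [ -n "$(affected_applets_present "$2")" ]
}

# Stand-alone use: inspect the busybox binary on PATH, if there is one.
if command -v busybox >/dev/null 2>&1; then
    banner=$(busybox 2>&1 | head -n 1)
    applets=$(busybox --list 2>/dev/null) || applets=""
    if busybox_exposed "$banner" "$applets"; then
        echo "$banner"
        echo "in affected range; affected applets present:"
        affected_applets_present "$applets"
    else
        echo "$banner"
        echo "not flagged on version/applet evidence"
    fi
fi
```

The result is an inventory signal, not a proof of exploitability: a build in the affected range with `awk` compiled in does not mean the vulnerable code path is reachable on a given device, and vendor firmware often carries backported fixes without a version bump, so the verdict should be confirmed against the vendor's own advisory or a patched build.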