Experts found 14 new flaws in BusyBox, millions of devices at risk

Pierluigi Paganini November 10, 2021

Researchers have identified a total of 14 new vulnerabilities in BusyBox that expose million of Unix-based devices to cyberattacks.

Researchers from software development company JFrog and industrial cybersecurity firm Claroty have identified a total of 14 new critical vulnerabilities in BusyBox. The software is used by many network appliances and embedded devices with limited memory and storage resources.

Below is the list of vulnerabilities discovered by the experts:

CVE IDDescriptionAffected appletAffected versions (inclusive)ImpactCVSS v3.1
CVE-2021-42373A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is givenman1.33.0-1.33.1DoS5.1
CVE-2021-42374An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.lzma/unlzma and more (see below)1.27.0 – 1.33.1 DoS & InfoLeak6.5
CVE-2021-42375An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.ash1.33.1DoS4.1
CVE-2021-42376A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.hush1.16-1.31.1DoS4.1
CVE-2021-42377An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.hush1.33.0-1.33.1DoS & Possible RCE6.4
CVE-2021-42378A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i functionawk1.16-1.33.1DoS & Possible RCE6.6
CVE-2021-42379A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file functionawk1.18-1.33.1DoS & Possible RCE6.6
CVE-2021-42380A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar functionawk1.28-1.33.1DoS & Possible RCE6.6
CVE-2021-42381A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init functionawk1.21-1.33.1DoS & Possible RCE6.6
CVE-2021-42382A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s functionawk1.26-1.33.1DoS & Possible RCE6.6
CVE-2021-42383A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate functionawk1.33.1DoS & Possible RCE6.6
CVE-2021-42384A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special functionawk1.18-1.33.1DoS & Possible RCE6.6
CVE-2021-42385A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate functionawk1.16-1.33.1DoS & Possible RCE6.6
CVE-2021-42386A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc functionawk1.16-1.33.1DoS & Possible RCE6.6

The flaws, tracked with CVE IDs from CVE-2021-42373 through CVE-2021-42386, affect multiple versions of BusyBox ranging from 1.16-1.33.1, depending on the specific vulnerability. The vulnerabilities affect a variety of applets such as “man,” “lzma/unizma”, “ash”, “hush”, “awk.”

The vulnerabilities have been rated as medium severity because their exploitation is very complex. The researchers discovered the vulnerabilities by manually reviewing the BusyBox source code, they also used a fuzzer for their analysis. The researchers also open-sourced the custom AFL fuzzer used to trigger many of the mentioned vulnerabilities.

“To assess the threat level posed by these vulnerabilities, we inspected JFrog’s database of more than 10,000 embedded firmware images (composed of only publicly available firmware images, and not ones uploaded to JFrog Artifactory).” reads the post published by the researchers, “We found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware.”

The vulnerabilities discovered by the researchers can be exploited to trigger denial-of-service (DoS) conditions and in some cases, they can lead to information disclosure or remote code execution.

Experts pointed out that the affected applets are not daemons, this means that each vulnerability can only be exploited if the vulnerable applet is fed with untrusted data 

One of the conditions for the exploitation of the flaw is that the attacker has to be able to manipulate all the parameters that are passed to a vulnerable applet.

There are certain requirements for exploiting the vulnerabilities discovered by Claroty and JFrog, including the attacker being able to control all parameters passed to a vulnerable applet, supplying crafted compressed files and specially crafted command lines.

BusyBox addressed the above vulnerabilities in August with the release of version 1.34.0, it also released workarounds for these issues.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment