Experts found 14 new flaws in BusyBox, millions of devices at risk

Researchers have identified a total of 14 new vulnerabilities in BusyBox that expose million of Unix-based devices to cyberattacks.

Researchers from software development company JFrog and industrial cybersecurity firm Claroty have identified a total of 14 new critical vulnerabilities in BusyBox. The software is used by many network appliances and embedded devices with limited memory and storage resources.

Below is the list of vulnerabilities discovered by the experts:

CVE ID	Description	Affected applet	Affected versions (inclusive)	Impact	CVSS v3.1
CVE-2021-42373	A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is given	man	1.33.0-1.33.1	DoS	5.1
CVE-2021-42374	An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.	lzma/unlzma and more (see below)	1.27.0 – 1.33.1	DoS & InfoLeak	6.5
CVE-2021-42375	An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.	ash	1.33.1	DoS	4.1
CVE-2021-42376	A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.	hush	1.16-1.31.1	DoS	4.1
CVE-2021-42377	An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.	hush	1.33.0-1.33.1	DoS & Possible RCE	6.4
CVE-2021-42378	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function	awk	1.16-1.33.1	DoS & Possible RCE	6.6
CVE-2021-42379	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function	awk	1.18-1.33.1	DoS & Possible RCE	6.6
CVE-2021-42380	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function	awk	1.28-1.33.1	DoS & Possible RCE	6.6
CVE-2021-42381	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function	awk	1.21-1.33.1	DoS & Possible RCE	6.6
CVE-2021-42382	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function	awk	1.26-1.33.1	DoS & Possible RCE	6.6
CVE-2021-42383	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function	awk	1.33.1	DoS & Possible RCE	6.6
CVE-2021-42384	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function	awk	1.18-1.33.1	DoS & Possible RCE	6.6
CVE-2021-42385	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function	awk	1.16-1.33.1	DoS & Possible RCE	6.6
CVE-2021-42386	A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function	awk	1.16-1.33.1	DoS & Possible RCE	6.6

The flaws, tracked with CVE IDs from CVE-2021-42373 through CVE-2021-42386, affect multiple versions of BusyBox ranging from 1.16-1.33.1, depending on the specific vulnerability. The vulnerabilities affect a variety of applets such as “man,” “lzma/unizma”, “ash”, “hush”, “awk.”

The vulnerabilities have been rated as medium severity because their exploitation is very complex. The researchers discovered the vulnerabilities by manually reviewing the BusyBox source code, they also used a fuzzer for their analysis. The researchers also open-sourced the custom AFL fuzzer used to trigger many of the mentioned vulnerabilities.

“To assess the threat level posed by these vulnerabilities, we inspected JFrog’s database of more than 10,000 embedded firmware images (composed of only publicly available firmware images, and not ones uploaded to JFrog Artifactory).” reads the post published by the researchers, “We found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware.”

The vulnerabilities discovered by the researchers can be exploited to trigger denial-of-service (DoS) conditions and in some cases, they can lead to information disclosure or remote code execution.

Experts pointed out that the affected applets are not daemons, this means that each vulnerability can only be exploited if the vulnerable applet is fed with untrusted data 

One of the conditions for the exploitation of the flaw is that the attacker has to be able to manipulate all the parameters that are passed to a vulnerable applet.

There are certain requirements for exploiting the vulnerabilities discovered by Claroty and JFrog, including the attacker being able to control all parameters passed to a vulnerable applet, supplying crafted compressed files and specially crafted command lines.

BusyBox addressed the above vulnerabilities in August with the release of version 1.34.0, it also released workarounds for these issues.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)

[adrotate banner=”5″]

[adrotate banner=”13″]