BusyBox is well known as the Swiss Army Knife of embedded Linux. It is a software suite of many common Unix utilities, known as applets, packaged into a single executable file.
Because embedded devices such as WiFi routers usually come with limited memory and storage, it is common to use BusyBox to supply the utilities of the running OS. Within BusyBox you can find a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep and others.
It is also very likely to find BusyBox on OT and IoT devices, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs) and remote terminal units (RTUs), many of which now run on Linux.
Using static and dynamic analysis techniques, Claroty's Team82 and JFrog found 14 vulnerabilities in what was then the latest BusyBox release. All of them were privately disclosed and fixed in BusyBox 1.34.0, released Aug. 19, 2021. Because BusyBox ships as one multi-call binary baked into firmware, a device stays exposed until its vendor ships a build based on 1.34.0 or later, or backports the fixes.
In most cases the expected impact of these issues is denial of service (DoS). In rarer cases they can also lead to an information leak and possibly remote code execution. Note that the shell and awk bugs require an attacker to get a crafted command or pattern into the affected applet, and an applet that is compiled out of a given build cannot be reached at all.
The Vulnerabilities
CVE ID | Description | Applet | Impact | CVSS |
---|---|---|---|---|
CVE-2021-42373 | A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is given | man | DoS | 5.1 |
CVE-2021-42374 | An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression. | lzma/unlzma | DoS & InfoLeak | 6.5 |
CVE-2021-42375 | An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input. | ash | DoS | 4.1 |
CVE-2021-42376 | A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. | hush | DoS | 4.1 |
CVE-2021-42377 | An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. | hush | DoS/RCE | 6.4 |
CVE-2021-42378 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function | awk | DoS/RCE | 6.6 |
CVE-2021-42379 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function | awk | DoS/RCE | 6.6 |
CVE-2021-42380 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function | awk | DoS/RCE | 6.6 |
CVE-2021-42381 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function | awk | DoS/RCE | 6.6 |
CVE-2021-42382 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function | awk | DoS/RCE | 6.6 |
CVE-2021-42383 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | awk | DoS/RCE | 6.6 |
CVE-2021-42384 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function | awk | DoS/RCE | 6.6 |
CVE-2021-42385 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function | awk | DoS/RCE | 6.6 |
CVE-2021-42386 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function | awk | DoS/RCE | 6.6 |
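The fixed version and the per-applet table above translate directly into a quick triage check for a device image. The script below is an added example, not code from the original page, from BusyBox or from Team82/JFrog. It assumes two stock BusyBox behaviours: running `busybox` with no arguments prints a banner that begins `BusyBox v<version>`, and `busybox --list` prints one applet name per line. The sample banner and applet list at the bottom are constructed for the demo, not captured from a real device.

```shell
#!/bin/sh
# Added example: triage a BusyBox build against the 1.34.0 fix line.
# Not code from the original page, from BusyBox or from Team82/JFrog.
# Assumed (true for stock BusyBox): 'busybox' with no arguments prints a
# banner starting "BusyBox v<version>", and 'busybox --list' prints one
# applet per line. Vendors sometimes backport fixes without bumping the
# version, so read "vulnerable" here as "needs a closer look".

# Extract "1.33.1" from a banner such as
# "BusyBox v1.33.1 (2021-05-01 10:00:00 UTC) multi-call binary."
busybox_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p'
}

# Print "fixed" when version $1 is 1.34.0 or later, "vulnerable" otherwise.
# Only major.minor matter: every 1.34.x release carries the fixes.
# An empty or unparseable version is reported as vulnerable on purpose.
busybox_status() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    major=$(printf '%s' "${1:-0}" | tr -cd '0-9')   # tolerate "1.34.0-r1"
    minor=$(printf '%s' "${2:-0}" | tr -cd '0-9')
    if [ "${major:-0}" -gt 1 ] || { [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -ge 34 ]; }; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Read 'busybox --list' output on stdin and print, sorted and space
# separated, the applets from the table above that this build ships.
# An applet that is compiled out cannot be reached, so it drops out.
affected_applets_present() {
    grep -x -E 'man|lzma|unlzma|ash|hush|awk' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# $1: banner line, $2: newline-separated applet list. Prints one verdict line.
busybox_triage() {
    ver=$(busybox_version "$1")
    status=$(busybox_status "$ver")
    applets=$(printf '%s\n' "$2" | affected_applets_present)
    printf 'BusyBox %s: %s; affected applets built in: %s\n' \
        "${ver:-unknown}" "$status" "${applets:-none}"
}

# On a device (banner goes to stderr, hence 2>&1):
#   busybox_triage "$(busybox 2>&1 | head -n 1)" "$(busybox --list)"
# Constructed sample data (not captured from a real device):
SAMPLE_BANNER='BusyBox v1.33.1 (2021-05-01 10:00:00 UTC) multi-call binary.'
SAMPLE_APPLETS='ash
awk
cp
ls
unlzma'
busybox_triage "$SAMPLE_BANNER" "$SAMPLE_APPLETS"
```

Two caveats when reading the output. First, the version string is necessary but not sufficient evidence: a vendor may have backported the 1.34.0 fixes into an older version string, or may rebuild from a fixed tree while keeping an old banner, so confirm against the vendor's advisory or the actual source tree. Second, the table notes that the unlzma bug is reachable from any applet or format that supports LZMA internally, so an image whose `--list` lacks `unlzma` is not automatically clear of CVE-2021-42374.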
Links:
- https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/