BusyBox vulnerabilities impact embedded Linux OS used in IoT and OT devices

BusyBox vulnerabilities impact embedded Linux OS used in IoT and OT devices

Researchers have discovered 14 BusyBox vulnerabilities that impact embedded Linux OS used in many internet of things (IoT) and operational technology (OT) devices.

BusyBox is known as the “Swiss Army Knife” of embedded Linux, a collection of useful Unix utilities packaged up into a single small executable that can run on embedded devices with limited memory and storage resources.

The researchers from Claroty’s Team82 and JFrog jointly discovered the BusyBox vulnerabilities and privately disclosed them to BusyBox. The issues were then fixed on August 19 as part of BusyBox version 1.34.0 release.

“In most cases, the expected impact of these issues is denial of service (DoS). However, in rarer cases, these issues can also lead to information leaks and possibly remote code execution,” the security team wrote in a recent blog post.

The 14 vulnerabilities (and affected applet) are listed as follows:

  1. CVE-2021-42373 (man)
  2. CVE-2021-42374 (lzma/unlzma and more)
  3. CVE-2021-42375 (ash)
  4. CVE-2021-42376 (hush)
  5. CVE-2021-42377 (hush)
  6. CVE-2021-42378 (awk)
  7. CVE-2021-42379 (awk)
  8. CVE-2021-42380 (awk)
  9. CVE-2021-42381 (awk)
  10. CVE-2021-42382 (awk)
  11. CVE-2021-42383 (awk)
  12. CVE-2021-42384 (awk)
  13. CVE-2021-42385 (awk)
  14. CVE-2021-42386 (awk)

All of the CVEs have a CVSS score ranging from 4.1 to 6.6 or Medium severity.

Each of these vulnerabilities could be exploited if the vulnerable applet is fed untrusted data (e.g., via a command-line argument).

Related Articles