The BusyBox Linux utility suite used in embedded devices is affected by 15 newly disclosed security flaws. According to cybersecurity firm Claroty, these vulnerabilities can be exploited to cause a denial-of-service (DoS) condition and, in some cases, information leaks and remote code execution.
BusyBox, also dubbed “the Swiss Army Knife of Embedded Linux”, is a widely used software suite that bundles numerous Unix utilities, or applets (e.g., cp, ls, grep), into a single executable file. It runs on Linux systems such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs).
Researchers at DevOps company JFrog and industrial cybersecurity company Claroty tracked the vulnerabilities as CVE-2021-42373 through CVE-2021-42386. In a joint report, the firms said the flaws affect multiple versions of the tool, ranging from 1.16 to 1.33.1.
A list of the flaws and the applets they impact:
- man – CVE-2021-42373
- lzma/unlzma – CVE-2021-42374
- ash – CVE-2021-42375
- hush – CVE-2021-42376, CVE-2021-42377
- awk – CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386
The flaws can be exploited by supplying untrusted data to the vulnerable applets via the command line, leading to denial of service, inadvertent disclosure of sensitive information, and potentially code execution. Following responsible disclosure, the vulnerabilities were fixed earlier, on August 19, in BusyBox version 1.34.0.
JFrog and Claroty said, “These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable. The proliferation of BusyBox makes this an issue that needs to be addressed by security teams. As such, we encourage companies to upgrade their BusyBox version, or make sure they are not using any of the affected applets.”
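The two checks the advice above calls for, version in the affected range and presence of the listed applets, as an added POSIX shell inventory script that is not part of the report or the BusyBox project. It assumes the standard `BusyBox vX.Y.Z (...)` banner that `busybox` prints on its first line and that `busybox --list` enumerates the built-in applets; the banner and applet list below are constructed samples.

```shell
# Added inventory check (not from the Claroty/JFrog report): decide whether a
# BusyBox build falls in the affected 1.16-1.33.1 range and which of the
# applets named in the advisory it actually ships.

# Applets named in the advisory (CVE-2021-42373 through CVE-2021-42386).
AFFECTED_APPLETS="man lzma unlzma ash hush awk"

# version_le A B: succeed when dotted version A <= B, comparing each
# component numerically (so 1.9 < 1.16 and 1.33 equals 1.33.0).
version_le() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 0
}

# banner_version LINE: extract "1.33.1" from the first line `busybox` prints,
# e.g. "BusyBox v1.33.1 (2021-04-12 11:34:31 UTC) multi-call binary."
banner_version() {
  printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p'
}

# busybox_affected VERSION "APPLET ...": print the advisory applets that are
# built in; succeed only if VERSION is within 1.16..1.33.1 and at least one is.
busybox_affected() {
  version_le 1.16 "$1" && version_le "$1" 1.33.1 || return 1
  found=""
  for applet in $2; do
    for bad in $AFFECTED_APPLETS; do
      [ "$applet" = "$bad" ] && found="$found $applet"
    done
  done
  [ -n "$found" ] || return 1
  printf '%s\n' "${found# }"
}

# Constructed sample standing in for `busybox | head -n1` and `busybox --list`
# captured from a device; on a real host substitute those commands' output.
SAMPLE_BANNER="BusyBox v1.31.1 (2020-06-30 13:44:40 UTC) multi-call binary."
SAMPLE_APPLETS="[ ash awk cat cp grep ls lzma sh"

if ver=$(banner_version "$SAMPLE_BANNER") && hits=$(busybox_affected "$ver" "$SAMPLE_APPLETS"); then
  echo "BusyBox $ver is in the affected range; applets to patch or drop: $hits"
else
  echo "BusyBox ${ver:-unknown} is not affected or ships none of the listed applets"
fi
```

A build that is in range but omits all six applets exits non-zero, matching the report's "upgrade or make sure you are not using the affected applets" guidance.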