BusyBox, an open-source tool, ships in embedded firmware and Linux devices worldwide. It bundles many common Unix utilities, known as applets, into a single executable file. As part of a joint project surveying the security of widely used open-source software, researchers from JFrog and Claroty evaluated BusyBox and found 14 flaws in its applets. Note that none of these flaws is exploitable on its own: each requires the attacker to feed the affected applet malicious, crafted input, such as a manipulated file or script. The flaws are rated in the “medium” range and are complex to exploit, but that will not stop an attacker with the skill and motivation to use BusyBox as one link in an attack chain.
The vulnerabilities affect the awk, hush, ash and man applets and the lzma/unlzma compression code, and 10 of the 14 CVEs carry the possibility of remote code execution. According to the researchers, “Within BusyBox you can find a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep, and others. You’re likely to find many OT and IoT devices running BusyBox, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs)—many of which now run on Linux.” That is an important warning for any organization assessing the risk of running unpatched BusyBox builds.
The BusyBox maintainers released fixes for all of these vulnerabilities in August, in BusyBox 1.34.0. Vulnerability management teams naturally prioritize high- and critical-rated flaws, but we have seen time after time that threat actors are willing to make the extra effort in a coordinated attack, provided the target is valuable enough. Because these devices often sit deep inside a network, an attacker who reaches them has usually already compromised other hosts, so detecting exploitation at this layer most likely means an attack is already in progress. The Threat Hunt team at Binary Defense regularly hunts in these layers for anomalous or suspicious behavior and can assist with detecting potential compromise.
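A practitioner's first question is which devices still run a pre-1.34.0 BusyBox that includes the affected applets. The POSIX shell script below is an added example, not code from the original post or from BusyBox, JFrog or Claroty. It parses the version banner that `busybox` prints when run with no arguments and the applet list from `busybox --list`, both of which are real BusyBox behaviours; the sample banner and applet list embedded in the script are constructed so it runs offline, and the fixed-version constant of 1.34.0 comes from the BusyBox release history. The function names (`version_lt`, `busybox_version`, `vulnerable_applets`, `report`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, BusyBox, JFrog or Claroty):
# flag a BusyBox build older than the fixed release that still ships the
# applets named in the JFrog/Claroty findings.

# Applets named in the findings (lzma/unlzma are the compression applets).
AFFECTED_APPLETS="awk ash hush man lzma unlzma"
# First BusyBox release carrying the fixes (BusyBox release history).
FIXED_VERSION="1.34.0"

# version_lt A B: true (exit 0) when dotted version A sorts before B.
# Missing trailing fields count as zero, so "1.9" < "1.34.0" and
# "1.34" == "1.34.0". Uses awk, which is fine here because the input is
# our own version strings, not untrusted device data.
version_lt() {
    printf '%s %s\n' "$1" "$2" | awk '{
        n = split($1, a, "."); m = split($2, b, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# busybox_version: read the banner on stdin, e.g.
#   BusyBox v1.33.1 (2021-06-30 12:00:00 UTC) multi-call binary.
# and print just the version number ("1.33.1").
busybox_version() {
    sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# vulnerable_applets VERSION APPLET...: print each affected applet that is
# present in the given applet list, but only if VERSION predates the fix.
vulnerable_applets() {
    ver=$1
    shift
    version_lt "$ver" "$FIXED_VERSION" || return 0
    for applet in "$@"; do
        case " $AFFECTED_APPLETS " in
            *" $applet "*) printf '%s\n' "$applet" ;;
        esac
    done
    return 0
}

# report BANNER APPLET...: human-readable summary for one device.
report() {
    ver=$(printf '%s\n' "$1" | busybox_version)
    shift
    found=$(vulnerable_applets "$ver" "$@" | tr '\n' ' ')
    if [ -n "$found" ]; then
        printf 'BusyBox %s predates %s and includes affected applets: %s\n' \
            "$ver" "$FIXED_VERSION" "$found"
    else
        printf 'BusyBox %s: no affected applets from an unfixed build\n' "$ver"
    fi
}

# Constructed sample data standing in for the output of
#   busybox | head -n 1      and      busybox --list
# on a device. Replace with those commands for a live check.
SAMPLE_BANNER='BusyBox v1.33.1 (2021-06-30 12:00:00 UTC) multi-call binary.'
SAMPLE_APPLETS='ash awk cp grep ls lzma man sh unlzma'

report "$SAMPLE_BANNER" $SAMPLE_APPLETS
```

On a fleet, run `busybox | head -n 1` and `busybox --list` on each device (or extract them from firmware images) and feed the results to `report`. A build that shows an old version but none of the listed applets was compiled without them, which is worth recording but is not exposed to these particular flaws; conversely, a vendor may have backported fixes without bumping the version, so treat a hit as a prompt to check the vendor's advisory rather than as proof of vulnerability.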