The open-source tool BusyBox is found in many embedded firmware images and Linux devices worldwide. BusyBox is a software suite of many useful Unix utilities, known as applets, packaged as a single executable file. Researchers with JFrog and Claroty have embarked on a project to survey the security of many different open-source projects. When they evaluated BusyBox, they found 14 flaws in the included applets. Exploiting them requires the attacker to feed the affected applets malicious, manipulated data. These flaws, rated in the “medium” range, are complex, but that will not stop anyone with the skill and motivation from using BusyBox as a vector in their attack chain.
Designated CVEs:
- CVE-2021-42373
- CVE-2021-42374
- CVE-2021-42375
- CVE-2021-42376
- CVE-2021-42377
- CVE-2021-42378
- CVE-2021-42379
- CVE-2021-42380
- CVE-2021-42381
- CVE-2021-42382
- CVE-2021-42383
- CVE-2021-42384
- CVE-2021-42385
- CVE-2021-42386
These vulnerabilities involve issues with AWK, HUSH, ASH, MAN, and lzma/unlzma (compression library), with 10 of the CVEs carrying the possibility of remote code execution. According to researchers, “Within BusyBox you can find a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep, and others. You’re likely to find many OT and IoT devices running BusyBox, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs)—many of which now run on Linux.” This is an important warning for companies surveying the risk of operating unpatched BusyBox.
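For that kind of survey, the sketch below (an added example, not code from the researchers or the BusyBox project) inventories which of the applets named above are compiled into a given BusyBox binary, using BusyBox's `--list` option. The lowercase applet names in `AFFECTED` are an assumed mapping of the article's list, and the function names are hypothetical.

```shell
#!/bin/sh
# Applets the article names as affected (assumed lowercase applet names).
AFFECTED="awk hush ash man lzma unlzma"

# Read an applet list on stdin (one name per line, the format printed by
# `busybox --list`) and print every affected applet that is present.
# Matching is on whole names, so e.g. "bash" does not match "ash".
affected_applets() {
    while IFS= read -r applet || [ -n "$applet" ]; do
        case " $AFFECTED " in
            *" $applet "*) printf '%s\n' "$applet" ;;
        esac
    done
    return 0
}

# Query one BusyBox binary (default: busybox on PATH).
# Returns 0 if no affected applet is built in, 1 if at least one is,
# 2 if the binary is missing or does not answer --list.
audit_busybox() {
    bb=${1:-busybox}
    list=$("$bb" --list 2>/dev/null) || return 2
    found=$(printf '%s\n' "$list" | affected_applets)
    if [ -n "$found" ]; then
        printf 'affected applets in %s:\n%s\n' "$bb" "$found"
        return 1
    fi
    printf 'no affected applets in %s\n' "$bb"
    return 0
}

# Example use on a device or an unpacked firmware root:
#   audit_busybox /bin/busybox
```

A hit only means the applet is present and reachable; whether it is exposed still depends on whether untrusted data can reach it on that device.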