Cybersecurity researchers on Tuesday disclosed 14 crucial vulnerabilities within the BusyBox Linux utility that may very well be exploited to end in a denial-of-service (DoS) situation and, in choose circumstances, even result in data leaks and distant code execution.
The safety weaknesses, tracked from CVE-2021-42373 by means of CVE-2021-42386, have an effect on a number of variations of the device starting from 1.16-1.33.1, DevOps firm JFrog and industrial cybersecurity firm Claroty said in a joint report.
Dubbed “the Swiss Military Knife of Embedded Linux,” BusyBox is a extensively used software program suite combining quite a lot of widespread Unix utilities or applets (e.g., cp, ls, grep) right into a single executable file that may run on Linux programs akin to programmable logic controllers (PLCs), human-machine interfaces (HMIs), and distant terminal models (RTUs).
A fast record of the failings and the applets they affect is beneath —
- man – CVE-2021-42373
- lzma/unlzma – CVE-2021-42374
- ash – CVE-2021-42375
- hush – CVE-2021-42376, CVE-2021-42377
- awk – CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386
Triggered by supplying untrusted information by way of command line to the weak applets, profitable exploitation of the failings may end in denial-of-service, inadvertent disclosure of delicate data, and doubtlessly code execution. The weaknesses have since been addressed in BusyBox version 1.34.0, which was launched on August 19, following accountable disclosure.
“These new vulnerabilities that we have disclosed solely manifest in particular circumstances, however may very well be extraordinarily problematic when exploitable,” mentioned Shachar Menashe, senior director of safety analysis at JFrog. “The proliferation of BusyBox makes this a problem that must be addressed by safety groups. As such, we encourage corporations to improve their BusyBox model, or ensure that they don’t seem to be utilizing any of the affected applets.”