Tuesday, April 22, 2025
14 New Vulnerabilities Uncovered In Linux Powered Embedded Devices

On Tuesday, security researchers at Claroty and JFrog disclosed 14 new vulnerabilities in BusyBox, the Linux utility suite.

BusyBox is one of the most widely used Linux software suites; many of the world's leading operational technology (OT) and Internet of Things (IoT) devices ship it.

These vulnerabilities can be exploited to cause denial-of-service (DoS) conditions and, in selected cases, information leaks and remote code execution. The two firms partnered on the research into BusyBox.


The Vulnerabilities

Here is the list of the 14 vulnerabilities:

CVE ID: CVE-2021-42373

Description: A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is given.

CVSS: 5.1

CVE ID: CVE-2021-42374

Description: An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.

CVSS: 6.5

CVE ID: CVE-2021-42375

Description: An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.

CVSS: 4.1

CVE ID: CVE-2021-42376

Description: A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.

CVSS: 4.1

CVE ID: CVE-2021-42377

Description: An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

CVSS: 6.4

CVE ID: CVE-2021-42378

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function.

CVSS: 6.6

CVE ID: CVE-2021-42379

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function.

CVSS: 6.6

CVE ID: CVE-2021-42380

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function.

CVSS: 6.6

CVE ID: CVE-2021-42381

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function.

CVSS: 6.6

CVE ID: CVE-2021-42382

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function.

CVSS: 6.6

CVE ID: CVE-2021-42383

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.

CVSS: 6.6

CVE ID: CVE-2021-42384

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function.

CVSS: 6.6

CVE ID: CVE-2021-42385

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.

CVSS: 6.6

CVE ID: CVE-2021-42386

Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.

CVSS: 6.6

Triggering the Vulnerabilities

Each vulnerability can only be triggered under certain conditions, which are:

CVE-2021-42373 – Applies if the attacker can control all parameters passed to man.

CVE-2021-42374 – Applies if the attacker can supply a crafted compressed file that will be decompressed using unlzma.

CVE-2021-42375 – Applies if the attacker can supply a command line to ash that includes the special characters $, {, }, #.

CVE-2021-42376 – Applies if the attacker can supply a command line to hush that contains the special character \x03 (delimiter).

CVE-2021-42377 – Applies if the attacker can supply a command line to hush that contains the special character &.

CVE-2021-42378 to CVE-2021-42386 – Apply if the attacker can supply an arbitrary pattern to awk.

Research Methodology & Threat Analysis

The researchers used both static and dynamic analysis to investigate BusyBox. They started with a manual, top-down inspection of the BusyBox source code.

They then moved on to fuzzing: they compiled BusyBox with ASan (AddressSanitizer) and ran an AFL harness against every BusyBox applet.

The daemon applets covered by the fuzzing included HTTP, Telnet, DNS, DHCP, NTP and others. The full process consisted of the following steps:

  • Code review
  • Fuzzing
  • Reduction & Minimization
  • Triage
  • PoC
  • Testing multiple versions
  • Disclosure

To assess the threat level posed by these vulnerabilities, they examined JFrog's database of more than 10,000 embedded firmware images.

They found that 40% of them contain a BusyBox executable that is linked with one of the affected applets, which makes the issues very widespread among Linux-based embedded firmware.

Weaponizing ZIP Files

From an attacker's point of view, ZIP is a better attack vector for the unlzma issue (CVE-2021-42374) because:

  • unzip invocations are far more common than direct invocations of unlzma.
  • With this vector there are no restrictions on the name of the file being unzipped.
  • The leaked data is extracted into files that can later be read remotely.
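The ZIP route described above, as an added triage example that is not code from the Claroty/JFrog research or from BusyBox: the two-member archive is constructed in memory with Python's zipfile module, and the scanner walks the central directory and each member's local header itself rather than trusting either one, flagging any member whose compression method is 14 (LZMA in the PKWARE APPNOTE, the method that hands the member's stream to an LZMA decoder on extraction). The method-number table, the decision to compare both headers, and the sample archive are the example's own assumptions and constructed data.

```python
import io
import struct
import zipfile

# ZIP compression-method numbers from the PKWARE APPNOTE (assumed here, not from the article).
# Only method 14 is treated as the LZMA trigger; which methods a given unzip build decodes
# depends on its configuration.
LZMA_METHOD = 14
METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma", 95: "xz"}


def scan_zip(data: bytes) -> list:
    """Walk the central directory and each entry's local header; one record per member."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (n_entries,) = struct.unpack_from("<H", data, eocd + 10)
    (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry at offset %d" % pos)
        (cd_method,) = struct.unpack_from("<H", data, pos + 10)
        fn_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        # A streaming extractor trusts the local header, so read it independently of the
        # central directory: a method mismatch between the two is itself a crafted-archive signal.
        if data[local_off:local_off + 4] != b"PK\x03\x04":
            raise ValueError("bad local header for %r" % name)
        (local_method,) = struct.unpack_from("<H", data, local_off + 8)
        entries.append({
            "name": name,
            "cd_method": cd_method,
            "local_method": local_method,
            "local_offset": local_off,
            "mismatch": cd_method != local_method,
        })
        pos += 46 + fn_len + extra_len + comment_len
    return entries


def lzma_members(data: bytes) -> list:
    """Names of members that either header says are LZMA-compressed."""
    return [e["name"] for e in scan_zip(data)
            if LZMA_METHOD in (e["cd_method"], e["local_method"])]


def build_sample_zip() -> bytes:
    """Constructed archive (not from any real device): one deflate member, one LZMA member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"ordinary deflate member\n", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("update.bin", b"\x00" * 256, compress_type=zipfile.ZIP_LZMA)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for e in scan_zip(sample):
        print("%-12s central=%-7s local=%-7s%s" % (
            e["name"],
            METHOD_NAMES.get(e["cd_method"], e["cd_method"]),
            METHOD_NAMES.get(e["local_method"], e["local_method"]),
            "  MISMATCH" if e["mismatch"] else ""))
    print("members routed to the LZMA decoder:", lzma_members(sample))
```

A gate on a firmware-update or upload path can reject or quarantine archives for which lzma_members returns anything, regardless of file name, which is the point of the second bullet above: the extension carries no information, only the method field does.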

Fix

All 14 vulnerabilities are fixed in BusyBox 1.34.0, so the researchers recommend that every user upgrade BusyBox immediately.

Where upgrading is not possible, BusyBox 1.33.1 and earlier can be compiled without the vulnerable applets as a workaround.

The disclosed vulnerabilities only manifest in specific cases, but the key point is that they can be highly dangerous when exploitable.
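The check a firmware assessor would want for the triggering conditions and the fix described above, as an added example that is not code from the researchers or the BusyBox project: it parses the "BusyBox vX.Y.Z" banner and the output of busybox --list, compares the version with 1.34.0 and reports which of the applets named in this article are compiled in, so that a device that cannot be upgraded can at least be rebuilt without them. The applet-to-CVE mapping, the inclusion of unzip as a route to unlzma, the handling of the sh alias and the sample outputs are the example's own assumptions and constructed data.

```python
import re
import subprocess

# Applets the article ties to the 14 CVEs, plus unzip (the article's preferred route to the
# unlzma decoder). This mapping is the example's assumption, not a table from the article.
AFFECTED_APPLETS = {
    "man": ["CVE-2021-42373"],
    "unlzma": ["CVE-2021-42374"],
    "unzip": ["CVE-2021-42374"],
    "ash": ["CVE-2021-42375"],
    "hush": ["CVE-2021-42376", "CVE-2021-42377"],
    "awk": ["CVE-2021-%d" % n for n in range(42378, 42387)],
}
FIXED_VERSION = (1, 34, 0)  # all 14 CVEs fixed in BusyBox 1.34.0 per the article


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the 'BusyBox vX.Y.Z (...)' banner line."""
    m = re.search(r"BusyBox v(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no BusyBox version banner found")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(banner: str, applet_list: str) -> dict:
    """Report whether the build predates the fix and which affected applets are compiled in."""
    version = parse_version(banner)
    applets = set(applet_list.split())
    exposed = {a: cves for a, cves in AFFECTED_APPLETS.items() if a in applets}
    return {
        "version": version,
        "needs_upgrade": version < FIXED_VERSION,
        "exposed": exposed,
        # 'sh' is normally an alias for ash or hush; if neither shows up by name the
        # shell is still there and the assessor has to find out which one it is.
        "unresolved_shell": "sh" in applets and not ({"ash", "hush"} & applets),
    }


def assess_host(binary: str = "busybox") -> dict:
    """Run the check against a real binary; the banner goes to stderr, --list to stdout."""
    banner = subprocess.run([binary, "--help"], stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True).stdout
    applets = subprocess.run([binary, "--list"], stdout=subprocess.PIPE, text=True).stdout
    return assess(banner, applets)


# Constructed sample output (not captured from any real device) so the script runs offline.
SAMPLE_BANNER = "BusyBox v1.33.1 (2021-05-06 15:17:48 UTC) multi-call binary.\n"
SAMPLE_APPLETS = "[\nash\nawk\ncat\nchmod\ncp\nhttpd\nls\nsh\ntelnetd\nunlzma\nunzip\nwget\n"

if __name__ == "__main__":
    report = assess(SAMPLE_BANNER, SAMPLE_APPLETS)
    print("BusyBox %d.%d.%d:" % report["version"],
          "predates the 1.34.0 fix" if report["needs_upgrade"] else "fixed release")
    for applet, cves in sorted(report["exposed"].items()):
        print("  %-7s %s" % (applet, ", ".join(cves)))
    if report["unresolved_shell"]:
        print("  sh is present but not resolved to ash or hush; check the build config")
```

On a device, assess_host() does the same against the installed binary; on a firmware image, feed the banner and applet list extracted from the root filesystem into assess() instead.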

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.