On Tuesday, security researchers at Claroty and JFrog disclosed 14 new vulnerabilities in BusyBox, the widely used Linux utility suite.
BusyBox is one of the most extensively deployed Linux software suites, and many of the world's leading operational technology (OT) and Internet of Things (IoT) devices ship it.
These vulnerabilities can be exploited to cause denial-of-service (DoS) conditions and, in selected cases, information leaks and remote code execution. The two firms teamed up to investigate BusyBox together.
The Vulnerabilities
Here is the list of the 14 vulnerabilities:
CVE ID: CVE-2021-42373
Description: A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is given.
CVSS: 5.1
CVE ID: CVE-2021-42374
Description: An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.
CVSS: 6.5
CVE ID: CVE-2021-42375
Description: An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.
CVSS: 4.1
CVE ID: CVE-2021-42376
Description: A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.
CVSS: 4.1
CVE ID: CVE-2021-42377
Description: An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
CVSS: 6.4
CVE ID: CVE-2021-42378
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function.
CVSS: 6.6
CVE ID: CVE-2021-42379
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function.
CVSS: 6.6
CVE ID: CVE-2021-42380
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function.
CVSS: 6.6
CVE ID: CVE-2021-42381
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function.
CVSS: 6.6
CVE ID: CVE-2021-42382
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function.
CVSS: 6.6
CVE ID: CVE-2021-42383
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.
CVSS: 6.6
CVE ID: CVE-2021-42384
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function.
CVSS: 6.6
CVE ID: CVE-2021-42385
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.
CVSS: 6.6
CVE ID: CVE-2021-42386
Description: A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.
CVSS: 6.6
Triggering the Vulnerabilities
Each vulnerability can only be triggered under specific conditions; the triggering condition for each one is listed below:
CVE-2021-42373 – Applies if the attacker can control all parameters passed to man.
CVE-2021-42374 – Applies if the attacker can supply a crafted compressed file that will be decompressed using unlzma.
CVE-2021-42375 – Applies if the attacker can supply a command line to ash that contains the special characters $, {, }, #.
CVE-2021-42376 – Applies if the attacker can supply a command line to hush that contains the special character \x03 (delimiter).
CVE-2021-42377 – Applies if the attacker can supply a command line to hush that contains the special character &.
CVE-2021-42378 – CVE-2021-42386 – Apply if the attacker can supply an arbitrary pattern to awk.
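The conditions above make a device's exposure a function of two things: the BusyBox version and which applets are compiled into the binary. The shell script below is an added example, not code from the Claroty/JFrog research or from the BusyBox project, that triages a binary from its version string and the output of `busybox --list`. The applet-to-CVE mapping is taken from the list above; treating unzip, tar and the lzma alias as indirect routes to the unlzma bug is an assumption based on the advisory's note that any applet with internal LZMA support can reach it, and the sample applet list at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: triage a BusyBox binary against the 14 CVEs from its
# version string and applet list. Not from the advisory or from BusyBox.

# 0 (true) if dotted version $1 is strictly lower than $2, e.g. 1.33.1 < 1.34.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal
    }'
}

# All 14 CVEs are fixed in 1.34.0; anything older still carries the vulnerable code.
busybox_affected() {
    version_lt "$1" 1.34.0
}

# $1: whitespace-separated applet names (the output of `busybox --list`).
# Prints "applet CVE(s)" for every applet that exposes a vulnerable code path.
affected_applets() {
    for name in $1; do
        case "$name" in
            man)    echo "man CVE-2021-42373" ;;
            unlzma) echo "unlzma CVE-2021-42374" ;;
            lzma|unzip|tar)
                    # assumption: these reach the unlzma decoder through their LZMA support
                    echo "$name CVE-2021-42374 (indirect, via LZMA decompression)" ;;
            ash)    echo "ash CVE-2021-42375" ;;
            hush)   echo "hush CVE-2021-42376 CVE-2021-42377" ;;
            sh)     echo "sh (alias of ash or hush) CVE-2021-42375 CVE-2021-42376 CVE-2021-42377" ;;
            awk)    echo "awk CVE-2021-42378 to CVE-2021-42386" ;;
        esac
    done
}

# Full triage: prints a verdict plus the affected applets; returns 0 only when the
# binary is older than 1.34.0 AND at least one affected applet is built in.
triage() {
    ver=$1; applets=$2
    if ! busybox_affected "$ver"; then
        echo "BusyBox $ver: not affected (1.34.0 or later)"
        return 1
    fi
    hits=$(affected_applets "$applets")
    if [ -z "$hits" ]; then
        echo "BusyBox $ver: vulnerable version, but no affected applet is built in"
        return 1
    fi
    echo "BusyBox $ver: affected applets present:"
    echo "$hits"
    return 0
}

# Constructed sample: a router-style applet list on BusyBox 1.33.1.
SAMPLE_APPLETS="ash awk cat ls mount ping sh tar udhcpc unzip wget"

if command -v busybox >/dev/null 2>&1; then
    # Live check: the banner line looks like "BusyBox v1.33.1 (...) multi-call binary."
    live_ver=$(busybox 2>&1 | sed -n 's/^BusyBox v\([0-9.]*\).*/\1/p' | head -n 1)
    triage "$live_ver" "$(busybox --list | tr '\n' ' ')"
else
    triage 1.33.1 "$SAMPLE_APPLETS"
fi
```

On a firmware image, run the script against the extracted root filesystem's binary (for example `chroot` into it, or pass the banner and applet list captured from the device) rather than the host's BusyBox. A hit on `sh` only tells you that one of the two shells is present; which CVEs apply depends on whether the build maps `sh` to ash or hush.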
Research Methodology & Threat Analysis
The researchers used both static and dynamic analysis to investigate BusyBox, starting with a top-down manual review of the BusyBox source code.
They then moved on to fuzzing: BusyBox was compiled with ASan (AddressSanitizer) and an AFL harness was run against every BusyBox applet.
This included the daemon applets, among them the HTTP, Telnet, DNS, DHCP and NTP servers. The overall process consisted of the following steps:
- Code review
- Fuzzing
- Reduction & Minimization
- Triage
- PoC
- Testing multiple versions
- Disclosure
To assess the threat level posed by these vulnerabilities, the researchers examined JFrog's database of more than 10,000 embedded firmware images.
They found that 40% of them contain a BusyBox executable linked with one of the affected applets, which makes the issues very widespread among Linux-based embedded firmware.
Weaponizing ZIP Files
From the attacker's point of view, ZIP is a better attack vector for the unlzma bug (CVE-2021-42374) than a bare LZMA file, since:-
- Invocations of unzip are far more prevalent than direct invocations of unlzma.
- With this attack vector there are no restrictions on the name of the file being unzipped.
- The leaked data ends up in the extracted files, which can later be read remotely.
Fix
All 14 vulnerabilities are fixed in BusyBox 1.34.0, so the researchers recommend that every user upgrade BusyBox immediately.
If upgrading BusyBox is not possible, BusyBox 1.33.1 and earlier versions can be compiled without the vulnerable applets as a workaround.
The disclosed vulnerabilities only manifest in specific cases, but where they are reachable the consequences can be severe, up to remote code execution.
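As an added illustration of that workaround (this is not code from the advisory or from the BusyBox project), the shell script below rewrites a Kconfig .config so the affected applets are not built, while keeping whichever shell the image needs. The Kconfig symbol names are my assumption from a recent BusyBox tree (CONFIG_MAN, CONFIG_UNLZMA, CONFIG_LZMA, CONFIG_FEATURE_SEAMLESS_LZMA, CONFIG_FEATURE_UNZIP_LZMA, CONFIG_ASH, CONFIG_HUSH, CONFIG_AWK); verify them in `make menuconfig` before relying on this. The sample .config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: compile-time workaround for BusyBox builds that cannot move
# to 1.34.0. Rewrites a Kconfig .config so the applets named in the advisory
# are not built. Symbol names are an assumption from a recent BusyBox tree.

# Symbols for: man, unlzma and its lzma alias, the LZMA decompression paths
# reached through tar and unzip, and the ash, hush and awk applets.
VULN_SYMBOLS="CONFIG_MAN CONFIG_UNLZMA CONFIG_LZMA CONFIG_FEATURE_SEAMLESS_LZMA \
CONFIG_FEATURE_UNZIP_LZMA CONFIG_ASH CONFIG_HUSH CONFIG_AWK"

# $1 = symbol, $2 = .config path. Turns "SYM=y" into Kconfig's "# SYM is not set".
# A temp file plus mv is used instead of sed -i so it works on GNU and BSD sed.
disable_symbol() {
    sed "s/^$1=y\$/# $1 is not set/" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# $1 = .config path, $2 = whitespace-separated symbols to keep (e.g. CONFIG_ASH,
# because the image still needs a shell). Everything else in VULN_SYMBOLS is disabled.
harden_config() {
    cfg=$1; keep=" $2 "
    for sym in $VULN_SYMBOLS; do
        case "$keep" in *" $sym "*) continue ;; esac
        disable_symbol "$sym" "$cfg"
    done
}

# Prints the advisory symbols still enabled in $1; empty output means clean.
remaining_vulnerable() {
    for sym in $VULN_SYMBOLS; do
        grep -x "$sym=y" "$1" || true
    done
}

# Constructed sample .config (not a real firmware build) for the demonstration.
make_sample_config() {
    printf '%s\n' 'CONFIG_LS=y' 'CONFIG_ASH=y' 'CONFIG_AWK=y' 'CONFIG_UNLZMA=y' \
        '# CONFIG_MAN is not set' 'CONFIG_FEATURE_UNZIP_LZMA=y' > "$1"
}

# Usage: keep ash, drop the rest, then report what is still enabled.
cfg=$(mktemp)
make_sample_config "$cfg"
harden_config "$cfg" "CONFIG_ASH"
echo "still enabled after hardening: $(remaining_vulnerable "$cfg")"
rm -f "$cfg"
```

After rewriting the real .config, run `make oldconfig` so Kconfig re-resolves the symbols that depend on the ones you disabled (the `sh` alias selection in particular), rebuild, and confirm with `busybox --list` that man, awk and unlzma are gone. Dropping both shells is rarely an option; for the ash and hush bugs the practical mitigation is the one implied by the triggering conditions above, namely never letting untrusted input reach a shell command line.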