14 Busybox vulnerabilities found “DoS, RCE vulnerability exposure concerns, update required”

14 vulnerabilities were found in BusyBox, a utility suite used throughout Linux-based firmware. Although none is rated critical, some of the flaws could lead to remote code execution (RCE).

BusyBox is a software utility that bundles the typical Linux command-line tools, a shell, and a DHCP client and server into a single binary. Because it can execute more than 300 Linux commands as a standalone binary, it is effectively a standard program in Linux user environments.

JFrog, a DevOps platform vendor, said: “A variety of OT and IoT devices run on a BusyBox basis. Typical examples are programmable logic controllers (PLCs), human-machine interfaces (HMIs) and remote terminal units (RTUs). Examining more than 10,000 embedded firmware images in the JFrog database, 40% of the firmware contained a BusyBox executable linked to an applet in which a vulnerability was found. There is a risk of the vulnerabilities spreading across Linux-based embedded firmware.”

JFrog analyzed BusyBox in collaboration with a research team from the cybersecurity company Claroty, using static and dynamic analysis techniques together with fuzzing. The analysis found vulnerabilities in man (manual pages), lzma/unlzma (compression), ash (shell), hush (shell) and awk (text manipulation/scripting), all popular BusyBox applets.

Concerns over DoS, information leakage and RCE vulnerability attacks

All 14 vulnerabilities can lead to a denial of service (DoS). Although DoS is generally considered lower risk than other attacks, if a device such as a PLC in an OT environment is put into a DoS state, an important part of an industrial process can be disrupted.

Exploiting a vulnerability in a BusyBox applet requires the attacker to control the input that the applet processes as part of a command. Depending on the functions the device exposes and how the applet is used, this may be possible remotely rather than only locally.

For example, the man vulnerability (CVE-2021-42373) applies where an attacker can supply a section name by controlling a parameter passed to the man command, but not the page argument. The ash (CVE-2021-42375) and hush (CVE-2021-42376, CVE-2021-42377) vulnerabilities result from incorrect handling of certain special characters or strings in shell commands. Exploiting the ash and hush vulnerabilities requires the ability to pass a specially crafted command to the shell; CVE-2021-42377 can lead to remote code execution.

The unlzma vulnerability (CVE-2021-42374) can lead to DoS or information disclosure and is triggered by passing specially crafted LZMA-compressed input to an applet. Notably, even if the unlzma applet itself is not available, when ‘CONFIG_FEATURE_SEAMLESS_LZMA’ is enabled, applets such as tar, unzip, rpm, dpkg, lzma and man process LZMA-compressed files with the same vulnerable code. Since this feature is enabled by default in BusyBox, the attack vector is highly likely to be exploitable.

The research team said, “From the attacker’s point of view, the ZIP file format is a much better attack vector because it is more common to execute unzip than to execute unlzma. The attacker saves the leaked data as a file and retrieves it remotely later. For example, in an embedded web service that can upload a ZIP compressed file along with a media resource, an attacker extracts the ZIP compressed file to an accessible location and reads the leaked data.”

The remaining nine vulnerabilities are all in the awk applet, which triggers a use-after-free (UAF) memory error when processing a specially crafted awk pattern. This can be extended from DoS to RCE. The research team said, “The RCE attack can be done by exploiting the UAF vulnerability. However, so far we have not attempted a weaponized attack. It’s very rare and inherently dangerous to deal with awk patterns externally.”

All 14 vulnerabilities were fixed in BusyBox version 1.34.0. Firmware developers are encouraged to update to the new version. If updating is not possible due to compatibility issues, the vulnerable applets can be disabled instead.
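The two remediation checks the article names (is the build older than 1.34.0 and does it still ship an affected applet; is CONFIG_FEATURE_SEAMLESS_LZMA enabled so that tar/unzip/rpm/dpkg/man hit the unlzma code path) can be scripted. The audit below is an added example, not code from the article or from JFrog/Claroty; it takes the `busybox` banner, the `busybox --list` output and the build's .config as strings so it runs offline, and the sample values at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the article: audit a BusyBox build against the findings above.
# Inputs are strings so it runs offline: the banner `busybox` prints, `busybox --list` output,
# and the build's .config text. On a device: busybox_audit "$(busybox | head -n1)" "$(busybox --list)" "$(cat .config)"
VULN_APPLETS="man lzma unlzma ash hush awk"  # applets named in the advisory
FIXED_VERSION="1.34.0"                        # release carrying the fixes
# version_lt A B: exit 0 when dotted version A is lower than B (missing fields count as 0)
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.};; *) a='';; esac
    case $b in *.*) b=${b#*.};; *) b='';; esac
  done
  return 1
}
# busybox_version BANNER: extract "1.33.1" from "BusyBox v1.33.1 (...) multi-call binary."
busybox_version() {
  printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p' | head -n1
}
# affected_applets LIST: print the applets in LIST (whitespace separated) that the advisory names
affected_applets() {
  for a in $1; do
    case " $VULN_APPLETS " in *" $a "*) printf '%s\n' "$a";; esac
  done
}
# seamless_lzma_enabled CONFIG: exit 0 when CONFIG_FEATURE_SEAMLESS_LZMA=y is set in the build config
seamless_lzma_enabled() {
  printf '%s\n' "$1" | grep -q '^CONFIG_FEATURE_SEAMLESS_LZMA=y$'
}
# busybox_audit BANNER LIST CONFIG: print findings; exit 0 when the build needs action, 1 otherwise.
# An unparseable version is treated as 0 (old) so it is reported rather than silently passed.
busybox_audit() {
  ver=$(busybox_version "$1"); hits=$(affected_applets "$2"); rc=1
  if version_lt "${ver:-0}" "$FIXED_VERSION" && [ -n "$hits" ]; then
    printf 'BusyBox %s < %s ships affected applets: %s\n' "${ver:-unknown}" "$FIXED_VERSION" "$(printf '%s' "$hits" | tr '\n' ' ')"
    rc=0
  fi
  if seamless_lzma_enabled "$3"; then
    printf 'CONFIG_FEATURE_SEAMLESS_LZMA=y: tar/unzip/rpm/dpkg/man also run the unlzma code path\n'
    rc=0
  fi
  return $rc
}
# Constructed sample standing in for a real device's banner, applet list and .config
busybox_audit 'BusyBox v1.33.1 (2021-01-01 00:00:00 UTC) multi-call binary.' 'ash awk cat ls tar unzip' 'CONFIG_FEATURE_SEAMLESS_LZMA=y' \
  && echo 'action: update to 1.34.0, or drop the affected applets and disable seamless LZMA'
```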

Regular updates are required

Numerous IoT, OT and other embedded devices use Linux as their operating system and therefore necessarily rely on a number of open-source utilities and services. Some components are maintained by a large developer community, while others are maintained by a very small team or even a single developer.

Vulnerabilities continue to be found in common Linux components, and they can affect hundreds of millions of devices. Linux servers and desktops can be updated automatically and easily, but updating embedded systems is a manual process. Many embedded firmware developers also keep using older versions of the kernel and user tools because of compatibility issues. Businesses should therefore enforce update policies that take in-house IoT and OT devices into account, and choose products from vendors that provide regular security updates.

Source: ITWorld Korea by www.itworld.co.kr.

*This article has been translated from ITWorld Korea (www.itworld.co.kr).