Researchers at Claroty and JFrog have published a security audit of BusyBox, a package widely used on embedded devices that provides a set of standard UNIX utilities in a single executable. The audit identified 14 vulnerabilities, all of which were already fixed in the August release of BusyBox 1.34. Almost all of the problems are harmless and of doubtful use in real attacks, since they require the affected utilities to be run with arguments supplied from outside.
Singled out separately is CVE-2021-42374, which allows a denial of service when the unlzma utility processes a specially crafted compressed file; in builds with the CONFIG_FEATURE_SEAMLESS_LZMA option, any other BusyBox component is affected as well, including tar, unzip, rpm, dpkg, lzma and man …
Vulnerabilities CVE-2021-42373, CVE-2021-42375, CVE-2021-42376 and CVE-2021-42377 also allow a denial of service, but require the man, ash and hush utilities to be run with attacker-specified parameters. Vulnerabilities CVE-2021-42378 through CVE-2021-42386 affect the awk utility and can potentially lead to code execution, but for this the attacker needs to make awk process a particular pattern, i.e. awk has to be run on data received from the attacker.
Additionally worth noting is a vulnerability (CVE-2021-43523) in the uclibc and uclibc-ng libraries: when the gethostbyname(), getaddrinfo(), gethostbyaddr() and getnameinfo() functions are called, the domain name returned by the DNS server is not validated. For example, in response to a resolving request, a DNS server controlled by an attacker can return hosts of the form “<script>alert('xss')</script>.attacker.com”, and they will be passed unchanged to the calling program, which may then display them in its web interface without sanitizing. The issue was fixed in the uclibc-ng 1.0.39 release by adding code to validate the returned domain names, similar to what Glibc does.
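To illustrate the kind of check the uclibc-ng fix refers to, here is an added example (written for this article, not code from uclibc-ng or glibc) that rejects DNS-supplied names which do not follow RFC 952/1123 hostname syntax; the sample replies at the bottom are constructed, including the attacker-controlled name quoted above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not uclibc-ng or glibc code: accept only names that follow
 * RFC 952/1123 hostname syntax (labels of 1..63 chars from [A-Za-z0-9-], no
 * label starting or ending with '-', at most 253 chars, optional trailing '.').
 * A resolver applies a check like this to names taken from a DNS reply before
 * returning them to callers. Returns 1 when the name is acceptable, else 0. */
int hostname_ok(const char *name)
{
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '.')   /* tolerate absolute-name form */
        len--;
    if (len == 0 || len > 253)
        return 0;
    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {                    /* end of label: non-empty, no trailing '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')       /* '<', '>', '(', '\'', space ... fail here */
            return 0;
        if (label_len == 0 && c == '-')    /* label may not start with '-' */
            return 0;
        if (++label_len > 63)
            return 0;
    }
    return label_len > 0 && name[len - 1] != '-';
}

int main(void)
{
    /* Constructed replies, including the attacker-controlled name quoted above. */
    const char *replies[] = {
        "www.example.com",
        "<script>alert('xss')</script>.attacker.com",
        "-leading.example.com",
    };
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++)
        printf("%-45s %s\n", replies[i], hostname_ok(replies[i]) ? "accepted" : "rejected");
    return 0;
}
```

A resolver that applies this check fails the lookup (or drops the offending record) instead of handing the raw string to the application.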