Researchers discovered 14 vulnerabilities in BusyBox, the ‘Swiss Army Knife’ of embedded Linux used in many OT and IoT environments. They allow RCE, denial of service and data leaks.
Researchers have discovered 14 vulnerabilities in BusyBox, a popular utility suite used in embedded Linux applications. All 14 allow denial of service (DoS), and 10 of them also enable remote code execution (RCE), they said.
One of the flaws also could allow devices to leak info, according to researchers from JFrog Security and Claroty Research, in a report shared with Threatpost on Tuesday.
The two firms teamed up to take a deeper dive into BusyBox, a software suite used by many of the world’s leading operational technology (OT) and internet of things (IoT) devices, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) and remote terminal units (RTUs). Shachar Menashe, senior director of security research at JFrog, partnered with Vera Mens, Uri Katz, Tal Keren and Sharon Brizinov of Claroty Research on the report.
Touted as a “Swiss Army Knife” of embedded Linux, BusyBox consists of useful Unix utilities, called applets, that are packaged as a single executable. The program includes a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep and others.
The discovery of the flaws is significant because of the proliferation of BusyBox not only in the embedded Linux world but also in numerous Linux applications outside of devices, Menashe said in an email to Threatpost.
“These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable,” he said. However, the good news for the security of devices using BusyBox is that generally the vulnerabilities require a bit of effort to exploit, researchers reported.
The vulnerabilities are being tracked with CVE IDs from CVE-2021-42373 through CVE-2021-42386, and affect different versions of BusyBox ranging from 1.16 through 1.33.1, depending on the flaw. They also affect a variety of applets: one flaw each in “man,” “lzma/unlzma” and “ash”; two separate flaws in “hush”; and nine separate flaws in “awk,” the applet with the most vulnerabilities.
Because the applets are not daemons, each flaw can only be exploited if the vulnerable applet is fed with untrusted data, typically through a command-line argument, researchers wrote. The team published a comprehensive breakdown of each vulnerability, which applet it affects, and its potential for exploitation in its report.
Overall, 40 percent of the firmware images using BusyBox that researchers inspected included a BusyBox executable file linked with one of the affected applets, making the problem “extremely widespread among Linux-based embedded firmware,” they wrote. However, the vulnerabilities don’t currently pose a critical threat to affected devices for a number of reasons, researchers noted in the analysis, including the aforementioned exploit complexity.
For example, potentially the most dangerous of the flaws is CVE-2021-42374, an out-of-bounds heap read in unlzma that can lead to both DoS and an information leak. However, as researchers explained in detail, it can only be used to attack the device when a crafted lzma-compressed input is decompressed.
LZMA is a compression algorithm that uses dictionary compression and encodes its output using a range encoder, researchers explain. Two specific conditions in the decoder need to be met to exploit the flaw: “buffer_pos = 0” and “rep0 = offset + dict_size,” researchers wrote. In other words, the decoder is asked to copy a match from rep0 bytes behind the very start of its dictionary buffer; because a negative back-reference index is only wrapped once by dict_size, the resulting index lands offset bytes before the heap buffer.
To meet these conditions, an attacker needs to prepare a specifically crafted LZMA-encoded stream that, when decoded, will fulfill these conditions and ultimately leak device memory, they said.
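To make the two conditions concrete, here is an added example in C, written for this page and not taken from BusyBox's source or the researchers' report. It models the back-reference arithmetic of an LZMA match copy: the unchecked index computation reproduces the condition the researchers describe (a negative index wrapped once by dict_size), while a checked variant rejects any distance that exceeds the dictionary or the bytes produced so far. The function names (backref_index_unchecked, backref_index_checked, copy_match, demo_trigger) and the 8-byte sample dictionary are this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not BusyBox source. The decoder keeps a circular dictionary
 * of dict_size bytes; a match says "copy len bytes from rep0 bytes behind the
 * write position buffer_pos", and a negative index wraps by dict_size. */

/* Unchecked index, mirroring the logic the researchers describe: a single wrap
 * by dict_size is assumed to be enough to bring a negative index back into
 * range. Returns the index that would be dereferenced, possibly negative. */
int32_t backref_index_unchecked(uint32_t buffer_pos, uint32_t rep0,
                                uint32_t dict_size)
{
    int32_t pos = (int32_t)(buffer_pos - rep0);
    if (pos < 0)
        pos += (int32_t)dict_size;
    return pos;
}

/* Checked index: a distance is valid only if it is non-zero, no larger than
 * the dictionary, and no larger than the number of bytes produced so far
 * (total_out). Under those constraints the wrapped index is always inside the
 * buffer. Returns -1 for an invalid reference. */
int32_t backref_index_checked(uint32_t buffer_pos, uint32_t rep0,
                              uint32_t dict_size, uint64_t total_out)
{
    if (rep0 == 0 || rep0 > dict_size || rep0 > total_out)
        return -1;
    int32_t pos = (int32_t)(buffer_pos - rep0);
    if (pos < 0)
        pos += (int32_t)dict_size;
    return pos;
}

/* Copy a match of len bytes into the circular dictionary dict[dict_size],
 * starting at *buffer_pos, using the checked index. Returns the number of
 * bytes copied, or -1 if the distance is rejected before any byte is written. */
int copy_match(uint8_t *dict, uint32_t dict_size, uint32_t *buffer_pos,
               uint64_t *total_out, uint32_t rep0, uint32_t len)
{
    for (uint32_t i = 0; i < len; i++) {
        int32_t src = backref_index_checked(*buffer_pos, rep0, dict_size, *total_out);
        if (src < 0)
            return -1;
        dict[*buffer_pos] = dict[src];
        *buffer_pos = (*buffer_pos + 1) % dict_size;
        (*total_out)++;
    }
    return (int)len;
}

/* The report's trigger: buffer_pos == 0 and rep0 == offset + dict_size.
 * The unchecked index wraps once and is left at -offset, i.e. offset bytes
 * before the heap buffer; the checked version rejects the distance outright.
 * Returns 1 when the model reproduces both outcomes, 0 otherwise. */
int demo_trigger(uint32_t offset, uint32_t dict_size,
                 int32_t *unchecked, int32_t *checked)
{
    *unchecked = backref_index_unchecked(0, offset + dict_size, dict_size);
    *checked   = backref_index_checked(0, offset + dict_size, dict_size, dict_size);
    return *unchecked == -(int32_t)offset && *checked == -1;
}

int main(void)
{
    int32_t u = 0, c = 0;
    demo_trigger(16, 4096, &u, &c);
    printf("unchecked index: %d (reads before the buffer)\n", u);
    printf("checked index:   %d (rejected)\n", c);

    /* Constructed sample: an 8-byte dictionary with "abcd" already produced;
     * a match of distance 4 and length 4 yields "abcdabcd". */
    uint8_t dict[8] = { 'a', 'b', 'c', 'd', 0, 0, 0, 0 };
    uint32_t pos = 4;
    uint64_t out = 4;
    int n = copy_match(dict, sizeof dict, &pos, &out, 4, 4);
    printf("copied %d bytes: %.8s\n", n, dict);
    return 0;
}
```

The check that matters is the last one in backref_index_checked: a distance larger than the bytes already produced can never point at real data, so rejecting it at that point is what keeps the wrapped index from ever going below zero, whatever the input stream claims.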
While the DoS vulnerabilities are more trivial to exploit, their impact is usually mitigated by the fact that applets almost always run as a separate forked process, researchers added.
Finally, most of the RCE flaws, particularly those present in the “awk” applet, are also tricky to exploit because “it is quite rare (and inherently unsafe) to process an awk pattern from external input,” they wrote.
Still, Menashe recommended that devices using BusyBox be upgraded to the latest version and that developers ensure that none of the affected applets are being used, in order to avoid threat actors taking advantage of any of the vulnerabilities.