Cybersecurity researchers on Tuesday disclosed 14 critical vulnerabilities in the BusyBox Linux utility that could be exploited to cause a denial-of-service (DoS) condition and, in select cases, even lead to information leaks and remote code execution.
The security weaknesses, tracked from CVE-2021-42373 through CVE-2021-42386, affect multiple versions of the tool ranging from 1.16 to 1.33.1, DevOps company JFrog and industrial cybersecurity firm Claroty said in a joint report.
Dubbed “the Swiss Army Knife of Embedded Linux,” BusyBox is a widely used software suite combining a variety of common Unix utilities or applets (e.g., cp, ls, grep) into a single executable file that can run on Linux systems such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs).
A quick list of the flaws and the applets they affect is below:
- man – CVE-2021-42373
- lzma/unlzma – CVE-2021-42374
- ash – CVE-2021-42375
- hush – CVE-2021-42376, CVE-2021-42377
- awk – CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386
Triggered by supplying untrusted input via the command line to the vulnerable applets, successful exploitation of the flaws could result in denial of service, inadvertent disclosure of sensitive information, and possibly code execution. The weaknesses have since been resolved in BusyBox version 1.34, which was released on August 19, following responsible disclosure.
“These new vulnerabilities that we’ve disclosed only manifest in specific conditions, but could be incredibly problematic when exploitable,” said Shachar Menashe, senior director of security research at JFrog. “The proliferation of BusyBox makes this an issue that needs to be addressed by security teams. As such, we encourage organizations to upgrade their BusyBox version, or make sure they are not using any of the affected applets.”
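A defender-side check for the advice above, added here as an example and not part of the JFrog/Claroty report: it compares a BusyBox version string against the affected range (1.16 through 1.33.1) and flags any of the listed applets that a build includes. The live check assumes the `busybox --list` option, which prints the applets compiled into the binary.

```shell
#!/bin/sh
# Added example, not code from the JFrog/Claroty report: audit a BusyBox build
# against the affected version range (1.16 through 1.33.1) and the applets
# named in the advisory. The live check assumes `busybox --list` is available.

AFFECTED_APPLETS="man lzma unlzma ash hush awk"

# version_affected VERSION -> exit 0 if VERSION falls in 1.16 .. 1.33.1 inclusive
version_affected() {
    v=${1%%[!0-9.]*}              # drop a distro suffix such as "-r0"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#"$minor"}; patch=${patch#.}
    [ -n "$patch" ] || patch=0    # "1.16" means 1.16.0
    for n in "$major" "$minor" "$patch"; do case $n in ''|*[!0-9]*) return 2 ;; esac; done
    [ "$major" -eq 1 ] || return 1
    [ "$minor" -ge 16 ] && [ "$minor" -le 33 ] || return 1
    [ "$minor" -ne 33 ] || [ "$patch" -le 1 ]
}

# affected_applets_present "APPLET ..." -> prints the affected applets found
# (space separated) and exits 0 if at least one is present
affected_applets_present() {
    found=""
    for a in $1; do
        for b in $AFFECTED_APPLETS; do
            if [ "$a" = "$b" ]; then found="$found $a"; fi
        done
    done
    found=${found# }
    printf '%s\n' "$found"
    [ -n "$found" ]
}

# Live check of the installed binary: the first line of `busybox` output is
# the version banner, and `busybox --list` prints the compiled-in applets.
check_installed() {
    command -v busybox >/dev/null 2>&1 || { echo "busybox not installed"; return 2; }
    ver=$(busybox 2>&1 | sed -n 's/^BusyBox v\([0-9.]*\).*/\1/p' | head -n 1)
    applets=$(busybox --list 2>/dev/null | tr '\n' ' ')
    if version_affected "$ver"; then
        echo "BusyBox $ver is in the affected range"
        hits=$(affected_applets_present "$applets") && echo "affected applets built in: $hits"
        return 1
    fi
    echo "BusyBox $ver is outside the affected range"
}
```

Running `check_installed` on a device returns non-zero when the build is both in the affected range and ships one of the listed applets, which is the case the advisory says to remediate.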