Researchers have discovered 14 critical vulnerabilities in a popular program used in embedded Linux applications, all of which allow for denial of service (DoS) & 10 that also enable remote code execution (RCE), they stated.
Researchers discovered 14 vulnerabilities in the ‘Swiss Army Knife’ of the embedded OS used in many OT & IoT environments. They allow RCE, denial of service & data leaks.
Leak Data
One of the flaws also could allow devices to leak data, explained researchers from JFrog Security & Claroty Research, in a report on Tues.
The 2 firms linked up to look into BusyBox, a software suite used by many of the world’s leading operational technology (OT) & internet of things (IoT) devices, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) & remote terminal units (RTUs).
JFrog
Shachar Menashe, Senior Director Security Research for JFrog, partnered with Vera Mens, Uri Katz, Tal Keren & Sharon Brizinov of Claroty Research on the report.
Described as a “Swiss Army Knife” of embedded Linux, BusyBox bundles a set of Unix utilities, called applets, into a single executable. The program includes a full-fledged shell, a DHCP client/server, & small utilities such as cp, ls, grep & others.
Extremely Problematic
The discovery of the flaws is significant because of how widely BusyBox is used, not just in the embedded Linux world but also in numerous Linux applications outside of devices, Menashe observed.
“These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable,” he stated.
However, the good news for the security of devices using BusyBox is that the vulnerabilities generally require a bit of effort to exploit, researchers reported.
Breakdown
The vulnerabilities are being tracked with CVE IDs from CVE-2021-42373 through CVE-2021-42386 & affect different versions of BusyBox, ranging from 1.16 through 1.33.1 depending on the flaw.
They also affect a variety of applets: 1 flaw each in “man,” “lzma/unlzma” & “ash”; 2 separate flaws in “hush”; & 9 separate flaws in “awk,” the applet with the most vulnerabilities.
Because the applets are not ‘daemons,’ each flaw can only be exploited if the vulnerable applet is fed with untrusted data, typically through a command-line argument, researchers wrote.
Executable File
The team published a comprehensive breakdown of each vulnerability, which applet it affects, and its potential for exploitation in its report.
Overall, 40% of the firmware using BusyBox that researchers inspected includes a BusyBox executable file linked with 1 of the affected applets, making the problem “extremely widespread among Linux-based embedded firmware,” they wrote.
However, the vulnerabilities do not currently pose a critical threat to affected devices for assorted reasons, researchers noted in the analysis, including the exploit complexity.
Complex
For example, potentially the most dangerous of the flaws is CVE-2021-42374, an out-of-bounds heap read in unlzma that can lead to both DoS & an information leak. However, as researchers explained in detail, it can only be used to attack the device when a crafted LZMA-compressed input is decompressed.
LZMA is a compression algorithm that uses dictionary compression & encodes its output using a range encoder, researchers explain. 2 specific conditions in the decoder’s state need to be met to exploit the flaw: “buffer_pos = 0” & “rep0 = offset + dict_size,” researchers wrote.
Encoded Stream
To meet these conditions, an attacker needs to prepare a specifically crafted lzma encoded stream that, when decoded, will fulfil these conditions & ultimately leak device memory, they explained.
While the DoS vulnerabilities are more trivial to exploit, their impact is usually limited by the fact that applets almost always run as a separate forked process, researchers added.
“Awk” Applet
Most of the RCE flaws—particularly those present in the “awk” applet — are also tricky to exploit because “it is quite rare (& inherently unsafe) to process an awk pattern from external input,” they wrote.
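The awk caveat above is easy to miss in shell scripts on a device: the problem is not awk itself but a script that splices an untrusted string into the awk program text. The following is an added illustration, not code from the report or from BusyBox; the log lines are constructed, and the function names and the injected string are made up for the demonstration. The “unsafe” form lets the input rewrite the program, the “safe” form passes the same input through `-v` so awk only ever sees it as a string value.

```shell
#!/bin/sh
# Added example (not from the JFrog/Claroty report): untrusted text as awk
# program source versus untrusted text as awk data. Works with any POSIX awk,
# including the BusyBox applet.

# Constructed sample of interface status lines; "name" below is the
# untrusted input (e.g. a query parameter handed to a CGI script).
SAMPLE_LOG='eth0 up
eth1 down
wlan0 up'

# UNSAFE: the search string is interpolated into the program text, so any
# input containing awk syntax (/, {, }) changes what the program does.
# Reads the log on stdin, prints the status column for the named interface.
unsafe_status_of() {
    awk "/^$1 / { print \$2 }"
}

# SAFE: the program is a fixed literal; the input arrives via -v and awk
# treats it as a string value, never as code. (-v still expands backslash
# escapes in the value; ENVIRON["name"] avoids even that if it matters.)
safe_status_of() {
    awk -v name="$1" '$1 == name { print $2 }'
}

# A made-up input that is harmless as data but is valid awk when interpolated:
# the unsafe program becomes
#   /^eth0 / { print "INJECTED" } /^wlan0 / { print $2 }
INJECTED_NAME='eth0 / { print "INJECTED" } /^wlan0'

# Demonstration when run directly.
printf '%s\n' "$SAMPLE_LOG" | safe_status_of eth1                 # down
printf '%s\n' "$SAMPLE_LOG" | unsafe_status_of "$INJECTED_NAME"   # INJECTED, then up
printf '%s\n' "$SAMPLE_LOG" | safe_status_of "$INJECTED_NAME"     # nothing: no such interface
```

The same rule applies to any applet that accepts a program or pattern on its command line (awk, sed, the shells): untrusted bytes may be data for those programs, but should never be part of the program itself.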
Menashe recommended that devices using BusyBox be upgraded to the latest version, & that developers ensure that none of the affected applets are being used, in order to avoid threat actors taking advantage of any of the vulnerabilities.
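Both recommendations, and the exposure criteria described earlier (an affected version, with an affected applet compiled in), can be checked on a device or on a BusyBox binary extracted from a firmware image. The script below is an added example written for this page, not tooling from JFrog, Claroty or the BusyBox project. It assumes that running the binary with no arguments prints a banner beginning “BusyBox v1.33.1 (…)” and that `busybox --list` prints the compiled-in applet names one per line, which is the behaviour of the release range in question; the affected-applet list and the 1.16 through 1.33.1 range are taken from the article.

```shell
#!/bin/sh
# Added example (not from the JFrog/Claroty report): audit a BusyBox build
# against the affected version range and applet list given in the article.
# Assumed binary behaviour: "busybox" prints "BusyBox vX.Y.Z (...)" as its
# first banner line and "busybox --list" prints one applet name per line.

# Applets the report names as affected (man, lzma/unlzma, ash, hush, awk).
AFFECTED_APPLETS="man lzma unlzma ash hush awk"

# version_le A B: succeed when dotted-numeric version A <= B ("1.16" == "1.16.0").
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0};  bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.};; *) a="";; esac
        case $b in *.*) b=${b#*.};; *) b="";; esac
    done
    return 0
}

# banner_version "BusyBox v1.33.1 (...) multi-call binary." -> 1.33.1
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p'
}

# in_affected_range VERSION: succeed when 1.16 <= VERSION <= 1.33.1.
in_affected_range() {
    version_le 1.16 "$1" && version_le "$1" 1.33.1
}

# affected_applets: read applet names (one per line, as "busybox --list"
# prints them) on stdin and print those that appear on the affected list.
affected_applets() {
    while IFS= read -r applet; do
        case " $AFFECTED_APPLETS " in
            *" $applet "*) printf '%s\n' "$applet" ;;
        esac
    done
}

# audit_busybox /path/to/busybox: run both checks against a real binary.
audit_busybox() {
    bb=$1
    ver=$(banner_version "$("$bb" 2>&1 | head -n 1)")
    if [ -z "$ver" ]; then
        echo "$bb: could not parse a BusyBox version from the banner"
        return 2
    fi
    if in_affected_range "$ver"; then
        echo "$bb: BusyBox $ver is inside the affected range 1.16-1.33.1"
        hits=$("$bb" --list | affected_applets)
        [ -n "$hits" ] && echo "affected applets compiled in: $(echo $hits)"
    else
        echo "$bb: BusyBox $ver is outside the affected range"
    fi
}

# Usage: sh audit_busybox.sh /bin/busybox
if [ $# -ge 1 ]; then
    audit_busybox "$1"
fi
```

A binary pulled out of a firmware image for another architecture has to be run under a user-mode emulator (or the banner and applet list read from it some other way); the version and applet functions above work on that text regardless of where it came from. A build that is in range but carries none of the affected applets is the “ensure none of the affected applets are being used” case the researchers describe.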