Security researchers have found and reported 14 vulnerabilities in the BusyBox userspace tool that’s used in millions of embedded devices running Linux-based firmware. While the flaws don’t have high criticality, some of them do have the potential to result in remote code execution (RCE).

BusyBox is a software utilities suite that its creators describe as the Swiss army knife of embedded Linux. It contains implementations of the most common Linux command-line tools, together with a shell and a DHCP client and server, all packaged as a single binary. BusyBox has become a de facto standard in the embedded Linux userspace, its standalone binary having support for over 300 common Linux commands.

“You’re likely to find many OT and IoT devices running BusyBox, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs)—many of which now run on Linux,” researchers from DevOps specialist firm JFrog said in a report. “We inspected JFrog’s database of more than 10,000 embedded firmware images […]. We found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware.”

JFrog worked with researchers from industrial cybersecurity company Claroty to analyze BusyBox using static and dynamic analysis techniques, including custom fuzzing. This resulted in vulnerabilities being found in several popular BusyBox applets: man (manual pages), lzma/unlzma (compression), ash (shell), hush (shell) and awk (text manipulation/scripting).

Denial of service, information leak and RCE

All 14 vulnerabilities can be exploited to trigger denial-of-service (DoS) conditions like unusual resource consumption or process crashes on the device. While DoS is generally viewed as lower risk compared to other types of vulnerability impacts, on devices like PLCs and others found in OT environments DoS conditions can halt critical industrial processes.

That said, exploiting flaws in BusyBox applets usually requires the ability to control the input that those applets process, typically through the arguments or data passed to a command. Whether this can be done remotely, without local access to the device, depends on the features the device exposes and how they were implemented.

For example, the vulnerability in man (CVE-2021-42373) applies if the attacker can control all parameters passed to the man command, so that they can supply a section name but no page argument. The vulnerabilities in ash (CVE-2021-42375) and hush (CVE-2021-42376 and CVE-2021-42377) are the result of improper handling of certain special characters or strings of characters inside shell commands. Exploiting them requires the ability to pass specially crafted commands to the shells, and CVE-2021-42377 can also potentially result in remote code execution.

The flaw in unlzma (CVE-2021-42374) can lead to DoS or an information leak and can be exploited by passing specially crafted LZMA-compressed input to the applet. This vulnerability is interesting because even if the unlzma applet itself is not available, other applets such as tar, unzip, rpm, dpkg, lzma and man use the vulnerable code when handling LZMA-compressed files if the CONFIG_FEATURE_SEAMLESS_LZMA build option is enabled. This feature is enabled by default in BusyBox and significantly expands the possible attack vectors.

“From an attacker’s perspective, ZIP is a much better attack vector since unzip invocations are much more common than direct invocations of unlzma,” the researchers said. “The leaked data can be extracted and saved into files that can be later read remotely. For example, this can happen in an embedded web service that permits uploading zip files with media resources, which will get extracted to an accessible location. From there, the attacker could read the leaked memory data.”

The remaining nine vulnerabilities are all located in awk and cause use-after-free memory corruptions when processing specially crafted awk patterns. All can result in DoS and potentially RCE. “The use-after-free vulnerabilities may be exploitable for remote code execution, but currently we did not attempt to create a weaponized exploit for them,” the researchers said. “In addition, it is quite rare (and inherently unsafe) to process an awk pattern from external input.”

The vulnerabilities were fixed in BusyBox 1.34.0, so firmware developers are advised to upgrade to the new version. If that’s not possible because of compatibility issues, earlier versions can be compiled without the vulnerable applets as a workaround.
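For firmware or asset owners who cannot simply rebuild, the first question is which BusyBox version a device ships and whether any of the applets named above (including the tar/unzip/rpm/dpkg consumers that reach the unlzma code through CONFIG_FEATURE_SEAMLESS_LZMA) are compiled in. The following POSIX shell helper is an added example written for this article, not code from JFrog, Claroty or the BusyBox project. It works on two inputs that a practitioner can collect from a device (the version string and the applet list printed by `busybox --list`), compares the version against the 1.34.0 fix release, and flags the relevant applets. The sample version and applet list at the bottom are constructed for illustration, not taken from a real device.

```shell
#!/bin/sh
# Added triage helper for the BusyBox issues described in the article.
# Inputs: a BusyBox version string (e.g. "1.33.1") and the text printed by
# `busybox --list` (one applet name per line).

# version_lt A B: exit 0 when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# needs_update VERSION: exit 0 when VERSION predates the 1.34.0 fix release.
needs_update() {
    version_lt "$1" "1.34.0"
}

# affected_applets LIST: print each applet from LIST that the article names
# as vulnerable, or that reuses the unlzma code for LZMA-compressed input
# when CONFIG_FEATURE_SEAMLESS_LZMA is enabled (the BusyBox default).
affected_applets() {
    printf '%s\n' "$1" | while IFS= read -r applet; do
        case "$applet" in
            man|lzma|unlzma|ash|hush|awk)
                echo "$applet (vulnerable applet)" ;;
            tar|unzip|rpm|dpkg)
                echo "$applet (reaches unlzma code via CONFIG_FEATURE_SEAMLESS_LZMA)" ;;
        esac
    done
}

# triage VERSION LIST: print a short report; exit 0 when action is needed.
triage() {
    if needs_update "$1"; then
        echo "BusyBox $1 predates the 1.34.0 fix; review these applets:"
        affected_applets "$2"
        return 0
    fi
    echo "BusyBox $1 already includes the 1.34.0 fixes"
    return 1
}

# Constructed sample input (not from a real device): a pre-fix build with a
# typical applet mix. On a live device, collect the inputs with
#   busybox 2>&1 | head -n1     # version banner
#   busybox --list              # compiled-in applets
SAMPLE_VERSION="1.33.1"
SAMPLE_LIST="[
ash
awk
cat
hush
ls
tar
unzip"

triage "$SAMPLE_VERSION" "$SAMPLE_LIST"
```

The report is deliberately conservative: an applet being present does not prove the corresponding code path is reachable from untrusted input on that device, but it tells you which applets to either remove from the build or account for when deciding whether the upgrade to 1.34.0 can wait.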

The need for regular updates

A large number of IoT, OT and other embedded devices have adopted Linux as the operating system of choice for their firmware. As a result, they are also using many of the thousands of open-source utilities and services that make up the Linux userspace ecosystem. Some of these components are maintained by large communities of developers, while some can be maintained by very small teams or even lone developers.

Vulnerabilities are found in ubiquitous Linux components all the time and can impact billions of devices. While updating Linux servers and desktops can be easily automated, the update processes on many embedded systems still require manual intervention. Not to mention that many embedded firmware developers use very old versions of both the kernel and userspace tools for various compatibility reasons.

Enterprises should have patching policies in place that take into account their IoT and OT devices and should generally choose devices from vendors that commit to releasing regular and timely security updates for their products.