Security researchers from Claroty’s Team82 and JFrog discovered 14 new vulnerabilities on the BusyBox Linux utility that could be leveraged to carry out denial of service (DoS) attacks. However, researchers also added that it is possible to perform information leaks and possibly remote code execution attacks on BusyBox Linux utility in rare cases. We have created this post to let you know how to fix vulnerabilities found in the BusyBox Linux utility.
What Is BusyBox Utility?
BusyBox, commonly known as the Swiss Army Knife of Embedded Linux, is a small Linux utility software containing tiny versions of several common UNIX utilities known as applets into a single executable file.
BusyBox is mostly shipped with many important utilities you usually find in GNU fileutils, shellutils, etc. Since BusyBox is created for embedded systems, applets were created with fewer options to keep the program lighter than the GNU counterparts.
Since BusyBox provides a complete environment, especially for small or embedded systems, it has been written with customizable options allowing easily include or exclude commands at compile time. Therefore, BusyBox offers great flexibility for an embedded system to run its own custom features.
List of 14 Vulnerabilities Found In BusyBox Linux Utility:
|CVE ID||Description||Affected applet||Affected versions (inclusive)||Impact||CVSS v3.1|
|CVE-2021-42373||A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is given||man||1.33.0-1.33.1||DoS||5.1|
|CVE-2021-42374||An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.||lzma/unlzma and more (see below)||1.27.0 – 1.33.1||DoS & InfoLeak||6.5|
|CVE-2021-42375||An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.||ash||1.33.1||DoS||4.1|
|CVE-2021-42376||A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.||hush||1.16-1.31.1||DoS||4.1|
|CVE-2021-42377||An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.||hush||1.33.0-1.33.1||DoS & Possible RCE||6.4|
|CVE-2021-42378||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function||awk||1.16-1.33.1||DoS & Possible RCE||6.6|
|CVE-2021-42379||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function||awk||1.18-1.33.1||DoS & Possible RCE||6.6|
|CVE-2021-42380||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function||awk||1.28-1.33.1||DoS & Possible RCE||6.6|
|CVE-2021-42381||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function||awk||1.21-1.33.1||DoS & Possible RCE||6.6|
|CVE-2021-42382||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function||awk||1.26-1.33.1||DoS & Possible RCE||6.6|
|CVE-2021-42383||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function||awk||1.33.1||DoS & Possible RCE||6.6|
|CVE-2021-42384||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function||awk||1.18-1.33.1||DoS & Possible RCE||6.6|
|CVE-2021-42385||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function||awk||1.16-1.33.1||DoS & Possible RCE||6.6|
|CVE-2021-42386||A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function||awk||1.16-1.33.1||DoS & Possible RCE||6.6|
How to Fix Vulnerabilities Found in BusyBox Linux Utility?
Vulnerabilities could be abused using untrusted data, which comes in the form of an argument to the command. Since the affected applets are not daemons, those applets can be excluded or filtered during the compile time. Or, if you need to have the affected applets on your embedded system for your work, it is recommended to upgrade or install the patched version of the BusyBox.
We can fix the fix vulnerabilities found in the BusyBox utility in two ways:
- All these 14 vulnerabilities have been fixed in BusyBox 1.34.0, so users are recommended to upgrade or install BusyBox 1.34.0 or later.
- The users who are running BusyBox 1.33.1 and earlier versions and can’t go with the upgradation or installation of newer versions can exclude these affected applets.
List Of Affected Applets In BusyBox v1.33.1 And Below:
Time needed: 10 minutes.
How to Fix Vulnerabilities Found in BusyBox Linux Utility?
First, we will show you how to install BusyBox v1.34.1 which is the latest release at the time of publishing this post. Late, we will show you how to exclude the applets affected by vulnerabilities.
Note: We are using Ubuntu in this demonstration.
How to Install BusyBox v1.34.1 on Ubuntu?
- Update the repositories on Ubuntu
Let’s start the installation of BusyBox by updating the repository.
$ sudo apt update
- Check the latest BusyBox version in the Ubuntu repository
Well, this is optional to check the latest version available in the official repository. We have added it just for your reference. Use this command to see the version of BusyBox in the Ubuntu repository.
$ sudo apt-cache show busybox
- Select the BusyBox package to install from the available set of packages
List the available BusyBox package on the repository.
$ sudo apt-cache search busybox | grep busybox
- Install compelled binaries of BusyBox on Ubuntu
Run this comment to install the BusyBox compelled package on Ubuntu.
$ sudo apt install busybox
- Check the version of BusyBox on Ubuntu
Checking the version of BusyBox is very easy. You just need to read the first few lines of busybox command.
$ busybox | head
- List all the applets supported by Busybox
You can list out all the supported applies just by running ‘busybox’ command. If you have a long list that goes out of the screen, then use busybox with less like shone here.
$ busybox | less
- Install BusyBox from source code
if your package is vulnerable and wants to install the latest version or upgrade to the newest version, download the source code of BusyBox from the official site. You can download either on the terminal or directly on the browser. We have downloaded the source code using wget utility on the terminal.
$ wget https://busybox.net/downloads/busybox-1.34.1.tar.bz2
- Set the execution permission
Permissions are very important when you are working on Linux. Set the execution permission using chmod command.
$ sudo chmod +x busybox-1.34.1.tar.bz2
- Extract the downloaded file and change it to the extracted directory
Extract the downloaded tar.bz2 file using tar.
$ tar -xf busybox-1.34.1.tar.bz2
$ cd busybox-1.34.1/
- Set the configuration before creating binary file
Run make defconfig command before creating binary of BusyBox.
$ make defconfig
- Create the Busybox executable
Create the Busybox executable with make command.
- Install Busybox
Install the compelled BusyBox using make install command.
$ make install
You will see this message after successful installation of BusyBox.
You will probably need to make your busybox binary
setuid root to ensure all configured applets will
- Check Busybox version after installation
Your new BusyBox is ready to use. You should use your installation directory to use the new BusyBox instead of /bin/busybox. Since we have installed the new BusyBox in /home/arunkl/busybox-1.34.1/.
Our old installation will still remain in /bin/busybox. We will show you how to uninstall that in the next step.
$ /home/arunkl/busybox-1.34.1/busybox date
$ /home/arunkl/busybox-1.34.1/busybox | head
- Uninstall old version of Busybox
You can uninstall the older version using apt remove or purge. Remove will just remove the installed package. However, purge will remove the configuration files and dependency packages along with the BusyBox package.
After remove reboot the server.
$ sudo apt purge busybox
This completes the installation or upgradation of the new BusyBox on Ubuntu Linux.
- Excluding affected BusyBox applets during the compile time
You can exclude the applets in .config file. Since it is a hidden file. You can’t see just in ‘ls’. Use ‘ls -a’ to view the .config file.
Edit the .config file using any text editor. We use nano in this demonstration.
$ nano /home/arunkl/busybox-1.34.1/.config
Search these below applet’s configuration and comment them with ‘#’ at the beginning of the line. like this.
To search the words in nano editor:
Type the string or word hit Enter Key. The cursor will go to the search string. Add ‘#’ at the beginning of the line to comment it.
Save the file with Ctrl+o followed by Enter Key.
We hope this post will help you in knowing how to fix vulnerabilities found in the BusyBox Linux utility. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.