• Home
  • |
  • Blog
  • |
  • How To Fix Vulnerabilities Found In BusyBox Linux Utility?
How to Fix Vulnerabilities Found in BusyBox Linux Utility

Security researchers from Claroty’s Team82 and JFrog discovered 14 new vulnerabilities on the BusyBox Linux utility that could be leveraged to carry out denial of service (DoS) attacks. However, researchers also added that it is possible to perform information leaks and possibly remote code execution attacks on BusyBox Linux utility in rare cases. We have created this post to let you know how to fix vulnerabilities found in the BusyBox Linux utility.

What Is BusyBox Utility?

BusyBox, commonly known as the Swiss Army Knife of Embedded Linux, is a small Linux utility software containing tiny versions of several common UNIX utilities known as applets into a single executable file.
BusyBox is mostly shipped with many important utilities you usually find in GNU fileutils, shellutils, etc. Since BusyBox is created for embedded systems, applets were created with fewer options to keep the program lighter than the GNU counterparts. 
Since BusyBox provides a complete environment, especially for small or embedded systems, it has been written with customizable options allowing easily include or exclude commands at compile time. Therefore, BusyBox offers great flexibility for an embedded system to run its own custom features. 

List of 14 Vulnerabilities Found In BusyBox Linux Utility:

CVE IDDescriptionAffected appletAffected versions (inclusive)ImpactCVSS v3.1
CVE-2021-42373A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is givenman1.33.0-1.33.1DoS5.1
CVE-2021-42374An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression.lzma/unlzma and more (see below)1.27.0 – 1.33.1 DoS & InfoLeak6.5
CVE-2021-42375An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.ash1.33.1DoS4.1
CVE-2021-42376A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.hush1.16-1.31.1DoS4.1
CVE-2021-42377An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.hush1.33.0-1.33.1DoS & Possible RCE6.4
CVE-2021-42378A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i functionawk1.16-1.33.1DoS & Possible RCE6.6
CVE-2021-42379A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file functionawk1.18-1.33.1DoS & Possible RCE6.6
CVE-2021-42380A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar functionawk1.28-1.33.1DoS & Possible RCE6.6
CVE-2021-42381A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init functionawk1.21-1.33.1DoS & Possible RCE6.6
CVE-2021-42382A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s functionawk1.26-1.33.1DoS & Possible RCE6.6
CVE-2021-42383A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate functionawk1.33.1DoS & Possible RCE6.6
CVE-2021-42384A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special functionawk1.18-1.33.1DoS & Possible RCE6.6
CVE-2021-42385A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate functionawk1.16-1.33.1DoS & Possible RCE6.6
CVE-2021-42386A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc functionawk1.16-1.33.1DoS & Possible RCE6.6
The table is published in the original report.

How to Fix Vulnerabilities Found in BusyBox Linux Utility?

Vulnerabilities could be abused using untrusted data, which comes in the form of an argument to the command. Since the affected applets are not daemons, those applets can be excluded or filtered during the compile time. Or, if you need to have the affected applets on your embedded system for your work, it is recommended to upgrade or install the patched version of the BusyBox.

We can fix the fix vulnerabilities found in the BusyBox utility in two ways:

  1. All these 14 vulnerabilities have been fixed in BusyBox 1.34.0, so users are recommended to upgrade or install BusyBox 1.34.0 or later. 
  2. The users who are running BusyBox 1.33.1 and earlier versions and can’t go with the upgradation or installation of newer versions can exclude these affected applets.

List Of Affected Applets In BusyBox v1.33.1 And Below:

  1. man
  2. lzma
  3. ash
  4. hush
  5. awk

Time needed: 10 minutes.

How to Fix Vulnerabilities Found in BusyBox Linux Utility?
First, we will show you how to install BusyBox v1.34.1 which is the latest release at the time of publishing this post. Late, we will show you how to exclude the applets affected by vulnerabilities.

Note: We are using Ubuntu in this demonstration.

How to Install BusyBox v1.34.1 on Ubuntu?

  1. Update the repositories on Ubuntu

    Let’s start the installation of BusyBox by updating the repository.

    $ sudo apt update

    Update the repositories on Ubuntu

  2. Check the latest BusyBox version in the Ubuntu repository

    Well, this is optional to check the latest version available in the official repository. We have added it just for your reference. Use this command to see the version of BusyBox in the Ubuntu repository.

    $ sudo apt-cache show busybox

    The latest Busybox version in Ubuntu repository

  3. Select the BusyBox package to install from the available set of packages

    List the available BusyBox package on the repository.

    $ sudo apt-cache search busybox | grep busybox

    The latest Busybox version in Ubuntu repository

  4. Install compelled binaries of BusyBox on Ubuntu

    Run this comment to install the BusyBox compelled package on Ubuntu.

    $ sudo apt install busybox

    Install Busybox on Ubuntu

  5. Check the version of BusyBox on Ubuntu

    Checking the version of BusyBox is very easy. You just need to read the first few lines of busybox command.

    $ busybox | head

    Check the version of Busybox on Ubuntu

  6. List all the applets supported by Busybox

    You can list out all the supported applies just by running ‘busybox’ command. If you have a long list that goes out of the screen, then use busybox with less like shone here.

    $ busybox
    $ busybox | less


    List all the applets supported by Busybox

  7. Install BusyBox from source code

    if your package is vulnerable and wants to install the latest version or upgrade to the newest version, download the source code of BusyBox from the official site. You can download either on the terminal or directly on the browser. We have downloaded the source code using wget utility on the terminal.

    $ wget https://busybox.net/downloads/busybox-1.34.1.tar.bz2


    Download the source code of latest Busybox

  8. Set the execution permission

    Permissions are very important when you are working on Linux. Set the execution permission using chmod command.

    $ sudo chmod +x busybox-1.34.1.tar.bz2
    set the execution permission

  9. Extract the downloaded file and change it to the extracted directory

    Extract the downloaded tar.bz2 file using tar.

    $ tar -xf busybox-1.34.1.tar.bz2
    $ cd busybox-1.34.1/


    Extract the downloaded file and change to the extracted directory

  10. Set the configuration before creating binary file

    Run make defconfig command before creating binary of BusyBox.

    $ make defconfig

    make defconfig

  11. Create the Busybox executable

    Create the Busybox executable with make command.

    $ make

    Create the Busybox executable

  12. Install Busybox

    Install the compelled BusyBox using make install command.

    $ make install

    You will see this message after successful installation of BusyBox.

    ——————————————————–
    You will probably need to make your busybox binary
    setuid root to ensure all configured applets will
    work properly.
    ——————————————————–

    Install Busybox from source code

  13. Check Busybox version after installation

    Your new BusyBox is ready to use. You should use your installation directory to use the new BusyBox instead of /bin/busybox. Since we have installed the new BusyBox in /home/arunkl/busybox-1.34.1/.

    Our old installation will still remain in /bin/busybox. We will show you how to uninstall that in the next step.

    $ /home/arunkl/busybox-1.34.1/busybox date
    $ /home/arunkl/busybox-1.34.1/busybox | head


    Check Busybox version after installation

  14. Uninstall old version of Busybox

    You can uninstall the older version using apt remove or purge. Remove will just remove the installed package. However, purge will remove the configuration files and dependency packages along with the BusyBox package.

    After remove reboot the server.

    $ sudo apt purge busybox
    $ reboot


    This completes the installation or upgradation of the new BusyBox on Ubuntu Linux.

    Uninstall old version of Busybox

  15. Excluding affected BusyBox applets during the compile time

    You can exclude the applets in .config file. Since it is a hidden file. You can’t see just in ‘ls’. Use ‘ls -a’ to view the .config file.

    Edit the .config file using any text editor. We use nano in this demonstration.

    $ nano /home/arunkl/busybox-1.34.1/.config

    Search these below applet’s configuration and comment them with ‘#’ at the beginning of the line. like this.

    To search the words in nano editor:
    Ctrl+w
    Type the string or word hit Enter Key. The cursor will go to the search string. Add ‘#’ at the beginning of the line to comment it.

    # CONFIG_MAN=y
    # CONFIG_UNLZMA=y
    # CONFIG_FEATURE_SEAMLESS_LZMA=y
    # CONFIG_FEATURE_UNZIP_LZMA=y
    # CONFIG_ASH=y
    # CONFIG_HUSH=y
    # CONFIG_AWK=y


    Save the file with Ctrl+o followed by Enter Key.

    Workaround to fix vulnerabilities in BusyBox

We hope this post will help you in knowing how to fix vulnerabilities found in the BusyBox Linux utility. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.