Multiple BusyBox Security Bugs Threaten Embedded Linux Devices

silversurfer

Level 83
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,298
Researchers have discovered 14 critical vulnerabilities in a popular program used in embedded Linux applications, all of which allow for denial of service (DoS) and 10 that also enable remote code execution (RCE), they said.

One of the flaws also could allow devices to leak info, according to researchers from JFrog Security and Claroty Research, in a report shared with Threatpost on Tuesday.

The two firms teamed up to take a deeper dive into BusyBox, a software suite used by many of the world’s leading operational technology (OT) and internet of things (IoT) devices—such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) and remote terminal units (RTUs). Shachar Menashe, senior director security research for JFrog, partnered with Vera Mens, Uri Katz, Tal Keren and Sharon Brizinov of Claroty Research on the report.

Touted as a “Swiss Army Knife” of embedded Linux, BusyBox is comprised of useful Unix utilities called applets that are packaged as a single executable. The program includes a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep and others.

The discovery of the flaws are significant because of the proliferation of BusyBox not just for the embedded Linux world, but also for numerous Linux applications outside of devices, Menashe said in an email to Threatpost.

“These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable,” he said. However, the good news for the security of devices using BusyBox is that generally the vulnerabilities require a bit of effort to exploit, researchers reported.