November 10, 2021

How To Fix Vulnerabilities Found In BusyBox Linux Utility?


Security researchers from Claroty's Team82 and JFrog discovered 14 new vulnerabilities in the BusyBox Linux utility that could be leveraged to carry out denial of service (DoS) attacks. The researchers also noted that, in rare cases, the flaws could be used for information leaks and possibly remote code execution. We have created this post to let you know how to fix the vulnerabilities found in the BusyBox Linux utility.

What Is BusyBox Utility?

BusyBox, commonly known as the Swiss Army Knife of Embedded Linux, is a small Linux utility that bundles stripped-down versions of many common UNIX utilities, known as applets, into a single executable file.
BusyBox ships with many of the important utilities you usually find in GNU fileutils, shellutils, etc. Since BusyBox is built for embedded systems, its applets were written with fewer options to keep the program lighter than the GNU counterparts.
Since BusyBox provides a fairly complete environment, especially for small or embedded systems, it was written to be highly configurable, so that commands can easily be included or excluded at compile time. BusyBox therefore offers great flexibility for an embedded system to run its own custom feature set.

List of 14 Vulnerabilities Found In BusyBox Linux Utility:

| CVE ID | Description | Affected applet | Affected versions (inclusive) | Impact | CVSS v3.1 |
|---|---|---|---|---|---|
| CVE-2021-42373 | A NULL pointer dereference in man leads to denial of service when a section name is supplied but no page argument is given. | man | 1.33.0-1.33.1 | DoS | 5.1 |
| CVE-2021-42374 | An out-of-bounds heap read in unlzma leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that internally supports LZMA compression. | lzma/unlzma and more (see below) | 1.27.0-1.33.1 | DoS & InfoLeak | 6.5 |
| CVE-2021-42375 | An incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input. | ash | 1.33.1 | DoS | 4.1 |
| CVE-2021-42376 | A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. | hush | 1.16-1.31.1 | DoS | 4.1 |
| CVE-2021-42377 | An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. | hush | 1.33.0-1.33.1 | DoS & Possible RCE | 6.4 |
| CVE-2021-42378 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function. | awk | 1.16-1.33.1 | DoS & Possible RCE | 6.6 |
| CVE-2021-42379 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function. | awk | 1.18-1.33.1 | DoS & Possible RCE | 6.6 |
| CVE-2021-42380 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function. | awk | 1.28-1.33.1 | DoS & Possible RCE | 6.6 |
| CVE-2021-42381 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function. | awk | 1.21-1.33.1 | DoS & Possible RCE | 6.6 |
| CVE-2021-42382 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function. | awk | 1.26-1.33.1 | DoS & Possible RCE | 6.6 |
| CVE-2021-42383 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. | awk | 1.33.1 | DoS & Possible RCE | 6.6 |
| CVE-2021-42384 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function. | awk | 1.18-1.33.1 | DoS & Possible RCE | 6.6 |
| CVE-2021-42385 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. | awk | 1.16-1.33.1 | DoS & Possible RCE | 6.6 |
| CVE-2021-42386 | A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function. | awk | 1.16-1.33.1 | DoS & Possible RCE | 6.6 |

This table is reproduced from the original report.

How to Fix Vulnerabilities Found in BusyBox Linux Utility?

These vulnerabilities are triggered by untrusted data supplied to the affected command, typically as an argument or input. Since the affected applets are not daemons, they can be excluded or filtered out at compile time. If you need the affected applets on your embedded system for your work, it is recommended to upgrade to or install a patched version of BusyBox.

We can fix the vulnerabilities found in the BusyBox utility in two ways:

  1. All 14 vulnerabilities have been fixed in BusyBox 1.34.0, so users are recommended to upgrade to or install BusyBox 1.34.0 or later.

  2. Users who are running BusyBox 1.33.1 or earlier and cannot upgrade to or install a newer version can exclude the affected applets.

List Of Affected Applets In BusyBox v1.33.1 And Below:

  1. man

  2. lzma

  3. ash

  4. hush

  5. awk

First, we will show you how to install BusyBox v1.34.1, which is the latest release at the time of publishing this post. Later, we will show you how to exclude the applets affected by the vulnerabilities.

Note: We are using Ubuntu in this demonstration.

How to Install BusyBox v1.34.1 on Ubuntu?

Step 1. Update the repositories on Ubuntu

Let's start the installation of BusyBox by updating the repository index.

$ sudo apt update

Step 2. Check the latest BusyBox version in the Ubuntu repository

This step is optional; it only checks the latest version available in the official repository, and we have added it for your reference. Use this command to see the version of BusyBox in the Ubuntu repository.

$ sudo apt-cache show busybox

Step 3. Select the BusyBox package to install from the available set of packages

List the BusyBox packages available in the repository.

$ sudo apt-cache search busybox | grep busybox

Step 4. Install compiled binaries of BusyBox on Ubuntu

Run this command to install the precompiled BusyBox package on Ubuntu.

$ sudo apt install busybox

Step 5. Check the version of BusyBox on Ubuntu

Checking the version of BusyBox is very easy. You just need to read the first few lines of the busybox command's output.

$ busybox | head

Step 6. List all the applets supported by Busybox

You can list all the supported applets just by running the busybox command. If the list is longer than your screen, pipe busybox into less as shown here.

$ busybox
$ busybox | less

Step 7. Install BusyBox from source code

If your package is vulnerable and you want to install or upgrade to the latest version, download the source code of BusyBox from the official site. You can download it either in the terminal or directly in the browser. We downloaded the source code using the wget utility in the terminal.

$ wget https://busybox.net/downloads/busybox-1.34.1.tar.bz2

Step 8. Set the execution permission

Permissions are very important when you are working on Linux. Set the execute permission using the chmod command.

$ sudo chmod +x busybox-1.34.1.tar.bz2

Step 9. Extract the downloaded file and change it to the extracted directory

Extract the downloaded tar.bz2 file using tar.

$ tar -xf busybox-1.34.1.tar.bz2
$ cd busybox-1.34.1/

Step 10. Set the configuration before creating binary file

Run the make defconfig command before building the BusyBox binary.

$ make defconfig

Step 11. Create the Busybox executable

Create the BusyBox executable with the make command.

$ make

Step 12. Install Busybox

Install the compiled BusyBox using the make install command.

$ make install

You will see this message after successful installation of BusyBox.


You will probably need to make your busybox binary
setuid root to ensure all configured applets will
work properly.


Step 13. Check Busybox version after installation

Your new BusyBox is ready to use. Call it from its installation directory rather than /bin/busybox, since we built the new BusyBox in /home/arunkl/busybox-1.34.1/.

Our old installation will still remain at /bin/busybox. We will show you how to uninstall it in the next step.

$ /home/arunkl/busybox-1.34.1/busybox date
$ /home/arunkl/busybox-1.34.1/busybox | head

Step 14. Uninstall old version of Busybox

You can uninstall the older version using apt remove or apt purge. Remove will only remove the installed package, whereas purge will also remove the configuration files and dependency packages along with the BusyBox package.

After removing it, reboot the server.

$ sudo apt purge busybox
$ reboot

This completes the installation or upgrade of the new BusyBox on Ubuntu Linux.

Step 15. Excluding affected BusyBox applets during the compile time

You can exclude the applets in the .config file. Since it is a hidden file, you can't see it with a plain ls; use ls -a to view the .config file.

Edit the .config file using any text editor. We use nano in this demonstration.

$ nano /home/arunkl/busybox-1.34.1/.config

Search for the applet configuration entries below and comment them out with a # at the beginning of the line, like this.

To search for a word in the nano editor, press Ctrl+W, type the string or word and hit Enter. The cursor will jump to the search string. Add # at the beginning of the line to comment it out.

# CONFIG_MAN=y
# CONFIG_UNLZMA=y
# CONFIG_FEATURE_SEAMLESS_LZMA=y
# CONFIG_FEATURE_UNZIP_LZMA=y
# CONFIG_ASH=y
# CONFIG_HUSH=y
# CONFIG_AWK=y

Save the file with Ctrl+O followed by Enter.
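To confirm that either fix actually took effect, the following audit helpers are an added example, not code from the original post or from the BusyBox project. They parse the banner line that `busybox | head` prints, the `.config` edited in Step 15, and the applet list from `busybox --list`; the banner and .config used at the bottom are constructed samples.

```shell
#!/bin/sh
# Added audit helpers (not from the post or the BusyBox project) that check a
# BusyBox build against the 14 CVEs in the table above.

# Kconfig symbols the post says to comment out, and the applets they build.
AFFECTED_CONFIGS="CONFIG_MAN CONFIG_UNLZMA CONFIG_FEATURE_SEAMLESS_LZMA CONFIG_FEATURE_UNZIP_LZMA CONFIG_ASH CONFIG_HUSH CONFIG_AWK"
AFFECTED_APPLETS="man lzma unlzma ash hush awk"

# $1 is the banner line, e.g. "BusyBox v1.33.1 (Ubuntu ...) multi-call binary."
# Returns 0 for 1.34.0 or later (first release with all 14 fixes),
# 1 for an older release, 2 if the line is not a BusyBox banner.
busybox_version_fixed() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 34 ]
}

# $1 = names to look for, $2 = suffix appended to each, stdin = lines to
# search. Prints each name found as a whole line; returns 0 only if none is.
report_present() {
    haystack=$(cat)
    found=0
    for name in $1; do
        if printf '%s\n' "$haystack" | grep -qx "$name$2"; then
            echo "$name"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}
affected_configs_enabled() { report_present "$AFFECTED_CONFIGS" "=y"; }  # usage: affected_configs_enabled < .config
affected_applets_present() { report_present "$AFFECTED_APPLETS" ""; }    # usage: busybox --list | affected_applets_present

# Constructed sample input (not from a real system): an unpatched banner and a
# .config where only CONFIG_MAN and CONFIG_AWK were commented out as the post says.
SAMPLE_BANNER="BusyBox v1.33.1 (2021-01-01 00:00:00 UTC) multi-call binary."
SAMPLE_CONFIG="# CONFIG_MAN=y
CONFIG_UNLZMA=y
CONFIG_FEATURE_SEAMLESS_LZMA=y
CONFIG_ASH=y
# CONFIG_HUSH is not set
# CONFIG_AWK=y"

busybox_version_fixed "$SAMPLE_BANNER" || echo "vulnerable version: upgrade to 1.34.0 or later"
printf '%s\n' "$SAMPLE_CONFIG" | affected_configs_enabled || echo "^ still enabled in .config"
```

On a real system, run `affected_configs_enabled < /home/arunkl/busybox-1.34.1/.config` after editing and `/home/arunkl/busybox-1.34.1/busybox --list | affected_applets_present` after `make` to be sure the excluded applets are really gone from the binary.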

We hope this post helps you understand how to fix the vulnerabilities found in the BusyBox Linux utility. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
