Claroty and JFrog discover 14 vulnerabilities in BusyBox

Team82 and JFrog have announced the discovery, by using static and dynamic techniques, of 14 vulnerabilities affecting the latest version of BusyBox.

Typically found in embedded devices with limited memory and storage resources, BusyBox is marketed as the Swiss Army Knife of embedded Linux. It's a software suite of useful Unix utilities, known as applets, packaged as a single executable file.

BusyBox can be found on many OT and IoT devices, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs), and remote terminal units (RTUs) - many of which now run on Linux.

As part of a commitment to improving open source software security, Claroty's Team82 and JFrog collaborated on a vulnerability research project examining BusyBox.

To research BusyBox, they used static and dynamic analysis approaches. First, a manual review of the BusyBox source code was conducted in a top-down approach (following user input up to specific applet handling). They also looked for obvious logical or memory corruption vulnerabilities.

The next approach was fuzzing. They compiled BusyBox with ASan and implemented an AFL harness for each BusyBox applet. Each harness was subsequently optimised by removing unnecessary parts of the code, running multiple fuzzing cycles on the same process (persistent mode), and running multiple fuzzed instances in parallel.

Details of the vulnerabilities

According to the collaboration, since the affected applets are not daemons, each vulnerability can only be exploited if the vulnerable applet is fed with untrusted data - usually through a command-line argument.

Specifically, these are the conditions that must occur for each vulnerability to be triggered:

CVE-2021-42373:

  •  Applies if the attacker can control all parameters passed to man.
  •  man is built by the default BusyBox configuration but not shipped with Ubuntu's default BusyBox binary.

CVE-2021-42374:

  • Applies if the attacker can supply a crafted compressed file that will be decompressed by using unlzma.
  • Even if the unlzma applet is not available, when CONFIG_FEATURE_SEAMLESS_LZMA is enabled (it is by default), other applets such as tar, unzip, rpm, dpkg, lzma and man can also reach the vulnerable code when handling a file with the .lzma filename suffix.
  • unlzma is built by the default BusyBox configuration and shipped with Ubuntu's default BusyBox binary.

CVE-2021-42375:

  •  Applies if the attacker can supply a command-line to ash that contains the special characters $, {, }, or #.
  •  ash is built by the default BusyBox configuration and shipped with Ubuntu's default BusyBox binary.

CVE-2021-42376:

  •  Applies if the attacker can supply a command-line to hush that contains the special character \x03 (delimiter).
  •  hush is built by the default BusyBox configuration but not shipped with Ubuntu's default BusyBox binary.

CVE-2021-42377:

  •  Applies if the attacker can supply a command-line to hush that contains the special character -.

CVE-2021-42378, CVE-2021-42386:

  •  Applies if the attacker can supply an arbitrary pattern to awk (the pattern is the first positional argument this applet takes).
  •  awk is built by the default BusyBox configuration and shipped with Ubuntu's default BusyBox binary.

"We started from fuzzing all the daemon applets, including HTTP, Telnet, DNS, DHCP, NTP etc. Many code changes were required in order to effectively fuzz network-based input," the companies explain.

"For example, the main modification we performed was to replace all recv functions with input from STDIN to support fuzzed inputs. Similar changes were done when we fuzzed non-server applets as well."

Claroty's Team82 and JFrog prepared a couple of examples for each applet and ran hundreds of fuzzed BusyBox instances for a few days.

"This gave us tens of thousands of crashes to evaluate. We had to create classes of crashes with the same root cause to help reduce the volume of crashes we had in our sample set. Later, we minimised each group representative to work with a small subset of unique crash inputs," they say.

To fulfil these tasks, the team developed automatic tooling that digested all crash data and classified it based on the crash analysis report, which mainly includes the crash stack trace, registers, and assembly code of the relevant code area. For example, they merged cases with similar crash stack traces because they usually had the same problematic root cause.

Finally, the team researched each unique crash and minimised its input vector in order to understand the root cause, which allowed them to create a proof-of-concept that exploits the vulnerability responsible for the crash. In addition, they tested their PoCs against several BusyBox versions to understand when the bugs were introduced to the source code.
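The stack-trace grouping described above can be sketched as follows. This is an added example, not the Team82/JFrog tooling: it assumes ASan-style text reports, keys each crash on its top application frames, and lists the smallest input first as the group representative (a simple stand-in for real input minimisation); all function names, addresses and inputs in the samples are constructed.

```python
import re
from collections import defaultdict

# One stack frame of an ASan report: "#<n> 0x<pc> in <function> <location>".
FRAME = re.compile(r"^[ \t]*#\d+[ \t]+0x[0-9a-f]+[ \t]+in[ \t]+(\S+)", re.M)
# Frames from the sanitizer runtime or libc start-up say nothing about root cause.
RUNTIME = ("__asan", "__interceptor", "__sanitizer", "__libc_start")

def signature(report, depth=3):
    """Top `depth` application function names; addresses and line numbers are ignored."""
    funcs = [f for f in FRAME.findall(report) if not f.startswith(RUNTIME)]
    return tuple(funcs[:depth])

def bucket(crashes, depth=3):
    """crashes: {name: (input_bytes, report)} -> {signature: names, smallest input first}."""
    groups = defaultdict(list)
    for name, (_data, report) in crashes.items():
        groups[signature(report, depth)].append(name)
    return {sig: sorted(names, key=lambda n: (len(crashes[n][0]), n))
            for sig, names in groups.items()}

# Constructed reports: function names, addresses and inputs are made up.
SAMPLES = {
    "id_000001": (b"A" * 64, """==11==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000eff0
    #0 0x55e1a0 in demo_eval applets/demo.c:210:9
    #1 0x55e4b2 in demo_run applets/demo.c:480:5
    #2 0x55f000 in demo_main applets/demo.c:900:3
"""),
    "id_000002": (b"A" * 7, """==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000a110
    #0 0x7f10aa in __interceptor_memcpy (/lib/libasan.so+0x3a0aa)
    #1 0x55e1b8 in demo_eval applets/demo.c:214:5
    #2 0x55e4b2 in demo_run applets/demo.c:480:5
    #3 0x55f000 in demo_main applets/demo.c:900:3
"""),
    "id_000003": (b"xyz", """==13==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    #0 0x56a010 in demo_expand applets/demo_sh.c:77:3
    #1 0x56a900 in demo_main applets/demo_sh.c:300:3
"""),
}

if __name__ == "__main__":
    for sig, names in bucket(SAMPLES).items():
        print(" > ".join(sig), "| representative:", names[0], "| members:", len(names))
```

The first two samples land in one group even though their addresses, line numbers and top frame differ, which is why frame names rather than raw report text make the better key.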

Threat Analysis and mitigation advice

To assess the threat level posed by these vulnerabilities, Team82 and JFrog inspected JFrog's database of more than 10,000 embedded firmware images. The team found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware.

According to Claroty, all 14 vulnerabilities have been fixed in BusyBox 1.34.0 and users are urged to upgrade immediately.
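To apply the upgrade advice to a device inventory, the following added example (not from Claroty or JFrog) parses the banner that `busybox` prints when run without arguments and reports whether the build predates 1.34.0 and which of the applets named in this article it contains. The banners are constructed samples, and because the article gives trigger conditions for only some of the 14 CVEs, an empty applet list on an old build still means "upgrade".

```python
import re

FIXED = (1, 34, 0)  # per the article, all 14 issues are fixed in BusyBox 1.34.0
# Applets the article names together with a trigger condition.
NAMED = {"man", "unlzma", "ash", "hush", "awk"}
# Applets the article says reach the unlzma code for .lzma files when
# CONFIG_FEATURE_SEAMLESS_LZMA is enabled (the banner does not reveal that option).
SEAMLESS_LZMA = {"tar", "unzip", "rpm", "dpkg", "lzma", "man"}

def parse_banner(text):
    """Return ((major, minor, patch) or None, set of applet names)."""
    m = re.search(r"BusyBox v(\d+)\.(\d+)\.(\d+)", text)
    version = tuple(map(int, m.groups())) if m else None
    listing = text.partition("Currently defined functions:")[2]
    applets = {a.strip() for a in listing.split(",") if a.strip()}
    return version, applets

def assess(text):
    """Classify one banner as 'fixed', 'review' (older than 1.34.0) or 'unknown'."""
    version, applets = parse_banner(text)
    if version is None:
        status = "unknown"
    elif version >= FIXED:
        status = "fixed"
    else:
        status = "review"
    hit = status == "review"
    return {
        "version": version,
        "status": status,
        "named": sorted(applets & NAMED) if hit else [],
        "lzma_path": sorted(applets & SEAMLESS_LZMA) if hit else [],
    }

# Constructed banners in the format `busybox` prints with no arguments.
HEAD = "Usage: busybox [function [arguments]...]\n\nCurrently defined functions:\n"
OLD_FULL = ("BusyBox v1.30.1 (constructed sample) multi-call binary.\n" + HEAD +
            "\t[, [[, ash, awk, cat, ls, tar,\n\tunlzma, vi\n")
NO_UNLZMA = ("BusyBox v1.31.0 (constructed sample) multi-call binary.\n" + HEAD +
             "\tcat, dpkg, ls, tar, unzip\n")
PATCHED = ("BusyBox v1.34.0 (constructed sample) multi-call binary.\n" + HEAD +
           "\tash, awk, cat, unlzma\n")

if __name__ == "__main__":
    for name, banner in [("OLD_FULL", OLD_FULL), ("NO_UNLZMA", NO_UNLZMA), ("PATCHED", PATCHED)]:
        print(name, assess(banner))
```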
