Multiple BusyBox security vulnerabilities threaten embedded Linux devices | Threatpost

2021-11-12 08:05:42 By : Mr. Bruce Huang


Researchers found 14 vulnerabilities in the "Swiss Army Knife" of embedded operating systems, which is used in many OT and IoT environments. The flaws allow RCE, denial of service and data leakage.

Researchers have found 14 critical vulnerabilities in a popular program used in embedded Linux applications. All of them allow denial of service (DoS), and 10 also allow remote code execution (RCE).

Researchers from JFrog Security and Claroty Research said in a report shared with Threatpost on Tuesday that one of the flaws could also cause a device to leak information.

The two companies joined forces to study BusyBox, a software suite used by many of the world's leading operational technology (OT) and Internet of Things (IoT) devices, such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) and remote terminal units (RTUs). Shachar Menashe, senior director of security research at JFrog, co-wrote the report with Vera Mens, Uri Katz, Tal Keren and Sharon Brizinov of Claroty Research.

BusyBox is known as the "Swiss Army Knife" of embedded Linux. It consists of useful Unix utilities, called applets, packaged into a single executable file. The program includes a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls and grep.

Menashe said in an email to Threatpost that the discovery of these flaws is significant because BusyBox is widespread not only in the embedded Linux world but also in many Linux applications outside of devices.

"The new vulnerabilities we disclosed only show up under certain circumstances, but they may cause great problems when they are exploited," he said. However, the researchers report that the good news for the security of devices using BusyBox is that these vulnerabilities usually require some effort to exploit.

These vulnerabilities are tracked as CVE-2021-42373 through CVE-2021-42386 and affect different versions of BusyBox, ranging from 1.16 to 1.33.1, depending on the flaw. They affect several applets: one flaw each in "man", "lzma/unlzma" and "ash"; two separate flaws in "hush"; and nine individual flaws in "awk", the most affected applet.

The researchers wrote that, because the applets are not daemons, each vulnerability can be exploited only when the vulnerable applet is fed untrusted data, usually through command-line arguments. The team's report includes a comprehensive breakdown of each vulnerability, the applet it affects, and its exploitability.

Overall, they wrote, 40% of the firmware images the researchers examined contained a BusyBox executable linked with one of the affected applets, which makes the problem extremely widespread in Linux-based embedded firmware. However, the researchers noted in their analysis that these vulnerabilities do not currently pose a serious threat to affected devices, for several reasons, including the complexity of exploiting them.

For example, the potentially most dangerous flaw is CVE-2021-42374, an out-of-bounds heap read in unlzma that can lead to DoS and information leakage. However, as the researchers explained in detail, it can only be used against a device when a specially crafted LZMA-compressed input is decompressed.

The researchers explained that LZMA is a compression algorithm that uses dictionary compression and encodes its output with a range encoder. Two specific conditions must be met during decoding to trigger the vulnerability, they wrote: "buffer_pos = 0" and "rep0 = offset dict_size".

To meet these conditions, they said, an attacker needs to prepare a specially crafted LZMA-encoded stream; when it is decoded, the conditions are met and device memory is eventually leaked.

The researchers added that although the DoS vulnerabilities are easier to exploit, their impact is usually mitigated by the fact that applets almost always run as separate forked processes.

Finally, most of the RCE flaws, especially those in the "awk" applet, are also difficult to exploit, because "processing awk patterns from external input is very rare (and inherently unsafe)," they wrote.

Nevertheless, Menashe recommends that devices using BusyBox be upgraded to the latest version and that developers ensure no affected applets are used, to prevent threat actors from exploiting any of the vulnerabilities.
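As an added example, not code from the article or from the JFrog/Claroty report, the following POSIX shell script carries out the inventory side of that advice: it reads the version from BusyBox's banner line, checks whether it falls in the 1.16 to 1.33.1 range the article reports, and lists which of the applets named above (man, lzma/unlzma, ash, hush, awk) are built into the binary. It assumes BusyBox's `--list` option for enumerating applets and the usual "BusyBox vX.Y.Z" banner; the banner and applet list used in `demo()` are constructed so the script runs without a BusyBox binary present.

```shell
#!/bin/sh
# Added example, not code from the article or the JFrog/Claroty report.
# Inventory for the mitigation the article describes: is this BusyBox build
# in the reported 1.16 .. 1.33.1 range, and which of the applets the
# researchers named are compiled in? Assumes `busybox --list` and the banner
# line BusyBox prints when run without arguments; the banner and applet list
# in demo() are constructed sample data.

AFFECTED_APPLETS="man lzma unlzma ash hush awk"

# parse_busybox_version: extract "1.33.1" from a banner line such as
# "BusyBox v1.33.1 (2021-01-01 00:00:00 UTC) multi-call binary." on stdin.
parse_busybox_version() {
    sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_in_affected_range VERSION: succeed when VERSION lies in 1.16 .. 1.33.1.
# Components are compared numerically; a missing patch level counts as 0.
version_in_affected_range() {
    echo "$1" | awk -F. '{
        v  = $1 * 1000000 + $2 * 1000 + ($3 + 0)
        lo = 1 * 1000000 + 16 * 1000 + 0
        hi = 1 * 1000000 + 33 * 1000 + 1
        exit !(v >= lo && v <= hi)
    }'
}

# affected_applets: read applet names, one per line, on stdin and print those
# that appear in AFFECTED_APPLETS, preserving input order.
affected_applets() {
    while IFS= read -r applet; do
        for a in $AFFECTED_APPLETS; do
            if [ "$applet" = "$a" ]; then
                printf '%s\n' "$applet"
                break
            fi
        done
    done
    return 0
}

# On a real device the two checks would be fed from the binary itself:
#   busybox 2>&1 | parse_busybox_version
#   busybox --list | affected_applets
# demo() uses constructed data instead so the script runs anywhere.
demo() {
    banner='BusyBox v1.33.1 (2021-01-01 00:00:00 UTC) multi-call binary.'
    ver=$(printf '%s\n' "$banner" | parse_busybox_version)
    if version_in_affected_range "$ver"; then
        echo "BusyBox $ver is in the reported range; affected applets present:"
    else
        echo "BusyBox $ver is outside the reported range; applets present anyway:"
    fi
    printf '%s\n' ash awk cp grep hush ls unlzma | affected_applets
}

demo
```

Any applet the second check prints is one the article's researchers flagged, so its presence is what a developer needs to justify or remove; a version outside the range only means the build is not among those the report covers, and the applet list is still worth reviewing.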
