Multiple BusyBox Security Bugs Threaten Embedded Linux Devices
2021-11-09 14:00

Researchers have discovered 14 critical vulnerabilities in a popular program used in embedded Linux applications. All of them allow for denial of service, and 10 also enable remote code execution, they said.

One of the flaws also could allow devices to leak info, according to researchers from JFrog Security and Claroty Research, in a report shared with Threatpost on Tuesday.

Shachar Menashe, senior director of security research for JFrog, partnered with Vera Mens, Uri Katz, Tal Keren and Sharon Brizinov of Claroty Research on the report.

The discovery of the flaws is significant because of the proliferation of BusyBox not just in the embedded Linux world, but also in numerous Linux applications outside of devices, Menashe said in an email to Threatpost.

The good news for the security of devices using BusyBox is that generally the vulnerabilities require a bit of effort to exploit, researchers reported.

Overall, 40 percent of the firmware using BusyBox that researchers inspected included a BusyBox executable file linked with one of the affected applets, making the problem "extremely widespread among Linux-based embedded firmware," they wrote.


News URL

https://threatpost.com/busybox-security-bugs-linux-devices/176098/

Related vendor

LAST 12M

| VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|
| Linux | 11 | 64 | 2337 | 1502 | 67 | 3970 |
| Busybox | 1 | 0 | 13 | 20 | 4 | 37 |