Vulnerabilities Discovered in IoT Software Suite


Claroty's Team82 and JFrog have found 14 critical vulnerabilities in the BusyBox suite of IoT tools.

IoT devices around the world (such as logic controllers, human-machine interfaces, and remote terminal units) depend on BusyBox, which is marketed as the Swiss Army Knife of Embedded Linux. BusyBox packages its tools into a single executable file, which includes a shell, a DHCP client/server, and plenty of Linux utilities (like cp, ls, and grep).

When Claroty's Team82 and JFrog collaborated on a vulnerability research project, they discovered BusyBox was rather busy with issues. The teams used both static and dynamic techniques (such as a manual top-down approach and fuzzing the daemon applets) to uncover the vulnerabilities. They found that most of the problems could easily be used to cause denial-of-service (DoS) conditions on devices. In some rare cases, however, remote code execution was possible.

Although the vulnerabilities were found and patched in August 2021, plenty of deployed IoT devices contain the vulnerable stack. If any device you develop or use includes BusyBox versions earlier than 1.34.0, it's imperative that you upgrade immediately. 
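One way to triage a device inventory against that 1.34.0 threshold is sketched below as an added example; it is not code from the article, BusyBox, Claroty, or JFrog. It assumes the usual `BusyBox vX.Y.Z (...) multi-call binary.` banner, the function names are hypothetical, and the sample banners are constructed. A vendor may backport fixes without changing the banner, so treat the result as a prompt to check, not a verdict.

```shell
#!/bin/sh
# Added example: flag BusyBox banners older than the fixed release (1.34.0).
FIXED="1.34.0"

# Extract the dotted version from a banner line; prints nothing if no match.
busybox_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when version $1 is strictly older than version $2.
# Components are compared numerically, so 1.9.2 sorts before 1.34.0.
version_lt() {
    a="$1.0.0"; b="$2.0.0"          # pad so short versions still have 3 fields
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1                         # equal versions are not "older"
}

# Print "UPGRADE <ver>", "OK <ver>" or "UNKNOWN" for one banner line.
classify_banner() {
    v=$(busybox_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_lt "$v" "$FIXED"; then
        echo "UPGRADE $v"
    else
        echo "OK $v"
    fi
}

# Constructed sample banners, as might be collected from a device fleet.
for banner in \
    "BusyBox v1.31.1 (2020-03-04 10:11:12 UTC) multi-call binary." \
    "BusyBox v1.9.2 (2008-06-01 08:00:00 UTC) multi-call binary." \
    "BusyBox v1.34.0 (2021-08-20 09:00:00 UTC) multi-call binary." \
    "Dropbear sshd v2020.81"
do
    printf '%-12s %s\n' "$(classify_banner "$banner")" "$banner"
done

# On a device itself, classify the local binary if one is on the PATH.
if command -v busybox >/dev/null 2>&1; then
    classify_banner "$(busybox 2>&1 | head -n 1)"
fi
```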

The discovered vulnerabilities can be found on the JFrog site, which lists each by CVE, description, affected applet/version, and impact.

11/11/2021