Researchers from the companies Claroty and JFrog Published The Safety Audit Results of the BUSYBOX package, widely used in the embedded devices and offering a set of standard UNIX utilities, designed as a single executable file. During the audit, 14 vulnerabilities were revealed, which were already eliminated in the August BusyBox 1.34 issue. Almost all problems are not harassable and doubtful in terms of use in real attacks, as they require the launch of utilities with the resulting arguments.
Separately, the Vulnerability of CVE-2021-42374, which allows you to call a refusal to maintain when processing a specially decorated compressed file of the UnlZMA utility, and in the case of assembly with the config_feature_seamless_lzma options, also any other components of BusyBox, including TAR, UNZIP, RPM, DPKG, LZMA and MAN.
CVE-2021-42373 vulnerabilities, CVE-2021-42375, CVE-2021-42376 and CVE-2021-42377 allow you to cause a refusal to maintain, but require the launch of MAN, ASH and HUSH utilities with parameters specified by the attacker.
Vulnerabilities with CVE-2021-42378 CVE-2021-42386 affect the AWK utility and can potentially lead to the start of the code, but for this attacking it is required to perform a specific template in AWK (you need to start the AWK with the transmission in the first argument of the command line of the data received from Attacking).
Additionally, you can also note Vulnerability (CVE-2021-43523) UCLIBC and UCLIBC-NG libraries associated with the fact that when accessing GethostByname (), GetAddrinfo (), GetHostByaddr () and GetNameInfo () and GetNameInfo () () and getnameinfo (). For example, in response to a specific resolution request, the DNS server attacker can return the hosts of the type “.attacker.com” and they will be represented as a program that can be displayed without cleaning their web interface. The problem is eliminated in the UCLIBC-NG 1.0.39 release via Adding code to verify the correctness of the returned domain names, implemented by analogy with GLIBC.