Major security issues found in top Linux program for embedded devices

An image of security icons for a network encircling a digital blue earth.
(Image credit: Shutterstock)

Cybersecurity researchers have discovered 14 critical vulnerabilities in BusyBox, marketed as the Swiss Army Knife of embedded Linux.

BusyBox is one of the most widely used Linux software suites, and many of the world’s leading operational technology (OT) and Internet of Things (IoT) devices run BusyBox.

Some of the threats could have resulted in denial of service (DoS) attacks in exploited, and in rarer cases, could also lead to information leaks and possibly remote code execution.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“These new vulnerabilities that we've disclosed only manifest in specific cases, but could be extremely problematic when exploitable. The proliferation of BusyBox makes this an issue that needs to be addressed by security teams,” the team noted.

Assessing the damage

To assess the threat level posed by these vulnerabilities, the researchers inspected JFrog's database of more than 10,000 publicly-available embedded firmware images.

Their experiment revealed that 40% of the images contained a BusyBox executable file that was linked with one of the affected applets, leading them to conclude that the vulnerabilities are extremely widespread among Linux-based embedded firmware.

That said, the researchers shared several reasons that lead them to believe that the discovered vulnerabilities would likely not pose a critical security threat.

For starters, the researchers say that even though the DoS vulnerabilities are trivial to exploit, their impact can usually be mitigated by the fact that the affected applets almost always run as a separate forked process.

Similarly, the use-after-free vulnerabilities may be exploitable for remote code execution, but the researchers didn’t not attempt to create a weaponized exploit for them. Finally, the information leak vulnerability is nontrivial to exploit. 

The researchers note that all 14 vulnerabilities have been fixed in BusyBox 1.34.0 as they urge companies to upgrade their BusyBox deployments, or at least ensure that they aren’t using any of the affected applets.

Prevent information leaks with the help of one of these best firewall apps and services, and ensure your computers are running these best endpoint protection tools to add another layer of defense against cyber-attacks.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.