Multiple BusyBox Security Bugs Threaten Embedded Linux Devices

Researchers discovered 14 vulnerabilities in the ‘Swiss Army Knife’ of the embedded OS used in many OT and IoT environments. They allow RCE, denial of service and data leaks.

Researchers have discovered 14 critical vulnerabilities in a popular program used in embedded Linux applications. All 14 allow for denial of service (DoS), and 10 of them also enable remote code execution (RCE), they said.

One of the flaws also could allow devices to leak info, according to researchers from JFrog Security and Claroty Research, in a report shared with Threatpost on Tuesday.

The two firms teamed up to take a deeper dive into BusyBox, a software suite used by many of the world’s leading operational technology (OT) and internet of things (IoT) devices—such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) and remote terminal units (RTUs). Shachar Menashe, senior director security research for JFrog, partnered with Vera Mens, Uri Katz, Tal Keren and Sharon Brizinov of Claroty Research on the report.

Touted as a “Swiss Army Knife” of embedded Linux, BusyBox consists of useful Unix utilities, called applets, that are packaged as a single executable. The program includes a full-fledged shell, a DHCP client/server, and

Read More: https://threatpost.com/busybox-security-bugs-linux-devices/176098/