"BusyBox Flaws Highlight Need for Consistent IoT Updates"

Researchers from the DevOps specialist company JFrog and the industrial cybersecurity company Claroty detailed 14 vulnerabilities found in BusyBox, a userspace tool used in millions of embedded devices that run Linux-based firmware. BusyBox is a software utilities suite often described as the Swiss army knife of embedded Linux: it contains implementations of the most common Linux command-line tools, along with a shell and a DHCP client and server, all packaged as a single binary. In their report, the JFrog researchers emphasized that many OT and IoT devices are likely to run BusyBox, including popular Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and Remote Terminal Units (RTUs). Using static and dynamic analysis techniques, the researchers found vulnerabilities in several BusyBox applets, such as man (manual pages), ash (shell), hush (shell), awk (text manipulation/scripting), and more. Exploiting these vulnerabilities could cause Denial-of-Service (DoS) conditions on PLCs and other devices found in OT environments, potentially disrupting critical industrial processes. Beyond DoS, the vulnerabilities could also lead to Remote Code Execution (RCE) and information leaks. Firmware developers are urged to upgrade to BusyBox 1.34.0, which fixes the flaws. Where that is not possible because of compatibility issues, earlier versions can be compiled without the vulnerable applets as a workaround. This article continues to discuss the findings surrounding the BusyBox flaws as well as the importance of regular updates for IoT and OT devices.
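As an added example (not code from the CSO Online article, the JFrog/Claroty report, or the BusyBox project), the POSIX shell script below shows how an auditor might triage a device using the two facts the summary turns on: the BusyBox version banner (the first line printed by running `busybox` with no arguments) and the built-in applet list (the output of `busybox --list`). A build is flagged when its version is below 1.34.0 and it still ships one of the applets the report names (man, ash, hush, awk; the report's "and more" means this list is incomplete, so a clean result here is not proof of safety). The banner and applet list in the script are constructed sample data, not output captured from a real device.

```shell
#!/bin/sh
# Added example; not from the article, the JFrog/Claroty report, or BusyBox itself.
# Flags BusyBox builds older than 1.34.0 that still include an applet the
# report names. Numeric version comparison is used on purpose: a plain string
# compare would rank "1.9.0" above "1.34.0".

FIXED_VERSION="1.34.0"
# Applets the article names as affected. The report says "and more", so this
# list is deliberately partial and only catches the applets named on the page.
REPORTED_APPLETS="man ash hush awk"

# Extract "1.33.1" from a banner such as
# "BusyBox v1.33.1 (2021-03-05 12:00:00 UTC) multi-call binary."
# Prints nothing if the line is not a BusyBox banner.
busybox_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 is strictly older than $2.
# Missing fields are treated as 0, so "1.34" equals "1.34.0".
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        f1=$(printf '%s' "$1" | cut -d. -f"$i")
        f2=$(printf '%s' "$2" | cut -d. -f"$i")
        f1=${f1:-0}
        f2=${f2:-0}
        if [ "$f1" -lt "$f2" ]; then return 0; fi
        if [ "$f1" -gt "$f2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# $1: banner line, $2: applet list (one name per line, as `busybox --list` prints).
# Returns 0 when the build is older than 1.34.0 AND ships a reported applet,
# 1 when it is fixed or none of the reported applets is built in,
# 2 when the banner cannot be parsed.
assess_busybox() {
    banner=$1
    applets=$2
    ver=$(busybox_version "$banner")
    if [ -z "$ver" ]; then
        echo "unrecognized banner: $banner" >&2
        return 2
    fi
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "BusyBox $ver: at or above $FIXED_VERSION, fixed build"
        return 1
    fi
    found=""
    for a in $REPORTED_APPLETS; do
        if printf '%s\n' "$applets" | grep -qx "$a"; then
            found="$found $a"
        fi
    done
    if [ -z "$found" ]; then
        echo "BusyBox $ver: older than $FIXED_VERSION, but none of ($REPORTED_APPLETS) is built in"
        return 1
    fi
    echo "BusyBox $ver: older than $FIXED_VERSION and ships:$found"
    return 0
}

# Constructed sample data standing in for `busybox | head -1` and `busybox --list`
# collected from a device; not real captures.
SAMPLE_BANNER='BusyBox v1.33.1 (2021-03-05 12:00:00 UTC) multi-call binary.'
SAMPLE_APPLETS='ash
awk
cat
ls
sh'

assess_busybox "$SAMPLE_BANNER" "$SAMPLE_APPLETS"
```

On a real device, replace the two sample strings with `busybox | head -n 1` and `busybox --list` run on the target, and treat a "fixed build" result for a vendor-patched older version with caution: vendors sometimes backport fixes without changing the version string, and the reverse also happens, so the banner is a starting point for an inventory, not a final verdict.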

CSO Online reports "BusyBox Flaws Highlight Need for Consistent IoT Updates"

Submitted by Anonymous on