BusyBox Security Analysis Reveals 14 Minor Vulnerabilities

Researchers from Claroty and JFrog have published the results of a security audit of BusyBox, the package widely used in embedded devices that bundles a set of standard UNIX utilities into a single executable. The audit identified 14 vulnerabilities, all of which were already fixed in the August release of BusyBox 1.34. Almost all of the problems are minor and of doubtful use in real attacks, since they require the utilities to be run with attacker-supplied arguments.

The one vulnerability that stands somewhat apart is CVE-2021-42374, a denial of service triggered when the unlzma utility processes a specially crafted compressed file; in builds with the CONFIG_FEATURE_SEAMLESS_LZMA option enabled, it is also reachable through other BusyBox components, including tar, unzip, rpm, dpkg, lzma and man.

Vulnerabilities CVE-2021-42373, CVE-2021-42375, CVE-2021-42376 and CVE-2021-42377 can cause a denial of service, but require running the man, ash and hush utilities with attacker-specified parameters. Vulnerabilities CVE-2021-42378 through CVE-2021-42386 affect the awk utility and could potentially lead to code execution, but only if the attacker can get a specific pattern executed in awk, i.e. awk must be run on attacker-supplied data.

Separately, a vulnerability (CVE-2021-43523) in the uclibc and uclibc-ng libraries is worth noting: the gethostbyname(), getaddrinfo(), gethostbyaddr() and getnameinfo() functions neither validate nor sanitize the domain name returned by the DNS server. For example, in response to a resolution request, a DNS server controlled by an attacker can return a host name such as " alert('xss') .attacker.com", and it will be passed unchanged to a program that may display it, without sanitization, in a web interface. The problem was fixed in uclibc-ng 1.0.39 by adding a check on the correctness of returned domain names, implemented similarly to glibc.
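To make the defensive side of this concrete, the following is an added example (not code from uclibc-ng, glibc or the article) of the kind of host name validation a resolver can apply to names coming back from a DNS server before handing them to the caller. The rules it enforces are assumptions modelled on the conventional host name syntax (labels of letters, digits and interior hyphens or underscores, length limits, one optional trailing dot); the function names `hostname_ok` and `copy_checked_hostname` are hypothetical. Names like the one quoted above fail the check because a label may not contain quotes or parentheses.

```c
/* Added example: validate a host name returned by a resolver.
 * Rules assumed here (not uclibc-ng's or glibc's exact code):
 *   - total name length 1..253 characters, each label 1..63 characters
 *   - a label starts and ends with a letter or digit
 *   - interior label characters are letters, digits, '-' or '_'
 *   - a single trailing '.' (fully qualified form) is accepted
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME_LEN  253
#define MAX_LABEL_LEN 63

/* Characters allowed at the first and last position of a label. */
static int is_border(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Characters allowed strictly inside a label. */
static int is_middle(unsigned char c)
{
    return is_border(c) || c == '-' || c == '_';
}

/* Returns 1 if `name` is a syntactically valid host name, 0 otherwise. */
int hostname_ok(const char *name)
{
    if (name == NULL)
        return 0;
    size_t len = strlen(name);
    if (len == 0)
        return 0;
    if (name[len - 1] == '.')          /* accept exactly one trailing dot */
        len--;
    if (len == 0 || len > MAX_NAME_LEN)
        return 0;

    size_t label_start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || name[i] == '.') {
            size_t label_len = i - label_start;
            if (label_len == 0 || label_len > MAX_LABEL_LEN)
                return 0;              /* empty ("a..b") or oversize label */
            if (!is_border((unsigned char)name[label_start]))
                return 0;              /* e.g. leading '-' */
            if (!is_border((unsigned char)name[i - 1]))
                return 0;              /* e.g. trailing ')' or '-' */
            for (size_t j = label_start + 1; j + 1 < i; j++)
                if (!is_middle((unsigned char)name[j]))
                    return 0;          /* quotes, spaces, '<', '>' ... */
            label_start = i + 1;
        }
    }
    return 1;
}

/* Where the check belongs: only copy a resolver-returned name to the
 * caller's buffer once it has passed validation. Returns 0 on success,
 * -1 if the name is rejected or does not fit. */
int copy_checked_hostname(const char *from_dns, char *out, size_t out_len)
{
    if (!hostname_ok(from_dns))
        return -1;
    size_t n = strlen(from_dns);
    if (n + 1 > out_len)
        return -1;
    memcpy(out, from_dns, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample answers, as a DNS server might return them. */
    const char *samples[] = {
        "www.example.com", "host-1.example.com.", "a.b-c_d.com",
        "alert('xss').attacker.com", "-bad.example.com", "a..b", ""
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s %s\n", samples[i],
               copy_checked_hostname(samples[i], buf, sizeof buf) == 0
                   ? "accepted" : "rejected");
    return 0;
}
```

The point of the wrapper is that validation sits in the resolver path itself, so every caller of gethostbyname()-style functions benefits without needing to sanitize the name again before logging or rendering it.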

Source: opennet.ru
