JFrog and Claroty cybersecurity experts revealed yesterday the discovery of 14 new critical vulnerabilities in the BusyBox Linux utility. If exploited, they could allow denial-of-service (DoS) and, in some instances, information leaks and Remote Code Execution (RCE).

According to the researchers, all the flaws have a medium risk score and are unlikely to be used for nefarious purposes.

Dubbed “the Swiss Army Knife of Embedded Linux,” BusyBox is a software suite used by many of the world’s leading operational technology (OT) and internet of things (IoT) devices, including popular programmable logic controllers (PLCs), human-machine interfaces (HMIs) and remote terminal units (RTUs).

As explained by JFrog, BusyBox is:

a software suite of many useful Unix utilities, known as applets, that are packaged as a single executable file. Within BusyBox you can find a full-fledged shell, a DHCP client/server, and small utilities such as cp, ls, grep, and others.

The finding of the flaws is important due to the widespread use of BusyBox not only in the embedded Linux community but also in countless Linux applications used outside of devices. Researchers recommend that security teams address these weaknesses as soon as possible.

These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable. However, the good news for the security of devices using BusyBox is that generally the vulnerabilities require a bit of effort to exploit.”


According to JFrog and Claroty joint report, the security weaknesses, tracked from CVE-2021-42373 through CVE-2021-42386, impact multiple versions of BusyBox varying from 1.16-1.33.1, depending on the bug.

Here is a list of the vulnerabilities and the applets they affect:

  • man- CVE-2021-42373
  • lzma/unlzma- CVE-2021-42374
  • ash- CVE-2021-42375
  • hush- CVE-2021-42376, CVE-2021-42377
  • awk- CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386

As explained by researchers, because the applets are not daemons, every vulnerability can only be abused if the vulnerable applet is provided with untrusted data, usually via a command-line argument.

Successful exploitation of the bugs could lead to denial-of-service attacks, sensitive information disclosure, and possibly remote code execution.

To assess the threat level posed by these vulnerabilities, we inspected JFrog’s database of more than 10,000 embedded firmware images (composed of only publicly available firmware images, and not ones uploaded to JFrog Artifactory).

We found that 40% of them contained a BusyBox executable file that is linked with one of the affected applets, making these issues extremely widespread among Linux-based embedded firmware.


The researchers noted that while DoS security flaws are easier to abuse, their impact is typically reduced by the fact that applets almost always operate as a completely separate forked process.

They also stated that almost all RCE vulnerabilities, especially those found in the “awk” applet, are difficult to exploit because “it is quite rare (and inherently unsafe) to process an awk pattern from external input.”

In order to prevent hackers from exploiting any of the vulnerabilities, Shachar Menashe, senior director of security research at JFrog, advised that devices using BusyBox be updated to the most recent version and that developers make sure that none of the impacted applets are used.

How to Stay Safe Using Heimdal™?

With HeimdalTM Security’s patch management software, you can achieve compliance, mitigate exploits, close vulnerabilities, deploy updates, and install software anywhere in the world, and according to any schedule. Our tool covers both Windows and 3rd party application management and comes with customizable set-and-forget settings for automatic deployment of software and updates.

Not only that, but we also provide you with fully tested, repackaged, and ad-free updates using encrypted packages inside HTTPS transfers locally to your endpoints.

By efficiently managing vulnerabilities, you will demonstrate a high ROI within a short timeframe by gaining the ability to become resistant to vulnerabilities and gain a brand new and improved cybersecurity posture.

Heimdal Official Logo
Automate your patch management routine.

Heimdal® Patch & Asset Management Software

Remotely and automatically install Windows, Linux and 3rd party application updates and manage your software inventory.
  • Schedule updates at your convenience;
  • See any software assets in inventory;
  • Global deployment and LAN P2P;
  • And much more than we can fit in here...
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

What Is Patch Management? Definition, Importance, Key Steps, and Best Practices

Newly Discovered Malware Infects Linux Systems

DDoS Attack. How Distributed Denial of Service Works and How to Prevent It

Leave a Reply

Your email address will not be published. Required fields are marked *