Multiple BusyBox Security Bugs Threaten Embedded Linux Devices


Researchers have discovered 14 critical vulnerabilities in a popular program used in embedded Linux applications, all of which allow for denial of service (DoS) and 10 that also enable remote code execution (RCE), they said.

One of the flaws also could allow devices to leak info, according to researchers from JFrog Security and Claroty Research, in a report shared with Threatpost on Tuesday.

The two firms teamed up to take a deeper dive into BusyBox, a software suite used by many of the world’s leading operational technology (OT) and internet of things (IoT) devices—such as programmable logic controllers (PLCs), human-machine interfaces (HMIs) and remote terminal units (RTUs). Shachar Menashe, senior director security research for JFrog, partnered with Vera Mens, Uri Katz, Tal Keren and Sharon Brizinov of Claroty Research on the report.

Read more…
Source: ThreatPost