CVE-2021-42377
📋 TL;DR
CVE-2021-42377 is a critical vulnerability in BusyBox's hush shell applet where an attacker-controlled pointer free leads to denial of service and potential remote code execution when processing a crafted shell command containing the '&&&' string. This affects any system using vulnerable versions of BusyBox's hush shell, particularly embedded devices, routers, and IoT systems. Attackers could exploit this to crash systems or execute arbitrary code.
💻 Affected Systems
- BusyBox
📦 What is this software?
Busybox by Busybox
Fedora by Fedoraproject
Solidfire by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root privileges leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Denial of service causing system crashes and instability, with potential for limited code execution in specific configurations.
If Mitigated
Contained impact with proper input validation and privilege separation, resulting in isolated process crashes without system-wide effects.
🎯 Exploit Status
Exploitation requires ability to inject shell commands containing '&&&' string. Public proof-of-concept demonstrates denial of service. Remote code execution requires specific memory layout conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BusyBox 1.34.0 and later
Vendor Advisory: https://git.busybox.net/busybox/commit/?id=bd4c3a8a0b9c0c2c810b4c2aad372e7c6a8c9c7f
Restart Required: Yes
Instructions:
1. Update BusyBox to version 1.34.0 or later.
2. Rebuild and redeploy affected systems.
3. Restart services using BusyBox.
4. Verify the fix by testing with vulnerable command patterns.
🔧 Temporary Workarounds
Disable hush shell
Platform: Linux. Replace the BusyBox hush shell with an alternative shell (ash, bash) if one is available on the system.
update-alternatives --config sh
ln -sf /bin/bash /bin/sh
Input filtering
Platform: all. Filter or sanitize shell command input to block '&&&' sequences.
sed -i 's/&&&//g' input_file
Validate input for shell metacharacters before it reaches any shell.
🧯 If You Can't Patch
- Implement strict input validation to block shell metacharacters and '&&&' sequences
- Use privilege separation and run BusyBox processes with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Test with command: busybox sh -c 'echo test &&& echo test'. If system crashes or shows abnormal behavior, it's vulnerable.
Check Version:
busybox --help | head -1 | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+'
Verify Fix Applied:
After patching, run the same test command. System should handle it normally without crashes.
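The version check above can be turned into a repeatable script. The following is an added example, not part of the advisory: it parses the dotted version out of the banner that `busybox --help` prints and compares it against 1.34.0, the first release the advisory names as fixed. The banner strings used for testing are constructed; the comparison assumes the usual three-part BusyBox version number.

```shell
#!/bin/sh
# Added example (not from the advisory): parse the BusyBox version from the
# `busybox --help` banner and compare it with the first fixed release.
# Banner lines used in tests are constructed, not captured from a device.

FIXED_VERSION="1.34.0"   # first release carrying the hush fix, per the advisory

# Print the first dotted x.y.z version found in a banner line such as
# "BusyBox v1.33.1 (2021-06-30 12:00:00 UTC) multi-call binary."
busybox_version_from_banner() {
    printf '%s\n' "$1" | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+' | head -n 1
}

# Exit 0 if dotted version $1 is strictly lower than $2 (three components
# assumed; a missing component counts as 0).
version_lt() {
    lhs=$1
    rhs=$2
    i=1
    while [ "$i" -le 3 ]; do
        l=$(printf '%s' "$lhs" | cut -d. -f"$i")
        r=$(printf '%s' "$rhs" | cut -d. -f"$i")
        if [ "${l:-0}" -lt "${r:-0}" ]; then return 0; fi
        if [ "${l:-0}" -gt "${r:-0}" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Exit 0 when the given BusyBox version predates the fix for CVE-2021-42377.
busybox_needs_patch() {
    version_lt "$1" "$FIXED_VERSION"
}

# When run directly on a host that has BusyBox, report its status.
if command -v busybox >/dev/null 2>&1; then
    installed=$(busybox_version_from_banner "$(busybox --help 2>&1 | head -n 1)")
    if [ -z "$installed" ]; then
        echo "could not parse a version from the busybox banner"
    elif busybox_needs_patch "$installed"; then
        echo "BusyBox $installed predates $FIXED_VERSION: hush fix for CVE-2021-42377 not present"
    else
        echo "BusyBox $installed is at or above $FIXED_VERSION"
    fi
fi
```

Run the script on the device itself (or against a firmware image's busybox binary) and treat a "predates" result as a prompt to rebuild with 1.34.0 or later; a version check alone does not prove a vendor did not backport the fix, so the command-pattern test above remains the authoritative confirmation.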
📡 Detection & Monitoring
Log Indicators:
- Process crashes of busybox or hush shell
- Unusual shell command patterns containing '&&&'
- Failed authentication attempts followed by shell commands
Network Indicators:
- Unexpected shell command execution over network services
- Traffic to/from embedded devices with command injection patterns
SIEM Query:
process_name:"busybox" AND (event_type:"crash" OR command_line:"*&&&*")
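For environments without a SIEM, the same two indicators (a busybox process crash and a command line containing '&&&') can be checked directly against syslog-style output. The block below is an added example, not part of the advisory; the log lines are constructed to show the shape of a hit, and the "busybox[pid]: segfault" form follows the kernel's segfault message format.

```shell
#!/bin/sh
# Added example (not from the advisory): flag log lines matching the two
# indicators the advisory lists. The sample lines are constructed.

# Constructed sample: lines 1 and 3 should be flagged, lines 2 and 4 should not.
SAMPLE_LOG=$(cat <<'EOF'
Nov 10 12:00:01 router kernel: [ 1234.567890] busybox[1842]: segfault at 0 ip 0000000000401234 sp 00007ffd12345678 error 4 in busybox[400000+1f0000]
Nov 10 12:00:02 router dropbear[1900]: Password auth succeeded for 'admin' from 10.0.0.5:51234
Nov 10 12:00:03 router sh[1950]: cmd: echo test &&& echo test
Nov 10 12:00:04 router cron[2000]: ls -l /tmp && echo done
EOF
)

# Read log lines on stdin, print those matching either indicator:
#   - a kernel segfault record for a busybox process
#   - a command line containing the '&&&' sequence
# grep exits 1 when nothing matches; callers that only want a count use
# count_flagged, whose exit status comes from awk.
scan_busybox_log() {
    grep -E 'busybox\[[0-9]+\]: segfault|&&&'
}

# Print the number of flagged lines read from stdin.
count_flagged() {
    scan_busybox_log | awk 'END { print NR }'
}

# Stand-alone run: show the flagged sample lines and their count.
printf '%s\n' "$SAMPLE_LOG" | scan_busybox_log
printf 'flagged: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_flagged)"
```

On a real device, feed the script with `logread` or `/var/log/messages` output; a '&&&' hit is a prompt to inspect the source of the command, while a lone busybox segfault without the pattern may simply be an unrelated crash.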
🔗 References
- https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog
- https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
- https://security.netapp.com/advisory/ntap-20211223-0002/