CVE-2021-42385
📋 TL;DR
CVE-2021-42385 is a use-after-free vulnerability in BusyBox's awk applet that can be triggered by processing a specially crafted awk pattern. This vulnerability allows denial of service and potentially remote code execution. Systems using vulnerable BusyBox versions with awk functionality are affected, particularly embedded devices, routers, and Linux distributions that include BusyBox.
💻 Affected Systems
- BusyBox
📦 What is this software?
Busybox by Busybox
Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the BusyBox process, potentially leading to full system compromise.
Likely Case
Denial of service through application crash, disrupting services that rely on BusyBox awk functionality.
If Mitigated
Limited impact if proper input validation and sandboxing are implemented, with only service disruption possible.
🎯 Exploit Status
Exploitation requires crafting specific awk patterns and getting them processed by vulnerable BusyBox instances. Public proof-of-concept demonstrates crash/DoS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BusyBox 1.35.0 and later
Vendor Advisory: https://git.busybox.net/busybox/commit/?id=bd4c4a9d6c7b0cac3657566944efda6c2c5b5f7a
Restart Required: No
Instructions:
1. Update BusyBox to version 1.35.0 or later.
2. Recompile if using custom builds.
3. Replace the existing BusyBox binary with the patched version.
4. Test awk functionality after the update.
🔧 Temporary Workarounds
Disable awk applet
Platform: linux
Remove or disable awk functionality from the BusyBox build
Recompile BusyBox without awk support: make menuconfig (deselect awk)
Input validation
Platform: all
Validate awk patterns before processing
Implement input sanitization for awk pattern inputs in applications
🧯 If You Can't Patch
- Restrict access to systems using BusyBox awk to trusted users only
- Implement network segmentation to limit exposure of vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check BusyBox version (matches 1.30 through 1.34 in the banner; escaped dots so a stray digit cannot satisfy the pattern): busybox --version | grep -qE 'v1\.3[0-4]\.' && echo 'VULNERABLE'
Check Version:
busybox --version
Verify Fix Applied:
Verify version is 1.35.0 or later (matches 1.35 through 1.39 and 1.4x and above): busybox --version | grep -qE 'v1\.(3[5-9]|[4-9][0-9]?)\.' && echo 'PATCHED'
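The grep one-liners above only pattern-match digits, so a banner such as "BusyBox v1.2x" is neither flagged nor cleared. The script below is an added example, not part of this advisory or of the BusyBox project: it extracts the dotted version from the banner line BusyBox prints and compares it field by field against the fix version the advisory states (1.35.0). The banner strings are constructed for illustration; the function names and the FIX_VERSION variable are this example's own.

```shell
#!/bin/sh
# Added example: numeric BusyBox version check for CVE-2021-42385.
# FIX_VERSION is taken from the advisory's "Patch Version" entry.
FIX_VERSION="1.35.0"

# Pull "MAJOR.MINOR[.PATCH]" out of a banner such as
# "BusyBox v1.34.1 (2021-09-14 12:00:00 UTC) multi-call binary."
# Prints nothing if the line is not a BusyBox banner.
busybox_version_from_banner() {
    printf '%s\n' "$1" \
      | sed -n 's/^BusyBox v\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' \
      | head -n 1
}

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Fields are compared as integers; a missing field counts as 0,
# so "1.35" and "1.35.0" compare equal.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$1" | cut -s -d. -f"$i")
        b=$(printf '%s\n' "$2" | cut -s -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Classify one banner line. Prints PATCHED (exit 0), VULNERABLE (exit 1)
# or UNKNOWN (exit 2) when no version could be parsed, so the result is
# usable both in scripts and by eye.
busybox_status() {
    v=$(busybox_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN; return 2
    fi
    if version_ge "$v" "$FIX_VERSION"; then
        echo PATCHED; return 0
    fi
    echo VULNERABLE; return 1
}

# Demonstration on a constructed banner (a live host would instead pass
# the first line BusyBox prints when run without an applet name:
#   busybox_status "$(busybox 2>&1 | head -n 1)"  ).
SAMPLE_BANNER='BusyBox v1.34.1 (2021-09-14 12:00:00 UTC) multi-call binary.'
busybox_status "$SAMPLE_BANNER" || :
```

The parse step is deliberately strict about the "BusyBox v" prefix: on a host where the busybox binary is missing or is a wrapper, the function reports UNKNOWN rather than silently reporting PATCHED because no vulnerable digits were seen.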
📡 Detection & Monitoring
Log Indicators:
- BusyBox crash logs
- Segmentation fault errors involving awk
- Unexpected process termination of BusyBox
Network Indicators:
- Unusual network traffic to services using BusyBox awk
- Patterns containing crafted awk syntax in inputs
SIEM Query:
process.name:"busybox" AND (event.action:"crashed" OR error.message:"segmentation fault")
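For hosts that do not ship logs to a SIEM, the same log indicators can be checked locally. The script below is an added example, not part of this advisory: it filters syslog/dmesg-style lines for kernel segfault records attributed to the busybox binary or its awk applet and extracts the applet name and PID for triage. The log lines are constructed for illustration and the function names are this example's own.

```shell
#!/bin/sh
# Added example: local detection of BusyBox/awk crash records
# (the advisory's "Log Indicators"), run over constructed sample lines.

SAMPLE_LOG='Nov 10 12:00:01 gw kernel: awk[1234]: segfault at 0 ip 00007f3a9c0b1234 sp 00007ffd1c2e3f40 error 4 in busybox[400000+e1000]
Nov 10 12:00:05 gw crond[200]: (root) CMD (/bin/sh /etc/periodic/stat.sh)
Nov 10 12:00:09 gw kernel: busybox[1300]: segfault at 10 ip 00007f3a9c0b5678 sp 00007ffd1c2e3f40 error 4 in busybox[400000+e1000]
Nov 10 12:01:00 gw sshd[310]: Accepted publickey for admin from 10.0.0.5'

# Pass through only lines that look like a crash of busybox or awk:
# kernel "segfault at" records, "Segmentation fault" messages, and
# general protection faults naming either process.
busybox_crash_lines() {
    grep -Ei '(busybox|awk)\[[0-9]+\]: (segfault at|segmentation fault)|general protection fault.*(busybox|awk)\['
}

# Reduce each crash line to "<applet> <pid>" so repeated crashes of the
# same process (a sign of a fuzzing or repeated-trigger attempt) are easy
# to spot with sort | uniq -c.
busybox_crash_pids() {
    busybox_crash_lines \
      | sed -E 's/.*(busybox|awk)\[([0-9]+)\]: (segfault at|[Ss]egmentation fault).*/\1 \2/'
}

# Count crash lines in the text given as $1; prints 0 when none match.
busybox_crash_count() {
    printf '%s\n' "$1" | busybox_crash_lines | grep -c . || :
}

# Demonstration on the constructed sample; a live host would use e.g.
#   dmesg | busybox_crash_pids | sort | uniq -c
printf '%s\n' "$SAMPLE_LOG" | busybox_crash_pids || :
```

A single segfault is not proof of exploitation, but awk is rarely a crashing process on a healthy embedded system, so even one such record on an unpatched host is worth correlating with the input that awk was processing at the time.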
🔗 References
- https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog
- https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
- https://security.netapp.com/advisory/ntap-20211223-0002/
- https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html