The IoT security world got a big lift on Tuesday when researchers reported that they had found 14 new vulnerabilities in BusyBox, a software suite of Unix utilities that underpins many popular programmable logic controllers, human machine interfaces, and remote terminal units — many of which now run on Linux.
In a blog post, researchers from Claroty’s Team82 and JFrog said all the vulnerabilities were privately disclosed and fixed by BusyBox in its version 1.34.0, which was released Aug. 19.
The researchers said companies can potentially expect denial of service (DoS) attacks, but in rarer cases, these types of vulnerabilities can also lead to information leaks and remote code execution.
It’s good that Claroty and JFrog ran BusyBox through the wringer, said Bill Lawrence, chief information security officer at Security Gate. Lawrence said equipment buyers should look for these types of security-related efforts and pay attention to the production companies that heed security researcher efforts and quickly fix the vulnerabilities. However, Lawrence questioned just how many other software suites come without such a rigorous dissection in a lab run by experts, either their own or a third party.
“Fortunately, more and more software providers are providing software bills of materials which allow the consumer to know the ingredients, as well as have a better way to track CVSS releases back to code in their environments,” said Lawrence. “Microsoft has committed to using SBOMs across their empire, and at several stages in the development process. That type of practice would most likely ferret out a SolarWinds-type of attack where adversaries broke into their systems, creatively added malicious code to the production process, and watched while that code was pushed out to unsuspecting, trusting clients. SBOMs should catch the code injections.”
In pointing out the widespread use of BusyBox in IoT devices, Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, said these vulnerabilities could make life difficult for anyone running a version older than the updated 1.34 release, or who cannot use the suggested workarounds for versions before 1.33.1.
“IoT devices can be problematic because vendor-specific builds may not always be upgradeable, or there’s no means for users to update the software, often due to operating systems being hardcoded into the device,” Nikkel said. “As we've seen in the past, IoT and OT devices can be targeted for use in botnets like with the Mirai, Mozi, and Meris botnets that harnessed thousands to millions of vulnerable devices for use in DDoS attacks.”
Doug Britton, CEO at Haystack Solutions, said open and highly configurable software tools like BusyBox are an awesome resource, but with this level of functionality, we need to give serious consideration to anticipating the impact of bad actors.
“As tools like this scale they need to emphasize cybersecurity measures and invest in a cyber team,” Britton said. “One bad breach can seriously impact growth, scaling and widespread adoption. We have the tools to find cybertalent. BusyBox and other market leaders need to invest in high-caliber cyber teams to help ensure their products are robust and secure.”
Saryu Nayyar, CEO, added that the research by Claroty and JFrog shows that bad actors don’t need a PC to do malicious things on a network, and that IoT networks are in many cases just as vulnerable as enterprise networks.
“It’s fortunate that these vulnerabilities were found by researchers, who reported them directly to BusyBox, which was able to fix them before they did any harm,” Nayyar said. “Every software provider should be that fortunate.”
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, added that software tools such as BusyBox are invaluable to Linux administrators and production support teams, just as Microsoft’s Windows Sysinternals tools are in just about all Windows admin toolboxes. However, Everette said that, like any valuable and useful tools, threat actors can weaponize and harness them. In this latest case, threat actors have not only weaponized similar tools, but massive vulnerabilities have been found within the tools themselves.
“Best practices are to keep these types of tools removed from critical production systems and only installed and then removed immediately after the project or work that was undertaken is complete,” Everette said. “Never leave these types of tools on a system. It's like leaving your keys in the lock for your home or vehicle — you are literally handing criminals the tools they need to complete their work.”