JFrog Security Research

XRAY-189473 - BusyBox ash DoS

CVE-2021-42375 | CVSS 5.5

JFrog Severity: medium

Published 9 Nov. 2021 | Last updated 9 Nov. 2021

Incorrect handling of a special element in BusyBox ash leads to denial of service when processing malformed command line arguments.

BusyBox

BusyBox [1.33.0, 1.33.1], fixed in 1.34.0

The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.

Incorrect handling of a special element in ash leads to denial of service when processing a crafted shell command, because the shell mistakes specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input. An attacker who controls ash command line arguments can trigger this issue.

No PoC is supplied for this issue.

No vulnerability mitigations are supplied for this issue.
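
To find builds that fall in the affected range listed above and include the ash applet, the following check can be run over a BusyBox banner and applet list. It is an added example, not code from JFrog or the BusyBox project; the function names, status strings and sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not JFrog or BusyBox code): classify a BusyBox build against
# the range in this advisory: 1.33.0 and 1.33.1 affected, fixed in 1.34.0.
# On a device, collect the inputs with:
#   banner=$(busybox 2>&1 | head -n 1); applets=$(busybox --list)

# Print MAJOR.MINOR.PATCH from a banner such as
# "BusyBox v1.33.1 (2021-05-03 10:00:00 UTC) multi-call binary."
# Vendor suffixes after the patch number are ignored.
bb_version() {
    printf '%s\n' "$1" |
        sed -n 's/^BusyBox v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# $1 = banner text, $2 = applet list, one name per line.
# Prints: affected | verify-sh | no-ash | outside-range | unknown
bb_cve_2021_42375_status() {
    ver=$(bb_version "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    case "$ver" in
        1.33.0|1.33.1) ;;                      # range listed in the advisory
        *) echo outside-range; return 0 ;;
    esac
    if printf '%s\n' "$2" | grep -qx ash; then
        echo affected                          # ash applet present, in range
    elif printf '%s\n' "$2" | grep -qx sh; then
        echo verify-sh                         # sh may be ash or hush; check the build config
    else
        echo no-ash                            # in range, but no shell applet built in
    fi
}

# Constructed sample inputs (not captured from a real device).
sample_banner='BusyBox v1.33.1 (2021-05-03 10:00:00 UTC) multi-call binary.'
sample_applets='ash
cat
ls
sh'
echo "sample build: $(bb_cve_2021_42375_status "$sample_banner" "$sample_applets")"
```

Builds reported as `affected` or `verify-sh` are candidates for an upgrade to 1.34.0, the fixed version named in this advisory.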

(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog

NVD