BusyBox, often referred to as the “Swiss Army knife of embedded Linux,” is a compact suite of Unix utilities combined into a single executable. It’s widely used in small and embedded systems due to its lightweight nature. However, like any software, it is not immune to vulnerabilities. Recently, Canonical has released security updates to address several security issues in BusyBox. These vulnerabilities, if exploited, could allow an attacker to cause a denial of service or even arbitrary code execution. This article explores the details of BusyBox vulnerabilities fixed in Ubuntu and offers guidance on how to protect your systems.

BusyBox Vulnerabilities Details

CVE-2022-48174 (CVSS v3 Severity Score: 9.8 Critical)

This vulnerability stems from improper validation of user input when performing certain arithmetic operations in BusyBox. An attacker could exploit this flaw by tricking a user or an automated system into processing a specially crafted file. An attacker could use this flaw to cause a denial of service or execute arbitrary code on the affected system.

CVE-2023-42363, CVE-2023-42364, CVE-2023-42365 (CVSS v3 Severity Score: 5.5 Medium)

Three use-after-free vulnerabilities were identified in the way BusyBox manages memory when evaluating certain awk expressions. This could also allow an attacker to cause a denial of service or execute arbitrary code. However, these issues only impact Ubuntu 24.04 LTS.

Staying Secure

To protect your systems from these vulnerabilities, it’s crucial to update BusyBox to the latest patched version. Canonical has released updates for Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS to address these issues.

Users of Ubuntu 16.04 and 18.04 should be aware that CVE-2022-48174 affects these older versions as well. However, since these versions have reached their end of life, they no longer receive free security updates from Canonical.

For organizations still relying on outdated Ubuntu versions, TuxCare’s Extended Lifecycle Support (ELS) offers a cost-effective solution to maintain security and stability. TuxCare’s ELS provides up to five additional years of security patching for Ubuntu 16.04 and Ubuntu 18.04 beyond the official EOL date. This service covers over 140 packages, including Linux kernel, BusyBox, Python, OpenSSL, glibc, and OpenJDK.

The ELS team has already released patches for CVE-2022-48174 across multiple Linux distributions, including CentOS 6, CloudLinux 6, Ubuntu 16.04, Ubuntu 18.04, and Oracle Linux 6. To stay informed about all vulnerabilities and their patch status, you can visit the CVE tracker.

Final Thoughts

By promptly applying the latest patches from Canonical or utilizing extended support services, you can protect your Ubuntu systems from potential exploits and ensure their continued reliability.

Don’t let outdated Ubuntu compromise your security. Stay protected with TuxCare’s ELS and enjoy vendor-grade security patches at an affordable price.

Source: USN-6961-1

The post Ubuntu Fixes Multiple BusyBox Vulnerabilities appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/ubuntu-fixes-multiple-busybox-vulnerabilities/