CVE-2021-42377 — Free of Memory not on the Heap in Busybox

CWE-590 — Free of Memory not on the Heap CWE-763 — Release of Invalid Pointer or Reference CWE-20 — Improper Input Validation8 documents6 sources

Severity

9.8CRITICALNVD

EPSS

2.9%

top 13.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Fedoraproject Fedora

Timeline

PublishedNov 15

Latest updateJun 15

Description

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/busybox< busybox 1:1.35.0-1 (bookworm)

▶CVEListV5busybox/busyboxunspecified — 1.34.0

▶Debianbusybox/busybox< 1:1.35.0-1+2

▶NVDbusybox/busybox1.33.0, 1.33.1+1

Also affects: Fedora 33, 34

🔴Vulnerability Details

GHSA

GHSA-phvg-gc27-gjwp: An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell co↗2022-05-24

▶

OSV

CVE-2021-42377: An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell co↗2021-11-15

▶

📋Vendor Advisories

CISA ICS

Siemens SIMATIC S7-1500 TM MFP BIOS↗2023-06-15

▶

CISA ICS

Siemens SCALANCE Third-Party↗2023-03-21

▶

CISA ICS

Siemens SCALANCE, RUGGEDCOM Third-Party↗2023-03-16

▶

Red Hat

busybox: an attacker-controlled pointer free in hush applet leads to denial of service and possible code execution when processing a crafted shell command↗2021-11-09

▶

Debian

CVE-2021-42377: busybox - An attacker-controlled pointer free in Busybox's hush applet leads to denial of ...↗2021

▶