CVE-2021-42374 Overview
CVE-2021-42374 is an out-of-bounds heap read vulnerability in BusyBox's unlzma applet that leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This vulnerability can be triggered by any applet or format that internally utilizes LZMA compression, making it a significant concern for embedded systems and IoT devices where BusyBox is commonly deployed.
Critical Impact
Successful exploitation can result in information disclosure through memory leakage and denial of service conditions on affected systems, particularly impacting embedded devices and infrastructure components relying on BusyBox utilities.
Affected Products
- BusyBox (all versions prior to patch)
- Fedora 33 and 34
- NetApp Cloud Backup
- NetApp HCI Management Node
- NetApp SolidFire
- NetApp H-Series Storage Systems (H300S, H500S, H700S, H300E, H500E, H700E, H410S) and their firmware
Discovery Timeline
- 2021-11-15 - CVE-2021-42374 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2021-42374
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-bounds Read), which occurs when the software reads data past the end or before the beginning of the intended buffer. In the context of BusyBox's unlzma applet, the flaw manifests during the decompression of LZMA-compressed data.
The vulnerability requires local access to exploit, meaning an attacker would need to deliver a maliciously crafted LZMA-compressed file to the target system and have it processed by the unlzma applet or any BusyBox utility that utilizes LZMA decompression internally. The attack complexity is high due to the specific conditions required for successful exploitation.
When a specially crafted LZMA-compressed file is processed, the decompression routine reads heap memory beyond the allocated buffer boundaries. This can expose sensitive information stored in adjacent memory regions and cause the application to crash, resulting in a denial of service condition.
Root Cause
The root cause of CVE-2021-42374 lies in insufficient bounds checking within the LZMA decompression implementation in BusyBox. During the decompression process, the code fails to properly validate buffer boundaries before reading data from the heap, allowing crafted input to trigger reads outside the allocated memory region. This boundary validation failure is a common source of memory safety vulnerabilities in C-based software.
Attack Vector
The attack vector for this vulnerability is local, requiring the attacker to have the ability to provide crafted LZMA-compressed data to the target system. Exploitation scenarios include:
- File Upload Processing: Systems that accept compressed files from users and decompress them using BusyBox utilities
- Package Installation: Embedded systems that process LZMA-compressed firmware updates or packages
- Archive Extraction: Any automated process that extracts LZMA-compressed archives using BusyBox
The vulnerability is triggered when the crafted compressed data is processed by the unlzma applet or any internal BusyBox component that relies on LZMA decompression functionality. The attacker must craft specific LZMA-compressed data that causes the decompressor to read beyond allocated heap boundaries. For detailed technical analysis of the vulnerability, refer to the Claroty Team82 Research and JFrog Security Blog.
Detection Methods for CVE-2021-42374
Indicators of Compromise
- Unexpected crashes or segmentation faults in BusyBox processes during LZMA decompression operations
- Abnormal memory consumption patterns when processing compressed files
- Core dumps generated by unlzma or related BusyBox applets
- Suspicious LZMA-compressed files with malformed headers or unusual compression parameters
Detection Strategies
- Monitor for BusyBox process crashes, particularly those involving unlzma or compression-related applets
- Implement file integrity monitoring on systems using BusyBox to detect unauthorized compressed file introductions
- Deploy endpoint detection solutions capable of identifying memory corruption exploitation attempts
- Use SentinelOne's behavioral AI to detect anomalous decompression activities and memory access patterns
Monitoring Recommendations
- Enable core dump collection and analysis for BusyBox processes to identify exploitation attempts
- Implement logging for all file decompression operations on embedded systems
- Monitor system stability metrics for devices running affected BusyBox versions
- Set up alerts for repeated crashes in compression-related utilities
How to Mitigate CVE-2021-42374
Immediate Actions Required
- Update BusyBox to the latest patched version on all affected systems
- Identify and inventory all systems running vulnerable BusyBox versions, including embedded devices and IoT infrastructure
- Restrict access to LZMA decompression functionality where possible until patches can be applied
- Implement input validation for compressed files before processing with BusyBox utilities
Patch Information
Patches addressing this vulnerability have been released by various vendors. Consult the following resources for version-specific patch information:
Organizations should prioritize patching embedded systems and infrastructure components that utilize BusyBox for core functionality.
Workarounds
- Disable or remove the unlzma applet from BusyBox builds if LZMA decompression is not required
- Implement application-level sandboxing for processes that handle untrusted compressed files
- Use alternative decompression utilities on systems where BusyBox cannot be immediately updated
- Restrict file upload capabilities to prevent introduction of malicious compressed files
# Check BusyBox version on affected systems
busybox --help | head -1
# List enabled applets to identify if unlzma is compiled in
busybox --list | grep -E "unlzma|lzma"
# If rebuilding BusyBox, disable LZMA applet in configuration
# In BusyBox menuconfig, disable: Archival Utilities -> unlzma
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
