CVE-2022-28391 Overview
CVE-2022-28391 is a remote code execution vulnerability in BusyBox through version 1.35.0. The vulnerability allows remote attackers to execute arbitrary code when the netstat utility is used to print a DNS PTR record's value to a VT-compatible terminal emulator. Alternatively, an attacker could exploit this flaw to manipulate the terminal's display colors, potentially enabling further social engineering attacks or obscuring malicious activity.
Critical Impact
Remote attackers can achieve arbitrary code execution through maliciously crafted DNS PTR records when BusyBox netstat output is displayed on VT-compatible terminals, affecting embedded systems, containers, and IoT devices commonly running BusyBox.
Affected Products
- BusyBox versions up to and including 1.35.0
- Alpine Linux distributions using vulnerable BusyBox packages
- Embedded systems, containers, and IoT devices utilizing BusyBox utilities
Discovery Timeline
- 2022-04-03 - CVE-2022-28391 published to NVD
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2022-28391
Vulnerability Analysis
This vulnerability stems from the implicit trust between BusyBox utilities and the terminal emulators that display their output. When BusyBox's netstat command retrieves and displays DNS PTR records, it does not sanitize the output before rendering it on VT-compatible terminals. Terminal emulators that support VT escape sequences can interpret specially crafted sequences embedded in DNS responses as commands, leading to arbitrary code execution.
The attack leverages a class of vulnerabilities known as "terminal escape injection" or "ANSI escape sequence attacks." VT-compatible terminals process escape sequences to control cursor positioning, text formatting, colors, and in some cases, execute system commands through features like OSC (Operating System Command) sequences.
Root Cause
The root cause is insufficient input sanitization in BusyBox's networking utilities. Specifically, the sockaddr2str function in libbb and the nslookup utility fail to ensure that only printable characters are output to the terminal. When DNS PTR records containing terminal escape sequences are resolved and displayed, these malicious sequences are passed directly to the terminal emulator without filtering.
The vulnerability falls under CWE-88 (Improper Neutralization of Argument Delimiters in a Command), as the escape sequences act as command delimiters that break out of the expected data context and into a command execution context within the terminal.
Attack Vector
The attack requires network-based interaction where an attacker controls DNS responses. The attack flow proceeds as follows:
- The attacker sets up a malicious DNS server or performs DNS spoofing
- The attacker configures a DNS PTR record containing terminal escape sequences designed to execute commands
- A victim system running BusyBox executes netstat with options that trigger reverse DNS lookups
- BusyBox queries the DNS server for PTR records
- The malicious response containing escape sequences is returned and displayed on the victim's terminal
- The VT-compatible terminal interprets the escape sequences, potentially executing attacker-controlled commands
User interaction is required as someone must initiate the netstat command and view its output on a vulnerable terminal. However, this is a common administrative task on systems running BusyBox, particularly in containerized and embedded environments.
Detection Methods for CVE-2022-28391
Indicators of Compromise
- Unusual DNS PTR records containing non-printable characters or escape sequences (look for the ESC byte, 0x1b, written \x1b or \033 in most tooling)
- Unexpected terminal behavior such as color changes, cursor movement, or command execution when running network diagnostic tools
- DNS query logs showing PTR lookups to suspicious or attacker-controlled domains
- Process execution anomalies following netstat or nslookup operations
Detection Strategies
- Monitor DNS traffic for PTR responses containing suspicious byte sequences, particularly escape characters (0x1b)
- Implement endpoint detection rules to identify BusyBox processes spawning unexpected child processes
- Deploy network intrusion detection signatures for DNS responses with embedded terminal escape sequences
- Audit BusyBox version across containerized environments and embedded devices to identify vulnerable installations
Monitoring Recommendations
- Enable verbose logging for DNS resolution activities on systems running BusyBox
- Configure terminal emulators to log or alert on receipt of suspicious escape sequences where possible
- Establish baseline behavioral patterns for BusyBox utilities to detect anomalous execution chains
- Monitor for unauthorized modifications to terminal configuration files or environment variables
How to Mitigate CVE-2022-28391
Immediate Actions Required
- Upgrade BusyBox to a patched version that sanitizes terminal output
- Apply the Alpine Linux patches if running Alpine-based containers or systems
- Restrict DNS resolution to trusted nameservers on sensitive systems
- Configure terminal emulators to disable dangerous escape sequence handling where feasible
Patch Information
Alpine Linux has released patches addressing this vulnerability. The fixes ensure that only printable characters are output when displaying DNS-related information:
- Alpine Linux BusyBox Patch 1 - Sanitizes the output of the sockaddr2str function in libbb
- Alpine Linux BusyBox Patch 2 - Sanitizes all printed strings in the nslookup utility
For more details on the vulnerability and patches, see Alpine Linux Issue #13661.
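The following C code is an added example (not BusyBox's code or the Alpine patches) that shows both halves of what the Detection Strategies and Patch Information sections describe: flagging a resolved PTR value that carries terminal control bytes, and reducing a string to printable ASCII before it reaches the terminal, which is the property the fixes are described as restoring. The sample PTR values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if s contains a byte a VT-compatible terminal would treat as a
 * control code rather than display: C0 controls (0x00-0x1f, including ESC
 * 0x1b), DEL (0x7f) and C1 controls (0x80-0x9f). Return 0 otherwise. */
int ptr_has_control_bytes(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f || (c >= 0x80 && c <= 0x9f))
            return 1;
    }
    return 0;
}

/* Copy src into dst (capacity dstlen), replacing every byte outside
 * printable ASCII (0x20-0x7e) with '?', and NUL-terminate. Returns the
 * number of bytes written, excluding the terminator. Illustrative
 * reimplementation of "printable characters only"; not BusyBox's code. */
size_t sanitize_for_terminal(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0)
        return 0;
    for (; *src && n + 1 < dstlen; src++, n++) {
        unsigned char c = (unsigned char)*src;
        dst[n] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample PTR values: a benign hostname and one wrapped in an
     * SGR colour-change sequence (ESC [ 3 1 m ... ESC [ 0 m), the kind of
     * value the advisory says a terminal would act on instead of printing. */
    const char *samples[] = {
        "host-12.example.net",
        "\x1b[31mhost-12.example.net\x1b[0m",
    };
    char out[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sanitize_for_terminal(samples[i], out, sizeof out);
        printf("%s  %s\n", ptr_has_control_bytes(samples[i]) ? "FLAG" : "ok  ", out);
    }
    return 0;
}
```

Because hostnames in DNS are ASCII (internationalized labels are punycode-encoded on the wire), replacing bytes at or above 0x80 with '?' discards nothing a legitimate PTR value would carry.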
Workarounds
- Use alternative networking utilities that properly sanitize output, such as full, non-BusyBox implementations of netstat or ss
- Configure systems to avoid reverse DNS lookups by using numeric options (e.g., netstat -n) when possible
- Implement network-level filtering to detect and block DNS responses containing escape sequences
- Consider using terminal emulators with restricted escape sequence support in sensitive environments
# Configuration example - Use numeric output to avoid DNS PTR lookups
netstat -n
# Alternatively, use ss utility if available
ss -tuln
# For containerized environments, consider overriding BusyBox symlinks
# with full GNU utilities for security-critical operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.