CVE-2021-42380: 
NixOS vulnerability analysis and mitigation

CVE-2021-42380 is a use-after-free vulnerability discovered in BusyBox's awk applet that affects versions 1.28.0 through 1.33.1. The vulnerability was discovered by researchers from Claroty's Team82 and JFrog, and was disclosed in November 2021. The issue occurs when processing a crafted awk pattern in the clrvar function (JFrog Blog).

The vulnerability is classified as a use-after-free issue in BusyBox's awk applet's clrvar function. It has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability can only be exploited if the attacker can supply an arbitrary pattern to awk, which is the first positional argument this applet takes. The awk applet is built by the default BusyBox configuration and shipped with Ubuntu's default BusyBox binary (NetApp Advisory).

Successful exploitation of this vulnerability could lead to denial of service (DoS) and possibly remote code execution when processing a crafted awk pattern. The vulnerability affects approximately 40% of examined embedded firmware images that contain a BusyBox executable linked with the affected applets (JFrog Blog).

The vulnerability has been fixed in BusyBox version 1.34.0. For systems unable to upgrade, a workaround is available by compiling BusyBox without the vulnerable awk functionality by commenting out CONFIG_AWK=y in the .config file after running make defconfig in BusyBox's source directory (JFrog Blog).