CVE-2021-42385: 
NixOS vulnerability analysis and mitigation

CVE-2021-42385 is a use-after-free vulnerability discovered in BusyBox's awk applet that affects versions 1.16.0 through 1.33.1. The vulnerability was discovered by researchers from Claroty's Team82 and JFrog, and was publicly disclosed in November 2021. The issue occurs when processing a crafted awk pattern in the evaluate function (JFrog Blog).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue can only be exploited if the attacker can supply an arbitrary pattern to awk (the pattern is the first positional argument this applet takes). The awk applet is built by the default BusyBox configuration and shipped with Ubuntu's default BusyBox binary (JFrog Blog).

Successful exploitation of this vulnerability could lead to denial of service (DoS) and possibly remote code execution when processing a crafted awk pattern. According to research, approximately 40% of examined embedded firmware images contained a BusyBox executable linked with affected applets, making this vulnerability widespread among Linux-based embedded firmware (Claroty Research).

The vulnerability has been fixed in BusyBox version 1.34.0. For systems unable to upgrade, a workaround is available by compiling BusyBox without the vulnerable awk functionality by commenting out CONFIG_AWK=y in the .config file after running make defconfig in BusyBox's source directory (JFrog Blog).