CVE-2022-28391: 
NixOS vulnerability analysis and mitigation

BusyBox through version 1.35.0 contains a vulnerability (CVE-2022-28391) that allows remote attackers to execute arbitrary code when netstat is used to print a DNS PTR record's value to a VT compatible terminal. The vulnerability was discovered and disclosed on April 3, 2022, affecting BusyBox installations, particularly when running on musl instead of glibc (NVD, Debian Tracker).

The vulnerability exists in BusyBox's netstat functionality when handling DNS PTR records. When netstat is used to display network connections in a VT-compatible terminal, maliciously crafted PTR records containing escape sequences can be executed. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high-severity issue requiring user interaction (NVD).

The exploitation of this vulnerability can lead to arbitrary code execution on affected systems. Additionally, attackers could manipulate terminal colors through escape sequence injection. The vulnerability specifically affects systems where netstat is used to display network connection information in VT-compatible terminals (Alpine Issue).

Patches have been released to address this vulnerability, including fixes for ensuring only printable characters in sockaddr2str and sanitizing printed strings in nslookup. Various Linux distributions have released updated packages to address this issue (Alpine Patches).