BalenaOS running binaries with no security policies

Hello,

I have a ticket where I explain the other part of this multifaceted security issue: https://forums.balena.io/t/balenaos-running-default-instance-of-busybox/366994

At my company, we have been using BalenaOS for an IoT product we are planning to launch on the market. We had a penetration test done on the device, and here is a vulnerability they found in the OS itself.

It seems that the key binaries run in the hostOS are not appropriately hardened; for example, they are missing stack canaries and fortified compiler flags. This can make the system easier to exploit using buffer overflows.
unfortified_binaries.pdf (121.2 KB)

I could not find anything specific on the forums. Since these are run by the OS, I was a bit reluctant to alter them.

I was wondering if the Balena team was made aware of this vulnerability. If so, is a solution under development?

Otherwise, has anyone tried to implement a “fix” for this?

Thanks!

1 Like
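The properties the pentest report refers to (stack canaries, FORTIFY_SOURCE) can be audited directly from the ELF headers and the dynamic string table, together with PIE, NX and RELRO, which a report of this kind usually lists as well. The following Python is an added example, not code from this thread or from balenaOS: `check_hardening` parses a 64-bit ELF image, `weaknesses` lists what is definitely missing, and `build_elf` constructs a synthetic ELF64 skeleton purely so the checker can be exercised offline. It assumes that the presence of `__*_chk` imports is an adequate FORTIFY indicator, which only holds when a fortifiable libc call was compiled in.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO, PF_X, ET_EXEC, ET_DYN, SHT_STRTAB = 0x6474E551, 0x6474E552, 1, 2, 3, 3
PHDR, SHDR = "<IIQQQQQQ", "<IIQQQQIIQQ"  # ELF64 program-header / section-header layouts

def check_hardening(data):
    """Report hardening markers found in a 64-bit little-endian ELF image (bytes)."""
    if data[:5] != b"\x7fELF\x02" or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are supported")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 32)
    phentsize, phnum, shentsize, shnum, shstrndx = struct.unpack_from("<HHHHH", data, 54)
    nx = relro = False
    for i in range(phnum):  # PT_GNU_STACK without PF_X means a non-executable stack
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * phentsize)
        nx |= p_type == PT_GNU_STACK and not p_flags & PF_X
        relro |= p_type == PT_GNU_RELRO
    shdr = lambda i: struct.unpack_from(SHDR, data, e_shoff + i * shentsize)
    cstr = lambda off: data[off:data.index(b"\0", off)]
    names_off = shdr(shstrndx)[4]  # file offset of .shstrtab (section-name strings)
    canary = fortify = None  # stays None for static binaries, which have no .dynstr
    for i in range(shnum):
        s = shdr(i)
        if s[1] == SHT_STRTAB and cstr(names_off + s[0]) == b".dynstr":
            syms = data[s[4]:s[4] + s[5]].split(b"\0")
            canary = b"__stack_chk_fail" in syms
            # assumption: FORTIFY shows only when a fortifiable libc call was compiled in
            fortify = any(n.startswith(b"__") and n.endswith(b"_chk")
                          and n != b"__stack_chk_fail" for n in syms)
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro,
            "canary": canary, "fortify": fortify}

def weaknesses(report):  # checks that are definitely missing (None = undetermined)
    return sorted(k for k, v in report.items() if v is False)

def build_elf(canary=True, fortify=True, pie=True, nx=True, relro=True):
    """Constructed sample: a minimal ELF64 skeleton (not runnable) carrying only the markers above."""
    syms = ([b"__libc_start_main"] + ([b"__stack_chk_fail"] if canary else [])
            + ([b"__memcpy_chk"] if fortify else []))
    dynstr = b"\0" + b"\0".join(syms) + b"\0"
    shstrtab = b"\0.dynstr\0.shstrtab\0"
    phdrs = struct.pack(PHDR, PT_GNU_STACK, 0 if nx else PF_X, 0, 0, 0, 0, 0, 16)
    phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1) if relro else b""
    dyn_off = 64 + len(phdrs); shstr_off = dyn_off + len(dynstr); shoff = shstr_off + len(shstrtab)
    shdrs = (bytes(64) + struct.pack(SHDR, 1, SHT_STRTAB, 0, 0, dyn_off, len(dynstr), 0, 0, 1, 0)
             + struct.pack(SHDR, 9, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, shoff, 0,
        64, 56, len(phdrs) // 56, 64, 3, 2)
    return ehdr + phdrs + dynstr + shstrtab + shdrs
```

On a real device, call `weaknesses(check_hardening(open(path, "rb").read()))` for each hostOS binary of interest; a `None` for canary or fortify means the binary is static and the dynamic-symbol heuristic cannot decide.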

Hello @roland-k, thank you for sharing all of this information. I shared all of this with the balenaOS team to give you more insights.

Having said that, could you please confirm what hardware you are using and which balenaOS version?

Let’s stay connected

Hello @mpous, we are using a Raspberry Pi 4 (Compute Module) and we are running balenaOS version 2.75.0+rev1 with Balena Supervisor version 12.5.10.

I do know these are both outdated. I had a go at updating the OS this week, but that sort of wrecks our current code. Not by too much, but it will require further dev work on our end.

Have there been any OS version changes that introduced a solution for this?

Thanks!

Hi Roland, let me try to address some of the concerns raised in those reports.

BalenaOS is a Yocto Project based distribution, and binaries are built following Yocto Project recipes. The Yocto Project community takes security seriously.

The reports raise concerns about security policies. BalenaOS is a lightweight hypervisor-type operating system that runs containerized applications. These containerized applications can apply specific security policies to fulfill their needs; it is not something that the hostOS should mandate.

As for the busybox configuration, the report raises a generic concern about the number of applets available without any specifics about attack vectors or vulnerabilities.

It feels like the report results are just generic best-practice recommendations, and the authors did not take the time to investigate the specifics of balenaOS and its use.