BalenaOS running default instance of Busybox


At my company, we have been using BalenaOS for our IoT product we are planning to launch to the market. We had a penetration test done on the device, and here is a vulnerability they found in the OS itself.

It seems BusyBox is running a default instance in the HostOS. This is not present in our container.
According to the pentesters, this gives malicious attackers a larger surface to conduct their attack.
busybox.pdf (83.8 KB)

I could not find anything specific on the forums. Since the OS is using it, I was a bit reluctant to start disabling functions in it, as this could affect the whole system.

I was wondering if the Balena team was made aware of this vulnerability. If yes, is a solution under development?

Otherwise, has anyone tried to implement a “fix” for this?