Claudio Bozzato, Lilith >_> and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Update (Sept. 17, 2020): This post has been updated to reflect the status of Microsoft assigning CVEs to these issues.

Cisco Talos researchers recently discovered seven vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected SoC platform designed specifically with IoT application security in mind. The infrastructure around the Azure Sphere platform is Microsoft’s Azure Sphere cloud, which takes care of secure updates, app deployment, and periodically verifying the device integrity. Internally, the SoC is made up of a set of several ARM cores that have different roles.


Talos discovered two chainable vulnerabilities within Azure Sphere that, assuming an attacker could flash a malicious application, would allow for arbitrary writing to anywhere in the /mnt/config partition, resulting in further privilege escalation. These vulnerabilities were also discovered in tandem by McAfee Advanced Threat Research. Talos discovered these vulnerabilities as part of our participation in the Azure Sphere security research challenge.

Our researchers also discovered two vulnerabilities in the platform that could allow an adversary to execute arbitrary shellcode in the restricted Linux userland of the A7 core, which normally provides a guarantee that only signed code can be executed on the device (excluding ROP gadgets). Talos also discovered an information disclosure that may be used to leak sensitive data by reading the kernel message ring buffer, a denial-of-service vulnerability via resource exhaustion in the Pluton ring buffer, and a memory corruption vulnerability in the Azure Sphere AZSPIO socket kernel driver.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. Microsoft plans to assign CVEs for these issues on Oct. 13. We will update this blog when these have been assigned.

Vulnerability details

Microsoft Azure Sphere kernel message ring buffer information disclosure vulnerability (TALOS-2020-1089)

An information disclosure vulnerability exists in the kernel message ring buffer functionality of Microsoft Azure Sphere 20.05. Unprivileged users can access the kernel message ring buffer, which can potentially leak sensitive information, such as kernel or userland memory addresses. An attacker can access the ring buffer via klogctl to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Azure Sphere Normal World application ptrace unsigned code execution vulnerability (TALOS-2020-1090)

A code execution vulnerability exists in the normal world's signed code execution functionality of Microsoft Azure Sphere 20.05. A specially crafted shellcode can cause a process' non-writable memory to be written. An attacker can execute shellcode that uses the ptrace API to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.
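The two entries above (TALOS-2020-1089 and TALOS-2020-1090) concern unprivileged access to the kernel log and ptrace-based modification of process memory. The fix on Azure Sphere is the vendor OS update, but on a general Linux host a defender would confirm the kernel controls that govern those two surfaces. The following audit script is an added example, not code from the original post or from Talos; it assumes the standard Linux sysctls kernel.dmesg_restrict, kernel.kptr_restrict and kernel.yama.ptrace_scope, which are not claimed to exist on the Azure Sphere device, and its sample input is constructed.

```python
import os
from typing import Dict, List, Optional

# Generic Linux sysctl controls related to the two bug classes above.
# Assumption: these are general Linux hardening knobs for a defender's
# host audit; they are not Azure Sphere settings.
# Value: (minimum acceptable value, what a lower value means)
EXPECTED = {
    # 1: unprivileged klogctl()/dmesg reads fail with EPERM
    "kernel/dmesg_restrict": (1, "kernel log readable by unprivileged users"),
    # >=1: %pK kernel pointers are masked for non-root readers of the log
    "kernel/kptr_restrict": (1, "kernel addresses printed unmasked in the log"),
    # >=1: Yama restricts PTRACE_ATTACH to descendants of the tracer
    "kernel/yama/ptrace_scope": (1, "ptrace attach allowed to any same-uid process"),
}


def read_sysctl(name: str, proc_root: str = "/proc/sys") -> Optional[int]:
    """Read one integer sysctl via procfs; None if absent or unreadable."""
    path = os.path.join(proc_root, name)
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def audit(values: Dict[str, Optional[int]]) -> List[str]:
    """Compare collected sysctl values against EXPECTED; return findings."""
    findings = []
    for key, (minimum, issue) in EXPECTED.items():
        val = values.get(key)
        if val is None:
            findings.append(f"{key}: not present on this kernel; mitigation unconfirmed")
        elif val < minimum:
            findings.append(f"{key}={val}: {issue}; recommend >= {minimum}")
    return findings


def audit_host(proc_root: str = "/proc/sys") -> List[str]:
    """Collect the live values from procfs and audit them."""
    return audit({k: read_sysctl(k, proc_root) for k in EXPECTED})


# Constructed sample, not data from a real device: dmesg is restricted,
# kernel pointers are unmasked, and Yama is not built into the kernel.
SAMPLE = {
    "kernel/dmesg_restrict": 1,
    "kernel/kptr_restrict": 0,
    "kernel/yama/ptrace_scope": None,
}

if __name__ == "__main__":
    print("sample host:")
    for line in audit(SAMPLE):
        print("  " + line)
    print("this host:")
    for line in audit_host():
        print("  " + line)
```

On the constructed sample the audit reports two findings: kptr_restrict is too low and the Yama control is absent. Treating a missing sysctl as a finding rather than silently passing is deliberate, since an absent control means the mitigation cannot be confirmed.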

Microsoft Azure Sphere Normal World application /proc/self/mem unsigned code execution vulnerability (TALOS-2020-1093)

A code execution vulnerability exists in the normal world's signed code execution functionality of Microsoft Azure Sphere 20.05. A specially crafted shellcode can cause a process' non-writable memory to be written. An attacker can execute a shellcode that modifies the program at runtime via /proc/self/mem to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Azure Sphere asynchronous ioctl denial-of-service vulnerability (TALOS-2020-1117)

A denial-of-service vulnerability exists in the asynchronous ioctl functionality of Microsoft Azure Sphere 20.05. A sequence of specially crafted ioctl calls can cause a denial of service. An attacker can write a shellcode to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Azure Sphere AF_AZSPIO socket memory corruption vulnerability (TALOS-2020-1118)

A memory corruption vulnerability exists in the AF_AZSPIO socket functionality of Microsoft Azure Sphere 20.05. A sequence of socket operations can cause a double-free and out-of-bounds read in the kernel. An attacker can write a shellcode to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Azure Sphere ASXipFS inode type privilege escalation vulnerability (TALOS-2020-1131)

A privilege escalation vulnerability exists in the ASXipFS inode type functionality of Microsoft Azure Sphere 20.06. A specially crafted image package can cause access to arbitrary devices. An attacker can flash a malicious image package to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Azure Sphere mtd character device driver privilege escalation vulnerability (TALOS-2020-1132)

An arbitrary flash write vulnerability exists in the mtd character device driver of Microsoft Azure Sphere 20.06. A specially crafted ioctl can bypass file permissions and allow writes to flash by unauthorized users. An attacker can issue a MEMWRITE ioctl to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that these vulnerabilities affect Microsoft Azure Sphere, version 20.05.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 54501 - 53504