Wednesday, April 14, 2021

Vulnerability Spotlight: Multiple remote code execution vulnerabilities in Microsoft Azure Sphere



Claudio Bozzato and Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption), and externally the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates, app deployment, and periodically verifying the device integrity to determine whether or not it should be allowed cloud access.

Talos discovered four vulnerabilities in Azure Sphere that could lead to unsigned code execution and kernel privilege escalation. The discovery of these vulnerabilities continues our research into Azure Sphere and follows the multiple vulnerabilities we disclosed in 2020. Microsoft patched these vulnerabilities as part of their Patch Tuesday releases in March and April. For more on the rest of the issues disclosed as part of April’s update, check out our post here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Microsoft Azure Sphere mount namespace unsigned code execution vulnerability (TALOS-2021-1247/CVE-2021-27047)

An unsigned code execution vulnerability exists in the mount namespace functionality of Microsoft Azure Sphere 21.01. A specially crafted shellcode could allow an adversary to execute an arbitrary binary in a tmpfs mount, leading to unsigned code execution. An attacker can switch to a new mount namespace to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information. 

Microsoft Azure Sphere Linux namespace ptrace unsigned code execution vulnerability (TALOS-2021-1249/CVE-2021-27047)

An unsigned code execution vulnerability exists in the Linux namespace ptrace functionality of Microsoft Azure Sphere 21.01. Specially crafted shellcodes could allow an adversary to execute unsigned code. An attacker can change the namespace and use ptrace to modify the code of a running process to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Azure Sphere mqueue inode initialization kernel code execution vulnerability (TALOS-2021-1250/CVE-2021-27080)

A code execution vulnerability exists in the mqueue inode initialization functionality of Microsoft Azure Sphere 21.01. A specially crafted set of syscalls can lead to uninitialized kernel read, which in turn leads to code execution in the kernel. To trigger this vulnerability, an attacker can either create and open an mqueue in the root IPC namespace, or just create and destroy an IPC namespace.

Read the complete vulnerability advisory here for additional information.

Microsoft Azure Sphere Kernel pwm_ioctl_apply_state kfree() code execution vulnerability (TALOS-2021-1262/CVE-2021-28460)

A code execution vulnerability exists in the kernel pwm_ioctl_apply_state functionality of Microsoft Azure Sphere 21.01. A specially crafted ioctl can lead to arbitrary kfree. An attacker can issue an ioctl to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information. 


Versions tested

Talos tested and confirmed that these vulnerabilities affect Microsoft Azure Sphere, version 21.01.


Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 57139, 57140, 57166, 57167, 57266, 57267, 57186, 57187

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.