Claudio Bozzato, Lilith >_> and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Update (Sept. 17, 2020): This post has been updated to reflect the status of Microsoft assigning CVEs to these issues.

Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected and custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of a set of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption), and externally the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates, app deployment, and periodically verifying the device integrity to determine whether or not it should be allowed cloud access.

Talos discovered four vulnerabilities in Azure Sphere, two of which could lead to unsigned code execution, and the two others for privilege escalation. The discovery of these vulnerabilities continues our research into Azure Sphere — conducted as part of the Azure Sphere Security Research Challenge — and follows the multiple vulnerabilities we disclosed in July.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. Microsoft plans to assign CVEs for these issues on Oct. 13. We will update this blog when these have been assigned.

Vulnerability details

Microsoft Azure Sphere Normal World application READ_IMPLIES_EXEC personality unsigned code execution vulnerability (TALOS-2020-1128)

A code execution vulnerability exists in the normal world's signed code execution functionality of Microsoft Azure Sphere 20.07. A specially crafted shellcode can cause a process' heap to become executable after having been writable. An attacker can execute a shellcode that sets the READ_IMPLIES_EXEC personality to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.
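The condition this advisory describes, a heap that is writable and later becomes executable, is something a defender can audit for from outside the process. The following is an added example and is not code from Talos, Microsoft or the Azure Sphere OS: it parses /proc/&lt;pid&gt;/maps for mappings that are both writable and executable and checks the process personality word for the READ_IMPLIES_EXEC bit (value 0x0400000 in the Linux UAPI header). The maps text and personality value embedded below are constructed sample data, not captured from a device.

```python
"""W^X audit over a process memory map and its personality flags.

Added example, not Talos's or Microsoft's code. It checks the two
conditions that TALOS-2020-1128 relies on: the READ_IMPLIES_EXEC
personality bit being set, and a mapping (such as the heap) that is
writable and executable at the same time. The sample /proc/<pid>/maps
text and personality value are constructed for this example.
"""
import re
from typing import List, Tuple

# From the Linux UAPI header <linux/personality.h>.
READ_IMPLIES_EXEC = 0x0400000

# Constructed sample in /proc/<pid>/maps layout; the [heap] line is rwx.
SAMPLE_MAPS = """\
00010000-00012000 r-xp 00000000 b3:02 1234 /mnt/apps/app
00021000-00022000 rw-p 00001000 b3:02 1234 /mnt/apps/app
00022000-00043000 rwxp 00000000 00:00 0 [heap]
b6f00000-b6f20000 r-xp 00000000 b3:02 5678 /lib/libc.so.6
beffd000-bf01e000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample value in the hex form /proc/<pid>/personality uses.
SAMPLE_PERSONALITY = "0400000"

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) \S+ \S+ \S+\s*(.*)$")


def parse_maps(text: str) -> List[Tuple[int, int, str, str]]:
    """Return (start, end, perms, path) for every mapping line."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, path = m.groups()
        regions.append((int(start, 16), int(end, 16), perms, path))
    return regions


def find_wx_regions(text: str) -> List[Tuple[int, int, str]]:
    """Mappings that are writable and executable simultaneously."""
    return [(s, e, path) for s, e, perms, path in parse_maps(text)
            if "w" in perms and "x" in perms]


def has_read_implies_exec(personality_hex: str) -> bool:
    """True when READ_IMPLIES_EXEC is set in the personality word."""
    return bool(int(personality_hex, 16) & READ_IMPLIES_EXEC)


def audit(maps_text: str, personality_hex: str) -> List[str]:
    """Human-readable findings for one process."""
    findings = []
    if has_read_implies_exec(personality_hex):
        findings.append("personality has READ_IMPLIES_EXEC set")
    for start, end, path in find_wx_regions(maps_text):
        findings.append(f"W+X mapping {start:08x}-{end:08x} {path or '(anon)'}")
    return findings


def audit_live_process(pid: int) -> List[str]:
    """Run the same checks against a real process on a Linux host
    (requires permission to read that process's /proc entries)."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/personality") as f:
        personality_hex = f.read().strip()
    return audit(maps_text, personality_hex)


if __name__ == "__main__":
    for finding in audit(SAMPLE_MAPS, SAMPLE_PERSONALITY):
        print(finding)
```

Run against the constructed sample it reports both the personality bit and the rwx heap; `audit_live_process` applies the same logic to a running PID on any Linux system where the caller may read that process's /proc entries.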

Microsoft Azure Sphere Capability access control privilege escalation vulnerability (TALOS-2020-1133)

A privilege escalation vulnerability exists in the Capability access control functionality of Microsoft Azure Sphere 20.06. A set of specially crafted ptrace syscalls can be used to obtain elevated capabilities. An attacker can write a shellcode to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Microsoft Azure Sphere uid_map UID uniqueness privilege escalation vulnerability (TALOS-2020-1137)

A privilege escalation vulnerability exists in the uid_map functionality of Microsoft Azure Sphere 20.06. A specially crafted uid_map file can cause multiple applications to get the same UID assigned, effectively letting a user application run as a system application's UID. An attacker can modify the uid_map file to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.
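The defensive counterpart to this advisory is a uniqueness check on the mapping file before it is trusted. The block below is an added example, not Talos's, Microsoft's or Azure Sphere's code, and the post does not describe the real uid_map layout: the two-column "component uid" format, the comment syntax and the sample entries are all assumptions constructed for the example.

```python
"""Duplicate-UID check over a uid_map-style file.

Added example, not Talos's or Microsoft's code. The actual Azure Sphere
uid_map format is not described in the post; the "<component> <uid>"
line format and the sample content below are assumptions made for
this example.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: a user application reuses a system application's UID.
SAMPLE_UID_MAP = """\
# component              uid
sysapp-networkd          1001
sysapp-updated           1002
userapp-telemetry        1001
userapp-display          1003
"""


def parse_uid_map(text: str) -> List[Tuple[str, int]]:
    """Parse '<component> <uid>' lines; '#' starts a comment.
    Raises ValueError on a malformed line so a bad file is rejected
    rather than partially applied."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            raise ValueError(
                f"uid_map line {lineno}: expected '<component> <uid>'")
        entries.append((parts[0], int(parts[1])))
    return entries


def find_duplicate_uids(text: str) -> Dict[int, List[str]]:
    """Map each UID claimed by more than one component to those components."""
    by_uid: Dict[int, List[str]] = defaultdict(list)
    for component, uid in parse_uid_map(text):
        by_uid[uid].append(component)
    return {uid: comps for uid, comps in by_uid.items() if len(comps) > 1}


def find_duplicate_components(text: str) -> List[str]:
    """Components listed more than once (a second line could override
    an earlier assignment)."""
    seen = set()
    dupes = []
    for component, _ in parse_uid_map(text):
        if component in seen and component not in dupes:
            dupes.append(component)
        seen.add(component)
    return dupes


def validate_uid_map(text: str) -> List[str]:
    """All findings for the file; an empty list means it passed."""
    findings = []
    for uid, comps in sorted(find_duplicate_uids(text).items()):
        findings.append(f"uid {uid} shared by {', '.join(comps)}")
    for component in find_duplicate_components(text):
        findings.append(f"component {component} listed more than once")
    return findings


if __name__ == "__main__":
    for finding in validate_uid_map(SAMPLE_UID_MAP):
        print(finding)
```

On the constructed sample the check reports that uid 1001 is shared by sysapp-networkd and userapp-telemetry, which is exactly the condition the advisory describes: a user application ending up with a system application's UID.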

Microsoft Azure Sphere Normal World application /proc/thread-self/mem unsigned code execution vulnerability (TALOS-2020-1138)

A code execution vulnerability exists in the normal world's signed code execution functionality of Microsoft Azure Sphere 20.07. A specially crafted shellcode can cause a process' non-writable memory to be written to. An attacker can execute shellcode that modifies itself at runtime via /proc/thread-self/mem to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that TALOS-2020-1128, TALOS-2020-1133 and TALOS-2020-1137 affect Microsoft Azure Sphere, version 20.06. TALOS-2020-1138 affects version 20.07.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 54645, 54646, 54729, 54730