Details tied to a pair of remote code execution bugs in Microsoft’s IoT security platform called Azure Sphere were released Monday. Also made public were specifics associated with two additional privilege escalation flaws impacting the same cloud security platform.
Public disclosure of all four bugs piggybacks on six vulnerabilities, found in July, that also affected Microsoft’s Azure Sphere. Cybersecurity researchers at Cisco Talos found each of the bugs and released technical details only after Microsoft issued patches.
“Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. However, Microsoft declined to issue any CVEs,” according to a research brief published Monday.
Azure Sphere, which debuted at the RSA Conference 2018, is Redmond’s IoT security solution, designed to secure the microcontroller unit (MCU) devices typically found on IoT networks. The platform relies on MCUs with built-in security technology and uses certificate-based authentication to protect against threats.
The first of the two code execution bugs disclosed Monday is described as a “normal world application READ_IMPLIES_EXEC personality unsigned code execution vulnerability.” The TL;DR version of the bug, which affects Azure Sphere 20.06, is that specially crafted shellcode introduced into the platform can cause a process’s heap (the region of memory used for dynamic allocations) to become executable. For example, an “attacker can execute a shellcode that sets the READ_IMPLIES_EXEC personality to trigger this vulnerability,” according to Cisco Talos.
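The symptom described above, a heap that has become executable, is visible in a process’s /proc/&lt;pid&gt;/maps. The following is an added, defender-side check (not code from Cisco Talos or Microsoft) that parses maps output and flags W+X mappings or an executable heap or stack; the maps samples are constructed for the example and the path /path/to/app is a placeholder.

```python
import re
from typing import List, Tuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)

# (start, end, perms, path)
Mapping = Tuple[int, int, str, str]

def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text; raise on a line that does not match the kernel format."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _MAPS_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append((int(m["start"], 16), int(m["end"], 16), m["perms"], m["path"]))
    return mappings

def wx_violations(mappings: List[Mapping]) -> List[str]:
    """Report mappings that are both writable and executable, plus any
    executable heap or stack (the symptom of READ_IMPLIES_EXEC being set)."""
    findings = []
    for start, end, perms, path in mappings:
        writable, executable = "w" in perms, "x" in perms
        label = path or "(anonymous)"
        if writable and executable:
            findings.append(f"W+X mapping {start:x}-{end:x} {label}")
        elif executable and path in ("[heap]", "[stack]"):
            findings.append(f"executable {path} {start:x}-{end:x}")
    return findings

# Constructed samples (not captured from a real device): a normal process,
# then the same layout after READ_IMPLIES_EXEC made every readable page executable.
NORMAL_MAPS = """\
00400000-00401000 r-xp 00000000 00:01 12 /path/to/app
00601000-00602000 rw-p 00001000 00:01 12 /path/to/app
01000000-01021000 rw-p 00000000 00:00 0  [heap]
7ffd0000-7ffd2000 rw-p 00000000 00:00 0  [stack]
"""
EXEC_HEAP_MAPS = NORMAL_MAPS.replace("rw-p", "rwxp")

if __name__ == "__main__":
    for name, text in (("normal", NORMAL_MAPS), ("after-personality", EXEC_HEAP_MAPS)):
        print(name, wx_violations(parse_maps(text)) or ["clean"])
```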
How severe is this vulnerability and the other remote code execution (RCE) bug?
“Remote code execution vulnerabilities can lead to complete system compromise. They need to be taken very seriously and patched when possible. In the event a severe issue cannot be patched a layered mitigation strategy needs to be in place,” wrote Craig Williams, director of Talos Outreach at Cisco, in an email interview.
Reducing some concern is the fact that both RCE bugs would need to be exploited locally and couldn’t be triggered from outside the trusted Azure Sphere environment.
“In our attack scenario we assume that an attacker has already gained a foothold on the device and is using these vulnerabilities in order to execute remote unsigned code which according to Microsoft’s security model is not something that should be possible,” Williams said.
The second code execution vulnerability outlined by researchers impacts Microsoft Azure Sphere 20.07 and is based on the assumption a local attacker can introduce a compromised application into the IoT ecosystem.
“A specially crafted shellcode can cause a process’ non-writable memory to be written. An attacker can execute a shellcode that modifies the program at runtime via /proc/thread-self/mem to trigger this vulnerability,” according to the Cisco Talos write-up.
The vulnerability, according to researchers, can be exploited by an application that hides in Azure Sphere and executes a process within Microsoft’s custom Linux-based OS, which is part of Azure Sphere. “The scope of this issue is within an already compromised application,” researchers wrote. The pseudo-code, in this scenario, would be implemented via return oriented programming (ROP) gadgets.
Pseudo-code is a way of describing a program’s logic in plain English rather than in an actual programming language. ROP gadgets are short, discrete instruction sequences already present in a program’s memory that can be chained together in an attack.
“[The] sequence of commands overwrites the function pointed by func with an arbitrary shellcode, and could be used by an attacker to run unsigned code, after compromising an application,” researchers said.
Cisco Talos researchers also disclosed two privilege escalation vulnerabilities, both rated high-severity and impacting Microsoft Azure Sphere 20.06. Both bugs are also patched.
“A privilege escalation vulnerability exists in the Capability access control functionality,” wrote researchers. “A set of specially crafted ptrace syscalls can be used to obtain elevated capabilities. An attacker can write a shellcode to trigger this vulnerability.”
Ptrace is the name of a single system call; a system call is the action a program takes when requesting a service from the core of the computer’s operating system (the kernel).
“An attacker can use the ptrace API to gain execution in another Azure Sphere process and use its Azure Sphere capabilities to access an entirely new set of IOCTL (input/output control) requests,” Cisco Talos wrote.
The second privilege escalation bug exploits a flaw in IoT devices and their unique identifier (UID) numbers.
“A privilege escalation vulnerability exists in the uid_map functionality of Microsoft Azure Sphere 20.06. A specially crafted uid_map file can cause multiple applications to get the same UID assigned, thus broadening the attack surface. An attacker can modify the uid_map file to trigger this vulnerability,” according to the writeup.
Each of the bugs disclosed Monday is credited to Claudio Bozzato, Dave McDaniel and “Lilith >_>” of Cisco Talos. Microsoft disclosed the bugs to its customers on Aug. 10, and public disclosure was Monday.