Linux Kernel Bug Opens Door to Wider Cyberattacks

The information-disclosure flaw allows KASLR bypass and the discovery of additional, unpatched vulnerabilities in ARM devices.

An information-disclosure security vulnerability has been discovered in the Linux kernel, which can be exploited to expose information in the kernel stack memory of vulnerable devices.

Specifically, the bug (CVE-2020-28588) exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, according to Cisco Talos, which discovered the vulnerability. It arises from an improper conversion of numeric values when reading the file.


With a few commands, attackers can output 24 bytes of uninitialized stack memory, which can be used to bypass kernel address space layout randomization (KASLR). KASLR is an anti-exploit technique that places kernel objects at randomized locations in memory, so that adversaries cannot rely on predictable, guessable addresses.

Attacks also would be “impossible to detect on a network remotely,” the firm explained. And, “if utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.”

Kernel-Bug Details

Proc is a special, pseudo-filesystem in Unix-like operating systems that is used for dynamically accessing process data held in the kernel. It presents information about processes and other system information in a hierarchical file-like structure. For instance, it contains /proc/[pid] subdirectories, each of which contains files and subdirectories exposing information about specific processes, readable by using the corresponding process ID. In the case of the “syscall” file, it’s a legitimate Linux operating system file that contains logs of system calls used by the kernel.

An attacker could exploit the vulnerability by reading /proc/<pid>/syscall. “We can see the output on any given Linux system whose kernel was configured with CONFIG_HAVE_ARCH_TRACEHOOK,” according to Cisco’s bug report, publicly disclosed on Tuesday.

“This file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,” explained the firm. “The values of all six argument registers are exposed, although most system calls use fewer registers.”

The shell commands that trigger the vulnerability are:

  • # echo 0 > /proc/sys/kernel/randomize_va_space (# only needed for a cleaner output)
  • $ while true; do cat /proc/self/syscall; done | uniq (# waits for changes)
  • $ while true; do free &>/dev/null; done (# triggers changes)
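The 24-byte figure follows from a width mismatch: six 32-bit argument registers fill only 24 of the 48 bytes reserved for six 64-bit argument slots. The following is an added userspace illustration of that bug class beside its corrected form, not code from the kernel or from Cisco Talos; the struct, the function names, the register values and the 0xAA marker are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NARGS  6
#define POISON 0xAA  /* constructed marker standing in for stale stack bytes */

/* Hypothetical record: six 64-bit argument slots (48 bytes). */
struct syscall_record { uint64_t args[NARGS]; };

/* Flawed pattern: the 64-bit slots are filled as if they were an array of
 * native 32-bit words, so only the first 24 bytes are ever written. */
static void fill_flawed(struct syscall_record *rec, const uint32_t regs[NARGS])
{
    memcpy(rec->args, regs, NARGS * sizeof(uint32_t));
}

/* Corrected pattern: widen each register into its own 64-bit slot. */
static void fill_widened(struct syscall_record *rec, const uint32_t regs[NARGS])
{
    for (int i = 0; i < NARGS; i++)
        rec->args[i] = regs[i];
}

/* Count bytes of the record that still hold the marker (never written). */
static size_t stale_bytes(const struct syscall_record *rec)
{
    const unsigned char *p = (const unsigned char *)rec->args;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(rec->args); i++)
        if (p[i] == POISON) n++;
    return n;
}

/* Fill a poisoned record with constructed register values and measure it. */
static size_t run_model(int widened)
{
    static const uint32_t regs[NARGS] = {0x1, 0x7efff5c0, 0x400, 0, 0x76f2e000, 0x10};
    struct syscall_record rec;
    memset(&rec, POISON, sizeof(rec));
    if (widened) fill_widened(&rec, regs); else fill_flawed(&rec, regs);
    return stale_bytes(&rec);
}

int main(void)
{
    printf("flawed:  %zu stale bytes\n", run_model(0));
    printf("widened: %zu stale bytes\n", run_model(1));
    return 0;
}
```

Whatever later formats the record for output prints the unwritten bytes of the flawed version verbatim; zero-initializing the record before filling it closes the same gap.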

Security Patch Updates Available

Cisco Talos researchers first discovered the issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel. The bug has been present since v5.1-rc4 of the kernel.

“Users are encouraged to update these affected products as soon as possible: Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8,” according to the advisory. “Talos tested and confirmed these versions of the Linux kernel could be exploited by this vulnerability.”

Linux kernel bugs are rare but do happen. For instance, last October Google and Intel warned of the high-severity “BleedingTooth” flaw in BlueZ, the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols to Linux-based internet of things (IoT) devices. It could be exploited in a “zero-click” attack and potentially allow for escalated privileges on affected devices.




  • Somebody on

    32 bit, huh? So not much to see here, virtually all arm devices are 64 bit, except a few fringe horrendously obsolete heaps that need to be allowed to die. Good that they found it, but don't let it get blown out of proportion.
    • Anonymous on

      Except for Raspberry Pi's which are still using 32 bit. There is a 64 bit version available which only came out when the Pi 4 was released but it's still in development.
  • Oded on

    I don't believe this is much of a security issue - `syscall` proc file is only readable by the super user, so the *potential* damage is already limited to only trusted users (If the system was already broken enough so an attacker can gain root - you have more serious problems). There's yet an official CVE ranking (4 months after kernel patches were distributed), but I'd rank the severity of this issue as 1 out of 10: - requires local root access - exposes no actually actionable data - requires another exploit to *maybe* cause damage
