An information disclosure issue in Linux Kernel allows KASLR bypass could be potentially exploited in attacks in the wild.
An information disclosure flaw in the Linux kernel, tracked as CVE-2020-28588, could allow attackers to bypass the Kernel Address Space Layout Randomization bypass (KASLR).
The Kernel Address space layout randomization (KASLR) is a computer security technique designed to prevent the exploitation of memory-corruption vulnerabilities.
The flaw exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, it can be triggered to expose data in the kernel stack memory of vulnerable devices.
Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.
The vulnerability was discovered by Cisco Talos researchers it stems from an improper conversion between numeric types when reading the file.
“TALOS-2020-1211 (CVE-2020-28588) is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory . We first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel.” reads the advisory published by Cisco Talos. “An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.”
An attacker could exploit the issue by reading the /proc/<pid>/syscall file, Talos researchers highlighs that it is impossible to detect on a network remotely.
Experts explained that where unsigned long is 4 bytes, only the first 24 bytes of the args argument are written to, leaving the remaining 24 bytes untouched. The 24 bytes of uninitialized stack memory end up getting output, which could lead to a KASLR bypass.
“An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.” continues the advisory.
“This file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,” explained the firm. “The values of all six argument registers are exposed, although most system call use fewer registers.”
Talos also provided the commands to trigger this memory issue:
- # echo 0 > /proc/sys/kernel/randomize_va_space (# only needed for a cleaner output)
- $ while true; do cat /proc/self/syscall; done | uniq (# waits for changes)
- $ while true; do free &>/dev/null; done (# triggers changes)
Users are recommended to update their products to the Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8 that address the flaw.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Linux)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
An information disclosure issue in Linux Kernel allows KASLR bypass could be potentially exploited in attacks in the wild.
An information disclosure flaw in the Linux kernel, tracked as CVE-2020-28588, could allow attackers to bypass the Kernel Address Space Layout Randomization bypass (KASLR).
The Kernel Address space layout randomization (KASLR) is a computer security technique designed to prevent the exploitation of memory-corruption vulnerabilities.
The flaw exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, it can be triggered to expose data in the kernel stack memory of vulnerable devices.
Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.
The vulnerability was discovered by Cisco Talos researchers it stems from an improper conversion between numeric types when reading the file.
“TALOS-2020-1211 (CVE-2020-28588) is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory . We first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel.” reads the advisory published by Cisco Talos. “An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.”
An attacker could exploit the issue by reading the /proc/<pid>/syscall file, Talos researchers highlighs that it is impossible to detect on a network remotely.
Experts explained that where unsigned long is 4 bytes, only the first 24 bytes of the args argument are written to, leaving the remaining 24 bytes untouched. The 24 bytes of uninitialized stack memory end up getting output, which could lead to a KASLR bypass.
“An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.” continues the advisory.
“This file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,” explained the firm. “The values of all six argument registers are exposed, although most system call use fewer registers.”
Talos also provided the commands to trigger this memory issue:
- # echo 0 > /proc/sys/kernel/randomize_va_space (# only needed for a cleaner output)
- $ while true; do cat /proc/self/syscall; done | uniq (# waits for changes)
- $ while true; do free &>/dev/null; done (# triggers changes)
Users are recommended to update their products to the Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8 that address the flaw.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Linux)