An information disclosure flaw in the Linux kernel, tracked as CVE-2020-28588, could allow attackers to bypass the Kernel Address Space Layout Randomization bypass (KASLR).
The Kernel Address space layout randomization (KASLR) is a computer security technique designed to prevent the exploitation of memory-corruption vulnerabilities.
The flaw exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, it can be triggered to expose data in the kernel stack memory of vulnerable devices.
Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.
The vulnerability was discovered by Cisco Talos researchers it stems from an improper conversion between numeric types when reading the file.
“TALOS-2020-1211 (CVE-2020-28588) is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory . We first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel.” reads the advisory published by Cisco Talos. “An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.”
An attacker could exploit the issue by reading the /proc/<pid>/syscall file, Talos researchers highlighs that it is impossible to detect on a network remotely.
Experts explained that where unsigned long is 4 bytes, only the first 24 bytes of the args argument are written to, leaving the remaining 24 bytes untouched. The 24 bytes of uninitialized stack memory end up getting output, which could lead to a KASLR bypass.
“An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.” continues the advisory.
“This file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,” explained the firm. “The values of all six argument registers are exposed, although most system call use fewer registers.”
Talos also provided the commands to trigger this memory issue:
Users are recommended to update their products to the Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8 that address the flaw.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Linux)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.