A vulnerability detected in the Linux kernel could allow information theft

Cisco Talos researchers disclosed a few days ago a vulnerability in the Linux kernel that can be exploited to steal data and can also serve as a means to escalate privileges and compromise the system.

The vulnerability is described as an "information disclosure vulnerability which could allow an attacker to see the memory of the kernel stack."

CVE-2020-28588 is the identifier of the vulnerability, which was discovered in the /proc/pid/syscall functionality on 32-bit ARM devices running the operating system. According to Cisco Talos, the problem was first discovered on a device running Azure Sphere.

An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, the issue was introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so all intermediate versions are likely to be affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, causing the kernel to leak memory contents.

Proc is a special pseudo-filesystem on Unix-like operating systems that is used to dynamically access process data held by the kernel. It presents process information and other system information in a hierarchical, file-like structure.

For example, it contains the subdirectories /proc/[pid], each of which holds files and subdirectories that expose information about a specific process and can be read using the corresponding process ID. The "syscall" file in particular is a legitimate Linux operating system file that records the system calls used by the kernel.

According to the company, attackers could exploit the flaw and reach the operating system's syscall file through procfs, the interface used to interact with kernel data structures. The syscall procfs entry could be exploited if attackers issue commands that cause 24 bytes of uninitialized heap memory to be emitted, leading to a bypass of kernel address space layout randomization (KASLR).

Looking at this specific function, everything looks fine, but it is worth noting that the args parameter passed in came from the proc_pid_syscall function and is therefore actually of type __u64 args. On an ARM system, the function definition casts the args array from eight-byte elements down to four-byte elements (since unsigned long is 4 bytes on ARM), with the result that memcpy copies only 20 bytes into it (plus 4 for args[0]).

Similarly, on i386, where unsigned long is also 4 bytes, only the first 24 bytes of args are written, leaving the remaining 24 bytes untouched.

In both cases, if we look back at the proc_pid_syscall function.

While on 32-bit ARM and i386 only 24 bytes are copied into the args array, the format string ends up reading 48 bytes of the args array, since the %llx format specifier consumes eight bytes on both 32-bit and 64-bit systems. As a result, 24 bytes of uninitialized heap memory end up being output, which could lead to a KASLR bypass.
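As an added illustration, not code from the article or from the kernel itself, the following user-space model reproduces the size mismatch just described: a 48-byte array of 64-bit slots is filled through a pointer cast to a 4-byte type, so half of it keeps whatever was in memory before. The names arch_ulong, get_arguments, collect_buggy, collect_fixed and uninitialized_bytes are assumptions of this model, and the "fixed" variant shows one way to avoid the mismatch (copy through a correctly typed local array and widen element by element), not necessarily the upstream patch verbatim.

```c
/* Added example, not from the article or the kernel: a user-space model of
 * the CVE-2020-28588 size mismatch. arch_ulong stands in for the 32-bit
 * kernel's `unsigned long`; names and types here are simplified. */
#include <stdint.h>
#include <string.h>

typedef uint32_t arch_ulong;               /* 4 bytes, as on 32-bit ARM/i386 */
#define NARGS 6

/* Stand-in for the procfs output struct: six 8-byte slots, 48 bytes total. */
struct syscall_info { uint64_t args[NARGS]; };

/* Stand-in for syscall_get_arguments(): writes six arch-sized words. */
static void get_arguments(const arch_ulong *regs, arch_ulong *out)
{
    memcpy(out, regs, NARGS * sizeof(arch_ulong));   /* 24 bytes on 32-bit */
}

/* Buggy pattern: the 64-bit array is passed through a pointer cast, so only
 * 24 of its 48 bytes are written; the rest keep stale heap contents. */
static void collect_buggy(const arch_ulong *regs, struct syscall_info *info)
{
    get_arguments(regs, (arch_ulong *)&info->args[0]);
}

/* Fixed pattern: fill a correctly typed local array, then widen each element. */
static void collect_fixed(const arch_ulong *regs, struct syscall_info *info)
{
    arch_ulong tmp[NARGS] = { 0 };
    get_arguments(regs, tmp);
    for (int i = 0; i < NARGS; i++)
        info->args[i] = tmp[i];
}

/* Poison the struct, run a collector, and count bytes never written: these are
 * exactly the bytes a "%llx" loop over args[] would print to user space. */
static size_t uninitialized_bytes(void (*collect)(const arch_ulong *, struct syscall_info *))
{
    static const arch_ulong regs[NARGS] = { 1, 2, 3, 4, 5, 6 }; /* constructed input */
    struct syscall_info info;
    const unsigned char *p = (const unsigned char *)&info;
    size_t n = 0;

    memset(&info, 0xAA, sizeof info);   /* 0xAA stands in for stale heap data */
    collect(regs, &info);
    for (size_t i = 0; i < sizeof info; i++)
        n += (p[i] == 0xAA);
    return n;                           /* buggy: 24, fixed: 0 */
}
```

The 24 bytes reported for the buggy collector are the same 24 bytes the article says reach user space through the %llx format string.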

The researchers state that this attack is "impossible to detect remotely on a network" because it is reading from a legitimate Linux operating system file. "If used correctly, a hacker could take advantage of this information leak to successfully exploit other unpatched Linux vulnerabilities," says Cisco.

In this regard, Google recently said:

“Memory safety flaws often threaten the security of devices, especially applications and operating systems. For example, on Android, the mobile operating system that also runs on the Linux kernel, Google says it found that more than half of the security vulnerabilities addressed in 2019 were the result of memory safety bugs.”

Last but not least, it is recommended to update Linux kernel versions 5.10-rc4, 5.4.66 and 5.9.8, since this vulnerability has been tested and confirmed to be exploitable on those versions of the Linux kernel.

Finally, if you are interested in learning more about the post, you can check the details at the following link
