New Linux Kernel Bug Allows for More Security Attacks
An information-disclosure security vulnerability has been discovered in the Linux kernel, which can be exploited to expose information in the kernel stack memory of vulnerable devices. The bug, classified as CVE-2020-28588, exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux; it arises from an improper conversion of numeric values when reading the file.
With a few commands, attackers can output 24 bytes of uninitialized stack memory, which can be used to bypass kernel address space layout randomization (KASLR). KASLR is an anti-exploit technique that places various objects at random to prevent predictable patterns that are guessable by adversaries.
Proc is a special, pseudo-filesystem in Unix-like operating systems that is used for dynamically accessing process data held in the kernel. It presents information about processes and other system information in a hierarchical file-like structure. For instance, it contains /proc/[pid] subdirectories, each of which contains files and subdirectories exposing information about specific processes, readable by using the corresponding process ID. In the case of the “syscall” file, it’s a legitimate Linux operating system file that contains logs of system calls used by the kernel.
An attacker could exploit the vulnerability by reading /proc/<pid>/syscall. Cisco Talos researchers first discovered the issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel. It’s been present since v5.1-rc4 of the kernel.
“Users are encouraged to update these affected products as soon as possible: Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8,” according to the advisory. “Talos tested and confirmed these versions of the Linux kernel could be exploited by this vulnerability.”