Vulnerability Spotlight: Remote code execution, privilege escalation bugs in Microsoft Azure Sphere

Claudio Bozzato, Lilith >_> and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.



Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft’s Azure Sphere, a cloud-connected, custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of several ARM cores that have different roles (e.g. running different types of applications, enforcing security, and managing encryption). Externally, the Azure Sphere platform is supported by Microsoft’s Azure Sphere cloud, which handles secure updates and app deployment, and periodically verifies device integrity to determine whether or not the device should be allowed cloud access.

Talos discovered four vulnerabilities in Azure Sphere: two could lead to unsigned code execution, and the other two to privilege escalation. The discovery of these vulnerabilities continues our research into Azure Sphere and follows the multiple vulnerabilities we disclosed in July.


In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers. However, Microsoft declined to issue any CVEs.

Vulnerability details


Microsoft Azure Sphere Normal World application READ_IMPLIES_EXEC personality unsigned code execution vulnerability (TALOS-2020-1128)


A code execution vulnerability exists in the normal world's signed code execution functionality of Microsoft Azure Sphere 20.07. Specially crafted shellcode can cause a process's heap to become executable after having been writable. An attacker can execute shellcode that sets the READ_IMPLIES_EXEC personality to trigger this vulnerability.


Read the complete vulnerability advisory.
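An audit check for the condition described in TALOS-2020-1128, as an added example that is not code from Talos or Microsoft: it flags a process whose personality has READ_IMPLIES_EXEC set and counts mappings that are both writable and executable. It assumes the Linux `/proc/<pid>/personality` and `/proc/<pid>/maps` text formats and the flag value from `<linux/personality.h>`; the function names and sample data are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define READ_IMPLIES_EXEC 0x0400000UL  /* value from <linux/personality.h> */

/* Constructed sample of /proc/<pid>/personality and /proc/<pid>/maps content. */
static const char SAMPLE_PERSONA[] = "00400000\n";
static const char SAMPLE_MAPS[] =
    "00010000-00014000 r-xp 00000000 b3:01 1201 /usr/bin/sample_app\n"
    "00024000-00025000 rw-p 00004000 b3:01 1201 /usr/bin/sample_app\n"
    "00b31000-00b52000 rwxp 00000000 00:00 0 [heap]\n"
    "beb1f000-beb40000 rwxp 00000000 00:00 0 [stack]\n";

/* Returns 1 if the hex personality string has READ_IMPLIES_EXEC set. */
int persona_read_implies_exec(const char *hex) {
    return (strtoul(hex, NULL, 16) & READ_IMPLIES_EXEC) != 0;
}

/* Counts mappings that are both writable and executable; if label is
 * non-NULL, only lines containing it (e.g. "[heap]") are counted. */
int count_wx(const char *maps, const char *label) {
    int hits = 0;
    const char *line = maps;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256], perms[5] = "";
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* Field 2 of a maps line is the 4-character permission string. */
        if (sscanf(buf, "%*s %4s", perms) == 1 &&
            perms[1] == 'w' && perms[2] == 'x' &&
            (label == NULL || strstr(buf, label) != NULL))
            hits++;
        line = eol ? eol + 1 : line + strlen(line);
    }
    return hits;
}

int main(void) {
    printf("READ_IMPLIES_EXEC set: %d\n", persona_read_implies_exec(SAMPLE_PERSONA));
    printf("W+X mappings: %d (heap: %d)\n",
           count_wx(SAMPLE_MAPS, NULL), count_wx(SAMPLE_MAPS, "[heap]"));
    return 0;
}
```

On a live Linux system the same two functions can be fed the contents of the real `/proc` files for each process being audited.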