An issue in the Linux Kernel could allow the hack of your system

An information disclosure issue in Linux Kernel allows KASLR bypass could be potentially exploited in attacks in the wild.

An information disclosure flaw in the Linux kernel, tracked as CVE-2020-28588, could allow attackers to bypass the Kernel Address Space Layout Randomization bypass (KASLR).

The Kernel Address space layout randomization (KASLR) is a computer security technique designed to prevent the exploitation of memory-corruption vulnerabilities.

The flaw exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, it can be triggered to expose data in the kernel stack memory of vulnerable devices.

Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.  

The vulnerability was discovered by Cisco Talos researchers it stems from an improper conversion between numeric types when reading the file.

“TALOS-2020-1211 (CVE-2020-28588) is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory . We first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel.” reads the advisory published by Cisco Talos. “An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file  — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.”

An attacker could exploit the issue by reading the /proc/<pid>/syscall file, Talos researchers highlighs that it is impossible to detect on a network remotely. 

Experts explained that where unsigned long is 4 bytes, only the first 24 bytes of the args argument are written to, leaving the remaining 24 bytes untouched. The 24 bytes of uninitialized stack memory end up getting output, which could lead to a KASLR bypass.

“An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file  — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.” continues the advisory.

“This file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,” explained the firm. “The values of all six argument registers are exposed, although most system call use fewer registers.”

Talos also provided the commands to trigger this memory issue:

• # echo 0 > /proc/sys/kernel/randomize_va_space (# only needed for a cleaner output)
• $ while true; do cat /proc/self/syscall; done | uniq (# waits for changes)
• $ while true; do free &>/dev/null; done (# triggers changes)

Users are recommended to update their products to the Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8 that address the flaw.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]