Microsoft Patches Azure Sphere Vulnerabilities Found by Cisco

  • Azure Sphere affected by code execution and privilege escalation vulnerabilities
  • Microsoft already released an update for the platform

Security researchers have found multiple vulnerabilities in Microsoft’s Azure Sphere, an IoT platform for microcontroller unit (MCU) devices.

Researchers from Cisco Talos have identified four vulnerabilities affecting the cloud-connected, custom SoC platform that Microsoft built with IoT application security in mind. The issues were revealed through the Azure Sphere Security Research Challenge, an initiative that had already led to the discovery of another set of vulnerabilities.

Microsoft Azure Sphere consists of a secured, connected, crossover microcontroller unit (MCU), a custom high-level Linux-based operating system (OS), and a cloud-based security service that provides continuous, renewable security.

Two of the vulnerabilities could lead to unsigned code execution. In one case (TALOS-2020-1128), specially crafted shellcode can cause a process's heap to become executable after having been writable. In the other (TALOS-2020-1138), specially crafted shellcode can cause a process's non-writable memory to be written to.

The two other vulnerabilities, involving privilege escalation (TALOS-2020-1133 and TALOS-2020-1137), could have allowed attackers to obtain elevated capabilities.

According to Talos, Microsoft is already aware of these problems and has released Azure Sphere version 20.08 to fix them. The release is a more significant update that also upgrades the Linux kernel to version 5.4.54. Talos also said Microsoft didn’t want to assign CVEs to the findings.

“As before during our Azure Sphere Security Research Challenge, Cisco Talos continues to find more vulnerabilities and we have the final patch for the attack chain that McAfee ATR used,” says Microsoft.

Talos tested and confirmed that TALOS-2020-1128, TALOS-2020-1133 and TALOS-2020-1137 affect Microsoft Azure Sphere version 20.06. TALOS-2020-1138 affects version 20.07.

Fortunately, these kinds of vulnerabilities shouldn’t concern regular users directly, although Microsoft’s Azure Sphere is one of the main solutions used to secure consumers’ IoT devices. IoT security remains a huge problem in the industry, with most manufacturers ignoring post-launch support.