Linux kernel vulnerability exposes stack memory, causes data leaks
An information disclosure vulnerability in the Linux kernel can be exploited to leak data and act as a springboard for further compromise.
Disclosed by Cisco Talos researchers on Tuesday, the bug is described as an information disclosure vulnerability “that could allow an attacker to view Kernel stack memory.”
The kernel is a key component of the open source Linux operating system. The vulnerability, tracked as CVE-2020-28588, was found in the /proc/pid/syscall functionality of 32-bit ARM devices running the OS.
According to Cisco, the issue was first found in a device running on Azure Sphere. Attackers seeking to exploit the security flaw could read the /proc/pid/syscall file through procfs, the pseudo-filesystem that exposes kernel data structures to user space.
The /syscall procfs entry could be abused if attackers launch commands to output 24 bytes of uninitialized stack memory, leading to a bypass of Kernel Address Space Layout Randomization (KASLR).
The researchers say this attack is “impossible to detect on a network remotely” as it is a legitimate Linux operating system file being read.
“If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities,” Cisco added.
Linux kernel versions 5.10-rc4, 5.4.66, and 5.9.8 are impacted and a patch was merged on December 3 to tackle the bug. Users are urged to update their builds to later versions.
In related news this month, the Linux Foundation has banned University of Minnesota (UMN) developers from submitting work to the Linux kernel after a pair of graduate students were caught deliberately submitting buggy patches to the project.
Submitted for the purposes of a research paper, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” the incident did result in a swift apology from UMN — but forgiveness for the act, considered as made in ‘bad faith,’ is far from assured.
The paper was due to be presented at the 42nd IEEE Symposium on Security and Privacy but has since been withdrawn.