2 min read

Microsoft Patches Azure Sphere Vulnerabilities Found by Cisco

Silviu STAHIE

August 27, 2020

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Microsoft Patches Azure Sphere Vulnerabilities Found by Cisco
  • Azure Sphere affected by code execution and privilege escalation vulnerabilities
  • Microsoft already released an update for the platform

Security researchers have found multiple vulnerabilities in Microsoft’s Azure Sphere, an IoT platform for microcontroller unit (MCU) devices.

Researchers from Cisco Talos have identified four vulnerabilities affecting a cloud-connected and custom SoC platform that Microsoft built with IoT application security in mind. The issues were revealed through the Azure Sphere Security Research Challenge, an initiative that had already led to the discovery of another set of vulnerabilities.

The Microsoft Azure Sphere is comprised of a secured, connected, crossover microcontroller unit (MCU), a custom high-level Linux-based operating system (OS), and a cloud-based security service that provides continuous, renewable security.

Two of the vulnerabilities could lead to unsigned code execution. In one case (TALOS-2020-1128), a specially crafted shellcode can cause a process’ heap to become executable after having been writable. In the other (TALOS-2020-1138), a specially crafted shellcode can cause a process’ non-writable memory to be written to.

The two other vulnerabilities, involving privilege escalation (TALOS-2020-1133 and TALOS-2020-1137), could have allowed attackers to obtain elevated capabilities.

According to Talos, Microsoft is already aware of these problems, and it released the Azure Sphere 20.08 version to fix the issues. It’s a more significant update that also upgrades the Linux kernel to version 5.4.54. Talos also said Microsoft didn’t want to assign CVEs to the findings.

“As before during our Azure Sphere Security Research Challenge, Cisco Talos continues to find more vulnerabilities and we have the final patch for the attack chain that McAfee ATR used,” says Microsoft.

Talos tested and confirmed that TALOS-2020-1128, TALOS-2020-1133 and TALOS-2020-1137 affect Microsoft Azure Sphere, version 20.06. TALOS-2020-1138 affects version 20.07.

Fortunately, these kinds of vulnerabilities shouldn’t concern regular users directly, although Microsoft’s Azure Sphere is one of the main solutions used to secure consumers’ IoT devices. IoT security remains a huge problem in the industry, with most manufacturers ignoring post-launch support.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials
Silviu STAHIE

November 26, 2021

1 min read
Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group
Filip TRUȚĂ

November 26, 2021

1 min read
Couple arrested for secretly installing cryptomining software on department store PCs Couple arrested for secretly installing cryptomining software on department store PCs
Graham CLULEY

November 26, 2021

1 min read