U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

An issue in the Linux Kernel could allow the hack of your system

An information disclosure issue in Linux Kernel allows KASLR bypass could be potentially exploited in attacks in the wild. An information disclosure flaw in the Linux kernel, tracked as CVE-2020-28588, could allow attackers to bypass the Kernel Address Space Layout Randomization bypass (KASLR). The Kernel Address space layout randomization (KASLR) is a computer security technique designed to prevent […]

Linux Dirty Frag DirtyDecrypt PinTheft

An information disclosure issue in Linux Kernel allows KASLR bypass could be potentially exploited in attacks in the wild.

An information disclosure flaw in the Linux kernel, tracked as CVE-2020-28588, could allow attackers to bypass the Kernel Address Space Layout Randomization bypass (KASLR).

The Kernel Address space layout randomization (KASLR) is a computer security technique designed to prevent the exploitation of memory-corruption vulnerabilities.

The flaw exists in the /proc/pid/syscall functionality of 32-bit ARM devices running Linux, it can be triggered to expose data in the kernel stack memory of vulnerable devices.

Cisco Talos recently discovered an information disclosure vulnerability in the Linux Kernel.  

The vulnerability was discovered by Cisco Talos researchers it stems from an improper conversion between numeric types when reading the file.

TALOS-2020-1211 (CVE-2020-28588) is an information disclosure vulnerability that could allow an attacker to view Kernel stack memory . We first discovered this issue on an Azure Sphere device (version 20.10), a 32-bit ARM device that runs a patched Linux kernel.” reads the advisory published by Cisco Talos. “An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file  — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.”

An attacker could exploit the issue by reading the /proc/<pid>/syscall file, Talos researchers highlighs that it is impossible to detect on a network remotely. 

Experts explained that where unsigned long is 4 bytes, only the first 24 bytes of the args argument are written to, leaving the remaining 24 bytes untouched. The 24 bytes of uninitialized stack memory end up getting output, which could lead to a KASLR bypass.

“An attacker could exploit this vulnerability by reading /proc/<pid>/syscall, a legitimate Linux operating system file  — making it impossible to detect on a network remotely. If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities.” continues the advisory.

“This file exposes the system call number and argument registers for the system call currently being executed by the process, followed by the values of the stack pointer and program counter registers,” explained the firm. “The values of all six argument registers are exposed, although most system call use fewer registers.”

Talos also provided the commands to trigger this memory issue:

  • # echo 0 > /proc/sys/kernel/randomize_va_space (# only needed for a cleaner output)
  • $ while true; do cat /proc/self/syscall; done | uniq (# waits for changes)
  • $ while true; do free &>/dev/null; done (# triggers changes)

Users are recommended to update their products to the Linux Kernel versions 5.10-rc4, 5.4.66 and 5.9.8 that address the flaw.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]