Azure Sphere 20.08 Security Updates

Published Aug 24 2020 09:00 AM
Microsoft

In our continued effort to increase the baseline security of Azure Sphere, we have now released the Azure Sphere 20.08 quality release, which brings a number of security enhancements to the platform. As before during our Azure Sphere Security Research Challenge, Cisco Talos continues to find more vulnerabilities, and we have shipped the final patch for the attack chain that McAfee ATR used. We also found an interesting issue during the Linux kernel 5.4 upgrade that I cover below.

 

First of all, our list of security enhancements and fixes:

  • We now properly limit the Linux application capability bounding set instead of leaving every bit set, so an application cannot regain capabilities it was never granted, even across an exec.
  • We now set PR_SET_NO_NEW_PRIVS (via prctl) on new applications; once set it cannot be cleared, and an execve can no longer grant the process privileges it did not already have.
  • To further limit the impact of a compromised process, symlinks are disabled on most of the tmpfs mounts in the system.
  • As the final patch for the McAfee privilege escalation, azcore now has its capability bits set correctly, so it no longer carries permissions it does not need.
  • wolfSSL carries a patch for crashes in ASN.1 parsing found by fuzzing.
  • TrapaSecurity has been using Unicorn to test parts of the system that are not normally reachable. One of the secure world calls they tested failed to validate its offset when writing to flash; this has been corrected. The code is not reachable from a normal user application and would require a kernel bug or control of the AzureD daemon.

Cisco Talos has stayed busy identifying more issues in the system:

  • They found another unsigned code execution bypass via /proc/self/task/<tid>/maps, which was overlooked when /proc/self/maps was made read-only (each thread's maps file is a separate procfs entry and must be restricted as well).
  • Cisco Talos used an attack chain similar to the one McAfee ATR found in 20.06. One difference, now patched, was duplicating UIDs in the uid_map file to gain access to other users' resources.
  • The kernel personality flag READ_IMPLIES_EXEC makes every readable mapping executable and can be used to bypass some of the memory protections; setting it is now disabled.
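The three process-level mechanisms named in the two lists above (the capability bounding set, PR_SET_NO_NEW_PRIVS, and the READ_IMPLIES_EXEC personality flag) are ordinary Linux APIs, so the following added example shows what applying them to a process looks like. This is illustrative code written for this page, not Azure Sphere OS code; it assumes Linux with glibc, and the allow-list of one capability in harden_self() is a hypothetical choice for illustration. Dropping bounding-set bits requires CAP_SETPCAP, so the example reports when the kernel refuses rather than failing; the other two settings work for an unprivileged process.

```c
// Added example (not Azure Sphere code): self-hardening with the Linux
// mechanisms described above. Linux/glibc only.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/personality.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Is no_new_privs set on the calling thread? Returns 1 or 0, -1 on error. */
int no_new_privs_is_set(void) {
    return (int)prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Is READ_IMPLIES_EXEC set in this process's personality? 1/0, -1 on error. */
int read_implies_exec_is_set(void) {
    int p = personality(0xffffffff);   /* 0xffffffff queries without changing */
    if (p == -1) return -1;
    return (p & READ_IMPLIES_EXEC) ? 1 : 0;
}

/* Count the capabilities still present in the bounding set. */
int bounding_set_count(void) {
    int count = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        /* r == -1/EINVAL means the running kernel does not know this cap; skip it */
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) == 1) count++;
    }
    return count;
}

/* Drop every capability from the bounding set except those in keep[].
 * Returns the number dropped, or -1 if the kernel refused (no CAP_SETPCAP). */
int drop_bounding_set(const int *keep, int nkeep) {
    int dropped = 0;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        int keep_it = 0;
        for (int i = 0; i < nkeep; i++) if (keep[i] == cap) keep_it = 1;
        if (keep_it) continue;
        if (prctl(PR_CAPBSET_READ, cap, 0, 0, 0) != 1) continue; /* absent or unknown */
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0) dropped++;
        else if (errno == EPERM) return -1;
    }
    return dropped;
}

/* Clear READ_IMPLIES_EXEC from the personality. 0 on success, -1 on error. */
int clear_read_implies_exec(void) {
    int p = personality(0xffffffff);
    if (p == -1) return -1;
    if (!(p & READ_IMPLIES_EXEC)) return 0;
    return personality((unsigned long)(p & ~READ_IMPLIES_EXEC)) == -1 ? -1 : 0;
}

/* Apply the hardening in launcher order: trim the bounding set (privileged),
 * clear the dangerous personality flag, then lock the process with
 * no_new_privs. Returns 0 if the process ends up in the expected state. */
int harden_self(void) {
    int caps_keep[] = { CAP_NET_BIND_SERVICE };   /* hypothetical allow-list */
    int dropped = drop_bounding_set(caps_keep, 1);
    if (dropped < 0) fprintf(stderr, "bounding set: no CAP_SETPCAP, left unchanged\n");
    if (clear_read_implies_exec() != 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return (no_new_privs_is_set() == 1 && read_implies_exec_is_set() == 0) ? 0 : -1;
}

int main(void) {
    printf("bounding set before: %d caps\n", bounding_set_count());
    int rc = harden_self();
    printf("harden_self=%d no_new_privs=%d read_implies_exec=%d bounding set now: %d caps\n",
           rc, no_new_privs_is_set(), read_implies_exec_is_set(), bounding_set_count());
    return rc == 0 ? 0 : 1;
}
```

Run it as an unprivileged user and the bounding-set count stays unchanged with a message on stderr; run it with CAP_SETPCAP (for example as root) and the count after harden_self() drops to one. The ordering matters in a real launcher: bounding-set drops and the personality change go before PR_SET_NO_NEW_PRIVS, and all three go before the execve of the application, since no_new_privs is inherited and cannot be undone by the child.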

Our 20.08 release moves the Linux kernel to version 5.4.54. During the upgrade we discovered that a key difference between the v4.9 and v5.4 kernels is how the random data pool is initialized and used. The 5.4 kernel brought optimizations for how the random pool is initialized and consumed during boot, before any driver for the hardware random number generator (hwrng) has loaded. On a typical PC this is rarely a problem, because the CPU itself exposes a hardware RNG the kernel can mix in during early boot. On the Azure Sphere platform, however, it created a very small window before the Pluton driver initialized in which the pool was partially deterministic. Code has been added to secure world to pass a chunk of random data from the Pluton hwrng into the Linux kernel at initialization, seeding the pool with true randomness from boot until the Pluton driver is up. With this patch the kernel has fully random data for the whole boot process, even before the driver initializes.

 

We strive to keep all Azure Sphere devices in the field secure and to keep improving their security even when unexpected security issues surface. Holding the security guarantees on Azure Sphere requires multiple companies to work together and help each other when design flaws are found. Last month this involved Microsoft alerting the Linux kernel team to a flaw in the ioctl handling of flash devices. Recently wolfSSL disclosed several vulnerabilities, one of which directly affects TLS 1.3 client communications, which Azure Sphere uses. wolfSSL helped us keep our security promises for TLS by alerting us to the potential MITM attack, along with a patch, prior to public disclosure, allowing us to get it into this release.

 

Thank you to the teams and researchers who help us increase the security of the platform and make attacking it more difficult. As head of the OSP Security team, I will continue to post as new security-related enhancements are made to the Azure Sphere platform.

 

Jewell Seay
Azure Sphere OSP Security Lead

Version history
Last update: Aug 21 2020 04:24 PM