Linux Kernel “Dirty Pipe”
The Linux “Dirty Pipe” vulnerability was publicly disclosed on March 7, 2022. Dirty Pipe allows an unprivileged user to overwrite data in read-only files and escalate privilege, creating an opportunity to take full control of a system. At the time of disclosure, the Azure Sphere OS was running Linux kernel 5.10.70, which was known to be vulnerable to Dirty Pipe. We updated to 5.10.103, which incorporated a fix, and we released Azure Sphere OS 22.04 to our retail evaluation on March 28, 2022. We released the OS update to the full retail channel on April 11, 2022. In under three weeks we had integrated a Linux kernel upgrade, tested it to our standards of quality and security, and begun deploying it to customers.
The Dirty Pipe vulnerability isn’t the first time that the Azure Sphere OS has had to patch a Linux kernel-related vulnerability, or a vulnerability on the platform. Vulnerabilities are an unavoidable part of advanced software systems. Our approach to security is rooted in zero trust and is focused on regaining trust through updates. To regain trust after simple attacks, Azure Sphere resets a compromised device into a known good condition running only signed code; for more complex attacks, it allows an over-the-air update to bring a system into a new form that can be trusted again. Azure Sphere can limit the impact within the device and to the larger organization by reducing the access scope of potentially compromised devices, since all devices have unique certificate-based password-less authentication and don’t share credentials.
Throughout our product journey we’ve worked hard to retain trust and re-establish trust through OS security work. In many cases, we are able to release updates before vulnerabilities are disclosed:
FragAttacks
Last year, researchers reported vulnerabilities that affected most WiFi devices, called FragAttacks. These vulnerabilities were made public on May 11, 2021. Our Azure Sphere MediaTek MT3620 is a chip with built-in WiFi, and some of our customers came to us and asked if Azure Sphere was vulnerable. We were happy to report that our partner, MediaTek, had provided us with updated firmware that addressed these vulnerabilities and that we had issued that new firmware to Azure Sphere devices in our 21.04 OS release in April 2021. By the time people were learning about the research from public coverage, Azure Sphere devices were already patched and safe from exploits being designed around the vulnerability.
Linux Kernel Zero-Days & Azure Sphere OS CVEs
To date, we’ve partnered with researchers to issue 30 CVEs against the Azure Sphere OS since it became a publicly available product in February 2020. Several, including CVE-2020-16982, involved our open-source dependencies; for example, research on the Azure Sphere OS uncovered zero-day vulnerabilities in the Linux kernel. At the time CVE-2020-16982 was issued and publicly documented, patched code had been running in the Azure Sphere OS for months, and the Linux kernel team had incorporated fixes upstream for some time.
When vulnerabilities go public before the fix
Dirty Pipe is a good example of the potential for software vulnerabilities to be made public before a product is updated. Even though we work with researchers and the open-source community in an effort to fix issues before they are publicized, it isn’t always possible, and there are often good reasons to publish something early, especially if it’s being exploited in the wild. One of Azure Sphere’s core benefits is that Microsoft takes responsibility for staying on top of OS security issues, and Dirty Pipe is a recent example of how our team responds to a publicly known vulnerability.
In Azure Sphere, application domains are separated into filesystems with fixed user identities. Exploiting Dirty Pipe in this context provides substantially less control, but it does provide a foundation for probing the Azure Sphere OS and potentially finding and exploiting Azure Sphere-specific vulnerabilities that could lead to further security compromises. While this exploit was less severe on Azure Sphere out of the box than on other Linux systems, it is no less concerning to have an active security vulnerability on our platform, and we were eager to patch the issue.
Our security promise
Keeping a system up to date and secure isn’t a trivial task. Hopefully these incidents help you see the work the Azure Sphere OS team devotes to security and why this is such an integral part of our value proposition. When we at Microsoft focus on platform fundamentals, it frees you to focus on the differentiated value you can produce in IoT.