Azure Sphere Denial of Service Vulnerability
Description
Azure Sphere Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in Azure Sphere’s Littlefs quota allows a local attacker to bypass storage limits and trigger a system reboot.
Vulnerability
A denial of service vulnerability exists in the Littlefs Quota functionality of Microsoft Azure Sphere 20.06. The bug is an incorrect calculation (CWE-682) in the quota enforcement code for mutable storage. Applications that declare MutableStorage in their manifest are affected; read-only asxipfs storage is not vulnerable. The vulnerability is triggered via a specially crafted set of syscalls that bypass the defined storage quota [1].
Exploitation
An attacker needs local access to the Azure Sphere device and the ability to call syscalls from a high-level application. No authentication or user interaction is required beyond deploying a malicious application with mutable storage enabled. The exploit sends a sequence of crafted syscalls to exhaust or manipulate the quota calculations, causing a denial of service condition that forces a system reboot [1].
Impact
Successful exploitation allows an attacker to cause a denial of service by rebooting the device. This impacts the availability of the IoT application running on Azure Sphere. The CVSS score of 9.0 indicates high impact on integrity and availability, with no impact on confidentiality. The scope is changed (S:C), meaning the attacker can affect resources beyond their own [1].
Mitigation
Microsoft had not released a public fix at the time of the advisory (November 2020). Users should apply any security updates from Microsoft Azure Sphere when they become available. The advisory [1] confirms the vulnerability in version 20.06; no workaround is documented. Check for updates on the Azure Sphere product page.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:azure_sphere:*:*:*:*:*:*:*:* (range: 20.00)
- (no CPE)
Patches
No patches discovered yet.
References
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16986 (mitre, x_refsource_MISC)
- www.talosintelligence.com/vulnerability_reports/TALOS-2020-1129 (mitre, x_refsource_MISC)