VYPR
Unrated severity · NVD Advisory · Published Nov 11, 2020 · Updated Sep 10, 2024

Azure Sphere Unsigned Code Execution Vulnerability

CVE-2020-16987

Description

Azure Sphere Unsigned Code Execution Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Azure Sphere 20.07 fails to enforce write-implies-no-execute, allowing an attacker to write shellcode to read-only memory via /proc/thread-self/mem for code execution.

Vulnerability

Azure Sphere 20.07 has an unsigned code execution flaw (CWE-284) in the Normal World's memory protection mechanism. The system enforces that writable pages cannot become executable, but after executing a read-only page, the kernel incorrectly permits writes to those pages via /proc/thread-self/mem. This allows an attacker to modify memory that was initially non-writable, bypassing the intended W^X policy. The vulnerability exists in all versions of Azure Sphere 20.07 and possibly earlier builds.

Exploitation

An attacker must have local, low-privilege code execution on the Azure Sphere device. The attack does not require authentication (AV:L/AC:L/PR:N). The attacker crafts shellcode that uses the /proc/thread-self/mem pseudo-file to write to a memory region that was previously executable but became non-writable. Even after mprotect sets a region to read-only (no write), the kernel still allows the process to write to that same region through /proc/thread-self/mem, violating the intended protection. The attacker then redirects execution to the modified region.

Impact

Successful exploitation yields arbitrary code execution with the privileges of the target process, potentially affecting high-level applications on the Azure Sphere SoC. Per the CVSS score (6.2, impacts only integrity), the attacker can compromise integrity (data or code modification) but not confidentiality or availability. The vulnerability does not allow the attacker to escape the Normal World sandbox or gain kernel-level privileges.

Mitigation

Microsoft released a security update on 2020-11-11 as part of the monthly Azure Sphere update; the fix is included in Azure Sphere version 20.09 and later. Users should update to a version after 20.07. No workaround is available if the device cannot be updated. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

[1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Microsoft/Azure Sphere (cpe-rescue, 2 versions)
    • cpe:2.3:a:microsoft:azure_sphere:*:*:*:*:*:*:*:* (range: 20.00)
    • (no CPE)

Patches

0

No patches discovered yet.

References

2
