Multiple vulnerabilities in Microsoft Azure Sphere
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | N/A |
| CWE-ID | CWE-682 CWE-908 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Azure Sphere Server applications / SCADA systems |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Incorrect calculation
EUVDB-ID: #VU47395
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-682 - Incorrect Calculation
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect calculation issue in the Littlefs Quota functionality. A local user can cause a quota bypass and reboot, resulting in denial of service condition.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAzure Sphere: 20.06
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1129
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use of uninitialized resource
EUVDB-ID: #VU47398
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to bypass certain security restrictions.
The vulnerability exists due to usage of uninitialized resources in the Littlefs filesystem functionality. A local attacker can use a specially crafted set of syscalls, trigger uninitialized usage of resources and gain access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAzure Sphere: 20.06
External linkshttp://www.talosintelligence.com/vulnerability_reports/TALOS-2020-1130
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
