CVE-2018-8119 — Azure IoT SDK Spoofing Vulnerability
Executive Summary
A spoofing vulnerability exists for the C# and Java SDKs in the Azure IoT Device Provisioning AMQP Transport library which improperly validates certificates over the AMQP protocol. The same vulnerability exists for the C SDK in the Azure IoT Device library running on Windows devices. An attacker who successfully exploited this vulnerability could impersonate a server used during the provisioning process. To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MitM) attack on the network that provisioning was taking place. This security update addresses the vulnerability by correcting how the AMQP Transport library validates certificates.
Overview
EPSS Score
No EPSS score available for this CVE.
View on FIRST.orgAffected Products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| C SDK for Azure IoT | Release Notes (Security Update) |
Important | Spoofing | Yes |
| C# SDK for Azure IoT | Release Notes (Security Update) |
Important | Spoofing | Yes |
| Java SDK for Azure IoT | Release Notes (Security Update) |
Important | Spoofing | Yes |
Patches
| Article | Type | Restart |
|---|---|---|
Release Notes |
Security Update | Yes |
Known Exploits
Acknowledgments
Cristian Pop of Azure IoT
Rajeev Vokkarne of Azure IoT
John Spaith of Azure IoT
Tim Taylor of Azure IoT