Important 2018-05 archive

Executive Summary

A spoofing vulnerability exists for the C# and Java SDKs in the Azure IoT Device Provisioning AMQP Transport library which improperly validates certificates over the AMQP protocol. The same vulnerability exists for the C SDK in the Azure IoT Device library running on Windows devices. An attacker who successfully exploited this vulnerability could impersonate a server used during the provisioning process. To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MitM) attack on the network that provisioning was taking place. This security update addresses the vulnerability by correcting how the AMQP Transport library validates certificates.

Overview

Important
MS Severity
Not Exploited
MS Exploit Status
Exploitation Unlikely
MS Exploit Likelihood
Category Spoofing
Released May 8 2018
Last Updated May 8 2018
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

3 affected products
Product KB Article Severity Impact Restart Required
C SDK for Azure IoT Release Notes (Security Update) Important Spoofing Yes
C# SDK for Azure IoT Release Notes (Security Update) Important Spoofing Yes
Java SDK for Azure IoT Release Notes (Security Update) Important Spoofing Yes

Patches

1 patch
Article Type Restart
Release Notes Security Update Yes

Known Exploits

Acknowledgments

Cristian Pop of Azure IoT
Rajeev Vokkarne of Azure IoT
John Spaith of Azure IoT
Tim Taylor of Azure IoT