CVE-2018-8479 — Azure IoT SDK Spoofing Vulnerability
Executive Summary
A spoofing vulnerability exists for the Azure IoT Device Provisioning for the C SDK library using the HTTP protocol on Windows platform. An attacker who successfully exploited this vulnerability could impersonate a server used during the provisioning process. To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MitM) attack on the network that provisioning was taking place. This security update addresses the vulnerability by correcting how the HTTP transport library validates certificates. This vulnerability does NOT impact other Azure IoT SDK’s such as Java/Node/C#, does NOT impact the C SDK when running on Linux or embedded OS’s, and only impacts when using the HTTP transport and NOT MQTT or AMQP
Overview
EPSS Score
No EPSS score available for this CVE.
View on FIRST.orgAffected Products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| C SDK for Azure IoT | Release Notes (Security Update) |
Important | Spoofing | Maybe |
Patches
| Article | Type | Restart |
|---|---|---|
Release Notes |
Security Update | Maybe |
Known Exploits
Acknowledgments
None