Important 2018-09 archive

Executive Summary

A spoofing vulnerability exists for the Azure IoT Device Provisioning for the C SDK library using the HTTP protocol on Windows platform. An attacker who successfully exploited this vulnerability could impersonate a server used during the provisioning process. To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MitM) attack on the network that provisioning was taking place. This security update addresses the vulnerability by correcting how the HTTP transport library validates certificates. This vulnerability does NOT impact other Azure IoT SDK’s such as Java/Node/C#, does NOT impact the C SDK when running on Linux or embedded OS’s, and only impacts when using the HTTP transport and NOT MQTT or AMQP

Overview

Important
MS Severity
Not Exploited
MS Exploit Status
Not Found
MS Exploit Likelihood
Category Spoofing
Released Sep 11 2018
Last Updated Sep 11 2018
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

1 affected product
Product KB Article Severity Impact Restart Required
C SDK for Azure IoT Release Notes (Security Update) Important Spoofing Maybe

Patches

1 patch
Article Type Restart
Release Notes Security Update Maybe

Known Exploits

Acknowledgments

None