Lucene search

K
mscveMicrosoftMS:CVE-2018-8119
HistoryMay 08, 2018 - 7:00 a.m.

Azure IoT SDK Spoofing Vulnerability

2018-05-0807:00:00
Microsoft
msrc.microsoft.com
10

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

5.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS

0.001

Percentile

44.0%

A spoofing vulnerability exists for the C# and Java SDKs in the Azure IoT Device Provisioning AMQP Transport library which improperly validates certificates over the AMQP protocol. The same vulnerability exists for the C SDK in the Azure IoT Device library running on Windows devices. An attacker who successfully exploited this vulnerability could impersonate a server used during the provisioning process.

To exploit this vulnerability, an attacker would need to perform a man-in-the-middle (MitM) attack on the network that provisioning was taking place.

This security update addresses the vulnerability by correcting how the AMQP Transport library validates certificates.

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

5.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS

0.001

Percentile

44.0%