SB2019021319 - Multiple vulnerabilities in Azure IoT Java SDK

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019021319

SB2019021319 - Multiple vulnerabilities in Azure IoT Java SDK

Published: February 13, 2019

Security Bulletin ID SB2019021319
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Adjecent network
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2019-0741)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists in the way Azure IoT Java SDK logs sensitive information. A local user can gain unauthorized access to sensitive information and compromise the affected device.


2) Cryptographic issues (CVE-ID: CVE-2019-0729)

CWE-ID: CWE-310 - Cryptographic Issues

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to elevate privileges on the device.

The vulnerability exists due to Azure IoT Java SDK generates predictable symmetric keys for encryption. An attacker can derive the keys from the way they are generated and use them to access a user's IoT hub.

Remediation

Install update from vendor's website.

References