Memory corruption in Hub Device Client SDK for Azure IoT - CVE-2018-8531
Published: October 9, 2018 / Updated: October 10, 2018
Vulnerability identifier: #VU15278
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2018-8531
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Hub Device Client SDK for Azure IoT
Hub Device Client SDK for Azure IoT
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when Azure IoT Hub Device Client SDK using MQTT protocol accesses objects in memory. A remote unauthenticated attacker can trick users into taking action, typically via an enticement in email or instant message, or by getting them to open an email attachment to trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
How to mitigate CVE-2018-8531
Install updates from vendor's website.