#VU12494 Improper certificate validation in Microsoft products - CVE-2018-8119

Cybersecurity Help s.r.o.

Published: 2018-05-08 | Updated: 2018-05-08

Vulnerability identifier: #VU12494

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-8119

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
C# SDK for Azure IoT
Universal components / Libraries / Software for developers
C SDK for Azure IoT
Universal components / Libraries / Software for developers
Java SDK for Azure IoT
Universal components / Libraries / Software for developers

Vendor: Microsoft

Description
The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper certificate validation over the AMQP protocol in the Azure IoT Device Provisioning AMQP Transport library. A remote attacker can perform a man-in-the-middle (MitM) attack during provisioning process.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

C# SDK for Azure IoT: All versions

C SDK for Azure IoT: All versions

Java SDK for Azure IoT: All versions

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8119

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Spoofing attack in Azure IoT SDK