Impact
The azure-c-shared-utility is a C library for AMQP/MQTT communication to Azure Cloud Services. This library may be used by the Azure IoT C SDK for communication between IoT Hub and IoT Hub devices.
An attacker can cause an integer wraparound, an under-allocation, or a heap buffer overflow due to weaknesses in the parameter checking mechanism, by supplying a malformed buffer length parameter to the Azure C SDK, which may lead to remote code execution.
Requirements for RCE:
- A compromised Azure account allowing malformed payloads to be sent to the device via the IoT Hub service
- Bypassing the IoT Hub service's maximum message payload limit of 128KB
- The ability to overwrite code space with remote code
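As an added illustration (not code from this advisory or from azure-c-shared-utility), the length-check pattern behind this bug class in C: a size computation that wraps when the peer-supplied length is large, beside a checked version that rejects wraparound and enforces a policy cap. The frame layout, function names and `max_payload` parameter are hypothetical; the 128KB cap stands in for the IoT Hub payload limit mentioned above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame layout: a 4-byte header followed by `payload_len`
 * bytes of payload. Not the library's real structure. */
#define FRAME_HEADER_LEN 4u
#define MAX_PAYLOAD_LEN (128u * 1024u)   /* stands in for the IoT Hub 128KB limit */

/* The pattern the advisory describes: the length arrives from the peer and the
 * allocation size is computed without a wraparound check. A huge payload_len
 * wraps the sum to a tiny value, so the buffer is under-allocated and the
 * later memcpy of payload_len bytes overruns the heap. */
static bool frame_size_unchecked(size_t payload_len, size_t *out_total)
{
    *out_total = payload_len + FRAME_HEADER_LEN;  /* may wrap around */
    return true;
}

/* Hardened variant: reject lengths above the policy cap and any length whose
 * sum with the header would not fit in size_t. */
static bool frame_size_checked(size_t payload_len, size_t max_payload,
                               size_t *out_total)
{
    if (payload_len > max_payload)
        return false;                              /* policy limit */
    if (payload_len > SIZE_MAX - FRAME_HEADER_LEN)
        return false;                              /* would wrap */
    *out_total = payload_len + FRAME_HEADER_LEN;
    return true;
}

/* Allocate and fill a frame using the checked size; NULL on rejection or OOM.
 * Because the size is validated first, the memcpy below cannot overrun. */
unsigned char *build_frame(const unsigned char *payload, size_t payload_len)
{
    size_t total;
    if (!frame_size_checked(payload_len, MAX_PAYLOAD_LEN, &total))
        return NULL;
    unsigned char *frame = malloc(total);
    if (frame == NULL)
        return NULL;
    memset(frame, 0, FRAME_HEADER_LEN);            /* header bytes (constructed) */
    memcpy(frame + FRAME_HEADER_LEN, payload, payload_len);
    return frame;
}
```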
Patches
Fixed in commit 1129147
Workarounds
None