CVE-2024-25110
Azure IoT Platform Device SDK Remote Code Execution Vulnerability
In short
A memory allocation failure inside the uAMQP component of the Azure IoT Platform Device SDK can turn into a use-after-free while a client is negotiating an AMQP 1.0 connection; a remote, unauthenticated attacker can exploit it to execute arbitrary code on the affected device.
Technical detail
Classified here as CWE-94 (Improper Control of Generation of Code), although the defect described is a use-after-free (CWE-416): when a memory allocation fails inside open_get_offered_capabilities, the function that reads the offered-capabilities field of an AMQP 1.0 open frame during connection negotiation, memory that has already been freed is used afterwards. A remote attacker needs neither authentication nor user interaction (CVSS PR:N, UI:N) to trigger the condition and reach code execution on the affected client device. There is no known workaround; the fix is to update the uAMQP submodule (azure-uamqp-c) to commit 30865c9c or a later commit that contains it. In an Azure IoT Platform Device SDK checkout, verify the commit the uAMQP submodule is pinned to rather than relying on the SDK version number alone, because the fix lives in the submodule.
Summary generated and translated by AI from the official description.
uAMQP is a general-purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail, causing a use-after-free issue, and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability.
CVSS v3.1 base score 9.8 (Critical): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low attack complexity, no privileges or user interaction required, high confidentiality, integrity and availability impact).
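To make the failure mode above concrete, here is an added illustration in C, written for this page and not taken from uAMQP or the Azure SDK: a getter that copies a peer's offered capabilities, first in a form that releases its partial list when an allocation fails but leaves the caller holding a dangling pointer (so the caller's own release is a use-after-free), then in a hardened form that publishes the list only on complete success. The fault-injecting allocator, the sample capability strings and every function name here are hypothetical; the real open_get_offered_capabilities is not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fault-injection hook: the N-th allocation returns NULL
 * (0 disables injection), standing in for the real out-of-memory case. */
static int g_fail_on_alloc = 0, g_alloc_count = 0;

static void *fallible_malloc(size_t n) {
    g_alloc_count++;
    if (g_fail_on_alloc != 0 && g_alloc_count == g_fail_on_alloc)
        return NULL;
    return malloc(n);
}

typedef struct { char **items; size_t count; } capability_list;

/* Caller-side release; must be safe on an empty list and after a failed fill. */
static void capability_list_free(capability_list *list) {
    for (size_t i = 0; i < list->count; i++)
        free(list->items[i]);
    free(list->items);
    list->items = NULL;
    list->count = 0;
}

static char *dup_string(const char *s) {
    size_t len = strlen(s) + 1;
    char *copy = fallible_malloc(len);
    if (copy != NULL)
        memcpy(copy, s, len);
    return copy;
}

/* Buggy pattern: a mid-loop allocation failure tears down the partial list but
 * leaves out->items pointing at the freed array with out->count still non-zero. */
static int get_offered_capabilities_buggy(const char *const *peer_caps, size_t n,
                                          capability_list *out) {
    out->count = 0;
    out->items = fallible_malloc(n * sizeof *out->items);
    if (out->items == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        out->items[i] = dup_string(peer_caps[i]);
        if (out->items[i] == NULL) {
            for (size_t j = 0; j < i; j++)
                free(out->items[j]);
            free(out->items); /* out->items now dangles and out->count == i */
            return -1;
        }
        out->count = i + 1;
    }
    return 0;
}

/* Hardened pattern: build into locals and publish to *out only on full success,
 * so a failed call leaves *out empty and a later release is a harmless no-op. */
static int get_offered_capabilities_fixed(const char *const *peer_caps, size_t n,
                                          capability_list *out) {
    out->items = NULL; out->count = 0;
    char **items = fallible_malloc(n * sizeof *items);
    if (items == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        items[i] = dup_string(peer_caps[i]);
        if (items[i] == NULL) {
            for (size_t j = 0; j < i; j++)
                free(items[j]);
            free(items);
            return -1; /* *out is still {NULL, 0} */
        }
    }
    out->items = items;
    out->count = n;
    return 0;
}

typedef int (*caps_getter)(const char *const *, size_t, capability_list *);

/* Stand-in for a client handling a peer's open frame: copy the offered
 * capabilities, then release the list on every path. fail_on selects which
 * allocation (1-based) fails, 0 for none. Returns the number of capabilities
 * copied, or -1 when the getter reported failure. */
static int handle_peer_open(caps_getter getter, int fail_on) {
    /* Constructed sample input standing in for a peer's offered-capabilities field. */
    const char *const peer_caps[] = { "ANONYMOUS-RELAY", "SHARED-SUBS" };
    size_t n = sizeof peer_caps / sizeof peer_caps[0];
    capability_list caps = { NULL, 0 };
    g_alloc_count = 0; g_fail_on_alloc = fail_on;
    int rc = getter(peer_caps, n, &caps);
    g_fail_on_alloc = 0;
    int result = (rc == 0) ? (int)caps.count : -1;
    capability_list_free(&caps); /* with the buggy getter after a failure: double free */
    return result;
}

int main(void) {
    printf("fixed, no fault:        %d\n", handle_peer_open(get_offered_capabilities_fixed, 0));
    printf("fixed, 3rd alloc fails: %d\n", handle_peer_open(get_offered_capabilities_fixed, 3));
    printf("buggy, no fault:        %d\n", handle_peer_open(get_offered_capabilities_buggy, 0));
    /* handle_peer_open(get_offered_capabilities_buggy, 3) is deliberately not run:
     * that call is the double free and its behaviour is undefined. */
    return 0;
}
```

Build with -fsanitize=address and call the buggy getter under fault injection (fail_on set to 3) to see the double free reported; the hardened getter under the same injection returns -1 and leaves the list empty, so the caller's release is safe. A malloc wrapper that fails on the N-th call is also the cheapest way to exercise the error paths this advisory is about in your own AMQP parsing code, where an out-of-memory path is rarely hit by ordinary testing.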
Affected products
Azure · azure-uamqp-c (consumed as a git submodule by the Azure IoT Platform Device SDK)