|CERT-In Vulnerability Note
Azure IoT SDK Spoofing Vulnerability
Original Issue Date:May 16, 2018
Severity Rating: MEDIUM
- Microsoft C SDK for Azure IoT
- Microsoft C# SDK for Azure IoT
- Microsoft Java SDK for Azure IoT
A spoofing vulnerability exists in the AMQP Transport library component of Microsoft Azure IoT SDK which could allow an attacker to impersonate a server used during the provisioning process.
This vulnerability exists in the AMQP Transport library component of Microsoft Azure IoT SDK due to improper validation of cryptographic certificates over the AMQP protocol by the affected software while performing provisioning operations.
An attacker could exploit the vulnerability by performing a man-in-the-middle attack on the network during the provisioning process by sending a malicious request to the targeted system. Successful exploitation of this vulnerability could allow the attacker to impersonate a legitimate system and conduct further attacks.
- Restrict network access from untrusted sources.
- Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Apply updates as mentioned in
Microsoft Security Update Guide
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003