Description
Azure IoT CLI extension Elevation of Privilege Vulnerability
FAQ
What can an attacker do with this vulnerability?
An elevation of privilege vulnerability exists in the way Azure CLI and the Azure IoT CLI extension generate new symmetric keys for encryption, allowing an attacker to predict the key because the underlying randomness is predictable. An attacker could derive the keys from the way they are generated and use them to access a user's IoT hub.
How do I know if I need to install the update?
This update addresses the vulnerability by randomizing the key generation within the Azure IoT CLI extension.
https://github.com/Azure/azure-iot-cli-extension/pull/279/files
https://docs.microsoft.com/en-us/cli/azure/release-notes-azure-cli?tabs=azure-cli#december-29-2020
Which versions are affected?
IoT extension versions affected are 0.10.2 – 0.10.6. All versions before 2.17.0 of Azure CLI are affected.
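The root cause described above is a symmetric key produced from a non-cryptographic pseudo-random generator, so anyone who can guess the generator's state reproduces the key. The following added example (not code from the Azure IoT CLI extension or from the linked pull request) contrasts that weak pattern with a generator backed by the operating system's CSPRNG, and includes a check a reviewer can use to catch a deterministic generator in a unit test. The 32-byte key length and base64 encoding are assumptions chosen to resemble IoT Hub symmetric keys.

```python
import base64
import random
import secrets

KEY_BYTES = 32  # assumed key size; IoT Hub symmetric keys are base64 strings


def weak_generate_key(seed):
    """Constructed illustration of the vulnerable pattern.

    random.Random is a Mersenne Twister, not a CSPRNG. With a guessable
    seed (time, PID, a counter) every run yields the same key material.
    """
    rng = random.Random(seed)
    raw = bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))
    return base64.b64encode(raw).decode("ascii")


def generate_key():
    """Hardened generator: secrets.token_bytes reads from the OS CSPRNG."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def decode_key(key_b64):
    """Validate that a key is well-formed base64 of the expected length."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) != KEY_BYTES:
        raise ValueError("unexpected key length: %d bytes" % len(raw))
    return raw


def is_deterministic(generator, trials=5):
    """Regression check for key generators: a sound generator must never
    return the same key twice across independent calls. Returns True when
    every call produced an identical key (i.e. the generator is predictable).
    """
    keys = {generator() for _ in range(trials)}
    return len(keys) == 1


if __name__ == "__main__":
    # A fixed seed stands in for any seed an attacker could guess.
    print("weak key (seed 42):", weak_generate_key(42))
    print("weak generator deterministic:", is_deterministic(lambda: weak_generate_key(42)))
    print("CSPRNG key:", generate_key())
    print("CSPRNG generator deterministic:", is_deterministic(generate_key))
```

The `is_deterministic` check is deliberately simple: it cannot prove a generator is cryptographically strong, but it does fail loudly for the exact defect this advisory describes, where keys are reproducible from a fixed or guessable seed, and it is cheap enough to keep in a test suite alongside the key-generation code.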
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
7 High
CVSS3
Related vulnerabilities
Azure IoT CLI extension Elevation of Privilege Vulnerability
Azure IoT CLI extension Elevation of Privilege Vulnerability
A vulnerability in the Azure IoT platform command-line interface (CLI) that allows an attacker to elevate their privileges
EPSS
7 High
CVSS3