ID

VAR-201810-1439


CVE

CVE-2018-8531


TITLE

Hub Device Client SDK and Azure IoT Edge Remote Code Execution Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-013481

DESCRIPTION

A remote code execution vulnerability exists in the way that Azure IoT Hub Device Client SDK using MQTT protocol accesses objects in memory, aka "Azure IoT Device Client SDK Memory Corruption Vulnerability." This affects Hub Device Client SDK, Azure IoT Edge. Microsoft C SDK for Azure IoT is a C language based software development kit for developing Azure IoT (Internet of Things Platform) applications. An attacker could use this vulnerability to execute arbitrary code in the context of the currently logged-on user. A failed attack will result in a denial of service condition.

Trust: 2.97

sources: NVD: CVE-2018-8531 // JVNDB: JVNDB-2018-013481 // CNVD: CNVD-2018-21220 // CNNVD: CNNVD-201810-308 // BID: 105472

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2018-21220

AFFECTED PRODUCTS

vendor: microsoft, model: azure internet of things edge, scope: eq, version: -

Trust: 1.6

vendor: microsoft, model: csharp software development kit, scope: eq, version: *

Trust: 1.0

vendor: microsoft, model: hub device client sdk for azure iot, scope: eq, version: 0

Trust: 0.9

vendor: microsoft, model: azure iot edge, scope: eq, version: for 32-bit systems

Trust: 0.8

vendor: microsoft, model: c# sdk, scope: eq, version: for azure iot

Trust: 0.8

vendor: microsoft, model: csharp software development kit, scope: eq, version: azure_internet_of_things

Trust: 0.6

sources: CNVD: CNVD-2018-21220 // BID: 105472 // JVNDB: JVNDB-2018-013481 // CNNVD: CNNVD-201810-308 // NVD: CVE-2018-8531

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8531
value: HIGH

Trust: 1.0

NVD: CVE-2018-8531
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-21220
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201810-308
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2018-8531
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-21220
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-8531
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2018-21220 // JVNDB: JVNDB-2018-013481 // CNNVD: CNNVD-201810-308 // NVD: CVE-2018-8531

PROBLEMTYPE DATA

problemtype: CWE-787

Trust: 1.0

problemtype: CWE-119

Trust: 0.8

sources: JVNDB: JVNDB-2018-013481 // NVD: CVE-2018-8531

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-308

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201810-308

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-013481

PATCH

title: CVE-2018-8531 | Azure IoT Device Client SDK Memory Corruption Vulnerability
url: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8531

Trust: 0.8

title: CVE-2018-8531 | Azure IoT Device Client SDK のメモリ破損の脆弱性
url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-8531

Trust: 0.8

title: Patch for Microsoft Azure IoT Device Client SDK Remote Memory Corruption Vulnerability
url: https://www.cnvd.org.cn/patchInfo/show/142739

Trust: 0.6

title: Microsoft Azure IoT Edge and Hub Device Client SDK for Azure IoT Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85501

Trust: 0.6

sources: CNVD: CNVD-2018-21220 // JVNDB: JVNDB-2018-013481 // CNNVD: CNNVD-201810-308

EXTERNAL IDS

db: NVD, id: CVE-2018-8531

Trust: 3.3

db: BID, id: 105472

Trust: 2.5

db: JVNDB, id: JVNDB-2018-013481

Trust: 0.8

db: CNVD, id: CNVD-2018-21220

Trust: 0.6

db: CNNVD, id: CNNVD-201810-308

Trust: 0.6

sources: CNVD: CNVD-2018-21220 // BID: 105472 // JVNDB: JVNDB-2018-013481 // CNNVD: CNNVD-201810-308 // NVD: CVE-2018-8531

REFERENCES

url: http://www.securityfocus.com/bid/105472

Trust: 2.2

url: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-8531

Trust: 1.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8531

Trust: 1.4

url: https://www.ipa.go.jp/security/ciadr/vul/20181010-ms.html

Trust: 0.8

url: http://www.jpcert.or.jp/at/2018/at180041.html

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-8531

Trust: 0.8

url: http://www.microsoft.com

Trust: 0.3

sources: CNVD: CNVD-2018-21220 // BID: 105472 // JVNDB: JVNDB-2018-013481 // CNNVD: CNNVD-201810-308 // NVD: CVE-2018-8531

CREDITS

Cristian Pop of Azure IoT.

Trust: 0.9

sources: BID: 105472 // CNNVD: CNNVD-201810-308

SOURCES

db: CNVD, id: CNVD-2018-21220
db: BID, id: 105472
db: JVNDB, id: JVNDB-2018-013481
db: CNNVD, id: CNNVD-201810-308
db: NVD, id: CVE-2018-8531

LAST UPDATE DATE

2024-11-23T22:17:16.672000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-21220, date: 2018-10-18T00:00:00
db: BID, id: 105472, date: 2018-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-013481, date: 2019-02-21T00:00:00
db: CNNVD, id: CNNVD-201810-308, date: 2020-10-22T00:00:00
db: NVD, id: CVE-2018-8531, date: 2024-11-21T04:13:59.840

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2018-21220, date: 2018-10-18T00:00:00
db: BID, id: 105472, date: 2018-10-09T00:00:00
db: JVNDB, id: JVNDB-2018-013481, date: 2019-02-21T00:00:00
db: CNNVD, id: CNNVD-201810-308, date: 2018-10-10T00:00:00
db: NVD, id: CVE-2018-8531, date: 2018-10-10T13:29:06.243