CVE-2020-17002: Azure SDK for C Security Feature Bypass Vulnerability
Overview
- Severity: High (CVSS 7.4)
- CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
- Category: Security Feature Bypass
- Exploit Status: Not Exploited
- Exploitation Likelihood: Less Likely
- Patch Tuesday: 2020-Dec
- Released: 2020-12-08
- Last Updated: 2020-12-10
- EPSS Score: 6.19% (percentile: 90.9%)
Affected Products (18)
Developer Tools
- azure-c-shared-utility
- Azure-c-shared-utility Release LTS_07_2020_Ref02
- Azure-c-shared-utility Release LTS_02_2020_Ref02
- azure-umqtt-c
- azure-uhttp-c
- azure-utpm-c
- azure-uamqp-c Release LTS_07_2020_Ref02
- azure-umqtt-c Release LTS_07_2020_Ref02
- azure-uhttp-c Release LTS_07_2020_Ref02
- azure-utpm-c Release LTS_07_2020_Ref02
- azure-uamqp-c Release LTS_02_2020_Ref02
- azure-umqtt-c Release LTS_02_2020_Ref02
- azure-uhttp-c Release LTS_02_2020_Ref02
- azure-utpm-c Release LTS_02_2020_Ref02
- C SDK for Azure IoT Release LTS_07_2020_Ref02
- C SDK for Azure IoT Release LTS_02_2020_Ref02
- C SDK for Azure IoT
Azure
Security Updates (17)
Acknowledgments
Cristian Pop (https://github.com/CIPop) of Microsoft, Aapo Oksman, Nixu Cybersecurity, https://www.nixu.com/
Revision History
- 2020-12-08: Information published.
- 2020-12-10: In the Security Updates table, added the following: azure-c-shared-utility Release LTS_07_2020 and LTS_02_2020; C SDK for Azure IoT Release LTS_07_2020 and LTS_02_2020; all supported releases of the following protocol submodules: azure-uamqp-c, azure-umqtt-c, azure-uhttp-c, and azure-utpm-c. These releases all contain a security fix, addressed by CVE-2020-17002, affecting applications using c-utility in conjunction with OpenSSL or WolfSSL.