What can an attacker do with this vulnerability?
An elevation of privilege vulnerability exists in the way Azure CLI and the Azure IoT CLI extension generate new symmetric keys for encryption, allowing an attacker to predict the randomness of the key. An attacker could derive the keys from the way they are generated and use them to access a user's IoT hub.

How do I know if I need to install the update?
This update addresses the vulnerability by randomizing the key generation within the Azure IoT CLI extension.
https://github.com/Azure/azure-iot-cli-extension/pull/279/files
https://docs.microsoft.com/en-us/cli/azure/release-notes-azure-cli?tabs=azure-cli#december-29-2020

Which versions are affected?
IoT extension versions affected are 0.10.2 – 0.10.6.
All versions before 2.17.0 in Azure CLI are affected.
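As an added example (not part of the advisory or of the Azure CLI project), the following script checks an installation against the affected ranges stated above. It assumes the JSON printed by `az version` carries an "azure-cli" key and an "extensions" map keyed by extension name ("azure-iot"); the sample output below is constructed.

```python
import json

# Affected ranges as stated in the advisory:
# IoT extension 0.10.2 - 0.10.6 (inclusive), Azure CLI before 2.17.0.
AFFECTED_EXT_MIN = (0, 10, 2)
AFFECTED_EXT_MAX = (0, 10, 6)
FIXED_CLI = (2, 17, 0)


def parse_version(text):
    """Turn '2.16.0' into (2, 16, 0); non-numeric suffixes such as 'rc1' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def ext_affected(ext_version):
    return AFFECTED_EXT_MIN <= parse_version(ext_version) <= AFFECTED_EXT_MAX


def cli_affected(cli_version):
    return parse_version(cli_version) < FIXED_CLI


def assess(az_version_json):
    """Return a list of findings for the JSON emitted by `az version` (assumed layout)."""
    data = json.loads(az_version_json)
    findings = []
    cli = data.get("azure-cli")
    if cli and cli_affected(cli):
        findings.append(f"azure-cli {cli} is before 2.17.0: upgrade")
    ext = data.get("extensions", {}).get("azure-iot")
    if ext and ext_affected(ext):
        # Keys created by an affected extension were predictable, so upgrading alone
        # is not enough: rotate the IoT hub symmetric keys it generated.
        findings.append(f"azure-iot extension {ext} is in 0.10.2-0.10.6: upgrade and rotate keys it generated")
    return findings


# Constructed sample, shaped like `az version` output, for a vulnerable installation.
SAMPLE = json.dumps({"azure-cli": "2.16.0", "extensions": {"azure-iot": "0.10.5"}})

if __name__ == "__main__":
    for line in assess(SAMPLE):
        print(line)
```

Pipe the real output in with `az version | python3 check.py` after replacing `SAMPLE` with `sys.stdin.read()`.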
Cristian Pop of Azure IoT