F-Secure

#9210 of 53,622
Total CVSS: 29.7
Vulnerabilities: 4 (Medium: 1, High: 3)
PT-2021-22966
7.3
2021-11-22
Amazon Web Services · AWS IoT Device SDK v2 for Python · CVE-2021-40830
**Name of the Vulnerable Software and Affected Versions**

- AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix
- AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix
- AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix
- AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix
- Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix

**Description**

The issue arises from the AWS IoT Device SDK v2 appending a user-supplied Certificate Authority (CA) to the root CAs instead of overriding them on Unix systems. As a result, a TLS handshake succeeds if the peer can be verified against either the user-supplied CA or the system's default trust store. Attackers with access to a host's trust store, or who can compromise a certificate authority already in that trust store, may use this to bypass CA pinning, spoof the MQTT broker, and drop traffic or respond with attacker-controlled data. They cannot, however, forward this data to the real MQTT broker without the user's private keys.

**Recommendations**

- For AWS IoT Device SDK v2 for Java versions prior to 1.5.0, update to version 1.5.0 or later.
- For AWS IoT Device SDK v2 for Python versions prior to 1.6.1, update to version 1.6.1 or later.
- For AWS IoT Device SDK v2 for C++ versions prior to 1.12.7, update to version 1.12.7 or later.
- For AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3, update to version 1.5.3 or later.
- For Amazon Web Services AWS-C-IO 0.10.4, ensure the `aws_tls_ctx_options_override_default_trust_store_*` functions are updated so that they override the default trust store rather than appending to it.
PT-2021-22967
7.3
2021-11-22
Amazon Web Services · AWS IoT Device SDK v2 for Python · CVE-2021-40831
**Name of the Vulnerable Software and Affected Versions**

- AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS
- AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS
- AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS
- AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS
- Amazon Web Services AWS-C-IO 0.10.7 on macOS

**Description**

The AWS IoT Device SDK v2 for Java, Python, C++, and Node.js appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding them on macOS systems. In addition, SNI validation is not enabled when the CA has been "overridden". This allows attackers with access to a host's trust store, or who can compromise a certificate authority already in that trust store, to bypass CA pinning. Such an attacker could spoof the MQTT broker, drop traffic, and/or respond with attacker-controlled data, but could not forward this data on to the real MQTT broker, since authenticating to the broker still requires the user's private keys.

**Recommendations**

- For AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS, update to version 1.5.0 or later.
- For AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS, update to version 1.7.0 or later.
- For AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS, update to version 1.14.0 or later.
- For AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS, update to version 1.6.0 or later.
- For Amazon Web Services AWS-C-IO 0.10.7 on macOS, update to a version that includes the corrected `aws_tls_ctx_options_override_default_trust_store_*` functions.