PT-2021-22966 · Amazon Web Services · AWS IoT Device SDK v2 for Python (+4)

F-Secure · Published 2021-11-22 · Updated 2021-12-02 · CVE-2021-40830

CVSS v4.0: 7.3 (High)
Vector: AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

AWS IoT Device SDK v2 for Java, versions prior to 1.5.0 on Linux/Unix
AWS IoT Device SDK v2 for Python, versions prior to 1.6.1 on Linux/Unix
AWS IoT Device SDK v2 for C++, versions prior to 1.12.7 on Linux/Unix
AWS IoT Device SDK v2 for Node.js, versions prior to 1.5.3 on Linux/Unix
Amazon Web Services aws-c-io 0.10.4 on Linux/Unix
Description

On Unix systems the AWS IoT Device SDK v2 appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding them. A TLS handshake therefore succeeds if the peer certificate can be verified against either the user-supplied CA or the system's default trust store, so the "pinned" CA the application configured does not actually restrict which CAs are trusted. An attacker who can write to a host's trust store, or who can compromise a certificate authority that is already in it, can use this to bypass the CA pinning; since the client still connects to the configured endpoint, the attacker must also be able to redirect or intercept that connection (for example by spoofing DNS) to present the rogue certificate. The attacker can then impersonate the MQTT broker and drop the client's traffic or answer it with attacker-controlled data. They cannot relay that traffic on to the real MQTT broker, because doing so requires the device's private key to authenticate against the broker.
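The following is an added example, not code from the SDK or from AWS, that reproduces the append-versus-override distinction described above with Python's standard `ssl` module in place of aws-c-io. It assumes an `openssl` command-line binary on PATH to mint two throwaway self-signed certificates: one stands in for the CA the application pins, the other for a CA that is already in the operating system's trust store. A client context that loads both (the pre-fix behaviour) accepts a server presenting either certificate; a context that loads only the pinned CA (the fixed, override behaviour) rejects the other.

```python
"""Append-vs-override trust store demo (added example, not the SDK's own code)."""
from __future__ import annotations

import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(workdir: str, name: str) -> tuple[str, str]:
    """Create a throwaway self-signed cert and key with the openssl CLI (assumed on PATH)."""
    cert = os.path.join(workdir, f"{name}.crt")
    key = os.path.join(workdir, f"{name}.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-days", "1", "-subj", f"/CN={name}", "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


def client_context(ca_files: list[str]) -> ssl.SSLContext:
    """Client context that trusts exactly the certificates in ca_files.

    Loading several files mirrors the pre-fix SDK behaviour (user CA appended to
    whatever is already trusted); loading only the pinned file is the override
    behaviour the fix restores.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # the demo is about chain trust, not hostname matching
    ctx.verify_mode = ssl.CERT_REQUIRED
    for path in ca_files:
        ctx.load_verify_locations(cafile=path)
    return ctx


def handshake_succeeds(server_cert: str, server_key: str, client_ctx: ssl.SSLContext) -> bool:
    """Handshake once against a local TLS server presenting server_cert; True if the client accepts it."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_cert, server_key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve() -> None:
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # the client aborted the handshake; expected in the negative case
        finally:
            conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    accepted = False
    with socket.create_connection(listener.getsockname()) as raw:
        try:
            with client_ctx.wrap_socket(raw) as tls:
                tls.send(b"x")
                accepted = True
        except ssl.SSLCertVerificationError:
            accepted = False  # chain did not terminate in a trusted CA
    worker.join(5)
    listener.close()
    return accepted


def demo() -> dict[str, bool]:
    """Compare an appended trust store with an overridden one against both servers."""
    with tempfile.TemporaryDirectory() as workdir:
        pinned_cert, pinned_key = make_self_signed(workdir, "pinned-broker-ca")
        # Constructed stand-in for any CA already present in the OS trust store.
        system_cert, system_key = make_self_signed(workdir, "system-store-ca")
        appended = client_context([system_cert, pinned_cert])  # pre-fix: pinned CA added to the store
        overridden = client_context([pinned_cert])             # post-fix: pinned CA replaces the store
        return {
            "appended_accepts_pinned": handshake_succeeds(pinned_cert, pinned_key, appended),
            "appended_accepts_system": handshake_succeeds(system_cert, system_key, appended),
            "overridden_accepts_pinned": handshake_succeeds(pinned_cert, pinned_key, overridden),
            "overridden_accepts_system": handshake_succeeds(system_cert, system_key, overridden),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the last case differs between the two contexts: with the pinned CA appended, a certificate that chains to any other trusted CA is still accepted, which is exactly the bypass the advisory describes; with the store overridden, that handshake fails with a certificate verification error. The same harness can be pointed at an upgraded SDK deployment to confirm that the override now takes effect.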
Recommendations

For AWS IoT Device SDK v2 for Java versions prior to 1.5.0, update to version 1.5.0 or later.
For AWS IoT Device SDK v2 for Python versions prior to 1.6.1, update to version 1.6.1 or later.
For AWS IoT Device SDK v2 for C++ versions prior to 1.12.7, update to version 1.12.7 or later.
For AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3, update to version 1.5.3 or later.
For aws-c-io 0.10.4, update to a release in which the `aws_tls_ctx_options_override_default_trust_store_*` functions override the default trust store instead of appending to it; the fixed SDK versions above bundle such a release. After upgrading, confirm that a broker certificate chaining only to a system-trusted CA is rejected by the client.

Fix

The `aws_tls_ctx_options_override_default_trust_store_*` functions in the aws-c-io submodule were updated to override the default trust store rather than append to it.

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2021-40830
GHSA-C4RH-4376-GFF4
PYSEC-2021-863

Affected Products

AWS IoT Device SDK v2 for C++
AWS IoT Device SDK v2 for Java
AWS IoT Device SDK v2 for Node.js
AWS IoT Device SDK v2 for Python
aws-c-io