CVE-2021-40830 : The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user suppl

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust store. This corrects this issue. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix. Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix.

Published 2021-11-23 00:15:07

Updated 2021-12-02 14:51:00

Source F-Secure

View at NVD, CVE.org

Products affected by CVE-2021-40830

Amazon » Amazon Web Services Aws-c-io » Version: 0.10.4
cpe:2.3:a:amazon:amazon_web_services_aws-c-io:0.10.4:*:*:*:*:*:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Opengroup » Unix » Version: N/A
Amazon » Amazon Web Services Internet Of Things Device Software Development Kit V2 » For Python
Versions before (<) 1.6.1
cpe:2.3:a:amazon:amazon_web_services_internet_of_things_device_software_development_kit_v2:*:*:*:*:*:python:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Opengroup » Unix » Version: N/A
Amazon » Amazon Web Services Internet Of Things Device Software Development Kit V2 » For Java
Versions before (<) 1.5.0
cpe:2.3:a:amazon:amazon_web_services_internet_of_things_device_software_development_kit_v2:*:*:*:*:*:java:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Opengroup » Unix » Version: N/A
Amazon » Amazon Web Services Internet Of Things Device Software Development Kit V2 » For Node.js
Versions before (<) 1.5.3
cpe:2.3:a:amazon:amazon_web_services_internet_of_things_device_software_development_kit_v2:*:*:*:*:*:node.js:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Opengroup » Unix » Version: N/A
Amazon » Amazon Web Services Internet Of Things Device Software Development Kit V2 » For C++
Versions before (<) 1.12.7
cpe:2.3:a:amazon:amazon_web_services_internet_of_things_device_software_development_kit_v2:*:*:*:*:*:c\+\+:*:*
Matching versions
When used together with: Linux » Linux Kernel » Version: N/A
When used together with: Opengroup » Unix » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-40830

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 25 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-40830

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:A/AC:L/Au:N/C:P/I:P/A:P	6.5	6.4	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
6.3	MEDIUM	CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H	0.4	5.9	F-Secure
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-40830

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-40830

https://github.com/aws/aws-iot-device-sdk-python-v2

GitHub - aws/aws-iot-device-sdk-python-v2: Next generation AWS IoT Client SDK for Python using the AWS Common Runtime
Product

CVEs referencing this url
https://github.com/aws/aws-iot-device-sdk-cpp-v2

GitHub - aws/aws-iot-device-sdk-cpp-v2: Next generation AWS IoT Client SDK for C++ using the AWS Common Runtime
Product

CVEs referencing this url
https://github.com/awslabs/aws-c-io/

GitHub - awslabs/aws-c-io: This is a module for the AWS SDK for C. It handles all IO and TLS work for application protocols.
Product

CVEs referencing this url
https://github.com/aws/aws-iot-device-sdk-js-v2

GitHub - aws/aws-iot-device-sdk-js-v2: Next generation AWS IoT Client SDK for Node.js using the AWS Common Runtime
Product

CVEs referencing this url
https://github.com/aws/aws-iot-device-sdk-java-v2

GitHub - aws/aws-iot-device-sdk-java-v2: Next generation AWS IoT Client SDK for Java using the AWS Common Runtime
Product

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-40830

Products affected by CVE-2021-40830

Exploit prediction scoring system (EPSS) score for CVE-2021-40830

CVSS scores for CVE-2021-40830

CWE ids for CVE-2021-40830

References for CVE-2021-40830