CVE-2021-40830

Summary

CVE	CVE-2021-40830
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-11-23 00:15:00 UTC
Updated	2021-12-02 14:51:00 UTC
Description	The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or the system’s default trust-store. Attackers with access to a host’s trust stores or are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case) may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust store. This corrects this issue. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix. Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix.

Risk And Classification

Problem Types: CWE-295

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Amazon	Amazon Web Services Aws-c-io	0.10.4	All	All	All
Application	Amazon	Amazon Web Services Internet Of Things Device Software Development Kit V2	All	All	All	All
Application	Amazon	Amazon Web Services Internet Of Things Device Software Development Kit V2	All	All	All	All
Application	Amazon	Amazon Web Services Internet Of Things Device Software Development Kit V2	All	All	All	All
Application	Amazon	Amazon Web Services Internet Of Things Device Software Development Kit V2	All	All	All	All
Operating System	Linux	Linux Kernel	-	All	All	All
Operating System	Opengroup	Unix	-	All	All	All

References

Reference	Source	Link	Tags
GitHub - aws/aws-iot-device-sdk-cpp-v2: Next generation AWS IoT Client SDK for C++ using the AWS Common Runtime	MISC	github.com
GitHub - aws/aws-iot-device-sdk-js-v2: Next generation AWS IoT Client SDK for Node.js using the AWS Common Runtime	MISC	github.com
GitHub - awslabs/aws-c-io: This is a module for the AWS SDK for C. It handles all IO and TLS work for application protocols.	MISC	github.com
GitHub - aws/aws-iot-device-sdk-java-v2: Next generation AWS IoT Client SDK for Java using the AWS Common Runtime	MISC	github.com
GitHub - aws/aws-iot-device-sdk-python-v2: Next generation AWS IoT Client SDK for Python using the AWS Common Runtime	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: F-Secure

Legacy QID Mappings

980007 Python (pip) Security Update for awsiotsdk (GHSA-c4rh-4376-gff4)
980008 Nodejs (npm) Security Update for aws-iot-device-sdk-v2 (GHSA-c4rh-4376-gff4)
980009 Java (maven) Security Update for software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk (GHSA-c4rh-4376-gff4)