CVE-2021-40828— TLS hostname validation issues within AWS IoT Device SDKs on Windows
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-40828
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
TLS hostname validation issues within AWS IoT Device SDKs on Windows
Source: NVD (National Vulnerability Database)
Vulnerability Description
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify server certificate hostname during TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Amazon AWS IoT Device SDK 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Amazon AWS IoT Device SDK是美国亚马逊(Amazon)公司的 MIT 开源许可下的 C 源文件集合,可用于嵌入式应用程序以将 IoT 设备安全地连接到 AWS IoT Core。它包括一个 MQTT、JSON 解析器和 AWS IoT Device Shadow 库。它以源代码形式分发,旨在与应用程序代码、其他库以及可选的 RTOS(实时操作系统)一起构建到客户固件中。 Amazon AWS IoT Device SDK v2存在安全漏洞,该漏洞源于在TLS握手期间没有验证服务器证
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Amazon Web Services | AWS IoT Device SDK v2 for Java | unspecified ~ 1.3.3 | - | |
| Amazon Web Services | AWS IoT Device SDK v2 for Python | unspecified ~ 1.5.18 | - | |
| Amazon Web Services | AWS IoT Device SDK v2 for C++ | unspecified ~ 1.12.7 | - | |
| Amazon Web Services | AWS IoT Device SDK v2 for Node.js | unspecified ~ 1.5.3 | - | |
| Amazon Web Services | AWS-C-IO | 0.9.12 | - |
II. Public POCs for CVE-2021-40828
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-40828
请登录查看更多情报信息。
- https://github.com/awslabs/aws-c-io/x_refsource_MISC
- https://github.com/aws/aws-iot-device-sdk-java-v2x_refsource_MISC
- https://github.com/aws/aws-iot-device-sdk-cpp-v2x_refsource_MISC
- https://github.com/aws/aws-iot-device-sdk-js-v2x_refsource_MISC
- https://github.com/aws/aws-iot-device-sdk-python-v2x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-40828
Same Patch Batch · Amazon Web Services · 2021-11-22 · 4 CVEs total
| CVE-2021-40829 | 6.3 MEDIUM | TLS hostname validation issues within AWS IoT Device SDKs on macOS |
| CVE-2021-40830 | 6.3 MEDIUM | Inconsistent CA override function behavior within AWS IoT Device SDKs on Unix systems |
| CVE-2021-40831 | 6.3 MEDIUM | Missing SNI validation and inconsistent CA override function behavior within AWS IoT Devic |
IV. Related Vulnerabilities
V. Comments for CVE-2021-40828
No comments yet