CVE-2024-29195— Azure C SDK Integer Wraparound Vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-29195
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Azure C SDK Integer Wraparound Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
The azure-c-shared-utility is a C library for AMQP/MQTT communication to Azure Cloud Services. This library may be used by the Azure IoT C SDK for communication between IoT Hub and IoT Hub devices. An attacker can cause an integer wraparound or under-allocation or heap buffer overflow due to vulnerabilities in parameter checking mechanism, by exploiting the buffer length parameter in Azure C SDK, which may lead to remote code execution. Requirements for RCE are 1. Compromised Azure account allowing malformed payloads to be sent to the device via IoT Hub service, 2. By passing IoT hub service max message payload limit of 128KB, and 3. Ability to overwrite code space with remote code. Fixed in commit https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
未进行输入大小检查的缓冲区拷贝(传统缓冲区溢出)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Azure C Shared Utility 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Azure C Shared Utility是Microsoft Azure开源的一个 C 库。为基本任务(如字符串、列表操作、IO等)提供通用功能。 Azure C Shared Utility 2023-12-01之前版本存在安全漏洞,该漏洞源于允许攻击者利用Azure C SDK中的buffer length参数使参数检查机制出错,导致整数环绕、分配不足或缓冲区溢出,进而导致远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Azure | azure-c-shared-utility | < 2024-02-08 | - |
II. Public POCs for CVE-2024-29195
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-29195
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Azure
- CVE-2026-32952
go-ntlmssp NTLM challenges can panic on malformed payloads - CVE-2024-27099
Azure IoT Platform Device SDK Double Free Vulnerability - CVE-2024-25110
Azure IoT Platform Device SDK Remote Code Execution Vulnerab - CVE-2024-21638
Azure IPAM solution Elevation of Privilege Vulnerability - CVE-2024-21646
Azure IoT Platform Device SDK Remote Code Execution Vulnerab
Same weakness: CWE-120
- CVE-2026-8260
D-Link DCS-935L HNAP Service hnap_service SetDeviceSettings - CVE-2026-8137
Totolink X5000R formDdns sub_458E40 buffer overflow - CVE-2026-6691
MongoDB C Driver Cyrus SASL Canonicalization Buffer Overflow - CVE-2026-7857
D-Link DI-8100 CGI user_group.asp sprintf buffer overflow - CVE-2026-7856
D-Link DI-8100 Web Management url_member.asp buffer overflow
V. Comments for CVE-2024-29195
No comments yet