CVE-2021-40831: AWS IoT Device SDK v2 for multiple languages incorrectly handles Certificate Authority (CA) validation on macOS, potentially allowing attackers to bypass CA pinning.


Description Preview

A vulnerability exists in AWS IoT Device SDK v2 for Java, Python, C++, and Node.js running on macOS systems. The issue occurs when the SDK appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding it as intended. Additionally, Server Name Indication (SNI) validation is not enabled when the CA has been "overridden." This means TLS handshakes will succeed if the peer can be verified either from the user-supplied CA or the system's default trust store. Attackers who can access a host's trust stores or compromise a certificate authority already in the host's trust store (along with the ability to spoof DNS) could bypass CA pinning. This could allow them to spoof the MQTT broker to intercept, drop, or manipulate traffic, though they would still need the user's private keys to authenticate against the legitimate MQTT broker.

Overview

CVE-2021-40831 is a certificate validation vulnerability (CWE-295) affecting AWS IoT Device SDK v2 implementations across multiple programming languages when running on macOS systems. The vulnerability stems from improper handling of Certificate Authority trust stores, where user-supplied CAs are appended to rather than replacing the system's default trust store. This implementation flaw, combined with disabled SNI validation, creates a security weakness where attackers could potentially bypass certificate pinning protections.
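The two behaviours described above (a pinned CA appended to the system trust store versus replacing it, and a hostname/SNI check that is or is not applied) can be checked directly with ordinary X.509 verification. The following is an added example in Go, written for this page; it is not code from the AWS IoT Device SDK or from aws-c-io. It constructs a stand-in "system" root CA and a pinned IoT CA in memory, issues a broker certificate from each, and shows that a verifier whose pool merely appends the pinned CA still accepts a certificate chained to the system-store CA, while a pool that contains only the pinned CA rejects it; it also shows that skipping the hostname check lets a certificate for a different name pass. The CA names, the broker hostname and the key types are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustCert signs tmpl with parent/parentKey and returns the parsed certificate.
func mustCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed root CA (constructed in memory for this example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueLeaf issues a TLS server certificate for dnsName from the given CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	leaf, _ := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsName},
		DNSNames:  []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return leaf
}

// accepted reports whether leaf chains to a root in roots; when hostname is
// non-empty the certificate must also be valid for that name (the SNI check).
func accepted(leaf *x509.Certificate, roots *x509.CertPool, hostname string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, DNSName: hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// PinningCheck records the outcome of each verification scenario.
type PinningCheck struct {
	AppendedAcceptsSystemCA    bool // flawed store: cert from a system-store CA passes
	OverrideAcceptsSystemCA    bool // fixed store: must be false
	OverrideAcceptsPinned      bool // fixed store still accepts the real broker cert
	NoHostnameAcceptsWrongName bool // hostname check disabled: wrong-name cert passes
	HostnameRejectsWrongName   bool // hostname check enabled: wrong-name cert fails
}

// RunPinningCheck builds both trust-store layouts and verifies three certificates against them.
func RunPinningCheck() PinningCheck {
	systemCA, systemKey := newCA("Constructed System Root CA") // stand-in for the OS trust store
	pinnedCA, pinnedKey := newCA("Constructed Pinned IoT CA")  // the user-supplied CA

	appended := x509.NewCertPool() // pinned CA appended to the system store (the flaw)
	appended.AddCert(systemCA)
	appended.AddCert(pinnedCA)
	override := x509.NewCertPool() // pinned CA replaces the system store (the fix)
	override.AddCert(pinnedCA)

	const broker = "broker.example.test" // constructed hostname
	legit := issueLeaf(pinnedCA, pinnedKey, broker)
	fromSystemCA := issueLeaf(systemCA, systemKey, broker)
	wrongName := issueLeaf(pinnedCA, pinnedKey, "other.example.test")

	return PinningCheck{
		AppendedAcceptsSystemCA:    accepted(fromSystemCA, appended, broker),
		OverrideAcceptsSystemCA:    accepted(fromSystemCA, override, broker),
		OverrideAcceptsPinned:      accepted(legit, override, broker),
		NoHostnameAcceptsWrongName: accepted(wrongName, override, ""),
		HostnameRejectsWrongName:   !accepted(wrongName, override, broker),
	}
}

func main() {
	fmt.Printf("%+v\n", RunPinningCheck())
}
```

The same shape of test, run against a client built with the SDK's CA-override option and a certificate issued by a CA that is only in the OS trust store, is a quick way to confirm that a patched SDK actually rejects the handshake on macOS rather than silently falling back to the system store.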

The vulnerability specifically impacts:

  • AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS
  • AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS
  • AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS
  • AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS
  • AWS-C-IO 0.10.7 on macOS

Remediation

To remediate this vulnerability, users should:

  1. Update to the following fixed versions or later:

    • AWS IoT Device SDK v2 for Java: version 1.5.0 or later
    • AWS IoT Device SDK v2 for Python: version 1.7.0 or later
    • AWS IoT Device SDK v2 for C++: version 1.14.0 or later
    • AWS IoT Device SDK v2 for Node.js: version 1.6.0 or later
    • AWS-C-IO: newer than version 0.10.7
  2. The core fix changes the 'aws_tls_ctx_options_override_default_trust_store_*' functions in the aws-c-io submodule so that the supplied CA replaces the default trust store instead of being appended to it.

  3. If immediate updates are not possible, consider implementing additional network security controls to prevent potential DNS spoofing attacks and unauthorized access to trust stores.

  4. Review your application's security architecture to ensure proper certificate validation practices are followed throughout your IoT implementation.

References

  1. AWS IoT Device SDK for C++: https://github.com/aws/aws-iot-device-sdk-cpp-v2
  2. AWS IoT Device SDK for Java: https://github.com/aws/aws-iot-device-sdk-java-v2
  3. AWS IoT Device SDK for JavaScript: https://github.com/aws/aws-iot-device-sdk-js-v2
  4. AWS IoT Device SDK for Python: https://github.com/aws/aws-iot-device-sdk-python-v2
  5. AWS C IO Library: https://github.com/awslabs/aws-c-io/

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry Fishing & Hunting
  4. Arts, Entertainment & Recreation
  5. Construction
  6. Educational Services
  7. Finance and Insurance
  8. Health Care & Social Assistance
  9. Information
  10. Management of Companies & Enterprises
  11. Manufacturing
  12. Mining
  13. Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
  15. Public Administration
  16. Real Estate Rental & Leasing
  17. Retail Trade
  18. Transportation & Warehousing
  19. Utilities
  20. Wholesale Trade

Armis Vulnerability Intelligence Database