Azure Linux 3.0 Security Update: azure-iot-sdk-c (CVE-2024-29195)

medium Nessus Plugin ID 233164

Synopsis

The remote Azure Linux host is missing one or more security updates.

Description

The version of azure-iot-sdk-c installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-29195 advisory.

- The azure-c-shared-utility is a C library for AMQP/MQTT communication to Azure Cloud Services. This library may be used by the Azure IoT C SDK for communication between IoT Hub and IoT Hub devices. An attacker can cause an integer wraparound, under-allocation, or heap buffer overflow due to vulnerabilities in the parameter checking mechanism, by exploiting the buffer length parameter in the Azure C SDK, which may lead to remote code execution. Requirements for RCE are: 1. A compromised Azure account allowing malformed payloads to be sent to the device via the IoT Hub service, 2. Bypassing the IoT Hub service max message payload limit of 128KB, and 3. The ability to overwrite code space with remote code. Fixed in commit https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2. (CVE-2024-29195)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://nvd.nist.gov/vuln/detail/CVE-2024-29195

Plugin Details

Severity: Medium

ID: 233164

File Name: azure_linux_CVE-2024-29195.nasl

Version: 1.1

Type: local

Published: 3/20/2025

Updated: 3/20/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.5

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:H/Au:M/C:C/I:C/A:P

CVSS Score Source: CVE-2024-29195

CVSS v3

Risk Factor: Medium

Base Score: 6

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:microsoft:azure_linux:azure-iot-sdk-c, x-cpe:/o:microsoft:azure_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/AzureLinux/release, Host/AzureLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2025

Vulnerability Publication Date: 3/26/2024

Reference Information

CVE: CVE-2024-29195