Azure-connected IoT devices at risk of RCE due to critical vulnerability
Internet-of-things (IoT) devices that use Microsoft’s uAMQP C library for communication with Azure Cloud Services may be vulnerable to remote code execution (RCE) due to a critical vulnerability disclosed on Tuesday.
The Advanced Message Queuing Protocol (AMQP) is used by Azure Cloud Services, including Azure Service Bus, Azure Event Hubs and Azure IoT Hubs, for communication between various devices and applications across the cloud environment. At risk is the C library for “uAMQP,” which is a lightweight implementation of the AMQP protocol designed for devices with limited memory or processing power, such as portable IoT devices.
Microsoft provides the open-source uAMQP libraries to developers who write code in the C and Python programming languages. On Feb. 27, a security notice was posted to the Azure uAMQP for C (azure-uamqp-c) GitHub repository, warning that a vulnerability in the library could cause conditions ripe for RCE due to a “double free” memory error.