Internet-of-things (IoT) devices that use Microsoft’s uAMQP C library for communication with Azure Cloud Services may be vulnerable to remote code execution (RCE) due to a critical vulnerability disclosed on Tuesday.
The Advanced Message Queuing Protocol (AMQP) is used by Azure Cloud Services, including Azure Service Bus, Azure Event Hubs and Azure IoT Hubs, for communication between various devices and applications across the cloud environment. At risk is the C library for “uAMQP,” which is a lightweight implementation of the AMPQ protocol designed for devices with limited memory or processing power, such as portable IoT devices.
Microsoft provides the open-source uAMQP libraries to developers who write code in C and Python programing languages.
On Feb. 27, a security notice was posted to the Azure uAMQP for C (azure-uamqp-c) GitHub repository, warning that a vulnerability in the library could cause conditions ripe for RCE due to a “double free” memory error.
The vulnerability, tracked as CVE-2024-27099, has a critical CVSS score of 9.8 and could potentially be exploited by an unprivileged, remote attacker without user interaction. According to the CVE record the “attack complexity” is low.
According to descriptions of the bug, the uAMQP library may attempt to free the same memory location twice while processing an incorrect “AMQP_VALUE” failed state. This could lead to a condition where RCE is possible, according to the CVE description.
This type of “double free” flaw, in which the same memory location is freed twice, results in corruption of memory management data structures, which can further lead to unexpected behavior such as crashes or arbitrary code execution.
If an attacker can craft a malicious request that triggers a double free error in a vulnerable IoT device, it creates an opportunity for the attacker to inject their own arbitrary values into heap memory, wrote cybersecurity researcher Christophe Crochet in his analysis of CVE-2024-27099.
“While the specifics of exploiting this vulnerability depend on the context of the application’s deployment and the attacker’s ingenuity, understanding the exploit’s mechanics is vital. This knowledge not only aids in devising countermeasures but also in fostering a security-conscious development culture,” Crochet wrote on Medium.
CVE-2024-27099 is resolved by a commit (2ca42b6) that prevents the double free error, which was first added on Feb. 9.
The vulnerability is not known to affect the Python uAMQP library, which receives nearly 1.5 million weekly downloads, according to Snyk. The number of active azure-uamqp-c installations is unknown, although the project has 63 forks and 92 dependent repositories on GitHub.
SC Media reached out to Microsoft for more information about the vulnerability and the devices that use its uAMQP C library for communication with Azure Cloud Services, and did not receive a response.
