Microsoft disclosed a critical vulnerability affecting the Azure IoT Platform Device SDK. The advisory, published through GitHub Security Advisories as GHSA-6rh4-fj44-v4jj, warns of a double-free vulnerability that could lead to remote code execution (RCE).
The impacted library, uAMQP, is a C library used for AMQP 1.0 communication with Azure Cloud Services. The flaw is triggered when the library processes an incorrect AMQP_VALUE failed state, which can cause the same memory to be freed twice. If exploited, this double free could allow attackers to execute arbitrary code remotely.
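To make the failure mode concrete, the following is an added illustration of the double-free class the advisory describes; it is not uAMQP code and does not reproduce the uAMQP defect. The value type, the decoders, the one-byte frame rule and the quarantining allocator are all constructed for the demo. It places a decoder that releases its buffer on the error path but leaves the dangling pointer behind next to a hardened variant that validates before allocating and routes every release through a single destroy routine, and counts how many double frees each pattern produces under a caller that always cleans up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the double-free class described above; the types,
 * names and frame format are constructed and are not uAMQP's API. */

#define MAX_BLOCKS 8

/* Quarantining allocator: a released block is marked dead but its address is
 * kept, so a second release of the same pointer is detected and counted
 * instead of corrupting the heap (the way hardened allocators report it). */
typedef struct { void *ptr; int live; } tracked_block;
static tracked_block g_blocks[MAX_BLOCKS];
static int g_double_frees = 0;

static void *tracked_alloc(size_t n) {
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (g_blocks[i].ptr == NULL) {
            g_blocks[i].ptr = malloc(n);
            g_blocks[i].live = (g_blocks[i].ptr != NULL);
            return g_blocks[i].ptr;
        }
    }
    return NULL;                      /* constructed block limit for the demo */
}

/* 0 = released now, 1 = already released (double free), -1 = unknown pointer. */
static int tracked_free(void *p) {
    if (p == NULL) return 0;          /* free(NULL) is a no-op, as in C */
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (g_blocks[i].ptr == p) {
            if (!g_blocks[i].live) { g_double_frees++; return 1; }
            g_blocks[i].live = 0;
            return 0;
        }
    }
    return -1;
}

/* Returns quarantined memory to the system and clears the counters. */
static void tracked_reset(void) {
    for (int i = 0; i < MAX_BLOCKS; i++) {
        free(g_blocks[i].ptr);
        g_blocks[i].ptr = NULL;
        g_blocks[i].live = 0;
    }
    g_double_frees = 0;
}

typedef struct { unsigned char *payload; size_t len; } toy_value;

/* Constructed wire rule: a frame is valid only if its first byte is 0x00. */
static const unsigned char kBadFrame[]  = { 0xFF, 0x01 };
static const unsigned char kGoodFrame[] = { 0x00, 0x42 };

/* Vulnerable pattern: the decoder allocates, then on a bad type byte releases
 * the payload itself but leaves the dangling pointer in the caller's struct. */
static int decode_unsafe(toy_value *v, const unsigned char *buf, size_t n) {
    v->payload = tracked_alloc(n);
    if (v->payload == NULL) return -1;
    memcpy(v->payload, buf, n);
    v->len = n;
    if (n == 0 || buf[0] != 0x00) {
        tracked_free(v->payload);     /* released here... */
        return -1;                    /* ...and again by the caller's cleanup */
    }
    return 0;
}

/* Hardened pattern: one destroy routine owns release and nulls the pointer,
 * and the decoder validates before it allocates, so every failure leaves the
 * struct in a state value_destroy() can handle exactly once. */
static void value_destroy(toy_value *v) {
    tracked_free(v->payload);
    v->payload = NULL;
    v->len = 0;
}

static int decode_safe(toy_value *v, const unsigned char *buf, size_t n) {
    v->payload = NULL;
    v->len = 0;
    if (n == 0 || buf[0] != 0x00) return -1;
    v->payload = tracked_alloc(n);
    if (v->payload == NULL) return -1;
    memcpy(v->payload, buf, n);
    v->len = n;
    return 0;
}

typedef int (*decode_fn)(toy_value *, const unsigned char *, size_t);

/* Runs one decode-then-cleanup cycle the way a caller would and returns how
 * many double frees the allocator observed during it. */
static int run_scenario(decode_fn decode, const unsigned char *buf, size_t n) {
    toy_value v = { NULL, 0 };
    int before = g_double_frees;
    decode(&v, buf, n);               /* success or failure... */
    value_destroy(&v);                /* ...the caller always destroys */
    return g_double_frees - before;
}

int main(void) {
    printf("unsafe decoder, malformed frame: %d double free(s)\n",
           run_scenario(decode_unsafe, kBadFrame, sizeof kBadFrame));
    printf("safe decoder, malformed frame:   %d double free(s)\n",
           run_scenario(decode_safe, kBadFrame, sizeof kBadFrame));
    printf("safe decoder, valid frame:       %d double free(s)\n",
           run_scenario(decode_safe, kGoodFrame, sizeof kGoodFrame));
    tracked_reset();
    return 0;
}
```

The point of the hardened variant is ownership discipline rather than any one null check: the decoder never hands back a struct it has already partially torn down, and the only place a payload is released is the destroy routine, which nulls the pointer so a repeated call is harmless. When reviewing C error paths for this class of bug, build the library with AddressSanitizer and exercise the malformed-input cases; a real double free is reported at the second release with both stack traces.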
To address this vulnerability, Microsoft has released a fix by updating the uAMQP submodule to commit 2ca42b6e4e098af2d17e487814a91d05f6ae4987. Organizations relying on the Azure IoT Platform Device SDK are strongly urged to apply this update promptly to mitigate the risk of exploitation.
The Common Vulnerabilities and Exposures (CVE) identifier for this vulnerability is CVE-2024-27099. The associated CVSS score is 9.8, categorizing it as critical. This score reflects the severity of the vulnerability, taking into account factors such as exploitability and the potential impact on confidentiality, integrity, and availability.
GitHub Security Advisories also provides an Exploit Prediction Scoring System (EPSS) score for CVE-2024-27099, which indicates a low probability of exploitation activity in the next 30 days (0.04%).