CVE-2021-40831: GitHub - aws/aws-iot-device-sdk-js-v2: Next generation AWS IoT Client SDK for Node.js using the AWS Common Runtime

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding them on macOS systems. Additionally, SNI validation is not enabled when the CA has been "overridden". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or from the system's default trust store. Attackers with access to a host's trust stores, or who are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker and either drop traffic or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker, because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' functions within the aws-c-io submodule have been updated to address this behavior.

This issue affects:

  • Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS.
  • Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS.
  • Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS.
  • Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS.
  • Amazon Web Services AWS-C-IO 0.10.7 on macOS.
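The trust decision the advisory describes, as an added example that is not part of this page or of the AWS SDK and aws-c-io code. It is written in Go rather than JavaScript because Go's standard library can mint certificates in memory, so it runs offline with no files or network; the broker name, CA names and hostnames are made up. It creates a customer-pinned CA and a second CA standing in for one already in the host's trust store, issues a broker certificate from each, and then asks the question a TLS client asks of the presented certificate: does it chain to a trusted root, and is it valid for the expected host? The pool holding only the pinned CA is the intended "override" behaviour, the pool holding both CAs reproduces the macOS "append" behaviour, and verifying with an empty hostname corresponds to the advisory's "SNI validation not enabled".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// broker is a made-up endpoint; every certificate here is minted in memory for this example, not real AWS material.
const broker = "broker.example.com"

type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue mints a self-signed CA when parent is nil, otherwise a server certificate
// for DNS name `name` signed by parent.
func issue(name string, parent *identity) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	signerCert, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	} else {
		tmpl.DNSNames = []string{name}
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{cert, key}, nil
}

// accepted is the trust decision a TLS client makes on the peer's certificate: build a
// chain to one of roots and, when host is non-empty, also require the certificate to be
// valid for host. An empty host is the "SNI validation not enabled" case from the advisory.
func accepted(leaf *identity, roots *x509.CertPool, host string) bool {
	_, err := leaf.cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// run reports, per scenario, whether the client would accept the server.
func run() (map[string]bool, error) {
	var firstErr error
	mint := func(name string, parent *identity) *identity {
		id, err := issue(name, parent)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return id
	}
	pinned := mint("Customer pinned CA", nil)
	system := mint("CA already in the host trust store", nil)
	legit := mint(broker, pinned)              // the real broker's certificate
	spoof := mint(broker, system)              // attacker-obtained certificate; DNS assumed spoofed
	other := mint("other.example.com", pinned) // chains to the pinned CA, but for the wrong host
	if firstErr != nil {
		return nil, firstErr
	}
	pinnedOnly := x509.NewCertPool() // correct "override": only the user-supplied CA is trusted
	pinnedOnly.AddCert(pinned.cert)
	appended := x509.NewCertPool() // the macOS bug: user-supplied CA appended to the host's roots
	appended.AddCert(system.cert)
	appended.AddCert(pinned.cert)
	return map[string]bool{
		"override accepts real broker":        accepted(legit, pinnedOnly, broker),
		"override accepts system-CA spoof":    accepted(spoof, pinnedOnly, broker),
		"append accepts system-CA spoof":      accepted(spoof, appended, broker),
		"no-SNI check accepts wrong hostname": accepted(other, pinnedOnly, ""),
	}, nil
}

func main() {
	results, err := run()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

Running it prints four verdicts. For a client that pins correctly only the first should be true; the other three are the failure modes the advisory lists: a certificate from a CA the user never chose is accepted once that CA sits beside the pinned one, and a certificate issued for a different host passes once hostname checking is skipped. The same shape works as a regression check against a fixed SDK build: present a broker certificate signed by a CA that is in the OS trust store but not the pinned CA and assert that the connection fails.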


AWS IoT Device SDK for JavaScript v2

This document provides information about the AWS IoT Device SDK for JavaScript v2.

If you have any issues or feature requests, please file an issue or pull request.

This SDK is built on the AWS Common Runtime, a collection of libraries (aws-c-common, aws-c-io, aws-c-mqtt, aws-c-http, aws-c-cal …) written in C to be cross-platform, high-performance, secure, and reliable. The libraries are bound to JS by the awscrt package.

Jump To:

  • Installation
  • Mac-Only TLS Behavior
  • Samples
  • Getting Help
  • Giving Feedback and Contributions

Installation

Check for minimum Requirements

  • The AWS IoT Device SDK for JavaScript requires Node v10.0 or later.

Install the required libraries using apt

sudo apt-get install cmake
sudo apt-get install libssl-dev

Install the required libraries using yum

sudo yum install cmake
sudo yum install openssl-devel

Install the AWS Common Runtime

Install the AWS IoT Device SDK

npm install aws-iot-device-sdk-v2

Build from source

Mac-Only TLS Behavior

Please note that on Mac, once a private key is used with a certificate, that certificate-key pair is imported into the Mac Keychain. All subsequent uses of that certificate will use the stored private key and ignore anything passed in programmatically. Beginning in v1.2.4, when a stored private key from the Keychain is used, the following will be logged at the “info” log level:

static: certificate has an existing certificate-key pair that was previously imported into the Keychain.  Using key from Keychain instead of the one provided.

Samples

Samples README

Getting Help

The best way to interact with our team is through GitHub. You can open an issue and choose from one of our templates for guidance, bug reports, or feature requests. You may also find help on community resources such as Stack Overflow with the tag #aws-iot, or, if you have a support plan with AWS Support, you can create a new support case.

Please make sure to check out our resources too before opening an issue:

  • API Documentation
  • Our Developer Guide (source)
  • Check for similar Issues
  • AWS IoT Core Documentation
  • Dev Blog
  • Integration with AWS IoT Services such as Device Shadow and Jobs is provided by code that has been generated from a model of the service.

Giving Feedback and Contributions

We need your help in making this SDK great. Please participate in the community and contribute to this effort by submitting issues, participating in discussion forums and submitting pull requests through the following channels.

  • Contributions Guidelines
  • Articulate your feature request or upvote existing ones on our Issues page.
  • Submit Issues

License

This library is licensed under the Apache 2.0 License.
