CVE-2024-29195 Overview
CVE-2024-29195 affects the Azure C Shared Utility, a C library used for AMQP and MQTT communication between Azure IoT Hub and IoT devices. The flaw resides in the buffer length parameter handling, where insufficient validation enables an integer wraparound or under-allocation. This condition can trigger a heap buffer overflow [CWE-120] and may result in remote code execution on affected IoT devices. The Azure IoT C SDK depends on this library, expanding the impact to any device built on that stack. Microsoft patched the vulnerability in commit 1129147c38ac02ad974c4c701a1e01b2141b9fe2.
Critical Impact
An attacker with a compromised Azure account can send malformed payloads exceeding the 128KB IoT Hub message limit to trigger heap corruption and achieve remote code execution on connected IoT devices.
Affected Products
- Microsoft Azure C Shared Utility (versions prior to commit 1129147c38ac02ad974c4c701a1e01b2141b9fe2)
- Azure IoT C SDK consumers of the shared utility library
- IoT devices communicating with Azure IoT Hub via AMQP or MQTT through the affected library
Discovery Timeline
- 2024-03-26 - CVE-2024-29195 published to NVD
- 2025-12-15 - Last updated in NVD database
Technical Details for CVE-2024-29195
Vulnerability Analysis
The vulnerability stems from missing arithmetic safety checks in buffer allocation routines within the Azure C Shared Utility. When the library computes allocation sizes derived from an attacker-controlled buffer length parameter, the multiplication or addition can wrap around the unsigned integer boundary. The resulting under-allocated heap region is then written with the larger, untruncated payload, producing a heap buffer overflow.
Because the library handles inbound AMQP and MQTT messages for IoT Hub clients, the corrupted memory sits inside long-running device processes. Successful exploitation requires bypassing the 128KB IoT Hub payload limit and overwriting executable code regions on the target device, conditions that elevate exploitation complexity but do not eliminate the risk for embedded targets.
Root Cause
The root cause is unchecked integer arithmetic on size parameters passed into malloc calls across multiple adapter modules, including adapters/httpapi_curl.c and adapters/httpapi_tirtos.c. The patch introduces the safe_math.h helper to perform overflow-checked size calculations before allocations.
Attack Vector
Exploitation requires a compromised Azure account capable of dispatching crafted cloud-to-device messages through IoT Hub. The attacker sends a payload whose declared length triggers the wraparound during allocation. The subsequent write operation corrupts heap metadata adjacent to the under-allocated buffer, which an attacker can shape to redirect execution flow on the receiving device.
// Patch excerpt: adapters/httpapi_curl.c
#include "mbedtls/ssl.h"
#endif
#include "azure_c_shared_utility/shared_util_options.h"
+#include "azure_c_shared_utility/safe_math.h"
#define TEMP_BUFFER_SIZE 1024
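Review bot: No malloc call site is changed in this excerpt of httpapi_curl.c; the added #include "azure_c_shared_utility/safe_math.h" line by itself alters no size calculation. Confirm against the full commit that every length computed before a malloc in this file goes through the checked helpers, and that a detected overflow is returned as an error instead of reaching malloc.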
Source: Azure C Shared Utility commit 1129147
// Patch excerpt: adapters/httpapi_tirtos.c
#include "azure_c_shared_utility/httpapi.h"
#include "azure_c_shared_utility/strings.h"
#include "azure_c_shared_utility/xlogging.h"
+#include "azure_c_shared_utility/safe_math.h"
#define CONTENT_BUF_LEN 128
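Review bot: Nothing in this httpapi_tirtos.c excerpt shows a checked calculation being used; the include placed above #define CONTENT_BUF_LEN 128 only declares the helpers. Verify in the full commit that sizes built from a received length plus a fixed constant are computed with the checked helpers, and ask for a test that feeds a length near SIZE_MAX and expects a rejection.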
Source: Azure C Shared Utility commit 1129147
Including safe_math.h makes overflow-safe wrappers available for the size calculations that precede each malloc, so that oversized inputs are rejected before allocation.
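The following is an added example, not code from the Azure C Shared Utility or its patch, showing how an unchecked size calculation wraps and how a checked one rejects the same input. The names checked_add_size, checked_mul_size, checked_alloc_size and copy_payload, and the max_len cap, are hypothetical and do not reproduce the safe_math.h API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers, not the library's safe_math.h API: each returns 0
   and stores the result only if the arithmetic does not wrap size_t. */
int checked_add_size(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b) return -1;
    *out = a + b;
    return 0;
}

int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Unchecked pattern: count * elem + header wraps modulo SIZE_MAX + 1, so a
   huge declared length yields a tiny allocation size. */
size_t unchecked_alloc_size(size_t count, size_t elem, size_t header)
{
    return count * elem + header;
}

/* Checked pattern: same calculation, but any wrap is reported to the caller. */
int checked_alloc_size(size_t count, size_t elem, size_t header, size_t *out)
{
    size_t body;
    if (checked_mul_size(count, elem, &body) != 0) return -1;
    return checked_add_size(body, header, out);
}

/* Copies payload plus a NUL; max_len is an assumed cap. NULL means rejected. */
unsigned char *copy_payload(const unsigned char *src, size_t declared_len, size_t max_len)
{
    size_t alloc_len;
    unsigned char *buf;
    if (src == NULL || declared_len > max_len) return NULL;
    if (checked_alloc_size(declared_len, 1, 1, &alloc_len) != 0) return NULL;
    buf = malloc(alloc_len);
    if (buf == NULL) return NULL;
    memcpy(buf, src, declared_len);
    buf[declared_len] = '\0';
    return buf;
}
```

The length check happens before malloc and before any copy, so a rejected length never touches the heap.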
Detection Methods for CVE-2024-29195
Indicators of Compromise
- Cloud-to-device messages from IoT Hub exceeding or approaching the 128KB payload boundary against devices running the Azure C SDK.
- Unexpected crashes, restarts, or watchdog resets on IoT devices coinciding with inbound AMQP or MQTT traffic.
- Anomalous outbound connections originating from IoT devices to non-Azure endpoints after receiving large messages.
Detection Strategies
- Inventory firmware images and SDKs to identify devices linking against versions of azure-c-shared-utility prior to commit 1129147c38ac02ad974c4c701a1e01b2141b9fe2.
- Inspect IoT Hub diagnostic logs for malformed payloads, oversized messages, and repeated delivery failures targeting the same device.
- Correlate Azure Active Directory sign-in anomalies for accounts with IoT Hub data writer permissions with downstream device telemetry gaps.
Monitoring Recommendations
- Enable IoT Hub diagnostic settings and route logs to a centralized analytics workspace for retention and querying.
- Alert on Azure RBAC role assignments granting Microsoft.Devices/IotHubs/Send/Action permissions to non-standard identities.
- Track device twin reported properties and connection state transitions to surface devices that go offline after receiving cloud-to-device messages.
How to Mitigate CVE-2024-29195
Immediate Actions Required
- Update embedded firmware and applications to consume azure-c-shared-utility containing commit 1129147c38ac02ad974c4c701a1e01b2141b9fe2 or later.
- Rotate IoT Hub shared access policy keys and review service principal credentials that can send cloud-to-device messages.
- Audit Azure account access to IoT Hub and enforce multi-factor authentication on all identities with send permissions.
Patch Information
Microsoft fixed the vulnerability by integrating overflow-checked arithmetic through safe_math.h into allocation paths within the Azure C Shared Utility. Apply the changes from Azure C Shared Utility commit 1129147 and review the GitHub Security Advisory GHSA-m8wp-hc7w-x4xg for the full scope of changes. Rebuild and redeploy any firmware that statically links the library.
Workarounds
- Restrict IoT Hub cloud-to-device messaging permissions to a minimal set of service identities and apply conditional access policies.
- Enforce payload size and schema validation at an upstream gateway or Azure Function before forwarding messages to constrained devices.
- Segment IoT devices on isolated network tiers to limit lateral impact if a device is compromised through this flaw.
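# Verify the patched commit is an ancestor of your library checkout
# (git log --oneline prints abbreviated hashes, so grepping it for the full hash never matches)
cd azure-c-shared-utility
git merge-base --is-ancestor 1129147c38ac02ad974c4c701a1e01b2141b9fe2 HEAD && echo "patched commit present"
# Confirm safe_math.h is referenced in adapter sources
grep -R "safe_math.h" adapters/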


