CVE-2024-25110: 
CBL Mariner vulnerability analysis and mitigation

The UAMQP (Azure AMQP) is a general purpose C library for AMQP 1.0 communication. A critical vulnerability was discovered where during a call to open_get_offered_capabilities, a memory allocation failure can cause a use-after-free issue. If a client calls this function during connection communication, it may lead to remote code execution (NVD, GitHub Advisory). The vulnerability affects versions prior to 2023-12-01.

The vulnerability has been assigned CVE-2024-25110 with a CVSS v3.1 base score of 8.1 HIGH (NIST) and 9.8 CRITICAL (GitHub). The issue stems from a use-after-free condition in the open_get_offered_capabilities function, which can be triggered when memory allocation fails during AMQP connection handling. The vulnerability is classified under CWE-416 (Use After Free) and CWE-94 (Improper Control of Generation of Code) (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code remotely on affected systems. The exploitation requires specific conditions including: a compromised Azure account that can send malformed payloads to the device via IoT Hub service, the ability to bypass IoT hub service max message payload limit of 128KB, and the capability to overwrite code space with remote code (GitHub Advisory).

Users are advised to update their systems with commit 30865c9c which addresses the vulnerability. There are no known workarounds for this vulnerability, making the update the only effective mitigation strategy (GitHub Advisory).