CVE-2021-41278 affects app-functions-sdk-go versions < 2.1.0: broken encryption in the EdgeX Foundry "AES" transform.
Functions SDK for EdgeX is meant to provide all the plumbing necessary for developers to get started in processing/transforming/exporting data out of the EdgeX IoT platform. In affected versions, broken encryption in app-functions-sdk "AES" transform in EdgeX Foundry releases prior to Jakarta allows attackers to decrypt messages via unspecified vectors. This CVE has a CVSS base score of 5.4.
Understanding CVE-2021-41278
What is CVE-2021-41278?
In versions of app-functions-sdk-go before 2.1.0, EdgeX Foundry is affected by broken encryption in the "AES" transform, potentially allowing attackers to decrypt messages through unspecified vectors.
The Impact of CVE-2021-41278
This vulnerability has a CVSS base score of 5.4, indicating a medium-severity issue. It has a high impact on confidentiality and a low impact on integrity.
Technical Details of CVE-2021-41278
Vulnerability Description
The broken encryption in the "AES" transform in EdgeX Foundry allows attackers to decrypt messages through unspecified vectors. Versions prior to the Jakarta release may provide less protection because the implementation is broken.
Affected Systems and Versions
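A check for the version bound given above, as an added example that is not part of the original page or of the EdgeX project's code: it scans go.mod text for app-functions-sdk-go requirements below 2.1.0. The module path github.com/edgexfoundry/app-functions-sdk-go, the sample go.mod, and the choice to flag 2.1.0 pre-releases are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// sdkModule is the SDK's Go module path; 2.x releases add the /v2 suffix.
const sdkModule = "github.com/edgexfoundry/app-functions-sdk-go"

// affected reports whether v is below the 2.1.0 bound stated on the page. Assumption:
// pre-releases such as v2.1.0-dev.1 are flagged too (semver orders them before 2.1.0).
func affected(v string) (bool, error) {
	var major, minor, patch int
	if _, err := fmt.Sscanf(v, "v%d.%d.%d", &major, &minor, &patch); err != nil {
		return false, fmt.Errorf("unrecognised version %q", v)
	}
	if major != 2 {
		return major < 2, nil
	}
	return minor < 1 || (minor == 1 && patch == 0 && strings.Contains(v, "-")), nil
}

// scanGoMod returns the affected SDK requirements in go.mod text. Unparseable
// versions are reported too, so they get a manual look instead of a silent pass.
func scanGoMod(gomod string) []string {
	var hits []string
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.SplitN(line, "//", 2)[0] // drop comments such as "// indirect"
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) != 2 || (f[0] != sdkModule && !strings.HasPrefix(f[0], sdkModule+"/v")) {
			continue
		}
		if bad, err := affected(f[1]); bad || err != nil {
			hits = append(hits, f[0]+" "+f[1])
		}
	}
	return hits
}

// sampleGoMod is a constructed go.mod for this example, not a real project's.
const sampleGoMod = "module example.com/edge-exporter\n\ngo 1.16\n\nrequire (\n" +
	"\tgithub.com/edgexfoundry/app-functions-sdk-go/v2 v2.0.1\n" +
	"\tgithub.com/edgexfoundry/go-mod-core-contracts/v2 v2.1.0 // indirect\n)\n"

func main() {
	for _, h := range scanGoMod(sampleGoMod) {
		fmt.Println("below 2.1.0, affected by CVE-2021-41278:", h)
	}
}
```

A hit only shows that an affected SDK version is pinned; whether the "AES" transform is actually used in a pipeline still has to be checked in the application itself.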
Exploitation Mechanism
The attack vector is network, and attack complexity is rated HIGH. Exploitation requires low privileges and user interaction.
Mitigation and Prevention
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Stay informed about security advisories and apply patches as soon as they are available.