Azure Sphere CVEs
Microsoft's goal is to reward security researchers who have an interest in Azure Sphere for finding potential vulnerabilities and reporting them responsibly according to Microsoft's Coordinated Vulnerability Disclosure principle and the Microsoft Azure Bounty Program. The Azure Sphere team welcomes and acknowledges the security research community for their work and help in keeping our solution secure over time.
We want to be transparent about our security improvements. We partner with the CVE Program to publish common vulnerabilities and exposures (CVEs) for vulnerabilities that have been fixed in current or previous versions of the Azure Sphere OS.
Customer impact of publishing CVEs
CVEs for the OS are only published once a fix is available. Any device that is running Azure Sphere and is connected to the Internet is automatically updated. Devices that are running the latest version are therefore always protected. For devices that are new or have not been connected to the Internet for a while (for example, when the OS version is older than the OS version that contains the fix), we recommend connecting the device to a secure, private local network with Internet access and allowing the device to automatically update itself.
Principles for publishing CVEs
CVEs may be published for vulnerabilities in the Azure Sphere OS that can be exploited "out of the box", in an extended offline period, or before a connection to the Azure Sphere Security Service is made. Vulnerabilities in customer applications are out of scope for assigning a CVE. CVEs for third-party software are the responsibility of the respective manufacturer.
The types of vulnerabilities for which we publish CVEs can be described in three ways:
- Pre-emptive Impact: Vulnerabilities related to when an Azure Sphere device is powered off and not performing a function that could be exploited while bringing the device up and configuring it.
- Invisible Impact: Vulnerabilities related to when an Azure Sphere device is actively performing a function, but is not connected to the Azure Sphere Security service for updates that could be exploited without disrupting primary device function.
- Disruptive Impact: Vulnerabilities that would prevent an Azure Sphere device from receiving an update automatically or would trigger an update rollback.
Contents of Azure Sphere CVEs
CVEs for Azure Sphere consist of a brief description and score based on the Common Vulnerability Scoring system (CVSS), an exploitability index assessment, an Azure Sphere-specific FAQ, and an acknowledgement to the finder who reported it. This content is required in every CVE and is included for all CVEs for Microsoft products.
When Azure Sphere CVEs are published
CVE records will be published on the second Tuesday of the month (a.k.a. Microsoft Patch Tuesday) after a fix has been made available to customers. We expect CVEs to be published on an irregular basis whenever a vulnerability is reported to us, meets the principles described here, and is fixed in the latest available version of the Azure Sphere OS. We will not publish CVEs before a fix is publicly available.
How to find Azure Sphere CVEs
To find a list of all published CVEs for Azure Sphere, use "Sphere" for the keyword search in the Security Update Guide.
Published Azure Sphere CVEs are also listed in What's new for the release at which the vulnerability was fixed.