SecurityWeek
Critical Vulnerabilities Found in Microsoft Defender for IoT

Researchers at endpoint security firm SentinelOne on Monday published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.

Designed with continuous network detection and response (NDR) capabilities, Defender for IoT supports various IoT, OT, and industrial control system (ICS) devices, and can be deployed both on-premises and in the cloud.

Tracked as CVE-2021-42311 and CVE-2021-42313, the two critical bugs have a CVSS score of 10 and were addressed by Microsoft with its December 2021 Patch Tuesday updates.

Both are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.

Identified in the token validation process, CVE-2021-42313 exists because the UUID parameter isn’t sanitized, SentinelLabs explains.

The researchers say the vulnerability allowed them to “insert, update, and execute SQL special commands.” They came up with proof-of-concept (PoC) code that exploits the bug to extract a logged-in user session ID from the database, which leads to complete account takeover.
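The pattern described above, as an added example that is not SentinelLabs' proof-of-concept and not Defender for IoT's code: a token-validation lookup in which the UUID parameter is pasted straight into the SQL text, beside a hardened version that validates the UUID format and binds it as a query parameter. The table, session identifiers and token values are constructed for the demo; the real schema is not on this page.

```python
import sqlite3
import uuid

# Constructed sample data for the demo; this is not Defender for IoT's schema.
ADMIN_TOKEN = "2f1e9d6c-1b3a-4c5d-8e7f-0a1b2c3d4e5f"
OPERATOR_TOKEN = "7c0a4b21-9d3e-4f68-b5a1-6e2d8c9f0a13"


def make_db():
    """Builds an in-memory table of logged-in sessions keyed by an API token UUID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (session_id TEXT, user TEXT, token_uuid TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [
            ("sess-admin-9f1c", "admin", ADMIN_TOKEN),
            ("sess-operator-22ab", "operator", OPERATOR_TOKEN),
        ],
    )
    return conn


def validate_token_vulnerable(conn, token_uuid):
    """The pattern behind the bug: the UUID parameter is spliced into the SQL text unsanitized."""
    query = f"SELECT session_id FROM sessions WHERE token_uuid = '{token_uuid}'"
    return [row[0] for row in conn.execute(query)]


def validate_token_hardened(conn, token_uuid):
    """Reject anything that is not a well-formed UUID, then bind it as a query parameter.

    The bound parameter alone stops the injection; the format check is defence in depth
    and also canonicalises the value (lowercase, hyphenated) so lookups are consistent."""
    try:
        canonical = str(uuid.UUID(str(token_uuid)))
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT session_id FROM sessions WHERE token_uuid = ?", (canonical,)
    )
    return [row[0] for row in rows]


# Payloads an unauthenticated attacker would send in place of a real UUID.
TAUTOLOGY = "' OR '1'='1"
UNION_ADMIN = "' UNION SELECT session_id FROM sessions WHERE user = 'admin' --"


def run_demo():
    """Returns what each implementation hands back for the attacker's input."""
    conn = make_db()
    return {
        # every session ID in the table leaks
        "vulnerable_tautology": sorted(validate_token_vulnerable(conn, TAUTOLOGY)),
        # the admin's session ID leaks: enough for account takeover
        "vulnerable_union": validate_token_vulnerable(conn, UNION_ADMIN),
        "hardened_tautology": validate_token_hardened(conn, TAUTOLOGY),
        "hardened_union": validate_token_hardened(conn, UNION_ADMIN),
        # a genuine token still works, even in a non-canonical spelling
        "hardened_valid": validate_token_hardened(conn, ADMIN_TOKEN.upper().replace("-", "")),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The `UNION` payload is the shape of query that turns an unauthenticated token check into a read of another user's session row; the hardened lookup returns nothing for either payload because the value never reaches the SQL parser as syntax.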

Also related to the token validation process, albeit performed by a different function, CVE-2021-42311 exists because an API token used for verification is shared across Defender for IoT installations.

SentinelLabs reported the critical vulnerabilities to Microsoft in June 2021 along with three other issues – two high-severity flaws in Microsoft Defender for IoT (CVE-2021-42312 and CVE-2021-42310) and a vulnerability in the RCDCAP open source project (CVE-2021-37222).

CVE-2021-42310, SentinelLabs explains, affects the password recovery mechanism involving the Azure portal, which is implemented by a Python web API and a Java web API. The mechanism is prone to a time-of-check-time-of-use (TOCTOU) vulnerability: the uploaded file is checked at one point and its contents are consumed at another, so the file that was verified is not necessarily the file that is used.

The mechanism uses a signed password reset ZIP file that the user needs to upload on the password reset page. Due to the security bug, however, the signed ZIP file of a different user could be used to get a ZIP file containing a malicious JSON accepted.

The attack could be used to obtain the password of the privileged user cyberx (Microsoft acquired CyberX in 2020 and built Defender for IoT on its product), which could result in code execution with root privileges.
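The check-then-use flaw described above, as an added example that is not SentinelLabs' proof-of-concept and not Defender for IoT's code. It models the signed reset ZIP with an HMAC over the ZIP bytes (an assumption; the product's real signing scheme is not described on this page) and collapses the two components into one process, with a callback standing in for the attacker winning the window between the check and the use. The vulnerable flow verifies the file at a path and then re-opens the path; the hardened flow reads the bytes once and verifies and parses those same bytes. User names and passwords are constructed.

```python
import hashlib
import hmac
import io
import json
import os
import tempfile
import zipfile

# Constructed stand-in for the portal's signature: an HMAC over the ZIP bytes under a key
# the sensor trusts. This is an assumption for the demo, not the product's scheme.
SIGNING_KEY = b"example-only-signing-key"


def sign(data):
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def build_zip(payload):
    """Packs a password reset request (a dict) as reset.json inside a ZIP; returns the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reset.json", json.dumps(payload))
    return buf.getvalue()


def reset_vulnerable(path, signature, race=None):
    """Check-then-use on a path: verify the file at `path`, then open `path` again to read it.

    `race` simulates the attacker winning the window between the check and the use
    (in the real bug the check and the use sit in different components)."""
    with open(path, "rb") as f:
        if not hmac.compare_digest(sign(f.read()), signature):
            raise PermissionError("bad signature")
    if race:
        race()
    with zipfile.ZipFile(path) as zf:  # re-reads the path: may now be a different file
        return json.loads(zf.read("reset.json"))


def reset_hardened(path, signature, race=None):
    """Read the upload once; verify and parse the same bytes, so there is no window."""
    with open(path, "rb") as f:
        data = f.read()
    if race:
        race()  # whatever happens to the file now is irrelevant: `data` is already fixed
    if not hmac.compare_digest(sign(data), signature):
        raise PermissionError("bad signature")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return json.loads(zf.read("reset.json"))


def run_demo():
    """A signed ZIP for a low-privileged user beside an unsigned ZIP targeting 'cyberx'."""
    legit = build_zip({"user": "operator", "new_password": "Op3rator-reset"})
    legit_sig = sign(legit)
    malicious = build_zip({"user": "cyberx", "new_password": "attacker-chosen"})

    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "upload.zip")

        def write(data):
            with open(path, "wb") as f:
                f.write(data)

        def swap():  # the attacker replaces the upload after it has been checked
            write(malicious)

        write(legit)
        vulnerable_user = reset_vulnerable(path, legit_sig, race=swap)["user"]

        write(legit)
        hardened_user = reset_hardened(path, legit_sig, race=swap)["user"]

        write(malicious)
        try:
            reset_hardened(path, legit_sig)
            hardened_rejects_unsigned = False
        except PermissionError:
            hardened_rejects_unsigned = True

    return {
        "vulnerable_user": vulnerable_user,  # "cyberx": the attacker's JSON was acted on
        "hardened_user": hardened_user,  # "operator": the verified bytes were acted on
        "hardened_rejects_unsigned": hardened_rejects_unsigned,
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the signature must bind the exact bytes that are later parsed; verifying a path (or verifying in one service and parsing in another) leaves a gap that a second upload or a replaced file can slip through.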

This led the researchers to the discovery of a simple command injection issue impacting the change password mechanism, which was addressed as part of CVE-2021-42312.
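The shape of a command injection in a change-password handler, as an added example that is not the Defender for IoT code and not SentinelLabs' finding in detail (the page gives none). The vulnerable handler splices the user-supplied password into a shell command line; the hardened one runs no shell, passes an argv list, validates the user name against an allow-list pattern, and delivers the secret on stdin. `cat` stands in for the real password-changing tool so the demo runs unprivileged; the user name, payload and pattern are constructed.

```python
import re
import subprocess

# Accounts on the appliance are Unix accounts; allow only what such a name can contain.
# The pattern is an assumption for the demo.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def change_password_vulnerable(username, new_password):
    """The pattern behind a command injection: user input is spliced into a shell command line.

    `cat` stands in for the real tool so the demo runs without privileges; the point is the
    shell string, not the tool on the right of the pipe."""
    cmd = f"echo '{username}:{new_password}' | cat"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def change_password_hardened(username, new_password):
    """No shell at all: an argv list, and the secret travels on stdin, never on a command line."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    result = subprocess.run(
        ["cat"], input=f"{username}:{new_password}\n", capture_output=True, text=True
    )
    return result.stdout


# A "password" that closes the single quote and appends a command of its own.
PAYLOAD = "x'; echo INJECTED; echo '"


def run_demo():
    """Runs both handlers on the same input and records whether the injected command executed."""
    try:
        change_password_hardened("operator; id", "irrelevant")
        rejects_bad_username = False
    except ValueError:
        rejects_bad_username = True
    return {
        # contains the line INJECTED: the shell ran the attacker's command
        "vulnerable_output": change_password_vulnerable("operator", PAYLOAD),
        # the payload is delivered verbatim as data, nothing is executed
        "hardened_output": change_password_hardened("operator", PAYLOAD),
        "rejects_bad_username": rejects_bad_username,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

Quoting the password with `shlex.quote` would also close this particular hole, but keeping the shell out of the path entirely removes the whole class, and keeping the secret off the command line keeps it out of process listings as well.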

“While we have no evidence of in-the-wild exploitation of these vulnerabilities, we further recommend revoking any privileged credentials deployed to the platform before the cloud platforms have been patched, and checking access logs for irregularities,” SentinelLabs notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
