Researchers at endpoint security firm SentinelOne on Monday published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.
Designed with continuous network detection and response (NDR) capabilities, Defender for IoT supports various IoT, OT, and industrial control system (ICS) devices, and can be deployed both on-premises and in the cloud.
Tracked as CVE-2021-42311 and CVE-2021-42313, the two critical bugs have a CVSS score of 10 and were addressed by Microsoft with its December 2021 Patch Tuesday updates.
Both are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.
Identified in the token validation process, CVE-2021-42313 exists because the UUID parameter isn’t sanitized, SentinelLabs explains.
The researchers say the vulnerability allowed them to “insert, update, and execute SQL special commands.” They came up with proof-of-concept (PoC) code that exploits the bug to extract a logged-in user session ID from the database, which leads to complete account takeover.
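A minimal illustration of the bug class described above, added here for readers and not taken from SentinelLabs' PoC or from Defender for IoT's own code; the sessions table, the token values and the function names are hypothetical. It places the unsanitized pattern next to a hardened version that allow-lists the UUID format and binds it as a query parameter:

```python
import re
import sqlite3
import uuid

# Strict allow-list for a canonical lowercase hyphenated UUID (hypothetical policy).
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def make_db():
    """Constructed sample data: a sessions table keyed by a token UUID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, user TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("11111111-1111-4111-8111-111111111111", "alice"),
         ("22222222-2222-4222-8222-222222222222", "admin")],
    )
    conn.commit()
    return conn


def validate_token_vulnerable(conn, token):
    # The pattern the advisory describes: the caller-supplied UUID is dropped
    # straight into the SQL text, so the database parses it as part of the query.
    row = conn.execute(
        f"SELECT user FROM sessions WHERE token = '{token}'").fetchone()
    return row[0] if row else None


def validate_token_hardened(conn, token):
    # Layer 1: reject anything that is not a well-formed UUID before it reaches
    # the database. Layer 2: bind the value as a parameter, never as SQL text.
    if not isinstance(token, str) or not UUID_RE.match(token):
        return None
    try:
        uuid.UUID(token)  # canonical parse as a second, independent check
    except ValueError:
        return None
    row = conn.execute(
        "SELECT user FROM sessions WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None
```

The vulnerable version resolves a crafted, non-UUID value to a session it should never see; the hardened version returns no session for the same input and still resolves a genuine token.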
Also related to the token validation process, albeit performed by a different function, CVE-2021-42311 exists because an API token used for verification is shared across Defender for IoT installations.
SentinelLabs reported the critical vulnerabilities to Microsoft in June 2021 along with three other issues – two high-severity flaws in Microsoft Defender for IoT (CVE-2021-42312 and CVE-2021-42310) and a vulnerability in the RCDCAP open source project (CVE-2021-37222).
CVE-2021-42310, SentinelLabs explains, is related to the password recovery mechanism of the Azure portal, which consists of a Python web API and a Java web API and is prone to a time-of-check-time-of-use (TOCTOU) vulnerability.
The mechanism uses a signed password reset ZIP file that the user needs to upload on the password reset page. Due to the security bug, however, it was possible to use the signed ZIP file from a different user to create a ZIP file containing a malicious JSON.
The attack could be used to obtain the password for the privileged user cyberx (Microsoft acquired CyberX in 2020 and built Defender for IoT on its product), which could result in the execution of code with root privileges.
This led the researchers to the discovery of a simple command injection issue impacting the change password mechanism, which was addressed as part of CVE-2021-42312.
“While we have no evidence of in-the-wild exploitation of these vulnerabilities, we further recommend revoking any privileged credentials deployed to the platform before the cloud platforms have been patched, and checking access logs for irregularities,” SentinelLabs notes.