Security Experts:

Connect with us

Hi, what are you looking for?



Critical Vulnerabilities Found in Microsoft Defender for IoT

Researchers at endpoint security firm SentinelOne on Monday published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.

Researchers at endpoint security firm SentinelOne on Monday published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.

Designed with continuous network detection and response (NDR) capabilities, Defender for IoT supports various IoT, OT, and industrial control system (ICS) devices, and can be deployed both on-premises and in the cloud.

Tracked as CVE-2021-42311 and CVE-2021-42313, the two critical bugs have a CVSS score of 10 and were addressed by Microsoft with its December 2021 Patch Tuesday updates.

Both are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.

Identified in the token validation process, CVE-2021-42313 exists because the UUID parameter isn’t sanitized, SentinelLabs explains.

[ READ: Microsoft Patches for 51 Windows Security Defects ]

The researchers say the vulnerability allowed them to “insert, update, and execute SQL special commands.” They came up with proof-of-concept (PoC) code that exploits the bug to extract a logged-in user session ID from the database, which leads to complete account takeover.

Also related to the token validation process, albeit performed by a different function, CVE-2021-42311 exists because an API token used for verification is shared across Defender for IoT installations.

SentinelLabs reported the critical vulnerabilities to Microsoft in June 2021 along with three other issues – two high-severity flaws in Microsoft Defender for IoT (CVE-2021-42312 and CVE-2021-42310) and a vulnerability in the RCDCAP open source project (CVE-2021-37222).

CVE-2021-42310, SentinelLabs explains, is related to the password recovery mechanism of the Azure portal, which consists of a Python web API and a Java web API, which is prone to a time-of-check-time-of-use (TOCTOU) vulnerability.

[ READ: Patch Tuesday: Microsoft Calls Attention to ‘Wormable’ Windows Flaw ]

The mechanism uses a signed password reset ZIP file that the user needs to upload on the password reset page. Due to the security bug, however, it was possible to use the signed ZIP file from a different user to create a ZIP file containing a malicious JSON.

The attack could be used to obtain the password for the privileged user cyberx (Microsoft acquired CyberX in 2020 and built Defender for IoT on their product), which could result in the execution of code with root privileges.

This led the researchers to the discovery of a simple command injection issue impacting the change password mechanism, which was addressed as part of CVE-2021-42312.

“While we have no evidence of in-the-wild exploitation of these vulnerabilities, we further recommend revoking any privileged credentials deployed to the platform before the cloud platforms have been patched, and checking access logs for irregularities,” SentinelLabs notes.

Related: Microsoft Teams Abused for Malware Distribution in Recent Attacks

Related: Microsoft Urges Customers to Patch Recent Active Directory Vulnerabilities

Related: Microsoft Patches 67 Security Flaws, Including Zero-Day Exploited by Emotet

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.