Researchers at endpoint security firm SentinelOne on Monday published detailed information on two critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.
Designed with continuous network detection and response (NDR) capabilities, Defender for IoT supports various IoT, OT, and industrial control system (ICS) devices, and can be deployed both on-premises and in the cloud.
Tracked as CVE-2021-42311 and CVE-2021-42313, the two critical bugs have a CVSS score of 10 and were addressed by Microsoft with its December 2021 Patch Tuesday updates.
Both are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.
Identified in the token validation process, CVE-2021-42313 exists because the UUID parameter is placed into a database query without being sanitized, SentinelLabs explains.
The researchers say the vulnerability allowed them to “insert, update, and execute SQL special commands.” They came up with proof-of-concept (PoC) code that exploits the bug to extract a logged-in user session ID from the database, which leads to complete account takeover.
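The pattern described above, as an added illustration that is not SentinelLabs' proof-of-concept or Defender for IoT code: a token lookup that interpolates a caller-supplied "UUID" straight into SQL, the UNION payload that pulls a logged-in session identifier out of an unrelated table, and the hardened version that validates the UUID syntactically and binds it as a query parameter. The table names, column names, session values and the in-memory SQLite database are all constructed for the example.

```python
"""Illustrative only: unsanitized UUID in a token-validation query, the
injection that leaks a session id, and the parameterized fix.
Not Defender for IoT code; schema and data are invented for the demo."""
import sqlite3
import uuid


def build_db():
    # Constructed sample data: one API token and one logged-in admin session.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE api_tokens (uuid TEXT PRIMARY KEY, username TEXT);
        CREATE TABLE sessions (session_id TEXT, username TEXT);
        INSERT INTO api_tokens VALUES ('3fa85f64-5717-4562-b3fc-2c963f66afa6', 'operator');
        INSERT INTO sessions VALUES ('sess-admin-9f1c', 'admin');
    """)
    return conn


def validate_token_vulnerable(conn, token_uuid):
    # The UUID is dropped straight into the statement text, so whatever the
    # caller sends is parsed as SQL rather than treated as data.
    query = "SELECT username FROM api_tokens WHERE uuid = '%s'" % token_uuid
    return [row[0] for row in conn.execute(query)]


def validate_token_fixed(conn, token_uuid):
    # Reject anything that is not syntactically a UUID, then bind the
    # canonical value as a parameter so it can never alter the query.
    try:
        canonical = str(uuid.UUID(token_uuid))
    except ValueError:
        return []
    query = "SELECT username FROM api_tokens WHERE uuid = ?"
    return [row[0] for row in conn.execute(query, (canonical,))]


# Attacker-controlled "uuid": closes the string literal, appends a UNION that
# reads a session id from another table, and comments out the trailing quote.
INJECTION = "' UNION SELECT session_id FROM sessions WHERE username='admin' --"
LEGIT_UUID = "3fa85f64-5717-4562-b3fc-2c963f66afa6"


def demo():
    conn = build_db()
    leaked = validate_token_vulnerable(conn, INJECTION)   # session id leaks
    blocked = validate_token_fixed(conn, INJECTION)       # payload rejected
    legit = validate_token_fixed(conn, LEGIT_UUID)        # normal lookup works
    return leaked, blocked, legit


if __name__ == "__main__":
    print(demo())
```

The leaked value is a session identifier, which is exactly what the researchers report using to take over an account: with it, the attacker never needs the victim's password. Note that the fix does two things; parameter binding alone stops the injection, and the `uuid.UUID` check additionally turns malformed input into an early rejection rather than a failed database lookup.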
Also in the token validation process, though performed by a different function, CVE-2021-42311 is exploitable because the API token that function checks is shared across all Defender for IoT installations, so the check offers no real protection.
SentinelLabs reported the critical vulnerabilities to Microsoft in June 2021 along with three other issues – two high-severity flaws in Microsoft Defender for IoT (CVE-2021-42312 and CVE-2021-42310) and a vulnerability in the RCDCAP open source project (CVE-2021-37222).
CVE-2021-42310, SentinelLabs explains, affects the password recovery mechanism, which relies on the Azure portal and is implemented as a Python web API and a Java web API. The mechanism is prone to a time-of-check-time-of-use (TOCTOU) vulnerability.
The mechanism uses a signed password reset ZIP file that the user must upload to the password reset page. Because of the bug, however, a signed ZIP file belonging to a different user could be reused to build a ZIP file containing a malicious JSON file.
The attack could be used to obtain the password of the privileged user cyberx (Microsoft acquired CyberX in 2020 and built Defender for IoT on its product), which could lead to code execution with root privileges.
This in turn led the researchers to discover a simple command injection issue in the change password mechanism, which was addressed as CVE-2021-42312.
“While we have no evidence of in-the-wild exploitation of these vulnerabilities, we further recommend revoking any privileged credentials deployed to the platform before the cloud platforms have been patched, and checking access logs for irregularities,” SentinelLabs notes.