Researchers at endpoint security firm SentinelOne on Monday released detailed information on several critical remote code execution vulnerabilities found in Microsoft Defender for IoT.
Built with continuous network detection and response (NDR) capabilities, Defender for IoT supports a range of IoT, OT, and industrial control system (ICS) devices, and can be deployed both on-premises and in the cloud.
Tracked as CVE-2021-42311 and CVE-2021-42313, the two critical bugs have a CVSS score of 10 and were addressed by Microsoft with its December 2021 Patch Tuesday updates.
Both are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.
Identified in the token validation process, CVE-2021-42313 exists because the UUID parameter isn't sanitized, SentinelLabs explains.
The researchers say the vulnerability allowed them to “insert, update, and perform SQL special commands.” They came up with proof-of-concept (PoC) code that exploits the bug to extract a logged-in user's session ID from the database, leading to full account takeover.
Also related to the token validation process, albeit performed by a different function, CVE-2021-42311 exists because an API token used for authentication is shared across Defender for IoT installations.
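The defect behind CVE-2021-42313, as described above, is a token lookup that trusts a caller-supplied UUID. The following is an added illustration of that bug class and its fix, written for this page; it is not SentinelLabs' PoC nor Defender for IoT's code, and the table name, column names and the sample token are constructed. The hardened lookup applies the two controls that together close this class: parse the value as a UUID before using it, and bind it as a query parameter rather than formatting it into SQL text.

```python
import sqlite3
import uuid


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for an API-token table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_tokens (token_uuid TEXT PRIMARY KEY, username TEXT, valid INTEGER)"
    )
    conn.execute(
        "INSERT INTO api_tokens VALUES (?, ?, ?)",
        ("5f1d0f3e-2c4b-4e6a-9a1b-3c2d1e0f9a8b", "alice", 1),  # constructed sample token
    )
    conn.commit()
    return conn


def lookup_token_vulnerable(conn: sqlite3.Connection, token_uuid: str):
    """Token check that interpolates the caller-supplied UUID straight into SQL.

    Nothing validates token_uuid, so a quoting character in it changes the
    meaning of the query instead of being compared as data.
    """
    query = (
        "SELECT username FROM api_tokens "
        f"WHERE token_uuid = '{token_uuid}' AND valid = 1"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_token_hardened(conn: sqlite3.Connection, token_uuid: str):
    """Same check with input validation plus a bound parameter.

    uuid.UUID() raises ValueError on anything that is not 32 hex digits
    (quotes, spaces and SQL keywords included), and str() canonicalises
    case and braces so the comparison is against one normal form.
    """
    try:
        canonical = str(uuid.UUID(token_uuid))
    except ValueError:
        return None
    row = conn.execute(
        "SELECT username FROM api_tokens WHERE token_uuid = ? AND valid = 1",
        (canonical,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_demo_db()
    not_a_uuid = "' OR '1'='1"  # constructed non-UUID input
    print("vulnerable:", lookup_token_vulnerable(db, not_a_uuid))  # ['alice']
    print("hardened:  ", lookup_token_hardened(db, not_a_uuid))    # None
```

The vulnerable variant returns a valid user for an input that is not a token at all, which is the "authentication bypass" shape of this bug; the hardened variant refuses it at the parse step, before the database is consulted. In a code review, any query built with string formatting from a request parameter deserves the same two questions: is the value parsed into its expected type, and is it bound rather than concatenated.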
SentinelLabs reported the critical vulnerabilities to Microsoft in June 2021 together with three other issues: two high-severity flaws in Microsoft Defender for IoT (CVE-2021-42312 and CVE-2021-42310) and a vulnerability in the RCDCAP open source project (CVE-2021-37222).
CVE-2021-42310, SentinelLabs explains, is related to the password recovery mechanism of the Azure portal, which consists of a Python web API and a Java web API and is prone to a time-of-check-time-of-use (TOCTOU) vulnerability.
The mechanism uses a signed password reset ZIP file that the user needs to upload on the password reset page. Due to the security bug, however, it was possible to use the signed ZIP file from a different user to produce a ZIP file containing malicious JSON.
The attack could be used to obtain the password for the privileged user cyberx (Microsoft acquired CyberX in 2020 and built Defender for IoT on its product), which could lead to code execution with root privileges.
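The two weaknesses the page attributes to CVE-2021-42310 are a check-then-use gap (the upload is verified, then read again before it is acted on) and a signed bundle from one user being accepted for another. The block below is an added model of both, written for this page; it is not Microsoft's reset mechanism and its HMAC-based signature, the `reset.json` member name and the signing key are constructed for the demonstration. `load_upload` stands in for "read the uploaded file from disk"; a loader that returns different bytes on its second call simulates the file being swapped between check and use.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Constructed signing key for the demo only.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def build_reset_zip(request: dict) -> bytes:
    """Pack a reset request (JSON) into a ZIP, mirroring the upload format the page describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reset.json", json.dumps(request))
    return buf.getvalue()


def sign(blob: bytes) -> str:
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).hexdigest()


def signature_ok(blob: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(blob), signature)


def issue_reset_zip(username: str):
    """Server side: a signed bundle bound to one account. Returns (zip bytes, signature)."""
    blob = build_reset_zip({"user": username})
    return blob, sign(blob)


def parse_reset(blob: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return json.loads(zf.read("reset.json"))


def make_swapping_loader(first: bytes, second: bytes):
    """Loader that hands back `first` on the first read and `second` afterwards:
    the race condition, made deterministic for the demo."""
    seq = iter([first, second])
    return lambda: next(seq)


def reset_toctou(load_upload, signature: str, account: str):
    """Time of check and time of use are two separate reads of the upload.

    Only the first read is verified; whatever the second read returns is parsed
    and acted on. The signed JSON's `user` is also never compared with `account`.
    Returns the username whose password would be reset, or None.
    """
    if not signature_ok(load_upload(), signature):
        return None
    request = parse_reset(load_upload())
    return request["user"]


def reset_hardened(load_upload, signature: str, account: str):
    """Read once, verify those exact bytes, parse those same bytes, and require
    that the signed request names the account being reset."""
    blob = load_upload()
    if not signature_ok(blob, signature):
        return None
    request = parse_reset(blob)
    if request.get("user") != account:
        return None
    return request["user"]


if __name__ == "__main__":
    good, sig = issue_reset_zip("bob")
    forged = build_reset_zip({"user": "cyberx"})  # never signed by the server
    print("toctou:  ", reset_toctou(make_swapping_loader(good, forged), sig, "bob"))   # cyberx
    print("hardened:", reset_hardened(make_swapping_loader(good, forged), sig, "bob")) # bob
```

The general rule the hardened path follows is that the bytes a signature was checked over must be the only bytes that are later trusted, and that a signature proves origin but not intent: the signed payload still has to be matched against the identity it is being used for.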
This led the researchers to the discovery of a simple command injection issue affecting the change password mechanism, which was resolved as part of CVE-2021-42312.
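The page gives no detail on the change-password command injection beyond its class, so the following is an added, generic illustration of that class and not the Defender for IoT handler: a password change that shells out to `chpasswd`, first built as a shell string and then as a fixed argv with the values on stdin. The `chpasswd` invocation, the username allowlist and the `runner` hook are assumptions of this example. The point worth taking from it is that dropping the shell is necessary but not sufficient: `chpasswd` reads `user:password` lines, so a newline or colon in either value would still address a different account.

```python
import re
import subprocess

# Conventional Linux username shape; anything outside it is refused.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def change_password_vulnerable(username: str, new_password: str) -> str:
    """Builds the command line a naive handler would pass to a shell.

    Returned rather than executed so its shape can be inspected: with shell=True,
    a single quote in either value ends the quoted string and the rest of the
    input is parsed by the shell as further commands.
    """
    return f"echo '{username}:{new_password}' | chpasswd"


def build_chpasswd_call(username: str, new_password: str):
    """Hardened form: fixed argv, no shell, user-controlled values only on stdin.

    Two checks remain necessary because chpasswd's stdin is line-oriented:
      - the username must match the allowlist, so it cannot carry ':' or a newline;
      - the password must be a single line, or a second line would reset another account.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by allowlist")
    if "\n" in new_password or "\r" in new_password:
        raise ValueError("password must be a single line")
    argv = ["chpasswd"]
    stdin = f"{username}:{new_password}\n".encode()
    return argv, stdin


def call_rejected(username: str, new_password: str) -> bool:
    """True if the hardened builder refuses this pair of values."""
    try:
        build_chpasswd_call(username, new_password)
    except ValueError:
        return True
    return False


def change_password_hardened(username: str, new_password: str, runner=None) -> bool:
    """Validate, then run without a shell. `runner` defaults to subprocess.run;
    the demo below passes a recording stand-in so nothing on the host changes."""
    argv, stdin = build_chpasswd_call(username, new_password)
    run = runner or (lambda a, data: subprocess.run(a, input=data, check=True))
    run(argv, stdin)
    return True


if __name__ == "__main__":
    recorded = []
    change_password_hardened("bob", "c0rrect horse", runner=lambda a, d: recorded.append((a, d)))
    print(recorded)                                   # [(['chpasswd'], b'bob:c0rrect horse\n')]
    print(call_rejected("bob", "x\nroot:other"))      # True: second line would hit another account
    print(change_password_vulnerable("bob'", "x"))    # quote boundary broken: three quotes
```

The same shape applies to any privileged helper invoked from a web handler: a fixed argv, validated operands, and awareness of the helper's own input grammar, since the helper, not the shell, is what finally interprets the bytes.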
“While we have no evidence of in-the-wild exploitation of these vulnerabilities, we further recommend revoking any privileged credentials deployed to the platform before the cloud platforms have been patched, and checking access logs for irregularities,” SentinelLabs notes.