Microsoft Patches Five Azure Defender for IoT Vulnerabilities, Including Two Critical Ones

essidsolutions

Microsoft Azure Defender for IoT, a security solution for IoT, OT and ICS devices, has been found to contain five security vulnerabilities. All five were discovered by SentinelOne; two of them enable remote code execution and SQL injection.

SentinelOne disclosed the five vulnerabilities this week, nine months after the cybersecurity company alerted Microsoft last June. Microsoft released security updates to patch these flaws in December 2021, meaning the patches took at least six months to appear.

“It’s particularly concerning when it comes to IoT and OT devices that have little to no defenses and depend entirely on these vulnerable platforms for their security posture,” said SentinelOne. “Cloud users should take a defense-in-depth approach to cloud security to ensure breaches are detected and contained, whether the threat comes from the outside or from the platform itself.”

The five vulnerabilities impact both cloud and on-premise implementations of Azure Defender for IoT. They are tracked as CVE-2021-42310, CVE-2021-42312, CVE-2021-37222, CVE-2021-42313 and CVE-2021-42311.

SentinelOne noted that a “successful attack may lead to full network compromise, since Azure Defender For IoT is configured to have a TAP (Terminal Access Point) on the network traffic. Access to sensitive information on the network could open a number of sophisticated attacking scenarios that could be difficult or impossible to detect.”

Fortunately, neither SentinelOne nor Microsoft has any evidence of exploitation attempts in the wild.

Of the five vulnerabilities in Azure Defender for IoT, CVE-2021-42311 and CVE-2021-42313 received a CVSS score of 10 out of 10, making them the most critical ones. Both can allow unauthenticated SQL injection and remote code execution on target systems.

CVE-2021-42313 exists because the UUID parameter isn’t sanitized, which allows an attacker to insert, update and execute special SQL commands. CVE-2021-42311, on the other hand, is exploitable because the update.token value is hardcoded in the file index.properties, which is shared across all Defender for IoT installations worldwide.

CVE-2021-42310 and CVE-2021-42312 have CVSS scores of 8.1 and 7.8, respectively, making them high-severity vulnerabilities. The former resides in the password recovery mechanism of Azure Defender for IoT. It can be exploited through a time-of-check-time-of-use (TOCTOU) race: the attacker uploads a ZIP file containing a malicious JSON file with the device ApplianceID and other device properties.

The platform, which provides IoT/OT asset discovery, vulnerability management and threat detection, validates the file and the device, but then allows the threat actor to reset a password for an account they do not own. Once this is done, the threat actor can log into the SSH server and execute code as root.

CVE-2021-42312 is an extension of CVE-2021-42310: the new password is supplied as a JSON field, but the Azure function only “checks the complexity of the password using regex, but does not sanitize the input for command injection primitives.” As a result, a threat actor can inject any command they want, and it runs as root.
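The two input-handling flaws described above (the unsanitized UUID parameter behind CVE-2021-42313 and the complexity-only password check behind CVE-2021-42312) share one defensive lesson: validate the shape of the input, then keep it out of any interpreter. The following is an added illustration, not code from Azure Defender for IoT or SentinelOne; the complexity regex, the sample device table and the sample UUID are all constructed here.

```python
import re
import sqlite3
import uuid

# Constructed complexity rule (the product's own regex is not on the page):
# at least 8 chars with an upper-case letter, a lower-case letter and a digit.
COMPLEXITY_RE = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,}$")
# Characters a shell would interpret; a complexity regex alone lets them through.
SHELL_META = set(";|&$`\\\"'<>(){}\n")

SAMPLE_UUID = "f47ac10b-58cc-4372-a567-0e02b2c3d479"  # constructed device id


def validate_uuid(raw):
    """Return the canonical UUID string, or None for anything that is not one."""
    try:
        parsed = uuid.UUID(raw)
    except (TypeError, ValueError):
        return None
    # uuid.UUID also accepts braces, 'urn:uuid:' and undashed hex; insist on
    # the canonical form so only the exact expected shape reaches the query.
    return str(parsed) if str(parsed) == raw.lower() else None


def make_sample_db():
    """In-memory table standing in for the appliance's device store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (uuid TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO devices VALUES (?, ?)", (SAMPLE_UUID, "plc-01"))
    return conn


def lookup_device(conn, raw_uuid):
    """Validate first, then bind the value as a parameter: no string building."""
    dev = validate_uuid(raw_uuid)
    if dev is None:
        return None
    row = conn.execute("SELECT name FROM devices WHERE uuid = ?", (dev,)).fetchone()
    return row[0] if row else None


def password_passes_complexity(pw):
    """The check the article describes: complexity only, metacharacters pass."""
    return bool(COMPLEXITY_RE.match(pw))


def accept_password(pw):
    """Complexity plus rejection of shell metacharacters; the value should then
    reach any helper via argv or stdin with shell=False, never as a shell string."""
    return password_passes_complexity(pw) and not (SHELL_META & set(pw))
```

A string such as `Abc12345;id` satisfies the complexity rule yet fails `accept_password`, which is exactly the gap the article attributes to the complexity-only check.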

Finally, CVE-2021-37222 (CVSS 9.8) resides in RCDCap, an open-source packet-processing framework. It is a wild-copy heap-based buffer overflow and can allow arbitrary code execution.
