SentinelOne this week revealed a number of vulnerabilities in Microsoft Azure Defender for IoT, including two critical ones. The vulnerabilities, which took Microsoft six months to fix, allowed unauthorized attackers to hack devices and seize control of critical infrastructure networks.
The Microsoft Azure Defender security solution for IoT should detect and block suspicious activity, as well as detect known vulnerabilities and manage the inventory of updates and equipment in IoT systems and automated process control systems. Energy companies and other users can deploy it both locally and for devices connected to Azure.
The vulnerabilities disclosed this week have all been fixed, and no signs of their exploitation in hacker attacks have been detected.
“A successful attack can lead to a complete compromise of the network, since Azure Defender For IoT is configured so that TAP (Terminal Access Point) is in network traffic. Access to sensitive information on the network can lead to a number of complex attack scenarios that will be difficult or even impossible to detect,” the SentinelLabs researchers explained.
Two critical vulnerabilities in Defender for IoT, CVE-2021-42311 and CVE-2021-42313, allow SQL injections and received 10 points out of 10 on the vulnerability risk assessment scale.
Authentication is not required to operate CVE-2021-42311, since the “secret” API token needed for this is common to all Defender installations worldwide. The same applies to CVE-2021-42313, which also allows SQL injection without authentication, since the UUID parameter is not checked properly before it is used in an SQL query.
Vulnerability CVE-2021-42310, marked as highly dangerous, affects the password recovery mechanism in Defender for IoT. An attacker can carry out a TOCTOU (time-of-check-time-of-use – verification time/usage time) attack to reset the password to the device and get a new one without authentication.
The fourth vulnerability, CVE-2021-42312, also affects the password recovery mechanism and allows you to execute code using command injection.
Vulnerability CVE-2021-37222 is present in the open source RCDCap package processing framework.