Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT
SQL injection, race condition, bad cryptographic check pave way for infrastructure network takeovers
SentinelOne this week detailed a handful of bugs, including two critical remote code execution vulnerabilities, it found in Microsoft Azure Defender for IoT.
These security flaws, which took six months to address, could have been exploited by an unauthenticated attacker to compromise devices and take over critical infrastructure networks.
Microsoft Azure Defender for IoT is supposed to detect and respond to suspicious behavior as well as highlight known vulnerabilities, and manage patching and equipment inventories, for Internet-of-Things and industrial control systems. Energy utilities and other customers can deploy the product on-premises, and for Azure-connected devices.
All five vulnerabilities have since been patched, and neither Microsoft nor SentinelOne's research arm is aware of any in-the-wild abuse. However, they highlight the difficulty of securing aging operational technology networks, and the expanding attack surface created by the growing number of IoT devices.
"Successful attack may lead to full network compromise, since Azure Defender For IoT is configured to have a TAP (Terminal Access Point) on the network traffic," according to a technical analysis by SentinelLabs' Kasif Dekel and independent researcher Ronen Shustin. "Access to sensitive information on the network could open a number of sophisticated attacking scenarios that could be difficult or impossible to detect."
Two of the critical bugs in Defender for IoT, CVE-2021-42311 and CVE-2021-42313, were SQL injection vulnerabilities and both received a perfect 10 out of 10 score in terms of severity.
An attacker could exploit CVE-2021-42311 without any authentication because the "secret" API token that gates the vulnerable endpoint is shared across all Defender for IoT installations worldwide, according to the security researchers. CVE-2021-42313 can likewise be triggered without authentication because a UUID parameter is not properly sanitized before being used in an SQL query.
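The UUID flaw above is a textbook case of a value reaching the query text unvalidated. The following is an added illustration, not code from the product or from SentinelLabs: a constructed in-memory table, the string-splicing pattern beside a version that parses the UUID strictly and binds it as a parameter. Table layout, column names and sample rows are assumptions.

```python
import sqlite3
import uuid

# Constructed in-memory stand-in for the table the UUID parameter is looked up against;
# the real schema and values are not on the page.
def make_device_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (uuid TEXT PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO devices VALUES (?, ?)", [
        ("123e4567-e89b-12d3-a456-426614174000", "plc-01"),
        ("00000000-0000-4000-8000-000000000001", "hmi-02"),
    ])
    return con

def lookup_vulnerable(con: sqlite3.Connection, raw_uuid: str) -> list:
    """Unsanitized pattern: the parameter is spliced into the SQL text, so the
    database parses whatever quotes and operators the caller supplied."""
    query = f"SELECT name FROM devices WHERE uuid = '{raw_uuid}'"
    return [row[0] for row in con.execute(query)]

def is_uuid(raw_uuid: str) -> bool:
    """uuid.UUID raises ValueError for anything that is not a UUID."""
    try:
        uuid.UUID(raw_uuid)
        return True
    except ValueError:
        return False

def canonical_uuid(raw_uuid: str) -> str:
    """Strict parse, then the lowercase hyphenated form so the lookup does not
    depend on how the caller formatted the value (braces, case, urn: prefix)."""
    return str(uuid.UUID(raw_uuid))

def lookup_hardened(con: sqlite3.Connection, raw_uuid: str) -> list:
    """Two independent controls: type validation first (raises ValueError on
    hostile input), then a bound parameter so the value is never parsed as SQL."""
    value = canonical_uuid(raw_uuid)
    rows = con.execute("SELECT name FROM devices WHERE uuid = ?", (value,))
    return [row[0] for row in rows]
```

Either control alone would have stopped the injection; keeping both means a future query that forgets to bind still never sees a string containing quotes.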
CVE-2021-42310, rated high severity, lies in the Defender for IoT device password recovery mechanism.
SentinelLabs explained that an attacker could perform a time-of-check-to-time-of-use (TOCTOU) attack to reset and receive the password of a device without any authentication. To start this off, the miscreant uploads a ZIP archive containing some configuration information and, supposedly, the cryptographic data needed to prove the user owns and operates the device. The software's digital signature check is poorly implemented, however: it accepts configuration info that is self-signed rather than signed with a key associated with the device owner, which should never be accepted.
This config information can be written in a way – an ID value contains a single hyphen – that bypasses another security check, leading to a race condition that produces and displays a new password for the device.
After obtaining this credential, which authenticates the attacker as a privileged user, the miscreant can log in to the SSH server and execute code as root. Or, as addressed in CVE-2021-42312, an attacker "could use a stealthier approach to execute code" via a simple command injection vulnerability in the password-change mechanism, according to the security analysts.
A buggy function validates the username and password, which the attacker already has, and then it checks the complexity of the new password using regex, "but does not sanitize the input for command injection primitives," SentinelLabs wrote:
After the validation it executes the /usr/local/bin/cyberx-users-password-reset script as root with the username and new password controlled by an attacker. As the function doesn't sanitize the input of "new_password" properly, we can inject any command we choose. Our command will then be executed as root with the help of sudo because the cyberx user is a sudoer. This lets us execute code as a root user.
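The pattern just quoted, a complexity regex followed by interpolation into a root-privileged command, is worth seeing side by side with its fix. This is an added example, not the product's code or SentinelLabs' proof of concept: the complexity regex, the argument shape of the reset script and the username allowlist are all assumptions, and the script is never executed here.

```python
import re
import shlex
import subprocess

# Script path as named in the article; the hardened runner builds argv for it but
# this example never executes it.
RESET_SCRIPT = "/usr/local/bin/cyberx-users-password-reset"

# Assumed complexity policy: the page says a regex is used but does not give it.
COMPLEXITY_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$")
SHELL_METACHARS = set(";|&$`<>(){}*?\n\"'\\ ")

def passes_complexity(new_password: str) -> bool:
    """Answers only 'is it strong enough'; it says nothing about what a shell does with it."""
    return COMPLEXITY_RE.match(new_password) is not None

def shell_metachars(value: str) -> set:
    """Characters in the value that a POSIX shell would interpret rather than pass through."""
    return {c for c in value if c in SHELL_METACHARS}

def build_vulnerable_command(username: str, new_password: str) -> str:
    """The pattern the article describes: check complexity, then interpolate the raw
    value into one command string that is handed to a shell (os.system / shell=True)."""
    if not passes_complexity(new_password):
        raise ValueError("password too weak")
    return f"sudo {RESET_SCRIPT} {username} {new_password}"

def shell_word_count(command: str) -> int:
    """How many words a shell would split the command string into."""
    return len(shlex.split(command))

def build_hardened_argv(username: str, new_password: str) -> list:
    """Each value is exactly one argv element and no shell is involved, so shell
    syntax inside the password is inert. The username is additionally constrained
    to an allowlist because it names an account (assumed pattern)."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        raise ValueError("username outside allowlist")
    if not passes_complexity(new_password):
        raise ValueError("password too weak")
    return ["sudo", RESET_SCRIPT, username, new_password]

def run_hardened(username: str, new_password: str) -> int:
    """Execute without a shell. Secrets on argv are visible in process listings, so
    a real implementation should feed the password on stdin if the script allows it."""
    argv = build_hardened_argv(username, new_password)
    return subprocess.run(argv, shell=False, check=False).returncode
```

The test value "Str0ngPass; echo injected" is constructed: it satisfies the assumed complexity policy yet splits into extra words when a shell parses it, which is exactly why a strength check is not an injection check.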
A fifth vuln, CVE-2021-37222, affects the open source RCDCap packet processing framework.
The team disclosed the vulnerabilities to Microsoft in June 2021, and the software giant started working on fixes a month later, according to the researchers. However, Microsoft didn't issue a security alert or software update for the bugs until December.
When asked about the almost six-month delay in patching the vulnerabilities, a Microsoft spokesperson said:
Security vulnerabilities are serious issues we all face and that is why we partner with the industry and follow the Coordinated Vulnerability Disclosure (CVD) process to protect customers before vulnerabilities are public. We addressed the specific issues mentioned and we appreciate the finder working with us to ensure customers remain safe.
While none of these bugs were exploited beyond SentinelLabs' proof-of-concept code, these vulnerabilities are "particularly concerning when it comes to IoT and OT devices that have little to no defenses and depend entirely on these vulnerable platforms for their security posture," the analysis warned.
"Cloud users should take a defense-in-depth approach to cloud security to ensure breaches are detected and contained, whether the threat comes from the outside or from the platform itself," it concluded. ®