Security News > 2022 > March > Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT

Detailed: Critical hijacking bugs that took months to patch in Microsoft Azure Defender for IoT
2022-03-30 02:18

SentinelOne this week detailed a handful of bugs, including two critical remote code execution vulnerabilities, it found in Microsoft Azure Defender for IoT. These security flaws, which took six months to address, could have been exploited by an unauthenticated attacker to compromise devices and take over critical infrastructure networks.

Microsoft Azure Defender for IoT is supposed to detect and respond to suspicious behavior as well as highlight known vulnerabilities, and manage patching and equipment inventories, for Internet-of-Things and industrial control systems.

"Successful attack may lead to full network compromise, since Azure Defender For IoT is configured to have a TAP on the network traffic," according to a technical analysis by SentinelLabs' Kasif Dekel and independent researcher Ronen Shustin.

Two of the critical bugs in Defender for IoT, CVE-2021-42311 and CVE-2021-42313, were SQL injection vulnerabilities and both received a perfect 10 out of 10 score in terms of severity.

CVE-2021-42310, which is ranked as a high-severity vulnerability, targets the Defender for IoT device password recovery mechanism.

While none of these bugs were exploited beyond SentinelLab's proof-of-concept code, these vulnerabilities are "Particularly concerning when it comes to IoT and OT devices that have little to no defenses and depend entirely on these vulnerable platforms for their security posture," the analysis warned.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/30/sentinelone_microsoft_azure_iot/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-12-15 CVE-2021-42313 SQL Injection vulnerability in Microsoft Defender for IOT
Microsoft Defender for IoT Remote Code Execution Vulnerability
network
low complexity
microsoft CWE-89
critical
10.0
2021-12-15 CVE-2021-42311 SQL Injection vulnerability in Microsoft Defender for IOT
Microsoft Defender for IoT Remote Code Execution Vulnerability
network
low complexity
microsoft CWE-89
critical
10.0
2021-12-15 CVE-2021-42310 Unspecified vulnerability in Microsoft Defender for IOT
Microsoft Defender for IoT Remote Code Execution Vulnerability
network
low complexity
microsoft
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 701 775 4527 4650 3617 13569