
Researchers published detailed information on a couple of critical remote code execution vulnerabilities discovered in Microsoft Defender for IoT.
Tracked as CVE-2021-42311 and CVE-2021-42313, both critical bugs are SQL injection vulnerabilities that a remote attacker could exploit without authentication to achieve arbitrary code execution.
The vulnerability was published with proof-of-concept (PoC) code that exploits the bug to extract a logged-in user's session ID from the database, which leads to complete account takeover.
Three other issues have also been reported – two high-severity flaws in Microsoft Defender for IoT (CVE-2021-42312 and CVE-2021-42310) and a vulnerability in the RCDCAP open-source project (CVE-2021-37222).
CVE-2021-42310 is related to the password recovery mechanism of the Azure portal, which consists of a Python web API and a Java web API and is prone to a time-of-check-time-of-use (TOCTOU) vulnerability.
The mechanism uses a signed password reset ZIP file that the user needs to upload on the password reset page. The attack could be used to obtain the password, which could result in the execution of code with root privileges. Microsoft acquired CyberX and built Defender for IoT on its product.
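The TOCTOU class described above, as an added example that is not Microsoft's code or the researchers' PoC: a handler that verifies a signed ZIP by path and then reopens the same path, next to one that reads the upload once and verifies and parses the same bytes. The HMAC key, the `reset.properties` member name and the `hook` callback that models a concurrent upload are assumptions for illustration; the page does not say how the product signs or stores the file.

```python
import hashlib, hmac, io, os, tempfile, zipfile
from pathlib import Path

KEY = b"constructed-demo-key"  # assumption: stand-in for the real signing scheme

def sign(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def make_reset_zip(properties: str) -> bytes:
    """Build a constructed reset archive holding one properties file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reset.properties", properties)
    return buf.getvalue()

def reset_vulnerable(path: str, sig: bytes, hook=None) -> str:
    """Check-then-use by path: the file on disk is read twice."""
    if not hmac.compare_digest(sign(Path(path).read_bytes()), sig):  # time of check
        raise ValueError("bad signature")
    if hook:
        hook()                                   # models a second, concurrent upload
    with zipfile.ZipFile(path) as zf:            # time of use: second read of the path
        return zf.read("reset.properties").decode()

def reset_hardened(path: str, sig: bytes, hook=None) -> str:
    """Read once, then verify and parse the same in-memory bytes."""
    data = Path(path).read_bytes()
    if not hmac.compare_digest(sign(data), sig):
        raise ValueError("bad signature")
    if hook:
        hook()                                   # a swap on disk no longer matters
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("reset.properties").decode()

def demo() -> list:
    """Run both handlers while the file is replaced between check and use."""
    signed = make_reset_zip("user=alice")        # constructed, signed archive
    other = make_reset_zip("user=other")         # constructed, never signed
    sig = sign(signed)
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "upload.zip")
        for handler in (reset_vulnerable, reset_hardened):
            Path(path).write_bytes(signed)
            results.append(handler(path, sig, lambda: Path(path).write_bytes(other)))
    return results
```

`demo()` shows the vulnerable handler acting on the unsigned archive while the hardened one still returns the signed content; storing each upload under a unique, server-chosen name closes the same gap from the other side.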