SentinelOne’s SentinelLabs discovered a number of security flaws in Microsoft Azure’s Defender for IoT last year. Several of these vulnerabilities were rated “Critical” for severity and impact. Microsoft has issued patches for all the bugs, but the company urges Azure Defender for IoT users to take action immediately.
The flaws discovered by security researchers at SentinelLabs can allow attackers to remotely compromise devices protected by Microsoft Azure Defender for IoT. Exploits based on these vulnerabilities take advantage of certain weaknesses in Azure’s Password Recovery mechanism.
SentinelLabs says it proactively reported the security vulnerabilities to Microsoft in June 2021. The vulnerabilities are tracked as CVE-2021-42310, CVE-2021-42312, CVE-2021-37222, CVE-2021-42313, and CVE-2021-42311 and are rated Critical, some with a CVSS score of 10.0, the highest possible. The security researchers say they have not yet found evidence of in-the-wild abuse. In other words, although the security flaws in Microsoft Azure Defender for IoT are over eight months old, no recorded attacks have been based on the bugs.
Microsoft Defender for IoT is an agent-less, network-layer security solution for continuous IoT (Internet of Things) and OT (Operational Technology) asset discovery, vulnerability management, and threat detection. Microsoft states that this protection layer does not require changes to existing environments. It is a flexible security platform, which means users can choose to deploy it either on-premises or in Azure-connected environments.
Microsoft acquired CyberX in 2020, and Azure Defender for IoT is largely based on CyberX’s product. At least one of the attack vectors was discovered in an installation script and a tar archive containing the system’s encrypted files. Both files are present in the home directory of the “CyberX” user, and the script decrypts the archive file.
The vulnerabilities that SentinelLabs discovered affect both cloud and on-premises customers. Although there is no evidence of “in the wild” exploits, a successful attack can lead to full network compromise. This is primarily because Azure Defender for IoT is configured with a TAP (Terminal Access Point) on the network traffic. Needless to add, once attackers have unrestricted access to that traffic, they can execute any attack or steal sensitive information.