Microsoft Defender for IoT Remote Code Execution Vulnerability
Description
Microsoft Defender for IoT Remote Code Execution Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Microsoft Azure Defender for IoT's sync endpoint contains an SQL injection allowing unauthenticated remote attackers to bypass authentication and execute arbitrary code as root.
Vulnerability
The vulnerability is an SQL injection in the sync endpoint of Microsoft Azure Defender for IoT. The issue occurs because the software fails to properly validate a user-supplied string before using it to construct SQL queries. This allows an attacker to inject arbitrary SQL commands. The vulnerability affects Azure Defender for IoT as reported in ZDI-21-1555 [1].
Exploitation
An unauthenticated attacker with network access to the Azure Defender for IoT instance can exploit this vulnerability by sending a crafted request to the sync endpoint. No authentication or user interaction is required. The attacker injects SQL commands to bypass authentication mechanisms and then execute arbitrary code in the context of root.
Impact
Successful exploitation allows the attacker to bypass authentication and execute arbitrary code with root privileges. This leads to full compromise of the affected system, including complete confidentiality, integrity, and availability impact (CIA triad).
Mitigation
Microsoft released a security update to address this vulnerability in December 2021. Users should apply the latest patches for Azure Defender for IoT as soon as possible. For details, refer to the advisory [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:defender_for_iot:-:*:*:*:*:*:*:* (Range: 22.0.0)
References
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-42313 (mitre, x_refsource_MISC)
- www.zerodayinitiative.com/advisories/ZDI-21-1555/ (mitre, x_refsource_MISC)