Microsoft Defender for Endpoint
cpe:2.3:a:microsoft:defender_for_endpoint:*:*:*:*:linux:*:*
A code injection vulnerability has been identified in Microsoft Defender for Endpoint on Linux. An unauthorized attacker on an adjacent network can use it to execute code on affected systems. The root cause is improper control of code generation: during installation of the Linux extension, data returned to the installer over the network is spliced into shell commands without sanitization, so an attacker who intercepts and manipulates the installation's requests can inject commands that run with root privileges.
Successful exploitation results in remote code execution on the affected system, with the injected code running as the root user.
To reproduce this vulnerability, an attacker must be on the same network subnet as the target Linux virtual machine. During installation of the Microsoft Defender for Endpoint Linux extension, the attacker intercepts the extension's request to the Instance Metadata Service (IMDS) and answers it with a crafted JSON response. The installation script does not sanitize the fields it takes from that response and executes them as part of a shell command, so attacker-controlled content in the reply becomes a command run by the installer. Because the installer itself runs as root, the injected command does too, and the interception and injection can be automated to execute arbitrary code on the victim's machine during the installation window.
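The injection mechanism described above, as an added illustration that is not the extension's own installer code: a hypothetical POSIX shell install routine that pulls one field out of an IMDS-style JSON reply and splices it into a command, shown beside a hardened variant of the same routine. The two JSON documents, the `location` field and the `json_field`, `vulnerable_install` and `hardened_install` functions are all constructed for this example; nothing here is taken from the real extension, and the example does not cover how the request is intercepted on the subnet.

```shell
#!/bin/sh
# Added example (not the extension's code): how an unsanitized IMDS field
# becomes a shell command, and one way to harden the same routine.

# Constructed IMDS-style replies. The first is what a genuine service would
# return; the second is what an attacker on the same subnet could substitute.
GOOD_JSON='{"compute":{"location":"eastus","name":"vm01"}}'
EVIL_JSON='{"compute":{"location":"eastus; echo INJECTED","name":"vm01"}}'

# Hypothetical naive extraction of a string field with sed, as install
# scripts often do when jq is not guaranteed to be present on the host.
json_field() {  # $1 = JSON text, $2 = key
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# VULNERABLE (hypothetical): the untrusted value is spliced into a command
# line and re-parsed by the shell, so a ';' in the metadata starts a second
# command. In a real installer running as root, the injected one would too.
vulnerable_install() {  # $1 = JSON text
    region=$(json_field "$1" location)
    eval "echo configuring region $region"
}

# HARDENED: allow-list the value against the shape it must have (lowercase
# letters and digits only) and use it only as data, never through eval or
# an unquoted expansion. Anything else aborts the install.
hardened_install() {  # $1 = JSON text
    region=$(json_field "$1" location)
    case $region in
        ''|*[!a-z0-9]*)
            echo "refusing unexpected location value: $region" >&2
            return 1 ;;
    esac
    echo "configuring region $region"
}

# Stand-alone demonstration: the tampered reply yields a second command in
# the vulnerable routine and is rejected by the hardened one.
vulnerable_install "$GOOD_JSON"
vulnerable_install "$EVIL_JSON"
hardened_install "$GOOD_JSON"
hardened_install "$EVIL_JSON" || echo "hardened installer refused the tampered reply"
```

IMDS is served over unauthenticated HTTP, so the installer has no way to tell a genuine reply from one substituted by an on-path host; every field it consumes has to be treated as untrusted input. The allow-list in `hardened_install` is the load-bearing part: quoting the expansion alone would stop the `;` from being interpreted, but rejecting any value outside the expected character set also protects later consumers of the same string.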
Users can enable Microsoft Defender for Endpoint auto-provisioning in Defender for Cloud to receive the updated extension version 1.0.9.0, which addresses this vulnerability. Once auto-provisioning is enabled, the updated extension is pushed automatically to all eligible Linux machines without manual action. Machines on which an earlier version of the extension is already installed should be confirmed to have been updated to 1.0.9.0 or later.