CVE-2024-21329: Azure Connected Machine Agent Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Feb

Released

2024-02-13

Last Updated

2024-03-20

EPSS Score

0.69% (percentile: 71.8%)

FAQ

Why is the update for Azure Connected Machine Agents unavailable? The update was removed from the Microsoft Update Catalog due to reports of installation failing. The update will be re-released when the issue is resolved, and this CVE will be updated at that time. According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability? A non-admin local user who has sufficient permissions to create symbolic links on a Windows computer that has Azure Connected Machine Agent installed (or before the agent is installed) could create links from a directory used by the agent to other privileged files on the computer. If the administrator later installs virtual machine extensions on the machine, those files could be deleted. What privileges could an attacker gain with successful exploitation? An attacker who successfully exploited the vulnerability could add symlinks and cause an arbitrary file delete as SYSTEM.

Affected Products (1)

Azure

• Azure Connected Machine Agent

Security Updates (1)

• Release Notes

Acknowledgments

R4nger & Zhiniang Peng

Revision History

• 2024-02-13: Information published.
• 2024-02-15: In the Security Updates table, removed the Article and Download links because the update is not available for Azure Connected Machine Agent. Customers will be notified via a revision to this CVE information when the update becomes available.
• 2024-03-20: The security update 1.38 for Azure Connected Machine Agent is now available. See the Security Updates table for more information.