CVE-2026-42830: Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability

Overview

Severity: Medium (CVSS 6.5)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2026-May
Released: 2026-05-12

Description

Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) and availability (A:N), but could lead to major loss of integrity (I:H). What does that mean for this vulnerability?

This primarily impacts integrity, as an attacker could execute unauthorized code and modify system behavior or trusted processes. There is no direct impact to confidentiality, as the scenario does not inherently provide access to sensitive data, and no impact to availability, as exploitation does not inherently disrupt service operation.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

What privileges could an attacker gain with a successful exploitation?

The OpenSSL configuration auto-loading behavior allows extension modules (such as MetricsExtension) to load automatically. Therefore, if an attacker were able to place a malicious DLL in a location referenced by the configuration, it could be loaded implicitly, which could result in arbitrary code execution with elevated privileges.
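As an added defender's audit (not code from the advisory, Microsoft or the agent), the following Python walks an OpenSSL configuration the way the loader does, from openssl_conf through the providers and engines lists to each module's `module` or `dynamic_path` directive, and flags modules named by a relative path or located under a user-writable directory. The sample configuration, the vendor path and the writable-directory list are constructed assumptions; the agent's real configuration and paths are not given on this page.

```python
import re
# Constructed sample openssl.cnf (not the agent's real config): absolute-path provider, bare-name engine.
SAMPLE_CNF = """openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
engines = engine_sect
[provider_sect]
metrics = metrics_sect
[metrics_sect]
module = C:\\Program Files\\ExampleVendor\\metricsext.dll
[engine_sect]
legacy = legacy_sect
[legacy_sect]
dynamic_path = legacyeng.dll
"""
USER_WRITABLE = [r"C:\Users\Public", r"C:\Temp"]  # assumed user-writable dirs (placeholders)

def parse_cnf(text: str) -> dict[str, dict[str, str]]:
    """Parse the INI-style file into {section: {key: value}}; '' holds keys before any header."""
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines fall through below
        if m := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def loaded_modules(sections: dict[str, dict[str, str]]):
    """Walk openssl_conf -> providers/engines -> module sections; yield (section, path)."""
    init = sections.get(sections[""].get("openssl_conf", ""), {})
    for list_key in ("providers", "engines"):
        for sect in sections.get(init.get(list_key, ""), {}).values():
            for path_key in ("module", "dynamic_path"):  # provider / engine directives
                if path_key in sections.get(sect, {}):
                    yield sect, sections[sect][path_key]

def risky_modules(text: str, writable_dirs: list[str]) -> list[tuple[str, str, str]]:
    """Flag modules named by a relative path or located under a user-writable directory."""
    norm = lambda p: p.replace("/", "\\").lower().rstrip("\\")
    risky = []
    for sect, path in loaded_modules(parse_cnf(text)):
        if not re.match(r"^(?:[a-z]:)?\\", norm(path)):
            risky.append((sect, path, "relative path resolved via search path"))
        elif any(norm(path).startswith(norm(d) + "\\") for d in writable_dirs):
            risky.append((sect, path, "module in user-writable directory"))
    return risky
```

Run it against the host's actual openssl.cnf (and any file it includes) with the directory list tailored to that machine's ACLs; an empty result means every auto-loaded module is pinned to an absolute path under administrator-controlled directories.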

Affected Products (1)

Azure

  • Azure Monitor Agent Metrics Extension

Security Updates (1)

Acknowledgments

Cristhian Parrot with Kroll (https://www.kroll.com/en)

Revision History

  • 2026-05-12: Information published.