#VU91723 Race condition in Microsoft products - CVE-2024-35255

Cybersecurity Help s.r.o.

Published: 2024-06-11

Vulnerability identifier: #VU91723

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-35255

CWE-ID: CWE-362

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Microsoft Authentication Library (MSAL) for Python
Mobile applications / Apps for mobile phones
Microsoft Authentication Library (MSAL) for Node.js
Mobile applications / Apps for mobile phones
Microsoft Authentication Library (MSAL) for Java
Mobile applications / Apps for mobile phones
Microsoft Authentication Library (MSAL) for .NET
Mobile applications / Apps for mobile phones
Azure Identity Library for Python
Mobile applications / Apps for mobile phones
Azure Identity Library for JavaScript
Mobile applications / Apps for mobile phones
Azure Identity Library for Java
Mobile applications / Apps for mobile phones
Azure Identity Library for Go
Mobile applications / Apps for mobile phones
Azure Identity Library for C++
Mobile applications / Apps for mobile phones
Azure Identity Library for .NET
Other software / Other software solutions

Vendor: Microsoft

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in Azure Identity Libraries and Microsoft Authentication Library. A local user can elevate privileges and read any file on the file system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft Authentication Library (MSAL) for Python: All versions

Microsoft Authentication Library (MSAL) for Node.js: All versions

Microsoft Authentication Library (MSAL) for Java: All versions

Microsoft Authentication Library (MSAL) for .NET: All versions

Azure Identity Library for Python: All versions

Azure Identity Library for JavaScript: All versions

Azure Identity Library for Java: All versions

Azure Identity Library for Go: All versions

Azure Identity Library for C++: All versions

Azure Identity Library for .NET: All versions

External links
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for python-azure-identity

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

IBM watsonx.data update for Microsoft Azure Identity Libraries and Microsoft Authentication Library

Multiple vulnerabilities in IBM Netezza for Cloud Pak for Data (on Cloud)

IBM Workload Scheduler update for Microsoft Azure Identity

Multiple vulnerabilities in IBM Observability with Instana

IBM Robotic Process Automation Microsoft.BotBuilder

Multiple vulnerabilities in Red Hat Camel for Spring Boot 4

SUSE update for python-azure-identity

Multiple vulnerabilities in IBM Process Mining