CVE-2024-21329 - Azure Connected Machine Agent Elevation of Privilege Explained (With Exploit Walkthrough)

In early 2024, a critical vulnerability was discovered in the Azure Connected Machine Agent (CMA)—a tool that allows you to manage non-Azure servers with Azure Arc. Tracked as CVE-2024-21329, this flaw can let local users escalate their privileges on the affected Windows system. This article breaks down what CVE-2024-21329 is, demonstrates a simple exploit scenario, and helps you stay secure.

What Is the Azure Connected Machine Agent?

Azure Connected Machine Agent is a Microsoft service that brings on-premise or non-Azure servers into Azure Arc. Once installed, organizations manage these servers in the Azure Portal—apply policies, deploy extensions, and even run scripts remotely.

Official docs:
https://learn.microsoft.com/en-us/azure/azure-arc/servers/agent-overview

CVE-2024-21329 was published by Microsoft in their June 2024 Patch Tuesday updates

> *A local attacker could exploit this vulnerability to gain higher privileges (including SYSTEM rights) by abusing insecure permissions or improper validation inside the Azure Connected Machine Agent service.*

Microsoft's advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21329

Affected Versions

If you’re running Azure Connected Machine Agent before version 1.37. on Windows, you are affected.

Attack Scenario: How Could CVE-2024-21329 Be Exploited?

Here's a *simplified* scenario based on public details and common local privilege escalation patterns.

Root Cause

Azure Connected Machine Agent runs several services as SYSTEM. One service, like GuestConfigurationAgent, drops logs and temporary files in directories where normal users may also have write access due to misconfigured permissions.

Suppose the agent writes to a folder like this

C:\ProgramData\AzureConnectedMachineAgent\Temp

And suppose Everyone has write permissions here.

The agent then runs a SYSTEM-level process that reads .ps1 (PowerShell) files from this folder when it starts, trusting any content there.

Here’s a simulated example. An attacker creates evil.ps1

# evil.ps1 - run as SYSTEM
Start-Process powershell -ArgumentList '-c "net localgroup administrators attacker /add"' -Verb runAs

Writes it to the temp directory

Copy-Item .\evil.ps1 "C:\ProgramData\AzureConnectedMachineAgent\Temp\startup.ps1"

Once the agent restarts and runs any .ps1 in this folder, the exploit fires. The local user attacker is added to the Administrators group.

Mitigation

Immediate action:

You can do this via PowerShell

Set-ExecutionPolicy RemoteSigned -Scope Process
iex "& { $(irm https://aka.ms/InstallAzureConnectedMachineAgent) }"

Or, uninstall/reinstall the newer agent from the Microsoft download page.

References

- Microsoft Security Response Center - CVE-2024-21329
- Azure Connected Machine Agent Documentation
- Azure Arc Security Best Practices

Summary

*CVE-2024-21329* is a serious Windows privilege escalation bug in Azure Connected Machine Agent. If you run hybrid servers with Azure Arc, patch immediately! This is a classic case where improper permissions turn a helpful agent into an attack surface.

Stay safe and up to date—review your Arc-connected machines today.

Timeline

Published on: 02/13/2024 18:15:48 UTC
Last modified on: 02/22/2024 15:27:57 UTC