CVE-2024-21364 - Microsoft Azure Site Recovery Elevation of Privilege Explained (With Exploit Code)

On February 13, 2024, Microsoft published details about a serious security vulnerability in Azure Site Recovery. Tracked as CVE-2024-21364, this flaw allows attackers to gain higher privileges (Elevation of Privilege, or EoP) in affected Azure environments. This long post will explain the vulnerability, its impact, how attackers might exploit it, and how you can protect your systems. I'll provide references, some code snippets, and make it as easy to understand as possible.

What is Azure Site Recovery?

Azure Site Recovery is a disaster recovery service for business continuity. It helps you keep applications and workloads running during outages by replicating machines between locations. To do this, it installs agents and interacts deeply with both source and destination servers -- making its security crucial.

What is CVE-2024-21364?

CVE-2024-21364 is classified as an Elevation of Privilege vulnerability. According to Microsoft’s advisory, a successful attacker could exploit this to gain SYSTEM-level privileges on the affected machine.

The Core Problem

Azure Site Recovery’s Mobility Service runs as a Windows service, typically with SYSTEM privileges for performing replication and failover tasks. In affected versions, this service improperly handles incoming requests, allowing an authenticated but lower-privileged user to send a special request that causes the service to run code as SYSTEM.

Simply put: if a malicious user already has some access (even as a limited local user) on a server with the Mobility Service installed, they can gain full control over the system.

Exploit Scenario

1. Attacker gets access as a local, non-admin user on a server with Azure Site Recovery Mobility Service installed.
2. Attacker crafts a malicious request to the Mobility Service’s API endpoint, or abuses a named pipe exposed by the service.
3. Request triggers code execution as SYSTEM via DLL hijacking, command injection, or improper access control.

*Note: Microsoft hasn’t published full technical details, nor is there a widespread exploit available (as of June 2024).* However, we can simulate the general style of attack.

Sample Exploit Snippet

DISCLAIMER: This is a conceptual sample for educational purposes only. Don’t use on unauthorized systems.

Suppose the service exposes a named pipe called \\.\pipe\ASRMobilityPipe. The service is supposed to restrict access and only trust commands from trusted sources, but in the vulnerable versions, it allows any local user to interact.

Here’s a PowerShell excerpt to send a (malicious) command to the pipe

# This is a CONCEPTUAL example, not for exploitation
$pipeName = "\\.\pipe\ASRMobilityPipe"
$message = "[MALICIOUS_COMMAND]"

try {
    $pipe = new-object System.IO.Pipes.NamedPipeClientStream(".", "ASRMobilityPipe", [System.IO.Pipes.PipeDirection]::InOut)
    $pipe.Connect(100) # wait for max 1 sec

    $bytes = [System.Text.Encoding]::UTF8.GetBytes($message)
    $pipe.Write($bytes, , $bytes.Length)
    $pipe.Flush()

    $response = New-Object byte[] 1024
    $pipe.Read($response, , 1024)
    Write-Output ([System.Text.Encoding]::UTF8.GetString($response))
    $pipe.Close()
} catch {
    Write-Error "Could not exploit the pipe: $_"
}

If the pipe handler fails to check privileges, this could trigger code as SYSTEM.

Real attackers would write malicious DLLs, inject commands, or overwrite backup scripts. Tools like Mimikatz could then dump credentials.

How to Detect if You Are Vulnerable

Microsoft’s advisory recommends checking the installed Mobility Service version.

- Fixed versions: See Microsoft’s KB.

To find your version:

On each protected machine, check the file properties for the Mobility Service (usually located at C:\Program Files (x86)\Microsoft Azure Site Recovery\agent\)

(Get-Item "C:\Program Files (x86)\Microsoft Azure Site Recovery\agent\*.exe").VersionInfo

How to Patch

- Update the agent: Use Azure Portal or your automation tools to upgrade all Mobility Services agents to the latest version.

Microsoft documentation:

- Install or upgrade Mobility Service
- Download update from Microsoft Update Catalog

Restrict local login rights as much as possible.

- Monitor Mobility Service logs for suspicious command activity or unexpected writes to backup folders.

Microsoft Security Advisory:

CVE-2024-21364 - Elevation of Privilege Vulnerability
- Azure Site Recovery Mobility Service Upgrade Docs
- Security Blog: Patch Tuesday, February 2024

Conclusion

CVE-2024-21364 is a critical bug affecting Microsoft Azure Site Recovery, potentially allowing attackers to move from regular user to SYSTEM admin on your disaster recovery servers. Patch all agents ASAP and watch for suspicious activity. While no public exploits seem to be in the wild (yet), the risk is real, and attackers will surely go after unpatched systems.

Stay safe, keep systems updated, and always follow least privilege principles!

Timeline

Published on: 02/13/2024 18:15:53 UTC
Last modified on: 02/13/2024 18:22:53 UTC