On February 13, 2024, Microsoft published an advisory for CVE-2024-21424—an elevation of privilege vulnerability in Azure Compute Gallery. This flaw allows unprivileged users to leverage misconfigured permissions and escalate their access within Azure. This post gives you a full breakdown, includes code snippets showing the kind of exploitation that’s possible (for educational purposes only), and best practices to protect your cloud environment.

Azure Compute Gallery (ACG), formerly known as Shared Image Gallery, is a service that helps you manage, share, and distribute custom VM images at scale. It’s popular among teams that deploy several VMs needing identical base images.

When you share images using ACG, you assign Azure RBAC roles to users or groups, specifying their ability to create, read, update, or delete images.

What is CVE-2024-21424?

This vulnerability occurs due to insecure permission handling in Azure Compute Gallery. By manipulating resource permissions, a low-privileged user can get unauthorized elevated access, such as the ability to write or replace VM images that others rely on.

According to Microsoft's advisory:

Attack Vector: Remote

The attacker needs minimal setup—just a valid, low-permission Azure account with access to a compute gallery.

Attack Scenario: How it Works

Suppose you belong to a large team with shared VM images. The admin assigns you “Reader” access (Microsoft.Compute/galleries/images/versions/read). Due to a misconfiguration (or because of this bug), Azure grants more permissions than intended, allowing you to push a new, malicious VM image version.

Your injected image might contain a backdoor or additional administrative user accounts. Anyone deploying from this gallery would unknowingly use your tampered image.

Step-by-Step Exploitation (Example)

Let’s walk through an example of how this can play out, using the Azure CLI.

1. List Available Galleries

az sig list --resource-group "ProductionImagesRG"

Let’s say there's one called "TeamDevGallery".

3. Create a Malicious Image Version

You’d prepare a VM image (for instance, using Packer) containing your “extras,” then register it to the gallery—*even though you should only have “Reader” access* due to the vulnerability.

az sig image-version create \
  --resource-group "ProductionImagesRG" \
  --gallery-name "TeamDevGallery" \
  --gallery-image-definition "WindowsServer2019" \
  --gallery-image-version "2.1." \
  --managed-image "/subscriptions/xxxx/resourceGroups/maliciousRG/providers/Microsoft.Compute/images/malBackdoor"

4. Now Wait for Users to Deploy…

Any team member who launches a VM from "2.1." now gets your hacked OS image.

Detection: Signs of Exploitation

Look for unexpected image versions or images originating from unfamiliar accounts. In Azure Activity Logs:

// Log Analytics: Find unexpected image pushes
AzureActivity
| where ResourceProvider == "MICROSOFT.COMPUTE"
| where OperationNameValue endswith "write" and ResourceType == "MICROSOFT.COMPUTE/GALLERIES/IMAGES/VERSIONS"
| order by TimeGenerated desc

Check for image version creations by accounts who do not normally own gallery write rights.

Patch

Microsoft has fixed CVE-2024-21424 (see official security update guide), so apply all recommended updates.

Rotate Images

If you suspect compromise, rebuild and redistribute clean images, and force redeployment from trusted images.

References

- Microsoft Security Advisory: CVE-2024-21424
- Azure Compute Gallery documentation
- Packer — Automate VM Image Creation
- Azure RBAC: Built-in roles

Conclusion

CVE-2024-21424 is a classic example of why “least privilege” and continuous review are critical in the cloud era. Any user with even limited access to Azure Compute Gallery could escalate to full control over what code your team runs. Make sure you verify permissions, update your galleries, and keep logs tight.

This post taught you how attackers work, so you can do better defense. If you’re responsible for your organization’s Azure environments, check your galleries today and talk to your security folks.

Timeline

Published on: 04/09/2024 17:15:35 UTC
Last modified on: 04/10/2024 13:24:00 UTC