CVE CyberSecurity Database News

CVE-2024-29989 - Azure Monitor Agent Elevation of Privilege Vulnerability – Exploit, Details & Mitigation

Poster -

---

Summary

A new vulnerability, CVE-2024-29989, has been identified in Microsoft’s Azure Monitor Agent (AMA), opening the door for local attackers to get higher privileges on Windows machines running the agent. This exclusive post gives you a clear overview of the flaw, hands-on code snippets for checking exposure, step-by-step exploitation details, and official Microsoft references.

What Is Azure Monitor Agent?

Azure Monitor Agent is a Microsoft-provided service that collects data from cloud and on-premises systems and sends it to Azure. Environments leveraging Azure security and monitoring solutions often have this agent installed.

About CVE-2024-29989

CVE-2024-29989 describes an Elevation of Privilege (EoP) vulnerability where the Azure Monitor Agent can allow local users to gain SYSTEM privileges on vulnerable systems. This means someone with a regular user account can perform administrative actions without proper authorization.

Technical Details

The vulnerability is due to improper access controls or unsafe handling of files and processes by the Azure Monitor Agent service. Specifically, certain files, directories, or named pipes used by the agent may be susceptible to manipulation by non-administrator users.

Typical Attack Scenario

- Attacker context: A user with basic credentials on a Windows machine running Azure Monitor Agent (for example, a user logged in via RDP or SSH).

Goal: Gain SYSTEM-level (administrator) access without permission.

- How? By exploiting insecure permissions or vulnerabilities in service communications and file writings.

Find the agent’s install location (commonly):

`

If you see write or modify permissions for non-admin groups like Authenticated Users or Users, the system could be vulnerable.

Test file replacement or DLL hijacking:


If the agent’s path is writable, the attacker could replace an executable or DLL under the service folder with a malicious one that will run as SYSTEM.

Your code runs with SYSTEM privileges.

Note: This is a simplified demonstration. Actual exploitation may need specific research into which files are vulnerable.

A quick script to list files and their permissions under the agent folder

$agentPath = "C:\Program Files\AzureMonitorAgent"
Get-ChildItem $agentPath -Recurse | ForEach-Object {
    $acl = Get-Acl $_.FullName
    foreach ($access in $acl.Access) {
        if ($access.IdentityReference -notlike "*Administrators" -and ($access.FileSystemRights -match "Write|Modify")) {
            Write-Output "$($_.FullName): $($access.IdentityReference) has $($access.FileSystemRights)"
        }
    }
}

Patching and Mitigation

Microsoft Fix:
This vulnerability is resolved as part of Microsoft’s June 2024 Patch Tuesday.
- Microsoft Security Update Guide Entry

Update Azure Monitor Agent to the latest version immediately.

- If updating isn’t possible, restrict write permissions on the agent folder and files. Ensure only Administrators and SYSTEM have write access.

Manual Folder Permission Harden

$agentFolder = "C:\Program Files\AzureMonitorAgent"
icacls $agentFolder /remove "Users" "Authenticated Users"

References & Further Reading

- Official MSRC CVE-2024-29989 Advisory
- Azure Monitor Agent Documentation
- CrowdStrike Blog: AMA Vulnerabilities

Conclusion

CVE-2024-29989 is a critical local privilege escalation vulnerability affecting Azure Monitor Agent configurations, prevalent in many cloud and hybrid environments. Attackers with minor access can leverage insecure permissions to fully compromise Windows systems. Update your agents, adjust your permissions, and always monitor for new threats.

Timeline

Published on: 04/09/2024 17:16:02 UTC
Last modified on: 04/10/2024 13:24:00 UTC