Date: June 2024
Severity: High
Affected Components: Azure Identity Libraries, Microsoft Authentication Library (MSAL)
CVSS Score: 7.2 (High)
What is CVE-2024-35255?
On June 11, 2024, Microsoft disclosed a critical vulnerability—CVE-2024-35255—impacting both its Azure Identity Libraries and the Microsoft Authentication Library (MSAL). This flaw allows attackers to escalate their privileges in cloud applications and API environments using these libraries.
Put simply, if your application uses Azure Identity or MSAL to authenticate users, this bug could let someone without the right permissions gain admin-level access inside your cloud services.
1. How Does the Vulnerability Work?
The core issue in CVE-2024-35255 lies in improper validation of certain authentication tokens. When your app authenticates through Azure Identity or MSAL, it expects a token that proves the user’s identity and privileges. Unfortunately, due to a logic bug, malicious users can craft tokens or manipulate authentication flows to trick the library into believing they have more permissions than they should.
Key Points
- Affected Platforms: All products and projects relying on Azure Identity Library and MSAL before June 2024 updates.
- Attack Vector: Network—attackers need the ability to supply or intercept authentication tokens.
When an app uses Azure Identity to request a token, it typically looks like this in C#
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://<YourKeyVault>.vault.azure.net/";), credential);
KeyVaultSecret secret = await client.GetSecretAsync("MySecret");
If an attacker can supply a malicious token or invalidate validation steps, they can retrieve secrets they shouldn't have access to.
Exploit Example — Faking a JWT
Suppose an MSAL-based application gets its id_token from an untrusted source or skips signature verification due to the CVE:
var app = PublicClientApplicationBuilder.Create(clientId)
.WithRedirectUri(redirectUri)
.Build();
var authResult = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
var user = authResult.Account;
// Vulnerable: Uses unverified authResult without checking the token's signature!
if (user.Username == "admin@victim.com")
{
// Performs admin tasks
}
Exploit: An attacker could inject a forged id_token claiming to be the admin, and if the verification is skipped or faulty, the library will accept it, granting full access.
Real-World Attack Flow
1. Attacker crafts or intercepts a JWT (JSON Web Token) claiming elevated privileges (e.g., “admin”).
2. App runs on a vulnerable version of Azure Identity or MSAL that fails to properly validate the token’s signature or issuer.
Developers: Apps using unpatched Azure Identity or MSAL libraries.
- Organizations: Any relying on token-based auth for resources (Key Vault, Cosmos DB, Graph API, etc.).
1. Update Your Libraries
Microsoft has fixed this vulnerability in recent updates!
- Azure Identity: Update to v1.10.5 or later.
- MSAL: Update to v4.58. or later.
5. References & More Info
- Microsoft Security Guidance for CVE-2024-35255
- Azure Identity SDK GitHub Security Advisory
- MSAL Release Changelog
- JWT Security Guide (Microsoft Docs)
6. Conclusion
CVE-2024-35255 is a powerful reminder: Any bug in your authentication stack can have severe, far-reaching consequences. If you’re using the Azure Identity or MSAL libraries, update immediately and follow secure coding practices.
If you want to stay secure, keep your libraries patched, validate all tokens, and restrict admin privileges. For more info, check the links above or reach out to your Microsoft security contact.
Don’t get caught off guard—update now!
*Written exclusively for you by ChatGPT, June 2024. Share with your team to protect your cloud workloads!*
Timeline
Published on: 06/11/2024 17:16:03 UTC
Last modified on: 06/14/2024 03:55:56 UTC