Race condition in Microsoft Azure Identity Libraries and Microsoft Authentication Library



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-35255
CWE-ID CWE-362
Exploitation vector Local
Public exploit N/A
Vulnerable software
Microsoft Authentication Library (MSAL) for Python
Mobile applications / Apps for mobile phones

Microsoft Authentication Library (MSAL) for Node.js
Mobile applications / Apps for mobile phones

Microsoft Authentication Library (MSAL) for Java
Mobile applications / Apps for mobile phones

Microsoft Authentication Library (MSAL) for .NET
Mobile applications / Apps for mobile phones

Azure Identity Library for Python
Mobile applications / Apps for mobile phones

Azure Identity Library for JavaScript
Mobile applications / Apps for mobile phones

Azure Identity Library for Java
Mobile applications / Apps for mobile phones

Azure Identity Library for Go
Mobile applications / Apps for mobile phones

Azure Identity Library for C++
Mobile applications / Apps for mobile phones

Azure Identity Library for .NET
Other software / Other software solutions

Vendor Microsoft

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Race condition

EUVDB-ID: #VU91723

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-35255

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition in Azure Identity Libraries and Microsoft Authentication Library. A local user can elevate privileges and read any file on the file system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Authentication Library (MSAL) for Python: All versions

Microsoft Authentication Library (MSAL) for Node.js: All versions

Microsoft Authentication Library (MSAL) for Java: All versions

Microsoft Authentication Library (MSAL) for .NET: All versions

Azure Identity Library for Python: All versions

Azure Identity Library for JavaScript: All versions

Azure Identity Library for Java: All versions

Azure Identity Library for Go: All versions

Azure Identity Library for C++: All versions

Azure Identity Library for .NET: All versions

CPE2.3 External links

http://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to perform certain actions on the device.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###