Kaspersky LabKLA68916KLA68916 Multiple vulnerabilities in Microsoft Azure
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.3 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.3%
Multiple vulnerabilities were found in Microsoft Azure. Malicious users can exploit these vulnerabilities to gain privileges, cause denial of service.
Below is a complete list of vulnerabilities:
- An elevation of privilege vulnerability in Azure Science Virtual Machine (DSVM) can be exploited remotely to gain privileges.
- An elevation of privilege vulnerability in Microsoft Azure File Sync can be exploited remotely to gain privileges.
- An elevation of privilege vulnerability in Azure Monitor Agent can be exploited remotely to gain privileges.
- A denial of service vulnerability in Azure Storage Movement Client Library can be exploited to cause denial of service.
- An elevation of privilege vulnerability in Azure Identity Libraries and Microsoft Authentication Library can be exploited remotely to gain privileges.
Original advisories
Related products
CVE list
CVE-2024-35252 high
CVE-2024-35255 high
CVE-2024-37325 high
CVE-2024-35253 warning
CVE-2024-35254 high
KB list
Solution
Install necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)
Impacts
- DoS
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
- PE
Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.
Affected Products
- Azure File Sync v16.0Azure Identity Library for JavaScriptAzure Identity Library for C++Azure Storage Movement Client Library for .NETAzure Identity Library for PythonAzure Data Science Virtual Machines for LinuxAzure Identity Library for .NETMicrosoft Authentication Library (MSAL) for Node.jsAzure Identity Library for JavaMicrosoft Authentication Library (MSAL) for .NETAzure Monitor AgentAzure Identity Library for GoMicrosoft Authentication Library (MSAL) for JavaAzure File Sync v17.0Azure File Sync v18.0
References
support.microsoft.com/kb/5023058
support.microsoft.com/kb/5039814
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35252
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35253
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35254
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35255
msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37325
statistics.securelist.com/
threats.kaspersky.com/en/product/.NET/
threats.kaspersky.com/en/product/Microsoft-Azure/
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.3 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.3%