Himmelblau Privilege Escalation Vulnerability via Entra ID Group Name Matching

Vulnerability

A privilege escalation vulnerability has been identified in Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune. This issue affects Himmelblau versions from 0.9.0 prior to 0.9.14, as well as 1.00-alpha. The vulnerability arises when Entra ID group-based access restrictions are configured using group display names instead of object IDs. Affected versions of Himmelblau match groups by displayName, so a user can create a personal group with the same name as a legitimate access group, such as 'Allow-Linux-Login'. By adding themselves to such an impersonating group, the user gains unauthorized authentication or sudo rights. This bypasses the access control mechanism designed to restrict login to members of official, centrally managed groups.

Impact

Exploitation of this vulnerability allows unauthorized users to gain authentication and sudo rights by impersonating legitimate access group names with personal groups created in Entra ID.

Reproduction

The vulnerability can be reproduced by creating a personal security group in Microsoft Entra ID with the same display name as a legitimate access group used for access control in Himmelblau. Once the group is created, the user can add themselves to it. When Himmelblau is configured to allow group-based access using display names, the application will incorrectly grant access and sudo rights, bypassing the intended restrictions.

Remediation

To address this vulnerability, users should upgrade to Himmelblau version 0.9.15 or later, where the issue has been fixed by removing group name matching from the 'pam_allow_groups' configuration option and allowing only group object IDs to be specified for secure filtering. If an upgrade is not possible, replace all entries in 'pam_allow_groups' with the object ID of the target Entra ID group(s) and audit the tenant for groups with duplicate display names using the Microsoft Graph API.
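A defender-side check matching the remediation above, added here as an example that is neither part of this advisory nor Himmelblau's own code: it reports display names shared by more than one group in a constructed Microsoft Graph /groups response, and flags 'pam_allow_groups' entries that are names rather than object IDs. The comma-separated layout of the option value and every object ID shown are assumptions and placeholders, not values from a real tenant.

```python
import json
import re
from collections import defaultdict

# Entra ID object IDs are GUIDs; a display name is free-form text.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

# Constructed sample of what GET https://graph.microsoft.com/v1.0/groups?$select=id,displayName
# returns. Two distinct groups carry the same display name, which is exactly the
# condition the remediation asks administrators to audit for. IDs are placeholders.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Allow-Linux-Login"},
        {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Allow-Linux-Login"},
        {"id": "33333333-3333-3333-3333-333333333333", "displayName": "Linux-Admins"},
    ]
})


def find_duplicate_display_names(graph_json: str) -> dict:
    """Return {displayName: [object IDs]} for every name used by more than one group."""
    by_name = defaultdict(list)
    for group in json.loads(graph_json)["value"]:
        by_name[group["displayName"]].append(group["id"])
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}


def non_object_id_entries(pam_allow_groups: str) -> list:
    """Return entries of a pam_allow_groups value (assumed comma-separated) that are
    display names rather than object IDs; such entries are the ones to replace."""
    entries = [e.strip() for e in pam_allow_groups.split(",") if e.strip()]
    return [e for e in entries if not GUID_RE.match(e)]


def main():
    for name, ids in find_duplicate_display_names(SAMPLE_GRAPH_RESPONSE).items():
        print(f"display name {name!r} is shared by groups: {', '.join(ids)}")
    weak = "Allow-Linux-Login,Linux-Admins"  # name-based form the advisory warns about
    fixed = "11111111-1111-1111-1111-111111111111,33333333-3333-3333-3333-333333333333"
    for entry in non_object_id_entries(weak):
        print(f"replace pam_allow_groups entry {entry!r} with the group's object ID")
    print("corrected value has no name entries:", non_object_id_entries(fixed) == [])


if __name__ == "__main__":
    main()
```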

Added: Jun 5, 2025, 11:19 PM
Updated: Jun 5, 2025, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread:         0.0
impact:         5.0
exploitability: 6.3
remediation:    0.0
relevance:      0.2
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.