Himmelblau Interoperability Suite Privilege Escalation Vulnerability via Group Name-Derived GID Mapping
Vulnerability
A privilege escalation vulnerability exists in the Himmelblau interoperability suite for Microsoft Entra ID and Intune, affecting versions from 0.9.0 up to, but not including, 0.9.22. Under the default configuration, Himmelblau derives the numeric group ID (GID) of an Entra ID group from the group's display name. Entra ID does not require display names to be unique, so two distinct directory groups can carry the same name and, on a Linux host, resolve to the same GID. Every authorization decision the host makes on group membership (file and directory permissions, `sudoers` rules of the form `%groupname`, service ACLs) is taken on that numeric GID, so the kernel and PAM stack cannot tell the two groups apart. A user who belongs to the second group therefore inherits the access granted to the first.
Impact
A user who can create a group in the tenant with the same display name as a privileged group, or who is added to such a group, gains access to every file, directory, or service that is protected by the legitimate group's GID. Depending on which groups are mirrored onto the hosts, this can include `sudo` rights, which makes the issue a path to root. The attacker needs the tenant to allow group creation by ordinary users (or control of an account that may create groups); no weakness on the Linux host itself is required.
Remediation
Upgrade to Himmelblau 0.9.23, or to 1.0.0 and later, where the group-to-GID mapping derives the GID from the group's Entra ID object ID, which is unique within the tenant and therefore cannot collide for two groups that merely share a name. Until every host is updated, restrict who may create groups in the tenant so that an ordinary user cannot register a group with a chosen display name, and audit existing groups for duplicate display names, since each duplicate is a GID collision on every unpatched host. Because object-ID-derived GIDs will generally differ from the name-derived ones, check the ownership of files and ACL entries on upgraded hosts rather than assuming existing permissions carry over unchanged.
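The following Rust program is an added illustration of both the collision described in the Vulnerability section and the object-ID mapping used as the fix; it is not Himmelblau's code. The `derive_gid` function is a hypothetical derivation (hash the chosen attribute into a GID range), the `GID_BASE` value is an assumption, and the tenant data in `sample_tenant` is constructed for the example. What it shows is that any deterministic function of a non-unique input is itself non-unique, that switching the input to the object ID removes the collision, and how an administrator can audit a tenant for duplicate display names while hosts are still unpatched.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// An Entra ID group as the directory returns it. The display name is
/// free text and need not be unique; the object id is a tenant-unique UUID.
#[derive(Debug, Clone)]
pub struct EntraGroup {
    pub display_name: String,
    pub object_id: String,
}

/// Which directory attribute the numeric GID is derived from.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IdAttr {
    /// Vulnerable behaviour: hash the display name.
    Name,
    /// Patched behaviour: hash the object id.
    ObjectId,
}

/// Lowest GID handed to directory groups, keeping them clear of local
/// system groups. Assumed value for this example.
pub const GID_BASE: u32 = 100_000;

/// Hypothetical derivation: hash the chosen attribute into
/// [GID_BASE, GID_BASE + 2^30). This is not Himmelblau's real algorithm;
/// the point holds for any deterministic function, because a function of
/// a non-unique input is itself non-unique.
pub fn derive_gid(attr: &str) -> u32 {
    let mut hasher = DefaultHasher::new();
    attr.hash(&mut hasher);
    GID_BASE + (hasher.finish() % (1u64 << 30)) as u32
}

pub fn gid_for(group: &EntraGroup, mode: IdAttr) -> u32 {
    match mode {
        IdAttr::Name => derive_gid(&group.display_name),
        IdAttr::ObjectId => derive_gid(&group.object_id),
    }
}

/// Map every group to a GID and return the GIDs claimed by more than one
/// group, with the object ids that collapsed into each. Any entry here is a
/// set of directory groups the Linux host can no longer distinguish.
pub fn gid_collisions(groups: &[EntraGroup], mode: IdAttr) -> Vec<(u32, Vec<String>)> {
    let mut by_gid: HashMap<u32, Vec<String>> = HashMap::new();
    for g in groups {
        by_gid
            .entry(gid_for(g, mode))
            .or_default()
            .push(g.object_id.clone());
    }
    let mut out: Vec<(u32, Vec<String>)> = by_gid
        .into_iter()
        .filter(|(_, ids)| ids.len() > 1)
        .collect();
    out.sort();
    out
}

/// Tenant-side audit an administrator can run while hosts are unpatched:
/// display names shared by more than one group. Each one is a GID
/// collision on every host that still maps by name.
pub fn duplicate_display_names(groups: &[EntraGroup]) -> Vec<String> {
    let mut seen: HashMap<&str, usize> = HashMap::new();
    for g in groups {
        *seen.entry(g.display_name.as_str()).or_insert(0) += 1;
    }
    let mut dups: Vec<String> = seen
        .into_iter()
        .filter(|(_, n)| *n > 1)
        .map(|(name, _)| name.to_string())
        .collect();
    dups.sort();
    dups
}

/// Constructed sample tenant (not real data): a legitimate "linux-admins"
/// group that a sudoers rule trusts, and a second group created with the
/// same display name but its own object id.
pub fn sample_tenant() -> Vec<EntraGroup> {
    let mk = |name: &str, id: &str| EntraGroup {
        display_name: name.to_string(),
        object_id: id.to_string(),
    };
    vec![
        mk("linux-admins", "11111111-1111-4111-8111-111111111111"),
        mk("developers", "22222222-2222-4222-8222-222222222222"),
        mk("linux-admins", "33333333-3333-4333-8333-333333333333"),
    ]
}

fn main() {
    let tenant = sample_tenant();
    for mode in [IdAttr::Name, IdAttr::ObjectId] {
        println!("{mode:?}: collisions = {:?}", gid_collisions(&tenant, mode));
    }
    println!("duplicate display names: {:?}", duplicate_display_names(&tenant));
}
```

Run with `cargo run` (no external crates are needed). In `Name` mode the two "linux-admins" groups land on one GID, so a `%linux-admins` sudoers entry trusts members of both; in `ObjectId` mode each group keeps its own GID. The `duplicate_display_names` audit is the pre-upgrade check: pointed at a real tenant's group list, a non-empty result means the collision already exists.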
