Himmelblau Authentication Vulnerability Allowing Cross-Tenant Access
Vulnerability
A vulnerability in Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune, affects versions from 3.0.0 up to but not including 3.1.0. When deployed without a configured tenant domain, authentication is not restricted to specific tenants: the application accepts authentication attempts from any Entra ID domain by dynamically registering providers at runtime. While this behavior is intended for initial bootstrap scenarios, it poses a risk in remote authentication environments by enabling unintended cross-tenant authentication.
Impact
Exploiting this vulnerability could lead to unauthorized cross-tenant authentication, allowing access beyond the operator's intended tenant boundary. This is particularly risky if the deployment uses Entra group-based role mapping, as an attacker could potentially gain privileged access on the host by satisfying the group conditions within a tenant they control. Additionally, if authentication occurs during the unscoped window after installation but before a tenant domain is configured, tenant details injected during that window could persist, leaving the authentication scope extended beyond the intended boundary.
Remediation
To address this vulnerability, explicitly configure a tenant domain in the Himmelblau configuration file. After setting the domain, restart the Himmelblau daemons so the restricted scope takes effect. For deployments that may have been compromised, audit local privileged group assignments and remove any unexpected entries. Monitor authentication logs for signs of unauthorized cross-tenant access.
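The two host-side checks from the remediation above (is a tenant domain actually configured, and do local privileged groups contain members the operator did not expect) can be scripted so they run from a configuration audit or a post-incident playbook. The following is an added example written for this page; it is not code from the advisory or from the Himmelblau project. It assumes the configuration file lives at /etc/himmelblau/himmelblau.conf and that the tenant restriction is the domains key in its [global] section, which matches the project's documented layout at the time of writing but should be confirmed against the installed version. The sample config and group file contents in the demo are constructed for illustration.

```shell
#!/bin/sh
# Audit helpers for the Himmelblau cross-tenant issue (added example, not project code).
# Assumed config path and key name; verify against your installed version.
HIMMELBLAU_CONF="${HIMMELBLAU_CONF:-/etc/himmelblau/himmelblau.conf}"

# tenant_domain_configured CONF
# Returns 0 when [global] contains a non-empty "domains" value, 1 when it does not
# (the unscoped state this advisory warns about), 2 when the file is unreadable.
tenant_domain_configured() {
    conf="$1"
    [ -r "$conf" ] || return 2
    awk -F= '
        /^[[:space:]]*[#;]/ { next }                       # skip comment lines
        /^[[:space:]]*\[/ {                                 # section header
            in_global = ($0 ~ /^[[:space:]]*\[global\][[:space:]]*$/); next
        }
        in_global && index($0, "=") > 0 {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (key == "domains") {
                val = substr($0, index($0, "=") + 1)
                sub(/[[:space:]]*[#;].*$/, "", val)          # strip trailing comment
                gsub(/[[:space:]]/, "", val)
                if (val != "") found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# unexpected_group_members GROUPFILE GROUP ALLOWED_CSV
# Prints each member of GROUP (from an /etc/group-format file) that is not in the
# comma-separated allowlist. Returns 1 if any unexpected member was found, else 0.
unexpected_group_members() {
    groupfile="$1"; group="$2"; allowed="$3"
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile")
    [ -n "$members" ] || return 0
    status=0
    old_ifs=$IFS; IFS=,
    for m in $members; do
        case ",$allowed," in
            *",$m,"*) ;;                                    # on the allowlist
            *) echo "$group: unexpected member '$m'"; status=1 ;;
        esac
    done
    IFS=$old_ifs
    return $status
}

# Demo on constructed files so the script runs offline; real use would point
# at "$HIMMELBLAU_CONF" and /etc/group.
demo() {
    tmp=$(mktemp -d)
    printf '[global]\n# domains =\n' > "$tmp/unscoped.conf"       # constructed
    printf '[global]\ndomains = contoso.example\n' > "$tmp/scoped.conf"   # constructed
    printf 'sudo:x:27:alice,mallory\nwheel:x:10:alice\n' > "$tmp/group"   # constructed
    for c in unscoped scoped; do
        if tenant_domain_configured "$tmp/$c.conf"; then
            echo "$c.conf: tenant domain configured"
        else
            echo "$c.conf: NO tenant domain - authentication is unscoped, fix and restart daemons"
        fi
    done
    for g in sudo wheel; do
        unexpected_group_members "$tmp/group" "$g" "alice,bob" || echo "review $g membership"
    done
    rm -rf "$tmp"
}
demo
```

The INI parsing deliberately ignores a domains key that appears outside [global] or is commented out, because either case still leaves the daemon in the unscoped state; an operator who only greps for the word "domains" would be misled by such a line.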