Himmelblau Interoperability Suite Privilege Escalation Vulnerability via Symlink Attack on Kerberos Cache
Vulnerability
A local privilege escalation vulnerability has been identified in Himmelblau, the interoperability suite for Microsoft Azure Entra ID and Intune. Affected versions are 1.0.0 and later up to, but not including, the fixed releases 2.3.8 and 3.1.0. The himmelblaud-tasks daemon runs as root and creates Kerberos credential cache files under /tmp without protecting against symlinks. Because /tmp is writable by every local user, an unprivileged user can pre-create a symlink at the path the daemon will use, pointing at a sensitive location such as /etc; the daemon follows the symlink and applies its ownership change to the target, handing the user ownership of critical system files or directories.
Impact
Exploitation allows a local user to escalate privileges to root by taking ownership of arbitrary files or directories. Ownership of a directory such as /etc is enough to create, rename or replace entries in it, which is sufficient for full system compromise.
Reproduction
To reproduce, as an unprivileged local user, create a symlink at /tmp/krb5cc_<uid> (where <uid> is that user's numeric UID) pointing at a directory such as /etc; the sticky bit on /tmp only restricts deleting other users' entries, not creating new ones. Then authenticate in a way that triggers a Kerberos login for that user, which prompts the root-owned himmelblaud-tasks daemon to create the user's Kerberos cache directory at that path. The daemon follows the symlink and changes the ownership of the target directory to the user's UID, which can be confirmed afterwards with stat on /etc, allowing unauthorized access to or modification of sensitive files.
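The symlink-following pattern described above, as an added example that is not Himmelblau's code: a sandbox reproduction that runs unprivileged, with chmod standing in for the daemon's chown (both follow a symlink given on the command line) and the krb5cc_<uid> naming taken from the advisory. The sandbox paths, the UID 1000, the function names and the use of GNU coreutils (mkdir -p, stat -c) are assumptions. The vulnerable function shows the "create if missing, then set ownership/mode on the path" pattern; the hardened one refuses to touch anything it did not create itself.

```shell
#!/bin/sh
# Added example, not Himmelblau project code. Demonstrates why creating a
# cache directory at an attacker-controllable path in /tmp is unsafe.
# chmod stands in for the daemon's chown so this runs without root.

# Vulnerable pattern: mkdir -p is satisfied by a symlink to an existing
# directory, and chmod/chown (without -h) then follow the symlink to its
# target, so the attacker-chosen target gets the new mode/ownership.
vulnerable_create_cache() {
    path="$1"
    mkdir -p "$path" || return 1
    chmod 700 "$path"
}

# Hardened pattern: refuse if anything (symlink or not) already exists at
# the path, and use plain mkdir, which fails with EEXIST rather than
# silently accepting a pre-placed symlink. Fail closed instead of following.
hardened_create_cache() {
    path="$1"
    if [ -L "$path" ] || [ -e "$path" ]; then
        echo "refusing: $path already exists" >&2
        return 1
    fi
    mkdir "$path" || return 1
    chmod 700 "$path"
}

# Run one of the patterns against an attacker-planted symlink in a scratch
# directory and print the resulting mode of the symlink's target:
# "700" means the symlink was followed, "755" means it was not.
run_demo() {
    fn="$1"
    sandbox=$(mktemp -d)
    # Stand-in for /etc (assumed target directory).
    mkdir "$sandbox/etc"
    chmod 755 "$sandbox/etc"
    # Attacker pre-places the symlink where the daemon will create the cache
    # (name follows the advisory's /tmp/krb5cc_<uid>; UID 1000 is assumed).
    ln -s "$sandbox/etc" "$sandbox/krb5cc_1000"
    "$fn" "$sandbox/krb5cc_1000" 2>/dev/null || true
    stat -c '%a' "$sandbox/etc"
    rm -rf "$sandbox"
}

if [ "${1:-}" = "--demo" ]; then
    echo "vulnerable pattern: target mode is now $(run_demo vulnerable_create_cache)"
    echo "hardened pattern:   target mode is now $(run_demo hardened_create_cache)"
fi
```

Run it with `sh demo.sh --demo`. The same check applies to any privileged service that materialises per-user files in a shared, world-writable directory: either test for a pre-existing entry and fail, or create the path with an operation that cannot be redirected (mkdir without -p, open with O_EXCL or O_NOFOLLOW), and only then apply ownership.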
Remediation
Upgrade to a fixed release (2.3.8 or 3.1.0). Where an upgrade is not immediately possible, re-enable PrivateTmp for the himmelblaud-tasks service via a systemd drop-in; with PrivateTmp the daemon gets its own private /tmp, so a symlink planted by a local user in the shared /tmp is never seen by the daemon, which blocks this attack vector. After adding the override, run systemctl daemon-reload and systemctl restart himmelblaud-tasks, and confirm the setting took effect with systemctl show -p PrivateTmp himmelblaud-tasks.
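The drop-in mitigation above, as an added example that is not Himmelblau's code. It assumes the unit is named himmelblaud-tasks.service and that drop-ins live under /etc/systemd/system/<unit>.d; the drop-in file name and the function names are assumptions. The write step is separated from the apply step so the generated override can be checked against a scratch directory before touching the host.

```shell
#!/bin/sh
# Added example, not Himmelblau project code: install a systemd drop-in that
# re-enables PrivateTmp for himmelblaud-tasks, reload, restart and verify.

UNIT=himmelblaud-tasks.service                  # assumed unit name
DROPIN_DIR=/etc/systemd/system/$UNIT.d          # standard drop-in location

# Write the override into the given directory. PrivateTmp=yes gives the
# service a private /tmp, so symlinks planted in the shared /tmp by local
# users are not visible to the daemon.
write_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<'EOF'
[Service]
PrivateTmp=yes
EOF
}

# Print the effective value from the loaded unit (expect "PrivateTmp=yes").
check_privatetmp() {
    systemctl show -p PrivateTmp "$UNIT"
}

apply() {
    write_dropin "$DROPIN_DIR"
    systemctl daemon-reload
    systemctl restart "$UNIT"
    check_privatetmp
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run as root with `sh mitigate.sh --apply`; `systemctl edit himmelblaud-tasks` would produce the same override.conf interactively. This is a mitigation only: it removes the shared /tmp from the daemon's view, while the code-level fix is in the 2.3.8 and 3.1.0 releases.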
