Himmelblau Privileged Local Group Name Collision Vulnerability Allowing Unauthorized Access to Sudo and Other Rights

A conditional local privilege escalation vulnerability has been identified in Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune. This vulnerability affects Himmelblau versions 2.0.0-alpha prior to 2.3.9 and 3.0.0-alpha prior to 3.1.1. The issue arises from an edge-case naming collision where authenticated users can manipulate group name resolutions to gain unauthorized privileges. Specifically, if a user's mapped short name matches that of a privileged local group (such as 'sudo', 'wheel', 'docker', or 'adm'), the NSS module can be tricked into assigning that group’s privileges to the user. This exploitation is possible in environments where Himmelblau is integrated with NSS for group lookups and the 'cn_name_mapping' feature is enabled, which is the default setting.

Impact

Exploitation of this vulnerability allows authenticated Himmelblau users to escalate privileges by manipulating group name resolutions, potentially gaining root-equivalent access through the 'sudo' group.

Reproduction

To reproduce this vulnerability, first ensure that Himmelblau is installed and configured with 'cn_name_mapping' enabled. Then, create an Entra ID user whose short name matches a privileged local group name. After authenticating this user through Himmelblau, the NSS 'getent group' command can be used to verify that the group name resolution has been manipulated to reflect the user's fake primary group, thereby granting unauthorized privileges.

Remediation

Users can upgrade to Himmelblau versions 2.3.9 or 3.1.1, where this vulnerability has been patched.