CVE-2023-35624
📋 TL;DR
This vulnerability in Azure Connected Machine Agent allows an authenticated attacker to elevate privileges on affected systems. Attackers could gain SYSTEM-level access on Windows machines or root access on Linux machines running the vulnerable agent. This affects organizations using Azure Arc-enabled servers with the vulnerable agent version.
💻 Affected Systems
- Azure Connected Machine Agent
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining SYSTEM/root privileges, enabling persistence, lateral movement, data exfiltration, and disabling of security controls.
Likely Case
Privilege escalation from a lower-privileged user account to SYSTEM/root, allowing installation of malware, credential harvesting, and further network reconnaissance.
If Mitigated
Limited impact if proper network segmentation, least privilege principles, and monitoring are in place, though privilege escalation would still be possible.
🎯 Exploit Status
Requires authenticated access to the target system. Microsoft has not disclosed specific exploitation details, but privilege escalation vulnerabilities in system agents typically have low exploitation complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.36.0 or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35624
Restart Required: Yes
Instructions:
1. Update Azure Connected Machine Agent to version 1.36.0 or later.
2. For Windows: The agent auto-updates by default.
3. For Linux: Run 'azcmagent version' to check the current version, then update via the package manager.
4. Restart the system after the update.
🔧 Temporary Workarounds
Disable automatic updates temporarily
(all platforms) Prevents the vulnerable update mechanism from being exploited while planning a permanent fix
azcmagent config set auto-upgrade.enabled false
Restrict agent service permissions
(all platforms) Apply strict file system permissions to agent directories and executables
Linux: chmod 750 /opt/azcmagent/bin/azcmagent
Windows: icacls "C:\Program Files\AzureConnectedMachineAgent" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Azure Arc-managed systems from critical assets
- Enforce least privilege access controls and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Run 'azcmagent version' and check whether the reported version is below 1.36.0
Check Version:
azcmagent version
Verify Fix Applied:
Run 'azcmagent version' and confirm the reported version is 1.36.0 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Azure Connected Machine Agent service
- Failed privilege escalation attempts in system logs
- Modifications to agent configuration files
Network Indicators:
- Unexpected outbound connections from agent service
- Communication with unusual endpoints from agent
SIEM Query:
Process creation where parent_process_name contains 'azcmagent' and (process_name contains 'cmd.exe' or process_name contains 'powershell.exe' or process_name contains 'bash')
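Added example (not part of this advisory or of the Azure agent's own tooling): a small Python helper that turns the two checks above into code, comparing the version reported by 'azcmagent version' against 1.36.0 and running the SIEM rule over constructed process-creation events. The field names follow the query above; the layout of the 'azcmagent version' output is an assumption, and the sample telemetry is constructed, not real logs.

```python
import json
import re

FIXED_VERSION = (1, 36, 0)  # first non-vulnerable agent version per the advisory
# Child processes the SIEM query above flags when spawned by the agent
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "bash")


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z token from 'azcmagent version' output.
    Assumption: only the dotted version number is relied upon, not the exact layout."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no version string found in output")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_output: str) -> bool:
    """True when the reported agent version is below 1.36.0 (the fixed version)."""
    return parse_version(version_output) < FIXED_VERSION


def is_suspicious_spawn(event: dict) -> bool:
    """Mirror of the SIEM query: the agent as parent of a shell or command interpreter."""
    parent = event.get("parent_process_name", "").lower()
    child = event.get("process_name", "").lower()
    return "azcmagent" in parent and any(name in child for name in SUSPICIOUS_CHILDREN)


def find_alerts(jsonl: str) -> list:
    """Run the rule over newline-delimited JSON process-creation events."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_suspicious_spawn(event):
                alerts.append((event["host"], event["parent_process_name"], event["process_name"]))
    return alerts


# Constructed sample telemetry (not real logs); two events should match, two should not.
SAMPLE_EVENTS = r"""
{"host": "arc-win01", "parent_process_name": "C:\\Program Files\\AzureConnectedMachineAgent\\azcmagent.exe", "process_name": "cmd.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "arc-win01", "parent_process_name": "explorer.exe", "process_name": "powershell.exe", "user": "CORP\\alice"}
{"host": "arc-lnx02", "parent_process_name": "/opt/azcmagent/bin/azcmagent", "process_name": "bash", "user": "root"}
{"host": "arc-lnx02", "parent_process_name": "/opt/azcmagent/bin/azcmagent", "process_name": "uname", "user": "root"}
"""

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("azcmagent version 1.35.02"))  # constructed output
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", alert)
```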