CVE-2024-21364
📋 TL;DR
This vulnerability in Microsoft Azure Site Recovery allows authenticated attackers to elevate privileges within the Azure environment, potentially gaining administrative control over recovery operations. It affects organizations using Azure Site Recovery for disaster recovery scenarios.
💻 Affected Systems
- Microsoft Azure Site Recovery
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over Azure Site Recovery infrastructure, allowing them to manipulate recovery operations, access protected data, and potentially compromise connected on-premises systems.
Likely Case
Privileged users or compromised accounts abuse the vulnerability to gain unauthorized access to recovery configurations and sensitive data.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users who might abuse legitimate privileges.
🎯 Exploit Status
Requires authenticated access and knowledge of Azure Site Recovery operations
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest Azure Site Recovery update
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21364
Restart Required: No
Instructions:
1. Log into Azure Portal
2. Navigate to Azure Site Recovery
3. Check for and apply available updates
4. Verify service is running latest version
🔧 Temporary Workarounds
Restrict Access Controls
Implement strict role-based access control (RBAC) to limit who can access Azure Site Recovery operations: grant the least-privileged built-in role and scope the assignment to the vault rather than the subscription, for example:
az role assignment create --assignee <user> --role "Site Recovery Contributor" --scope <resource>
Enable Audit Logging
Enable detailed audit logging for all Site Recovery operations to detect suspicious activity. The command needs a destination for the logs; a Log Analytics workspace is used here (placeholder id):
az monitor diagnostic-settings create --resource <resource-id> --name "SiteRecoveryAudit" --logs '[{"category":"AuditEvent","enabled":true}]' --workspace <log-analytics-workspace-id>
🧯 If You Can't Patch
- Implement strict principle of least privilege for all Azure Site Recovery users
- Enable multi-factor authentication for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check Azure Site Recovery service version in Azure Portal under Service Settings
Check Version:
az resource show --ids /subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.RecoveryServices/vaults/{vault} --query properties.serviceVersion
Verify Fix Applied:
Verify service shows latest version and no pending updates in Azure Portal
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation attempts in Azure Activity Logs
- Unexpected role assignments for Site Recovery
- Suspicious configuration changes to recovery plans
Network Indicators:
- Unusual API calls to Site Recovery endpoints from unexpected locations
SIEM Query (replace <suspicious_user> with the account under investigation; keep it a quoted string literal, otherwise KQL treats it as a column name):
AzureActivity | where OperationNameValue contains "Microsoft.RecoveryServices" and ActivityStatusValue == "Success" | where Caller contains "<suspicious_user>"
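The log indicators above (unexpected role assignments on the vault, configuration changes to recovery plans, calls from unexpected locations) as a small detector run over constructed AzureActivity records; this is an added example, not part of the advisory, and the approved caller, the expected network range, the subscription and vault names and the record values are all assumptions.

```python
import ipaddress

# Constructed sample records (not real telemetry); keys follow AzureActivity column names, ids and names are placeholders.
SAMPLE_ACTIVITY = [
    {"OperationNameValue": "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/write",
     "ActivityStatusValue": "Success", "Caller": "dr-admin@example.com", "CallerIpAddress": "10.20.0.5",
     "ResourceId": "/subscriptions/SUB/resourceGroups/rg-dr/providers/Microsoft.RecoveryServices/vaults/asr-vault"},
    {"OperationNameValue": "Microsoft.Authorization/roleAssignments/write",
     "ActivityStatusValue": "Success", "Caller": "contractor@example.com", "CallerIpAddress": "203.0.113.7",
     "ResourceId": "/subscriptions/SUB/resourceGroups/rg-dr/providers/Microsoft.RecoveryServices/vaults/asr-vault"
                   "/providers/Microsoft.Authorization/roleAssignments/ASSIGNMENT-ID"},
    {"OperationNameValue": "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/write",
     "ActivityStatusValue": "Failed", "Caller": "contractor@example.com", "CallerIpAddress": "203.0.113.7",
     "ResourceId": "/subscriptions/SUB/resourceGroups/rg-dr/providers/Microsoft.RecoveryServices/vaults/asr-vault"},
    {"OperationNameValue": "Microsoft.Compute/virtualMachines/write",  # unrelated provider, must be ignored
     "ActivityStatusValue": "Success", "Caller": "contractor@example.com", "CallerIpAddress": "203.0.113.7",
     "ResourceId": "/subscriptions/SUB/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01"},
]

# Assumed baseline: accounts expected to operate Site Recovery and the network they normally work from.
APPROVED_CALLERS = {"dr-admin@example.com"}
EXPECTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
VAULT_MARKER = "/providers/Microsoft.RecoveryServices/vaults/"

def classify(record):
    """Return the indicator names this record matches (empty list when nothing is suspicious)."""
    op, status = record["OperationNameValue"], record["ActivityStatusValue"]
    caller, resource = record["Caller"], record["ResourceId"]
    # In scope: Site Recovery operations, or anything (e.g. an RBAC write) scoped to a Recovery Services vault.
    if not (op.startswith("Microsoft.RecoveryServices/") or VAULT_MARKER in resource):
        return []
    findings = []
    # Unexpected role assignment: an RBAC write on the vault by an account outside the baseline.
    if op == "Microsoft.Authorization/roleAssignments/write" and caller not in APPROVED_CALLERS:
        findings.append("unexpected-role-assignment")
    # Successful Site Recovery change (recovery plan, replication settings) by an unapproved account.
    if op.startswith("Microsoft.RecoveryServices/") and status == "Success" and caller not in APPROVED_CALLERS:
        findings.append("unapproved-caller")
    # Failed Site Recovery operations are surfaced too: repeated failures can precede an escalation attempt.
    if op.startswith("Microsoft.RecoveryServices/") and status == "Failed":
        findings.append("failed-operation")
    # Call from outside the expected network.
    if not any(ipaddress.ip_address(record["CallerIpAddress"]) in net for net in EXPECTED_NETWORKS):
        findings.append("unexpected-location")
    return findings

def find_suspicious(records):
    """Keep only records matching at least one indicator, with caller, operation and indicator names."""
    return [{"Caller": r["Caller"], "Operation": r["OperationNameValue"], "Indicators": classify(r)}
            for r in records if classify(r)]
```

Running `find_suspicious(SAMPLE_ACTIVITY)` returns the two contractor records (the role assignment on the vault and the failed recovery-plan write), while the approved administrator's change and the unrelated VM write produce no findings.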