CVE-2024-35261
📋 TL;DR
This vulnerability in Azure Network Watcher VM Extension allows authenticated attackers to elevate privileges on affected virtual machines. Attackers could gain SYSTEM-level access on Windows VMs or root access on Linux VMs. Only Azure customers using Network Watcher VM Extension are affected.
💻 Affected Systems
- Azure Network Watcher VM Extension
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the virtual machine with SYSTEM/root access, enabling lateral movement, data exfiltration, and persistence establishment.
Likely Case
Privilege escalation from a lower-privileged user to SYSTEM/root on the compromised VM, allowing installation of malware, credential theft, and further network reconnaissance.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though the VM would still be compromised.
🎯 Exploit Status
Requires authenticated access to the VM first. Microsoft has not disclosed technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Automatic updates via Azure platform; no specific version number for customers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-35261
Restart Required: No
Instructions:
1. Ensure Azure VMs are updated automatically via Azure Update Management.
2. Verify Network Watcher VM Extension is updated to the latest version.
3. No customer action required for patching - Microsoft handles updates.
🔧 Temporary Workarounds
Disable Network Watcher VM Extension
Remove the vulnerable extension if it is not required for operations:
az vm extension delete --resource-group <RG> --vm-name <VM> --name NetworkWatcherAgentLinux
az vm extension delete --resource-group <RG> --vm-name <VM> --name NetworkWatcherAgentWindows
Restrict VM Access
Implement strict access controls and network segmentation to limit who can access VMs
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected VMs
- Enforce least privilege access and monitor for unusual authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the Network Watcher VM Extension is installed on Azure VMs via the Azure Portal or CLI:
az vm extension list --resource-group <RG> --vm-name <VM>
Check Version:
az vm extension show --resource-group <RG> --vm-name <VM> --name NetworkWatcherAgentLinux
az vm extension show --resource-group <RG> --vm-name <VM> --name NetworkWatcherAgentWindows
Verify Fix Applied:
Verify extension is updated via Azure Portal under VM Extensions or check for automatic platform updates
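The checks above are manual. As an added example (not from this advisory or from Microsoft), the script below takes the JSON that `az vm extension list -o json` prints for one VM, reports whether a Network Watcher agent extension is present, its installed version, and whether automatic extension upgrade is enabled, since the fix is delivered through platform updates and an instance with automatic upgrade turned off is the one an operator must confirm by hand. The sample input is constructed, and the field names (`publisher`, `typeHandlerVersion`, `typePropertiesType`/`virtualMachineExtensionType`, `enableAutomaticUpgrade`, `provisioningState`) are assumed to match what the az CLI emits for your CLI version.

```python
import json

# Constructed sample resembling `az vm extension list -o json` for one VM
# (assumption: field names as the az CLI emits them; they vary slightly by version).
SAMPLE_EXTENSION_LIST = json.dumps([
    {"name": "NetworkWatcherAgentLinux",
     "publisher": "Microsoft.Azure.NetworkWatcher",
     "typePropertiesType": "NetworkWatcherAgentLinux",
     "typeHandlerVersion": "1.4",
     "enableAutomaticUpgrade": False,
     "provisioningState": "Succeeded"},
    {"name": "AzureMonitorLinuxAgent",
     "publisher": "Microsoft.Azure.Monitor",
     "typePropertiesType": "AzureMonitorLinuxAgent",
     "typeHandlerVersion": "1.28",
     "enableAutomaticUpgrade": True,
     "provisioningState": "Succeeded"},
])

NETWORK_WATCHER_PUBLISHER = "Microsoft.Azure.NetworkWatcher"
NETWORK_WATCHER_TYPES = {"NetworkWatcherAgentLinux", "NetworkWatcherAgentWindows"}


def extension_type(ext: dict) -> str:
    """The extension type, whichever key this CLI version used; falls back to the resource name."""
    return (ext.get("typePropertiesType")
            or ext.get("virtualMachineExtensionType")
            or ext.get("name", ""))


def find_network_watcher(extension_list_json: str) -> list[dict]:
    """Return the Network Watcher agent extensions present in one VM's extension list."""
    found = []
    for ext in json.loads(extension_list_json):
        if ext.get("publisher") != NETWORK_WATCHER_PUBLISHER:
            continue
        if extension_type(ext) not in NETWORK_WATCHER_TYPES:
            continue
        found.append({
            "name": ext.get("name", ""),
            "type": extension_type(ext),
            "version": ext.get("typeHandlerVersion", "unknown"),
            "auto_upgrade": bool(ext.get("enableAutomaticUpgrade", False)),
            "state": ext.get("provisioningState", "unknown"),
        })
    return found


def assess(extension_list_json: str) -> dict:
    """Summarise exposure for one VM: installed or not, and which instances need a manual version check."""
    exts = find_network_watcher(extension_list_json)
    return {
        "installed": bool(exts),
        "extensions": exts,
        # The fix ships via automatic platform updates, so instances with automatic
        # upgrade disabled are the ones to verify by hand in the Portal or with
        # `az vm extension show`.
        "needs_manual_check": [e["type"] for e in exts if not e["auto_upgrade"]],
    }


if __name__ == "__main__":
    # In practice: az vm extension list -g <RG> -n <VM> -o json | python3 this_script.py
    print(json.dumps(assess(SAMPLE_EXTENSION_LIST), indent=2))
```

Run it over every VM in a subscription by looping `az vm list` output through `assess`; a non-empty `needs_manual_check` list is the only case that requires follow-up.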
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution with SYSTEM/root privileges
- Unexpected Network Watcher extension activity
- Failed authentication attempts followed by successful privilege escalation
Network Indicators:
- Unusual outbound connections from VMs after privilege escalation
- Lateral movement attempts to other VMs
SIEM Query:
AzureActivity
| where OperationName contains "Microsoft.Compute/virtualMachines/extensions"
| where ActivityStatus contains "Success"
| where Caller contains "<suspicious-user>"
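The KQL above keys on one known-suspicious caller. As an added example (not part of this advisory and not Microsoft's code), the script below applies the same logic offline to AzureActivity-style records but generalises it to an allowlist: any successful extension write or delete on a VM whose caller is not an expected deployment identity is flagged, with the VM and extension name parsed out of the resource ID. The sample records are constructed, and the column names (`OperationNameValue`, `ActivityStatusValue`, `Caller`, `ResourceId`, `TimeGenerated`) are assumed to match what Log Analytics exposes for the AzureActivity table.

```python
# Constructed AzureActivity-style records (assumption: column names as exposed by
# Log Analytics; the subscription GUID and identities are placeholders).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"
VM_PATH = SUB + "/providers/Microsoft.Compute/virtualMachines/"

SAMPLE_ACTIVITY = [
    {"TimeGenerated": "2024-07-09T10:01:00Z", "Caller": "deploy-sp@contoso.example",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",
     "ActivityStatusValue": "Success",
     "ResourceId": VM_PATH + "web01/extensions/NetworkWatcherAgentLinux"},
    {"TimeGenerated": "2024-07-09T10:07:00Z", "Caller": "alice@contoso.example",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",
     "ActivityStatusValue": "Success",
     "ResourceId": VM_PATH + "web02/extensions/NetworkWatcherAgentWindows"},
    {"TimeGenerated": "2024-07-09T10:08:00Z", "Caller": "alice@contoso.example",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE",
     "ActivityStatusValue": "Failed",
     "ResourceId": VM_PATH + "web03/extensions/NetworkWatcherAgentWindows"},
    {"TimeGenerated": "2024-07-09T10:15:00Z", "Caller": "bob@contoso.example",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/DELETE",
     "ActivityStatusValue": "Success",
     "ResourceId": VM_PATH + "db01/extensions/NetworkWatcherAgentLinux"},
    {"TimeGenerated": "2024-07-09T10:20:00Z", "Caller": "alice@contoso.example",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "ActivityStatusValue": "Success",
     "ResourceId": VM_PATH + "web02"},
]

# Identities expected to manage extensions (constructed; e.g. a deployment service principal).
EXPECTED_CALLERS = {"deploy-sp@contoso.example"}

EXTENSION_OP_PREFIX = "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/"


def parse_resource_id(resource_id: str) -> tuple[str, str]:
    """Extract (vm_name, extension_name) from an ARM resource ID; empty strings if absent."""
    parts = resource_id.split("/")
    lowered = [p.lower() for p in parts]
    vm = ext = ""
    if "virtualmachines" in lowered:
        i = lowered.index("virtualmachines")
        if i + 1 < len(parts):
            vm = parts[i + 1]
    if "extensions" in lowered:
        j = lowered.index("extensions")
        if j + 1 < len(parts):
            ext = parts[j + 1]
    return vm, ext


def flag_extension_changes(records: list[dict], expected_callers: set[str]) -> list[dict]:
    """Successful extension writes/deletes by callers outside the allowlist, oldest first."""
    expected = {c.lower() for c in expected_callers}
    flagged = []
    for r in sorted(records, key=lambda r: r.get("TimeGenerated", "")):
        op = r.get("OperationNameValue", "").upper()
        if not op.startswith(EXTENSION_OP_PREFIX):
            continue                                   # not an extension operation
        if r.get("ActivityStatusValue") != "Success":
            continue                                   # mirrors the advisory's Success filter
        caller = r.get("Caller", "")
        if caller.lower() in expected:
            continue                                   # known automation identity
        vm, ext = parse_resource_id(r.get("ResourceId", ""))
        flagged.append({"time": r.get("TimeGenerated"), "caller": caller,
                        "action": op.rsplit("/", 1)[-1], "vm": vm, "extension": ext})
    return flagged


if __name__ == "__main__":
    for hit in flag_extension_changes(SAMPLE_ACTIVITY, EXPECTED_CALLERS):
        print(f"{hit['time']} {hit['caller']} {hit['action']} {hit['extension']} on {hit['vm']}")
```

Feed it an exported AzureActivity query result (for example `az monitor activity-log list -o json`, mapped to these column names) and tune `EXPECTED_CALLERS` to the identities that legitimately deploy extensions in your environment; unexpected deletes of the Network Watcher agent are worth the same attention as unexpected installs, since the workaround above removes it deliberately and an attacker removing it would look identical in this log.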