CVE-2024-43470
📋 TL;DR
This vulnerability in Azure Network Watcher VM Agent allows authenticated attackers to elevate privileges on affected virtual machines. Attackers could gain SYSTEM-level access by exploiting improper link resolution. Only Azure virtual machines with Network Watcher extension enabled are affected.
💻 Affected Systems
- Azure Network Watcher Agent
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM-level compromise of the virtual machine, enabling complete control, data exfiltration, lateral movement, and persistence establishment.
Likely Case
Privilege escalation from a lower-privileged user to SYSTEM, allowing installation of malware, credential theft, and further exploitation.
If Mitigated
Limited impact with proper network segmentation, least privilege access, and monitoring in place, though local privilege escalation remains possible.
🎯 Exploit Status
Requires authenticated access to the VM. Exploitation involves manipulating symbolic links or junctions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed Network Watcher Agent version, rolled out automatically by Azure
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43470
Restart Required: No
Instructions:
1. Ensure Azure VMs are updated automatically via Azure Update Management.
2. Verify the Network Watcher extension is updated to the latest version.
3. No manual patching required - Azure handles updates automatically.
🔧 Temporary Workarounds
Disable Network Watcher Extension
Platform: Windows
Temporarily disable the Network Watcher VM Agent if it is not required for operations:
Remove-AzVMExtension -ResourceGroupName <RG> -VMName <VM> -Name NetworkWatcherAgentWindows
Restrict VM Access
Platform: All
Implement strict access controls and network segmentation for affected VMs
🧯 If You Can't Patch
- Implement strict least privilege access controls on all Azure VMs
- Enable enhanced monitoring and alerting for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the Network Watcher extension is enabled on Windows Azure VMs via the Azure Portal or PowerShell:
Get-AzVMExtension -ResourceGroupName <RG> -VMName <VM>
Check Version:
Get-AzVMExtension -ResourceGroupName <RG> -VMName <VM> -Name NetworkWatcherAgentWindows | Select-Object TypeHandlerVersion
Verify Fix Applied:
Verify Network Watcher extension version is updated in Azure Portal under VM Extensions settings
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) with unusual parent processes
- Unexpected SYSTEM-level process execution from user contexts
- Unusual behavior recorded in Network Watcher agent logs
Network Indicators:
- Unusual outbound connections from affected VMs
- Lateral movement attempts from compromised VMs
SIEM Query:
EventID=4688 AND (NewProcessName="*\system32\*" OR MandatoryLabel="S-1-16-16384") AND NOT (SubjectUserName="SYSTEM" OR SubjectUserName="*$")
Note: Event ID 4688 reports process integrity as the MandatoryLabel SID (S-1-16-16384 is System integrity), and LocalSystem appears as the computer account (HOSTNAME$), so both identities are excluded.
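The log indicator above (a System-integrity process created under an ordinary user's subject) expressed as a detection rule and run over constructed sample 4688 events; this is an added example, not code from the advisory or from Microsoft, and the event field names follow the Windows Security log schema while the sample paths and user names are invented.

```python
"""Flag Event ID 4688 records where a System-integrity process was created
by a subject that is not a system identity (the page's log indicator)."""
from typing import Dict, List

# MandatoryLabel SID that marks a token as System integrity.
SYSTEM_INTEGRITY_SID = "S-1-16-16384"
# Subjects that legitimately create System-integrity processes.
BENIGN_SUBJECTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_suspicious(event: Dict[str, str]) -> bool:
    """Return True when a non-system subject spawned a System-integrity process."""
    if event.get("EventID") != "4688":
        return False
    subject = event.get("SubjectUserName", "")
    # LocalSystem shows up in 4688 as the computer account (HOSTNAME$).
    if subject.upper() in BENIGN_SUBJECTS or subject.endswith("$"):
        return False
    return event.get("MandatoryLabel") == SYSTEM_INTEGRITY_SID


def find_suspicious(events: List[Dict[str, str]]) -> List[str]:
    """Return the NewProcessName of every event matching the indicator."""
    return [e["NewProcessName"] for e in events if is_suspicious(e)]


# Constructed sample events (hypothetical host, users and paths).
SAMPLE_EVENTS = [
    {"EventID": "4688", "SubjectUserName": "WIN-VM$",            # LocalSystem
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "MandatoryLabel": SYSTEM_INTEGRITY_SID},
    {"EventID": "4688", "SubjectUserName": "alice",              # medium integrity
     "NewProcessName": r"C:\Users\alice\notes.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "MandatoryLabel": "S-1-16-8192"},
    {"EventID": "4688", "SubjectUserName": "alice",              # should fire
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\ExampleAgent\agent.exe",
     "MandatoryLabel": SYSTEM_INTEGRITY_SID},
    {"EventID": "4624", "SubjectUserName": "alice"},             # not 4688
]

if __name__ == "__main__":
    for name in find_suspicious(SAMPLE_EVENTS):
        print("suspicious System-integrity process:", name)
```

Tune BENIGN_SUBJECTS to the service accounts that legitimately run at System integrity in your environment before deploying the rule.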