Khronosd

Name of the Vulnerable Software and Affected Versions Himmelblau versões 2.0.0-alpha através de 2.3.8 e 3.0.0-alpha através de 3.1.0 Description Himmelblau, um conjunto de interoperabilidade para Microsoft Azure Entra ID e Intune, contém um problema de escalonamento de privilégios local condicional devido a uma colisão de nomenclatura em um caso extremo. Usuários autenticados cujo CN/nome curto mapeado corresponda exatamente a um nome de grupo local privilegiado (por exemplo, "sudo", "wheel", "docker", "adm") podem fazer com que o módulo NSS resolva esse nome de grupo para um grupo primário falso. Se o sistema usar resultados do NSS para decisões de autorização baseadas em grupo (sudo, polkit, etc.), isso pode conceder ao invasor os privilégios desse grupo. Recommendations Atualize para a versão 2.3.9 ou posterior. Atualize para a versão 3.1.1 ou posterior.

**Name of the Vulnerable Software and Affected Versions** Himmelblau versions 3.0.0 through 3.1.0 **Description** Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. If Himmelblau is deployed without a configured tenant domain in `himmelblau.conf`, authentication is not limited to the intended tenant. In this scenario, Himmelblau can accept authentication attempts from any Entra ID domain through dynamic provider registration during runtime. This behavior is designed for initial or local setup but introduces risk in remote authentication environments. This can lead to tenant confusion attacks, potentially granting initial access. **Recommendations** Versions 3.0.0 through 3.1.0 should be updated to version 3.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Himmelblau versions prior to 3.1.0 Himmelblau versions prior to 2.3.8 **Description** Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. The `himmelblaud-tasks` daemon, running as root, writes Kerberos cache files under `/tmp/krb5cc <uid>` without symlink protections. The `PrivateTmp` setting was removed from the daemon’s systemd hardening, exposing it to the host `/tmp`. A local user can exploit this through symlink attacks to overwrite arbitrary files, potentially achieving local privilege escalation. This is a Time-of-Check to Time-of-Use (TOCTOU) vulnerability where a Kerberos cache file can be swapped for a symlink to `/etc/shadow`, allowing an unprivileged user to gain control of system credentials. **Recommendations** Versions prior to 3.1.0: Update to version 3.1.0. Versions prior to 2.3.8: Update to version 2.3.8.