Khronosd

Name of the Vulnerable Software and Affected Versions Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 Description Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune, contains a conditional local privilege escalation issue due to an edge-case naming collision. Authenticated users whose mapped CN/short name exactly matches a privileged local group name (e.g., "sudo", "wheel", "docker", "adm") can cause the NSS module to resolve that group name to a fake primary group. If the system uses NSS results for group-based authorization decisions (sudo, polkit, etc.), this can grant the attacker the privileges of that group. Recommendations Update to version 2.3.9 or later. Update to version 3.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Himmelblau versions 3.0.0 through 3.1.0 **Description** Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. If Himmelblau is deployed without a configured tenant domain in `himmelblau.conf`, authentication is not limited to the intended tenant. In this scenario, Himmelblau can accept authentication attempts from any Entra ID domain through dynamic provider registration during runtime. This behavior is designed for initial or local setup but introduces risk in remote authentication environments. This can lead to tenant confusion attacks, potentially granting initial access. **Recommendations** Versions 3.0.0 through 3.1.0 should be updated to version 3.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Himmelblau versions prior to 3.1.0 Himmelblau versions prior to 2.3.8 **Description** Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. The `himmelblaud-tasks` daemon, running as root, writes Kerberos cache files under `/tmp/krb5cc <uid>` without symlink protections. The `PrivateTmp` setting was removed from the daemon’s systemd hardening, exposing it to the host `/tmp`. A local user can exploit this through symlink attacks to overwrite arbitrary files, potentially achieving local privilege escalation. This is a Time-of-Check to Time-of-Use (TOCTOU) vulnerability where a Kerberos cache file can be swapped for a symlink to `/etc/shadow`, allowing an unprivileged user to gain control of system credentials. **Recommendations** Versions prior to 3.1.0: Update to version 3.1.0. Versions prior to 2.3.8: Update to version 2.3.8.