CVE-2024-21364 Overview
CVE-2024-21364 is an elevation of privilege vulnerability affecting Microsoft Azure Site Recovery. The flaw allows a local attacker to escalate privileges and gain control over resources beyond the authorized security boundary. The vulnerability is mapped to [CWE-284] Improper Access Control and carries a CVSS 3.1 base score of 9.3. Successful exploitation impacts confidentiality, integrity, and availability across security scopes because the issue causes a scope change. Microsoft addressed the vulnerability through the Microsoft Security Response Center advisory.
Critical Impact
A local, unauthenticated attacker can elevate privileges in Azure Site Recovery and compromise resources outside the originally authorized security scope.
Affected Products
- Microsoft Azure Site Recovery
- Azure Site Recovery configuration server components
- Hybrid disaster recovery deployments relying on Azure Site Recovery
Discovery Timeline
- 2024-02-13 - CVE-2024-21364 published to NVD
- 2024-02-13 - Microsoft published the security advisory for CVE-2024-21364
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21364
Vulnerability Analysis
The vulnerability resides in Microsoft Azure Site Recovery, a disaster recovery service that orchestrates replication and failover of workloads between on-premises and Azure environments. The defect allows a local actor to break out of the intended privilege boundary and execute actions reserved for higher-privileged identities. Because the scope changes during exploitation, the attacker can affect components beyond the vulnerable service itself. The high impact across confidentiality, integrity, and availability indicates that an attacker can read protected replication data, modify failover configurations, and disrupt recovery workflows. The local attack vector means the adversary needs prior access to the host running the Azure Site Recovery components.
Root Cause
The issue is categorized under [CWE-284] Improper Access Control. The Azure Site Recovery component fails to correctly enforce authorization checks for operations that should be restricted to privileged principals. The lack of granular access enforcement permits unauthorized actions on protected objects.
Attack Vector
An attacker with local access to a system hosting Azure Site Recovery components can invoke privileged operations without authentication or user interaction. The scoped privilege boundary breaks during exploitation, allowing the attacker to interact with replication services, configuration data, and recovery plans. Microsoft has not published exploitation prerequisites beyond the local attack vector. No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. For implementation specifics, refer to the Microsoft CVE-2024-21364 Advisory.
Detection Methods for CVE-2024-21364
Indicators of Compromise
- Unexpected privilege escalation events on hosts running Azure Site Recovery configuration or process servers.
- Anomalous modifications to Azure Site Recovery replication policies, recovery plans, or vault configurations.
- Local logons to Azure Site Recovery infrastructure followed by API calls scoped beyond the calling identity.
Detection Strategies
- Audit Azure Activity Logs for Site Recovery operations performed by accounts with unexpected scope changes.
- Correlate local authentication events on Site Recovery hosts with subsequent privileged operations against the recovery vault.
- Monitor process creation and service interactions on Azure Site Recovery configuration servers for non-administrative principals invoking administrative actions.
Monitoring Recommendations
- Enable diagnostic settings on Recovery Services vaults and forward logs to a centralized SIEM for correlation.
- Alert on changes to Azure Site Recovery role assignments, replication policies, and failover settings.
- Track installation or modification of Azure Site Recovery agents and configuration server binaries.
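The two correlation strategies above (privileged vault operations by unapproved callers, and local logons on Site Recovery hosts followed by privileged operations) can be expressed as a small offline check. The following is an added example, not part of the advisory and not Microsoft's code. The Windows 4624 logon records and Azure Activity Log records are constructed and simplified to the fields the logic needs (the field names `caller`, `operationName`, `resourceId` and `eventTimestamp` mirror the real Activity Log schema); the mapping from a caller UPN to a local account name by UPN prefix, the approved-admin list and the correlation window are assumptions for the demonstration.

```python
"""Correlate local logons on Azure Site Recovery hosts with later privileged vault operations.

Added example (not from the advisory). All records below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed Windows Security event 4624 records from ASR hosts.
# Logon type 2 = interactive, 10 = RemoteInteractive (RDP); both count as local access here.
LOGON_EVENTS: List[Dict] = [
    {"host": "asr-config-01", "user": "asr-admin", "logon_type": 2, "time": "2024-02-14T08:30:00Z"},
    {"host": "asr-config-01", "user": "svc-backup", "logon_type": 10, "time": "2024-02-14T09:00:00Z"},
    {"host": "asr-process-02", "user": "helpdesk-jdoe", "logon_type": 2, "time": "2024-02-14T10:00:00Z"},
]

VAULT = "/subscriptions/<sub>/resourceGroups/rg-dr/providers/Microsoft.RecoveryServices/vaults/asr-vault"

# Constructed, simplified Azure Activity Log records.
ACTIVITY_LOG: List[Dict] = [
    {"caller": "asr-admin@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/replicationPolicies/write",
     "resourceId": VAULT, "eventTimestamp": "2024-02-14T08:45:00Z"},
    {"caller": "svc-backup@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/write",
     "resourceId": VAULT, "eventTimestamp": "2024-02-14T09:12:00Z"},
    {"caller": "svc-backup@contoso.example", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "resourceId": VAULT + "/providers/Microsoft.Authorization/roleAssignments/<id>", "eventTimestamp": "2024-02-14T09:20:00Z"},
    {"caller": "helpdesk-jdoe@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/read",
     "resourceId": VAULT, "eventTimestamp": "2024-02-14T10:05:00Z"},
    {"caller": "helpdesk-jdoe@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/replicationProtectedItems/delete",
     "resourceId": VAULT, "eventTimestamp": "2024-02-14T10:40:00Z"},
    {"caller": "svc-mgmt@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/replicationRecoveryPlans/unplannedFailover/action",
     "resourceId": VAULT, "eventTimestamp": "2024-02-14T11:00:00Z"},
]

APPROVED_ADMINS = {"asr-admin"}  # assumption: accounts expected to perform privileged vault operations
PRIVILEGED_PROVIDERS = ("Microsoft.RecoveryServices/", "Microsoft.Authorization/")
PRIVILEGED_SUFFIXES = ("/write", "/delete", "/action")
LOCAL_LOGON_TYPES = (2, 10)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_privileged(operation_name: str) -> bool:
    """Write, delete and action operations on Site Recovery or RBAC objects change state; reads do not."""
    return operation_name.startswith(PRIVILEGED_PROVIDERS) and operation_name.endswith(PRIVILEGED_SUFFIXES)


def account_of(caller: str) -> str:
    """Assumption: the UPN prefix of an Azure caller equals the local account name seen in 4624 events."""
    return caller.split("@")[0].lower()


def unapproved_privileged_ops(activity: List[Dict], approved: set) -> List[Dict]:
    """Strategy 1: privileged Site Recovery / RBAC operations by callers outside the approved set."""
    return [r for r in activity
            if is_privileged(r["operationName"]) and account_of(r["caller"]) not in approved]


def correlate(logons: List[Dict], activity: List[Dict], approved: set, window_minutes: int = 60) -> List[Dict]:
    """Strategy 2: an unapproved privileged operation preceded, within the window, by a local logon
    of the same account on a Site Recovery host. Returns one alert per (logon, operation) pair."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for rec in unapproved_privileged_ops(activity, approved):
        op_time = parse_ts(rec["eventTimestamp"])
        user = account_of(rec["caller"])
        for lg in logons:
            if lg["logon_type"] not in LOCAL_LOGON_TYPES or lg["user"].lower() != user:
                continue
            delta = op_time - parse_ts(lg["time"])
            if timedelta(0) <= delta <= window:
                alerts.append({"user": user, "host": lg["host"], "operation": rec["operationName"],
                               "minutes_after_logon": int(delta.total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOGON_EVENTS, ACTIVITY_LOG, APPROVED_ADMINS):
        print(alert)
```

With the constructed data, `unapproved_privileged_ops` returns four records (the approved admin's policy write and the helpdesk read are excluded), and `correlate` reduces those to the three that follow a local logon by the same account within an hour; the failover action by `svc-mgmt` has no matching logon and so surfaces only from the first check. In a SIEM the same joins would be run over the host security log and the vault's diagnostic stream rather than over in-memory lists.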
How to Mitigate CVE-2024-21364
Immediate Actions Required
- Apply the Microsoft update referenced in the CVE-2024-21364 advisory to all Azure Site Recovery components.
- Restrict local and interactive access to systems hosting Azure Site Recovery configuration servers and process servers.
- Review and tighten role-based access control (RBAC) assignments on Recovery Services vaults.
Patch Information
Microsoft released a security update addressing CVE-2024-21364. Refer to the Microsoft Security Response Center advisory for the specific update packages, affected component versions, and deployment guidance for both Azure-hosted and on-premises Azure Site Recovery installations.
Workarounds
- Limit local logon rights on Azure Site Recovery infrastructure to a minimal set of administrative accounts.
- Enforce network segmentation around Site Recovery configuration and process servers to reduce local access opportunities.
- Require multi-factor authentication and just-in-time access for administrators managing Recovery Services vaults.
# Configuration example: review RBAC assignments on a Recovery Services vault
# (add --include-inherited to also list assignments inherited from the resource group or subscription)
az role assignment list \
--scope /subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.RecoveryServices/vaults/<vault-name> \
--output table
# Restrict local logon to a specific admin group on Site Recovery hosts (run on the host from an elevated prompt)
secedit /export /cfg C:\secpol.cfg
# Edit SeInteractiveLogonRight in C:\secpol.cfg to include only the approved admin group, then:
secedit /configure /db C:\Windows\security\local.sdb /cfg C:\secpol.cfg /areas USER_RIGHTS
# Note: on domain-joined hosts a Group Policy user-rights assignment overrides this local setting, so apply the restriction via GPO there.
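The RBAC review that the `az role assignment list` command above produces can be turned into a repeatable check. The following is an added example, not part of the advisory and not Microsoft's code: it reads JSON in the shape of `az role assignment list --include-inherited --output json` (the `principalName`, `principalType`, `roleDefinitionName` and `scope` fields are real output fields, but the records here are constructed) and flags privileged roles held by principals outside an approved list, assignments inherited from a broader scope, and direct user assignments. The approved-principal set, the vault path and the choice of which built-in roles count as privileged are assumptions for the demonstration.

```python
"""Review role assignments on a Recovery Services vault for over-broad privilege.

Added example (not from the advisory). Input records are constructed.
"""
import json
from typing import Dict, List, Set

VAULT_SCOPE = ("/subscriptions/<subscription-id>/resourceGroups/rg-dr"
               "/providers/Microsoft.RecoveryServices/vaults/asr-vault")
RG_SCOPE = VAULT_SCOPE.split("/providers/")[0]
SUBSCRIPTION_SCOPE = VAULT_SCOPE.split("/resourceGroups/")[0]

# Built-in roles that can change replication, failover or access on a vault (assumption for this check).
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator",
                    "Site Recovery Contributor", "Site Recovery Operator"}
# Constructed: the one group expected to hold a privileged role on the vault.
APPROVED_PRINCIPALS = {"asr-admins@contoso.example"}

# Constructed records in the shape of `az role assignment list --include-inherited --output json`.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "asr-admins@contoso.example", "principalType": "Group",
     "roleDefinitionName": "Site Recovery Contributor", "scope": VAULT_SCOPE},
    {"principalName": "dr-auditors@contoso.example", "principalType": "Group",
     "roleDefinitionName": "Site Recovery Reader", "scope": VAULT_SCOPE},
    {"principalName": "jdoe@contoso.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": RG_SCOPE},
    {"principalName": "legacy-automation", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION_SCOPE},
    {"principalName": "svc-backup@contoso.example", "principalType": "User",
     "roleDefinitionName": "Site Recovery Operator", "scope": VAULT_SCOPE},
])


def review_assignments(raw_json: str, vault_scope: str, approved: Set[str],
                       privileged_roles: Set[str] = PRIVILEGED_ROLES) -> List[Dict]:
    """Return one finding per privileged assignment that violates at least one rule."""
    findings = []
    for a in json.loads(raw_json):
        role = a["roleDefinitionName"]
        if role not in privileged_roles:
            continue  # read-only roles cannot alter replication or failover state
        reasons = []
        if a["principalName"] not in approved:
            reasons.append("principal not on approved list")
        # Scope comparison is case-insensitive because ARM resource IDs vary in case across tools.
        if a["scope"].lower() != vault_scope.lower():
            reasons.append(f"inherited from broader scope {a['scope']}")
        if a["principalType"] == "User":
            reasons.append("direct user assignment (prefer group)")
        if reasons:
            findings.append({"principal": a["principalName"], "role": role, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(review_assignments(SAMPLE_ASSIGNMENTS, VAULT_SCOPE, APPROVED_PRINCIPALS), indent=2))
```

Against the constructed input the approved group's vault-scoped assignment and the reader group produce no findings, while the resource-group Contributor, the subscription-level Owner and the directly assigned Site Recovery Operator are each reported with the specific rule they break. Piping the real CLI output into `review_assignments` gives the same triage without hand-reading the table.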
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.