CVE-2024-21638 Overview
CVE-2024-21638 is a critical authentication bypass vulnerability in Microsoft Azure IPAM (IP Address Management), a lightweight solution developed on the Azure platform to help customers manage their IP address space. The vulnerability stems from missing validation of authentication tokens passed to the application, allowing attackers to impersonate privileged users and access sensitive data stored in the IPAM instance and, through the instance's own Azure permissions, information about the customer's Azure environment.
By design, Azure IPAM uses a Service Principal assigned only the Reader role at the root Management Group level, providing no write access to customers' Azure environments. However, the lack of token validation created a significant security gap that could be exploited for elevation of privilege attacks.
Critical Impact
Attackers can impersonate any privileged user to access IP address management data and Azure resource information without authentication, leading to unauthorized data exposure and potential lateral movement within Azure environments.
Affected Products
- Microsoft Azure IPAM versions prior to 3.0.0
- Azure IPAM instances deployed without the security patch from commit 64ef2d07edf16ffa50f29c7e0e25d32d974b367f
Discovery Timeline
- 2024-01-10 - CVE-2024-21638 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21638
Vulnerability Analysis
This vulnerability is classified under CWE-287 (Improper Authentication) and CWE-269 (Improper Privilege Management). The Azure IPAM solution failed to properly validate authentication tokens passed in API requests, creating a scenario where an attacker could craft or manipulate tokens to impersonate legitimate users.
The attack is network-accessible, requires no special privileges or user interaction, and can be executed with low complexity. An attacker exploiting this vulnerability could gain access to sensitive IP address management data, network configuration details, and Azure resource information that the IPAM instance has visibility into through its Reader role permissions.
Root Cause
The root cause of this vulnerability lies in the authentication mechanism within the Azure IPAM engine. Prior to the fix, the application's check_token_expired function in engine/app/dependencies.py only verified whether a token had expired; it did not validate the token's signature against the signing keys published in Azure Active Directory's JSON Web Key Set (JWKS). An attacker could therefore craft a token with a future expiry that passed the check without any cryptographic verification.
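The following is an added example, not code from Azure IPAM or the referenced commit, that contrasts the expiry-only check described above with a check that verifies the token against a JWKS-style key set before trusting any claim. To keep it runnable offline with only the standard library, it uses HS256 with a constructed symmetric key set; Azure AD actually publishes RSA public keys and the real fix uses PyJWT and the cryptography package. The issuer, audience and key id values are placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set in JWKS layout (kid -> key). Azure AD publishes RSA public
# keys ("kty": "RSA"); symmetric "oct" keys are used here so the block needs no
# third-party library. The lookup-by-kid logic is the same for both.
_DEMO_KEY = b"constructed-demo-key-not-for-production"
JWKS = {"keys": [{"kty": "oct", "kid": "key-2024-01",
                  "k": base64.urlsafe_b64encode(_DEMO_KEY).rstrip(b"=").decode()}]}
# Placeholder tenant/app identifiers, not real values.
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"
EXPECTED_AUDIENCE = "api://<ipam-client-id>"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _key_for_kid(jwks: dict, kid):
    for key in jwks["keys"]:
        if key.get("kty") == "oct" and key.get("kid") == kid:
            return _b64url_decode(key["k"])
    return None


def sign_token(claims: dict, key: bytes, kid: str) -> str:
    """Mint an HS256 JWT; used both for the genuine token and the forgery."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def vulnerable_check(token: str, now: int) -> dict:
    """Expiry-only check, as the advisory describes the pre-fix behaviour:
    the payload is decoded and trusted, the signature is never examined."""
    _, payload, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now + 10:  # 10-second margin, like the removed code
        raise PermissionError("token expired")
    return claims


def hardened_check(token: str, jwks: dict, now: int) -> dict:
    """Signature, issuer, audience and expiry are all verified before any claim is trusted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # allow-list the algorithm; never honour 'none'
        raise PermissionError("unexpected alg")
    key = _key_for_kid(jwks, header.get("kid"))
    if key is None:
        raise PermissionError("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("wrong issuer or audience")
    if claims.get("exp", 0) <= now + 10:
        raise PermissionError("token expired")
    return claims


def _accepts(check, *args) -> bool:
    try:
        check(*args)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Compare both checks on a genuine token and a forged one carrying the same claims."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
              "sub": "ipam-admin@example.test", "exp": now + 3600}
    genuine = sign_token(claims, _DEMO_KEY, "key-2024-01")
    # Forgery: same privileged claims, but signed with a key the issuer never published.
    forged = sign_token(claims, b"not-the-real-key", "key-2024-01")
    return {
        "vulnerable_accepts_genuine": _accepts(vulnerable_check, genuine, now),
        "vulnerable_accepts_forged": _accepts(vulnerable_check, forged, now),
        "hardened_accepts_genuine": _accepts(hardened_check, genuine, JWKS, now),
        "hardened_accepts_forged": _accepts(hardened_check, forged, JWKS, now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The expiry-only check accepts both tokens because it never touches the signature; the hardened check rejects the forgery at the signature comparison and would also reject a correctly signed token minted for a different issuer or audience, which is why the issuer and audience checks sit alongside signature verification rather than being optional extras.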
Attack Vector
The vulnerability can be exploited over the network by sending crafted HTTP requests to the Azure IPAM API endpoints. An attacker would:
- Identify an exposed Azure IPAM instance
- Craft a malicious authentication token or manipulate an existing token
- Submit API requests with the crafted token in the Authorization header
- Bypass authentication and impersonate privileged users
- Access sensitive IP address management and Azure resource data
The following patch shows how the authentication mechanism was strengthened to properly validate tokens using JWKS:
from fastapi import Request, HTTPException
+from requests import Session, adapters
+from urllib3.util.retry import Retry
+from cryptography.hazmat.primitives import serialization
+
import jwt
-import time
import copy
+import json
from app.routers.common.helper import (
cosmos_query
)
-async def check_token_expired(request: Request):
- now = int(time.time()) + 10
- auth = request.headers.get('authorization')
+from app.globals import globals
+
+_session = None
+
+async def fetch_jwks_keys():
+ global _session
+
+ if _session is None:
+ _session = Session()
+
+ retries = Retry(
+ total=5,
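Review bot: the removed expiry logic (`-import time`, `- now = int(time.time()) + 10`) has no visible replacement in this hunk, so please confirm that the new validation path still rejects expired tokens, keeps a clock-skew margin comparable to the old 10-second allowance, and also checks the issuer and audience claims; verifying only the signature against the JWKS would still accept a valid Azure AD token issued for a different application. In `fetch_jwks_keys`, creating the module-level `_session` lazily with a `Retry(total=5, ...)` policy is reasonable, but the fetched keys should be cached and refreshed only when an unknown `kid` is seen rather than requested on every authenticated call; the hunk is cut off after `total=5,` so that behaviour cannot be confirmed from the visible lines.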
Source: GitHub Commit Update
The fix replaces the simple expiration check with proper JWT validation using JWKS keys fetched from Azure AD, ensuring tokens are cryptographically verified.
Detection Methods for CVE-2024-21638
Indicators of Compromise
- Unusual API requests to Azure IPAM endpoints from unexpected IP addresses or geographic locations
- Authentication logs showing successful access without corresponding Azure AD sign-in events
- Access patterns indicating enumeration of IP address spaces or Azure resources
- Anomalous user activity in IPAM audit logs that doesn't correlate with legitimate user sessions
Detection Strategies
- Monitor Azure IPAM application logs for authentication anomalies and failed validation attempts
- Implement network monitoring to detect unusual traffic patterns to IPAM endpoints
- Review Azure AD sign-in logs and correlate with IPAM access logs to identify discrepancies
- Deploy web application firewall rules to detect malformed or suspicious JWT tokens in Authorization headers
Monitoring Recommendations
- Enable verbose logging in the Azure IPAM application to capture authentication events
- Configure alerts for access attempts from untrusted IP ranges or outside business hours
- Implement Azure Sentinel or similar SIEM integration to correlate IPAM activity with Azure AD events
- Regularly audit IPAM user access patterns and investigate anomalies promptly
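The two detection ideas above that rely on correlation, IPAM access without a matching Azure AD sign-in and access from an address that differs from the one seen at sign-in, can be implemented as a small log join. The following is an added example, not tooling from Azure IPAM or Microsoft; the log records are constructed samples in a JSON-lines layout, the field names are assumptions (a real deployment would map App Service or Sentinel fields onto them), and the 90-minute window is an assumed upper bound on access-token lifetime.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real logs), one JSON object per line.
IPAM_ACCESS_LOG = """\
{"time": "2024-01-11T09:02:10Z", "user": "alice@example.test", "src_ip": "203.0.113.10", "path": "/api/spaces", "status": 200}
{"time": "2024-01-11T09:05:41Z", "user": "alice@example.test", "src_ip": "203.0.113.10", "path": "/api/spaces/corp/blocks", "status": 200}
{"time": "2024-01-11T11:47:03Z", "user": "ipam-admin@example.test", "src_ip": "198.51.100.77", "path": "/api/admin/users", "status": 200}
{"time": "2024-01-11T11:47:09Z", "user": "ipam-admin@example.test", "src_ip": "198.51.100.77", "path": "/api/spaces", "status": 200}
{"time": "2024-01-11T13:00:00Z", "user": "bob@example.test", "src_ip": "192.0.2.5", "path": "/api/spaces", "status": 200}
"""
AAD_SIGNIN_LOG = """\
{"time": "2024-01-11T08:58:30Z", "user": "alice@example.test", "ip": "203.0.113.10", "app": "Azure IPAM", "result": "Success"}
{"time": "2024-01-11T11:30:00Z", "user": "ipam-admin@example.test", "ip": "198.51.100.77", "app": "Azure IPAM", "result": "Failure"}
{"time": "2024-01-11T12:40:12Z", "user": "bob@example.test", "ip": "198.51.100.200", "app": "Azure IPAM", "result": "Success"}
"""

# Assumption: no access token issued to the IPAM app lives longer than this.
TOKEN_LIFETIME = timedelta(minutes=90)


def _parse(lines: str):
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(ipam_log: str, signin_log: str, window: timedelta = TOKEN_LIFETIME):
    """Flag IPAM API calls that no successful Azure AD sign-in can account for.

    A call is suspicious when the user has no successful sign-in to the IPAM app
    within `window` before the call (no_signin), or when every such sign-in came
    from a different address than the API call (ip_mismatch). Failed sign-ins
    never count as cover, which is what makes a forged token stand out: the
    application accepted a session that the identity provider never issued."""
    signins = [s for s in _parse(signin_log) if s["result"] == "Success"]
    alerts = []
    for access in _parse(ipam_log):
        t = _ts(access["time"])
        covering = [s for s in signins
                    if s["user"] == access["user"] and t - window <= _ts(s["time"]) <= t]
        base = {"time": access["time"], "user": access["user"],
                "src_ip": access["src_ip"], "path": access["path"]}
        if not covering:
            alerts.append({**base, "reason": "no_signin"})
        elif access["src_ip"] not in {s["ip"] for s in covering}:
            alerts.append({**base, "reason": "ip_mismatch",
                           "signin_ips": sorted({s["ip"] for s in covering})})
    return alerts


def users_without_signin(alerts) -> list:
    """Distinct users whose IPAM activity had no sign-in at all: the strongest
    signal of token forgery, worth a dedicated alert rather than a dashboard tile."""
    return sorted({a["user"] for a in alerts if a["reason"] == "no_signin"})


if __name__ == "__main__":
    for alert in correlate(IPAM_ACCESS_LOG, AAD_SIGNIN_LOG):
        print(json.dumps(alert))
    print("users without sign-in:", users_without_signin(correlate(IPAM_ACCESS_LOG, AAD_SIGNIN_LOG)))
```

In the sample data, alice's two calls are covered by her earlier sign-in from the same address and produce nothing; ipam-admin's calls produce no_signin alerts because the only sign-in on record for that account failed; bob's call produces an ip_mismatch alert because his sign-in came from a different address. In production the same join is best expressed as a KQL query over the SigninLogs table and the application's request logs in Sentinel, but the logic is the one shown here.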
How to Mitigate CVE-2024-21638
Immediate Actions Required
- Upgrade Azure IPAM to version 3.0.0 or later immediately
- If immediate upgrade is not possible, restrict network access to the IPAM instance to trusted IP ranges only
- Review IPAM access logs for any suspicious activity that may indicate prior exploitation
- Rotate any credentials or secrets associated with the Azure IPAM deployment
- Audit Azure resources accessible through the IPAM Service Principal's Reader role for unauthorized access
Patch Information
Microsoft has addressed this vulnerability in Azure IPAM version 3.0.0. The security fix is documented in GitHub Pull Request #218 and in commit 64ef2d07edf16ffa50f29c7e0e25d32d974b367f (linked from this page as "GitHub Commit Update"). For complete details on the vulnerability and remediation, refer to GitHub Security Advisory GHSA-m8mp-jq4c-g8j6.
Workarounds
- Restrict network access to the Azure IPAM instance using Azure Network Security Groups or firewall rules
- Implement Azure Private Link to eliminate public internet exposure of the IPAM endpoint
- Place the IPAM instance behind an Azure Application Gateway with Web Application Firewall enabled
- In high-risk environments, consider temporarily taking the IPAM instance offline until the patch can be applied
# Restrict access to Azure IPAM using Network Security Group
az network nsg rule create \
--resource-group <resource-group> \
--nsg-name <nsg-name> \
--name AllowTrustedIPsOnly \
--priority 100 \
--direction Inbound \
--access Allow \
--protocol Tcp \
--destination-port-ranges 443 \
--source-address-prefixes <trusted-ip-ranges>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


