Himmelblau
Authorization bypass in Himmelblau (the open-source Entra ID/Intune interoperability suite) versions 2.0.0 through 3.1.4 and the 2.3.x branch before 2.3.11 lets any authenticated user in the same Entra ID domain obtain a local Unix login session as a different user by presenting only their own valid credentials. The flaw lives in the token_validate function of the Device Authorization Grant flow, which matched only the domain portion of the User Principal Name and ignored the username (local part), so a low-privileged domain member can impersonate higher-value accounts on the host. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the issue is a confirmed identity-spoofing defect fixed by the vendor.
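The comparison flaw described above, as an added example that is not Himmelblau's own code: a domain-only check next to a full UPN check. The function names and sample identities are hypothetical, and the sketch assumes UPNs compare case-insensitively.

```rust
// Added illustration; not Himmelblau source code. All names are hypothetical.

/// Split a UPN into (local part, domain), lower-cased for comparison.
/// Assumption: UPNs are compared case-insensitively.
fn split_upn(upn: &str) -> Option<(String, String)> {
    let (local, domain) = upn.trim().rsplit_once('@')?;
    // Reject empty parts and values with more than one '@'.
    if local.is_empty() || domain.is_empty() || local.contains('@') {
        return None;
    }
    Some((local.to_lowercase(), domain.to_lowercase()))
}

/// Flawed shape described in the advisory: only the domain is compared,
/// so any token from the same domain passes for any requested account.
fn domain_only_match(requested: &str, token_upn: &str) -> bool {
    match (split_upn(requested), split_upn(token_upn)) {
        (Some((_, requested_domain)), Some((_, token_domain))) => {
            requested_domain == token_domain
        }
        _ => false,
    }
}

/// Corrected shape: local part and domain must both match, and a
/// malformed value on either side fails closed.
fn full_upn_match(requested: &str, token_upn: &str) -> bool {
    match (split_upn(requested), split_upn(token_upn)) {
        (Some(requested_id), Some(token_id)) => requested_id == token_id,
        _ => false,
    }
}

fn main() {
    // Constructed sample pairs: (account requested at login, UPN in the token).
    let cases = [
        ("alice@example.com", "alice@example.com"),
        ("admin@example.com", "alice@example.com"),
        ("Alice@Example.COM", "alice@example.com"),
        ("alice@example.com", "alice@other.example"),
    ];
    for (requested, token) in cases {
        let weak = domain_only_match(requested, token);
        let strict = full_upn_match(requested, token);
        println!("requested={} token={} domain_only={} full={}", requested, token, weak, strict);
    }
}
```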
Local privilege escalation in Himmelblau prior to versions 3.1.0 and 2.3.8 allows authenticated local users to exploit insecure Kerberos cache file handling in the root-running himmelblaud-tasks daemon through symlink attacks. The vulnerability stems from the removal of PrivateTmp protections, exposing /tmp operations to symlink-based file overwrite and ownership manipulation attacks. An attacker with local access can leverage this flaw to achieve arbitrary file modification and full system compromise.
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. This vulnerability is rated high severity (CVSS 7.1) with low attack complexity. Public exploit code is available.