TL;DR: We have found a low-severity vulnerability in Linux VMs. It has been patched for newly created VMs. Existing VMs can be self-service patched by downloading and running the script below.
While troubleshooting a Linux VM, we recently uncovered a low-severity vulnerability in the login path of Linux VMs. It was possible to log in to a Linux VM without being a member of that Workspace, provided the account had very advanced permissions on a myDRE account and had been manually granted permission to use the organisation's Bastion instance. This combination of permissions is restricted to the anDREa Support Team for troubleshooting; Workspace users cannot obtain these permissions.
Domain joining the VM ensures that anyone with a myDRE account can log in to a VM and every other account is rejected. On top of that, additional code is meant to restrict logins further to users of that particular Workspace. That part of the code was not behaving as expected. This had not been found earlier because users cannot reach the resources of other Workspaces through Azure. If such permissions were granted, however, it would be possible to log in to a Linux VM in a Workspace where the account is not a member. Anyone logging in to a VM this way would not have sudo access on the VM, only read access.
This affects all Linux VMs. However, the permissions mentioned above are mainly restricted to the anDREa Support Team, and by default the anDREa Support Team does not have access to the tenant's Bastion resource.
Risk: With the above, the risk level was set to Low.
Included in this announcement is a script that fixes the vulnerability on an existing Linux VM; newly created Linux VMs already include this patch. The fix restricts logins to Workspace members only, as originally intended. The script has to be run once on each existing Linux VM. The simplest way to get the script into your Workspace is the file upload feature in the myDRE portal.
To run the script:
Download the script in this article.
Upload the script to your Workspace.
Log in to your Linux VM and open the console.
Run the script with the following commands:
cp /mnt/data/inbox/transfer-<time of upload>/DreDomainLogin.sh ./
sudo ./DreDomainLogin.sh
Enter the acronym of the workspace when prompted and press Enter.
The Workspace acronym is the unique identifier of the Workspace, at most 8 letters long. An example below:
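The following is an added illustration of the kind of hardening the procedure above performs; it is not the DreDomainLogin.sh distributed with this announcement, whose contents are not shown here. It assumes (an assumption, not stated on this page) that the VM is domain-joined through SSSD and that each Workspace has a domain group named after its acronym; the drop-in path, the domain lookup and the `--apply` flag are likewise illustrative. It shows the two things a practitioner would want from such a script: strict validation of the acronym before it is written into a configuration file, and a deny-by-default access stanza that replaces "any domain account may log in" with "only the Workspace group may log in".

```shell
#!/bin/sh
# Added example, not the script shipped with the announcement.
# Assumption: the VM uses SSSD for domain logins and the Workspace's
# domain group carries the Workspace acronym as its name.

# The Workspace acronym is at most 8 letters. Reject empty strings,
# anything that is not a letter, and anything longer than 8 characters,
# so that user input can never inject extra config lines.
validate_acronym() {
  case "$1" in
    ''|*[!A-Za-z]*) return 1 ;;
  esac
  [ "${#1}" -le 8 ]
}

# Render the SSSD access-control stanza for the Workspace.
# Weak setting:    access_provider = permit   (every domain account may log in)
# Hardened setting: simple provider with an allow-list of one group.
# $1 = Workspace acronym, $2 = SSSD domain name (both supplied by the caller).
render_sssd_access() {
  printf '[domain/%s]\naccess_provider = simple\nsimple_allow_groups = %s\n' "$2" "$1"
}

# Read the first configured domain name from the existing sssd.conf
# (hypothetical helper; assumes a single 'domains = ...' line).
current_domain() {
  sed -n 's/^domains *= *//p' /etc/sssd/sssd.conf | cut -d, -f1 | tr -d ' '
}

# Write the stanza as a drop-in (SSSD reads /etc/sssd/conf.d/*.conf, which
# must be root-owned and mode 0600) and restart SSSD. Requires root, which is
# why the procedure runs the script with sudo.
apply_fix() {
  acronym="$1"
  if [ "$(id -u)" -ne 0 ]; then
    echo "run this script with sudo" >&2; return 1
  fi
  if ! validate_acronym "$acronym"; then
    echo "invalid Workspace acronym: '$acronym'" >&2; return 1
  fi
  domain=$(current_domain)
  if [ -z "$domain" ]; then
    echo "no SSSD domain configured on this VM" >&2; return 1
  fi
  mkdir -p /etc/sssd/conf.d
  render_sssd_access "$acronym" "$domain" > /etc/sssd/conf.d/99-workspace-access.conf
  chmod 600 /etc/sssd/conf.d/99-workspace-access.conf
  systemctl restart sssd
}

# Only touch the system when explicitly asked: sudo ./this.sh --apply
if [ "${1:-}" = "--apply" ]; then
  printf 'Workspace acronym: '
  read -r acr
  apply_fix "$acr"
fi
```

The validation happens before anything is written, and the allow-list is built from a single group name rather than by editing the existing file in place, so a typo in the acronym fails loudly instead of silently leaving the VM open to every domain account.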