Conversation

@ramonsmits ramonsmits (Member) commented Nov 6, 2023

Symptoms

This is a fix for a Remote Code Execution (RCE) vulnerability in a third-party component.

Who's affected

Azure Service Bus or Azure Storage Queues users might be affected; more information is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36414

Root cause

This is a third-party bug fix; more information is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36414

According to the CVSS metric, the attack vector is network (AV:N), and privilege required is low (PR:L). What is the target used in the context of the remote code execution?

The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call.

The privilege requirement is low because the attacker needs to be authenticated as a normal user.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H), and availability (A:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality.

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by passing a specially crafted OS-level command to a specific SDK property which is passed to the underlying CLI and results in remote code execution.

Which credential types provided by the Azure Identity client library are affected?

The vulnerability exists in the following credential types:

DefaultAzureCredential
AzureCliCredential
AzureDeveloperCliCredential
AzurePowerShellCredential

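The remediation this pull request applies is a version bump of Azure.Identity from 1.9.0 to 1.10.3. The following is an added example, not code from the pull request or from the NServiceBus project, showing how a defender can audit a .NET repository for project files that still pin the package below the fixed version. It parses `PackageReference` and `PackageVersion` elements from `.csproj` and `Directory.Packages.props` files; the file contents below are constructed sample input, and the helper names (`parse_version`, `find_package_versions`, `audit`) are this example's own. The fixed version 1.10.3 comes from the PR title; everything else here is an assumption.

```python
"""Audit .csproj / Directory.Packages.props XML for Azure.Identity references
older than the patched version (CVE-2023-36414, fixed in 1.10.3 per the PR title).

Added example, not part of the pull request. Sample files below are constructed.
"""
import xml.etree.ElementTree as ET

PACKAGE = "Azure.Identity"
FIXED_VERSION = "1.10.3"  # version the PR bumps to


def parse_version(version):
    """Turn a NuGet version string into a comparable key.

    Returns (numeric_tuple, release_flag): the flag is 0 for prerelease
    versions (e.g. '1.10.3-beta.1') and 1 for release, so a prerelease of the
    fixed version sorts below the fixed release itself.
    """
    core, _, prerelease = version.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 4:  # normalise 1.9 / 1.9.0 / 1.9.0.0
        parts.append(0)
    return tuple(parts), (0 if prerelease else 1)


def find_package_versions(xml_text, package=PACKAGE):
    """Return every version declared for `package` in the given MSBuild XML.

    Handles both the attribute form (Version="...") and the child-element
    form (<Version>...</Version>) and ignores XML namespaces on the tags.
    """
    root = ET.fromstring(xml_text)
    versions = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip any namespace prefix
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        if el.get("Include") != package:
            continue
        version = el.get("Version")
        if version is None:
            child = el.find("Version")
            if child is not None and child.text:
                version = child.text.strip()
        if version:
            versions.append(version)
    return versions


def audit(files, fixed=FIXED_VERSION):
    """files: mapping of file name -> XML text.

    Returns [(file name, declared version)] for every declaration below `fixed`.
    """
    findings = []
    for name, text in files.items():
        for version in find_package_versions(text):
            if parse_version(version) < parse_version(fixed):
                findings.append((name, version))
    return findings


# Constructed sample input: one project still on 1.9.0, one central package
# file already on 1.10.3, and one legacy project pinning a prerelease.
SAMPLE_FILES = {
    "Transport.AzureServiceBus.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.9.0" />
    <PackageReference Include="Example.Other.Package" Version="2.0.0" />
  </ItemGroup>
</Project>""",
    "Directory.Packages.props": """<Project>
  <ItemGroup>
    <PackageVersion Include="Azure.Identity" Version="1.10.3" />
  </ItemGroup>
</Project>""",
    "Legacy.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Azure.Identity">
      <Version>1.10.0-beta.1</Version>
    </PackageReference>
  </ItemGroup>
</Project>""",
}


if __name__ == "__main__":
    for name, version in audit(SAMPLE_FILES):
        print(f"{name}: {PACKAGE} {version} is below {FIXED_VERSION}")
```

Pointing `audit` at real files is a matter of reading each `*.csproj` and `Directory.Packages.props` under the repository into the mapping. Note that transitive references brought in by other packages are not visible in project XML; for those, the resolved versions in `project.assets.json` or the output of `dotnet list package --include-transitive` are the place to look.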
@ramonsmits ramonsmits self-assigned this Nov 6, 2023
@ramonsmits ramonsmits added this to the 4.32.4 milestone Nov 6, 2023
@ramonsmits ramonsmits marked this pull request as draft November 6, 2023 13:43
@DavidBoike DavidBoike marked this pull request as ready for review November 9, 2023 16:35
@DavidBoike DavidBoike merged commit 7d4b956 into release-4.32 Nov 9, 2023
@DavidBoike DavidBoike deleted the CVE-2023-36414-v4.32 branch November 9, 2023 16:35
@ramonsmits ramonsmits added the Bug label Nov 13, 2023
@ramonsmits ramonsmits changed the title Bump Azure.Identity from 1.9.0 to 1.10.3 due to CVE-2023-36414 CVE-2023-36414: Bump Azure.Identity from 1.9.0 to 1.10.3 Feb 1, 2024