CVE-2025-49012: Himmelblau's Name-Based Group Matching in `pam_allow_groups` Leads to Potential Security Bypass
Description
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau versions 0.9.0 through 0.9.14 and 1.00-alpha are vulnerable to a privilege escalation issue when Entra ID group-based access restrictions are configured using group display names instead of object IDs. Starting in version 0.9.0, Himmelblau introduced support for specifying group names in the `pam_allow_groups` configuration option. However, Microsoft Entra ID permits the creation of multiple groups with the same `displayName` via the Microsoft Graph API—even by non-admin users, depending on tenant settings. As a result, a user could create a personal group with the same name as a legitimate access group (e.g., `"Allow-Linux-Login"`), add themselves to it, and be granted authentication or `sudo` rights by Himmelblau. Because affected Himmelblau versions compare group names by either `displayName` or by the immutable `objectId`, this allows bypassing access control mechanisms intended to restrict login to members of official, centrally-managed groups. This issue is fixed in Himmelblau version **0.9.15** and later. In these versions, group name matching in `pam_allow_groups` has been deprecated and removed, and only group `objectId`s (GUIDs) may be specified for secure group-based filtering. To mitigate the issue without upgrading, replace all entries in `pam_allow_groups` with the objectId of the target Entra ID group(s) and/or audit your tenant for groups with duplicate display names...
Classification
CVE ID: CVE-2025-49012
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.4
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Problem Types
CWE-287: Improper AuthenticationAffected Products
Vendor: himmelblau-idm
Product: himmelblau
References
https://nvd.nist.gov/vuln/detail/CVE-2025-49012https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-gcxr-m95v-qcf7
https://github.com/himmelblau-idm/himmelblau/issues/554
https://github.com/himmelblau-idm/himmelblau/commit/918577f6a8392a71d9d3d67f20962c372a0c01c6
https://learn.microsoft.com/en-us/answers/questions/1035045/azure-ad-b2c-creates-groups-with-the-same-name-usi?utm_source=chatgpt.com