Vulnerability Alert - Virtual Machine contains an Entra browser cookie of the user account

Carl Hansen 40

Hi Team,

We received a Defender alert recently telling us that there is a Virtual Machine that contains an Entra browser cookie of a user account, providing lateral movement to a Key Vault. This happened after one of our Admin users logged in to Azure Portal within the VM. I tried to replicated this but we are not getting alerts for my account with identical privileges.

We have upgraded software in the VM and cleared cache and cookies for the affected user, but we still get the alerts. There seems to be no documentation on this issue, or how to remediate. The only recommendations in Defender are to update software in the VM, nothing about how to remove the Entra cookie.

Is anyone able to assist?

alert

Silvia Wibowo 4,261 Reputation points Microsoft Employee

2024-11-26T23:18:03.34+00:00

Hi @Carl Hansen , have you asked the affected Admin user to remove browser cookies from the VM? You'd need to delete persistent cookies from Entra authentication cookies.
Carl Hansen 40 Reputation points

2024-11-27T01:35:45.96+00:00

Hi @Silvia Wibowo , we had them clear all browser data from the browser and it has still been alerted on by Defender. Today we have deleted the user data folder and everything under it. I will check tomorrow if Defender alerts on the same issue.
Carl Hansen 40 Reputation points

2024-11-28T04:13:33.2066667+00:00

Deleting the user data did not fix the issue, we are still getting Defender alerts for the same cookie. I have no idea where else it is seeing this cookie, or how it even read it to begin with.
Silvia Wibowo 4,261 Reputation points Microsoft Employee

2024-11-28T04:46:28.56+00:00

Hi @Carl Hansen, what does "Remediation" tab (in the screenshot you shared above) tell you to do?

More info: Remediation Actions in Microsoft Defender XDR.
Carl Hansen 40 Reputation points

2024-11-28T04:52:31.4033333+00:00
Hi @Silvia Wibowo , it shows only one recommendation: "Machines should have vulnerability findings resolved". Clicking into that, then shows the following:

High - W8GQQS - Update Microsoft .net Core - Update

High - MIVPAG - Update Openssl Openssl - Update

High - SDVKSN - Update Python Python - Update

None of this refers to the Entra cookie. Is this just a mislabelled finding from Defender? Why does it show an attack path using the cookie, but not say anything about it in remediation? Very confusing.
Silvia Wibowo 4,261 Reputation points Microsoft Employee

2024-11-28T22:23:51.71+00:00

Hi @Carl Hansen, Defender is saying that the machine is vulnerable, you should update the affected software to remove the vulnerability. Furthermore, it's explaining what the potential attack on the vulnerability: the cookie can be used for lateral movement. So even if your cookie is deleted, the vulnerability is still there until you update the listed software.

Please check Defender Unified Action Center to determine whether you can approve pending remediation action or other action such as isolating device.
Silvia Wibowo 4,261 Reputation points Microsoft Employee

2024-12-09T18:36:37.3533333+00:00

Hi @Carl Hansen, any update? Did you manage to update the affected software in your VM?

Mimi La Bella 25

Hi Silvia,

I also have the same issue. Mine says I have 18 attack paths to our storages. The vulnerability involves Openssl, I updated the Openssl software to the latest version 3.4.0 and I updated the environmental variables. However, the Strawberry Perl software also installed a openssl version 3.3.0 that does not have an update for. I still get the same alert shown below. I am at a loss here as well.


Internet exposed Azure VM with high severity vulnerabilities allows lateral movement to Critical Azure storage account with sensitive data An Azure Virtual Machine is reachable from the internet and has high severity vulnerabilities allows remote code execution. The Azure Virtual Machine contains an Entra browser cookie of the user account. The Entra browser cookie can authenticate as a user account. The user account has permissions to read data from an Azure storage account. The Azure storage account stores sensitive data. December 10, 2024 0:38 UTC

Internet exposed Azure VM with high severity vulnerabilities allows lateral movement to Critical Azure storage account with sensitive data An Azure Virtual Machine is reachable from the internet and has high severity vulnerabilities allows remote code execution. The Azure Virtual Machine contains an Entra browser cookie of the user account. The Entra browser cookie can authenticate as a user account. The user account has permissions to read data from an Azure storage account. The Azure storage account stores sensitive data. December 10, 2024 0:38 UTC

Carl Hansen 40 Reputation points

2024-12-11T03:53:56.64+00:00

Hi @Silvia Wibowo , we have two outstanding vulnerabilities that cannot be updated because there is no newer version of the software that uses them, just like @Mimi La Bella has. One is OpenSSL and the other is Python.

What is the recommendation in this case?

Accepted answer

Silvia Wibowo 4,261 Reputation points Microsoft Employee

2024-12-19T00:00:33.27+00:00

Hi @Carl Hansen and @Mimi La Bella , I understand you're seeking guidance on what to do about Defender warning on OpenSSL and Python, although there is no newer version available or your application requires a specific version of those components.

Defender lists out any vulnerability by giving "Attention required" label. It allows security administrators to use the information about the vulnerable component to evaluate the effect of any proposed remediation on the whole organization.

Then your security admin (or you, if that's your responsibility) needs to decide on what to do, there are 2 buttons available on Defender: Request remediation or Exception options.

More info: Vulnerable components

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Vulnerability Alert - Virtual Machine contains an Entra browser cookie of the user account

0 additional answers

Your answer