Microsoft fixes Azure Active Directory issue exposing private key data
Microsoft announced on Wednesday that it has fixed an Azure Active Directory private key data storage issue that affects Azure application subscribers, but affected organizations should still perform specific assessment and remediation tasks.
Affected organizations were notified through the Azure Service Health Notifications message center, Microsoft said.
“We have notified customers who have impacted Azure AD applications created by these services and notified them through Azure Service Health Notifications to provide remediation guidance specific to the services they are using.”
Applications requiring investigation include Azure Automation (when used with “Run-As accounts”), Azure Migrate, Azure Site Recovery, and Azure AD Applications and Service Principals. Microsoft found no evidence that the vulnerability was exploited, but advised organizations to conduct audits and investigate Azure applications for any permissions that may have been granted.
Microsoft also urged IT pros to enforce least-privilege access for apps and check “logins, AAD audit logs, and M365 audit logs for abnormal activity such as connections from unexpected IP addresses”.
Private key data exposed
The problem, essentially, was that Microsoft’s Azure application installation processes included private key data in a property used for public keys. The issue was originally reported as CVE-2021-42306, an information disclosure vulnerability associated with the Azure AD keyCredentials property. Any user in an Azure AD tenancy can read the keyCredentials property, Microsoft’s announcement explains:
The keyCredentials property is used to configure authentication credentials for an application. It is accessible to any user or service in the organization’s Azure AD tenant with read access to the application metadata.
The keyCredentials property is supposed to hold only public keys, but it was also possible to store private key data there, and that is where the Microsoft Azure app installation processes went wrong.
“Certain Microsoft services incorrectly stored private key data in the (keyCredentials) property when building applications on behalf of their customers,” Microsoft explained.
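One way to audit the keyCredentials entries exported from a tenant for the kind of mistake described above is to look at what each base64 "key" blob actually is: a bare X.509 certificate (or SubjectPublicKeyInfo) starts with SEQUENCE { SEQUENCE ... }, whereas a PFX/PKCS#12 container, PKCS#8 PrivateKeyInfo or PKCS#1 RSAPrivateKey starts with SEQUENCE { INTEGER version ... }. The Python below is an added example written for this article, not Microsoft's published checker or NetSPI's code; the keyCredentials field names are those Microsoft Graph returns, the sample records and DER blobs are constructed, and the classification is a structural heuristic (an encrypted PKCS#8 blob, for instance, has the certificate-like outer shape and would not be flagged).

```python
import base64

def der_tlv(buf, pos):
    """Read (tag, length, value_offset) of the DER TLV at pos; None if truncated or malformed."""
    if pos + 2 > len(buf):
        return None
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if not 0 < n <= 4 or pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return (tag, length, pos) if pos + length <= len(buf) else None

def classify_key(key_b64):
    """Label a keyCredentials 'key' blob by the shape of its outermost ASN.1 structure."""
    try:
        buf = base64.b64decode(key_b64 or "", validate=True)
    except ValueError:
        return "undecodable"
    if buf.startswith(b"-----BEGIN") and b"PRIVATE KEY" in buf[:40]:
        return "pem-private-key"
    outer = der_tlv(buf, 0)
    inner = der_tlv(buf, outer[2]) if outer and outer[0] == 0x30 else None
    if inner and inner[0] == 0x30:                   # Certificate / SubjectPublicKeyInfo: SEQUENCE { SEQUENCE ... }
        return "certificate-or-public-key"
    if inner and inner[0] == 0x02 and inner[1] == 1:  # SEQUENCE { INTEGER version ... }: PFX is v3, PKCS#1/PKCS#8 keys v0/v1
        return {3: "pkcs12-pfx", 0: "pkcs1-or-pkcs8-private-key", 1: "pkcs1-or-pkcs8-private-key"}.get(buf[inner[2]], "unknown")
    return "unknown"

PRIVATE = {"pem-private-key", "pkcs12-pfx", "pkcs1-or-pkcs8-private-key"}

def find_exposed_private_keys(apps):
    """Return (appId, keyId, label) for each keyCredentials entry that holds private key material."""
    return [(app["appId"], cred["keyId"], label)
            for app in apps for cred in app.get("keyCredentials", [])
            if (label := classify_key(cred.get("key"))) in PRIVATE]

# Constructed sample data: minimal DER shells with the right outer structure (not real certificates or
# keys) and placeholder appId/keyId values, laid out the way Microsoft Graph returns application objects.
CERT_B64 = base64.b64encode(bytes.fromhex("300c3005a0030201023000030100")).decode()
PFX_B64 = base64.b64encode(bytes.fromhex("3010020103300b06092a864886f70d010701")).decode()
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-000000000001",
     "keyCredentials": [{"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Verify", "key": CERT_B64}]},
    {"appId": "00000000-0000-0000-0000-000000000002",
     "keyCredentials": [{"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Verify", "key": PFX_B64}]},
]

if __name__ == "__main__":
    for hit in find_exposed_private_keys(SAMPLE_APPS):
        print("private key material in keyCredentials:", hit)
```

Every entry it flags is a credential to rotate and to investigate in the sign-in and audit logs, since anyone with read access to the application metadata could have retrieved it.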
The Microsoft Security Response Center (MSRC) attributed the discovery of the issue to “Karl Fosaaen of NetSPI who reported this vulnerability and to Allscripts who worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe,” the announcement read.
Contributor Role Rights
The extent of the problem was explained in a NetSPI press release. NetSPI specializes in penetration testing and attack surface reduction services for organizations.
An exploit for the CVE-2021-42306 vulnerability could give an attacker Azure Contributor role rights, with the ability to “create, manage, and delete all resource types in the affected Azure subscription,” NetSPI explained. An attacker would have access to “all resources in the affected subscriptions”, including “credentials stored in key vaults”.
NetSPI’s report on the vulnerability, authored by Karl Fosaaen, Practice Director of NetSPI, described MSRC’s response as “one of the fastest” it has seen. Fosaaen originally sent his report to the MSRC on October 7, 2021.
Fosaaen advised following MSRC advice, but added a caveat.
“Although Microsoft has updated the affected Azure services, I recommend repeating all existing Automation account ‘Run As’ certificates,” he wrote. “Because there was potential exposure of these credentials, it is best to assume that the credentials may have been compromised.”
Microsoft offers a script from this GitHub page that will check for affected applications, as noted by Microsoft Program Manager Merill Fernando in this Twitter post.