Last week, Microsoft issued guidance on a security issue within Azure Active Directory. In this guidance, Microsoft instructs Azure AD admins to rotate the password for Azure Automation Run-As accounts if those accounts were created between October 15, 2020 and October 15, 2021.
About the vulnerability
CVE-2021-42306 is a vulnerability in the way Azure AD stores the keyCredentials attribute for applications and/or service principals for some Azure services.
The keyCredentials attribute stores the public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the attribute. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted application and/or service principal.
Some Microsoft services incorrectly stored private key data in the keyCredentials attribute while creating applications. Azure Automation is one of these services, as it uses the Application and Service Principal keyCredential APIs when Automation Run-As Accounts are created.
What Microsoft has done to mitigate
Azure Automation deployed an update to the service to prevent private key data in clear text from being uploaded to the keyCredentials attributes of Azure AD applications.
Azure AD has mitigated the information disclosure issue by preventing clear text private key data that was previously added by any user or service, through the UI or through APIs, from being read.
As a result, clear text private key material in the keyCredentials attribute is inaccessible, mitigating the risks associated with storage of this material in the attribute.
Call to action
As a precautionary measure, Microsoft recommends rotating the self-signed certificates and certificates that you may have uploaded, if you’ve created Azure Automation Run-As accounts between October 15, 2020 and October 15, 2021.
To identify and remediate impacted Azure AD applications associated with impacted Azure Automation Run-As accounts, please navigate to this GitHub repository.
Typically, for Azure Automation applications, the signInUrl in the application manifest contains the URL of the Automation account, which indicates that the application is associated with that Automation account. You can find your application manifest under the App registrations section of the Azure portal.
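As an added illustration of the identification step above (this is not the script from Microsoft's repository), the following Python triage helper takes application objects in the shape returned by Microsoft Graph and flags Automation Run-As apps whose certificate validity starts inside the affected window. It assumes the manifest's signInUrl surfaces in Graph as web.homePageUrl, that a Run-As app's URL contains the Automation account resource path, and that a keyCredential's startDateTime approximates when the Run-As certificate was created; the sample data is constructed.

```python
# Added example, not Microsoft's CVE-2021-42306 tooling. Input shape assumed:
#   GET https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,web,keyCredentials
from datetime import datetime, timezone

# Affected window from Microsoft's guidance (inclusive of both dates).
WINDOW_START = datetime(2020, 10, 15, tzinfo=timezone.utc)
WINDOW_END_EXCLUSIVE = datetime(2021, 10, 16, tzinfo=timezone.utc)
# Assumption: Run-As apps point their signInUrl at the Automation account resource.
AUTOMATION_MARKER = "/providers/microsoft.automation/automationaccounts/"


def parse_graph_time(value):
    """Graph emits ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_automation_app(app):
    """True when the manifest signInUrl (web.homePageUrl) names an Automation account."""
    url = (app.get("web") or {}).get("homePageUrl") or ""
    return AUTOMATION_MARKER in url.lower()


def credentials_in_window(app):
    """keyIds of X.509 keyCredentials whose validity starts inside the affected window."""
    hits = []
    for cred in app.get("keyCredentials", []):
        if cred.get("type") != "AsymmetricX509Cert":
            continue
        start = parse_graph_time(cred["startDateTime"])
        if WINDOW_START <= start < WINDOW_END_EXCLUSIVE:
            hits.append(cred["keyId"])
    return hits


def find_impacted(apps):
    """Map appId -> keyIds that should be rotated, for Automation Run-As apps only."""
    return {app["appId"]: hits for app in apps
            if is_automation_app(app) and (hits := credentials_in_window(app))}


# Constructed sample mimicking a Graph response; not real tenant data.
RUNAS_URL = ("https://management.core.windows.net/sub-id/resourcegroups/rg/"
             "providers/Microsoft.Automation/automationAccounts/acct")
SAMPLE_APPS = [
    {"appId": "app-1", "displayName": "acct_runas", "web": {"homePageUrl": RUNAS_URL},
     "keyCredentials": [{"keyId": "key-1", "type": "AsymmetricX509Cert",
                         "startDateTime": "2021-03-01T00:00:00Z"}]},
    {"appId": "app-2", "displayName": "old_runas", "web": {"homePageUrl": RUNAS_URL},
     "keyCredentials": [{"keyId": "key-2", "type": "AsymmetricX509Cert",
                         "startDateTime": "2020-01-10T00:00:00Z"}]},  # before window
    {"appId": "app-3", "displayName": "web-app", "web": {"homePageUrl": "https://app.example"},
     "keyCredentials": [{"keyId": "key-3", "type": "AsymmetricX509Cert",
                         "startDateTime": "2021-06-01T00:00:00Z"}]},  # not Run-As
]

if __name__ == "__main__":
    for app_id, keys in find_impacted(SAMPLE_APPS).items():
        print(f"rotate certificate(s) {keys} on application {app_id}")
```

Apps flagged here still need their certificates rotated through the Automation account, since the window check only selects candidates; it does not verify whether private key data was ever uploaded.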
In addition, Azure Automation supports Managed Identities (general availability was announced in October 2021). Migrating from Run-As accounts to Managed Identities (MIs) will mitigate this issue. Please follow the guidance here to migrate.