Last week, Microsoft issued security guidance on a vulnerability in Azure Active Directory. The guidance instructs Azure AD admins to rotate the password for Azure Migrate applications that were created before November 2, 2021.
About the vulnerability
CVE-2021-42306 is a vulnerability in the way Azure AD stores the keyCredentials attribute for application and/or service principals for some Azure services.
The keyCredentials attribute stores the public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the attribute. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted application and/or service principal.
Some Microsoft services incorrectly stored private key data in the keyCredentials attribute while creating applications. The Azure Migrate service is one of them: it creates Azure AD applications so that Azure Migrate appliances can communicate with the service's endpoints.
What Microsoft has done to mitigate
Azure Migrate deployed an update to the service to prevent private key data in clear text from being uploaded to the keyCredentials attributes of Azure AD applications.
Azure AD has mitigated the information disclosure issue by preventing reading of clear text private key data that was previously added by any user or service through the UI or through APIs.
As a result, clear text private key material in the keyCredentials attribute is inaccessible, mitigating the risks associated with storage of this material in the attribute.
Call to action
As a precautionary measure, Microsoft recommends running the assessment script from this GitHub repository. Once the assessment has identified the impacted Azure AD applications, you need to execute the mitigation script on each Azure Migrate appliance in your organization's environment.
Typically, under the App registrations section of the Azure AD portal, the applications associated with Azure Migrate have names ending in one of the following suffixes:
Azure Migrate appliances that were registered after November 2, 2021 with Appliance configuration manager version 184.108.40.206 or later are not impacted and require no further action.
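As an added illustration of the decision the assessment in the call to action has to make (this is not Microsoft's script and not code from the page), the Python below inspects keyCredentials entries in the shape the Graph API returns on an application object and flags blobs that are private key material (PKCS#8, PKCS#1 or a PKCS#12 container) rather than a public X.509 certificate. The application object, its keyIds and the DER/PEM blobs are constructed skeletons for the demonstration, and the classification relies only on the top-level ASN.1 structure rather than on a full parser; it applies to any exported keyCredentials list, not just Azure Migrate's, so it goes a little beyond the page's specific case.

```python
import base64

def _der_len(buf: bytes, i: int):
    """Return (content length, index of first content byte) for the DER length at buf[i]."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_key_blob(raw: bytes) -> str:
    """Classify a decoded keyCredentials 'key' blob as certificate / private-key / unknown.
    A public X.509 certificate is DER SEQUENCE { SEQUENCE tbsCertificate, ... }, while
    PKCS#8, PKCS#1 and PKCS#12 all start SEQUENCE { INTEGER version, ... }: an INTEGER
    as the first inner element means private key material (or a PFX container that can
    carry it) was uploaded where only a public certificate belongs."""
    if raw.startswith(b"-----BEGIN"):               # PEM text instead of DER
        header = raw.split(b"-----", 2)[1]
        if b"PRIVATE KEY" in header:
            return "private-key"
        return "certificate" if b"CERTIFICATE" in header else "unknown"
    if len(raw) < 4 or raw[0] != 0x30:              # not an outer SEQUENCE
        return "unknown"
    _, inner = _der_len(raw, 1)                     # skip the outer length, land on the first element
    return {b"\x30": "certificate", b"\x02": "private-key"}.get(raw[inner:inner + 1], "unknown")

def find_private_key_credentials(app: dict) -> list:
    """Return keyIds of keyCredentials entries whose blob is private key material."""
    flagged = []
    for cred in app.get("keyCredentials", []):
        blob = base64.b64decode(cred.get("key") or "")   # Graph returns 'key' base64-encoded
        if blob and classify_key_blob(blob) == "private-key":
            flagged.append(cred["keyId"])
    return flagged

def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()

# Constructed sample in the shape of a Graph application object; the blobs are
# hand-built minimal DER/PEM skeletons, not real certificates or keys.
SAMPLE_APP = {
    "keyCredentials": [
        {"keyId": "cert-ok", "type": "AsymmetricX509Cert", "usage": "Verify",
         "key": _b64(b"\x30\x04\x30\x02\x05\x00")},                      # SEQ { SEQ { NULL } }
        {"keyId": "pkcs8-leak", "type": "AsymmetricX509Cert", "usage": "Verify",
         "key": _b64(b"\x30\x09\x02\x01\x00\x30\x02\x05\x00\x04\x00")},  # SEQ { INT 0, SEQ { NULL }, OCTETS }
        {"keyId": "pem-leak", "type": "AsymmetricX509Cert", "usage": "Verify",
         "key": _b64(b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")},
    ],
}
```

Because Azure AD now blocks reading clear text private key data (see above), this check is useful on exports taken before the mitigation or on material a tool is about to upload, not as a live query against the tenant.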