TODO: Mitigate the Information Disclosure vulnerability caused by improperly configured Azure Migrate applications

Azure Active Directory

Last week, Microsoft issued security guidance on a security issue within Azure Active Directory. In this guidance, Microsoft instructs Azure AD admins to rotate the password for Azure Migrate applications, when these applications have been created prior to November 2, 2021.

About the vulnerability

CVE-2021-42306 is a vulnerability in the way Azure AD stores the keyCredentials attribute for application and/or service principals for some Azure services.

The keyCredentials attribute stores the public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the attribute. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted application and/or service principal.

Some Microsoft services incorrectly stored private key data in the keyCredentials  attribute while creating applications. Azure Migrate service creates Azure AD applications to enable Azure Migrate appliances to communicate with the service‚Äôs endpoints.

What Microsoft has done to mitigate

Azure Migrate deployed an update to the service to prevent private key data in clear text from being uploaded to the keyCredentials attributes of Azure AD applications.

Azure AD has mitigated the information disclosure issue by preventing reading of clear text private key data that was previously added by any user or service through the UI or through APIs.

As a result, clear text private key material in the keyCredentials attribute is inaccessible, mitigating the risks associated with storage of this material in the attribute.

Call to action

As a precautionary measure, Microsoft recommends using the assessment script in this GitHub Repository. After assessing the impacted Azure AD applications, you need to execute the mitigation script on each Azure Migrate appliance in your organization's environment.

Typically, Under the App registration section in the Azure AD portal, the applications associated with Azure Migrate contain one of the following suffixes:

  • resourceaccessaadapp
  • agentauthaadapp
  • authandaccessaadapp

Azure Migrate appliances that were registered after November 2, 2021 and had Appliance configuration manager version 6.1.220.1 and above are not impacted and do not require further action.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.