TODO: Mitigate the Information Disclosure vulnerability caused by improperly configured Azure Migrate applications

Reading Time: 2 minutes

Azure Active Directory

Last week, Microsoft issued security guidance on a security issue within Azure Active Directory. In this guidance, Microsoft instructs Azure AD admins to rotate the password for Azure Migrate applications, when these applications have been created prior to November 2, 2021.

About the vulnerability

CVE-2021-42306 is a vulnerability in the way Azure AD stores the keyCredentials attribute for application and/or service principals for some Azure services.

The keyCredentials attribute stores the public key data for use in authentication, but certificates with private key data could have also been incorrectly stored in the attribute. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted application and/or service principal.

Some Microsoft services incorrectly stored private key data in the keyCredentials  attribute while creating applications. Azure Migrate service creates Azure AD applications to enable Azure Migrate appliances to communicate with the service’s endpoints.

What Microsoft has done to mitigate

Azure Migrate deployed an update to the service to prevent private key data in clear text from being uploaded to the keyCredentials attributes of Azure AD applications.

Azure AD has mitigated the information disclosure issue by preventing reading of clear text private key data that was previously added by any user or service through the UI or through APIs.

As a result, clear text private key material in the keyCredentials attribute is inaccessible, mitigating the risks associated with storage of this material in the attribute.

Call to action

As a precautionary measure, Microsoft recommends using the assessment script in this GitHub Repository. After assessing the impacted Azure AD applications, you need to execute the mitigation script on each Azure Migrate appliance in your organization's environment.

Typically, Under the App registration section in the Azure AD portal, the applications associated with Azure Migrate contain one of the following suffixes:

  • resourceaccessaadapp
  • agentauthaadapp
  • authandaccessaadapp

Azure Migrate appliances that were registered after November 2, 2021 and had Appliance configuration manager version 6.1.220.1 and above are not impacted and do not require further action.

2 Responses to TODO: Mitigate the Information Disclosure vulnerability caused by improperly configured Azure Migrate applications

  1.  

    Interesting that Microsoft make you register your e-mail address when you download their software, but when they find a vulnerability in it, they don't let you know. So what is the point of collecting your e-mail address?

  2. I have personally never had to leave my email address to download Microsoft products, except for trials.

    This wasn't a vulnerability in a Microsoft product, but in a Microsoft service.

    When you register for a Microsoft service, you register with an email address. This email address is then notified of service changes.

    For both Microsoft services and products you can get up to date security information on msrc.microsoft.com. You can set alerts there to, using filters for the products and services your organization uses so you won't get overburdened with information on products you don't manage.

     

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.