Customers were notified on Wednesday by Microsoft about a recently patched information disclosure vulnerability affecting Azure Active Directory (AD).
The vulnerability is identified as CVE-2021-42306 (CVSS score of 8.1) and is caused by the way Automation Account “Run as” credentials are created when a new Automation Account is created in Azure.
Automation Account “Run as” credentials (PFX certificates) were saved in clear text in Azure AD due to a misconfiguration, and could be accessed by anyone with access to information on App Registrations. These credentials could be used by an attacker to authenticate as the App Registration.
The researchers explain: “This includes credentials stored in key vaults and any sensitive information stored in Azure services used in the subscription. Or worse, they could disable or delete resources and take entire Azure tenants offline.”
The vulnerability, according to Microsoft, is related to the keyCredentials property. That property exists for configuring authentication credentials for applications and is meant to hold a certificate containing only public key data, but in this case it was also wrongly used to store the certificates' private key material.
Microsoft said: “Some Microsoft services incorrectly stored private key data in the (keyCredentials) property while creating applications on behalf of their customers. We have conducted an investigation and have found no evidence of malicious access to this data.”
According to Microsoft, the flaw has been fixed by preventing Azure services from storing clear text private keys in the keyCredentials property, as well as preventing users from reading any private key data that has been incorrectly stored in plain text.
Microsoft said: “As a result, clear text private key material in the keyCredentials property is inaccessible, mitigating the risks associated with storage of this material in the property.”
The flaw affects all Automation Run As accounts that have been created between October 15, 2020, and October 15, 2021, using Azure Automation self-signed certificates, according to Microsoft. Azure Migrate services and customers who have deployed the preview version of VMware to Azure DR experience with Azure Site Recovery (ASR) may also be affected.
As a result, Azure AD customers should check all Automation Account “Run as” certificates to ensure that no credentials have been exposed.
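As an added example (not code from this article or from Microsoft), the check below takes an app registration's `keyCredentials` entries in the shape Microsoft Graph returns them and flags any `key` blob whose leading bytes are a PKCS#12 container or a PEM private key rather than a plain X.509 certificate; it assumes the key material is present in the export, and the app object and blobs are constructed for the demonstration.

```python
import base64

# Constructed sample blobs (built by hand, not real certificates or keys):
# just the leading DER/PEM bytes that identify each structure.
SAMPLE_CERT_B64 = base64.b64encode(bytes.fromhex("3082000430020200")).decode()  # X.509: SEQUENCE{SEQUENCE...}
SAMPLE_PFX_B64 = base64.b64encode(bytes.fromhex("30050201033000")).decode()  # PKCS#12: SEQUENCE{INTEGER 3...}
SAMPLE_PEM_B64 = base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nMIIE...\n").decode()

# Constructed app registration shaped like a Microsoft Graph `application` object.
SAMPLE_APP = {
    "displayName": "example-automation-runas",
    "keyCredentials": [
        {"keyId": "cred-1", "type": "AsymmetricX509Cert", "key": SAMPLE_CERT_B64},
        {"keyId": "cred-2", "type": "AsymmetricX509Cert", "key": SAMPLE_PFX_B64},
        {"keyId": "cred-3", "type": "AsymmetricX509Cert", "key": SAMPLE_PEM_B64},
    ],
}

def _der_header(raw, offset=0):
    """Return (tag, length, content_offset) of the BER/DER TLV at `offset`."""
    tag, first = raw[offset], raw[offset + 1]
    if first < 0x80:  # short-form length
        return tag, first, offset + 2
    n = first & 0x7F  # long form: n length bytes follow
    return tag, int.from_bytes(raw[offset + 2:offset + 2 + n], "big"), offset + 2 + n

def classify_key_blob(key_b64):
    """Sniff the leading bytes of a keyCredentials `key` value."""
    if not key_b64:
        return "no-key-material"
    raw = base64.b64decode(key_b64)
    if raw.lstrip().startswith(b"-----BEGIN"):
        return "pem-private-key" if b"PRIVATE KEY" in raw.lstrip().split(b"\n", 1)[0] else "pem-other"
    if len(raw) < 4 or raw[0] != 0x30:  # X.509 and PKCS#12 both open with SEQUENCE
        return "unknown"
    _, _, off = _der_header(raw)
    if off < len(raw) and raw[off] == 0x30:  # tbsCertificate SEQUENCE: a public certificate
        return "x509-certificate"
    if off + 2 < len(raw) and raw[off] == 0x02:  # INTEGER version field instead
        _, ilen, ioff = _der_header(raw, off)
        if ilen == 1 and ioff < len(raw) and raw[ioff] == 3:  # PFX version v3
            return "pkcs12-private-key"
    return "unknown"

def find_exposed_keys(app):
    """Return (keyId, verdict) for every credential that is not just a certificate."""
    verdicts = ((c.get("keyId"), classify_key_blob(c.get("key"))) for c in app.get("keyCredentials", []))
    return [(k, v) for k, v in verdicts if v not in ("x509-certificate", "no-key-material")]
```

Run it over every app registration in the tenant and treat any hit as a credential to rotate, since whoever could read the App Registration could read that key.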