Last Updated on 22/11/2021 by TheDigitalHacker
Microsoft notified customers on Wednesday of a newly fixed information disclosure vulnerability in Azure Active Directory (Azure AD). Tracked as CVE-2021-42306 (CVSS score 8.1), the bug stems from the way Automation Account "Run as" credentials are generated when a new Automation Account is created in Azure.
Because of a flaw in that process, the Automation Account "Run as" credentials (PFX certificates, which bundle the private key with the certificate) were stored in clear text in Azure AD, where anyone with permission to read App Registration information could retrieve them. An attacker holding these credentials could authenticate as the App Registration.
According to researchers at penetration testing firm NetSPI, who discovered the flaw, an attacker could use it to escalate privileges to Contributor on any subscription with an Automation Account and access resources in the affected subscriptions. A Run As account is granted the Contributor role on its subscription when it is created, which is why reading a single certificate translates directly into subscription-wide access.
“This includes any sensitive information saved in Azure services utilised in the subscription, as well as credentials kept in key vaults. Or, much worse, they may deactivate or destroy resources, taking whole Azure tenants down,” the researchers write.
According to Microsoft, the vulnerability lies in the keyCredentials property, which is intended for configuring authentication credentials for applications: it accepts a certificate carrying public key data for authentication, but in this case it was also used to store private key data.
“When building apps on behalf of their clients, several Microsoft services mistakenly saved private key data in the (keyCredentials) field,” Microsoft says. “We performed an investigation and discovered no indication of unauthorised access to this data.”
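To make the keyCredentials point concrete, the following Python is an added example written for this page (not Microsoft's or NetSPI's code, and not any tooling Microsoft published). It walks an application object in the shape Microsoft Graph returns it and classifies each base64 key blob: a bare X.509 certificate is the public data the property was designed for, while a PKCS#12/PFX structure or a PEM private key is the credential that should never have been there. The Graph shape, the function names and the sample blobs are this example's own assumptions; the blobs are hand-built DER skeletons with filler bytes, not real certificates or keys.

```python
"""Added example (not Microsoft's or NetSPI's code): flag private key material in
an App Registration's keyCredentials. Graph JSON shape assumed; every blob below
is a hand-built DER skeleton, not a real certificate or key."""
import base64

def der(tag, content):
    """Encode one definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p >> 7:
            p >>= 7
            enc.insert(0, 0x80 | (p & 0x7F))
        out += enc
    return der(0x06, bytes(out))

def der_read(buf, pos=0):
    """Decode the TLV at pos -> (tag, content, next_pos); None if malformed."""
    if pos + 2 > len(buf):
        return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                    # long form; 0x80 alone = BER indefinite, unsupported
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        return None
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed type's content into (tag, content) pairs."""
    kids, pos = [], 0
    while pos < len(content) and (tlv := der_read(content, pos)):
        kids.append(tlv[:2])
        pos = tlv[2]
    return kids

OID_PKCS7_DATA = der_oid("1.2.840.113549.1.7.1")
# Bag/PBE OIDs found inside a PKCS#12 (PFX) but never inside a bare certificate.
PRIVATE_KEY_OIDS = [der_oid(o) for o in (
    "1.2.840.113549.1.12.10.1.1", "1.2.840.113549.1.12.10.1.2",   # keyBag, pkcs8ShroudedKeyBag
    "1.2.840.113549.1.12.1.3", "1.2.840.113549.1.12.1.6",         # PKCS#12 PBE schemes
    "1.2.840.113549.1.5.13")]                                     # PBES2

def classify_key_blob(raw):
    """Return 'pem-private-key', 'pkcs12', 'x509-cert' or 'unknown'."""
    if raw.lstrip().startswith(b"-----BEGIN"):           # PEM text: look for the key marker
        return "pem-private-key" if b"PRIVATE KEY-----" in raw else "unknown"
    if any(oid in raw for oid in PRIVATE_KEY_OIDS):
        return "pkcs12"
    tlv = der_read(raw)
    if tlv is None or tlv[0] != 0x30:
        return "unknown"
    kids = der_children(tlv[1])
    # PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo(pkcs7-data), macData }
    if len(kids) >= 2 and kids[0] == (0x02, b"\x03") and kids[1][0] == 0x30:
        auth = der_children(kids[1][1])
        if auth and der(*auth[0]) == OID_PKCS7_DATA:
            return "pkcs12"
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, sigAlg SEQUENCE, sig BIT STRING }
    if [k[0] for k in kids] == [0x30, 0x30, 0x03]:
        return "x509-cert"
    return "unknown"

def find_exposed_credentials(app):
    """(appId, keyId, kind) for every keyCredentials entry that holds a private key."""
    hits = []
    for cred in app.get("keyCredentials", []):
        kind = classify_key_blob(base64.b64decode(cred["key"]))
        if kind in ("pkcs12", "pem-private-key"):
            hits.append((app["appId"], cred["keyId"], kind))
    return hits

# Constructed samples: only the outer structure is meaningful, the bytes are filler.
_ALG = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))      # sha256WithRSA
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _ALG)
                  + _ALG + der(0x03, b"\x00" + b"\xAB" * 8))
SAMPLE_PFX = der(0x30, der(0x02, b"\x03") + der(0x30, OID_PKCS7_DATA + der(0xA0, der(0x04,
                 der(0x30, PRIVATE_KEY_OIDS[1] + der(0xA0, b"\x00" * 4))))))
SAMPLE_APP = {"appId": "constructed-app-id", "keyCredentials": [
    {"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Verify",
     "key": base64.b64encode(SAMPLE_CERT).decode()},       # what belongs here
    {"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Verify",
     "key": base64.b64encode(SAMPLE_PFX).decode()}]}       # the CVE-2021-42306 pattern

if __name__ == "__main__":
    for hit in find_exposed_credentials(SAMPLE_APP):
        print("private key material in keyCredentials:", hit)
```

Two design points: the OID scan runs before the structural check so that a PFX written with BER indefinite lengths (which the tiny parser deliberately rejects) is still caught, and the structural check only trusts the PFX version-plus-pkcs7-data header so that a certificate, whose outer SEQUENCE starts with another SEQUENCE, can never be misreported. Since Azure AD now refuses to return such data, the check is mainly useful on exported or cached application objects, or as a guard in automation that writes keyCredentials itself: refuse anything that does not classify as `x509-cert`.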
Microsoft says it has fixed the issue by preventing Azure services from storing clear text private keys in the keyCredentials property, and by blocking users from reading any private key data that had previously been saved there in plain text. That blocks future reads but cannot undo a read that already took place, so any Run As certificate created while the data was readable should be treated as potentially exposed and renewed.
“As a consequence, clear text private key material in the keyCredentials property is unavailable,” the company says, “mitigating the dangers associated with storing this data in the property.”