Redmond: Microsoft Fixes Azure Active Directory Issue Exposing Private Key Data
On November 18, 2021, NetSPI Director Karl Fosaaen was featured in an article written by Kurt Mackie for Redmond. Read the full article below or online here.
Microsoft announced on Wednesday that it fixed an Azure Active Directory private key data storage gaffe that affects Azure application subscribers, but affected organizations nonetheless should carry out specific assessment and remediation tasks.
Affected organizations were notified via the Azure Service Health Notifications message center, Microsoft indicated.
“We have notified customers who have impacted Azure AD applications created by these services and notified them via Azure Service Health Notifications to provide remediation guidance specific to the services they use.”
The applications requiring investigation include Azure Automation (when used with “Run-As Accounts”), Azure Migrate, Azure Site Recovery, and Azure AD Applications and Service Principals. Microsoft didn’t find evidence that the vulnerability was exploited, but advised organizations to conduct audits and investigate Azure apps for any permissions that may have been granted.
Microsoft also urged IT pros to enforce least-privilege access for apps and check the “sign-in logs, AAD audit logs and M365 audit logs for anomalous activity like sign-ins from unexpected IP addresses.”
Private Key Data Exposed
The problem, in essence, was that Microsoft’s Azure app installation processes were including private key data in a property used for public keys. The issue was initially flagged as CVE-2021-42306, an information disclosure vulnerability associated with Azure AD’s keyCredentials property. Any user in an Azure AD tenancy can read the keyCredentials property, Microsoft’s announcement explained:
The keyCredentials property is used to configure an application’s authentication credentials. It is accessible to any user or service in the organization’s Azure AD tenant with read access to application metadata.
The keyCredentials property is supposed to hold only public keys, but it was possible to store private key data in it, too, and that’s where the Microsoft Azure app install processes blundered.
“Some Microsoft services incorrectly stored private key data in the (keyCredentials) property while creating applications on behalf of their customers,” Microsoft explained.
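Because keyCredentials is readable by any user in the tenant, the defender's question is whether any entry holds private key material rather than a certificate. The following is an added example, not Microsoft's own detection script and not code from the article: it inspects application records shaped like the Graph application resource (the field names appId, keyCredentials, keyId and key are assumed from that schema; the sample records and key blobs are constructed) and classifies each decoded key blob structurally. The rule it uses is a heuristic: PEM private-key headers are flagged directly, and for DER blobs the first element inside the outer SEQUENCE is an INTEGER version in PKCS#1, PKCS#8, RFC 5915 EC and PKCS#12 containers, whereas an X.509 certificate or SubjectPublicKeyInfo starts with a nested SEQUENCE.

```python
import base64
import re

# PEM labels that mark private key material (PKCS#1 RSA, RFC 5915 EC, PKCS#8 plain or encrypted).
PEM_PRIVATE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
PEM_PUBLIC = (b"-----BEGIN CERTIFICATE-----", b"-----BEGIN PUBLIC KEY-----")


def _der_first_inner_tag(blob):
    """Return the tag byte of the first element inside an outer DER SEQUENCE, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    length_byte = blob[1]
    header = 2 + (length_byte & 0x7F) if length_byte & 0x80 else 2  # long- or short-form length
    if len(blob) <= header:
        return None
    return blob[header]


def classify_key_blob(blob):
    """Classify a decoded keyCredentials 'key' blob as 'private', 'public' or 'unknown'."""
    if PEM_PRIVATE.search(blob):
        return "private"
    if any(marker in blob for marker in PEM_PUBLIC):
        return "public"
    tag = _der_first_inner_tag(blob)
    if tag == 0x02:   # INTEGER version: RSAPrivateKey, ECPrivateKey, PrivateKeyInfo, PFX
        return "private"
    if tag == 0x30:   # nested SEQUENCE: Certificate (tbsCertificate) or SubjectPublicKeyInfo
        return "public"
    return "unknown"


def find_private_key_credentials(applications):
    """Return (appId, keyId) for every keyCredentials entry that carries private key data."""
    findings = []
    for app in applications:
        for cred in app.get("keyCredentials", []):
            key = cred.get("key")
            if not key:
                continue  # Graph may omit the blob; nothing to inspect
            if classify_key_blob(base64.b64decode(key)) == "private":
                findings.append((app["appId"], cred["keyId"]))
    return findings


def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample blobs: minimal DER skeletons, not real keys or certificates.
CERT_LIKE = b"\x30\x04\x30\x02\x05\x00"       # SEQUENCE { SEQUENCE { NULL } }
PFX_LIKE = b"\x30\x03\x02\x01\x03"            # SEQUENCE { INTEGER 3 } (PFX version)
PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"

# Constructed sample application records in the shape of the Graph application resource.
SAMPLE_APPLICATIONS = [
    {"appId": "app-1", "keyCredentials": [
        {"keyId": "key-cert", "key": _b64(CERT_LIKE)},
        {"keyId": "key-pfx", "key": _b64(PFX_LIKE)}]},
    {"appId": "app-2", "keyCredentials": [{"keyId": "key-pem", "key": _b64(PEM_KEY)}]},
    {"appId": "app-3", "keyCredentials": [{"keyId": "key-missing", "key": None}]},
]

if __name__ == "__main__":
    for app_id, key_id in find_private_key_credentials(SAMPLE_APPLICATIONS):
        print(f"private key data in application {app_id}, credential {key_id}")
```

A flagged entry should be treated the way the article's guidance treats the affected services: remove the credential, issue a new certificate, and review what the application's permissions would have allowed. The structural check is deliberately conservative; an "unknown" verdict means the blob is neither a recognisable certificate nor a recognisable key container and deserves a manual look.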
The Microsoft Security Response Center (MSRC) credited the discovery of the issue to “Karl Fosaaen of NetSPI who reported this vulnerability and Allscripts who worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe,” the announcement indicated.
Contributor Role Rights
The magnitude of the problem was explained in a NetSPI press release. NetSPI specializes in penetration testing and attack surface reduction services for organizations.
An exploit of the CVE-2021-42306 vulnerability could give an attacker Azure Contributor role rights, with the ability to “create, manage, and delete all types of resources in the affected Azure subscription,” NetSPI explained. An attacker would have access to “all of the resources in the affected subscriptions,” including “credentials stored in key vaults.”
NetSPI’s report on the vulnerability, written by Karl Fosaaen, NetSPI’s practice director, described the response by the MSRC as “one of the fastest” he’s seen. Fosaaen had initially sent his report to the MSRC on Oct. 7, 2021.
Fosaaen advised following MSRC’s advice, but added a cautionary note.
“Although Microsoft has updated the impacted Azure services, I recommend cycling any existing Automation Account ‘Run as’ certificates,” he wrote. “Because there was a potential exposure of these credentials, it is best to assume that the credentials may have been compromised.”
Microsoft offers a script from this GitHub page that will check for affected apps, as noted by Microsoft Program Manager Merill Fernando in this Twitter post.