NetSPI Uncovers a Critical Azure Vulnerability, CVE-2021-42306: CredManifest

The vulnerability, found by NetSPI’s cloud pentesting practice director Karl Fosaaen, affects most organizations that use Azure.

Minneapolis, Minnesota  –  NetSPI, the leader in enterprise penetration testing and attack surface management, today recognizes the work of practice director Karl Fosaaen who discovered and reported a critical misconfiguration in Microsoft Azure. If exploited by an adversary, CVE-2021-42306: CredManifest would allow bad actors to escalate up to a Contributor role in the Azure Active Directory subscription. If access to the Azure Contributor role is achieved, the user would be able to create, manage, and delete all types of resources in the affected Azure subscription.

Because Azure Active Directory enables employees to sign in and access resources, if the issue was not identified by NetSPI and a malicious individual found the vulnerability first, they would have the potential to access all of the resources in the affected subscriptions. This includes credentials stored in key vaults and any sensitive information stored in Azure services used in the subscription. Or worse, they could disable or delete resources and take entire Azure tenants offline. This would leave organizations without access to external resources that are hosted in the vulnerable subscription, including applications hosted by App services, public files from Storage Accounts, or databases hosted in AzureSQL.

“The scope of this issue is wide-sweeping, given the prominence of “Run as” accounts in Azure and the growing adoption of Azure. We’re proud to have identified and fixed it before the bad guys,” said Fosaaen. “The discovery of this vulnerability highlights the importance of the shared responsibility model among cloud providers and customers. It’s vital for the security community to put the world’s most prominent technologies to the test.” 

Fosaaen worked closely with the Microsoft Security Response Center (MSRC) to disclose and remediate the issue. You can read Microsoft’s disclosure blog post online here.

“We want to thank Karl Fosaaen of NetSPI who reported this vulnerability and worked with the Microsoft Security Response Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to help keep Microsoft customers safe,” said a representative from MSRC. Impacted Azure services have deployed updates that prevent clear text private key data from being stored during application creation. Additionally, Azure Active Directory deployed an update that prevents access to private key data previously stored. Customers will be notified via Azure Service Health and should perform the mitigation steps specified in the notification to remediate any confirmed impacted Application and/or Service Principal. 

Although Microsoft has updated the impacted Azure services, NetSPI recommends cycling any existing Automation Account “Run as” certificates. Because there was a potential exposure of these credentials, it is best to assume that the credentials may have been compromised. 

A technical explanation of the vulnerability, how it was found, its impact, and remediation steps, can be found on the NetSPI technical blog. To connect with NetSPI for Azure cloud penetration services, visit NetSPI.com.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest healthcare companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ penetration testing and vulnerability management platform. Its experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

Media Contact:
Amanda Echavarri, Inkhouse for NetSPI
netspi@inkhouse.com
(978) 201-2510