Headline
CVE-2022-35798: Azure Arc Jumpstart Information Disclosure Vulnerability
What is the nature of this vulnerability?
An information disclosure vulnerabilty exists in Azure Arc Jumpstart that could allow an authenticated user to view certain credentials and other senstive information contained in a log file.
What are the circumstances leading to a successful exploitation?
The client virtual machine is protected behind a secured Azure virtual network (VNET) without access from the internet. A potential attacker would first have to compromise the VNET to have network access to the Azure client virtual machine (Azure Arc Jumpstart-Client). There is only one provisioned user on the client virtual machine, and this user’s credentials are protected by a username and password provided by the end-user at deployment time. There are no other “low level” users that have login access to the virtual machine. The only user credential with access to the VM is the one created and supplied by the original Azure Arc Jumpstart end-user. A potential attacker would first need to gain access to a user login credentials and only then open a remote desktop session (RDP) into the virtual machine.
What information can be disclosed and what is the impact?
The type of information that could be disclosed is information stored in the logs, which could include credentials as well as other sensitive information for the system
Was any personal information or sensitive customer data exposed as a result of this vulnerability?
The primary use-case for Azure Arc Jumpstart is to provide an automated training and demo environment intended to be used in sandbox Azure subscriptions. ArcBox does not disclose any personal information or sensitive customer data. In the context of disclosed vulnerability, no customer data were compromised.
How can I protect myself from this vulnerability?
The Azure Arc Jumpstart service principal credential secret has been removed from the log output of the custom script extension and this fix is now live for all Jumpstart scenarios. If you are an existing user, Microsoft recommends rolling your service principal credential secret. If you are new to Azure Arc Jumpstart, there are no actions necessary.
** When was the fix for this vulnerability implemented? **
The removal of the service principal credential secret from the log was completed on 5/26/2022.
Where can I find more information about Azure Arc Jumpstart?
Please see Announcing Jumpstart ArcBox 2.0 for more information.
CVE-ID
Learn more at National Vulnerability Database (NVD)
• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
N/A
Date Record Created
20220713
Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220713)
Votes (Legacy)
Comments (Legacy)
Proposed (Legacy)
N/A
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords:
You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select “Other” from dropdown)