CVE-2021-42306: Azure Active Directory Information Disclosure Vulnerability
Where can I find more information?
Please see the MSRC Blog here.
What Microsoft services are known to be affected by this vulnerability?
Product/Service: Azure Automation. Azure Automation uses the Application and Service Principal keyCredential APIs when Automation Run-As accounts are created.
Microsoft's Mitigation: Azure Automation deployed an update to the service to prevent private key data in clear text from being uploaded to Azure AD applications. Run-As accounts created or renewed after 10/15/2021 are not impacted and do not require further action.
Customer impact assessment and remediation: Automation Run-As accounts created with an Azure Automation self-signed certificate between 10/15/2020 and 10/15/2021 that have not been renewed are impacted. Separately, customers who bring their own certificates could be affected, regardless of the renewal date of the certificate. To identify and remediate impacted Azure AD applications associated with impacted Automation Run-As accounts, please navigate to this Github Repo. In addition, Azure Automation supports managed identities (GA announced in October 2021); migrating from Run-As accounts to managed identities mitigates this issue. Please follow the guidance here to migrate.

Product/Service: Azure Migrate. Azure Migrate creates Azure AD applications to enable Azure Migrate appliances to communicate with the service's endpoints.
Microsoft's Mitigation: Azure Migrate deployed an update to prevent private key data in clear text from being uploaded to Azure AD applications. Azure Migrate appliances that were registered after 11/02/2021 and have Appliance configuration manager version 6.1.220.1 or above are not impacted and do not require further action.
Customer impact assessment and remediation: Azure Migrate appliances registered before 11/02/2021, and appliances registered after 11/02/2021 with auto-update disabled, could be affected by this issue. To identify and remediate any impacted Azure AD applications associated with Azure Migrate appliances, please navigate to this link.

Product/Service: Azure Site Recovery (ASR). ASR creates Azure AD applications to communicate with the ASR service endpoints.
Microsoft's Mitigation: Azure Site Recovery deployed an update to prevent private key data in clear text from being uploaded to Azure AD applications. Customers who started using Azure Site Recovery's preview experience "VMware to Azure Disaster Recovery" after 11/01/2021 are not impacted and do not require further action.
Customer impact assessment and remediation: Customers who deployed and registered the preview version of the VMware to Azure DR experience with ASR before 11/01/2021 could be affected. To identify and remediate the impacted Azure AD applications associated with such Azure Site Recovery appliances, please navigate to this link.

Product/Service: Azure AD applications and Service Principals [1]
Microsoft's Mitigation: Microsoft has blocked reading private key data as of 10/30/2021.
Customer impact assessment and remediation: Follow the guidance at https://aka.ms/aad-app-credential-remediation-guide to assess whether your application key credentials need to be rotated. The guidance walks through the assessment steps to identify whether private key information was stored in keyCredentials and provides remediation options for credential rotation.

[1] This issue only affects Azure AD applications and service principals where private key material in clear text was added to a keyCredential. Microsoft recommends taking precautionary steps to identify any additional instances of this issue in applications where you manage credentials, and taking remediation steps if impact is found.
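The keyCredentials property of an Azure AD application or service principal is meant to hold the public certificate; a private key placed there can be read by anyone able to read the application object and used to authenticate as that service principal, which is the core of CVE-2021-42306. The following is an added example, not Microsoft's remediation script and not code from this advisory. It decodes each keyCredential's base64 `key` value and classifies the bytes by their outer DER layout or PEM marker, flagging PKCS#12 (PFX), PKCS#8, PKCS#1 RSA, SEC1 EC and PEM private keys while accepting a plain X.509 certificate. It is useful both as a guard in your own provisioning code before you call the keyCredential APIs (the footnote's "applications where you manage credentials") and for triaging keyCredentials you exported before the 10/30/2021 read block. The application object, its keyCredential entries and all key blobs are constructed for the example; the classification is structural, not cryptographic, and as I understand the Graph API the `key` field is only populated on a single-object `$select`, so it is `None` in list responses (modelled by entry k5).

```python
"""Triage helper for CVE-2021-42306: detect private key material inside Azure AD keyCredentials.

Added example (not Microsoft's remediation script). Standard library only; the
classification is structural (outer DER layout / PEM markers), not a full ASN.1 parser.
"""
import base64
from typing import Dict, List, Tuple

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING = 0x30, 0x02, 0x03, 0x04

# Formats that carry private key material and must never appear in a keyCredential.
PRIVATE_FORMATS = {"pem-private-key", "pkcs12", "pkcs8-private-key",
                   "pkcs1-rsa-private-key", "sec1-ec-private-key"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def classify_key_blob(raw: bytes) -> str:
    """Name the format of a decoded keyCredential 'key' value.

    Only 'x509-certificate' (public data) belongs in keyCredentials; every other
    format recognised here is private key material.
    """
    if raw.lstrip().startswith(b"-----BEGIN"):
        return "pem-private-key" if b"PRIVATE KEY-----" in raw else "pem-other"
    try:
        tag, body, end = _read_tlv(raw, 0)
        if tag != SEQUENCE or end != len(raw):
            return "unknown"
        kids = _children(body)
    except (IndexError, ValueError):
        return "unknown"
    tags = [t for t, _ in kids]
    first = kids[0][1] if kids and tags[0] == INTEGER else None   # value of a leading INTEGER

    if tags == [SEQUENCE, SEQUENCE, BIT_STRING]:                    # Certificate ::= { tbs, sigAlg, sig }
        return "x509-certificate"
    if first == b"\x03" and len(tags) >= 2 and tags[1] == SEQUENCE:  # PFX ::= { version 3, authSafe, [mac] }
        return "pkcs12"
    if first in (b"\x00", b"\x01") and tags[1:3] == [SEQUENCE, OCTET_STRING]:  # PrivateKeyInfo
        return "pkcs8-private-key"
    if first == b"\x01" and len(tags) >= 2 and tags[1] == OCTET_STRING:      # SEC1 ECPrivateKey
        return "sec1-ec-private-key"
    if first == b"\x00" and len(tags) >= 9 and all(t == INTEGER for t in tags):  # RSAPrivateKey
        return "pkcs1-rsa-private-key"
    return "unknown"


def find_private_key_credentials(obj: Dict) -> List[Dict]:
    """Return the keyCredentials of a Graph application/servicePrincipal object whose
    decoded 'key' bytes are private key material (keyId, type, usage, detected format)."""
    hits = []
    for cred in obj.get("keyCredentials") or []:
        key_b64 = cred.get("key")
        if not key_b64:            # Graph returns 'key' only on a single-object $select; null otherwise
            continue
        try:
            raw = base64.b64decode(key_b64, validate=True)
        except ValueError:         # binascii.Error is a ValueError subclass
            continue
        fmt = classify_key_blob(raw)
        if fmt in PRIVATE_FORMATS:
            hits.append({"keyId": cred.get("keyId"), "type": cred.get("type"),
                         "usage": cred.get("usage"), "format": fmt})
    return hits


def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER element (used only to build the constructed samples below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed stand-ins with the outer DER layout of each format; none is real key material.
OID_RSA = _der(0x06, bytes.fromhex("2a864886f70d010101"))           # rsaEncryption
OID_PKCS7_DATA = _der(0x06, bytes.fromhex("2a864886f70d010701"))    # pkcs7-data
CERT_BLOB = _der(SEQUENCE, _der(SEQUENCE, _der(INTEGER, b"\x01")) + _der(SEQUENCE, OID_RSA) + _der(BIT_STRING, b"\x00\xab"))
PFX_BLOB = _der(SEQUENCE, _der(INTEGER, b"\x03") + _der(SEQUENCE, OID_PKCS7_DATA) + _der(SEQUENCE, b""))
PKCS8_BLOB = _der(SEQUENCE, _der(INTEGER, b"\x00") + _der(SEQUENCE, OID_RSA) + _der(OCTET_STRING, b"\x30\x00"))
PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"

# Constructed object in the shape Graph returns for GET /applications/{id}?$select=keyCredentials.
SAMPLE_APP = {
    "id": "00000000-0000-0000-0000-000000000001",
    "displayName": "contoso-automation-runas",
    "keyCredentials": [
        {"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Verify", "key": base64.b64encode(CERT_BLOB).decode()},
        {"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Verify", "key": base64.b64encode(PFX_BLOB).decode()},
        {"keyId": "k3", "type": "AsymmetricX509Cert", "usage": "Verify", "key": base64.b64encode(PKCS8_BLOB).decode()},
        {"keyId": "k4", "type": "AsymmetricX509Cert", "usage": "Verify", "key": base64.b64encode(PEM_KEY).decode()},
        {"keyId": "k5", "type": "AsymmetricX509Cert", "usage": "Verify", "key": None},
    ],
}

if __name__ == "__main__":
    for hit in find_private_key_credentials(SAMPLE_APP):
        print(f"{SAMPLE_APP['displayName']}: keyId={hit['keyId']} holds {hit['format']} -> rotate")
```

Running the block reports k2 (PKCS#12), k3 (PKCS#8) and k4 (PEM private key) and leaves k1, the plain certificate, alone. For any flagged entry the remediation on this page applies: generate a new key pair, upload only the X.509 certificate as the replacement keyCredential, remove the flagged entry, and treat the old private key as compromised, since anyone who could read the application object before the 10/30/2021 block could have read it. The `type` and `usage` fields are recorded for the report but are not a reliable indicator on their own; the affected credentials carried the normal `AsymmetricX509Cert` type, so only the decoded `key` bytes tell the two cases apart.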