===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0241
        Azure Active Directory Information Disclosure Vulnerability
                             19 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Azure Active Directory
Operating System: Virtualisation
                  Windows
Impact/Access:    Increased Privileges   -- Existing Account
                  Access Privileged Data -- Existing Account
Resolution:       Mitigation
CVE Names:        CVE-2021-42306  

OVERVIEW

        Microsoft has released an out-of-band advisory detailing an 
        Azure Active Directory Information Disclosure Vulnerability. [1]


IMPACT

        Microsoft has stated the following:
        "An information disclosure vulnerability manifests when a user or an 
        application uploads unprotected private key data as part of an 
        authentication certificate keyCredential on an Azure AD Application 
        or Service Principal (which is not recommended). 
        This vulnerability allows a user or service in the tenant with 
        application read access to read the private key data that was added 
        to the application." [1]


MITIGATION

        Microsoft states:
        "Azure AD addressed this vulnerability by preventing disclosure of any 
        private key values added to the application.
        Microsoft has identified services that could manifest this vulnerability, 
        and steps that customers should take to be protected." [1]
        
        For more details on this issue, including how to identify affected
        applications and service principals, Microsoft recommends referring
        to the MSRC Blog Entry. [2]
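        The following Python is an added illustration, not part of the
        AusCERT bulletin or Microsoft's guidance. It triages keyCredential
        entries exported from a tenant and flags those whose "key" value
        looks like private-key material rather than the expected public
        X.509 certificate. The field names (keyId, type, usage, key) are
        assumed to follow the directory API's keyCredential shape, and all
        sample values are constructed.

```python
import base64

# Field names follow the keyCredential shape of the directory API (an assumption for
# this example, not something stated in the bulletin); sample values are constructed.

def _der(tag: int, body: bytes) -> bytes:
    """Build one short-form DER TLV (body shorter than 128 bytes) for the samples."""
    return bytes([tag, len(body)]) + body

# Constructed stand-ins: an X.509 certificate is SEQUENCE { tbsCertificate SEQUENCE ... },
# whereas PKCS#1, PKCS#8 and PKCS#12 private-key containers open with an INTEGER version.
FAKE_CERT_DER = _der(0x30, _der(0x30, b"\x02\x01\x01"))
FAKE_PKCS8_DER = _der(0x30, b"\x02\x01\x00" + _der(0x04, b"\x00"))
FAKE_PEM_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n"

SAMPLE_KEY_CREDENTIALS = [  # constructed, shaped like a directory API export
    {"keyId": "key-ok", "type": "AsymmetricX509Cert", "usage": "Verify",
     "key": base64.b64encode(FAKE_CERT_DER).decode()},
    {"keyId": "key-leaked-der", "type": "AsymmetricX509Cert", "usage": "Verify",
     "key": base64.b64encode(FAKE_PKCS8_DER).decode()},
    {"keyId": "key-leaked-pem", "type": "AsymmetricX509Cert", "usage": "Verify",
     "key": base64.b64encode(FAKE_PEM_KEY).decode()},
    {"keyId": "key-withheld", "type": "AsymmetricX509Cert", "usage": "Verify", "key": None},
]

def _der_first_child_tag(der: bytes):
    """Tag byte of the first element inside an outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    offset = 2
    if der[1] & 0x80:                       # long-form length: low 7 bits count the length bytes
        offset += der[1] & 0x7F
    return der[offset] if offset < len(der) else None

def classify_key_blob(key_b64):
    """Return 'certificate', 'private_key' or 'unknown' for one keyCredential 'key' value."""
    if not key_b64:                         # null/empty: the API withheld the value
        return "unknown"
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return "unknown"
    if b"PRIVATE KEY-----" in raw:          # PEM private key pasted in as text
        return "private_key"
    if b"-----BEGIN CERTIFICATE-----" in raw:
        return "certificate"
    child = _der_first_child_tag(raw)
    if child == 0x30:
        return "certificate"
    if child == 0x02:                       # also matches a bare PKCS#1 RSAPublicKey: review, do not assume
        return "private_key"
    return "unknown"

def find_exposed_private_keys(key_credentials):
    """keyIds whose 'key' looks like private-key material rather than a public certificate."""
    return [kc["keyId"] for kc in key_credentials
            if classify_key_blob(kc.get("key")) == "private_key"]
```

        Anything flagged should be treated as a credential to rotate and
        then re-added as a certificate only; the DER check is a heuristic
        and a flagged entry still needs a human look.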


REFERENCES

        [1] Azure Active Directory Information Disclosure Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42306

        [2] Guidance for Azure Active Directory (AD) keyCredential property
            Information Disclosure in Application and Service Principal APIs
            https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================