-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                   AUSCERT Security Bulletin ASB-2021.0241
      Azure Active Directory Information Disclosure Vulnerability
                             19 November 2021
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Azure Active Directory
Operating System:  Virtualisation
                   Windows
Impact/Access:     Increased Privileges     -- Existing Account
                   Access Privileged Data   -- Existing Account
Resolution:        Mitigation
CVE Names:         CVE-2021-42306

OVERVIEW

        Microsoft has released an out-of-band advisory detailing an Azure
        Active Directory Information Disclosure Vulnerability. [1]

IMPACT

        Microsoft has stated the following:

        "An information disclosure vulnerability manifests when a user or
        an application uploads unprotected private key data as part of an
        authentication certificate keyCredential on an Azure AD Application
        or Service Principal (which is not recommended). This vulnerability
        allows a user or service in the tenant with application read access
        to read the private key data that was added to the application." [1]

MITIGATION

        Microsoft states:

        "Azure AD addressed this vulnerability by preventing disclosure of
        any private key values added to the application. Microsoft has
        identified services that could manifest this vulnerability, and
        steps that customers should take to be protected." [1]

        For more details on this issue, Microsoft recommends referring to
        the MSRC Blog Entry. [2]

REFERENCES

        [1] Azure Active Directory Information Disclosure Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42306

        [2] Guidance for Azure Active Directory (AD) keyCredential property
            Information Disclosure in Application and Service Principal APIs
            https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYZcZEeNLKJtyKPYoAQigRQ/8D0rzArIhJrCObxAAUE+hr+1v2VTqHzOQ
DnSxSSK42T/aVuFREJT4Qngv4OojFWvsi3E/Cyx9ICRR1FptzrYNT2ANcD1+SnGl
bePBHN5OVQEOYXBC+hvbm7KljLv76kvLreOIufCs/ZMpMkZslZxDVOgAvHix+kAJ
2G1dVqyZRx2yqRcXG0n4tJEt9duR3q/XVPFZzEb0ScED97UOTqek4HCKQsd91UrY
7ZCfv7tuBas2Btqaj61wrIw2UPD8E7HhXuDyVcfWfqQw+poM5G5Gk/WUKkdSWkym
leVu+ttUbjTD05d+G8yEOPbURMRPTIjoiVroHCPlZHuDTyoMUw9aqKq1cmVAj6lE
lEctkt7gGXhexNGK2UITbJdHjO4ZV6EuGw23tqeGWy48WiA2Pgw04aNnevZbJJKD
NsKnY4QHpWbDzxaXkX6UTcwQ6pguLXge9nL+zk51IcF/trYM83hk3FHfSXmDGsM/
+yDTIQ+OGo+Zr09eA5hPNKwWgunY7lKE0RddSx7OlEpRKPLu9EuHT0PJTAeeayFh
I3HQ4tE7KyVz9gJ0D+fsVZT9XkxhPwi5a1Dy1/OB9hLzFIEKle+KArzrnJKtcqIP
Q5c1WXSF1cYKlArD5g1pMFr9nPOapOahRVbfd8uDlHLnNVAB5cq+x0Z6+TjgVXel
lNWDqLhoPQ8=
=bnyP
-----END PGP SIGNATURE-----
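The bulletin's IMPACT section turns on one detail: the keyCredential property of an Application or Service Principal is meant to hold a certificate (public data), and the exposure only arises when something uploads a private key or PFX there instead. The Python below is an added example, not part of the AusCERT bulletin or of Microsoft's guidance. It shows a defender-side check for exactly that mistake: a classifier that tells an X.509 certificate apart from PKCS#1/PKCS#8/PKCS#12 private key material by inspecting the leading DER structure (or PEM markers), a pre-upload guard built on it, and an audit pass over a list of application objects. The record shape (appId, displayName, keyCredentials[].keyId/key, with key base64-encoded) is assumed to follow the Microsoft Graph application object; the blobs and application records are constructed and contain no real keys.

```python
import base64

# ---------------------------------------------------------------------------
# Constructed sample blobs (NOT real keys or certificates). Only the leading
# DER bytes matter to the check below, so each blob is just a structurally
# correct prefix of the object type it imitates.
# ---------------------------------------------------------------------------
# X.509 Certificate: SEQUENCE { SEQUENCE tbsCertificate { [0] version 2 ... } ... }
CERT_LIKE = bytes.fromhex("30820310" "308201f8" "a003020102")
# PKCS#8 PrivateKeyInfo: SEQUENCE { INTEGER version 0, AlgorithmIdentifier rsaEncryption ... }
PKCS8_LIKE = bytes.fromhex("308204bd" "020100" "300d06092a864886f70d0101010500")
# PKCS#12 PFX: SEQUENCE { INTEGER version 3, SEQUENCE authSafe ... }
PFX_LIKE = bytes.fromhex("308209a1" "020103" "30820967")
PEM_KEY = (b"-----BEGIN PRIVATE KEY-----\n"
           b"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKc=\n"  # constructed filler, not a key
           b"-----END PRIVATE KEY-----\n")
PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
            b"MIIDEDCCAfigAwIBAgIQ\n"                 # constructed filler, not a cert
            b"-----END CERTIFICATE-----\n")


def _first_inner_tag(blob: bytes):
    """Return the tag byte of the first element inside an outer DER SEQUENCE,
    or None when the blob does not start with a SEQUENCE."""
    if len(blob) < 3 or blob[0] != 0x30:
        return None
    length_octet = blob[1]
    # Long-form length: the low 7 bits say how many length bytes follow.
    offset = 2 + (length_octet & 0x7F) if length_octet & 0x80 else 2
    return blob[offset] if len(blob) > offset else None


def classify_key_blob(blob: bytes) -> str:
    """Heuristic classification of a keyCredential 'key' value.

    A certificate is SEQUENCE { SEQUENCE tbsCertificate, ... }, whereas PKCS#1,
    PKCS#8 and PKCS#12 objects all begin SEQUENCE { INTEGER version, ... }.
    That first inner tag is enough to separate "certificate" from
    "private key material"; anything else is reported for manual review.
    """
    if b"-----BEGIN" in blob:
        text = blob.decode("ascii", errors="replace")
        if "PRIVATE KEY" in text:          # also matches ENCRYPTED PRIVATE KEY, RSA PRIVATE KEY
            return "pem-private-key"
        if "CERTIFICATE" in text:
            return "pem-certificate"
        return "pem-other"
    tag = _first_inner_tag(blob)
    if tag == 0x30:
        return "der-certificate"
    if tag == 0x02:
        return "der-private-key-or-pfx"
    return "unrecognised"


def is_safe_to_upload(blob: bytes) -> bool:
    """Pre-upload guard: only a bare certificate belongs in keyCredentials."""
    return classify_key_blob(blob) in ("der-certificate", "pem-certificate")


def find_exposed_private_keys(applications):
    """Audit a list of application records (assumed Graph-like export) and
    report every keyCredential whose value is private key material."""
    findings = []
    for app in applications:
        for cred in app.get("keyCredentials") or []:
            encoded = cred.get("key")
            if not encoded:  # value may be absent/null: the service no longer returns private keys
                continue
            kind = classify_key_blob(base64.b64decode(encoded))
            if kind in ("pem-private-key", "der-private-key-or-pfx"):
                findings.append({"appId": app["appId"], "displayName": app["displayName"],
                                 "keyId": cred["keyId"], "kind": kind})
    return findings


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


# Constructed application records in the assumed Graph-like shape.
SAMPLE_APPLICATIONS = [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "billing-api",
     "keyCredentials": [{"keyId": "k1", "type": "AsymmetricX509Cert", "usage": "Verify",
                         "key": _b64(CERT_LIKE)}]},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "legacy-sync-job",
     "keyCredentials": [{"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Verify",
                         "key": _b64(PFX_LIKE)},
                        {"keyId": "k3", "type": "AsymmetricX509Cert", "usage": "Verify",
                         "key": _b64(PEM_KEY)}]},
    {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "no-cert-app",
     "keyCredentials": []},
]

if __name__ == "__main__":
    for finding in find_exposed_private_keys(SAMPLE_APPLICATIONS):
        print("private key material in keyCredentials:", finding)
    print("safe to upload CERT_LIKE:", is_safe_to_upload(CERT_LIKE))
    print("safe to upload PKCS8_LIKE:", is_safe_to_upload(PKCS8_LIKE))
```

The classifier deliberately errs toward flagging: a DER RSAPublicKey (PKCS#1) also starts with SEQUENCE { INTEGER ... } and would be reported, which is acceptable because it is not a certificate either and should not be in an AsymmetricX509Cert credential. The most useful place for `is_safe_to_upload` is the automation that calls the directory API, since the bulletin's fix stops the service from returning private key values but does not stop a pipeline from uploading them in the first place.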