Last week, Microsoft issued security guidance on a security issue within Azure Active Directory. In this guidance, Microsoft instructs Azure AD admins to rotate the password for Azure Automation Run-As accounts, when those accounts were created between October 15, 2020 and October 15, 2021.
CVE-2021-42306 is a vulnerability in the way Azure AD stores the keyCredentials attribute for application and/or service principals for some Azure services.
The keyCredentials attribute stores the public key data for use in authentication, but certificates with private key data could also have been incorrectly stored in the attribute. Access to private key data can lead to an elevation of privilege attack by allowing a user to impersonate the impacted application and/or service principal.
Some Microsoft services incorrectly stored private key data in the keyCredentials attribute while creating applications. Azure Automation is one of these services, because it uses the Application and Service Principal keyCredential APIs when Automation Run-As accounts are created.
Azure Automation deployed an update to the service to prevent private key data in clear text from being uploaded to the keyCredentials attributes of Azure AD applications.
Azure AD has mitigated the information disclosure issue by preventing reading of clear text private key data that was previously added by any user or service through the UI or through APIs.
As a result, clear text private key material in the keyCredentials attribute is inaccessible, mitigating the risks associated with storage of this material in the attribute.
As a precautionary measure, Microsoft recommends rotating the self-signed certificates and any certificates that you may have uploaded, if you created Azure Automation Run-As accounts between October 15, 2020 and October 15, 2021.
To identify and remediate impacted Azure AD applications associated with impacted Azure Automation Run-As accounts, please navigate to this GitHub repository.
Typically, for Azure Automation applications, the signInUrl in the manifest holds the URL of the automation account, which indicates that the application is associated with an Automation account. You can find your application manifest under the App registrations section in the Azure portal.
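As an added example, not code from Microsoft's post or its GitHub repository, the following Python triage takes app-registration manifests (the JSON shown under App registrations > Manifest) and lists the Run-As applications whose keyCredentials were created in the affected window. The sample manifests are constructed, and matching "/automationAccounts/" in signInUrl is an assumption about how that URL names the automation account.

```python
# Added example (not from the original post): triage exported app-registration
# manifests for Run-As apps whose key credentials fall in the affected window.
# Sample manifests are constructed; matching "/automationAccounts/" in signInUrl
# is an assumption about how that URL names the automation account.
from datetime import datetime, timezone

WINDOW_START = datetime(2020, 10, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 10, 15, 23, 59, 59, tzinfo=timezone.utc)

def _parse_ts(ts):
    # Manifest timestamps look like "2021-03-01T12:00:00Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_runas_app(manifest):
    """True when signInUrl points at an Automation account."""
    return "/automationaccounts/" in (manifest.get("signInUrl") or "").lower()

def credentials_to_rotate(manifest):
    """keyIds of keyCredentials whose startDate falls in the affected window."""
    return [c["keyId"] for c in manifest.get("keyCredentials", [])
            if WINDOW_START <= _parse_ts(c["startDate"]) <= WINDOW_END]

def triage(manifests):
    """Map displayName -> keyIds to rotate, for Run-As apps only."""
    report = {}
    for m in manifests:
        hits = credentials_to_rotate(m) if is_runas_app(m) else []
        if hits:
            report[m["displayName"]] = hits
    return report

AUTOMATION_URL = ("https://management.azure.com/subscriptions/<sub-id>/resourceGroups/"
                  "rg-ops/providers/Microsoft.Automation/automationAccounts/")
SAMPLE_MANIFESTS = [  # constructed sample data
    {"displayName": "ops-aa_runas", "signInUrl": AUTOMATION_URL + "ops-aa",
     "keyCredentials": [{"keyId": "k1", "startDate": "2021-03-01T12:00:00Z",
                         "type": "AsymmetricX509Cert", "usage": "Verify"}]},
    {"displayName": "legacy-aa_runas", "signInUrl": AUTOMATION_URL + "legacy-aa",
     "keyCredentials": [{"keyId": "k2", "startDate": "2020-01-10T00:00:00Z",
                         "type": "AsymmetricX509Cert", "usage": "Verify"}]},
    {"displayName": "portal-web-app", "signInUrl": "https://portal.contoso.example/",
     "keyCredentials": [{"keyId": "k3", "startDate": "2021-05-05T00:00:00Z",
                         "type": "AsymmetricX509Cert", "usage": "Verify"}]},
]

if __name__ == "__main__":
    for name, keys in triage(SAMPLE_MANIFESTS).items():
        print(f"{name}: rotate {', '.join(keys)}")
```

Only the first sample app is reported: the second is a Run-As app whose credential predates the window, and the third has a credential in the window but is not tied to an Automation account.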
In addition, Azure Automation supports Managed Identities (GA announced in October 2021). Migrating from Run-As accounts to Managed Identities (MIs) will mitigate this issue. Please follow the guidance here to migrate.