Azure Linux VM extension credential leak

Published Tue, Mar 9th, 2021


A vulnerability in the Azure Linux VM extension mechanism allowed an unprivileged user to leak any Azure VM extension’s private data. An attacker could have abused this to gain credentials for the VM itself as well as credentials for extensions associated with the VM. Paired with the design of the VMAccess extension (an official Azure extension for managing VM credentials), this could have been used to achieve privilege escalation, as an unprivileged attacker would have been able to elevate themselves to a higher privileged user by leaking the VMAccess admin password. Additionally, if the VMAccess password happened to be shared among other Azure VMs, the attacker would have been able to perform lateral movement to other machines. The root cause of this vulnerability was that the certificates endpoint used for decrypting extension credentials did not validate transport certificates, so an attacker could simply issue their own valid transport certificate. Moreover, although an iptables rule was in place to prevent unprivileged access to this endpoint, an attacker could bypass it by directing their requests to the Azure IMDS instead, which happened to be located on the same machine as the certificates endpoint.

Affected Services

Azure Container Instance, Azure Service Fabric, Azure Kubernetes Service, Azure Container Registry, Azure Spring Cloud


For Azure Kubernetes Service, update to image version 2020.10.15 or later. For other services, no action is required.

Tracked CVEs



Disclosure Date
Tue, Mar 9th, 2021
Exploitablity Period
Known ITW Exploitation
Detection Methods
Discovered by
Paul Litvak (Intezer), Wouter ter Maat (Offensi), null