high

CredManifest (Azure AD keyCredential property information disclosure)

Published Wed, Nov 17th, 2021

Platforms

azure

Summary

Automation Account 'Run as' credentials (PFX certificates) were being stored in cleartext, in Azure Active Directory (AAD). These credentials were available to anyone with the ability to read information about App Registrations (typically most AAD users).

Affected Services

AAD

Remediation

Regenerate exposed certificate

Tracked CVEs

CVE-2021-42306

References

https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/https://github.com/microsoft/aad-app-credential-tools/blob/main/azure-migrate/azure-migrate-credential-rotation-guide.mdhttps://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/

Contributed by https://github.com/a10ns

Entry Status

Finalized

Disclosure Date

Thu, Oct 7th, 2021

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

5.96

(PI:1.5/A3:1.05/A4:1.05/A5:1.05/A6:6/A7:1.1/A8:1.1)

Discovered by

Karl Fosaaen, NetSPI

More vulnerabilities...

AWS SOC 2 type 2 failure (Fall 2021)

aws

Information about this issue is under NDA, but AWS customers can read about it on page 98 of the report, which is available for download through AWS Artifact. Note: This issue is outside the scope ...

Anonymous discoverer
low

AWS API Gateway HTTP header smuggling

aws

A flaw in AWS API Gateway enabled hiding HTTP request headers. Tampering with HTTP requests visibility enabled bypassing IP restrictions, cache poisoning and request smuggling.

Daniel Thatcher, intruder
high

Cloud SQL vulnerabilities in Google's RDS offering

gcp

Multiple vulnerabilities were found in Google Cloud SQL, including config file injection leading to RCE, information disclosure in the Cloud SQL Auth Proxy, and a design issue in Postgres IAM authe...

Imre Rad
View all