Azure Active Directory keyCredentials vulnerability resolved by Microsoft

This content has been archived, but it remains accurate and relevant to the underlying technology products and infrastructure services.

Microsoft has reported a new vulnerability on the Azure platform. The vulnerability involves leakage of private keys through the keyCredentials property of Azure Active Directory deployments. The affected Active Directory deployments could be in the form of applications or full service installations. The vulnerability has been resolved by Microsoft as of 18th November, 2021.

However, there is a fair bit of work left for Azure administrators of the affected Azure AD deployments. A full audit of the private keys used by AD applications on the Azure framework may be required for most affected deployments of applications and services on Azure Active Directory tenants.

What is the keyCredentials vulnerability on Active Directory tenants on Azure platform?

keyCredentials is a property that is available across Active Directory tenants on Microsoft’s Azure cloud hosting platform. The keyCredentials property ought to store only public key data. However, as part of the detected vulnerability, it was found that the keyCredentials property of an Azure AD tenant could improperly store private key data. So, a user’s or application’s private key data for specific application tasks, roles or functions could be compromised and exposed through the keyCredentials property.

The authentication data stored in the keyCredentials property is shared with other applications in the form of read-only access. Leakage of private keys through the keyCredentials property on Azure can have an unprecedented impact on the security of cloud-hosted deployments on Azure. Anyone with access to the keyCredentials property and the private data contained therein could, potentially, impair your infrastructure. Privilege escalation attacks could be used to compromise the infrastructure and the applications running within it.

What is the severity or CVSS score of the CVE-2021-42306 vulnerability?

The keyCredentials vulnerability on Azure has been classified by Microsoft as CVE-2021-42306. It comes with a base severity level, or CVSS score, of 8.1. This vulnerability has a ‘HIGH’ impact on the affected infrastructure.

Publicly, not much has been shared by Microsoft in terms of the vulnerability details. On its part, Microsoft has stated that there have been no known instances of the vulnerability being exploited or targeted. And, since the vulnerability resides on the AD tenant of the Azure cloud hosting platform, an attacker would need to have some sort of access to read the keyCredentials data on the Azure AD tenant. This makes it less likely that the vulnerability will be targeted.

This is an information disclosure vulnerability that may lead to privilege escalation attacks on the infrastructure.

What services are affected on the Azure platform’s AD tenant?

Microsoft has mentioned the names of the services that are potentially impacted by the keyCredentials vulnerability. The security advisory by Microsoft states that the vulnerability affects the following deployments on the Azure platform:

  • Azure automation making use of application and service principal keyCredentials API.
  • Azure Migration services
  • Azure Site Recovery
  • Azure AD applications and Service principals

Microsoft’s patch for the vulnerability takes the following approach towards resolving the issue:

  • Disallowing the AD tenant from reading the private data of an application through the keyCredentials property
  • Disallowing the upload of private key data in clear text form to AD applications

This applies to AD tenants and AD applications on Azure after 30th October. Having said that, there are action points that need to be taken by Azure administrators to mitigate this vulnerability. Microsoft patched the vulnerability on 30th October, so any private key data already stored before that date, including self-signed or private certificates, remains exposed. Read the section below on the steps you need to take if you already have potentially compromised private key data. On a similar basis, AD applications and service principals need to be audited as well.

How to mitigate the Azure keyCredentials vulnerability or CVE-2021-42306 on Azure?

Mitigation of the keyCredentials vulnerability would depend upon the AD service, application or component that has been affected.

Azure Automation

Azure automation – Azure customers using Azure Automation and Run-as accounts created by Azure Automation are affected. The impacted customers are those using either self-signed certificates or self-acquired certificates. The self-signed certificates in question were generated between 15th October 2020 and 15th October 2021.

Mitigation for Azure Automation customers – migrate the Azure Automation Run-as accounts to ‘Managed Identities’. This resolves the CVE-2021-42306 vulnerability on the keyCredentials property of the AD tenant on Azure.

If you are unable to migrate to ‘managed identities’ for now, please follow the detailed instructions for remediating CVE-2021-42306 as published by Microsoft on GitHub.

Azure migrate

Azure Migrate appliances are affected if:

  • auto update is disabled on the Azure Migrate appliance
  • the Azure Migrate appliance was registered prior to 2nd November, 2021.

To remediate the vulnerability on an Azure Migrate appliance, please follow the instructions in the Azure document published by Microsoft on GitHub.

Azure Site Recovery

Azure customers who deployed the VMware preview version on an Azure DR site for Azure Site Recovery prior to 1st November 2021 could be affected. Vulnerability remediation for Azure Site Recovery customers can be done as per the document on GitHub. The ASR appliances need to be audited for the CVE-2021-42306 vulnerability, and remediation should follow any detection of it.

Azure AD Applications and Service Principals

All AD applications and service principals should be audited to see if they make use of keyCredentials. There may be a need to rotate the private keys that have been stored in the keyCredentials property.

It is strongly suggested that Azure administrators conduct an audit of private keys that may have been generated or used with Azure AD applications. This is especially true if the private keys were generated before 15th October 2021. Self-signed certificates and privately acquired certificates should also be subjects of such an audit. If your AD applications have been using the private key data, it is a good idea to audit the use of that private key data and rotate the private key credentials.

Rotating the private key data should be attempted so that only refreshed public key data is sent to the keyCredentials property.
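The audit described above can be scripted. The following is an added example, not Microsoft’s remediation script and not code from the original article. It assumes keyCredential objects in the shape the Microsoft Graph API returns for GET /applications (the keyId, type, usage, startDateTime and key fields, with key base64-encoded), and it triages each key blob by its outer container shape: PEM private-key markers, or a DER SEQUENCE whose first element is an INTEGER (the shape of a PKCS#12 PFX, a PKCS#8 PrivateKeyInfo, or a PKCS#1 RSA key) rather than a nested SEQUENCE (the shape of an X.509 certificate). This is a heuristic rather than full ASN.1 parsing, so anything it flags still needs human review. The sample credentials and the cutoff date are constructed for illustration; the cutoff of 15th October 2021 is the date named in the text.

```python
"""Triage Azure AD application keyCredentials for private-key material.

Added example, not Microsoft's remediation script. Assumes keyCredential
objects in the shape Microsoft Graph returns for GET /applications
(keyId, type, usage, startDateTime, key), with `key` base64-encoded.
Only the blob's outer DER shape or PEM markers are inspected (a heuristic,
not full ASN.1 parsing); anything flagged still needs a human review.
"""
import base64
from datetime import datetime, timezone


def der_tlv(buf: bytes, pos: int):
    """Return (tag, content_offset, length) of the DER TLV at pos, or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or pos + 2 + n > len(buf):
        return None
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def classify_key_blob(blob: bytes) -> str:
    """Classify a decoded keyCredentials.key value by its container shape."""
    text = blob.decode("ascii", errors="ignore")
    if "PRIVATE KEY-----" in text:          # PKCS#1, PKCS#8 or EC PEM private key
        return "pem-private-key"
    if "-----BEGIN CERTIFICATE-----" in text:
        return "pem-certificate"
    outer = der_tlv(blob, 0)
    if outer is None or outer[0] != 0x30:   # every candidate is an outer SEQUENCE
        return "unrecognised"
    inner = der_tlv(blob, outer[1])
    if inner is None:
        return "unrecognised"
    if inner[0] == 0x30:                    # X.509: SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "der-certificate"
    if inner[0] == 0x02:                    # PFX (INTEGER 3), PKCS#8 (INTEGER 0), PKCS#1 key
        return "der-private-material"
    return "unrecognised"


PRIVATE_KINDS = {"pem-private-key", "der-private-material"}


def audit_key_credentials(key_credentials, cutoff: datetime):
    """Return one finding per credential that should be rotated or reviewed."""
    findings = []
    for kc in key_credentials:
        kind = classify_key_blob(base64.b64decode(kc["key"]))
        start = datetime.fromisoformat(kc["startDateTime"].replace("Z", "+00:00"))
        if kind in PRIVATE_KINDS:
            findings.append({"keyId": kc["keyId"], "kind": kind, "action": "rotate"})
        elif start < cutoff:
            # Public certificate, but issued before the cutoff: confirm the
            # private key was never uploaded under an earlier credential.
            findings.append({"keyId": kc["keyId"], "kind": kind, "action": "review-provenance"})
    return findings


# ---- constructed sample data (not real credentials) ----------------------
def der_wrap(tag: int, payload: bytes) -> bytes:
    """Encode payload as a DER TLV with the given tag."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Skeleton X.509: SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING sig }
CERT_BLOB = der_wrap(0x30, der_wrap(0x30, der_wrap(0x02, b"\x02"))
                     + der_wrap(0x30, b"") + der_wrap(0x03, b"\x00"))
# Skeleton PKCS#12 PFX: SEQUENCE { INTEGER 3, SEQUENCE authSafe (OID id-data) }
PFX_BLOB = der_wrap(0x30, der_wrap(0x02, b"\x03")
                    + der_wrap(0x30, der_wrap(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")))
PEM_KEY_BLOB = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

FIX_CUTOFF = datetime(2021, 10, 15, tzinfo=timezone.utc)   # date named in the article


def _cred(key_id, start, blob):
    return {"keyId": key_id, "type": "AsymmetricX509Cert", "usage": "Verify",
            "startDateTime": start, "key": base64.b64encode(blob).decode()}


SAMPLE_KEY_CREDENTIALS = [
    _cred("key-1", "2021-12-01T00:00:00Z", CERT_BLOB),     # new cert: clean
    _cred("key-2", "2021-03-01T00:00:00Z", PFX_BLOB),      # PFX uploaded: private key exposed
    _cred("key-3", "2020-11-20T00:00:00Z", PEM_KEY_BLOB),  # PEM private key: exposed
    _cred("key-4", "2021-06-01T00:00:00Z", CERT_BLOB),     # old cert: check provenance
]

if __name__ == "__main__":
    for finding in audit_key_credentials(SAMPLE_KEY_CREDENTIALS, FIX_CUTOFF):
        print(finding)
```

In a real audit the keyCredentials list would come from the Graph API for each application and service principal; the credentials marked “rotate” are the ones whose stored blob carries private material and whose keys must be regenerated and re-uploaded as public certificates only.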


The keyCredentials vulnerability on Microsoft Azure AD tenants has a HIGH impact and should be patched immediately. Depending on the AD application or service used, Azure administrators will need to rotate the private key data or patch the AD deployments against the CVE-2021-42306 vulnerability. It may be a good idea to schedule a maintenance window for applying the fix to already deployed AD applications and services.


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.