CVE-2022-35798

Published: 21 Jul 2022
Source: msrc
CVSS3: 3.3
EPSS: Low

Description

Azure Arc Jumpstart Information Disclosure Vulnerability

FAQ

What is the nature of this vulnerability?

An information disclosure vulnerability exists in Azure Arc Jumpstart that could allow an authenticated user to view certain credentials and other sensitive information contained in a log file.

What are the circumstances leading to a successful exploitation?

The client virtual machine is protected behind a secured Azure virtual network (VNET) without access from the internet. A potential attacker would first have to compromise the VNET to have network access to the Azure client virtual machine (Azure Arc Jumpstart-Client). There is only one provisioned user on the client virtual machine, and this user’s credentials are protected by a username and password provided by the end-user at deployment time. There are no other “low level” users that have login access to the virtual machine. The only user credential with access to the VM is the one created and supplied by the original Azure Arc Jumpstart end-user. A potential attacker would first need to gain access to that user's login credentials and only then open a remote desktop session (RDP) into the virtual machine.

What information can be disclosed and what is the impact?

The type of information that could be disclosed is information stored in the logs, which could include credentials as well as other sensitive information for the system.

Was any personal information or sensitive customer data exposed as a result of this vulnerability?

The primary use-case for Azure Arc Jumpstart is to provide an automated training and demo environment intended to be used in sandbox Azure subscriptions. ArcBox does not disclose any personal information or sensitive customer data. In the context of the disclosed vulnerability, no customer data was compromised.

How can I protect myself from this vulnerability?

The Azure Arc Jumpstart service principal credential secret has been removed from the log output of the custom script extension and this fix is now live for all Jumpstart scenarios. If you are an existing user, Microsoft recommends rolling your service principal credential secret. If you are new to Azure Arc Jumpstart, there are no actions necessary.
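
To decide whether a deployment made before the fix left the secret in a retained log, the log text can be scanned for it. The following is an added example, not Microsoft's or the Jumpstart project's code: the log format, the parameter names and the secret value are constructed for illustration, and the key-name pattern is a heuristic assumption.

```python
import re

# Heuristic: a key whose name contains secret/password, then '=', ':' or a space, then a value.
# It over-matches on purpose; every hit is a line for a human to review.
CRED_KEY = re.compile(
    r"(?i)(?P<key>[-\w]*(?:secret|password|passwd|pwd)\w*)"
    r"(?P<sep>\s*[=:]\s*|\s+)(?P<val>[^\s'\"]{8,})"
)
MASK = "[REDACTED]"

SAMPLE_SECRET = "c0nstructed~Value.123"  # constructed, not a real credential
# Constructed log excerpt; the real custom script extension log layout may differ.
SAMPLE_LOG = f"""\
2022-05-20 10:01:02 Starting bootstrap
2022-05-20 10:01:03 Parameters: -spnClientId 11111111-2222-3333-4444-555555555555 -spnClientSecret {SAMPLE_SECRET} -location eastus
2022-05-20 10:01:09 az login --service-principal --username 11111111-2222-3333-4444-555555555555 --password={SAMPLE_SECRET} --tenant constructed-tenant
2022-05-20 10:02:00 Done
"""

def scan_log(text, known_secret=None):
    """Return (line_no, reasons, redacted_line) for each line that exposes a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        reasons = []

        def mask(match):
            reasons.append("credential-like key: " + match.group("key"))
            return match.group("key") + match.group("sep") + MASK

        # Redact as we match so the report does not reproduce the leak.
        redacted = CRED_KEY.sub(mask, line)
        # Exact match on the operator-supplied value catches it under any key name.
        if known_secret and known_secret in line:
            reasons.append("known secret value present")
            redacted = redacted.replace(known_secret, MASK)
        if reasons:
            findings.append((line_no, reasons, redacted))
    return findings

if __name__ == "__main__":
    for line_no, reasons, redacted in scan_log(SAMPLE_LOG, SAMPLE_SECRET):
        print(f"line {line_no}: {'; '.join(reasons)}\n    {redacted}")
```

Any finding in a retained log means the service principal secret should be rolled, as recommended above, and the log file itself purged or access-restricted.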

When was the fix for this vulnerability implemented?

The removal of the service principal credential secret from the log was completed on 5/26/2022.

Where can I find more information about Azure Arc Jumpstart?

Please see Announcing Jumpstart ArcBox 2.0 for more information.

According to the CVSS metric, the attack vector is local (AV:L). What does this mean for this vulnerability?

The attacker would already need to be logged into the target Azure Arc Jumpstart client virtual machine to be able to discover the information.

According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L)? What does that mean for this vulnerability?

Successfully exploiting this vulnerability allows an attacker to get access to the information stored in the logs. The disclosed information is scoped to the specific system and does not provide the attacker with any additional privileges.

According to the CVSS metric, privileges required is low (PR:L). What privileges are required?

The attacker would have to be present on the Azure Arc Jumpstart virtual machine as a regular user to be able to exploit this vulnerability.

Exploitability

Publicly Disclosed: No
Exploited: No
DOS: N/A

EPSS: 0.00355 (percentile: 57%), Low

CVSS3: 3.3 Low

Related vulnerabilities

CVSS3: 3.3
nvd
more than 2 years ago

Azure Arc Jumpstart Information Disclosure Vulnerability

CVSS3: 3.3
github
more than 2 years ago

Azure Arc Jumpstart Information Disclosure Vulnerability

CVSS3: 3.3
fstec
more than 3 years ago

Vulnerability in the Azure Arc Jumpstart environment quick-start program related to information disclosure through log files, allowing an attacker to gain unauthorized access to protected information
