Tenable Research has discovered that the Jumpstart environments for Microsoft’s Azure Arc do not properly use the logging utilities common amongst other Azure services. As a result, potentially sensitive information, such as service principal credentials and Arc database credentials, is logged in plaintext. The log files these credentials are written to are readable by any user on the system. Based on this finding, it is possible that other services are affected by a similar issue.
Microsoft’s Azure Arc is a management platform designed to bridge multi-cloud and similarly mixed environments together in a convenient way. The testing environment in which this issue was discovered is the ArcBox Fullbox Jumpstart environment. Normally, provisioning scripts write ***REDACTED*** in place of anything sensitive when writing to a log file. The provisioning script for this host, however, performs no such sanitising.
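As an added illustration, not code from Tenable or the Arc Jumpstart project: a Python provisioning-log writer that applies the ***REDACTED*** substitution described above and creates the log file readable only by its owner, next to the unsafe variant that writes secrets verbatim, plus an audit check a defender can run over a log. Secret values, paths and logger names are constructed placeholders.

```python
import logging
import os
import re
import tempfile

REDACTED = "***REDACTED***"

class RedactingFormatter(logging.Formatter):
    """Replace every known secret value with ***REDACTED*** before a line reaches disk."""
    def __init__(self, secrets, fmt="%(levelname)s %(message)s"):
        super().__init__(fmt)
        self._patterns = [re.compile(re.escape(s)) for s in secrets if s]
    def format(self, record):
        text = super().format(record)  # interpolates %s args first
        for pat in self._patterns:
            text = pat.sub(REDACTED, text)
        return text

def open_private_log(path):
    """Create the log with mode 0600 so other local users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    return os.fdopen(fd, "a", encoding="utf-8")

def provision(log_path, sp_secret, db_password, redact=True):
    """Simulated provisioning step that logs the commands it runs.
    redact=False reproduces the unsafe behaviour: secrets land in the log in plaintext."""
    stream = open_private_log(log_path)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingFormatter([sp_secret, db_password] if redact else []))
    logger = logging.getLogger(f"provision.{id(stream)}")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    logger.info("az login --service-principal -p %s", sp_secret)
    logger.info("Server=arcdb;User=arcadmin;Password=%s", db_password)
    logger.removeHandler(handler)
    handler.close()
    stream.close()

def audit_log(log_path, secrets):
    """Return (world_readable, leaked_secrets) for an existing log file."""
    mode = os.stat(log_path).st_mode & 0o777
    with open(log_path, encoding="utf-8") as f:
        content = f.read()
    return bool(mode & 0o044), [s for s in secrets if s in content]

def run_demo(sp_secret="sp-secret-CONSTRUCTED", db_password="db-pass-CONSTRUCTED"):
    """Write an unsafe and a redacted log with constructed secrets; return both audits."""
    workdir = tempfile.mkdtemp()
    unsafe, safe = os.path.join(workdir, "unsafe.log"), os.path.join(workdir, "safe.log")
    provision(unsafe, sp_secret, db_password, redact=False)
    provision(safe, sp_secret, db_password)
    secrets = [sp_secret, db_password]
    return audit_log(unsafe, secrets), audit_log(safe, secrets)
```

`run_demo()` returns the audit of the unsafe log, which lists both constructed secrets as leaked, and of the redacted log, which reports no leak and a non-world-readable file.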
“The Arc Jumpstart environment is intended to be used as a demo environment, which ideally lessens the impact of the revealed credentials provided that users haven’t reused the service principal elsewhere in their environment,” said James Sebree, Principal Research Engineer at Tenable, who discovered this issue. “That said, it isn’t uncommon for customers to use these types of Jumpstart environments as a starting point to build out their actual production infrastructure. For that reason, it’s worth being aware of this issue in the event that other logging mechanisms exist elsewhere in the Azure ecosystem, which could have more dire consequences if present in a production environment.”
Tenable’s technical blog post published on Medium is available here
Tenable’s advisory, which includes the discovery timeline, is available here