What is the nature of this vulnerability?

An information disclosure vulnerability exists in Azure Arc Jumpstart that could allow an authenticated user to view certain credentials and other sensitive information written to a log file on the client virtual machine.

What are the circumstances leading to a successful exploitation?

The client virtual machine is deployed behind a secured Azure virtual network (VNET) with no access from the internet. A potential attacker would first have to compromise the VNET to obtain network access to the Azure client virtual machine (Azure Arc Jumpstart-Client). There is only one provisioned user on the client virtual machine, and that account is protected by the username and password supplied by the end-user at deployment time. There are no other "low level" users with login access to the virtual machine; the only credential with access to the VM is the one created and supplied by the original Azure Arc Jumpstart end-user. A potential attacker would therefore need to obtain that user's login credentials and only then open a remote desktop (RDP) session to the virtual machine before the log file could be read.

What information can be disclosed and what is the impact?

The information that could be disclosed is whatever was stored in the logs, which could include credentials (specifically, the service principal secret used during deployment) as well as other sensitive information about the system.

Was any personal information or sensitive customer data exposed as a result of this vulnerability?

The primary use-case for Azure Arc Jumpstart is to provide an automated training and demo environment intended to be used in sandbox Azure subscriptions. ArcBox does not disclose any personal information or sensitive customer data. In the context of the disclosed vulnerability, no customer data was compromised.

How can I protect myself from this vulnerability?

The Azure Arc Jumpstart service principal credential secret has been removed from the log output of the custom script extension, and this fix is now live for all Jumpstart scenarios. If you are an
Jimi Sebree with <a href="https://tenable.com/">Tenable</a>
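The root cause described above is a deployment script echoing a service principal secret into output that the custom script extension persists to a log file. The following PowerShell is an added example, not code from Azure Arc Jumpstart or ArcBox, showing the leaky logging pattern beside a redacting alternative, plus a check an existing deployment's owner can run on the client VM to see whether a log still contains a given secret value. All names, the log path and the sample secret are constructed for the demonstration and are not taken from the advisory.

```powershell
# Added example (not Azure Arc Jumpstart / ArcBox code).
# Assumptions: the secret is available in a variable ($SpnSecret); a temp file stands in
# for the custom script extension log. Function and variable names are illustrative.

$RedactionMarker = '***REDACTED***'

# Replace every occurrence of each secret in a line with a marker before it is written out.
function Protect-LogLine {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Line,
        [Parameter(Mandatory)][string[]]$Secrets
    )
    foreach ($s in $Secrets) {
        if (-not [string]::IsNullOrWhiteSpace($s)) {
            $Line = $Line.Replace($s, $RedactionMarker)
        }
    }
    return $Line
}

# Leaky pattern: the full command line, secret included, is echoed to stdout, and the
# extension captures stdout into a log file on the VM.
function Invoke-LeakyLogin {
    param([string]$AppId, [string]$SpnSecret, [string]$TenantId)
    $cmd = "az login --service-principal -u $AppId -p $SpnSecret --tenant $TenantId"
    Write-Output "Running: $cmd"   # secret now sits in the log
}

# Hardened pattern: only non-sensitive fields are logged, and whatever is logged still
# passes through Protect-LogLine as a second line of defence.
function Invoke-SafeLogin {
    param([string]$AppId, [string]$SpnSecret, [string]$TenantId)
    $msg = "Running: az login --service-principal -u $AppId --tenant $TenantId (secret not logged)"
    Write-Output (Protect-LogLine -Line $msg -Secrets @($SpnSecret))
    # The real login call would read $SpnSecret directly here rather than interpolating
    # it into a string that is echoed.
}

# Check: does an existing log file contain a literal secret value? Returns matches.
function Find-SecretInLog {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Secrets
    )
    $hits = @(foreach ($s in $Secrets) {
        if (-not [string]::IsNullOrWhiteSpace($s)) {
            Select-String -Path $Path -SimpleMatch -Pattern $s
        }
    })
    return $hits
}

# --- Constructed demonstration data (not real identifiers) ---
$appId   = '00000000-0000-0000-0000-000000000000'
$secret  = 'constructed-secret-value-NOT-real'
$tenant  = '11111111-1111-1111-1111-111111111111'
$logPath = Join-Path $env:TEMP 'arcbox-demo-extension.log'

# Simulate both scripts writing to the extension log.
Invoke-LeakyLogin -AppId $appId -SpnSecret $secret -TenantId $tenant | Set-Content -Path $logPath
Invoke-SafeLogin  -AppId $appId -SpnSecret $secret -TenantId $tenant | Add-Content -Path $logPath

# Audit the log; only the leaky line should match.
$leaks = Find-SecretInLog -Path $logPath -Secrets @($secret)
if ($leaks.Count -gt 0) {
    Write-Warning "$($leaks.Count) line(s) in $logPath contain the secret:"
    $leaks | ForEach-Object {
        Write-Warning ("  line {0}: {1}" -f $_.LineNumber, (Protect-LogLine -Line $_.Line -Secrets @($secret)))
    }
} else {
    Write-Output "No secret found in $logPath"
}
Remove-Item $logPath -ErrorAction SilentlyContinue
```

On a real client VM you would point Find-SecretInLog at the custom script extension's output directory instead of the temp file, and treat any hit as a reason to rotate the service principal secret, since the log may already have been read by anyone holding the VM's single user credential.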