Microsoft Security Response Center Blog

Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs

Wednesday, November 17, 2021

Microsoft recently mitigated an information disclosure issue, CVE-2021-42306, to prevent private key data from being stored by some Azure services in the keyCredentialsproperty of an Azure Active Directory (Azure AD) Applicationand/or Service Principal, and prevent reading of private key data previously stored in the keyCredentials property. The keyCredentials property is used to configure an application’s authentication credentials.

BlueHat is Back!

Thursday, November 11, 2021

After a short hiatus, BlueHat is coming back with a vengeance! And we’ve got big plans for the entire researcher community. But first, I must apologize. It’s been a while since you have heard from us. We didn’t have BlueHat 2020 or 2021, and we know that was disappointing. It was partly due to the pandemic, where our priority was simply keeping everyone safe.

We’re Excited to Announce the Launch of Comms Hub!

Monday, October 25, 2021

We are excited to announce the launch of Comms Hub to the Researcher Portal submission experience! With this launch, security researchers will be able to streamline communication with MSRC case SPMs (case managers), attach additional files, track case and bug bounty status all in the Researcher Portal. Summary – What is Comms Hub?

• Report Vulnerability
• Researcher Portal

New High Impact Scenarios and Awards for the Azure Bounty Program

Monday, October 18, 2021

Microsoft is excited to announce new Azure Bounty Program awards up to $60,000 to encourage and reward vulnerability research focused on the highest potential impact to customer security. These increased awards are a part of our ongoing investment in partnership with the security research community, and an important part of Microsoft’s holistic approach to defending against security threats.

• Azure
• Bounty
• Community-based Defense
• Security
• Security Research

Congratulations to the Top MSRC 2021 Q3 Security Researchers!

Thursday, October 14, 2021

Congratulations to all the researchers recognized in this quarter’s MSRC Researcher Recognition Program leaderboard! Thank you to everyone for your hard work and continued partnership to secure customers. The top three researchers of the 2021 Q3 Security Researcher Leaderboard are: BugHunter010 (840

• Community-based Defense
• Coordinated Vulnerability Disclosure
• Researcher Recognition
• Security Researcher

Power Platform is Here! Introducing the Dynamics 365 and Power Platform Bug Bounty Program

Wednesday, October 13, 2021

Microsoft is excited to announce the addition of Power Platform to the newly rebranded Dynamics 365 and Power Platform Bounty Program. Through this expanded program, we encourage researchers to discover and report high impact security vulnerabilities they may find in the new Power Platform scope to help protect customers. We offer awards up to $20,000 USD for eligible submissions.

• Bounty
• Community-based Defense
• Security
• Security Research

Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

Thursday, September 16, 2021

Last updated on October 5, 2021: See revision history located at the end of the post for changes. On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.

Coordinated disclosure of vulnerability in Azure Container Instances Service

Wednesday, September 08, 2021

Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances (ACI) that could potentially allow a user to access other customers’ information in the ACI service. Our investigation surfaced no unauthorized access to customer data. Out of an abundance of caution we notified customers with containers running on the same clusters as the researchers via Service Health Notifications in the Azure Portal.

• Azure

Update on the vulnerability in the Azure Cosmos DB Jupyter Notebook Feature

Friday, August 27, 2021

On August 12, 2021, a security researcher reported a vulnerability in the Azure Cosmos DB Jupyter Notebook feature that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. We mitigated the vulnerability immediately. Our investigation indicates that no customer data was accessed because of this vulnerability by third parties or security researchers.

• Azure

Announcing the Launch of the Azure SSRF Security Research Challenge

Thursday, August 19, 2021

Microsoft is excited to announce the launch of a new, three-month security research challenge under the Azure Security Lab initiative. The Azure Server-Side Request Forgery (SSRF) Research Challenge invites security researchers to discover and share high impact SSRF vulnerabilities in Microsoft Azure. Qualified submissions are eligible for bounty rewards up to $60,000 USD, with additional awards for identifying innovative or novel attack patterns.

• Azure
• Azure Security Lab
• Bounty
• Community-based Defense
• Coordinated Vulnerability Disclosure
• Security
• Security Research