Security Issue with az desktopvirtualization using old API which is exposing the registrationtoken to users who don't have permission to view it #4580

@ghost

Description

Extension name (the extension in question)

desktopvirtualization

Description of issue (in as much detail as possible)

az desktopvirtualization hostpool list is using an old API version: api-version=2019-12-10-preview

So a user who does not have permission to read the HostPool registration token can easily expose it from the az cli.

Risk

Users are able to steal the token and can register any machine they want to the HostPool

Detail of the issue

As you can see, I can view the token, even when I don't have access to see this on the Portal. I can use this token to register any machine.

 "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkZDMTBFOUQzNUQ4MEFCMjQyMTM2MTJBMDIwQjA3Q0U2Q0UxODRGMDAiLCJ0eXAiOiJKV1Qi"  

I have altered the token here in the example for security reasons, of course.

PS C:\Users\azcli> az desktopvirtualization hostpool list
[
 {
   "applicationGroupReferences": [
     "/subscriptions/0000000000000000000000000000000000/resourcegroups/rg-avd-ddg-XXXXXX-tst-weu-test/providers/Microsoft.DesktopVirtualization/applicationgroups/ag-avd-ddg-XXXXXX-tst-weu-test"
   ],
   "customRdpProperty": "enablecredsspsupport:i:1;authentication level:i:0;audiomode:i:0;videoplaybackmode:i:1;",
   "description": "",
   "friendlyName": "",
   "hostPoolType": "Personal",
   "id": "/subscriptions/0000000000000000000000000000000000/resourcegroups/rg-avd-ddg-XXXXXX-tst-weu-test/providers/Microsoft.DesktopVirtualization/hostpools/hp-avd-ddg-XXXXXX-tst-weu-test",
   "kind": null,
   "loadBalancerType": "Persistent",
   "location": "westeurope",
   "maxSessionLimit": 999999,
   "name": "hp-avd-ddg-XXXXXX-tst-weu-test",
   "personalDesktopAssignmentType": "Direct",
   "registrationInfo": {
     "expirationTime": "2022-04-04T15:22:57.687747+00:00",
     "registrationTokenOperation": "None",
     "resetToken": false,
     "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IkZDMTBFOUQzNUQ4MEFCMjQyMTM2MTJBMDIwQjA3Q0U2Q0UxODRGMDAiLCJ0eXAiOiJKV1Qi"
   },
   "resourceGroup": "rg-avd-ddg-XXXXXX-tst-weu-test",
   "ring": null,
   "ssoContext": null,
   "systemData": {
     "createdAt": "2022-03-04T13:53:30.97Z",
     "createdBy": "0000000000000000000000000000000000",
     "createdByType": "Application",
     "lastModifiedAt": "2022-03-16T13:37:32.57Z",
     "lastModifiedBy": "0000000000000000000000000000000000",
     "lastModifiedByType": "Application"
   },
   "type": "Microsoft.DesktopVirtualization/hostpools",
   "validationEnvironment": false,
   "vmTemplate": null
 }

]

Mitigation

Remove use of the old API "2019-12-10-preview"; instead use the latest API "api-version=2021-07-12", which does not have this issue.
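A check a host pool owner could run over `az desktopvirtualization hostpool list` output captured under a low-privileged identity, to see which pools still return a registration token and whether it has expired. This is an added example, not part of the original issue or of the Azure CLI code; the sample JSON, pool names and token are constructed, and the function names are hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the `hostpool list` output above
# (pool names and token are made up; not values from the issue).
SAMPLE_OUTPUT = """
[
  {"name": "hp-example-a",
   "registrationInfo": {"expirationTime": "2022-04-04T15:22:57.687747+00:00",
                        "registrationTokenOperation": "None",
                        "token": "CONSTRUCTED.PLACEHOLDER.TOKEN"}},
  {"name": "hp-example-b",
   "registrationInfo": {"expirationTime": null,
                        "registrationTokenOperation": "None",
                        "token": null}},
  {"name": "hp-example-c", "registrationInfo": null}
]
"""

def redact(token, keep=6):
    """Shorten a token so findings can be logged without leaking it again."""
    return token[:keep] + "...(" + str(len(token)) + " chars)"

def parse_expiry(value):
    """Return an aware datetime, or None if the value is missing or unparseable."""
    try:
        parsed = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def find_exposed_tokens(cli_json, now=None):
    """List host pools whose registration token appears in the CLI output."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for pool in json.loads(cli_json):
        info = pool.get("registrationInfo") or {}
        token = info.get("token")
        if not token:
            continue
        expiry = parse_expiry(info.get("expirationTime"))
        # Unknown expiry is treated as usable, the conservative choice.
        usable = expiry is None or expiry > now
        findings.append({"hostPool": pool.get("name"),
                         "token": redact(token), "usable": usable})
    return findings

if __name__ == "__main__":
    for finding in find_exposed_tokens(SAMPLE_OUTPUT):
        print(finding)
```

Any finding for an identity that should not be able to read the token means the output is still leaking it; a finding with `usable` set to true is the case where the token should be rotated.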
