Azure Attested metadata usage and certificate verification

Azure Partner 21 Reputation points
2022-06-07T10:57:29.1+00:00

Hello, with regard to the announcement "Azure Instance Metadata Service-Attested data TLS: Critical changes are here!"

we do use Azure Attested data in our application, but, to the best of my knowledge, we don't use certificate pinning. However, we use Attested data to verify that the Azure VM is running properly on the Azure platform:

   # Get the signature
   curl --silent -H Metadata:True --noproxy "*" "http://169.254.169.254/metadata/attested/document?api-version=2019-04-30" | jq -r '.["signature"]' > signature
   # Decode the signature (base64 text -> DER-encoded PKCS7)
   base64 -d signature > decodedsignature
   # Get PKCS7 format (written as PEM, which is what the smime verify step below reads)
   openssl pkcs7 -in decodedsignature -inform DER -out sign.pk7
   # Get the signer certificate out of the PKCS7
   openssl pkcs7 -in decodedsignature -inform DER -print_certs -out signer.pem
   # Get the intermediate certificate from the signer's AIA ("CA Issuers") URL
   curl -s -o intermediate.cer "$(openssl x509 -in signer.pem -text -noout | grep " CA Issuers -" | awk -FURI: '{print $2}')"
   openssl x509 -inform der -in intermediate.cer -out intermediate.pem
   # Verify the contents: -noverify checks the signature against the embedded
   # signer certificate only and does not validate the certificate chain
   openssl smime -verify -in sign.pk7 -inform pem -noverify
   # Verify that the signer chains to a trusted root through the downloaded
   # intermediate (trust-store path is distro-specific; no intermediate is pinned)
   openssl verify -verbose -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted intermediate.pem signer.pem

as shown on this page

In my opinion this shouldn't be affected by your changes, but I wanted to be sure I hadn't missed something. So can you please confirm it is OK?
Thank you in advance

Andrea Castello
Scientiamobile Inc.


Accepted answer
  1. Prrudram-MSFT 10,616 Reputation points Microsoft Employee
    2022-06-07T19:23:47.41+00:00

    Hello @Azure Partner ,

    Thank you for reaching out to the Microsoft Q&A platform. Happy to answer your question.

    Customers who explicitly specify a list of acceptable CAs (a practice known as "certificate pinning") in Azure Instance Metadata Service attested data are impacted. Hence, you will not be impacted, as you confirm that you have not pinned certs to any intermediate CA certs.

    How do I know whether my applications are impacted?
    If any client application has pinned to an Intermediate CA rather than the Baltimore CyberTrust Root, immediate action is required to prevent disruption in the services which rely on Azure Instance metadata service.

    If you have an application that integrates with Azure services, or if you get your VM images from Azure marketplace, and you are unsure if it uses certificate pinning with Azure Instance Metadata Service Attested data, check with the application/image owner.

    For more details, you can refer to this thread https://learn.microsoft.com/en-us/answers/questions/878907/azure-instance-metadata-service-attested-data-cert.html

    **If you are satisfied with the answer, please "Accept as Answer" and Upvote, so that you can help others in the community looking for remediation for similar issues.**

