
Unrestricted access between network segments - Azure AD

Need

Restrict access to Azure Active Directory Graph API services to authorized network segments

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of azurerm for managing resources in Microsoft Azure
  • Usage of Azure AD for authentication and authorization in Node.js applications

Description

Non compliant code

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# The azuread resources below use the 1.x attribute names of the azuread provider.
resource "azuread_application" "example" {
  name                       = "example-app"
  homepage                   = "https://homepage"
  identifier_uris            = ["https://uri"]
  reply_urls                 = ["https://replyurl"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true   # enables the deprecated OAuth 2.0 implicit grant flow
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id
  value                = "example_password"   # credential hardcoded in source
  end_date             = "2020-01-01T01:02:03Z"
}

This Terraform script creates an Azure Active Directory application and a service principal associated with it. The service principal is granted a password, which is hardcoded as "example_password".

The main vulnerability here lies in the unrestricted access to the Azure AD Graph API services. The service can be accessed from anywhere on the Internet, and the URL of the service and the credentials are found in the application code.

This is a serious security concern because anyone who gains access to this code can potentially access and manipulate the Azure AD Graph API services. The hardcoded credentials (in this case, the service principal password) make the system even more vulnerable to unauthorized access and potential data breaches.

Moreover, the available_to_other_tenants attribute is set to false, which means the application is available to users in any Azure AD tenant, not just the one where it's registered. This could potentially allow unauthorized users to access the application.

Finally, the oauth2_allow_implicit_flow attribute is set to true, which enables the OAuth 2.0 implicit grant flow. This flow allows the application to obtain an access token directly from the Azure AD authorization endpoint, without needing to authenticate first. This could potentially allow an attacker to impersonate a legitimate user and gain unauthorized access to the application.

Steps

    1. Remove the 'oauth2_allow_implicit_flow' attribute from the 'azuread_application' resource.
    2. Configure Conditional Access policies in Azure Active Directory to restrict access to the Azure AD Graph API services.
    3. Follow Azure documentation to establish trusted locations for accessing the Azure AD Graph API services.
    4. Avoid hardcoding sensitive information, such as credentials, in the application code.
    5. Regularly review and update the access control configurations for the Azure AD Graph API services.

Compliant code

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# The secret is supplied at plan/apply time (for example through the
# TF_VAR_service_principal_password environment variable or a -var-file kept out
# of version control); `sensitive = true` keeps it out of plan and apply output.
variable "service_principal_password" {
  type      = string
  sensitive = true
}

resource "azuread_application" "example" {
  name                       = "example-app"
  homepage                   = "https://homepage"
  identifier_uris            = ["https://uri"]
  reply_urls                 = ["https://replyurl"]
  available_to_other_tenants = false
  # oauth2_allow_implicit_flow is omitted; it defaults to false, so the implicit grant stays disabled
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id
  value                = var.service_principal_password   # no longer hardcoded
  end_date             = "2020-01-01T01:02:03Z"
}

The updated code removes the 'oauth2_allow_implicit_flow' attribute from the 'azuread_application' resource. This attribute was allowing the application to use the OAuth 2.0 implicit flow, which is less secure and has been deprecated.

The 'azuread_service_principal_password' resource now references a variable for the password value instead of hardcoding it. This is a more secure practice as it prevents sensitive information from being exposed in the code. The actual password can be provided as a variable when running Terraform.

Please note that this code update alone is not enough to fully address the vulnerability. Additional steps need to be taken outside of the code:

  1. Configure Conditional Access policies in Azure Active Directory to restrict access to the Azure AD Graph API services. This can be done in the Azure portal.

  2. Establish trusted locations for accessing the Azure AD Graph API services. This can be done by following the Azure documentation.

  3. Regularly review and update the access control configurations for the Azure AD Graph API services to ensure they are still appropriate and secure.
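The trusted location and Conditional Access policy from steps 1 and 2 above can also be managed in Terraform rather than only in the Azure portal. The following is an added example, not code from the original page: it assumes the azuread provider 2.x (whose `azuread_named_location` and `azuread_conditional_access_policy` resources are used here), an existing app registration with the display name "example-app", a placeholder IP range from the RFC 5737 documentation block, and a tenant licensed for Conditional Access (Azure AD Premium P1). The resource names `office` and `restrict_example_app` and the variable `trusted_ip_ranges` are assumptions.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

provider "azuread" {}

# Network segments allowed to sign in to the application.
# The default is a placeholder documentation range; replace it with your own CIDRs.
variable "trusted_ip_ranges" {
  type    = list(string)
  default = ["203.0.113.0/24"]
}

# The application registered by the page's compliant code, looked up by name
# (assumed to already exist in the tenant).
data "azuread_application" "example" {
  display_name = "example-app"
}

# Step 2: a trusted named location built from the allowed segments.
resource "azuread_named_location" "office" {
  display_name = "example-app trusted segments"

  ip {
    ip_ranges_or_fqdns = var.trusted_ip_ranges
    trusted            = true
  }
}

# Step 1: block every sign-in to the application that does not originate
# from the trusted named location.
resource "azuread_conditional_access_policy" "restrict_example_app" {
  display_name = "example-app: trusted locations only"

  # Report-only first: the policy is evaluated and logged but not enforced,
  # so the sign-in logs can be reviewed before switching state to "enabled".
  state = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = [data.azuread_application.example.application_id]
    }

    users {
      included_users = ["All"]
    }

    locations {
      included_locations = ["All"]
      excluded_locations = [azuread_named_location.office.id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}
```

Run `terraform plan` and `terraform apply` with the real CIDR list, leave the policy in report-only mode while checking the Azure AD sign-in logs for sign-ins that would have been blocked, and only then change `state` to "enabled". Before enforcing, add an emergency-access account to `excluded_users` so that a misconfigured location cannot lock administrators out of the tenant; reviewing that exclusion list and the named location's ranges is part of the regular review in step 3.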
