
Authentication mechanism absence or evasion - Azure

Description

The system has flaws in its authentication mechanisms, or has been configured with an authentication mechanism that can be bypassed.

Impact

  • Leave the organization exposed to stealthy brute-force attacks against user accounts.
  • Allow fraudulent attempts to gain access to user accounts.

Recommendation

  • Require users to register multiple authentication methods and enforce multi-factor authentication.
  • Enable the Azure AD multi-factor authentication fraud alert so users can report sign-in prompts they did not initiate.
  • Configure account lockout thresholds and send notifications when lockouts occur.

Threat

Anonymous attacker from the Internet who has obtained valid credentials.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 5.3
    • Temporal: 4.8
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The Azure resources below have a secure authentication mechanism configured: built-in App Service authentication is enabled, traffic is forced over HTTPS, and the app service additionally requires a client certificate.

resource "azurerm_app_service" "not_vulnerable" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  # Reject plain HTTP so credentials and tokens never travel in clear text
  https_only = true

  # Require mutual TLS: every caller must present a client certificate
  client_cert_enabled = true

  logs {
    failed_request_tracing_enabled  = true
    detailed_error_messages_enabled = true
  }

  # Built-in App Service authentication (Easy Auth). In a real deployment an
  # identity provider block (e.g. active_directory) and
  # unauthenticated_client_action = "RedirectToLoginPage" are set alongside it
  # so anonymous requests are never passed through to the application.
  auth_settings {
    enabled = true
  }
}

resource "azurerm_function_app" "not_vulnerable" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  # Reject plain HTTP
  https_only = true
  os_type    = "linux"
  version    = "~3"

  # Built-in authentication in front of every function endpoint
  auth_settings {
    enabled = true
  }
}

Non compliant code

The authentication mechanism of the Azure resource can be bypassed because of a wrong configuration: the app service does not require client certificates (client_cert_enabled = false), so the mutual TLS check is absent and a caller holding stolen credentials alone can reach the application.

resource "azurerm_app_service" "vulnerable" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id

  https_only = true

  # Weak setting: no client certificate is required, so the only barrier
  # is the credential-based provider configured in auth_settings
  client_cert_enabled = false

  logs {
    failed_request_tracing_enabled  = true
    detailed_error_messages_enabled = true
  }

  auth_settings {
    enabled = true
  }
}

The resource below has no authentication settings at all: the auth_settings block is missing, so every function endpoint is reachable without authenticating.

resource "azurerm_function_app" "vulnerable" {
  name                       = "test-azure-functions"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  app_service_plan_id        = azurerm_app_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key

  https_only = true
  os_type    = "linux"
  version    = "~3"

  # Missing: auth_settings { enabled = true }
}
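The two non-compliant patterns above (a missing or disabled auth_settings block, and an app service that does not require client certificates) can be caught before deployment by checking the plan that Terraform is about to apply. The following is an added example, not code from the original page or from any vendor scanner: it walks the JSON that `terraform show -json <planfile>` produces, looks at every azurerm_app_service and azurerm_function_app resource (including those in child modules), and reports the same three conditions the compliant examples rely on. The PLAN_JSON embedded below is a constructed, trimmed stand-in for real plan output whose resources mirror the page's examples; the plan file name and the finding wording are assumptions of this example.

```python
"""
Added example (not from the original page): audit a `terraform show -json`
plan for Azure App Service / Function App resources whose authentication
is absent or can be bypassed.

Rules mirror the page's compliant/non-compliant examples:
  * auth_settings must be present and enabled
  * https_only must be true
  * client_cert_enabled must be true (azurerm_app_service only; the
    function app resource has no such attribute)
"""
import json

CHECKED_TYPES = {"azurerm_app_service", "azurerm_function_app"}

# Constructed sample plan. The shape follows terraform's plan JSON
# (planned_values.root_module.resources[].values); attribute values are
# trimmed to the ones the checks need.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "azurerm_app_service.not_vulnerable",
         "type": "azurerm_app_service",
         "values": {"https_only": True, "client_cert_enabled": True,
                    "auth_settings": [{"enabled": True}]}},
        {"address": "azurerm_app_service.vulnerable",
         "type": "azurerm_app_service",
         "values": {"https_only": True, "client_cert_enabled": False,
                    "auth_settings": [{"enabled": True}]}},
        {"address": "azurerm_function_app.vulnerable",
         "type": "azurerm_function_app",
         "values": {"https_only": True, "os_type": "linux",
                    "auth_settings": []}},
        {"address": "azurerm_storage_account.example",
         "type": "azurerm_storage_account",
         "values": {"name": "example"}},
    ]}},
})


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_resource(res):
    """Return a list of finding strings for one planned resource."""
    findings = []
    values = res.get("values") or {}
    address = res["address"]

    if not values.get("https_only"):
        findings.append(f"{address}: https_only is not true")

    # Nested blocks are rendered as lists in plan JSON; an absent block is [].
    auth = values.get("auth_settings") or []
    if not auth or not auth[0].get("enabled"):
        findings.append(f"{address}: auth_settings missing or disabled")

    if res["type"] == "azurerm_app_service" and not values.get("client_cert_enabled"):
        findings.append(f"{address}: client_cert_enabled is false")

    return findings


def audit_plan(plan_json):
    """Parse plan JSON text and return findings for all checked resource types."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") in CHECKED_TYPES:
            findings.extend(check_resource(res))
    return findings


if __name__ == "__main__":
    # Real usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json
    # then pass the file contents to audit_plan() and fail the pipeline on any finding.
    for finding in audit_plan(PLAN_JSON):
        print(finding)
```

Run against the constructed plan, the audit reports exactly the two non-compliant resources from the page (the app service without client certificates and the function app without auth_settings) and stays silent on the compliant ones and on unrelated resource types. Wiring it into CI on the plan file, rather than on the HCL source, means the check also sees values that come from variables and modules.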

Requirements