Skip to main content

Insecure service configuration - Container level access policy

Description

Container level policy is not set when generating a service Shared Access Signature (SAS). A container-level access policy can be modified or revoked at any time. It provides greater flexibility and control over the permissions that are granted

Impact

Create IDORs, excessive privileges, or broken authentication vulnerabilities

Recommendation

Specify a valid group policy identifier when generating the service SAS.

Threat

Authenticated attacker from the Internet

Expected Remediation Time

⌚ 50 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code madurity: U
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:R
  • Score:
    • Base: 4.2
    • Temporal: 3.5
  • Severity:
    • Base: Medium
    • Temporal: Low

Code Examples

Compliant code

The service SAS is correctly configured with a group policy

var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();

var blobContainer = blobClient.GetContainerReference(containerName);
blobContainer.CreateIfNotExists();

var storedPolicy = new SharedAccessPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read |
SharedAccessBlobPermissions.Write |
SharedAccessBlobPermissions.List
AccessPolicy = groupPolicy();
};

//Define access permissions before generating the key
var permissions = blobContainer.GetPermissions();
permissions.SharedAccessPolicies.Clear();
permissions.SharedAccessPolicies.Add(policyName, storedPolicy);
blobContainer.SetPermissions(permissions);

var containerSignature = blobContainer.GetSharedAccessSignature(null, policyName);
var uri = blobContainer.Uri + containerSignature;

Non compliant code

The service SAS does not specify any group policy identifier

var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();

var blobContainer = blobClient.GetContainerReference(containerName);
blobContainer.CreateIfNotExists();

var storedPolicy = new SharedAccessPolicy()
{
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read |
SharedAccessBlobPermissions.Write |
SharedAccessBlobPermissions.List
AccessPolicy = defaultPolicy();
};
//Generate SAS
var containerSignature = blobContainer.GetSharedAccessSignature(null, policyName);
var uri = blobContainer.Uri + containerSignature;

Requirements