Insecure service configuration - Container level access policy

Insecure service configuration - Container level access policy

Description

Container level policy is not set when generating a service Shared Access Signature (SAS). A container-level access policy can be modified or revoked at any time. It provides greater flexibility and control over the permissions that are granted

Impact

Create IDORs, excessive privileges, or broken authentication vulnerabilities

Recommendation

Specify a valid group policy identifier when generating the service SAS.

Threat

Authenticated attacker from the Internet

Expected Remediation Time

⌚ 50 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the src.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: U
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:R
  • Score:
    • Base: 4.2
    • Temporal: 3.5
  • Severity:
    • Base: Medium
    • Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: L
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: U

Result 4.0

  • Vector string: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
  • Score:
    • CVSS-BT: 0.6
  • Severity:
    • CVSS-BT: Low

Compliant code

The service SAS is correctly configured with a group policy

                var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();

var blobContainer = blobClient.GetContainerReference(containerName); blobContainer.CreateIfNotExists();

var storedPolicy = new SharedAccessPolicy() { SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10), Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List AccessPolicy = groupPolicy(); };

//Define access permissions before generating the key var permissions = blobContainer.GetPermissions(); permissions.SharedAccessPolicies.Clear(); permissions.SharedAccessPolicies.Add(policyName, storedPolicy); blobContainer.SetPermissions(permissions);

var containerSignature = blobContainer.GetSharedAccessSignature(null, policyName); var uri = blobContainer.Uri + containerSignature;

Non compliant code

The service SAS does not specify any group policy identifier

                var storageAccount = CloudStorageAccount.Parse(connectionString);
var blobClient = storageAccount.CreateCloudBlobClient();

var blobContainer = blobClient.GetContainerReference(containerName); blobContainer.CreateIfNotExists();

var storedPolicy = new SharedAccessPolicy() { SharedAccessExpiryTime = DateTime.UtcNow.AddHours(10), Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List AccessPolicy = defaultPolicy(); }; //Generate SAS var containerSignature = blobContainer.GetSharedAccessSignature(null, policyName); var uri = blobContainer.Uri + containerSignature;

Requirements

Fixes

Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.