
False negatives for Azure 'Key Vault Role Based Access Control Disabled' rule #1607

Closed
rieck-srlabs opened this issue Feb 27, 2024 · 1 comment
Labels
bug Something isn't working potential Unconfirmed issue

Comments

@rieck-srlabs (Contributor) commented:

Describe the bug

ScoutSuite's 'Key Vault Role Based Access Control Disabled' rule fails to flag certain Key Vaults that are using the Vault access policy permission model.

The problem arises because the enableRbacAuthorization field can be true, false, or null, while ScoutSuite does not handle the null case appropriately.

The code sets the rbac_authorization_enabled flag to None if the API returns null:

    vault['public_access_allowed'] = self._is_public_access_allowed(raw_vault)
    vault['rbac_authorization_enabled'] = raw_vault.properties.enable_rbac_authorization
    return vault['id'], vault

However, the rule matches for false only:

    "conditions": [
        "and",
        [
            "keyvault.subscriptions.id.vaults.id.rbac_authorization_enabled",
            "false",
            ""
        ]
    ],

To Reproduce

Prepare environment: Create a Key Vault via the az CLI utility as follows:

    # Note: Choose a unique name here
    $ az keyvault create --resource-group 'key-vault-tests' --name 'key-vault-2fg28f22'

This sets enableRbacAuthorization = null:

    $ az keyvault show --name 'key-vault-2fg28f22' | jq '.properties.enableRbacAuthorization'
    null

The resulting Key Vault uses Vault access policy as its permission model, as can be seen in the following screenshot:

[Screenshot 2024-02-26 at 16 55 01: image not included]

Execute ScoutSuite: Run ScoutSuite with the default parameters:

    $ scout azure --cli

The results do not flag the key vault 'key-vault-2fg28f22':

[Screenshot 2024-02-26 at 16 58 18: image not included]

Additional context

n/a
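To make the false negative concrete, here is an added example (not ScoutSuite's own code) that models the three-valued enableRbacAuthorization field with constructed sample vaults, runs a stand-in for the quoted rule condition over them, and shows how normalising null to False before the rule runs closes the gap. The `make_raw_vault`, `parse_vault_*`, `normalize_rbac_flag`, `rule_rbac_disabled` and `flagged_vault_ids` helpers are hypothetical names for this illustration; the evaluator is a minimal stand-in, not ScoutSuite's rule engine.

```python
# Added example, not ScoutSuite's code: a minimal model of the nullable
# enableRbacAuthorization field beside a rule that matches False only,
# and the normalisation that makes a null value count as "RBAC disabled".
from types import SimpleNamespace


def make_raw_vault(vault_id, enable_rbac_authorization):
    """Construct a stand-in for the SDK object the issue's parser reads
    (constructed sample data shaped like raw_vault.properties.enable_rbac_authorization)."""
    return SimpleNamespace(
        id=vault_id,
        properties=SimpleNamespace(enable_rbac_authorization=enable_rbac_authorization),
    )


def parse_vault_as_reported(raw_vault):
    """Copy the flag through unchanged, as the snippet in the issue does:
    True, False or None all survive into the finding model."""
    return {
        "id": raw_vault.id,
        "rbac_authorization_enabled": raw_vault.properties.enable_rbac_authorization,
    }


def normalize_rbac_flag(raw_value):
    """Collapse the nullable Azure field into a strict bool.

    As the issue's reproduction shows, a null value means the vault still
    uses the Vault access policy model, so None must map to False.
    """
    return raw_value is True


def parse_vault_normalized(raw_vault):
    """Same parser with the null case folded into 'disabled'."""
    return {
        "id": raw_vault.id,
        "rbac_authorization_enabled": normalize_rbac_flag(
            raw_vault.properties.enable_rbac_authorization
        ),
    }


def rule_rbac_disabled(vault):
    """Stand-in for the rule condition quoted in the issue: it fires only
    when the stored value is exactly False (hypothetical evaluator)."""
    return vault["rbac_authorization_enabled"] is False


def flagged_vault_ids(raw_vaults, parser):
    """Parse every vault with the given parser, run the rule, and return
    the ids it flags in sorted order."""
    return sorted(v["id"] for v in map(parser, raw_vaults) if rule_rbac_disabled(v))


# Constructed sample: one vault per value the API can return.
SAMPLE_VAULTS = [
    make_raw_vault("kv-rbac-true", True),
    make_raw_vault("kv-rbac-false", False),
    make_raw_vault("kv-rbac-null", None),  # what a default `az keyvault create` yields
]

if __name__ == "__main__":
    # The as-reported parser misses kv-rbac-null; the normalised one flags it.
    print("as reported:", flagged_vault_ids(SAMPLE_VAULTS, parse_vault_as_reported))
    print("normalized: ", flagged_vault_ids(SAMPLE_VAULTS, parse_vault_normalized))
```

Normalising at parse time rather than widening the rule condition keeps every downstream rule that reads rbac_authorization_enabled honest about the two-valued question it is actually asking, and it is the kind of check worth adding for any nullable boolean a cloud API exposes.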

@rieck-srlabs rieck-srlabs added bug Something isn't working potential Unconfirmed issue labels Feb 27, 2024
@rieck-srlabs (Contributor, Author) commented:

Closing issue, as the fix was merged and is included in the latest release.
