Cleartext transmission of Terraform state snapshots when using Azure backend with certain SAS tokens

High
teamterraform published GHSA-4rvg-555h-r626 Dec 2, 2019

Package

No package listed

Affected versions

< 0.12.17

Patched versions

0.12.17

Description

Impact

When using the Azure backend with a shared access signature (SAS), Terraform transmits the token itself and the state snapshot using cleartext HTTP in some cases.

Users are impacted when all of the following conditions are true:

  1. Terraform is configured to use the AzureRM blob storage for state storage
  2. State storage is authenticated using a SAS token and the token was not generated to require HTTPS
  3. The AzureRM blob storage container is configured to allow HTTP

Under those circumstances, Terraform will send state to AzureRM blob storage using unencrypted HTTP rather than HTTPS. Consequently, an attacker with access to this unencrypted network traffic could read all Terraform state, including any secrets stored in the state.

If you were impacted by this, you should generate a new SAS token. If your state file contains any sensitive values, such as API keys, you should also rotate those credentials.

Patches

This issue has been addressed in Terraform 0.12.17, by upgrading the Azure SDK to a version that selects HTTPS by default when the token does not explicitly select a protocol.

Workarounds

If you’re on a version of Terraform prior to 0.12.17, there are steps that will allow you to mitigate this issue:

The AzureRM shared access signature (SAS) must be explicitly generated as HTTPS-only, for example with the Azure CLI:

az storage container generate-sas \
  --https-only \
  --subscription $ARM_SUBSCRIPTION_ID \
  --permissions acdlrw \
  --auth-mode login --as-user \
  --account-name $STORAGE_ACCOUNT \
  --name $CONTAINER \
  --expiry $EXPIRY
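The following is an added example, not part of the original advisory or of Terraform's code. It checks the three exposure conditions listed under Impact against a configuration: it parses a SAS token's `spr` (signedProtocol) query field, which Azure sets to `https` for HTTPS-only tokens and which defaults to `https,http` when absent, and combines that with the Terraform version and whether the container allows HTTP. The token strings, the `PLACEHOLDER` signature values and the `container_allows_http` input are constructed for the example.

```python
from __future__ import annotations
from urllib.parse import parse_qs

# Constructed sample SAS tokens; signatures are placeholders, not real credentials.
SAS_HTTPS_ONLY = "sv=2019-02-02&spr=https&sp=racwdl&se=2020-01-01T00%3A00%3A00Z&sr=c&sig=PLACEHOLDER"
SAS_BOTH = "sv=2019-02-02&spr=https%2Chttp&sp=racwdl&se=2020-01-01T00%3A00%3A00Z&sr=c&sig=PLACEHOLDER"
SAS_NO_SPR = "?sv=2019-02-02&sp=racwdl&se=2020-01-01T00%3A00%3A00Z&sr=c&sig=PLACEHOLDER"

# Terraform release that selects HTTPS by default (from the advisory).
PATCHED_VERSION = (0, 12, 17)


def sas_protocols(token: str) -> set:
    """Return the set of protocols a SAS token permits.

    The `spr` field carries the signed protocol. Azure's documented default
    when `spr` is omitted is `https,http`, i.e. plain HTTP is allowed.
    """
    params = parse_qs(token.lstrip("?"), keep_blank_values=True)
    spr = params.get("spr")
    if not spr or not spr[0].strip():
        return {"https", "http"}
    return {p.strip().lower() for p in spr[0].split(",") if p.strip()}


def sas_is_https_only(token: str) -> bool:
    """True only when the token was generated with --https-only (spr=https)."""
    return sas_protocols(token) == {"https"}


def parse_version(version: str) -> tuple:
    """Turn '0.12.16' (optionally prefixed with 'v') into a comparable tuple."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def audit_state_backend(terraform_version: str, sas_token: str,
                        container_allows_http: bool) -> dict:
    """Evaluate the advisory's three conditions.

    `exposed` is True only when all three hold, which is exactly when
    state and token could be sent over cleartext HTTP.
    """
    conditions = {
        "unpatched_terraform": parse_version(terraform_version) < PATCHED_VERSION,
        "sas_not_https_only": not sas_is_https_only(sas_token),
        "container_allows_http": container_allows_http,
    }
    return {"conditions": conditions, "exposed": all(conditions.values())}


if __name__ == "__main__":
    for version, token in [("0.12.16", SAS_NO_SPR), ("0.12.16", SAS_HTTPS_ONLY),
                           ("0.12.17", SAS_BOTH)]:
        result = audit_state_backend(version, token, container_allows_http=True)
        print(version, sorted(sas_protocols(token)), result)
```

The check is deliberately conservative: a token with no `spr` field is treated as allowing HTTP, matching Azure's default, so the only way to pass `sas_not_https_only` is to regenerate the token with `--https-only` as the workaround above describes.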

References

This issue was reported in #23493 and fixed by #23496.

For more information

If you have any questions or comments about this advisory, email us at [email protected].

Severity

High

CVE ID

CVE-2019-19316

Weaknesses

No CWEs

Credits