Impact
When using the Azure backend with a shared access signature (SAS), Terraform transmits the token itself and the state snapshot using cleartext HTTP in some cases.
Users are impacted when all of the following conditions are true:
- Terraform is configured to use the AzureRM blob storage for state storage
- State storage is authenticated using a SAS token and the token was not generated to require HTTPS
- The AzureRM blob storage container is configured to allow HTTP
Under those circumstances, Terraform will send state to AzureRM blob storage using unencrypted HTTP rather than HTTPS. Consequently, an attacker with access to this unencrypted network traffic could read all Terraform state, including any secrets stored in the state.
If you were impacted by this, you should generate a new SAS token. If your state file contains any sensitive values, such as API keys, you should also rotate those credentials.
Patches
This issue has been addressed in Terraform 0.12.17, by upgrading the Azure SDK to a version that selects HTTPS by default when the token does not explicitly select a protocol.
Workarounds
If you're on a version of Terraform prior to 0.12.17, you can mitigate this issue by ensuring the AzureRM SAS (shared access signature) is explicitly generated for HTTPS-only, so that the token itself forbids cleartext HTTP regardless of which protocol the client selects:
az storage container generate-sas \
--https-only \
--subscription $ARM_SUBSCRIPTION_ID \
--permissions acdlrw \
--auth-mode login --as-user \
--account-name $STORAGE_ACCOUNT \
--name $CONTAINER \
--expiry $EXPIRY
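As an added example (not part of this advisory), a pre-flight check that can run before `terraform init`: it inspects the token's `spr` (signed protocol) field, which Azure sets to `https` for tokens generated with `--https-only` and to `https,http` (or omits) for tokens that also permit cleartext. The token strings and the `sig` values below are constructed placeholders, and the version tuple is assumed to be supplied by the caller.

```python
"""Pre-flight check for a Terraform azurerm backend SAS token.

Azure encodes the signed protocol in the ``spr`` query field of a SAS
token: ``spr=https`` restricts it to HTTPS, while ``spr=https,http`` or a
missing ``spr`` also permits cleartext HTTP. Before Terraform 0.12.17 the
bundled Azure SDK could pick HTTP for such a token, exposing the token and
the state snapshot on the wire.
"""
from urllib.parse import parse_qs


def sas_requires_https(sas_token: str) -> bool:
    """Return True only if the token's signed protocol is exactly 'https'."""
    # Tokens are often pasted with a leading '?' as shown in the Azure portal.
    fields = parse_qs(sas_token.lstrip("?"), keep_blank_values=True)
    protocols = fields.get("spr", [])
    if len(protocols) != 1:
        # No (or a duplicated) spr field: the service treats it as https,http.
        return False
    return protocols[0].strip().lower() == "https"


def check_backend_sas(sas_token: str, terraform_version: tuple) -> list:
    """Return findings for the backend config; an empty list means OK.

    terraform_version is assumed to be a (major, minor, patch) tuple.
    """
    findings = []
    if not sas_requires_https(sas_token):
        findings.append("SAS token does not require HTTPS (spr is not 'https'); regenerate with --https-only")
        if terraform_version < (0, 12, 17):
            findings.append("Terraform < 0.12.17 may send the token and state over cleartext HTTP; upgrade")
    return findings


if __name__ == "__main__":
    # Constructed sample tokens; 'sig' values are placeholders, not real signatures.
    safe = "?sv=2019-02-02&ss=b&sp=acdlrw&se=2020-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER"
    weak = "?sv=2019-02-02&ss=b&sp=acdlrw&se=2020-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"
    for label, token in (("safe", safe), ("weak", weak)):
        print(label, check_backend_sas(token, (0, 12, 16)) or "OK")
```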
References
This issue was reported in #23493 and fixed by #23496.
For more information
If you have any questions or comments about this advisory, email us at [email protected].