False negatives for Azure 'Key Vault Not Recoverable' rule
rieck-srlabs opened this issue
Describe the bug
ScoutSuite fails to flag unrecoverable key vaults as such if the Azure API returns `enable_soft_delete = null` for the key vault.
ScoutSuite uses the computed property `recovery_protection_enabled` to flag vaults where soft-delete is disabled or purge protection is missing:

```python
vault['recovery_protection_enabled'] = raw_vault.properties.enable_soft_delete and \
    bool(raw_vault.properties.enable_purge_protection)
```
However, the code does not correctly handle all possible API return values. According to my tests, `enable_soft_delete` can be `true`, `false`, or `null`.
I have verified in the Azure Portal that soft-delete is disabled for vaults with `enable_soft_delete = null`.

In the case of a `null` API response, the code sets `vault['recovery_protection_enabled'] = None`.
The `keyvault-not-recoverable.json` rule, however, checks only for `false` to flag affected resources. The rule does not handle `None` / `null`:

```json
"conditions": [
    "and",
    [
        "keyvault.subscriptions.id.vaults.id.recovery_protection_enabled",
        "false",
        ""
    ]
],
```
This results in false negatives. Some Key Vaults lacking soft-delete (and, by extension, purge protection) are not flagged.
To Reproduce
I was not able to reproduce this issue for recently created vaults, for which either `true` or `false` was returned by the API. I believe the API returns `null` for old key vaults that were created before soft-delete was added and that have not been migrated yet.

The issue can therefore likely only be reproduced in older tenants that have Key Vaults that are a few years old and that have not enabled soft-delete yet.
- Run ScoutSuite with default settings:

  ```shell
  scout azure --cli --subscriptions '<subscription-id>'
  ```

- Search for affected Key Vaults using `jq`:

  ```shell
  jq -r '.services.keyvault.subscriptions[].vaults[]
    | select(.properties.enable_soft_delete == null)
    | .name' < scoutsuite-results.json
  ```
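The following is an added example by the editor, not code from the issue author or from the ScoutSuite project. It reproduces the three-valued outcome of the quoted `and` expression on constructed vault records (the `SimpleNamespace` stand-ins for the Azure SDK objects, the vault names and the flag values are all made up), models the rule's `"false"` condition as a literal `False` match, and puts a hardened computation beside it that coerces both flags to `bool` so a `null` soft-delete flag is treated as "not protected". The hardened variant is an illustration of the property being computed; it is not the change merged in the project.

```python
"""Why a null enable_soft_delete slips past the 'Key Vault Not Recoverable' rule.

Python's `and` returns its left operand when that operand is falsy, so
`None and bool(x)` evaluates to None, not False. A rule that only matches a
literal False therefore never sees legacy vaults whose flag came back as null.
All vault records below are constructed test data, not real API responses.
"""

from types import SimpleNamespace


def make_vault(name, soft_delete, purge_protection):
    """Constructed stand-in for the raw vault object returned by the Azure SDK."""
    return SimpleNamespace(
        name=name,
        properties=SimpleNamespace(
            enable_soft_delete=soft_delete,
            enable_purge_protection=purge_protection,
        ),
    )


def recovery_protection_enabled_original(raw_vault):
    """Same expression as the one quoted in the issue: None propagates through `and`."""
    return raw_vault.properties.enable_soft_delete and \
        bool(raw_vault.properties.enable_purge_protection)


def recovery_protection_enabled_hardened(raw_vault):
    """Editor's illustration of a null-safe variant: anything that is not an
    explicit True for both flags counts as 'recovery protection disabled'."""
    return bool(raw_vault.properties.enable_soft_delete) and \
        bool(raw_vault.properties.enable_purge_protection)


def rule_matches_false(value):
    """Stand-in for the rule condition [..., "false", ""]: only a literal False matches."""
    return value is False


def run_rule(vaults, compute):
    """Return the names of vaults the rule would flag for a given property computation."""
    flagged = []
    for vault in vaults:
        if rule_matches_false(compute(vault)):
            flagged.append(vault.name)
    return flagged


# Constructed sample: one fully protected vault, one lacking purge protection,
# one with soft-delete explicitly off, and one legacy vault where the API
# returned null for enable_soft_delete.
SAMPLE_VAULTS = [
    make_vault("kv-new-protected", True, True),
    make_vault("kv-new-no-purge", True, False),
    make_vault("kv-new-disabled", False, None),
    make_vault("kv-legacy-null", None, None),
]


if __name__ == "__main__":
    # The original property leaves kv-legacy-null unflagged (false negative);
    # the hardened property flags it alongside the other unprotected vaults.
    print("original:", run_rule(SAMPLE_VAULTS, recovery_protection_enabled_original))
    print("hardened:", run_rule(SAMPLE_VAULTS, recovery_protection_enabled_hardened))
```

Coercing both operands with `bool()` is one way to close the gap; the alternative is to teach the rule engine that a missing or `null` attribute should also match, which is the direction the issue's JSON snippet points at. Either way, the check to keep in mind is that an absent signal is not evidence of protection.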
Fixed in PR #1610, merged into develop branch.