Storage Accounts

Log Container Public Access

Risk Level: High

Description

The plugin will check that the user has not enabled anonymous access sets or subsets for the container logs. The access will allow people to anonymously access the log details of your container.  

About the Service

Storage Accounts: An azure storage account is used to store the customer’s data objects such as files, queues, shares, etc. The storage accounts ensure high availability for the clients and allot a unique namespace for the storage data and are accessible from anywhere around the world using HTTP or HTTPS protocols.

Impact

In case the access level is not set to private, anyone from the internet can anonymously access the log details such as requests for successful or failed login or login requests using  Oauth or SAS leading to breach in confidentiality and disclosure of sensitive information to threat actors.

Steps to Reproduce

  1. Log in to the Azure portal.
  2. Click on Storage accounts for Services.
  3. Select any one of the storage accounts to check for the issue.
  4. From the navigation bar, select Containers from Data storage
  5. Check the value for Public Access level for ‘$log’ container (usually given at top of the list). If it is set to “blob” or “container”, check the Steps for remediation section.
  6. Repeat for other storage account’s logs container as well.

Steps for Remediation

  1. Log in to the Azure portal.
  2. Click on Storage accounts for Services.
  3. Select any one of the storage accounts to check for the issue.
  4. From the navigation bar, select Containers from Data storage
  5. Select the ‘$log’ container to set the access level as private.
  6. Go to Change access level and click on the drop-down menu. Select private (no anonymous access).
  7. Repeat for other storage account’s logs container as well.

Please feel free to reach out to support@pingsafe.com with any questions that you may have.

Thanks

PingSafe Support