Information disclosure from outdated TLS versions in Azure Storage account

Severity: Medium Risk | Category: infrastructure-security
Tags: azure, storage-account, tls, encryption-in-transit, protocol-security, information-disclosure, terraform

What it is

Azure Storage accounts configured to accept TLS 1.0 and TLS 1.1 connections are vulnerable to protocol downgrade attacks, man-in-the-middle attacks, and cryptographic weaknesses. These legacy TLS versions contain known security flaws that can expose data in transit between clients and storage endpoints.

# VULNERABLE: Storage account without minimum TLS version
resource "azurerm_storage_account" "vulnerable_storage" {
  name                     = "vulnerablestorage123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  
  # VULNERABLE: No min_tls_version set, so the effective minimum is whatever the
  # provider/API default supplies (the Storage REST API defaults to TLS1_0), which
  # may accept TLS 1.0/1.1 connections
}

# VULNERABLE: Explicitly allowing TLS 1.0
resource "azurerm_storage_account" "legacy_tls" {
  name                     = "legacytls123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  
  # VULNERABLE: TLS 1.0 allows weak cryptography
  min_tls_version = "TLS1_0"
}

# VULNERABLE: TLS 1.1 still vulnerable
resource "azurerm_storage_account" "tls11_storage" {
  name                     = "tls11storage123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  
  # VULNERABLE: TLS 1.1 has known weaknesses
  min_tls_version = "TLS1_1"
}

# SECURE: Storage account with minimum TLS 1.2
resource "azurerm_storage_account" "secure_storage" {
  name                     = "securestorage123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  
  # SECURE: Enforce TLS 1.2 minimum
  min_tls_version           = "TLS1_2"
  enable_https_traffic_only = true
}

# SECURE: Storage account with comprehensive security
resource "azurerm_storage_account" "hardened_storage" {
  name                     = "hardenedstorage123"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  
  # SECURE: TLS 1.2 and HTTPS only
  min_tls_version           = "TLS1_2"
  enable_https_traffic_only = true
  
  # SECURE: Additional security settings
  # Note: attribute names depend on the azurerm provider version. In azurerm 3.x
  # allow_blob_public_access is named allow_nested_items_to_be_public, and in
  # azurerm 4.x enable_https_traffic_only is named https_traffic_only_enabled.
  allow_blob_public_access  = false
  
  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}

💡 Why This Fix Works

The vulnerable configurations either omit min_tls_version (accepting any TLS version including 1.0/1.1) or explicitly set it to TLS1_0 or TLS1_1, which have known cryptographic weaknesses and are susceptible to protocol downgrade attacks. The secure version enforces min_tls_version of TLS1_2, combined with enable_https_traffic_only to ensure all connections use modern, secure cryptographic protocols.

Why it happens

Azure Storage accounts are created in Terraform without min_tls_version set explicitly. Without this parameter, the storage account may accept connections using the legacy TLS 1.0 and 1.1 protocols, which have known cryptographic vulnerabilities.

Root causes

Missing TLS Version Configuration

Azure Storage accounts are created in Terraform without min_tls_version set explicitly. Without this parameter, the storage account may accept connections using the legacy TLS 1.0 and 1.1 protocols, which have known cryptographic vulnerabilities.

Backward Compatibility Concerns

Storage accounts intentionally configured to accept TLS 1.0/1.1 to maintain compatibility with legacy clients and applications. Security is sacrificed for operational convenience without assessing actual client requirements.

Inadequate Security Standards in IaC

Terraform modules and templates lack minimum TLS version enforcement as a required security baseline. Infrastructure-as-code doesn't codify secure TLS configuration, allowing insecure deployments to reach production.
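One way to codify the baseline described above is a pre-commit or CI check over Terraform source. The following is an added example (not the page's or Sourcery's own rule) that finds every azurerm_storage_account block and flags a missing or legacy min_tls_version; the sample HCL is a constructed, trimmed copy of the resources shown earlier on this page.

```python
import re

# Constructed sample input: trimmed copies of the page's vulnerable and secure resources
SAMPLE_TF = '''
resource "azurerm_storage_account" "vulnerable_storage" {
  name = "vulnerablestorage123"
}

resource "azurerm_storage_account" "legacy_tls" {
  min_tls_version = "TLS1_0"
}

resource "azurerm_storage_account" "secure_storage" {
  min_tls_version           = "TLS1_2"
  enable_https_traffic_only = true
  network_rules {
    default_action = "Deny"
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"azurerm_storage_account"\s+"([^"]+)"\s*\{')
TLS_ATTR_RE = re.compile(r'^\s*min_tls_version\s*=\s*"([^"]*)"', re.MULTILINE)
LEGACY = {"TLS1_0", "TLS1_1"}

def _block_body(text, open_idx):
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")

def audit_storage_tls(hcl):
    """Map each azurerm_storage_account name to a finding string, or None when it
    pins TLS1_2 or higher. A missing attribute is flagged because the effective
    value then depends on the provider/API default rather than on reviewed code."""
    findings = {}
    for m in RESOURCE_RE.finditer(hcl):
        attr = TLS_ATTR_RE.search(_block_body(hcl, m.end() - 1))
        if attr is None:
            findings[m.group(1)] = "min_tls_version not set (provider default applies)"
        elif attr.group(1) in LEGACY:
            findings[m.group(1)] = f"min_tls_version = {attr.group(1)} permits legacy TLS"
        else:
            findings[m.group(1)] = None
    return findings
```

Running `audit_storage_tls` over the sample flags the first two resources and passes the third; a real pipeline would read `*.tf` files and fail the build on any non-None finding.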

Insecure Azure Default Settings

Azure's default TLS configuration may permit older protocol versions for legacy support. Teams rely on defaults without hardening security settings, unknowingly exposing data to protocol downgrade attacks.

Unvalidated Legacy Client Dependencies

Teams assume they must support TLS 1.0/1.1 for legacy clients without actually auditing which clients connect to storage and whether they support TLS 1.2. This prevents security upgrades based on false compatibility assumptions.

Fixes

1. Enforce TLS 1.2 Minimum Version

Set min_tls_version = "TLS1_2" on all Azure Storage accounts in Terraform configurations. This rejects connection attempts using TLS 1.0 and 1.1, ensuring all data in transit uses modern, secure cryptographic protocols.

2. Enable HTTPS-Only Traffic

Set enable_https_traffic_only = true to enforce encrypted connections for all storage access. Combined with TLS 1.2 minimum, this ensures all data transfers use secure, modern encryption protocols.

3. Audit Client TLS Compatibility

Before enforcing TLS 1.2, review storage account access logs to identify which TLS versions clients currently use. Test applications and clients to verify TLS 1.2+ support, creating upgrade plans for any incompatible systems.

4. Implement Azure Policy Enforcement

Deploy Azure Policy definitions that enforce min_tls_version = "TLS1_2" across all storage accounts organization-wide. Use policy effects such as "Deny" to prevent deployment of storage accounts with insecure TLS configurations.

5. Monitor TLS Version Usage

Enable storage account logging and monitor for TLS version usage patterns. Set up alerts for any attempts to connect using TLS 1.0/1.1 after enforcement, indicating legacy clients that need remediation.
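To make the audit in steps 3 and 5 concrete, here is an added example (not from the page or Sourcery) that tallies TLS versions from Azure Storage resource-log records and lists the clients that would break once TLS1_2 is enforced. Field names follow the Azure Monitor storage-log schema (callerIpAddress, properties.tlsVersion, properties.userAgentHeader); the log records themselves are constructed for this example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the Azure Storage resource-log JSON-lines shape.
# Field names match the schema; IPs, agents and timestamps are invented.
SAMPLE_LOGS = """\
{"time":"2024-01-10T08:00:01Z","category":"StorageRead","operationName":"GetBlob","callerIpAddress":"203.0.113.10:50211","properties":{"tlsVersion":"TLS 1.2","userAgentHeader":"azsdk-python-storage-blob/12.19.0"}}
{"time":"2024-01-10T08:00:02Z","category":"StorageWrite","operationName":"PutBlob","callerIpAddress":"198.51.100.7:40123","properties":{"tlsVersion":"TLS 1.0","userAgentHeader":"Legacy-Uploader/1.4"}}
{"time":"2024-01-10T08:00:05Z","category":"StorageRead","operationName":"ListBlobs","callerIpAddress":"198.51.100.7:40130","properties":{"tlsVersion":"TLS 1.1","userAgentHeader":"Legacy-Uploader/1.4"}}
{"time":"2024-01-10T08:00:09Z","category":"StorageRead","operationName":"GetBlob","callerIpAddress":"203.0.113.22:51002","properties":{"tlsVersion":"TLS 1.2","userAgentHeader":"azcopy/10.21"}}
"""

LEGACY_TLS = {"TLS 1.0", "TLS 1.1"}

def summarize_tls(log_lines):
    """Count requests per TLS version and collect the legacy clients (IPv4 address
    without its ephemeral port, plus User-Agent) that will be rejected after
    min_tls_version = TLS1_2 is enforced."""
    by_version = Counter()
    legacy_clients = defaultdict(set)
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        version = rec.get("properties", {}).get("tlsVersion", "unknown")
        by_version[version] += 1
        if version in LEGACY_TLS:
            ip = rec["callerIpAddress"].rsplit(":", 1)[0]  # strip the source port
            agent = rec["properties"].get("userAgentHeader", "<none>")
            legacy_clients[(ip, agent)].add(version)
    return by_version, legacy_clients

def legacy_alerts(legacy_clients):
    """Render one alert line per legacy client, sorted for stable output."""
    return [f"{ip} ({agent}) uses {', '.join(sorted(versions))}"
            for (ip, agent), versions in sorted(legacy_clients.items())]

if __name__ == "__main__":
    versions, legacy = summarize_tls(SAMPLE_LOGS)
    print(dict(versions))
    for alert in legacy_alerts(legacy):
        print("ALERT:", alert)
```

Before enforcement the version histogram sizes the migration; after enforcement any alert line is a client that was missed in the inventory.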

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from outdated TLS versions in Azure Storage accounts and many other security issues in your codebase.