azure-openai-cmk-not-enabled: Azure OpenAI Encryption using Customer-Managed Keys Not Enabled

日期: 2025-08-01 | 影响软件: Azure OpenAI | POC: 已公开

漏洞描述

Ensure that your Microsoft Azure OpenAI service instances are using Customer-Managed Keys (CMKs) instead of Microsoft-managed encryption keys (i.e., default keys used by Microsoft Azure for encryption at rest) in order to have a more granular control over your Azure OpenAI data encryption and decryption process.

PoC代码[已公开]

id: azure-openai-cmk-not-enabled
info:
  name: Azure OpenAI Encryption using Customer-Managed Keys Not Enabled
  author: princechaddha
  severity: high
  description: |
    Ensure that your Microsoft Azure OpenAI service instances are using Customer-Managed Keys (CMKs) instead of Microsoft-managed encryption keys (i.e., default keys used by Microsoft Azure for encryption at rest) in order to have a more granular control over your Azure OpenAI data encryption and decryption process.
  impact: |
    Not using Customer-Managed Keys (CMKs) for Azure OpenAI instances can limit your control over encryption keys and potentially expose sensitive data to higher risks.
  remediation: |
    Configure your Azure OpenAI instances to use Customer-Managed Keys by setting up encryption key attributes in the Azure Key Vault and then linking them to your OpenAI service instances.
  reference:
    - https://docs.microsoft.com/en-us/azure/cognitive-services/encryption-key-management
  tags: cloud,devops,azure,microsoft,openai,azure-cloud-config

flow: |
  code(1);
  for (let ServiceData of iterate(template.serviceList)) {
    ServiceData = JSON.parse(ServiceData);
    set("name", ServiceData.Name);
    set("resourceGroup", ServiceData.ResourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az cognitiveservices account list --output json --query '[?(kind=="OpenAI")].{"Name":name,"ResourceGroup":resourceGroup}'

    extractors:
      - type: json
        name: serviceList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az cognitiveservices account show --name "$name" --resource-group "$resourceGroup" --query '{"encryptionKey":properties.encryption.keyVaultProperties.keyName}'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'encryptionKey'
          - 'null'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"$name in $resourceGroup does not use CMK"'
# digest: 4a0a0047304502202d371c0b11e99b4639048d8838040f11717757a572237352dcc017df1fd69e630221008306f773a98c3b399126912a7b9338954bb249d368db8d7922f762bb4ef4632b:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/aiservices/azure-openai-cmk-not-enabled.yaml

相关漏洞推荐