azure-openai-managed-identity-not-used: Azure OpenAI Service Instance Managed Identity Not Used

日期: 2025-08-01 | 影响软件: Azure OpenAI | POC: 已公开

漏洞描述

Ensure that your Azure OpenAI service instances are using system-assigned and/or user-assigned managed identities to allow secure access to other cloud protected resources such as Azure key vaults. Managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.

PoC代码[已公开]

id: azure-openai-managed-identity-not-used
info:
  name: Azure OpenAI Service Instance Managed Identity Not Used
  author: princechaddha
  severity: medium
  description: |
    Ensure that your Azure OpenAI service instances are using system-assigned and/or user-assigned managed identities to allow secure access to other cloud protected resources such as Azure key vaults. Managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.
  impact: |
    Not using managed identities can increase risks related to security and management, and hinder compliance with security best practices.
  remediation: |
    Configure your Azure OpenAI service instances to use either system-assigned or user-assigned managed identities to enhance security and simplify resource access management.
  reference:
    - https://docs.microsoft.com/en-us/azure/cognitive-services/authentication
  tags: cloud,devops,azure,microsoft,openai,azure-cloud-config

flow: |
  code(1);
  for (let ServiceInstance of iterate(template.instanceList)) {
    ServiceInstance = JSON.parse(ServiceInstance);
    set("name", ServiceInstance.Name);
    set("resourceGroup", ServiceInstance.ResourceGroup);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az cognitiveservices account list --output json --query '[?(kind==`OpenAI`)].{"Name":name,"ResourceGroup":resourceGroup}'

    extractors:
      - type: json
        name: instanceList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az cognitiveservices account identity show --name "$name" --resource-group "$resourceGroup" --query '{"IdentityType":type}'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"IdentityType": null'
          - '"IdentityType": "None"'

    extractors:
      - type: dsl
        dsl:
          - 'name + " in " + resourceGroup + " does not use a managed identity"'
# digest: 490a0046304402201d2dd4c0da912a83c8dfb6e3c6fd56414e4da3a8b0118396060fccb00c7800620220759f09afa595c913f3fa7017cf66a84b68a639f7ffb1e9a6a4fb24499c91a983:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/aiservices/azure-openai-managed-identity-not-used.yaml

相关漏洞推荐