azure-vm-web-tier-disk-unencrypted: Azure VM Web-Tier Disk Volumes Not Encrypted

日期: 2025-08-01 | 影响软件: Azure VM Web Tier Disk Unencrypted | POC: 已公开

漏洞描述

Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted to meet security and compliance requirements. This rule assumes all Azure cloud resources in the web tier are tagged with <web_tier_tag>:<web_tier_tag_value>. Tags must be configured on the Cloud Conformity dashboard prior to running this check.

PoC代码[已公开]

id: azure-vm-web-tier-disk-unencrypted
info:
  name: Azure VM Web-Tier Disk Volumes Not Encrypted
  author: princechaddha
  severity: high
  description: |
    Ensure that all the disk volumes attached to the Microsoft Azure virtual machines (VMs) launched within the web tier are encrypted to meet security and compliance requirements. This rule assumes all Azure cloud resources in the web tier are tagged with <web_tier_tag>:<web_tier_tag_value>. Tags must be configured on the Cloud Conformity dashboard prior to running this check.
  impact: |
    Unencrypted disk volumes can lead to data breaches and non-compliance with security standards, exposing sensitive information.
  remediation: |
    Enable encryption for all disk volumes attached to VMs within the Azure web tier to enhance data security and comply with regulatory requirements.
  reference:
    - https://docs.microsoft.com/en-us/azure/virtual-machines/linux/encrypt-disks
  tags: cloud,devops,azure,microsoft,azure-vm,azure-cloud-config

flow: |
  code(1);
  for (let VmData of iterate(template.vmList)) {
    VmData = JSON.parse(VmData);
    set("ids", VmData.Id);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az vm list --query '[?(tags.web_tier_tag == "web_tier_tag_value")].{"Id":id}'

    extractors:
      - type: json
        name: vmList
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az vm encryption show --ids "$ids" --query 'disks'

    matchers-condition: and
    matchers:
      - type: word
        part: stderr
        words:
          - 'Azure Disk Encryption is not enabled'

    extractors:
      - type: dsl
        dsl:
          - 'ids + " in " + " is not encrypted"'
# digest: 4b0a00483046022100d70fe7e6ef5bdd1f8eb7a0a38afd19e9d10f9b3e9d57b2142851895a14f6b615022100f12b55c83d3f322ac88ae3ad8f342005a9c05911cac8e2f4b4811470f30e9d52:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/azure/virtualmachines/azure-vm-web-tier-disk-unencrypted.yaml