漏洞描述
The Alibaba RAM password policy does not enforce the inclusion of at least one numeric character, increasing the risk of weak passwords and potential unauthorized access.
password-policy-num-unconfigured: RAM Password Policy requires atleast One Number - Unconfigured
PoC代码[已公开]
id: password-policy-num-unconfigured
info:
name: RAM Password Policy requires atleast One Number - Unconfigured
author: DhiyaneshDK
severity: medium
description: |
The Alibaba RAM password policy does not enforce the inclusion of at least one numeric character, increasing the risk of weak passwords and potential unauthorized access.
reference:
- https://www.alibabacloud.com/help/en/ram/user-guide/configure-a-password-policy-for-ram-users
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/alibaba-cloud/AlibabaCloud-RAM/require-number-password-policy.html
metadata:
max-request: 1
verified: true
tags: cloud,devops,aliyun,alibaba,alibaba-cloud-config,alibaba-ram
variables:
region: "cn-hangzhou"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aliyun ram GetPasswordPolicy --region $region
matchers:
- type: word
name: policy
words:
- '"RequireNumbers": false'
extractors:
- type: dsl
dsl:
- '"RAM Password Policy Does not contain One Number "'
# digest: 490a00463044022020adf9739a13e0165e1c00e9ee425937191afd8c32a862f78383aa8901adc959022036afc09b6c217d87bdda0309426e4c5780459da865ee72c378f8e7a8872dd641:922c64590222798bb761d5b6d8e72950