Skip to content

Improper Masking of Secrets in Logs

High
mattdot published GHSA-7w3w-pjm5-m36c Sep 25, 2024

Package

gomod github.com/microsoft/terraform-provider-power-platform/internal/powerplatform/provider (Go)

Affected versions

<= 2.7.0-preview

Patched versions

>= 3.0.0

Description

Overview

We have identified a security issue in the Power Platform Terraform Provider where sensitive information, specifically the client_secret used in the service principal authentication, may be exposed in logs. This exposure occurs due to an error in the logging code that causes the client_secret to not be properly masked when logs are persisted or viewed.

Details

The issue arises when the Terraform provider sets up logging fields and attempts to mask sensitive information such as client_secret. Due to a typographical error involving an unexpected newline character (\n), the client_secret field is not correctly identified for masking, leading to its value being included in logs.

If logging is configured to persist to a file or an external logging system, this could result in the client_secret being inadvertently exposed, posing a security risk. Users who have configured persistent logging are at higher risk of having this sensitive information compromised.

Affected Logging Configuration

  • Default Behavior: By default, Terraform logs are not persisted and are kept in memory. This issue is less severe if logs are not explicitly configured to be written to a file or an external system.
  • Custom Logging Configuration: If the TF_LOG_PATH environment variable is set or if logs are redirected to an external system, the client_secret may be exposed in the logs. This includes any configuration that redirects or saves logs to a file, monitoring system, or logging service.

Impact

The impact of this issue includes the potential exposure of the client_secret used in the service principal for authenticating with Azure or other services. If an attacker gains access to this client_secret via the logs, they could potentially gain unauthorized access to the services or resources associated with the service principal.

Mitigation Steps

Users who have used this provider with the affected versions should take the following steps to mitigate the risk:

  1. Rotate Secrets:
    - Service Principal: Immediately rotate the client_secret for any service principal that has been configured using this Terraform provider. This will invalidate any potentially exposed secrets.

  2. Disable Persistent Logging:

    • If you have set the TF_LOG_PATH environment variable or configured Terraform to persist logs to a file or an external system, consider disabling this until you have updated to a fixed version of the provider.
    • To disable logging to a file, unset the TF_LOG_PATH environment variable: unset TF_LOG_PATH

  3. Sanitize Existing Logs:

    • If you have existing logs that may contain the client_secret, remove or sanitize these logs to prevent unauthorized access. This includes logs on disk, in monitoring systems, or in logging services.

  4. Update to Fixed Version:

    • We have released a patched version of the provider that removes all logging of sensitive content. Update to the latest version to ensure this issue is resolved: 
      terraform {
  required_providers {
    powerplatform = {
      source  = "microsoft/power-platform"
      version = ">= 3.0.0"
    }
  }
}

  5. Use OIDC for Authentication:

    • We recommend switching to OpenID Connect (OIDC) for authentication instead of using client secrets. OIDC provides a more secure and manageable approach by eliminating the need to manage and rotate secrets.
    • Update your Terraform configuration to use OIDC for authentication: 
      provider "powerplatform" {
  use_oidc = true
  # Other OIDC configuration options
}

Recommendations

  • Audit Your Logs: Regularly audit your logs to ensure no sensitive information is being recorded and apply appropriate log management practices to handle sensitive data securely.
  • Prefer secretless authentication: When possible, prefer OIDC or Managed Identities to reduce the risk of secret exposure.

References

Summary

This advisory addresses an issue where the client_secret could be exposed in logs due to improper masking. Users are advised to rotate secrets, update to the latest provider version, sanitize existing logs, and consider using OIDC for improved security.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v4 base metrics

Exploitability Metrics
Attack Vector Local
Attack Complexity Low
Attack Requirements Present
Privileges Required Low
User interaction None
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality High
Integrity High
Availability High

CVSS v4 base metrics

Exploitability Metrics
Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.
Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.
Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.
Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.
User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.
Vulnerable System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
Subsequent System Impact Metrics
Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.
Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).
Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE ID

CVE-2024-47083

Weaknesses

Credits