Azure Storage account configured with TLS version lower than 1.2
Description
AlphaSOC detected that an Azure Storage account was configured with a minimum
TLS version below 1.2. This is identified through the
Microsoft.Storage/storageAccounts/write action where the minimumTlsVersion
property is set to TLS1_1 or TLS1_0. Azure Storage accounts support
configurable minimum TLS versions to enforce secure encrypted connections for
all client requests to blob, file, queue, and table services. Organizations
typically configure TLS 1.2 or higher as the minimum version to protect against
known cryptographic vulnerabilities in older TLS protocols. TLS 1.0 and TLS 1.1
are deprecated protocols that contain security weaknesses including
susceptibility to BEAST (Browser Exploit Against SSL/TLS) attacks, POODLE
(Padding Oracle On Downgraded Legacy Encryption) attacks, and weak cipher suites
that can be exploited to decrypt traffic. Major browsers and security frameworks
have removed support for these outdated protocols due to their known risks.
However, threat actors who have gained access to an Azure environment may
downgrade the minimum TLS version to enable connections using weak cryptographic
protocols, making it easier to conduct man-in-the-middle attacks or decrypt
intercepted traffic through cryptographic exploitation techniques.
Impact
Configuring Azure Storage accounts with weak TLS versions exposes data in transit to cryptographic attacks that can compromise confidentiality and integrity. Attackers positioned on the network path between clients and Azure Storage can exploit vulnerabilities in TLS 1.0 and TLS 1.1 to decrypt encrypted traffic, intercept authentication credentials, or modify data during transmission. The deprecated protocols support weak cipher suites and outdated key exchange mechanisms that are vulnerable to known attack techniques, allowing sophisticated adversaries to break encryption and access sensitive information.
Severity
| Severity | Condition |
|---|---|
| Low | Azure Storage account configured with TLS version lower than 1.2 |
Investigation and Remediation
Review Azure Activity logs to identify the
Microsoft.Storage/storageAccounts/write event and examine the request body to
verify the minimumTlsVersion property was set to TLS1_1 or TLS1_0.
Identify the affected storage account and assess what data is stored within it,
including the sensitivity of blobs, files, tables, and queues, to understand the
scope of potential exposure. Verify the principal (user, service principal, or
managed identity) that performed the modification and check the source IP
address and user agent to confirm whether the activity originated from
authorized infrastructure or personnel. Review Azure Storage diagnostic logs to
identify any connections made to the storage account using TLS 1.0 or TLS 1.1
during the period when weak protocols were allowed, looking for potential
exploitation attempts or suspicious client behavior.

If the modification was unauthorized, immediately update the minimum TLS
version to TLS1_2 or higher to enforce modern encryption standards for all
connections. Assess whether the downgrade may have enabled man-in-the-middle
attacks by examining network traffic logs and connection patterns for anomalies
during the exposure window. Rotate all storage account access keys and
regenerate shared access signature (SAS) tokens as a precaution, as credentials
may have been intercepted during the period when weak encryption was permitted.
Disable or rotate credentials for the compromised principal and review Azure
RBAC assignments to remove excessive permissions on storage account resources.
Implement Azure Policy to enforce minimum TLS 1.2 requirements across all
storage accounts and configure alerts for future modifications to the minimum
TLS version setting.
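The detection logic from the Description and the first investigation step (find the storageAccounts/write event and read minimumTlsVersion out of its request body), as an added example in Python; this is not AlphaSOC's code. The Activity Log field layout (operationName.value, properties.requestbody as a JSON string, caller, httpRequest.clientIpAddress) and the sample records are assumptions constructed for the example.

```python
import json

WEAK_TLS = {"TLS1_0", "TLS1_1"}
WRITE_OP = "Microsoft.Storage/storageAccounts/write"

# Constructed Activity Log (Administrative) records. The layout used here
# (operationName.value, properties.requestbody as a JSON string, caller,
# httpRequest.clientIpAddress) is an assumption, not data from a real tenant.
SAMPLE_EVENTS = [
    {   # write that lowers the floor to TLS 1.0: should be flagged
        "operationName": {"value": WRITE_OP},
        "resourceId": "/subscriptions/<sub>/resourceGroups/rg-demo/providers/"
                      "Microsoft.Storage/storageAccounts/stdemo001",
        "caller": "alice@example.com",
        "httpRequest": {"clientIpAddress": "203.0.113.10"},
        "properties": {"requestbody": json.dumps(
            {"properties": {"minimumTlsVersion": "TLS1_0"}})},
    },
    {   # compliant TLS 1.2 setting on another account: not flagged
        "operationName": {"value": WRITE_OP},
        "resourceId": ".../storageAccounts/stdemo002",
        "caller": "deploy-sp",
        "properties": {"requestbody": json.dumps(
            {"properties": {"minimumTlsVersion": "TLS1_2"}})},
    },
]

def min_tls_from_event(event):
    """Return the minimumTlsVersion a storageAccounts/write sets, else None."""
    if event.get("operationName", {}).get("value") != WRITE_OP:
        return None
    body = event.get("properties", {}).get("requestbody", "")
    try:                      # requestbody normally arrives as a JSON string
        body = json.loads(body) if isinstance(body, str) else body
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict):
        return None
    return body.get("properties", {}).get("minimumTlsVersion")

def find_tls_downgrades(events):
    """Flag writes that set a weak floor, with the context an analyst needs."""
    hits = []
    for e in events:
        version = min_tls_from_event(e)
        if version in WEAK_TLS:
            hits.append({"resource": e.get("resourceId"), "caller": e.get("caller"),
                         "client_ip": e.get("httpRequest", {}).get("clientIpAddress"),
                         "min_tls": version})
    return hits
```

A write whose body omits minimumTlsVersion is not a downgrade and is left alone; only bodies that explicitly set TLS1_0 or TLS1_1 are reported, together with the caller and client IP the investigation step asks you to verify.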