
Terraform SSL Enforcement Disabled

Description

Identifies Azure PostgreSQL servers configured without SSL/TLS encryption enforcement in Terraform configurations. When SSL enforcement is disabled, clients can connect to the database without encryption, so credentials and query data travel in cleartext and can be intercepted or altered by anyone positioned on the network path.

Weakness:

016 - Insecure encryption algorithm - SSL/TLS

Category: Information Collection

Detection Strategy

1. Look for Terraform resource blocks of type 'azurerm_postgresql_server'.
2. Check whether the resource's 'ssl_enforcement_enabled' attribute is set to 'false'.
3. Report a vulnerability for each PostgreSQL server instance where SSL enforcement is explicitly disabled.

Vulnerable code example

resource "azurerm_postgresql_server" "example" {
  name                = "psql-server"
  # Required arguments omitted from the original snippet; the resource group and
  # password variable referenced here are assumed to be defined elsewhere.
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku_name            = "B_Gen5_2"
  version             = "9.5"
  storage_mb          = 5120
  administrator_login          = "psqladmin"
  administrator_login_password = var.administrator_password

  ssl_enforcement_enabled = false  # Vulnerable: SSL enforcement disabled allows unencrypted connections
}

✅ Secure code example

resource "azurerm_postgresql_server" "example" {
  name                = "psql-server"
  # Required arguments omitted from the original snippet; the resource group and
  # password variable referenced here are assumed to be defined elsewhere.
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku_name            = "B_Gen5_2"
  version             = "9.5"
  storage_mb          = 5120
  administrator_login          = "psqladmin"
  administrator_login_password = var.administrator_password

  ssl_enforcement_enabled          = true     # Required: Enforce SSL to ensure encrypted connections
  ssl_minimal_tls_version_enforced = "TLS1_2" # Also reject legacy TLS 1.0/1.1 handshakes
}
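As an added example (not part of this page or of any scanner the page describes), the detection strategy above implemented as a small Python check: it uses regular expressions instead of a full HCL parser, so it assumes one attribute per line and closing braces of top-level blocks at column 0, and it reports only an explicit `false` (the attribute is mandatory on this resource, so an absent one already fails `terraform validate`).

```python
import re

# Constructed sample (not from the page): one vulnerable PostgreSQL server,
# one compliant one, and a MySQL server the rule must ignore.
SAMPLE_TF = """resource "azurerm_postgresql_server" "weak" {
  name                    = "psql-weak"
  sku_name                = "B_Gen5_2"
  version                 = "9.5"
  ssl_enforcement_enabled = false  # unencrypted connections allowed
}

resource "azurerm_postgresql_server" "strong" {
  name                    = "psql-strong"
  sku_name                = "GP_Gen5_4"
  version                 = "11"
  ssl_enforcement_enabled = true
}

resource "azurerm_mysql_server" "other" {
  name                    = "mysql-other"
  ssl_enforcement_enabled = false
}
"""

# A top-level resource block: type, label, and body up to the first "}" at column 0.
BLOCK_RE = re.compile(
    r'resource\s+"(?P<type>[^"]+)"\s+"(?P<label>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S
)
# The attribute on its own line; a trailing comment after the value is allowed.
ATTR_RE = re.compile(
    r'^[ \t]*ssl_enforcement_enabled[ \t]*=[ \t]*(?P<val>true|false)\b', re.M
)


def find_ssl_enforcement_disabled(hcl: str) -> list[tuple[str, int]]:
    """Return (resource label, line number) for each azurerm_postgresql_server
    whose ssl_enforcement_enabled attribute is explicitly false."""
    findings = []
    for block in BLOCK_RE.finditer(hcl):
        if block.group("type") != "azurerm_postgresql_server":
            continue  # step 1: other resource types are out of scope
        attr = ATTR_RE.search(block.group("body"))
        if attr is None or attr.group("val") != "false":
            continue  # step 2: only an explicit false is a finding
        # Translate the match offset into a 1-based line number for the report.
        offset = block.start("body") + attr.start()
        findings.append((block.group("label"), hcl.count("\n", 0, offset) + 1))
    return findings  # step 3: one entry per affected server
```

Running `find_ssl_enforcement_disabled(SAMPLE_TF)` on the constructed sample reports only the `weak` server with the line number of its `ssl_enforcement_enabled = false` attribute.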