401 – Insecure service configuration - AKV Secret Expiration

Description

The secrets stored in Azure Key Vault do not set an expiration date.

Impact

Increase the chances of compromising sensitive secrets of the system.

Recommendation

Define an expiration date for Azure secrets by setting the expiration_date property.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: H
• Attack Requirements: N
• Privileges required: H
• User interaction: N
• Confidentiality (VC): H
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: U

Requirements

• 130 - Limit password lifespan
• 138 - Define lifespan for temporary passwords
• 140 - Define OTP lifespan

Fixes

• Azure

Last updated

2024/02/20