Sensitive Port Is Exposed To Wide Private Network
- Query id: 92fe237e-074c-4262-81a4-2077acb928c1
- Query name: Sensitive Port Is Exposed To Wide Private Network
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description¶
A sensitive port, such as port 23 or port 110, is open for a wide private network in either TCP or UDP protocol
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_security_group" "positive1" {
name = "allow_tls1"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 2200
to_port = 2500
protocol = "-1"
cidr_blocks = ["10.0.0.0/8"]
}
}
Positive test num. 2 - tf file
resource "aws_security_group" "positive2" {
name = "allow_tls2"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 20
to_port = 60
protocol = "tcp"
cidr_blocks = ["192.168.0.0/16"]
}
}
Positive test num. 3 - tf file
resource "aws_security_group" "positive3" {
name = "allow_tls3"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 5000
to_port = 6000
protocol = "-1"
cidr_blocks = ["172.16.0.0/12"]
}
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
Positive test num. 6 - tf file
Positive test num. 7 - tf file
Positive test num. 8 - tf file
Positive test num. 9 - tf file
module "vote_service_sg" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_with_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["172.16.0.0/12"]
}
]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_security_group" "negative1" {
name = "allow_tls1"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 2383
to_port = 2383
protocol = "tcp"
cidr_blocks = [aws_vpc.main.cidr_block]
}
}
Negative test num. 2 - tf file
resource "aws_security_group" "negative2" {
name = "allow_tls2"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 2384
to_port = 2386
protocol = "tcp"
cidr_blocks = ["/0"]
}
}
Negative test num. 3 - tf file
resource "aws_security_group" "negative3" {
name = "allow_tls3"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 25
to_port = 2500
protocol = "tcp"
cidr_blocks = ["1.2.3.4/0"]
}
}
Negative test num. 4 - tf file
Negative test num. 5 - tf file
Negative test num. 6 - tf file
Negative test num. 7 - tf file
module "vote_service_sg" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_with_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["1.2.3.4", "0.0.0.0/0"]
}
]
}