Sensitive Port Is Exposed To Entire Network
- Query id: 0ac9abbc-6d7a-41cf-af23-2e57ddb3dbfc
- Query name: Sensitive Port Is Exposed To Entire Network
- Platform: Ansible
- Severity: High
- Category: Networking and Firewall
- CWE: 200
- URL: Github
Description¶
A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
---
- name: foo1
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example1
priority: 100
direction: Inbound
access: Allow
protocol: UDP
source_port_range: "*"
destination_port_range: "61621"
source_address_prefix: "/0"
destination_address_prefix: "*"
- name: foo2
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example2
priority: 100
direction: Inbound
access: Allow
protocol: TCP
source_port_range: "*"
destination_port_range: "23-34"
source_address_prefix: "1.1.1.1/0"
destination_address_prefix: "*"
- name: foo3
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example3
priority: 100
direction: Inbound
access: Allow
protocol: "*"
source_port_range: "*"
destination_port_range: "21-23"
source_address_prefix: "/0"
destination_address_prefix: "*"
- name: foo4
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example4
priority: 100
direction: Inbound
access: Allow
protocol: "*"
source_port_range: "*"
destination_port_range: "23"
source_address_prefix: "0.0.0.0/0"
destination_address_prefix: "*"
- name: foo5
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example5
priority: 100
direction: Inbound
access: Allow
protocol: "UDP"
source_port_range: "*"
destination_port_range:
- "23"
- "245"
source_address_prefix: "34.15.11.3/0"
destination_address_prefix: "*"
- name: foo6
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example6
priority: 100
direction: Inbound
access: Allow
protocol: "TCP"
source_port_range: "*"
destination_port_range: "23"
source_address_prefix: "/0"
destination_address_prefix: "*"
- name: foo7
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example7
priority: 100
direction: Inbound
access: Allow
protocol: "UDP"
source_port_range: "*"
destination_port_range: "22-64, 94"
source_address_prefix: "10.0.0.0/0"
destination_address_prefix: "*"
- name: foo8
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example8
priority: 100
direction: Inbound
access: Allow
protocol: "TCP"
source_port_range: "*"
destination_port_range:
- "14"
- "23"
- "48"
source_address_prefix: "12.12.12.12/0"
destination_address_prefix: "*"
- name: foo9
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example9
priority: 100
direction: Inbound
access: Allow
protocol: "*"
source_port_range: "*"
destination_port_range:
- "12"
- "23-24"
- "46"
source_address_prefix: "/0"
destination_address_prefix: "*"
- name: example10
priority: 100
direction: Inbound
access: Allow
protocol: "*"
source_port_range: "*"
destination_port_range: 46-146, 18-36, 1-2, 3
source_address_prefix: "1.2.3.4/0"
destination_address_prefix: "*"
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
- name: foo1
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example1
priority: 100
direction: Inbound
access: Deny
protocol: TCP
source_port_range: '*'
destination_port_range: 23
source_address_prefix: '*'
destination_address_prefix: '*'
- name: foo2
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example2
priority: 100
direction: Inbound
access: Allow
protocol: Icmp
source_port_range: '*'
destination_port_range: 23-24
source_address_prefix: '*'
destination_address_prefix: '*'
- name: foo3
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example3
priority: 100
direction: Inbound
access: Allow
protocol: TCP
source_port_range: '*'
destination_port_range: 8-174
source_address_prefix: 0.0.0.0
destination_address_prefix: '*'
- name: foo4
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example4
priority: 100
direction: Inbound
access: Allow
protocol: TCP
source_port_range: '*'
destination_port_range: 23-196
source_address_prefix: 192.168.0.0
destination_address_prefix: '*'
- name: foo5
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example5
priority: 100
direction: Inbound
access: Allow
protocol: TCP
source_port_range: '*'
destination_port_range: 23
source_address_prefix: /1
destination_address_prefix: '*'
- name: foo6
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example6
priority: 100
direction: Inbound
access: Allow
protocol: '*'
source_port_range: '*'
destination_port_range: 43
source_address_prefix: /0
destination_address_prefix: '*'
- name: foo7
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example7
priority: 100
direction: Inbound
access: Allow
protocol: Icmp
source_port_range: '*'
destination_port_range: 23
source_address_prefix: internet
destination_address_prefix: '*'
- name: foo8
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example8
priority: 100
direction: Inbound
access: Allow
protocol: '*'
source_port_range: '*'
destination_port_range: 22, 24,49-67
source_address_prefix: any
destination_address_prefix: '*'
- name: foo9
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example9
priority: 100
direction: Inbound
access: Allow
protocol: Icmp
source_port_range: '*'
destination_port_range: 23
source_address_prefix: /0
destination_address_prefix: '*'
- name: foo10
azure_rm_securitygroup:
resource_group: myResourceGroup
name: mysecgroup
rules:
- name: example10
priority: 100
direction: Inbound
access: Allow
protocol: TCP
source_port_range: '*'
destination_port_range:
- 23
- 69
source_address_prefix: 0.0.1.0
destination_address_prefix: '*'
- name: example11
priority: 100
direction: Inbound
access: Allow
protocol: TCP
source_port_range: '*'
destination_port_range:
- 2
- 310
source_address_prefix: 0.0.0.0
destination_address_prefix: '*'