Unrestricted SQL Server Access

  • Query id: 3f23c96c-f9f5-488d-9b17-605b8da5842f
  • Query name: Unrestricted SQL Server Access
  • Platform: Ansible
  • Severity: Critical
  • Category: Networking and Firewall
  • CWE: 284
  • URL: Github

Description

Azure SQL Server Accessibility should be set to a minimal address range to grant the principle of least privileges, which means the difference between the values of the 'end_ip_address' and 'start_ip_address' should be less than 256. Additionally, both ips should be different from '0.0.0.0'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
#this is a problematic code where the query should report a result(s)
- name: Create (or update) Firewall Rule1
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup1
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 0.0.0.0
    end_ip_address: 172.28.11.138
- name: Create (or update) Firewall Rule2
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup2
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.11.138

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
#this code is a correct code for which the query should not find any result
- name: Create (or update) Firewall Rule
  azure_rm_sqlfirewallrule:
    resource_group: myResourceGroup
    server_name: firewallrulecrudtest-6285
    name: firewallrulecrudtest-5370
    start_ip_address: 172.28.10.136
    end_ip_address: 172.28.10.138