SQL Database Server Firewall Allows All IPS
- Query id: 6a3201a5-1630-494b-b294-3129d06b0eca
- Query name: SQL Database Server Firewall Allows All IPS
- Platform: AzureResourceManager
- Severity: Critical
- Category: Networking and Firewall
- CWE: 284
- URL: Github
Description
A SQL Database Server firewall rule's endIpAddress should not be '255.255.255.255' when its startIpAddress is '0.0.0.0', since that range admits connections from every IPv4 address.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - bicep file
// Logical SQL server that owns the firewall rule declared after it (sample fixture).
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  location: resourceGroup().location
  name: 'sqlServer1'
  properties: {
    // Placeholder credentials for the sample only; a real template should take
    // the password from a parameter marked @secure() rather than a literal.
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
  tags: {
    displayName: 'sqlServer1'
  }
}
// Firewall rule on sqlServer1 — intentionally non-compliant sample.
// 0.0.0.0 through 255.255.255.255 is the whole IPv4 space, so any Internet host
// may reach the server. NOTE(review): the rule name follows Azure's
// "allow Azure services" naming, but the range here is far broader — confirm.
resource sqlServer1_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'AllowAllWindowsAzureIps'
  parent: sqlServer1
  // NOTE(review): firewallRules may not accept a location property; confirm
  // against the 2021-02-01-preview schema.
  location: resourceGroup().location
  properties: {
    startIpAddress: '0.0.0.0'
    endIpAddress: '255.255.255.255'
  }
}
Positive test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "sqlServer1",
"type": "Microsoft.Sql/servers",
"apiVersion": "2021-02-01-preview",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "sqlServer1"
},
"properties": {
"administratorLogin": "adminUsername",
"administratorLoginPassword": "adminPassword"
},
"resources": [
{
"type": "firewallRules",
"apiVersion": "2021-02-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
],
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "0.0.0.0"
}
}
]
}
],
"outputs": {}
}
Positive test num. 3 - bicep file
// Intentionally non-compliant sample: the range still ends at 255.255.255.255.
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    // NOTE(review): '0.0.0.0/0' is CIDR notation rather than a single address;
    // the property presumably expects a plain IPv4 address, so a deployment
    // would likely reject it — the scanner should still flag the range.
    startIpAddress: '0.0.0.0/0'
    endIpAddress: '255.255.255.255'
  }
}
Positive test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "0.0.0.0/0"
}
}
],
"outputs": {}
}
Positive test num. 5 - bicep file
// Parent SQL server for the firewall rule that follows (sample fixture).
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  location: resourceGroup().location
  name: 'sqlServer1'
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    // Literal password is a sample placeholder; real templates should source
    // it from a @secure() parameter, never from template text.
    administratorLoginPassword: 'adminPassword'
  }
}
// Intentionally non-compliant sample: 0.0.0.0–255.255.255.255 exposes the
// server to every IPv4 address, which is what this query detects.
resource sqlServer1_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  parent: sqlServer1
  name: 'AllowAllWindowsAzureIps'
  // NOTE(review): child firewallRules may not take a location; confirm against
  // the 2021-02-01-preview schema.
  location: resourceGroup().location
  properties: {
    startIpAddress: '0.0.0.0'
    endIpAddress: '255.255.255.255'
  }
}
Positive test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"name": "sqlServer1",
"type": "Microsoft.Sql/servers",
"apiVersion": "2021-02-01-preview",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "sqlServer1"
},
"properties": {
"administratorLogin": "adminUsername",
"administratorLoginPassword": "adminPassword"
},
"resources": [
{
"type": "firewallRules",
"apiVersion": "2021-02-01-preview",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
],
"location": "[resourceGroup().location]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "0.0.0.0"
}
}
]
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Positive test num. 7 - bicep file
Positive test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "0.0.0.0/0"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Code samples without security vulnerabilities
Negative test num. 1 - bicep file
// Compliant sample for this query: the range does not reach 255.255.255.255.
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    // NOTE(review): a 0.0.0.0–0.0.0.0 rule is the form Azure uses for its
    // "allow Azure services and resources" setting, which admits traffic from
    // resources in any Azure tenant — confirm that is intended before treating
    // this as a tightly scoped rule.
    startIpAddress: '0.0.0.0'
    endIpAddress: '0.0.0.0'
  }
}
Negative test num. 2 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
}
],
"outputs": {}
}
Negative test num. 3 - bicep file
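// Compliant sample for this query: a private range bounded well below 255.255.255.255.
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    // Bounds are ordered start <= end. The original sample had them swapped
    // (start 192.168.1.254, end 192.168.1.2), an inverted range that the
    // service is expected to reject at deployment; the fix keeps the same
    // addresses and remains a negative case for this query.
    startIpAddress: '192.168.1.2'
    endIpAddress: '192.168.1.254'
  }
}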
Negative test num. 4 - json file
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "192.168.1.2",
"startIpAddress": "192.168.1.254"
}
}
],
"outputs": {}
}
Negative test num. 5 - bicep file
Negative test num. 6 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}
Negative test num. 7 - bicep file
Negative test num. 8 - json file
{
"properties": {
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "2.0.0.0",
"apiProfile": "2019-03-01-hybrid",
"parameters": {},
"variables": {},
"functions": [],
"resources": [
{
"type": "Microsoft.Sql/servers/firewallRules",
"apiVersion": "2021-02-01-preview",
"name": "sample/firewall",
"properties": {
"endIpAddress": "192.168.1.2",
"startIpAddress": "192.168.1.254"
}
}
],
"outputs": {}
},
"parameters": {}
},
"kind": "template",
"type": "Microsoft.Blueprint/blueprints/artifacts",
"name": "myTemplate"
}