SQL Database Server Firewall Allows All IPS

  • Query id: 6a3201a5-1630-494b-b294-3129d06b0eca
  • Query name: SQL Database Server Firewall Allows All IPS
  • Platform: AzureResourceManager
  • Severity: Critical
  • Category: Networking and Firewall
  • CWE: 284
  • URL: Github

Description

SQL Database Server Firewall endIpAddress should not be '255.255.255.255' when startIpAddress is '0.0.0.0' since this allows all IPS
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - bicep file
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  name: 'sqlServer1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
}

resource sqlServer1_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  parent: sqlServer1
  location: resourceGroup().location
  name: 'AllowAllWindowsAzureIps'
  properties: {
    endIpAddress: '255.255.255.255'
    startIpAddress: '0.0.0.0'
  }
}
Positive test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "name": "sqlServer1",
      "type": "Microsoft.Sql/servers",
      "apiVersion": "2021-02-01-preview",
      "location": "[resourceGroup().location]",
      "tags": {
        "displayName": "sqlServer1"
      },
      "properties": {
        "administratorLogin": "adminUsername",
        "administratorLoginPassword": "adminPassword"
      },
      "resources": [
        {
          "type": "firewallRules",
          "apiVersion": "2021-02-01-preview",
          "dependsOn": [
            "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
          ],
          "location": "[resourceGroup().location]",
          "name": "AllowAllWindowsAzureIps",
          "properties": {
            "endIpAddress": "255.255.255.255",
            "startIpAddress": "0.0.0.0"
          }
        }
      ]
    }
  ],
  "outputs": {}
}
Positive test num. 3 - bicep file
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    endIpAddress: '255.255.255.255'
    startIpAddress: '0.0.0.0/0'
  }
}

Positive test num. 4 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "type": "Microsoft.Sql/servers/firewallRules",
      "apiVersion": "2021-02-01-preview",
      "name": "sample/firewall",
      "properties": {
        "endIpAddress": "255.255.255.255",
        "startIpAddress": "0.0.0.0/0"
      }
    }
  ],
  "outputs": {}
}
Positive test num. 5 - bicep file
resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = {
  name: 'sqlServer1'
  location: resourceGroup().location
  tags: {
    displayName: 'sqlServer1'
  }
  properties: {
    administratorLogin: 'adminUsername'
    administratorLoginPassword: 'adminPassword'
  }
}

resource sqlServer1_AllowAllWindowsAzureIps 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  parent: sqlServer1
  location: resourceGroup().location
  name: 'AllowAllWindowsAzureIps'
  properties: {
    endIpAddress: '255.255.255.255'
    startIpAddress: '0.0.0.0'
  }
}
Positive test num. 6 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "name": "sqlServer1",
          "type": "Microsoft.Sql/servers",
          "apiVersion": "2021-02-01-preview",
          "location": "[resourceGroup().location]",
          "tags": {
            "displayName": "sqlServer1"
          },
          "properties": {
            "administratorLogin": "adminUsername",
            "administratorLoginPassword": "adminPassword"
          },
          "resources": [
            {
              "type": "firewallRules",
              "apiVersion": "2021-02-01-preview",
              "dependsOn": [
                "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]"
              ],
              "location": "[resourceGroup().location]",
              "name": "AllowAllWindowsAzureIps",
              "properties": {
                "endIpAddress": "255.255.255.255",
                "startIpAddress": "0.0.0.0"
              }
            }
          ]
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Positive test num. 7 - bicep file
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    endIpAddress: '255.255.255.255'
    startIpAddress: '0.0.0.0/0'
  }
}
Positive test num. 8 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "type": "Microsoft.Sql/servers/firewallRules",
          "apiVersion": "2021-02-01-preview",
          "name": "sample/firewall",
          "properties": {
            "endIpAddress": "255.255.255.255",
            "startIpAddress": "0.0.0.0/0"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}

Code samples without security vulnerabilities

Negative test num. 1 - bicep file
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    endIpAddress: '0.0.0.0'
    startIpAddress: '0.0.0.0'
  }
}
Negative test num. 2 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "type": "Microsoft.Sql/servers/firewallRules",
      "apiVersion": "2021-02-01-preview",
      "name": "sample/firewall",
      "properties": {
        "endIpAddress": "0.0.0.0",
        "startIpAddress": "0.0.0.0"
      }
    }
  ],
  "outputs": {}
}
Negative test num. 3 - bicep file
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    endIpAddress: '192.168.1.2'
    startIpAddress: '192.168.1.254'
  }
}

Negative test num. 4 - json file
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "2.0.0.0",
  "apiProfile": "2019-03-01-hybrid",
  "parameters": {},
  "variables": {},
  "functions": [],
  "resources": [
    {
      "type": "Microsoft.Sql/servers/firewallRules",
      "apiVersion": "2021-02-01-preview",
      "name": "sample/firewall",
      "properties": {
        "endIpAddress": "192.168.1.2",
        "startIpAddress": "192.168.1.254"
      }
    }
  ],
  "outputs": {}
}
Negative test num. 5 - bicep file
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    endIpAddress: '0.0.0.0'
    startIpAddress: '0.0.0.0'
  }
}
Negative test num. 6 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "type": "Microsoft.Sql/servers/firewallRules",
          "apiVersion": "2021-02-01-preview",
          "name": "sample/firewall",
          "properties": {
            "endIpAddress": "0.0.0.0",
            "startIpAddress": "0.0.0.0"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}
Negative test num. 7 - bicep file
resource sample_firewall 'Microsoft.Sql/servers/firewallRules@2021-02-01-preview' = {
  name: 'sample/firewall'
  properties: {
    endIpAddress: '192.168.1.2'
    startIpAddress: '192.168.1.254'
  }
}
Negative test num. 8 - json file
{
  "properties": {
    "template": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "2.0.0.0",
      "apiProfile": "2019-03-01-hybrid",
      "parameters": {},
      "variables": {},
      "functions": [],
      "resources": [
        {
          "type": "Microsoft.Sql/servers/firewallRules",
          "apiVersion": "2021-02-01-preview",
          "name": "sample/firewall",
          "properties": {
            "endIpAddress": "192.168.1.2",
            "startIpAddress": "192.168.1.254"
          }
        }
      ],
      "outputs": {}
    },
    "parameters": {}
  },
  "kind": "template",
  "type": "Microsoft.Blueprint/blueprints/artifacts",
  "name": "myTemplate"
}