Public Security Group Rule Sensitive Port
- Query id: 2ae9d554-23fb-4065-bfd1-fe43d5f7c419
- Query name: Public Security Group Rule Sensitive Port
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- CWE: 284
- URL: Github
Description¶
A sensitive port, such as port 23 or port 110, is open to the public in either TCP or UDP protocol
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "internet"
policy = "accept"
port_range = "19/20"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
Positive test num. 2 - tf file
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "udp"
nic_type = "internet"
policy = "accept"
port_range = "4333/4334"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
Positive test num. 3 - tf file
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "all"
nic_type = "internet"
policy = "accept"
port_range = "444/445"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "internet"
policy = "accept"
port_range = "1/65535"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "10.159.6.18/12"
}
Negative test num. 2 - tf file
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "icmp"
nic_type = "internet"
policy = "accept"
port_range = "1/65535"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}