Sensitive Port Is Exposed To Entire Network
- Query id: 381c3f2a-ef6f-4eff-99f7-b169cda3422c
- Query name: Sensitive Port Is Exposed To Entire Network
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- CWE: 200
- Risk score: 7.7
- URL: Github
Description
A sensitive port, such as port 23 or port 110, is open to the whole network over either the TCP or UDP protocol.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# ipv4
# Flagged: port 22 is open to every IPv4 address.
# "-1" is the AWS value for all protocols, so TCP and UDP are both covered;
# a /0 prefix length matches the whole address space regardless of the
# network part written in front of it (10.0.0.0/0 behaves like 0.0.0.0/0).
resource "aws_security_group" "positive1_ipv4_1" {
  ingress {
    from_port = 22
    to_port = 22
    protocol = "-1"
    cidr_blocks = ["10.0.0.0/0"]
  }
}
# Flagged: TCP/22 reachable from anywhere. The private-looking prefix does
# not narrow the rule; only the mask length matters and /0 covers all hosts.
resource "aws_security_group" "positive1_ipv4_2" {
  ingress {
    from_port = 22
    to_port = 22
    protocol = "tcp"
    cidr_blocks = ["192.168.0.0/0"]
  }
}
# Flagged: both ingress blocks expose a sensitive port (22, 110) over UDP
# to a /0 range. In the second block the list mixes a narrower entry with an
# unrestricted one; a single /0 element is enough to trigger the finding.
resource "aws_security_group" "positive1_array_test_ipv4" {
  ingress {
    from_port = 22
    to_port = 22
    protocol = "udp"
    cidr_blocks = ["172.16.0.0/0"]
  }
  ingress {
    from_port = 110
    to_port = 110
    protocol = "udp"
    # NOTE(review): "10.68.0.0" carries no prefix length; the AWS provider
    # expects CIDR notation here — confirm this entry is intentional. The
    # finding comes from the "/0" entry next to it either way.
    cidr_blocks = ["10.68.0.0", "172.16.0.0/0"]
  }
}
# ipv6
# Flagged: IPv6 counterpart of the case above. "-1" means all protocols and
# fd00::/0 matches every IPv6 address (the ULA prefix is irrelevant at /0).
resource "aws_security_group" "positive1_ipv6_1" {
  ingress {
    from_port = 22
    to_port = 22
    protocol = "-1"
    ipv6_cidr_blocks = ["fd00::/0"]
  }
}
# Flagged: TCP/22 open to all of IPv6. Host bits in the literal
# ("...::1") do not restrict anything once the mask is /0.
resource "aws_security_group" "positive1_ipv6_2" {
  ingress {
    from_port = 22
    to_port = 22
    protocol = "tcp"
    ipv6_cidr_blocks = ["fd12:3456:789a::1/0"]
  }
}
# Flagged: UDP/22 and UDP/110 each reachable from a /0 IPv6 range. The
# second list pairs a bounded /64 with a /0 entry; the /0 entry alone is
# what makes the rule unrestricted.
resource "aws_security_group" "positive1_array_test_ipv6" {
  ingress {
    from_port = 22
    to_port = 22
    protocol = "udp"
    ipv6_cidr_blocks = ["fd00:abcd:1234::42/0"]
  }
  ingress {
    from_port = 110
    to_port = 110
    protocol = "udp"
    ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42/0"]
  }
}
Positive test num. 2 - tf file
# ipv4
# Flagged: standalone ingress rule, port 22, all protocols ("-1"), and a
# cidr_ipv4 with a /0 mask — every IPv4 source is allowed.
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_1" {
  from_port = 22
  to_port = 22
  ip_protocol = "-1"
  cidr_ipv4 = "10.0.0.0/0"
}
# Flagged: TCP/22 from any IPv4 address (mask /0).
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_2" {
  from_port = 22
  to_port = 22
  ip_protocol = "tcp"
  cidr_ipv4 = "192.168.0.0/0"
}
# Flagged: UDP/22 from any IPv4 address (mask /0).
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_3" {
  from_port = 22
  to_port = 22
  ip_protocol = "udp"
  cidr_ipv4 = "172.16.0.0/0"
}
# Flagged: UDP/110 from any IPv4 address (mask /0). Port 110 is one of
# the sensitive ports named in the query description.
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_4" {
  from_port = 110
  to_port = 110
  ip_protocol = "udp"
  cidr_ipv4 = "172.16.0.0/0"
}
# ipv6
# Flagged: port 22, all protocols ("-1"), cidr_ipv6 with a /0 mask.
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_1" {
  from_port = 22
  to_port = 22
  ip_protocol = "-1"
  cidr_ipv6 = "fd00::/0"
}
# Flagged: TCP/22 from every IPv6 address; the host literal is ignored at /0.
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_2" {
  from_port = 22
  to_port = 22
  ip_protocol = "tcp"
  cidr_ipv6 = "fd12:3456:789a::1/0"
}
# Flagged: UDP/22 from every IPv6 address (mask /0).
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_3" {
  from_port = 22
  to_port = 22
  ip_protocol = "udp"
  cidr_ipv6 = "fd00:abcd:1234::42/0"
}
# Flagged: UDP/110 from every IPv6 address (mask /0).
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_4" {
  from_port = 110
  to_port = 110
  ip_protocol = "udp"
  cidr_ipv6 = "fd00:abcd:1234::42/0"
}
Positive test num. 3 - tf file
# ipv4
# Flagged: legacy rule resource, type "ingress", port 22, all protocols
# ("-1"), and a /0 IPv4 block — reachable from any source.
resource "aws_security_group_rule" "positive3_ipv4_1" {
  from_port = 22
  to_port = 22
  protocol = "-1"
  cidr_blocks = ["10.0.0.0/0"]
  type = "ingress"
}
# Flagged: ingress TCP/22 from any IPv4 address (mask /0).
resource "aws_security_group_rule" "positive3_ipv4_2" {
  from_port = 22
  to_port = 22
  protocol = "tcp"
  cidr_blocks = ["192.168.0.0/0"]
  type = "ingress"
}
# Flagged: ingress UDP/22 from any IPv4 address (mask /0).
resource "aws_security_group_rule" "positive3_ipv4_3" {
  from_port = 22
  to_port = 22
  protocol = "udp"
  cidr_blocks = ["172.16.0.0/0"]
  type = "ingress"
}
# Flagged: ingress UDP/110; the list holds a /0 entry, which is sufficient.
resource "aws_security_group_rule" "positive3_ipv4_4" {
  from_port = 110
  to_port = 110
  protocol = "udp"
  # NOTE(review): "10.68.0.0" has no prefix length and is not valid CIDR
  # notation for the provider — confirm it is intentional in this fixture.
  cidr_blocks = ["10.68.0.0", "172.16.0.0/0"]
  type = "ingress"
}
# ipv6
# Flagged: ingress port 22, all protocols ("-1"), IPv6 /0 block.
resource "aws_security_group_rule" "positive3_ipv6_1" {
  from_port = 22
  to_port = 22
  protocol = "-1"
  ipv6_cidr_blocks = ["fd00::/0"]
  type = "ingress"
}
# Flagged: ingress TCP/22 from all of IPv6 (mask /0).
resource "aws_security_group_rule" "positive3_ipv6_2" {
  from_port = 22
  to_port = 22
  protocol = "tcp"
  ipv6_cidr_blocks = ["fd12:3456:789a::1/0"]
  type = "ingress"
}
# Flagged: ingress UDP/22 from all of IPv6 (mask /0).
resource "aws_security_group_rule" "positive3_ipv6_3" {
  from_port = 22
  to_port = 22
  protocol = "udp"
  ipv6_cidr_blocks = ["fd00:abcd:1234::42/0"]
  type = "ingress"
}
# Flagged: ingress UDP/110; the bounded /64 does not offset the /0 entry
# beside it.
resource "aws_security_group_rule" "positive3_ipv6_4" {
  from_port = 110
  to_port = 110
  protocol = "udp"
  ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42/0"]
  type = "ingress"
}
Positive test num. 4 - tf file
# Flagged: the community security-group module is checked on the same
# from_port/to_port/protocol/cidr_blocks fields as the raw resources.
# Every entry below opens a sensitive port (22 or 110) to a /0 range.
module "positive4_ipv4_1" {
  source = "terraform-aws-modules/security-group/aws"
  ingress_with_cidr_blocks = [
    {
      # all protocols, any IPv4 source
      from_port = 22
      to_port = 22
      protocol = "-1"
      cidr_blocks = ["10.0.0.0/0"]
    },
    {
      # TCP/22, any IPv4 source
      from_port = 22
      to_port = 22
      protocol = "tcp"
      cidr_blocks = ["192.168.0.0/0"]
    },
    {
      # UDP/22, any IPv4 source
      from_port = 22
      to_port = 22
      protocol = "udp"
      cidr_blocks = ["172.16.0.0/0"]
    },
    {
      # UDP/110; the /0 entry makes the list unrestricted.
      # NOTE(review): "10.68.0.0" lacks a prefix length — confirm intended.
      from_port = 110
      to_port = 110
      protocol = "udp"
      cidr_blocks = ["10.68.0.0", "172.16.0.0/0"]
    }
  ]
}
# Flagged: IPv6 variant of the module input. Each entry opens port 22 or
# 110 to a /0 IPv6 range; the prefix written before "/0" never narrows it.
module "positive4_ipv6_1" {
  source = "terraform-aws-modules/security-group/aws"
  ingress_with_ipv6_cidr_blocks = [
    {
      # all protocols, any IPv6 source
      from_port = 22
      to_port = 22
      protocol = "-1"
      ipv6_cidr_blocks = ["fd00::/0"]
    },
    {
      # TCP/22, any IPv6 source
      from_port = 22
      to_port = 22
      protocol = "tcp"
      ipv6_cidr_blocks = ["fd12:3456:789a::1/0"]
    },
    {
      # UDP/22, any IPv6 source
      from_port = 22
      to_port = 22
      protocol = "udp"
      ipv6_cidr_blocks = ["fd00:abcd:1234::42/0"]
    },
    {
      # UDP/110; the /0 entry is what triggers the finding.
      from_port = 110
      to_port = 110
      protocol = "udp"
      ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42/0"]
    }
  ]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# ipv4
# Not flagged: the query covers TCP, UDP and "-1"; ICMP is outside its
# scope. The /0 source range is still unrestricted and deserves its own
# review even though this particular rule does not report it.
resource "aws_security_group" "negative1_ipv4_1" {
  #incorrect protocol
  ingress {
    from_port = 22
    to_port = 22
    protocol = "icmp"
    cidr_blocks = ["10.0.0.0/0"]
  }
}
# Not flagged: 5000 is not in the query's sensitive-port list. The rule is
# nevertheless open to all of IPv4 (mask /0); "not sensitive" here only
# means the port is unrecognised, not that the exposure is acceptable.
resource "aws_security_group" "negative1_ipv4_2" {
  #incorrect port range (unknown)
  ingress {
    from_port = 5000
    to_port = 5000
    protocol = "tcp"
    cidr_blocks = ["192.168.0.0/0"]
  }
}
# Not flagged: no list entry uses a /0 mask. Note that 8.8.0.0/16 is a
# public range, so UDP/22 is still exposed to many hosts — the query only
# tests for "entire network", not for a sensible allow-list.
resource "aws_security_group" "negative1_array_test_ipv4" {
  #incorrect cidr (mask is not "/0")
  ingress {
    from_port = 22
    to_port = 22
    protocol = "udp"
    cidr_blocks = ["8.8.0.0/16"]
  }
  #all incorrect
  ingress {
    # unlisted port, ICMP, and bounded masks: none of the three conditions holds
    from_port = 5000
    to_port = 5000
    protocol = "icmp"
    cidr_blocks = ["10.68.0.0/14", "8.8.0.0/16"]
  }
}
# ipv6
# Not flagged: ICMPv6 is outside the TCP/UDP/"-1" scope, although the
# fd00::/0 source is unrestricted.
resource "aws_security_group" "negative1_ipv6_1" {
  #incorrect protocol
  ingress {
    from_port = 22
    to_port = 22
    protocol = "icmpv6"
    ipv6_cidr_blocks = ["fd00::/0"]
  }
}
# Not flagged: port 5000 is not on the sensitive list, even though the
# rule admits every IPv6 source (mask /0).
resource "aws_security_group" "negative1_ipv6_2" {
  #incorrect port range (unknown)
  ingress {
    from_port = 5000
    to_port = 5000
    protocol = "tcp"
    ipv6_cidr_blocks = ["fd12:3456:789a::1/0"]
  }
}
# Not flagged: every IPv6 block has a real prefix length (/32, /64), so
# none of them is "entire network"; a /32 is still a very large range.
resource "aws_security_group" "negative1_array_test_ipv6" {
  #incorrect cidr (mask is not "/0")
  ingress {
    from_port = 22
    to_port = 22
    protocol = "udp"
    ipv6_cidr_blocks = ["2400:cb00::/32"]
  }
  #all incorrect
  ingress {
    # unlisted port, ICMPv6, bounded masks
    from_port = 5000
    to_port = 5000
    protocol = "icmpv6"
    ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
  }
}
Negative test num. 2 - tf file
# ipv4
# Not flagged: ICMP is outside the query's protocol scope; the /0 source
# range is unrestricted regardless.
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_1" {
  #incorrect protocol
  from_port = 22
  to_port = 22
  ip_protocol = "icmp"
  cidr_ipv4 = "10.0.0.0/0"
}
# Not flagged: port 5000 is not on the sensitive list (source is still /0).
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_2" {
  #incorrect port range (unknown)
  from_port = 5000
  to_port = 5000
  ip_protocol = "tcp"
  cidr_ipv4 = "192.168.0.0/0"
}
# Not flagged: mask is /16, not /0. UDP/22 from a public /16 still merits
# review on its own terms.
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_3" {
  #incorrect cidr (mask is not "/0")
  from_port = 22
  to_port = 22
  ip_protocol = "udp"
  cidr_ipv4 = "8.8.0.0/16"
}
# Not flagged: unlisted port, ICMP, and a bounded mask — none of the
# query's three conditions is met.
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_4" {
  #all incorrect
  from_port = 5000
  to_port = 5000
  ip_protocol = "icmp"
  cidr_ipv4 = "8.8.0.0/16"
}
# ipv6
# Not flagged: ICMPv6 is outside the protocol scope (source is still /0).
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_1" {
  #incorrect protocol
  from_port = 22
  to_port = 22
  ip_protocol = "icmpv6"
  cidr_ipv6 = "fd00::/0"
}
# Not flagged: port 5000 is not on the sensitive list (source is still /0).
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_2" {
  #incorrect port range (unknown)
  from_port = 5000
  to_port = 5000
  ip_protocol = "tcp"
  cidr_ipv6 = "fd12:3456:789a::1/0"
}
# Not flagged: mask is /32, not /0; a /32 of IPv6 is still a wide range.
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_3" {
  #incorrect cidr (mask is not "/0")
  from_port = 22
  to_port = 22
  ip_protocol = "udp"
  cidr_ipv6 = "2400:cb00::/32"
}
# Not flagged: unlisted port, ICMPv6, bounded mask.
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_4" {
  #all incorrect
  from_port = 5000
  to_port = 5000
  ip_protocol = "icmpv6"
  cidr_ipv6 = "2400:cb00::/32"
}
Negative test num. 3 - tf file
# ipv4
# Not flagged: ICMP is outside the query's TCP/UDP/"-1" scope, although the
# /0 source range is unrestricted.
resource "aws_security_group_rule" "negative3_ipv4_1" {
  #incorrect protocol
  from_port = 22
  to_port = 22
  protocol = "icmp"
  cidr_blocks = ["10.0.0.0/0"]
  type = "ingress"
}
# Not flagged: port 5000 is not on the sensitive list (source is still /0).
resource "aws_security_group_rule" "negative3_ipv4_2" {
  #incorrect port range (unknown)
  from_port = 5000
  to_port = 5000
  protocol = "tcp"
  cidr_blocks = ["192.168.0.0/0"]
  type = "ingress"
}
# Not flagged: mask is /16, not /0. A public /16 on UDP/22 is still broad.
resource "aws_security_group_rule" "negative3_ipv4_3" {
  #incorrect cidr (mask is not "/0")
  from_port = 22
  to_port = 22
  protocol = "udp"
  cidr_blocks = ["8.8.0.0/16"]
  type = "ingress"
}
# Not flagged: unlisted port, ICMP, and both list entries carry a real
# prefix length.
resource "aws_security_group_rule" "negative3_ipv4_4" {
  #all incorrect
  from_port = 5000
  to_port = 5000
  protocol = "icmp"
  cidr_blocks = ["10.68.0.0/14", "8.8.0.0/16"]
  type = "ingress"
}
# ipv6
# Not flagged: ICMPv6 is outside the protocol scope (source is still /0).
resource "aws_security_group_rule" "negative3_ipv6_1" {
  #incorrect protocol
  from_port = 22
  to_port = 22
  protocol = "icmpv6"
  ipv6_cidr_blocks = ["fd00::/0"]
  type = "ingress"
}
# Not flagged: port 5000 is not on the sensitive list (source is still /0).
resource "aws_security_group_rule" "negative3_ipv6_2" {
  #incorrect port range (unknown)
  from_port = 5000
  to_port = 5000
  protocol = "tcp"
  ipv6_cidr_blocks = ["fd12:3456:789a::1/0"]
  type = "ingress"
}
# Not flagged: mask is /32, not /0.
resource "aws_security_group_rule" "negative3_ipv6_3" {
  #incorrect cidr (mask is not "/0")
  from_port = 22
  to_port = 22
  protocol = "udp"
  ipv6_cidr_blocks = ["2400:cb00::/32"]
  type = "ingress"
}
# Not flagged: unlisted port, ICMPv6, bounded masks (/64, /32).
resource "aws_security_group_rule" "negative3_ipv6_4" {
  #all incorrect
  from_port = 5000
  to_port = 5000
  protocol = "icmpv6"
  ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
  type = "ingress"
}
Negative test num. 4 - tf file
# Not flagged: each module entry misses at least one of the query's
# conditions (sensitive port, TCP/UDP/"-1", /0 mask). Several entries still
# grant wide access — ICMP from /0, TCP/5000 from /0, UDP/22 from a public
# /16 — so a clean result here is not a clean security-group review.
module "negative4_ipv4_1" {
  source = "terraform-aws-modules/security-group/aws"
  ingress_with_cidr_blocks = [
    {
      #incorrect protocol
      from_port = 22
      to_port = 22
      protocol = "icmp"
      cidr_blocks = ["10.0.0.0/0"]
    },
    {
      #incorrect port range (unknown)
      from_port = 5000
      to_port = 5000
      protocol = "tcp"
      cidr_blocks = ["192.168.0.0/0"]
    },
    {
      #incorrect cidr (mask is not "/0")
      from_port = 22
      to_port = 22
      protocol = "udp"
      cidr_blocks = ["8.8.0.0/16"]
    },
    {
      #all incorrect
      from_port = 5000
      to_port = 5000
      protocol = "icmp"
      cidr_blocks = ["10.68.0.0/14", "8.8.0.0/16"]
    }
  ]
}
# Not flagged: IPv6 variant; each entry fails one of the query's
# conditions, though the first two still admit every IPv6 source (/0).
module "negative4_ipv6_1" {
  source = "terraform-aws-modules/security-group/aws"
  ingress_with_ipv6_cidr_blocks = [
    {
      #incorrect protocol
      from_port = 22
      to_port = 22
      protocol = "icmpv6"
      ipv6_cidr_blocks = ["fd00::/0"]
    },
    {
      #incorrect port range (unknown)
      from_port = 5000
      to_port = 5000
      protocol = "tcp"
      ipv6_cidr_blocks = ["fd12:3456:789a::1/0"]
    },
    {
      #incorrect cidr (mask is not "/0")
      from_port = 22
      to_port = 22
      protocol = "udp"
      ipv6_cidr_blocks = ["2400:cb00::/32"]
    },
    {
      #all incorrect
      from_port = 5000
      to_port = 5000
      protocol = "icmpv6"
      ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
    }
  ]
}