SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
- Query id: 54c417bf-c762-48b9-9d31-b3d87047e3f0
- Query name: SQL Analysis Services Port 2383 (TCP) Is Publicly Accessible
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 668
- Risk score: 6.5
- URL: Github
Description¶
Checks whether TCP port 2383 — the port SQL Server Analysis Services (SSAS) listens on — is reachable from the whole Internet, by inspecting the source CIDR ranges of AWS security-group ingress rules (inline `ingress` blocks on `aws_security_group`, `aws_security_group_rule`, `aws_vpc_security_group_ingress_rule`, and the `ingress_with_*_cidr_blocks` inputs of the `terraform-aws-modules/security-group` module). Judging by the samples below, a rule is reported when its port range contains 2383, its protocol is `tcp` or `-1` (all protocols), and any allowed source is the literal `0.0.0.0/0` or `::/0`; UDP-only rules, ranges that do not include 2383, and other CIDR strings are not reported. Restrict the source to the specific administrative or client ranges that need SSAS, or reach it over a VPN/bastion instead of exposing it directly.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Positive: TCP 2300-2400 contains 2383 and one of the allowed sources is
# 0.0.0.0/0, so SSAS would be reachable from any IPv4 address. A single
# world-open entry in the list is enough; the narrower 192.120.0.0/16 beside it
# does not help (and is not RFC 1918 private space either).
# NOTE(review): no vpc_id is set and every group in this fixture reuses
# name = "allow_tls"; AWS expects security-group names to be unique per VPC,
# so this is a scanner fixture, not something to apply as-is.
resource "aws_security_group" "positive1-1" {
  name        = "allow_tls"
  description = "SQL Analysis Services port open"
  ingress {
    description = "SQL Analysis Services port open"
    from_port   = 2300 # range 2300-2400 includes 2383
    to_port     = 2400
    protocol    = "tcp"
    cidr_blocks = ["192.120.0.0/16", "0.0.0.0/0"] # "0.0.0.0/0" is what triggers the finding
  }
}
# Positive: ingress blocks are evaluated one at a time. The first block is
# restricted to 192.120.0.0/16, but the second one (TCP 2350-2384, which
# contains 2383) also allows 0.0.0.0/0, so the group is reported.
resource "aws_security_group" "positive1-2" {
  name        = "allow_tls"
  description = "SQL Analysis Services port open"
  ingress { # restricted source; not the offending rule
    description = "SQL Analysis Services port open"
    from_port   = 2380
    to_port     = 2390
    protocol    = "tcp"
    cidr_blocks = ["192.120.0.0/16"]
  }
  ingress { # offending rule: 2350-2384 covers 2383 and the list contains 0.0.0.0/0
    description = "SQL Analysis Services port open"
    from_port   = 2350
    to_port     = 2384
    protocol    = "tcp"
    cidr_blocks = ["192.121.0.0/16", "0.0.0.0/0"]
  }
}
# Positive, IPv6 variant: "::/0" is the IPv6 counterpart of 0.0.0.0/0 and
# opens TCP 2300-2400 (which contains 2383) to the whole IPv6 Internet.
# fd00::/8 is the RFC 4193 unique-local range and on its own would not be
# reported (see the negative samples).
resource "aws_security_group" "positive1-3" {
  name        = "allow_tls"
  description = "SQL Analysis Services port open"
  ingress {
    description      = "SQL Analysis Services port open"
    from_port        = 2300
    to_port          = 2400
    protocol         = "tcp"
    ipv6_cidr_blocks = ["fd00::/8", "::/0"] # "::/0" triggers the finding
  }
}
# Positive: same per-rule logic as the IPv4 case. The first ingress block only
# admits a unique-local prefix; the second (TCP 2350-2384) admits "::/0".
# NOTE(review): "fd01::/8" has bits set beyond its /8 prefix length, i.e. it is
# a non-canonical spelling of fd00::/8 — harmless for the scanner, but worth
# normalising in real configuration.
resource "aws_security_group" "positive1-4" {
  name        = "allow_tls"
  description = "SQL Analysis Services port open"
  ingress { # restricted to a unique-local prefix; not reported
    description      = "SQL Analysis Services port open"
    from_port        = 2380
    to_port          = 2390
    protocol         = "tcp"
    ipv6_cidr_blocks = ["fd01::/8"]
  }
  ingress { # offending rule: range covers 2383 and the list contains "::/0"
    description      = "SQL Analysis Services port open"
    from_port        = 2350
    to_port          = 2384
    protocol         = "tcp"
    ipv6_cidr_blocks = ["fd00::/8", "::/0"]
  }
}
# Positive: the IPv4 side is restricted, but the same rule admits "::/0" over
# IPv6. A review that only looks at cidr_blocks would miss this — on a
# dual-stack subnet the IPv6 entry alone exposes SSAS to the Internet.
resource "aws_security_group" "positive1-5" {
  name        = "allow_tls"
  description = "SQL Analysis Services port open"
  ingress {
    description      = "SQL Analysis Services port open"
    from_port        = 2383
    to_port          = 2383
    protocol         = "tcp"
    cidr_blocks      = ["192.120.0.0/16"] # restricted
    ipv6_cidr_blocks = ["::/0"]           # world-open; this is the finding
  }
}
# Positive: mirror image of positive1-5 — IPv6 is limited to a unique-local
# prefix, but cidr_blocks admits 0.0.0.0/0 on exactly port 2383/tcp.
resource "aws_security_group" "positive1-6" {
  name        = "allow_tls"
  description = "SQL Analysis Services port open"
  ingress {
    description      = "SQL Analysis Services port open"
    from_port        = 2383
    to_port          = 2383
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"] # world-open; this is the finding
    ipv6_cidr_blocks = ["fd00::/8"]  # unique-local only
  }
}
# Positive: the canonical bad rule — port 2383/tcp open to every IPv4 and
# every IPv6 address.
resource "aws_security_group" "positive1-7" {
  name        = "allow_tls"
  description = "SQL Analysis Services port open"
  ingress {
    description      = "SQL Analysis Services port open"
    from_port        = 2383
    to_port          = 2383
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"] # any IPv4 source
    ipv6_cidr_blocks = ["::/0"]      # any IPv6 source
  }
}
Positive test num. 2 - tf file
# Container group with no inline rules; the ingress rules below are attached
# with separate aws_vpc_security_group_ingress_rule resources. Keeping rules
# out of the group resource avoids the inline-vs-standalone rule conflicts the
# AWS provider warns about. var.vpc_id is not declared in this snippet.
resource "aws_security_group" "ec2" {
  description = "ec2 sg"
  name        = "secgroup-ec2"
  vpc_id      = var.vpc_id
}
# Positive: standalone rule resource, port 2383/tcp from any IPv4 address.
# This resource type takes a single CIDR per rule (cidr_ipv4 / cidr_ipv6)
# instead of a list.
resource "aws_vpc_security_group_ingress_rule" "positive2-1" {
  security_group_id = aws_security_group.ec2.id
  description       = "SQL Analysis Services port open"
  cidr_ipv4         = "0.0.0.0/0" # world-open; this is the finding
  from_port         = 2383
  ip_protocol       = "tcp"
  to_port           = 2383
}
# Positive: ip_protocol = "-1" means every protocol, which is a superset of
# TCP, so an all-protocol rule from "::/0" still exposes SSAS and is reported.
# NOTE(review): with "-1" AWS treats the rule as all ports regardless of
# from_port/to_port (and may reject explicit port values) — confirm against the
# provider docs before copying this shape.
resource "aws_vpc_security_group_ingress_rule" "positive2-2" {
  security_group_id = aws_security_group.ec2.id
  description       = "SQL Analysis Services port open"
  cidr_ipv6         = "::/0" # any IPv6 source
  from_port         = 2383
  ip_protocol       = "-1" # all protocols, TCP included
  to_port           = 2383
}
Positive test num. 3 - tf file
# Container group for the aws_security_group_rule resources below; it carries
# no inline ingress of its own. var.vpc_id is not declared in this snippet.
resource "aws_security_group" "ec2" {
  description = "ec2 sg"
  name        = "secgroup-ec2"
  vpc_id      = var.vpc_id
}
# Positive: legacy standalone rule resource, port 2383/tcp from 0.0.0.0/0.
resource "aws_security_group_rule" "positive3-1" {
  type              = "ingress"
  from_port         = 2383
  to_port           = 2383
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"] # world-open; this is the finding
  security_group_id = aws_security_group.ec2.id
  description       = "SQL Analysis Services port open"
}
# Positive: protocol "-1" (all protocols) from "::/0". All-protocol rules are
# reported because they include TCP; in AWS such a rule also means all ports,
# so the 2383/2383 range here is effectively wider than it looks.
resource "aws_security_group_rule" "positive3-2" {
  type              = "ingress"
  from_port         = 2383
  to_port           = 2383
  protocol          = "-1" # all protocols, TCP included
  ipv6_cidr_blocks  = ["::/0"] # any IPv6 source
  security_group_id = aws_security_group.ec2.id
  description       = "SQL Analysis Services port open"
}
Positive test num. 4 - tf file
# Positive, module form: the query also understands the
# terraform-aws-modules/security-group inputs. This rule is all protocols
# ("-1") on 2300-3000 from 0.0.0.0/0 (the 10.92.168.0/28 entry is irrelevant).
# With "-1" AWS ignores the port range, so this is really "everything from
# everywhere". The pinned module version is good practice; the "TLS from VPC"
# description is copy-paste and does not describe the rule.
module "vote_service_sg_ipv4" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0" # pinned; keep it pinned and review before bumping

  name        = "user-service"
  description = "SQL Analysis Services port open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      from_port   = 2300
      to_port     = 3000
      protocol    = "-1" # all protocols
      cidr_blocks = ["10.92.168.0/28","0.0.0.0/0"] # "0.0.0.0/0" triggers the finding
    }
  ]
}
# Positive, module form over IPv6: TCP 2300-3000 (contains 2383) from "::/0".
module "vote_service_sg_ipv6" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "SQL Analysis Services port open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      from_port        = 2300
      to_port          = 3000
      protocol         = "tcp"
      ipv6_cidr_blocks = ["::/0"] # any IPv6 source; this is the finding
    }
  ]
}
# Positive, list of module rules: each entry is checked on its own. The first
# (2383/tcp, list contains 0.0.0.0/0) and the third (2000-2500/tcp from
# 0.0.0.0/0) both expose SSAS; the middle entry (28000-28001 from 10.0.0.0/8)
# is fine.
# NOTE(review): "1.2.3.4/27" has host bits set (the network is 1.2.3.0/27);
# AWS may canonicalise or reject it — normalise CIDRs in real configuration.
module "vote_service_sg_ipv4_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "SQL Analysis Services port open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    { # reported: exact port, world-open entry in the list
      description = "TLS from VPC"
      from_port   = 2383
      to_port     = 2383
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0", "1.2.3.4/27"]
    },
    { # not reported: range does not include 2383 and source is private
      description = "TLS from VPC"
      from_port   = 28000
      to_port     = 28001
      protocol    = "tcp"
      cidr_blocks = ["10.0.0.0/8"]
    },
    { # reported: 2000-2500 covers 2383 and the source is 0.0.0.0/0
      description = "TLS from VPC"
      from_port   = 2000
      to_port     = 2500
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    },
  ]
}
# Positive, IPv6 list of module rules. The first entry is all protocols ("-1")
# on 2383 with "::/0" among its sources; the third is TCP 2000-2500 from
# "::/0". Both are reported. The middle entry stays on a specific /56.
# NOTE(review): "2001:0db8:85a3:...:7334/24" is a full host address with a
# /24 mask (documentation prefix 2001:db8::/32), i.e. a non-canonical literal.
module "vote_service_sg_ipv6_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "SQL Analysis Services port open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    { # reported: all protocols, "::/0" in the list
      description      = "TLS from VPC"
      from_port        = 2383
      to_port          = 2383
      protocol         = "-1"
      ipv6_cidr_blocks = ["2001:0db8:85a3:0000:0000:8a2e:0370:7334/24", "2401:fa00:4:1a::abcd/128", "::/0"]
    },
    { # not reported: other ports, specific prefix
      description      = "TLS from VPC"
      from_port        = 28000
      to_port          = 28001
      protocol         = "tcp"
      ipv6_cidr_blocks = ["2606:4700:3033::6815:3e3/56"]
    },
    { # reported: 2000-2500 covers 2383, source "::/0"
      description      = "TLS from VPC"
      from_port        = 2000
      to_port          = 2500
      protocol         = "tcp"
      ipv6_cidr_blocks = ["::/0"]
    }
  ]
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Negative: the rule names port 2383/tcp but no source at all, so there is no
# CIDR for the query to match.
# NOTE(review): the AWS provider expects an ingress block to name at least one
# source (cidr_blocks, ipv6_cidr_blocks, security_groups, self or
# prefix_list_ids), so this presumably fails at plan/apply — it exists only to
# show the query needs a CIDR to report anything.
resource "aws_security_group" "negative1-1" {
  ingress {
    description = "TLS from VPC"
    from_port   = 2383
    to_port     = 2383
    protocol    = "tcp"
  }
}
# Negative for the scanner, but NOT a safe rule: a /0 prefix length matches
# every IPv4 address no matter what the base address is, so "0.1.0.0/0" is
# functionally the same as 0.0.0.0/0. It passes only because the query
# compares against the literal string 0.0.0.0/0. Treat non-canonical CIDRs as
# a scanner blind spot and normalise them (AWS may canonicalise or reject such
# a value — verify).
resource "aws_security_group" "negative1-2" {
  ingress {
    description = "sample"
    from_port   = 2383
    to_port     = 2383
    protocol    = "tcp"
    cidr_blocks = ["0.1.0.0/0"] # /0 = everything; not caught because it is not the literal 0.0.0.0/0
  }
}
# Negative: TCP 2200-2500 does contain 2383, but the only source is a single
# /64 (in the 2001:db8::/32 documentation prefix), so SSAS is not public.
resource "aws_security_group" "negative1-3" {
  ingress {
    description      = "sample"
    from_port        = 2200
    to_port          = 2500
    protocol         = "tcp"
    ipv6_cidr_blocks = ["2001:db8:abcd:0012::/64"] # specific prefix, not "::/0"
  }
}
# Negative for THIS query only: both rules are world-open (0.0.0.0/0 and
# "::/0") but on TCP 20-2000, which does not include 2383. Opening ~2000
# ports to the Internet is still a bad rule; other checks cover those ports.
resource "aws_security_group" "negative1-4" {
  name        = "allow_tls"
  description = "sample"
  ingress {
    description = "sample"
    from_port   = 20
    to_port     = 2000 # 2383 is outside this range
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description      = "sample"
    from_port        = 20
    to_port          = 2000 # 2383 is outside this range
    protocol         = "tcp"
    ipv6_cidr_blocks = ["fd00::/8", "::/0"]
  }
}
# Negative: port 2383/tcp restricted to one IPv4 /16 and the IPv6 unique-local
# range — the shape a real SSAS rule should have (ideally narrower still).
resource "aws_security_group" "negative1-5" {
  name        = "allow_tls"
  description = "sample"
  ingress {
    description      = "sample"
    from_port        = 2383
    to_port          = 2383
    protocol         = "tcp"
    cidr_blocks      = ["192.120.0.0/16"] # specific range
    ipv6_cidr_blocks = ["fd00::/8"]       # unique-local, not routable
  }
}
# Negative: port 2383 is world-open here, but only over UDP. The query is
# scoped to TCP (SSAS is a TCP service), so UDP exposure on this port is out
# of scope — it is not reported, which does not make it desirable.
resource "aws_security_group" "negative1-6" {
  name        = "allow_tls"
  description = "sample"
  ingress {
    description = "sample"
    from_port   = 2383
    to_port     = 2383
    protocol    = "udp" # not tcp, so not reported
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    description      = "sample"
    from_port        = 2383
    to_port          = 2383
    protocol         = "udp" # not tcp, so not reported
    ipv6_cidr_blocks = ["fd00::/8", "::/0"]
  }
}
Negative test num. 2 - tf file
# Container group for the standalone aws_vpc_security_group_ingress_rule
# resources below; no inline rules. aws_vpc.main is not declared in this
# snippet.
resource "aws_security_group" "negative" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id
}
# Negative: port 2383/tcp with no source, so nothing for the query to match.
# NOTE(review): this resource type requires exactly one of cidr_ipv4,
# cidr_ipv6, prefix_list_id or referenced_security_group_id, so this presumably
# fails at plan — fixture only.
resource "aws_vpc_security_group_ingress_rule" "negative2-1" {
  security_group_id = aws_security_group.negative.id
  from_port         = 2383
  to_port           = 2383
  ip_protocol       = "tcp"
  description       = "TLS from VPC"
}
# Negative for the scanner only: "0.1.0.0/0" has a /0 mask and therefore
# matches every IPv4 address; it is not reported purely because it is not the
# literal 0.0.0.0/0. Do not rely on this as a safe rule. (The descriptions in
# this fixture are copy-pasted from an RDP sample and do not describe SSAS.)
resource "aws_vpc_security_group_ingress_rule" "negative2-2" {
  security_group_id = aws_security_group.negative.id
  cidr_ipv4         = "0.1.0.0/0" # effectively everything; scanner blind spot
  from_port         = 2383
  to_port           = 2383
  ip_protocol       = "tcp"
  description       = "Remote desktop open private"
}
# Negative: TCP 2200-2500 contains 2383, but the source is one specific IPv6
# /64, not "::/0".
resource "aws_vpc_security_group_ingress_rule" "negative2-3" {
  security_group_id = aws_security_group.negative.id
  cidr_ipv6         = "2001:db8:abcd:0012::/64" # specific prefix
  from_port         = 2200
  to_port           = 2500
  ip_protocol       = "tcp"
  description       = "Remote desktop open private"
}
# Negative for this query: "::/0" is world-open, but TCP 20-2000 does not
# include 2383. Still a very wide rule.
resource "aws_vpc_security_group_ingress_rule" "negative2-4" {
  security_group_id = aws_security_group.negative.id
  cidr_ipv6         = "::/0"
  from_port         = 20
  to_port           = 2000 # 2383 is outside this range
  ip_protocol       = "tcp"
  description       = "Remote desktop open private"
}
# Negative for this query: 0.0.0.0/0 on TCP 20-2000, a range that does not
# include 2383.
resource "aws_vpc_security_group_ingress_rule" "negative2-5" {
  security_group_id = aws_security_group.negative.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 20
  to_port           = 2000 # 2383 is outside this range
  ip_protocol       = "tcp"
  description       = "Remote desktop open private"
}
# Negative: the range 2200-2500 covers 2383 and the source is "::/0", but the
# protocol is UDP, which this TCP-scoped query ignores.
resource "aws_vpc_security_group_ingress_rule" "negative2-6" {
  security_group_id = aws_security_group.negative.id
  cidr_ipv6         = "::/0"
  from_port         = 2200
  to_port           = 2500
  ip_protocol       = "udp" # not tcp, so not reported
  description       = "Remote desktop open private"
}
# Negative: IPv4 twin of negative2-6 — world-open on 2200-2500, but UDP only.
resource "aws_vpc_security_group_ingress_rule" "negative2-7" {
  security_group_id = aws_security_group.negative.id
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 2200
  to_port           = 2500
  ip_protocol       = "udp" # not tcp, so not reported
  description       = "Remote desktop open private"
}
Negative test num. 3 - tf file
# Container group for the aws_security_group_rule resources below; no inline
# rules. aws_vpc.main is not declared in this snippet.
resource "aws_security_group" "negative" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id
}
# Negative: port 2383/tcp but no source, so there is no CIDR to match.
# NOTE(review): aws_security_group_rule needs a source (cidr_blocks,
# ipv6_cidr_blocks, prefix_list_ids, self or source_security_group_id);
# this presumably fails at plan and is a fixture only.
resource "aws_security_group_rule" "negative3-1" {
  type              = "ingress"
  from_port         = 2383
  to_port           = 2383
  protocol          = "tcp"
  security_group_id = aws_security_group.negative.id
  description       = "TLS from VPC"
}
# Negative for the scanner only: "0.1.0.0/0" has a /0 mask and admits every
# IPv4 address; it escapes the query because it is not the literal 0.0.0.0/0.
# Normalise CIDRs rather than relying on this.
resource "aws_security_group_rule" "negative3-2" {
  type              = "ingress"
  from_port         = 2383
  to_port           = 2383
  protocol          = "tcp"
  cidr_blocks       = ["0.1.0.0/0"] # effectively everything; scanner blind spot
  security_group_id = aws_security_group.negative.id
  description       = "Remote desktop open private"
}
# Negative: TCP 2200-2500 contains 2383, but the only source is a specific
# IPv6 /64.
resource "aws_security_group_rule" "negative3-3" {
  type              = "ingress"
  from_port         = 2200
  to_port           = 2500
  protocol          = "tcp"
  ipv6_cidr_blocks  = ["2001:db8:abcd:0012::/64"] # specific prefix, not "::/0"
  security_group_id = aws_security_group.negative.id
  description       = "Remote desktop open private"
}
# Negative for this query: 0.0.0.0/0 on TCP 20-2000, which does not include
# 2383.
resource "aws_security_group_rule" "negative3-4" {
  type              = "ingress"
  from_port         = 20
  to_port           = 2000 # 2383 is outside this range
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.negative.id
  description       = "Remote desktop open private"
}
# Negative for this query: "::/0" on TCP 20-2000, which does not include 2383.
resource "aws_security_group_rule" "negative3-5" {
  type              = "ingress"
  from_port         = 20
  to_port           = 2000 # 2383 is outside this range
  protocol          = "tcp"
  ipv6_cidr_blocks  = ["::/0"]
  security_group_id = aws_security_group.negative.id
  description       = "Remote desktop open private"
}
# Negative: 2383 from 0.0.0.0/0, but over UDP, which this TCP-scoped query
# ignores.
resource "aws_security_group_rule" "negative3-6" {
  type              = "ingress"
  from_port         = 2383
  to_port           = 2383
  protocol          = "udp" # not tcp, so not reported
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.negative.id
  description       = "Remote desktop open private"
}
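# Negative: IPv6 twin of negative3-6 — 2383 from "::/0", but UDP only.
# Renamed from "negative3-6": the fixture declared two
# aws_security_group_rule resources with the same label, which Terraform
# rejects as a duplicate resource configuration. Nothing references the label.
resource "aws_security_group_rule" "negative3-7" {
  type              = "ingress"
  from_port         = 2383
  to_port           = 2383
  protocol          = "udp" # not tcp, so not reported
  ipv6_cidr_blocks  = ["::/0"]
  security_group_id = aws_security_group.negative.id
  description       = "Remote desktop open private"
}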
Negative test num. 4 - tf file
# Negative for the scanner: the source "1.2.3.4" is not the literal 0.0.0.0/0.
# NOTE(review): "1.2.3.4" has no prefix length, so it is not a valid CIDR and
# AWS would presumably reject it; and protocol "-1" with ports 0-0 means all
# traffic from that source. This entry tests string matching, not a safe rule.
module "vote_service_sg_ipv4" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      from_port   = 0
      to_port     = 0
      protocol    = "-1" # all protocols / all ports
      cidr_blocks = ["1.2.3.4"] # missing prefix length; not 0.0.0.0/0, so not reported
    }
  ]
}
# Negative: ports 0-0 do not include 2383 and the source is a specific /64
# under the 2001:db8::/32 documentation prefix.
module "vote_service_sg_ipv6" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      from_port        = 0
      to_port          = 0
      protocol         = "tcp"
      ipv6_cidr_blocks = ["2001:0db8:85a3:0000:0000:8a2e:0370:7334/64"] # specific prefix
    }
  ]
}
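# Negative for the scanner on two counts: TCP 20-2000 does not include 2383,
# and "0.0.0.0" (no prefix length) is not the literal 0.0.0.0/0.
# NOTE(review): "0.0.0.0" without a prefix is not a valid CIDR and AWS would
# presumably reject it — do not read this as "a bare 0.0.0.0 is safe".
# Renamed from "vote_service_sg_ipv4": this file already declares a module
# with that label, and Terraform rejects duplicate module calls.
module "vote_service_sg_ipv4_other_ports" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      from_port   = 20
      to_port     = 2000 # 2383 is outside this range
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0"] # missing prefix length; not the 0.0.0.0/0 literal
    }
  ]
}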
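# Negative for this query: "::/0" is world-open, but TCP 20-2000 does not
# include 2383. Still a very wide rule.
# Renamed from "vote_service_sg_ipv6": this file already declares a module
# with that label, and Terraform rejects duplicate module calls.
module "vote_service_sg_ipv6_other_ports" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      from_port        = 20
      to_port          = 2000 # 2383 is outside this range
      protocol         = "tcp"
      ipv6_cidr_blocks = ["::/0"]
    }
  ]
}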
# Negative: no entry is TCP-on-2383-from-0.0.0.0/0. The two UDP entries cover
# 2000-2420 (which contains 2383) and the last one is world-open, but UDP is
# out of scope for this query; the TCP entries are on other ports with
# specific sources.
# NOTE(review): several CIDR literals here are non-canonical or odd
# ("0.1.1.1/21", "8.8.8.8/24", "192.01.01.02/23" with leading zeros); they are
# fixture values exercising the matcher, not examples to copy.
module "vote_service_sg_ipv4_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    { # udp, not reported
      description = "TLS from VPC"
      from_port   = 2000
      to_port     = 2420
      protocol    = "udp"
      cidr_blocks = ["0.1.1.1/21", "8.8.8.8/24"]
    },
    { # tcp on other ports, private source
      description = "TLS from VPC"
      from_port   = 28000
      to_port     = 28001
      protocol    = "tcp"
      cidr_blocks = ["10.0.0.0/16"]
    },
    { # tcp on other ports, specific source
      description = "TLS from VPC"
      from_port   = 20
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["192.01.01.02/23"]
    },
    { # udp from 0.0.0.0/0 on a range covering 2383 - world-open, but UDP, so not reported
      description = "TLS from VPC"
      from_port   = 2000
      to_port     = 2420
      protocol    = "udp"
      cidr_blocks = ["0.1.1.1/21", "0.0.0.0/0"]
    },
  ]
}
# Negative: the only world-open entry ("::/0" on 2000-2420) is UDP, which this
# query ignores; the TCP entries are on other ports with specific sources.
# NOTE(review): the second entry puts an IPv4 literal ("10.0.0.0/16") in
# ipv6_cidr_blocks — invalid for AWS and presumably rejected at apply; it is
# here only to exercise the matcher.
module "vote_service_sg_ipv6_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    { # udp from "::/0" on a range covering 2383 - not reported because UDP
      description      = "TLS from VPC"
      from_port        = 2000
      to_port          = 2420
      protocol         = "udp"
      ipv6_cidr_blocks = ["2001:0db8:85a3::8a2e:0370:7334/64", "::/0"]
    },
    { # tcp on other ports; IPv4 literal in an IPv6 list (fixture oddity)
      description      = "TLS from VPC"
      from_port        = 28000
      to_port          = 28001
      protocol         = "tcp"
      ipv6_cidr_blocks = ["10.0.0.0/16"]
    },
    { # tcp on other ports, specific /56
      description      = "TLS from VPC"
      from_port        = 20
      to_port          = 22
      protocol         = "tcp"
      ipv6_cidr_blocks = ["2606:4700:3033::6815:3e3/56"]
    }
  ]
}