Sensitive Port Is Exposed To Wide Private Network
- Query id: 92fe237e-074c-4262-81a4-2077acb928c1
- Query name: Sensitive Port Is Exposed To Wide Private Network
- Platform: Terraform
- Severity: Low
- Category: Networking and Firewall
- CWE: 200
- Risk score: 2.9
- URL: Github
Description
A sensitive port, such as port 23 or port 110, is open to a wide private network over either the TCP or UDP protocol.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# ipv4
# Positive samples for aws_security_group: a port the query treats as sensitive
# (22 or 110 here) is reachable from an entire RFC 1918 range over TCP, UDP,
# or all protocols.
resource "aws_security_group" "positive1_ipv4_1" {
  ingress {
    from_port = 22
    to_port   = 22
    # "-1" means every protocol, so TCP and UDP are both included.
    # NOTE(review): I recall the AWS provider docs asking for from_port/to_port = 0
    # when protocol is "-1"; the sample keeps 22 so the query's port match is
    # exercised — confirm that this is intentional.
    protocol    = "-1"
    cidr_blocks = ["10.0.0.0/8"] # whole RFC 1918 10/8 range
  }
}
resource "aws_security_group" "positive1_ipv4_2" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["192.168.0.0/16"] # whole RFC 1918 192.168/16 range
  }
}
resource "aws_security_group" "positive1_array_test_ipv4" {
  # Two ingress blocks: the query must evaluate each block, not only the first.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "udp" # the port is sensitive regardless of TCP vs UDP
    cidr_blocks = ["172.16.0.0/12"] # whole RFC 1918 172.16/12 range
  }
  ingress {
    from_port = 110
    to_port   = 110
    protocol  = "udp"
    # "10.68.0.0" carries no prefix length (the negative sample spells it
    # "10.68.0.0/14"); the provider validates CIDR notation, so this entry is
    # presumably rejected at plan time — 172.16.0.0/12 alone is enough to flag
    # the block. TODO confirm whether the bare address is intentional.
    cidr_blocks = ["10.68.0.0", "172.16.0.0/12"]
  }
}
# ipv6
# IPv6 counterparts: fd00::/8 is the RFC 4193 unique-local range. The single
# addresses below carry no prefix length; the query appears to classify any
# fd00::/8-prefixed value as a wide private network — confirm against the query.
resource "aws_security_group" "positive1_ipv6_1" {
  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "-1" # all protocols, TCP and UDP included
    ipv6_cidr_blocks = ["fd00::/8"] # ipv6 equivalent of 10.0.0.0/8
  }
}
resource "aws_security_group" "positive1_ipv6_2" {
  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    ipv6_cidr_blocks = ["fd12:3456:789a::1"] # single ULA address, no prefix length
  }
}
resource "aws_security_group" "positive1_array_test_ipv6" {
  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "udp"
    ipv6_cidr_blocks = ["fd00:abcd:1234::42"] # single ULA address, no prefix length
  }
  ingress {
    from_port        = 110
    to_port          = 110
    protocol         = "udp"
    ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42"] # both inside fd00::/8
  }
}
Positive test num. 2 - tf file
# ipv4
# Positive samples for the standalone aws_vpc_security_group_ingress_rule
# resource, which takes a single cidr_ipv4 / cidr_ipv6 string instead of a list.
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_1" {
  from_port   = 22
  to_port     = 22
  ip_protocol = "-1" # all protocols, TCP and UDP included
  cidr_ipv4   = "10.0.0.0/8" # whole RFC 1918 10/8 range
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_2" {
  from_port   = 22
  to_port     = 22
  ip_protocol = "tcp"
  cidr_ipv4   = "192.168.0.0/16" # whole RFC 1918 192.168/16 range
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_3" {
  from_port   = 22
  to_port     = 22
  ip_protocol = "udp" # the port is sensitive regardless of TCP vs UDP
  cidr_ipv4   = "172.16.0.0/12" # whole RFC 1918 172.16/12 range
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_4" {
  from_port   = 110
  to_port     = 110
  ip_protocol = "udp"
  cidr_ipv4   = "172.16.0.0/12"
}
# ipv6
# fd00::/8 is the RFC 4193 unique-local range; the single addresses below have
# no prefix length and appear to be treated as private by the query — confirm.
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_1" {
  from_port   = 22
  to_port     = 22
  ip_protocol = "-1"
  cidr_ipv6   = "fd00::/8" # ipv6 equivalent of 10.0.0.0/8
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_2" {
  from_port   = 22
  to_port     = 22
  ip_protocol = "tcp"
  cidr_ipv6   = "fd12:3456:789a::1" # single ULA address, no prefix length
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_3" {
  from_port   = 22
  to_port     = 22
  ip_protocol = "udp"
  cidr_ipv6   = "fd00:abcd:1234::42" # single ULA address, no prefix length
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_4" {
  from_port   = 110
  to_port     = 110
  ip_protocol = "udp"
  cidr_ipv6   = "fd00:abcd:1234::42"
}
Positive test num. 3 - tf file
# ipv4
# Positive samples for aws_security_group_rule. Only type = "ingress" rules are
# relevant to the query; every sample here is ingress.
resource "aws_security_group_rule" "positive3_ipv4_1" {
  from_port   = 22
  to_port     = 22
  protocol    = "-1" # all protocols, TCP and UDP included
  cidr_blocks = ["10.0.0.0/8"] # whole RFC 1918 10/8 range
  type        = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv4_2" {
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["192.168.0.0/16"] # whole RFC 1918 192.168/16 range
  type        = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv4_3" {
  from_port   = 22
  to_port     = 22
  protocol    = "udp" # the port is sensitive regardless of TCP vs UDP
  cidr_blocks = ["172.16.0.0/12"] # whole RFC 1918 172.16/12 range
  type        = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv4_4" {
  from_port = 110
  to_port   = 110
  protocol  = "udp"
  # "10.68.0.0" has no prefix length (compare "10.68.0.0/14" in the negative
  # sample); 172.16.0.0/12 alone is enough to flag the rule. TODO confirm the
  # bare address is intentional.
  cidr_blocks = ["10.68.0.0", "172.16.0.0/12"]
  type        = "ingress"
}
# ipv6
# fd00::/8 is the RFC 4193 unique-local range; the single addresses below have
# no prefix length and appear to be treated as private by the query — confirm.
resource "aws_security_group_rule" "positive3_ipv6_1" {
  from_port        = 22
  to_port          = 22
  protocol         = "-1"
  ipv6_cidr_blocks = ["fd00::/8"] # ipv6 equivalent of 10.0.0.0/8
  type             = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv6_2" {
  from_port        = 22
  to_port          = 22
  protocol         = "tcp"
  ipv6_cidr_blocks = ["fd12:3456:789a::1"] # single ULA address, no prefix length
  type             = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv6_3" {
  from_port        = 22
  to_port          = 22
  protocol         = "udp"
  ipv6_cidr_blocks = ["fd00:abcd:1234::42"] # single ULA address, no prefix length
  type             = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv6_4" {
  from_port        = 110
  to_port          = 110
  protocol         = "udp"
  ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42"] # both inside fd00::/8
  type             = "ingress"
}
Positive test num. 4 - tf file
# Positive samples for the terraform-aws-modules/security-group module: the
# query inspects the ingress_with_cidr_blocks / ingress_with_ipv6_cidr_blocks
# lists, so each list element is checked like an inline ingress block.
module "positive4_ipv4_1" {
  source = "terraform-aws-modules/security-group/aws"
  ingress_with_cidr_blocks = [
    {
      from_port   = 22
      to_port     = 22
      protocol    = "-1" # all protocols, TCP and UDP included
      cidr_blocks = ["10.0.0.0/8"] # whole RFC 1918 10/8 range
    },
    {
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["192.168.0.0/16"] # whole RFC 1918 192.168/16 range
    },
    {
      from_port   = 22
      to_port     = 22
      protocol    = "udp" # the port is sensitive regardless of TCP vs UDP
      cidr_blocks = ["172.16.0.0/12"] # whole RFC 1918 172.16/12 range
    },
    {
      from_port = 110
      to_port   = 110
      protocol  = "udp"
      # "10.68.0.0" has no prefix length; 172.16.0.0/12 alone is enough to
      # flag this element. TODO confirm the bare address is intentional.
      cidr_blocks = ["10.68.0.0", "172.16.0.0/12"]
    }
  ]
}
module "positive4_ipv6_1" {
  source = "terraform-aws-modules/security-group/aws"
  # fd00::/8 is the RFC 4193 unique-local range; the single addresses below
  # have no prefix length and appear to be treated as private — confirm.
  ingress_with_ipv6_cidr_blocks = [
    {
      from_port        = 22
      to_port          = 22
      protocol         = "-1"
      ipv6_cidr_blocks = ["fd00::/8"] # ipv6 equivalent of 10.0.0.0/8
    },
    {
      from_port        = 22
      to_port          = 22
      protocol         = "tcp"
      ipv6_cidr_blocks = ["fd12:3456:789a::1"] # single ULA address, no prefix length
    },
    {
      from_port        = 22
      to_port          = 22
      protocol         = "udp"
      ipv6_cidr_blocks = ["fd00:abcd:1234::42"] # single ULA address, no prefix length
    },
    {
      from_port        = 110
      to_port          = 110
      protocol         = "udp"
      ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42"] # both inside fd00::/8
    }
  ]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# ipv4
# Negative samples for aws_security_group: each one breaks exactly one (or all)
# of the three conditions the query needs — sensitive port, TCP/UDP (or all)
# protocol, and a wide private CIDR.
resource "aws_security_group" "negative1_ipv4_1" {
  #incorrect protocol — icmp is neither TCP nor UDP, so the sensitive port is not reachable over the protocols the query covers
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "icmp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
resource "aws_security_group" "negative1_ipv4_2" {
  #incorrect port range (unknown) — 5000 is not in the query's sensitive-port list
  ingress {
    from_port   = 5000
    to_port     = 5000
    protocol    = "tcp"
    cidr_blocks = ["192.168.0.0/16"]
  }
}
resource "aws_security_group" "negative1_array_test_ipv4" {
  #incorrect cidr (not wide private network) — 8.8.0.0/16 is public address space
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "udp"
    cidr_blocks = ["8.8.0.0/16"]
  }
  #all incorrect
  # NOTE(review): 10.68.0.0/14 sits inside 10.0.0.0/8, so whether a narrower
  # private subnet alone would count as "wide" is not shown by this sample
  # (port and protocol already fail) — confirm against the query source.
  ingress {
    from_port   = 5000
    to_port     = 5000
    protocol    = "icmp"
    cidr_blocks = ["10.68.0.0/14", "8.8.0.0/16"]
  }
}
# ipv6
resource "aws_security_group" "negative1_ipv6_1" {
  #incorrect protocol — icmpv6 is neither TCP nor UDP
  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "icmpv6"
    ipv6_cidr_blocks = ["fd00::/8"] # ipv6 equivalent of 10.0.0.0/8
  }
}
resource "aws_security_group" "negative1_ipv6_2" {
  #incorrect port range (unknown) — 5000 is not a sensitive port
  ingress {
    from_port        = 5000
    to_port          = 5000
    protocol         = "tcp"
    ipv6_cidr_blocks = ["fd12:3456:789a::1"] # private ipv6 address
  }
}
resource "aws_security_group" "negative1_array_test_ipv6" {
  #incorrect cidr — 2400:cb00::/32 is global unicast, not fd00::/8
  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "udp"
    ipv6_cidr_blocks = ["2400:cb00::/32"] # not a private ipv6 address
  }
  #all incorrect — port, protocol and the public CIDR all fail; fd03:5678::/64 alone would be private
  ingress {
    from_port        = 5000
    to_port          = 5000
    protocol         = "icmpv6"
    ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
  }
}
Negative test num. 2 - tf file
# ipv4
# Negative samples for aws_vpc_security_group_ingress_rule: each breaks at least
# one of the query's conditions (sensitive port, TCP/UDP or all protocol,
# wide private CIDR).
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_1" {
  #incorrect protocol — icmp is neither TCP nor UDP
  from_port   = 22
  to_port     = 22
  ip_protocol = "icmp"
  cidr_ipv4   = "10.0.0.0/8"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_2" {
  #incorrect port range (unknown) — 5000 is not a sensitive port
  from_port   = 5000
  to_port     = 5000
  ip_protocol = "tcp"
  cidr_ipv4   = "192.168.0.0/16"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_3" {
  #incorrect cidr (not wide private network) — 8.8.0.0/16 is public address space
  from_port   = 22
  to_port     = 22
  ip_protocol = "udp"
  cidr_ipv4   = "8.8.0.0/16"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_4" {
  #all incorrect — port, protocol and CIDR all fail
  from_port   = 5000
  to_port     = 5000
  ip_protocol = "icmp"
  cidr_ipv4   = "8.8.0.0/16"
}
# ipv6
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_1" {
  #incorrect protocol — icmpv6 is neither TCP nor UDP
  from_port   = 22
  to_port     = 22
  ip_protocol = "icmpv6"
  cidr_ipv6   = "fd00::/8" # ipv6 equivalent of 10.0.0.0/8
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_2" {
  #incorrect port range (unknown) — 5000 is not a sensitive port
  from_port   = 5000
  to_port     = 5000
  ip_protocol = "tcp"
  cidr_ipv6   = "fd12:3456:789a::1" # private ipv6 address
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_3" {
  #incorrect cidr — 2400:cb00::/32 is global unicast, not fd00::/8
  from_port   = 22
  to_port     = 22
  ip_protocol = "udp"
  cidr_ipv6   = "2400:cb00::/32" # not a private ipv6 address
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_4" {
  #all incorrect — port, protocol and CIDR all fail
  from_port   = 5000
  to_port     = 5000
  ip_protocol = "icmpv6"
  cidr_ipv6   = "2400:cb00::/32"
}
Negative test num. 3 - tf file
# ipv4
# Negative samples for aws_security_group_rule: all are type = "ingress", so the
# query does look at them; each fails on port, protocol or CIDR instead.
resource "aws_security_group_rule" "negative3_ipv4_1" {
  #incorrect protocol — icmp is neither TCP nor UDP
  from_port   = 22
  to_port     = 22
  protocol    = "icmp"
  cidr_blocks = ["10.0.0.0/8"]
  type        = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv4_2" {
  #incorrect port range (unknown) — 5000 is not a sensitive port
  from_port   = 5000
  to_port     = 5000
  protocol    = "tcp"
  cidr_blocks = ["192.168.0.0/16"]
  type        = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv4_3" {
  #incorrect cidr (not wide private network) — 8.8.0.0/16 is public address space
  from_port   = 22
  to_port     = 22
  protocol    = "udp"
  cidr_blocks = ["8.8.0.0/16"]
  type        = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv4_4" {
  #all incorrect
  # NOTE(review): 10.68.0.0/14 is inside 10.0.0.0/8; port and protocol already
  # fail here, so this sample does not show how the query treats a narrower
  # private subnet on its own — confirm against the query source.
  from_port   = 5000
  to_port     = 5000
  protocol    = "icmp"
  cidr_blocks = ["10.68.0.0/14", "8.8.0.0/16"]
  type        = "ingress"
}
# ipv6
resource "aws_security_group_rule" "negative3_ipv6_1" {
  #incorrect protocol — icmpv6 is neither TCP nor UDP
  from_port        = 22
  to_port          = 22
  protocol         = "icmpv6"
  ipv6_cidr_blocks = ["fd00::/8"] # ipv6 equivalent of 10.0.0.0/8
  type             = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv6_2" {
  #incorrect port range (unknown) — 5000 is not a sensitive port
  from_port        = 5000
  to_port          = 5000
  protocol         = "tcp"
  ipv6_cidr_blocks = ["fd12:3456:789a::1"] # private ipv6 address
  type             = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv6_3" {
  #incorrect cidr — 2400:cb00::/32 is global unicast, not fd00::/8
  from_port        = 22
  to_port          = 22
  protocol         = "udp"
  ipv6_cidr_blocks = ["2400:cb00::/32"] # not a private ipv6 address
  type             = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv6_4" {
  #all incorrect — port, protocol and the public CIDR all fail; fd03:5678::/64 alone would be private
  from_port        = 5000
  to_port          = 5000
  protocol         = "icmpv6"
  ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
  type             = "ingress"
}
Negative test num. 4 - tf file
# Negative samples for the terraform-aws-modules/security-group module: each
# list element fails at least one of the query's conditions (sensitive port,
# TCP/UDP or all protocol, wide private CIDR).
module "negative4_ipv4_1" {
  source = "terraform-aws-modules/security-group/aws"
  ingress_with_cidr_blocks = [
    {
      #incorrect protocol — icmp is neither TCP nor UDP
      from_port   = 22
      to_port     = 22
      protocol    = "icmp"
      cidr_blocks = ["10.0.0.0/8"]
    },
    {
      #incorrect port range (unknown) — 5000 is not a sensitive port
      from_port   = 5000
      to_port     = 5000
      protocol    = "tcp"
      cidr_blocks = ["192.168.0.0/16"]
    },
    {
      #incorrect cidr (not wide private network) — 8.8.0.0/16 is public address space
      from_port   = 22
      to_port     = 22
      protocol    = "udp"
      cidr_blocks = ["8.8.0.0/16"]
    },
    {
      #all incorrect
      # NOTE(review): 10.68.0.0/14 is inside 10.0.0.0/8; port and protocol already
      # fail, so this element does not show how a narrower private subnet alone
      # is treated — confirm against the query source.
      from_port   = 5000
      to_port     = 5000
      protocol    = "icmp"
      cidr_blocks = ["10.68.0.0/14", "8.8.0.0/16"]
    }
  ]
}
module "negative4_ipv6_1" {
  source = "terraform-aws-modules/security-group/aws"
  ingress_with_ipv6_cidr_blocks = [
    {
      #incorrect protocol — icmpv6 is neither TCP nor UDP
      from_port        = 22
      to_port          = 22
      protocol         = "icmpv6"
      ipv6_cidr_blocks = ["fd00::/8"] # ipv6 equivalent of 10.0.0.0/8
    },
    {
      #incorrect port range (unknown) — 5000 is not a sensitive port
      from_port        = 5000
      to_port          = 5000
      protocol         = "tcp"
      ipv6_cidr_blocks = ["fd12:3456:789a::1"] # private ipv6 address
    },
    {
      #incorrect cidr — 2400:cb00::/32 is global unicast, not fd00::/8
      from_port        = 22
      to_port          = 22
      protocol         = "udp"
      ipv6_cidr_blocks = ["2400:cb00::/32"] # not a private ipv6 address
    },
    {
      #all incorrect — port, protocol and the public CIDR all fail; fd03:5678::/64 alone would be private
      from_port        = 5000
      to_port          = 5000
      protocol         = "icmpv6"
      ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
    }
  ]
}