Sensitive Port Is Exposed To Small Public Network
- Query id: e35c16a2-d54e-419d-8546-a804d8e024d0
- Query name: Sensitive Port Is Exposed To Small Public Network
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 200
- Risk score: 5.2
- URL: Github
Description
A sensitive port, such as port 23 or port 110, is open to a small public network over TCP or UDP.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# ipv4
# Every resource in this file is a positive sample: each ingress rule opens a
# sensitive port (22 or 110) over "tcp", "udp", or "-1" (all protocols, which
# includes TCP and UDP) to a small CIDR range, so the query is expected to flag it.
# The negative samples below show that "icmp"/"icmpv6", port 5000, and wide
# ranges (/2, /14 for IPv4; /32, /64 for IPv6) are each enough to avoid a finding.
# NOTE(review): the ranges used here are RFC 1918 / IPv6 ULA (private) addresses
# even though the query name says "public"; the query appears to decide on prefix
# length alone — confirm against the query source.
resource "aws_security_group" "positive1_ipv4_1" {
# "-1" = all protocols; /25 = 128 addresses
ingress {
from_port = 22
to_port = 22
protocol = "-1"
cidr_blocks = ["10.0.0.0/25"]
}
}
resource "aws_security_group" "positive1_ipv4_2" {
# TCP to a /26 (64 addresses)
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.168.0.0/26"]
}
}
resource "aws_security_group" "positive1_array_test_ipv4" {
# UDP to a /27 (32 addresses)
ingress {
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["172.16.0.0/27"]
}
# list case: the /27 entry is what makes this rule a finding.
# NOTE(review): "10.68.0.0" carries no prefix length — presumably meant as a
# CIDR (the negative sample uses "10.68.0.0/14"); confirm it is intentional.
ingress {
from_port = 110
to_port = 110
protocol = "udp"
cidr_blocks = ["10.68.0.0", "172.16.0.0/27"]
}
}
# ipv6
# Same three cases for IPv6: /121, /122 and /123 are 128, 64 and 32 addresses,
# mirroring the IPv4 /25, /26 and /27 above.
resource "aws_security_group" "positive1_ipv6_1" {
ingress {
from_port = 22
to_port = 22
protocol = "-1"
ipv6_cidr_blocks = ["fd00::/121"]
}
}
resource "aws_security_group" "positive1_ipv6_2" {
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["fd12:3456:789a::1/122"]
}
}
resource "aws_security_group" "positive1_array_test_ipv6" {
ingress {
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["fd00:abcd:1234::42/123"]
}
# list case: the /64 entry alone is not a small range (see the negative
# samples); the /123 entry is what triggers the finding.
ingress {
from_port = 110
to_port = 110
protocol = "udp"
ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42/123"]
}
}
Positive test num. 2 - tf file
# ipv4
# The same positive cases as test 1, expressed with the per-rule resource
# aws_vpc_security_group_ingress_rule: the protocol attribute is ip_protocol and
# the range is a single cidr_ipv4 / cidr_ipv6 string rather than a list, so each
# port/protocol/range combination becomes its own resource.
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_1" {
# "-1" = all protocols; /25 = 128 addresses
from_port = 22
to_port = 22
ip_protocol = "-1"
cidr_ipv4 = "10.0.0.0/25"
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_2" {
# TCP to a /26 (64 addresses)
from_port = 22
to_port = 22
ip_protocol = "tcp"
cidr_ipv4 = "192.168.0.0/26"
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_3" {
# UDP to a /27 (32 addresses)
from_port = 22
to_port = 22
ip_protocol = "udp"
cidr_ipv4 = "172.16.0.0/27"
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv4_4" {
# port 110 is one of the sensitive ports named in the description
from_port = 110
to_port = 110
ip_protocol = "udp"
cidr_ipv4 = "172.16.0.0/27"
}
# ipv6
# /121, /122 and /123 are 128, 64 and 32 addresses, mirroring the IPv4 cases.
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_1" {
from_port = 22
to_port = 22
ip_protocol = "-1"
cidr_ipv6 = "fd00::/121"
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_2" {
from_port = 22
to_port = 22
ip_protocol = "tcp"
cidr_ipv6 = "fd12:3456:789a::1/122"
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_3" {
from_port = 22
to_port = 22
ip_protocol = "udp"
cidr_ipv6 = "fd00:abcd:1234::42/123"
}
resource "aws_vpc_security_group_ingress_rule" "positive2_ipv6_4" {
from_port = 110
to_port = 110
ip_protocol = "udp"
cidr_ipv6 = "fd00:abcd:1234::42/123"
}
Positive test num. 3 - tf file
# ipv4
# The same positive cases as test 1, expressed with aws_security_group_rule.
# This resource describes one direction per rule, so `type = "ingress"` is what
# makes these inbound rules. NOTE(review): no egress sample appears on this page;
# confirm the query only considers type = "ingress".
resource "aws_security_group_rule" "positive3_ipv4_1" {
# "-1" = all protocols; /25 = 128 addresses
from_port = 22
to_port = 22
protocol = "-1"
cidr_blocks = ["10.0.0.0/25"]
type = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv4_2" {
# TCP to a /26 (64 addresses)
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.168.0.0/26"]
type = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv4_3" {
# UDP to a /27 (32 addresses)
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["172.16.0.0/27"]
type = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv4_4" {
# list case: the /27 entry is what makes this rule a finding.
# NOTE(review): "10.68.0.0" carries no prefix length — presumably meant as a
# CIDR (the negative sample uses "10.68.0.0/14"); confirm it is intentional.
from_port = 110
to_port = 110
protocol = "udp"
cidr_blocks = ["10.68.0.0", "172.16.0.0/27"]
type = "ingress"
}
# ipv6
# /121, /122 and /123 are 128, 64 and 32 addresses, mirroring the IPv4 cases.
resource "aws_security_group_rule" "positive3_ipv6_1" {
from_port = 22
to_port = 22
protocol = "-1"
ipv6_cidr_blocks = ["fd00::/121"]
type = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv6_2" {
from_port = 22
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["fd12:3456:789a::1/122"]
type = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv6_3" {
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["fd00:abcd:1234::42/123"]
type = "ingress"
}
resource "aws_security_group_rule" "positive3_ipv6_4" {
# list case: the /64 entry alone is not a small range (see the negative
# samples); the /123 entry is what triggers the finding.
from_port = 110
to_port = 110
protocol = "udp"
ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42/123"]
type = "ingress"
}
Positive test num. 4 - tf file
# The same positive cases as test 1, passed to the terraform-aws-modules
# security-group module through its ingress_with_cidr_blocks /
# ingress_with_ipv6_cidr_blocks lists. Each list element carries the same
# from_port / to_port / protocol / cidr attributes as an aws_security_group
# ingress block, and the query inspects them the same way.
module "positive4_ipv4_1" {
source = "terraform-aws-modules/security-group/aws"
ingress_with_cidr_blocks = [
{
# "-1" = all protocols; /25 = 128 addresses
from_port = 22
to_port = 22
protocol = "-1"
cidr_blocks = ["10.0.0.0/25"]
},
{
# TCP to a /26 (64 addresses)
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.168.0.0/26"]
},
{
# UDP to a /27 (32 addresses)
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["172.16.0.0/27"]
},
{
# list case: the /27 entry is what makes this rule a finding.
# NOTE(review): "10.68.0.0" carries no prefix length — presumably meant as a
# CIDR (the negative sample uses "10.68.0.0/14"); confirm it is intentional.
from_port = 110
to_port = 110
protocol = "udp"
cidr_blocks = ["10.68.0.0", "172.16.0.0/27"]
}
]
}
# /121, /122 and /123 are 128, 64 and 32 addresses, mirroring the IPv4 cases.
module "positive4_ipv6_1" {
source = "terraform-aws-modules/security-group/aws"
ingress_with_ipv6_cidr_blocks = [
{
from_port = 22
to_port = 22
protocol = "-1"
ipv6_cidr_blocks = ["fd00::/121"]
},
{
from_port = 22
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["fd12:3456:789a::1/122"]
},
{
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["fd00:abcd:1234::42/123"]
},
{
# list case: the /64 entry alone is not a small range (see the negative
# samples); the /123 entry is what triggers the finding.
from_port = 110
to_port = 110
protocol = "udp"
ipv6_cidr_blocks = ["fd03:5678::/64", "fd00:abcd:1234::42/123"]
}
]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# ipv4
# Every resource in this file is a negative sample: each ingress rule misses at
# least one of the three conditions the query requires — a protocol that carries
# TCP/UDP ("tcp", "udp" or "-1"), a sensitive port, and a small CIDR range. The
# inline comment on each rule names the condition it fails.
resource "aws_security_group" "negative1_ipv4_1" {
#incorrect protocol
# "icmp" carries neither TCP nor UDP, so the port range is not what is exposed
ingress {
from_port = 22
to_port = 22
protocol = "icmp"
cidr_blocks = ["10.0.0.0/25"]
}
}
resource "aws_security_group" "negative1_ipv4_2" {
#incorrect port range (unknown)
# 5000 is not one of the ports the query treats as sensitive
ingress {
from_port = 5000
to_port = 5000
protocol = "tcp"
cidr_blocks = ["192.168.0.0/26"]
}
}
resource "aws_security_group" "negative1_array_test_ipv4" {
#incorrect cidr (not small network)
# a /2 is a quarter of the IPv4 space, not a small range
ingress {
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["1.0.0.0/2"]
}
#all incorrect
# wrong protocol, unknown port, and both list entries (/14 and /2) are wide
ingress {
from_port = 5000
to_port = 5000
protocol = "icmp"
cidr_blocks = ["10.68.0.0/14", "1.0.0.0/2"]
}
}
# ipv6
resource "aws_security_group" "negative1_ipv6_1" {
#incorrect protocol
ingress {
from_port = 22
to_port = 22
protocol = "icmpv6"
ipv6_cidr_blocks = ["fd00::/121"]
}
}
resource "aws_security_group" "negative1_ipv6_2" {
#incorrect port range (unknown)
ingress {
from_port = 5000
to_port = 5000
protocol = "tcp"
ipv6_cidr_blocks = ["fd12:3456:789a::1/122"]
}
}
resource "aws_security_group" "negative1_array_test_ipv6" {
#incorrect cidr (not small network)
# a /32 is a wide IPv6 allocation, not a small range
ingress {
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["2400:cb00::/32"]
}
#all incorrect
# wrong protocol, unknown port, and both list entries (/64 and /32) are wide
ingress {
from_port = 5000
to_port = 5000
protocol = "icmpv6"
ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
}
}
Negative test num. 2 - tf file
# ipv4
# Negative samples for aws_vpc_security_group_ingress_rule (ip_protocol and a
# single cidr_ipv4 / cidr_ipv6 string). Each rule fails at least one of the three
# conditions the query requires — TCP/UDP-capable protocol, sensitive port, small
# range — as named by the comment on the rule.
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_1" {
#incorrect protocol
# "icmp" carries neither TCP nor UDP
from_port = 22
to_port = 22
ip_protocol = "icmp"
cidr_ipv4 = "10.0.0.0/25"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_2" {
#incorrect port range (unknown)
# 5000 is not one of the ports the query treats as sensitive
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
cidr_ipv4 = "192.168.0.0/26"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_3" {
#incorrect cidr (not small network)
# a /2 is a quarter of the IPv4 space, not a small range
from_port = 22
to_port = 22
ip_protocol = "udp"
cidr_ipv4 = "1.0.0.0/2"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv4_4" {
#all incorrect
from_port = 5000
to_port = 5000
ip_protocol = "icmp"
cidr_ipv4 = "1.0.0.0/2"
}
# ipv6
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_1" {
#incorrect protocol
from_port = 22
to_port = 22
ip_protocol = "icmpv6"
cidr_ipv6 = "fd00::/121"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_2" {
#incorrect port range (unknown)
from_port = 5000
to_port = 5000
ip_protocol = "tcp"
cidr_ipv6 = "fd12:3456:789a::1/122"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_3" {
#incorrect cidr (not small network)
# a /32 is a wide IPv6 allocation, not a small range
from_port = 22
to_port = 22
ip_protocol = "udp"
cidr_ipv6 = "2400:cb00::/32"
}
resource "aws_vpc_security_group_ingress_rule" "negative2_ipv6_4" {
#all incorrect
from_port = 5000
to_port = 5000
ip_protocol = "icmpv6"
cidr_ipv6 = "2400:cb00::/32"
}
Negative test num. 3 - tf file
# ipv4
# Negative samples for aws_security_group_rule (one direction per rule, selected
# with `type = "ingress"`). Each rule fails at least one of the three conditions
# the query requires — TCP/UDP-capable protocol, sensitive port, small range — as
# named by the comment on the rule.
resource "aws_security_group_rule" "negative3_ipv4_1" {
#incorrect protocol
# "icmp" carries neither TCP nor UDP
from_port = 22
to_port = 22
protocol = "icmp"
cidr_blocks = ["10.0.0.0/25"]
type = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv4_2" {
#incorrect port range (unknown)
# 5000 is not one of the ports the query treats as sensitive
from_port = 5000
to_port = 5000
protocol = "tcp"
cidr_blocks = ["192.168.0.0/26"]
type = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv4_3" {
#incorrect cidr (not small network)
# a /2 is a quarter of the IPv4 space, not a small range
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["1.0.0.0/2"]
type = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv4_4" {
#all incorrect
# wrong protocol, unknown port, and both list entries (/14 and /2) are wide
from_port = 5000
to_port = 5000
protocol = "icmp"
cidr_blocks = ["10.68.0.0/14", "1.0.0.0/2"]
type = "ingress"
}
# ipv6
resource "aws_security_group_rule" "negative3_ipv6_1" {
#incorrect protocol
from_port = 22
to_port = 22
protocol = "icmpv6"
ipv6_cidr_blocks = ["fd00::/121"]
type = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv6_2" {
#incorrect port range (unknown)
from_port = 5000
to_port = 5000
protocol = "tcp"
ipv6_cidr_blocks = ["fd12:3456:789a::1/122"]
type = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv6_3" {
#incorrect cidr (not small network)
# a /32 is a wide IPv6 allocation, not a small range
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["2400:cb00::/32"]
type = "ingress"
}
resource "aws_security_group_rule" "negative3_ipv6_4" {
#all incorrect
# wrong protocol, unknown port, and both list entries (/64 and /32) are wide
from_port = 5000
to_port = 5000
protocol = "icmpv6"
ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
type = "ingress"
}
Negative test num. 4 - tf file
# Negative samples for the terraform-aws-modules security-group module
# (ingress_with_cidr_blocks / ingress_with_ipv6_cidr_blocks lists). Each element
# fails at least one of the three conditions the query requires — TCP/UDP-capable
# protocol, sensitive port, small range — as named by the comment on the element.
module "negative4_ipv4_1" {
source = "terraform-aws-modules/security-group/aws"
ingress_with_cidr_blocks = [
{
#incorrect protocol
# "icmp" carries neither TCP nor UDP
from_port = 22
to_port = 22
protocol = "icmp"
cidr_blocks = ["10.0.0.0/25"]
},
{
#incorrect port range (unknown)
# 5000 is not one of the ports the query treats as sensitive
from_port = 5000
to_port = 5000
protocol = "tcp"
cidr_blocks = ["192.168.0.0/26"]
},
{
#incorrect cidr (not small network)
# a /2 is a quarter of the IPv4 space, not a small range
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["1.0.0.0/2"]
},
{
#all incorrect
# wrong protocol, unknown port, and both list entries (/14 and /2) are wide
from_port = 5000
to_port = 5000
protocol = "icmp"
cidr_blocks = ["10.68.0.0/14", "1.0.0.0/2"]
}
]
}
module "negative4_ipv6_1" {
source = "terraform-aws-modules/security-group/aws"
ingress_with_ipv6_cidr_blocks = [
{
#incorrect protocol
from_port = 22
to_port = 22
protocol = "icmpv6"
ipv6_cidr_blocks = ["fd00::/121"]
},
{
#incorrect port range (unknown)
from_port = 5000
to_port = 5000
protocol = "tcp"
ipv6_cidr_blocks = ["fd12:3456:789a::1/122"]
},
{
#incorrect cidr (not small network)
# a /32 is a wide IPv6 allocation, not a small range
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["2400:cb00::/32"]
},
{
#all incorrect
# wrong protocol, unknown port, and both list entries (/64 and /32) are wide
from_port = 5000
to_port = 5000
protocol = "icmpv6"
ipv6_cidr_blocks = ["fd03:5678::/64", "2400:cb00::/32"]
}
]
}