Beta - VM With Extension Operations Enabled

  • Query id: 59528fe9-0c8e-4153-8016-445911a2d933
  • Query name: Beta - VM With Extension Operations Enabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Insecure Defaults
  • CWE: 250
  • Risk score: 3.0
  • URL: Github

Description

Virtual machine resources should disable extension operations, since VM extensions can grant administrative privileges to the processes they run.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
# Positive sample: allow_extension_operations is omitted, so the query reports
# this VM. An absent attribute is treated as "extension operations enabled"
# (the provider default is permissive — confirm against the azurerm docs).
resource "azurerm_linux_virtual_machine" "positive1_1" {
  name                = "positive1_1-machine"
  resource_group_name = azurerm_resource_group.positive1_1.name
  location            = azurerm_resource_group.positive1_1.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  network_interface_ids = [
    azurerm_network_interface.positive1_1.id,
  ]

  # missing "allow_extension_operations"
}

# Positive sample: allow_extension_operations is explicitly true. Extension
# operations can hand administrative privileges to processes on the guest
# (CWE-250), which is exactly what this query flags.
resource "azurerm_linux_virtual_machine" "positive1_2" {
  name                = "positive1_2-machine"
  resource_group_name = azurerm_resource_group.positive1_2.name
  location            = azurerm_resource_group.positive1_2.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  network_interface_ids = [
    azurerm_network_interface.positive1_2.id,
  ]

  allow_extension_operations = true     # set to true
}
Positive test num. 2 - tf file
# Positive sample: extension_operations_enabled is omitted on the scale set,
# so the query reports it. An absent attribute is treated as enabled
# (the provider default is permissive — confirm against the azurerm docs).
resource "azurerm_linux_virtual_machine_scale_set" "positive2_1" {
  name                = "positive2_1-vmss"
  resource_group_name = azurerm_resource_group.positive2_1.name
  location            = azurerm_resource_group.positive2_1.location
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"

  # missing "extension_operations_enabled"
}

# Positive sample: extension_operations_enabled is explicitly true on the
# scale set, so every instance it creates allows extension operations and
# the query reports the resource.
resource "azurerm_linux_virtual_machine_scale_set" "positive2_2" {
  name                = "positive2_2-vmss"
  resource_group_name = azurerm_resource_group.positive2_2.name
  location            = azurerm_resource_group.positive2_2.location
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"

  extension_operations_enabled = true       # set to true
}
Positive test num. 3 - tf file
# Positive sample: allow_extension_operations is omitted, so the query reports
# this Windows VM. An absent attribute is treated as enabled
# (the provider default is permissive — confirm against the azurerm docs).
resource "azurerm_windows_virtual_machine" "positive3_1" {
  name                = "positive3_1-machine"
  resource_group_name = azurerm_resource_group.positive3_1.name
  location            = azurerm_resource_group.positive3_1.location
  size                = "Standard_F2"
  network_interface_ids = [
    azurerm_network_interface.positive3_1.id,
  ]

  # missing "allow_extension_operations"
}

# Positive sample: allow_extension_operations is explicitly true on a Windows
# VM. Extension operations can hand administrative privileges to processes on
# the guest (CWE-250), which is what this query flags.
resource "azurerm_windows_virtual_machine" "positive3_2" {
  name                = "positive3_2-machine"
  resource_group_name = azurerm_resource_group.positive3_2.name
  location            = azurerm_resource_group.positive3_2.location
  size                = "Standard_F2"
  network_interface_ids = [
    azurerm_network_interface.positive3_2.id,
  ]

  allow_extension_operations = true     # set to true
}

Positive test num. 4 - tf file
# Positive sample: extension_operations_enabled is omitted on the Windows
# scale set, so the query reports it. An absent attribute is treated as
# enabled (the provider default is permissive — confirm against the azurerm docs).
resource "azurerm_windows_virtual_machine_scale_set" "positive4_1" {
  name                 = "positive4_1-vmss"
  resource_group_name  = azurerm_resource_group.positive4_1.name
  location             = azurerm_resource_group.positive4_1.location
  sku                  = "Standard_F2"
  computer_name_prefix = "vm-"

   # missing "extension_operations_enabled"
}

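# Positive sample: extension_operations_enabled is explicitly true on the
# Windows scale set, so the query reports it.
#
# The sample is written with the same scale-set arguments as positive4_1
# (sku / computer_name_prefix): the earlier version used the single-VM
# arguments `size` and `network_interface_ids` and a "-machine" name on a
# *_scale_set resource, which does not match its sibling sample. The finding
# itself is unchanged — the last line is what the query matches.
resource "azurerm_windows_virtual_machine_scale_set" "positive4_2" {
  name                 = "positive4_2-vmss"
  resource_group_name  = azurerm_resource_group.positive4_2.name
  location             = azurerm_resource_group.positive4_2.location
  sku                  = "Standard_F2"
  computer_name_prefix = "vm-"

  extension_operations_enabled = true     # set to true
}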

Code samples without security vulnerabilities

Negative test num. 1 - tf file
# Negative sample: allow_extension_operations = false explicitly disables
# extension operations on the VM, so the query does not report it.
resource "azurerm_linux_virtual_machine" "negative1" {
  name                = "negative1-machine"
  resource_group_name = azurerm_resource_group.negative1.name
  location            = azurerm_resource_group.negative1.location
  size                = "Standard_F2"
  admin_username      = "adminuser"
  network_interface_ids = [
    azurerm_network_interface.negative1.id,
  ]

  allow_extension_operations = false
}
Negative test num. 2 - tf file
# Negative sample: extension_operations_enabled = false explicitly disables
# extension operations for the scale set, so the query does not report it.
resource "azurerm_linux_virtual_machine_scale_set" "negative2" {
  name                = "negative2-vmss"
  resource_group_name = azurerm_resource_group.negative2.name
  location            = azurerm_resource_group.negative2.location
  sku                 = "Standard_F2"
  instances           = 1
  admin_username      = "adminuser"

  extension_operations_enabled = false
}
Negative test num. 3 - tf file
# Negative sample: allow_extension_operations = false explicitly disables
# extension operations on the Windows VM, so the query does not report it.
resource "azurerm_windows_virtual_machine" "negative3" {
  name                = "negative3-machine"
  resource_group_name = azurerm_resource_group.negative3.name
  location            = azurerm_resource_group.negative3.location
  size                = "Standard_F2"
  network_interface_ids = [
    azurerm_network_interface.negative3.id,
  ]

  allow_extension_operations = false
}

Negative test num. 4 - tf file
# Negative sample: extension_operations_enabled = false explicitly disables
# extension operations for the Windows scale set, so the query does not
# report it.
resource "azurerm_windows_virtual_machine_scale_set" "negative4" {
  name                 = "negative4-vmss"
  resource_group_name  = azurerm_resource_group.negative4.name
  location             = azurerm_resource_group.negative4.location
  sku                  = "Standard_F2"
  computer_name_prefix = "vm-"

  extension_operations_enabled = false
}