Unrestricted access between network segments

Description

The network does not currently limit access between network segments, so an employee can access database servers from the Internet.

Impact

Obtain unauthorized access to network traffic.

Recommendation

Segment the corporate network using the principle of least privilege necessary to limit access to the database.

Threat

Unauthorized user in local network.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: C
  • Confidentiality: H
  • Integrity: L
  • Availability: L

Temporal

  • Exploit code maturity: X
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L/E:X/RL:O/RC:X
  • Score:
    • Base: 9.1
    • Temporal: 8.7
  • Severity:
    • Base: Critical
    • Temporal: High

Code Examples

Compliant code

All resources in the application have properly defined network segments

resource "azurerm_key_vault" "not_vulnerable" {
  name                       = "examplekeyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  soft_delete_enabled        = true
  purge_protection_enabled   = true

  # Deny by default; only trusted Azure services bypass the ACL
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

All resources use a secure network access configuration

resource "azurerm_storage_account_network_rules" "not_vulnerable" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name

  default_action = "Deny"
}

resource "azurerm_storage_account" "not_vulnerable" {
  name                = var.watcher
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location

  # Deny by default; allowed networks must be added explicitly
  network_rules {
    default_action = "Deny"
  }

  account_tier              = "Standard"
  account_kind              = "StorageV2"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"

  queue_properties {
    logging {
      delete = true
      read   = true
      write  = true
    }
  }
}

Non-compliant code

A resource does not have proper network segments

resource "azurerm_key_vault" "vulnerable" {
  name                       = "examplekeyvault"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  soft_delete_enabled        = true
  purge_protection_enabled   = true

  # Allow by default: any network can reach the vault
  network_acls {
    default_action = "Allow"
    bypass         = "None"
  }
}

A resource has a default network access configured

resource "azurerm_storage_account_network_rules" "vulnerable" {
  resource_group_name  = azurerm_resource_group.test.name
  storage_account_name = azurerm_storage_account.test.name

  default_action = "Allow"
}

resource "azurerm_storage_account" "vulnerable" {
  name                = var.watcher
  resource_group_name = azurerm_resource_group.test.name
  location            = azurerm_resource_group.test.location

  # Allow by default: no network restriction is applied
  network_rules {
    default_action = "Allow"
  }

  account_tier              = "Standard"
  account_kind              = "StorageV2"
  account_replication_type  = "LRS"
  enable_https_traffic_only = true
  min_tls_version           = "TLS1_2"

  queue_properties {
    logging {
      delete = true
      read   = true
      write  = true
    }
  }
}

Using the Azure CLI, the following command returns the network access configuration of a Cosmos DB account:

$ az cosmosdb show \
    --ids {subscription_id} \
    --query '{"ipRangeFilter":ipRules,"isVirtualNetworkFilterEnabled":isVirtualNetworkFilterEnabled}'

If the command output returns false for the "isVirtualNetworkFilterEnabled" attribute and an empty list ([]) for the "ipRangeFilter" attribute, the resource has an insecure default network access configuration.
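The check above can be automated over the JSON the CLI returns. The following is an added example, not part of the original page: it applies the page's criterion to constructed sample output shaped like `az cosmosdb show`, `az keyvault show` and `az storage account show` (the `properties.networkAcls` and `networkRuleSet` field paths, and treating a missing ACL block as Allow, are assumptions).

```python
import json
from typing import Optional

# Constructed sample output; field layout is an assumption based on the CLI's JSON.
SAMPLE_COSMOS = '{"ipRangeFilter": [], "isVirtualNetworkFilterEnabled": false}'
SAMPLE_KEYVAULT = ('{"name": "examplekeyvault", "properties": {"networkAcls": '
                   '{"defaultAction": "Allow", "bypass": "None", "ipRules": []}}}')
SAMPLE_STORAGE = ('{"name": "examplestorage", "networkRuleSet": '
                  '{"defaultAction": "Deny", "bypass": "AzureServices", "ipRules": []}}')


def cosmos_is_open(doc: dict) -> bool:
    """Page criterion: no IP filter and no VNet filter means open by default.
    A null ipRangeFilter is treated the same as an empty list."""
    ip_rules = doc.get("ipRangeFilter") or []
    vnet_filter = bool(doc.get("isVirtualNetworkFilterEnabled", False))
    return not ip_rules and not vnet_filter


def acl_is_open(acl: Optional[dict]) -> bool:
    """Assumption: an absent ACL block behaves like defaultAction = Allow."""
    if not acl:
        return True
    return str(acl.get("defaultAction", "Allow")).lower() != "deny"


def keyvault_is_open(doc: dict) -> bool:
    return acl_is_open(doc.get("properties", {}).get("networkAcls"))


def storage_is_open(doc: dict) -> bool:
    return acl_is_open(doc.get("networkRuleSet"))


def find_open_resources(cosmos: str, keyvault: str, storage: str) -> list:
    """Return labels of resources whose default network access is Allow."""
    findings = []
    if cosmos_is_open(json.loads(cosmos)):
        findings.append("cosmosdb")
    if keyvault_is_open(json.loads(keyvault)):
        findings.append("keyvault")
    if storage_is_open(json.loads(storage)):
        findings.append("storage")
    return findings


if __name__ == "__main__":
    print(find_open_resources(SAMPLE_COSMOS, SAMPLE_KEYVAULT, SAMPLE_STORAGE))
```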

Requirements