Compute firewall allows open egress Affecting Compute Engine service in Google

Severity Framework Snyk CCSS

Rule category Network / Ports

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls

Snyk ID SNYK-CC-00390
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Open egress can be used to exfiltrate data to unauthorized destinations, and enable access to potentially malicious resources.

How to fix?

Set destination_ranges attribute to specific net addresses, e.g. 192.168.0.0/16.

Example Configuration

resource "google_compute_firewall" "allowed" {
  name    = "test-firewall"
  network = "test"
  destination_ranges = [
    "192.168.0.0/16"
  ]
  allow {
    protocol = "icmp"
  }
}

Terraform

Resource: google_compute_firewall

References

VPC firewall rules overview