CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00462
- creditSnyk Research Team
Description
Attackers could use brute force techniques to gain access to virtual machines. Once the attackers gain access, they can use a virtual machine as a launch point for compromising other machines on the virtual network or even attack networked devices outside of Azure.
How to fix?
Remove 22, *, or any port range that covers 22 from properties.securityRules[].properties.destinationPortRange(s) when 'properties.securityRules[].properties.access' is set to allow.
Remove 22, *, or any port range that covers 22 from security_rule.destination_port_range when security_rule.access is set to Allow.
Example Configuration
resource "azurerm_network_security_group" "valid" {
name = "test1"
location = var.azure_ssh_sec_group
resource_group_name = var.azure_ssh_sec_group
security_rule {
name = "valid"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "80-88"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}