SQL server firewall rule permits ingress from 0.0.0.0/0 to all ports and protocols Affecting Database service in Azure


Severity: medium
Severity framework: Snyk CCSS
Rule category: Network / Public Access

Frameworks: CIS-Azure, CIS-Controls, CSA-CCM, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
  • Snyk ID: SNYK-CC-00660
  • Credit: Snyk Research Team

Description

To reduce the potential attack surface of a SQL server, firewall rules should be defined with granular IP addresses, referencing only the address ranges of the specific data centers that need access. A rule spanning 0.0.0.0/0 allows any host on the internet to reach the server's listener.

How to fix?

Set start_ip_address and end_ip_address to a specific IP address only, e.g. 10.0.17.62.

The rule flags an invalid range as one whose start IP is 0.0.0.0 and whose end IP is 0.0.0.0 or 255.255.255.255.

Example Configuration

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Sql/servers/firewallRules",
      "apiVersion": "2022-05-01-preview",
      "name": "test660deal1/allowed",
      "properties": {
        "endIpAddress": "10.0.17.62",
        "startIpAddress": "10.0.17.62"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Sql/servers', 'test660deal1')]"
      ]
    }
  ]
}
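The check behind this rule, applied to an ARM template before deployment, as an added example that is not Snyk's own scanner code. It walks every Microsoft.Sql/servers/firewallRules resource (including child resources nested under a server, whose type is just "firewallRules"), applies the invalid-range definition given above (start 0.0.0.0 with end 0.0.0.0 or 255.255.255.255), and reports how many addresses each flagged rule admits. The template it scans is constructed for the example: one rule open to the whole internet, one 0.0.0.0-0.0.0.0 rule, and one rule that follows the fix.

```python
import ipaddress
import json

# Constructed sample template for this example (not from the Snyk page):
# two rules that match the finding and one that follows the recommended fix.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2022-05-01-preview",
            "name": "srv",
            "resources": [
                {   # nested child resource: type is relative to the parent
                    "type": "firewallRules",
                    "name": "open-to-world",
                    "properties": {"startIpAddress": "0.0.0.0",
                                   "endIpAddress": "255.255.255.255"},
                },
            ],
        },
        {
            "type": "Microsoft.Sql/servers/firewallRules",
            "name": "srv/start-and-end-zero",
            "properties": {"startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
        },
        {
            "type": "Microsoft.Sql/servers/firewallRules",
            "name": "srv/allowed",
            "properties": {"startIpAddress": "10.0.17.62", "endIpAddress": "10.0.17.62"},
        },
    ],
})

FIREWALL_RULE_TYPES = {"microsoft.sql/servers/firewallrules", "firewallrules"}
FLAGGED_END_ADDRESSES = {"0.0.0.0", "255.255.255.255"}


def is_overly_permissive(start_ip, end_ip):
    """True when the rule matches the page's definition of an invalid range."""
    try:
        start = ipaddress.IPv4Address(start_ip)
        end = ipaddress.IPv4Address(end_ip)
    except ValueError:
        return False  # malformed addresses are a different template error
    return start == ipaddress.IPv4Address("0.0.0.0") and str(end) in FLAGGED_END_ADDRESSES


def _walk_resources(resources):
    """Yield every resource, descending into nested child resources."""
    for res in resources:
        yield res
        yield from _walk_resources(res.get("resources", []))


def find_violations(template_json):
    """Return one dict per firewall rule that violates SNYK-CC-00660."""
    template = json.loads(template_json)
    violations = []
    for res in _walk_resources(template.get("resources", [])):
        if res.get("type", "").lower() not in FIREWALL_RULE_TYPES:
            continue
        props = res.get("properties", {})
        start, end = props.get("startIpAddress"), props.get("endIpAddress")
        if start is None or end is None:
            continue  # incomplete rule; ARM validation will reject it
        if is_overly_permissive(start, end):
            size = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
            violations.append({"name": res.get("name"), "start": start,
                               "end": end, "addresses": size})
    return violations


if __name__ == "__main__":
    for v in find_violations(SAMPLE_TEMPLATE):
        print(f"{v['name']}: {v['start']}-{v['end']} admits {v['addresses']} addresses")
```

The check is deliberately literal to the rule text: a range such as 0.0.0.0 to 10.255.255.255 would not be flagged by it, so a reviewer should still read any rule whose start or end address is not a single host.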