Severity Framework
Snyk CCSS
Rule category
Network / Ports
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
CIS-Azure
- Snyk ID SNYK-CC-00694
- credit Snyk Research Team
Description
Broadly exposing UDP services over the internet enables malicious actors to use DDoS amplification techniques to reflect spoofed UDP traffic from virtual machines.
How to fix?
Set the securityRules.properties.access attribute of Microsoft.Network/networkSecurityGroups or properties.access attribute of Microsoft.Network/networkSecurityGroups/securityRules to Deny.
Example Configuration
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2022-07-01",
"name": "example-sg694-allowed1",
"location": "[resourceGroup().location]",
"properties": {
"securityRules": [
{
"name": "security-rule6941",
"properties": {
"priority": 100,
"direction": "Inbound",
"access": "Deny",
"protocol": "Udp",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefixes": [
"0.0.0.0"
],
"destinationAddressPrefix": "*"
}
},
{
"name": "security-rule6942",
"properties": {
"priority": 400,
"direction": "Inbound",
"access": "Deny",
"protocol": "Udp",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefixes": [
"0.0.0.0"
],
"destinationAddressPrefix": "*"
}
}
]
}
}
]
}