CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00694
- creditSnyk Research Team
Description
Broadly exposing UDP services over the internet enables malicious actors to use DDoS amplification techniques to reflect spoofed UDP traffic from virtual machines.
How to fix?
Set the securityRules.properties.access attribute of Microsoft.Network/networkSecurityGroups or properties.access attribute of Microsoft.Network/networkSecurityGroups/securityRules to Deny.
Example Configuration
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2022-07-01",
"name": "example-sg694-allowed1",
"location": "[resourceGroup().location]",
"properties": {
"securityRules": [
{
"name": "security-rule6941",
"properties": {
"priority": 100,
"direction": "Inbound",
"access": "Deny",
"protocol": "Udp",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefixes": [
"0.0.0.0"
],
"destinationAddressPrefix": "*"
}
},
{
"name": "security-rule6942",
"properties": {
"priority": 400,
"direction": "Inbound",
"access": "Deny",
"protocol": "Udp",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefixes": [
"0.0.0.0"
],
"destinationAddressPrefix": "*"
}
}
]
}
}
]
}
Set security_rule.access attribute (azurerm_network_security_group) or access attribute (azurerm_network_security_rule) to Deny.
Example Configuration
# Inline security rule example
resource "azurerm_network_security_group" "allowed1" {
name = "example-sg694v-1"
location = azurerm_resource_group.example-rg694v.location
resource_group_name = azurerm_resource_group.example-rg694v.name
security_rule {
name = "security-rule694v"
priority = 100
direction = "Inbound"
access = "Deny"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefixes = ["0.0.0.0"]
destination_address_prefix = "*"
}
}
# Standalone security rule example
resource "azurerm_network_security_rule" "allowed2-security-rule" {
name = "security-rule694v-2"
priority = 100
direction = "Inbound"
access = "Deny"
protocol = "Udp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example-rg694v.name
network_security_group_name = azurerm_network_security_group.allowed2.name
}