`CKV_AZURE_9`: source_address_prefix `<prefix>/0` and RDP over UDP

Open tplisson opened this issue 5 months ago • 2 comments

Describe the issue: CKV_AZURE_9 is not able to identify misconfigurations for NSG rules that include a source_address_prefix with a /0, like `<prefix>/0`.

Would suggest replacing INTERNET_ADDRESSES in NSGRulePortAccessRestricted.py (line 8):

INTERNET_ADDRESSES = ("*", "0.0.0.0", "<nw>/0", "/0", "internet", "any")  # nosec

... with some regular expression such as this:

import re

# Dots in 0.0.0.0 are escaped so the literal address is matched rather than any four characters.
INTERNET_ADDRESSES = re.compile(r"^(?:\*|internet|any|0\.0\.0\.0|(?:[\d.]*?)/0)$", re.IGNORECASE)

Additionally, Microsoft introduced UDP support in RDP 8.0 and later, allowing RDP to use UDP port 3389 alongside TCP. So CKV_AZURE_9 should also be updated to match the UDP protocol too. :/

Examples: sample Terraform code that currently fails detection:

resource "azurerm_network_security_rule" "example" {
  name                        = "example"
  priority                    = 100
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "Tcp"     # should also match on "Udp"
  source_port_range           = "*"
  destination_port_range      = "3389"

  source_address_prefix       = "/0"            # should match
  source_address_prefix       = "0/0"           # should match
  source_address_prefix       = "0.0.0.0/0"     # should match
  source_address_prefix       = "1.2.3.4/0"     # should match
  source_address_prefixes     = ["192.168.100.0/24", "/0", "172.20.100.1/32"]         # should match
  source_address_prefixes     = ["192.168.100.0/24", "0/0", "172.20.100.1/32"]        # should match
  source_address_prefixes     = ["192.168.100.0/24", "0.0.0.0/0", "172.20.100.1/32"]  # should match
  source_address_prefixes     = ["192.168.100.0/24", "1.2.3.4/0", "172.20.100.1/32"]  # should match

  source_address_prefixes     = "something/else"  # should not match
  source_address_prefixes     = "192.168.1.1"     # should not match
  source_address_prefixes     = "192.168.1.1/32"  # should not match
  source_address_prefixes     = "172.20.1.0/24"   # should not match
}

Version (please complete the following information):

  • Checkov Version 3.2.460

tplisson avatar Aug 11 '25 13:08 tplisson
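As an added example (not checkov's own code and not the reporter's draft), the following Python models the two points raised in the issue: the proposed regex for "internet" source prefixes, and treating UDP like TCP when the destination port covers RDP. The helper names, the `RDP_PROTOCOLS` set and the dict-shaped rule input are assumptions made for this example; the sample values come from the Terraform block above. Direction handling is deliberately left out, since the issue does not discuss it.

```python
import re

# Regex from the issue, with the dots in 0.0.0.0 escaped so the literal address
# is matched rather than "any character". Accepts "*", "internet", "any",
# "0.0.0.0", and any dotted-digit prefix (including empty) ending in "/0".
INTERNET_ADDRESSES = re.compile(
    r"^(?:\*|internet|any|0\.0\.0\.0|(?:[\d.]*?)/0)$", re.IGNORECASE
)

# Assumption for this example: RDP is reachable over TCP and UDP (RDP 8.0+),
# and "*" in an NSG rule means every protocol.
RDP_PROTOCOLS = {"tcp", "udp", "*"}
RDP_PORT = 3389


def is_internet_prefix(prefix: str) -> bool:
    """True when a single source_address_prefix value means 'anyone on the internet'."""
    return INTERNET_ADDRESSES.match(prefix.strip()) is not None


def port_range_includes(port_range: str, port: int) -> bool:
    """Handle '*', a single port ('3389') and a dash range ('3000-4000')."""
    port_range = port_range.strip()
    if not port_range:
        return False
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def rule_exposes_rdp(rule: dict) -> bool:
    """Evaluate one azurerm_network_security_rule-shaped dict (constructed input).

    Flags the rule when it allows RDP's port on TCP, UDP or '*' from an
    internet-wide source prefix, in either the singular or plural attribute.
    """
    if rule.get("access", "").lower() != "allow":
        return False
    if rule.get("protocol", "").lower() not in RDP_PROTOCOLS:
        return False
    ports = rule.get("destination_port_ranges") or [rule.get("destination_port_range", "")]
    if not any(port_range_includes(p, RDP_PORT) for p in ports):
        return False
    sources = rule.get("source_address_prefixes") or [rule.get("source_address_prefix", "")]
    return any(is_internet_prefix(s) for s in sources)


# Constructed sample rule mirroring the issue's "should match" UDP case.
SAMPLE_RULE = {
    "access": "Allow",
    "protocol": "Udp",
    "source_port_range": "*",
    "destination_port_range": "3389",
    "source_address_prefixes": ["192.168.100.0/24", "/0", "172.20.100.1/32"],
}

if __name__ == "__main__":
    for value in ("/0", "0/0", "0.0.0.0/0", "1.2.3.4/0", "something/else",
                  "192.168.1.1", "192.168.1.1/32", "172.20.1.0/24"):
        print(f"{value!r:20} internet={is_internet_prefix(value)}")
    print("sample rule exposes RDP:", rule_exposes_rdp(SAMPLE_RULE))
```

The `SAMPLE_RULE` dict is the issue's UDP case expressed as plain data; swapping `"Udp"` for `"Icmp"`, or replacing `"/0"` with a /24, makes `rule_exposes_rdp` return False, which is the behaviour the reporter is asking the check to have.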

Created a draft for this, if it helps. I don't know what "<nw>/0" is supposed to mean, but it fails to recognise 0.0.0.0/0, which is common around here.

davimmt avatar Aug 11 '25 19:08 davimmt

Hey Anton @gruebel! Sorry to ping you personally, but is there anyone to review this PR, please?

tplisson avatar Sep 17 '25 09:09 tplisson