nuclei-templates/cloud/azure/network/azure-nsg-dns-unrestricted....

id: azure-nsg-dns-unrestricted
info:
  name: Unrestricted DNS Access in Azure NSGs
  author: princechaddha
  severity: high
  description: |
    Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access on TCP and UDP port 53 to prevent DNS amplification attacks and other DNS-related threats.
  impact: |
    Allowing unrestricted access on TCP and UDP port 53 can make DNS servers vulnerable to various types of cyber attacks, disrupting network operations.
  remediation: |
    Restrict access to DNS services by configuring NSG rules to only allow trusted sources and necessary traffic on TCP and UDP port 53.
  reference:
    - https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
  tags: cloud,devops,azure,microsoft,nsg,azure-cloud-config

flow: |
  code(1);
  for (let NsgData of iterate(template.nsgdata)) {
    NsgData = JSON.parse(NsgData)
    set("nsg", NsgData.name)
    set("resourcegroup", NsgData.resourceGroup)
    code(2)
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az network nsg list --query '[*].{name:name, resourceGroup:resourceGroup}' --output json

    extractors:
      - type: json
        name: nsgdata
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az network nsg rule list --nsg-name $nsg --resource-group $resourcegroup --query "[?direction=='Inbound' && access=='Allow' && (protocol=='TCP' || protocol=='UDP') && (destinationPortRange=='53')]"

    matchers:
      - type: word
        words:
          - '"sourceAddressPrefix": "*"'
          - '"sourceAddressPrefix": "internet"'
          - '"sourceAddressPrefix": "any"'

    extractors:
      - type: dsl
        dsl:
          - 'nsg + " has unrestricted access on TCP and UDP port 53"'
# digest: 4b0a004830460221008b8f04054777f77d5380360bc515531774a4ad7e063edabe1619fd600aad455d0221009a10b51064b5f63c339c89146773b5e3c4fc834fd4fb3d609a3387c38a2b5d2d:922c64590222798bb761d5b6d8e72950
added network templates 2024-07-04 07:50:46 +00:00			`id: azure-nsg-dns-unrestricted`
			`info:`
			`name: Unrestricted DNS Access in Azure NSGs`
			`author: princechaddha`
			`severity: high`
			`description: \|`
			`Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted inbound access on TCP and UDP port 53 to prevent DNS amplification attacks and other DNS-related threats.`
			`impact: \|`
			`Allowing unrestricted access on TCP and UDP port 53 can make DNS servers vulnerable to various types of cyber attacks, disrupting network operations.`
			`remediation: \|`
			`Restrict access to DNS services by configuring NSG rules to only allow trusted sources and necessary traffic on TCP and UDP port 53.`
			`reference:`
			`- https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview`
			`tags: cloud,devops,azure,microsoft,nsg,azure-cloud-config`

			`flow: \|`
			`code(1);`
			`for (let NsgData of iterate(template.nsgdata)) {`
			`NsgData = JSON.parse(NsgData)`
			`set("nsg", NsgData.name)`
			`set("resourcegroup", NsgData.resourceGroup)`
			`code(2)`
			`}`

			`self-contained: true`
			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az network nsg list --query '[*].{name:name, resourceGroup:resourceGroup}' --output json`

			`extractors:`
			`- type: json`
			`name: nsgdata`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`az network nsg rule list --nsg-name $nsg --resource-group $resourcegroup --query "[?direction=='Inbound' && access=='Allow' && (protocol=='TCP' \|\| protocol=='UDP') && (destinationPortRange=='53')]"`

			`matchers:`
			`- type: word`
			`words:`
			`- '"sourceAddressPrefix": "*"'`
			`- '"sourceAddressPrefix": "internet"'`
			`- '"sourceAddressPrefix": "any"'`

			`extractors:`
			`- type: dsl`
			`dsl:`
			`- 'nsg + " has unrestricted access on TCP and UDP port 53"'`
chore: sign templates 🤖 2024-09-12 05:59:14 +00:00			`# digest: 4b0a004830460221008b8f04054777f77d5380360bc515531774a4ad7e063edabe1619fd600aad455d0221009a10b51064b5f63c339c89146773b5e3c4fc834fd4fb3d609a3387c38a2b5d2d:922c64590222798bb761d5b6d8e72950`