
CKV_AZURE_9: source_address_prefix <prefix>/0 and RDP over UDP #7271

Description

@tplisson

Describe the issue
CKV_AZURE_9 is not able to identify misconfigurations for NSG rules that include a source_address_prefix with a /0, like <prefix>/0.

Would suggest replacing INTERNET_ADDRESSES in NSGRulePortAccessRestricted.py (line 8):

INTERNET_ADDRESSES = ("*", "0.0.0.0", "<nw>/0", "/0", "internet", "any")  # nosec

... with some regular expression such as this:

INTERNET_ADDRESSES = re.compile(r"^(?:\*|internet|any|0.0.0.0|(?:[\d.]*?)/0)$", re.IGNORECASE)

Additionally, Microsoft introduced UDP support in RDP 8.0 and later, allowing RDP to use UDP port 3389 alongside TCP. So CKV_AZURE_9 should also be updated to match the UDP protocol too. :/

Examples
Sample Terraform code that currently fails detection (the repeated source_address_prefix / source_address_prefixes lines are alternatives, each annotated with the expected result):

resource "azurerm_network_security_rule" "example" {
  name                        = "example"
  priority                    = 100
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "Tcp"     # should also match on "Udp"
  source_port_range           = "*"
  destination_port_range      = "3389"

  source_address_prefix       = "/0"            # should match
  source_address_prefix       = "0/0"           # should match
  source_address_prefix       = "0.0.0.0/0"     # should match
  source_address_prefix       = "1.2.3.4/0"     # should match
  source_address_prefixes     = ["192.168.100.0/24", "/0", "172.20.100.1/32"]         # should match
  source_address_prefixes     = ["192.168.100.0/24", "0/0", "172.20.100.1/32"]        # should match
  source_address_prefixes     = ["192.168.100.0/24", "0.0.0.0/0", "172.20.100.1/32"]  # should match
  source_address_prefixes     = ["192.168.100.0/24", "1.2.3.4/0", "172.20.100.1/32"]  # should match

  source_address_prefix       = "something/else"  # should not match
  source_address_prefix       = "192.168.1.1"     # should not match
  source_address_prefix       = "192.168.1.1/32"  # should not match
  source_address_prefix       = "172.20.1.0/24"   # should not match
}

Version (please complete the following information):

  • Checkov Version 3.2.460
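The following is an added, standalone illustration of the two points raised in the issue (a regex that treats any `<prefix>/0`, `*`, `internet`, `any` or `0.0.0.0` source as Internet-wide, and a protocol check that accepts Udp as well as Tcp). It is example code written for this page, not Checkov's own implementation: the helper names `is_internet_source`, `port_range_covers`, `rule_is_open_rdp` and `scan` are hypothetical, the sample rules are constructed, and the assumption that the check should fire on an inbound Allow rule whose destination port range covers 3389 is the author of this example's, not the project's.

```python
import re
from typing import Any, Mapping

# Hypothetical helper names chosen for this example; not Checkov identifiers.
RDP_PORT = 3389

# Case-insensitive; dots are escaped so "0.0.0.0" matches literally, and the
# trailing alternative accepts any digits/dots followed by "/0" (so "/0",
# "0/0", "0.0.0.0/0" and "1.2.3.4/0" all match, while "10.0.0.0/8" does not).
INTERNET_SOURCE = re.compile(r"^(?:\*|internet|any|0\.0\.0\.0|[\d.]*/0)$", re.IGNORECASE)


def is_internet_source(prefix: str) -> bool:
    """True if a single source address prefix means 'anyone on the Internet'."""
    return bool(INTERNET_SOURCE.match(prefix.strip()))


def port_range_covers(port_range: str, port: int) -> bool:
    """True if an NSG port range ('*', '3389', '3000-4000', '22,3389') includes port."""
    for part in port_range.split(","):
        part = part.strip()
        if part == "*":
            return True
        low_s, _, high_s = part.partition("-")
        try:
            low = int(low_s)
            high = int(high_s) if high_s else low
        except ValueError:
            continue  # not a numeric range piece; skip it
        if low <= port <= high:
            return True
    return False


def _as_list(value: Any) -> list:
    """Normalise a scalar attribute or a list attribute to a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def rule_is_open_rdp(rule: Mapping[str, Any]) -> bool:
    """Flag an inbound Allow rule exposing TCP or UDP 3389 to the Internet (assumed condition)."""
    if str(rule.get("direction", "")).lower() != "inbound":
        return False
    if str(rule.get("access", "")).lower() != "allow":
        return False
    # Accept Udp as well as Tcp, per the issue; "*" covers both.
    if str(rule.get("protocol", "")).lower() not in ("tcp", "udp", "*"):
        return False
    ports = _as_list(rule.get("destination_port_range")) + _as_list(rule.get("destination_port_ranges"))
    if not any(port_range_covers(str(p), RDP_PORT) for p in ports):
        return False
    sources = _as_list(rule.get("source_address_prefix")) + _as_list(rule.get("source_address_prefixes"))
    return any(is_internet_source(str(s)) for s in sources)


# Constructed sample rules for this example (not from any real deployment).
SAMPLE_RULES = {
    "udp_rdp_from_slash0": {
        "direction": "Inbound", "access": "Allow", "protocol": "Udp",
        "destination_port_range": "3389", "source_address_prefix": "1.2.3.4/0",
    },
    "tcp_rdp_in_range_from_list": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "destination_port_range": "3000-4000",
        "source_address_prefixes": ["192.168.100.0/24", "/0", "172.20.100.1/32"],
    },
    "rdp_from_office_only": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "destination_port_range": "3389", "source_address_prefix": "172.20.1.0/24",
    },
    "ssh_not_rdp": {
        "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "destination_port_range": "22", "source_address_prefix": "0.0.0.0/0",
    },
}


def scan(rules: Mapping[str, Mapping[str, Any]]) -> list:
    """Return the sorted names of rules that the check would flag."""
    return sorted(name for name, rule in rules.items() if rule_is_open_rdp(rule))


if __name__ == "__main__":
    for name in scan(SAMPLE_RULES):
        print(f"FAILED: {name}")
```

Running the block prints the two constructed rules that expose 3389 (one over UDP, one via a "/0" entry inside a list and a port range that merely contains 3389), while the office-only and SSH rules pass.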

Labels: checks (Check additions or changes)