Check for Unrestricted UDP Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Network-015

Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e. 0.0.0.0/0) on UDP ports in order to implement the Principle of Least Privilege (POLP) and effectively reduce the attack surface. UDP (User Datagram Protocol) is a communication protocol used across the Internet for time-sensitive transmissions such as video streaming or DNS lookups. With UDP, data can be transferred very quickly, but packets can also be lost in transit, and this can create opportunities for malicious activities such as DDoS attacks.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Unrestricted UDP access can allow attackers to use DDoS amplification techniques to reflect spoofed UDP traffic from your Azure virtual machines. The most common types of attacks use exposed DNS, NTP, SSDP, SNMP, CLDAP, and other UDP-based services as amplification sources for disrupting services of other machines on the Azure Virtual Network (VNet), or even to attack connected devices running outside of the Azure network.

Audit

To determine if your Azure network security groups allow unrestricted access on UDP ports, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription filter box, select the Azure account subscription that you want to examine.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name (link) of the network security group that you want to examine.

06 In the blade navigation panel, under Settings, choose Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, verify the value available in the Source column for any inbound rule with the Protocol set to UDP. If one or more rules have the Source set to Any (i.e. 0.0.0.0/0), the selected network security group allows unrestricted traffic on UDP ports, therefore the UDP inbound access to the associated Microsoft Azure cloud resources is not secured.

08 Repeat steps no. 5 – 7 for each network security group available in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az network nsg list command (Windows/macOS/Linux) with custom query filters to list the name of each network security group (and the name of its associated resource group) available in the current Azure subscription:

az network nsg list \
  --output table \
  --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested information:

Name                    ResourceGroup
----------------------  ------------------------------
cc-project5-server-nsg  cloud-shell-storage-westeurope
cc-windows-server-nsg   cloud-shell-storage-westeurope

03 Run az network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group (NSG) that you want to examine and the associated resource group as the identifier parameters to describe the UDP inbound rules defined for the selected network security group:

az network nsg rule list \
  --nsg-name cc-project5-server-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --query "[?direction=='Inbound' && access=='Allow' && protocol=='UDP']"

04 The command output should return the requested security group rule metadata or an empty array, i.e. [], if there are no UDP inbound rules created for the selected NSG:

[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "53",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "etag": "W/\"abcdabcd-abcd-abcd-abcd-abcdabcdabcd\"",
    "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-project5-server-nsg/securityRules/Port_53",
    "name": "DNS_UDP_ACCESS",
    "priority": 100,
    "protocol": "UDP",
    "provisioningState": "Succeeded",
    "resourceGroup": "cloud-shell-storage-westeurope",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]

If the "sourceAddressPrefix" attribute value is set to "*", "internet" or "any", the selected network security group (NSG) allows unrestricted traffic on UDP ports; therefore the UDP inbound/ingress access to the associated Microsoft Azure cloud resources is not secured.

05 Repeat steps no. 3 and 4 for each Azure network security group created within the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.
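As an added example (not part of the original Conformity page or its tooling), the following Python applies the step 04 check to the JSON that az network nsg rule list returns, so the audit can be scripted across many NSGs. It goes slightly beyond the manual check: it also reads sources from the sourceAddressPrefixes list (the form Azure uses when several --source-address-prefixes values are set, leaving sourceAddressPrefix null) and it flags protocol "*" rules, since "any protocol" includes UDP; the sample rules are constructed.

```python
import json

# Source values that mean "anywhere" (compared case-insensitively).
UNRESTRICTED_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet", "any"}


def rule_sources(rule):
    """Return every source prefix of a rule, whichever field Azure populated."""
    sources = []
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    sources.extend(rule.get("sourceAddressPrefixes") or [])
    return sources


def is_unrestricted_udp(rule):
    """True if the rule allows inbound UDP (or any protocol) from anywhere."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    # The page shows "UDP"; other API versions return "Udp", so compare lowercase.
    # "*" is the NSG wildcard for any protocol, which covers UDP too.
    if (rule.get("protocol") or "").lower() not in ("udp", "*"):
        return False
    return any(src.lower() in UNRESTRICTED_SOURCES for src in rule_sources(rule))


def find_unrestricted_udp(rules_json):
    """Parse `az network nsg rule list` JSON output; return names of failing rules."""
    return [r["name"] for r in json.loads(rules_json) if is_unrestricted_udp(r)]


# Constructed sample mirroring the page's rule metadata (ids and etags omitted).
SAMPLE_RULES = json.dumps([
    {"name": "DNS_UDP_ACCESS", "direction": "Inbound", "access": "Allow",
     "protocol": "UDP", "destinationPortRange": "53",
     "sourceAddressPrefix": "*", "sourceAddressPrefixes": []},
    {"name": "DNS_UDP_ADMIN", "direction": "Inbound", "access": "Allow",
     "protocol": "UDP", "destinationPortRange": "53",
     "sourceAddressPrefix": None,
     "sourceAddressPrefixes": ["192.168.10.50/32", "10.0.10.20/32"]},
    {"name": "NTP_ANY_PROTOCOL", "direction": "Inbound", "access": "Allow",
     "protocol": "*", "destinationPortRange": "123",
     "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": []},
    {"name": "DENY_UDP", "direction": "Inbound", "access": "Deny",
     "protocol": "Udp", "destinationPortRange": "*",
     "sourceAddressPrefix": "0.0.0.0/0", "sourceAddressPrefixes": []},
])

if __name__ == "__main__":
    print(find_unrestricted_udp(SAMPLE_RULES))  # ['DNS_UDP_ACCESS', 'NTP_ANY_PROTOCOL']
```

To run it against a real NSG, feed it the output of the step 03 command without the --query filter, so that protocol "*" rules are included.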

Remediation / Resolution

To update your Azure NSG rule(s) configuration in order to restrict UDP access to trusted entities only, such as administrator IP addresses, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to view all your Microsoft Azure cloud resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to reconfigure.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules configuration page, click on the name of the non-compliant security group rule that you want to reconfigure, available in the Name column.

08 On the security group rule configuration panel, perform the following actions:

  1. Select IP Addresses from the Source dropdown list to allow inbound traffic on the configured UDP port from trusted IP addresses only.
  2. For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses, or IP address ranges that will be allowed to access the cloud resources associated with the selected network security group (NSG). You can specify a single value or comma-separated list of multiple values. An example of multiple values is 192.168.10.50/32, 10.0.10.20/32.
  3. Ensure that Action is set to Allow and leave the rest of the NSG configuration settings unchanged.
  4. Choose Save to apply the configuration changes.

09 Repeat steps no. 5 – 8 for each network security group that allows unrestricted inbound access on UDP ports, available in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run az network nsg rule update command (Windows/macOS/Linux) using the name of the network security group rule that you want to reconfigure as the identifier parameter to restrict inbound access on UDP ports to trusted IP addresses only. Set the --source-address-prefixes parameter to the IP address, IP addresses, or IP address ranges that are allowed to access the cloud resource(s) associated with the selected network security group. You can specify a single value (e.g. 192.168.10.50/32) or a space-separated list of multiple values (e.g. 192.168.10.50/32 10.0.10.20/32):

az network nsg rule update \
  --name DNS_UDP_ACCESS \
  --nsg-name cc-project5-server-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --source-address-prefixes 192.168.10.50/32

02 The command output should return the metadata for the reconfigured Azure NSG rule:

{
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": "53",
  "destinationPortRanges": [],
  "direction": "Inbound",
  "etag": "W/\"abcdabcd-abcd-abcd-abcd-abcdabcdabcd\"",
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-project5-server-nsg/securityRules/Port_53",
  "name": "DNS_UDP_ACCESS",
  "priority": 100,
  "protocol": "UDP",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sourceAddressPrefix": "192.168.10.50/32",
  "sourceAddressPrefixes": [],
  "sourceApplicationSecurityGroups": null,
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

03 Repeat steps no. 1 and 2 for each network security group (NSG) that allows unrestricted inbound access on UDP ports, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.

Publication date Oct 20, 2021