Allocation of File Descriptors or Handles Without Limits or Throttling

Property
Language: c
Severity: medium
CWE: CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The code opens ‘/dev/random’ or ‘/dev/urandom’ and reads from it without checking whether the read operation succeeded or failed. When the read error is not handled, the file descriptor may never be properly closed or released.

Impact

If file descriptors are exhausted due to unchecked read failures, the application may run out of resources, causing it to crash or become unresponsive. This can be exploited by attackers to trigger denial of service, disrupt critical functionality, or degrade system performance.

An egress security group rule allows traffic to /0.

Property
Language: terraform
Severity: critical
Service: ec2
Provider: AWS
Vulnerability Type: misconfiguration

Description

The security group egress rule permits outbound traffic to 0.0.0.0/0, allowing any instance in the group to send data to any IP address on the internet. This configuration lacks restrictions on destination addresses, exposing resources to unnecessary risk.

Impact

Unrestricted egress enables compromised instances to exfiltrate sensitive data or communicate with malicious external servers. This can lead to data breaches, loss of control over network traffic, and increased risk of compliance violations.

An inbound firewall rule allows traffic from /0.

Property
Language: terraform
Severity: critical
Service: compute
Provider: Google
Vulnerability Type: omission

Description

The firewall rule is configured to allow incoming traffic from any IP address (0.0.0.0/0), making the resource accessible from the entire internet. This broad source range bypasses network segmentation and exposes the service to potential unauthorized access.

Impact

Exposing ports to the public internet significantly increases the risk of external attacks, such as unauthorized access, data breaches, or exploitation of service vulnerabilities. Attackers could scan and target open ports, potentially compromising sensitive systems or data.

An inbound network security rule allows traffic from /0.

Property
Language: terraform
Severity: critical
Service: network
Provider: Azure
Vulnerability Type: misconfiguration

Description

The network security rule is configured to allow inbound traffic from any IP address (0.0.0.0/0), exposing the resource to the entire internet. This overly broad rule bypasses network segmentation and makes the resource accessible to unauthorized parties.

Impact

If exploited, attackers anywhere on the internet can reach the exposed port, increasing the risk of unauthorized access, data breaches, and service disruption. This significantly elevates the attack surface and can lead to compromise of sensitive systems or data within the Azure environment.

An ingress db security group rule allows traffic from /0.

Property
Language: terraform
Severity: critical
Service: rdb
Provider: Nifcloud
Vulnerability Type: misconfiguration

Description

The security group rule allows inbound connections from any IP address (0.0.0.0/0), exposing the database to the entire internet. This configuration lacks network-level restrictions and permits unrestricted external access.

Impact

Attackers can directly access the database from anywhere on the internet, increasing the risk of unauthorized data access, data breaches, or service disruption. This exposure can lead to significant data loss, compromise of sensitive information, or full takeover of database resources.

An ingress nas security group rule allows traffic from /0.

Property
Language: terraform
Severity: critical
Service: nas
Provider: Nifcloud
Vulnerability Type: misconfiguration

Description

The NAS security group rule permits incoming traffic from any IP address (0.0.0.0/0), effectively exposing the NAS service to the entire internet without restriction. This configuration lacks proper network access controls.

Impact

An attacker anywhere on the internet could attempt to access exposed NAS resources, leading to potential data breaches, unauthorized data manipulation, or disruption of services. This significantly increases the risk of compromise and unauthorized access to sensitive storage.

An ingress Network ACL rule allows specific ports from /0.

Property
Language: terraform
Severity: critical
Service: ec2
Provider: AWS
Vulnerability Type: misconfiguration

Description

The Network ACL rule permits inbound traffic on specific ports from any IP address (0.0.0.0/0), effectively exposing those ports to the entire internet. This configuration lacks restrictions on which networks can access sensitive services.

Impact

Attackers can scan and attempt unauthorized access to exposed services (such as SSH or RDP), increasing the risk of brute-force attacks, exploitation of vulnerabilities, or unauthorized entry into the AWS environment. This can lead to data breaches, service disruption, or full compromise of cloud resources.

An ingress security group rule allows traffic from /0.

Property
Language: terraform
Severity: critical
Service: computing
Provider: Nifcloud
Vulnerability Type: misconfiguration

Description

The security group rule allows incoming traffic from any IP address (0.0.0.0/0), exposing resources directly to the public internet without restriction. This configuration fails to limit access to trusted sources.

Impact

Unrestricted public exposure enables attackers anywhere to scan for open ports, launch attacks, exploit vulnerabilities, or gain unauthorized access, potentially leading to data breaches, service disruption, or full compromise of the affected systems.

An ingress security group rule allows traffic from /0.

Property
Language: terraform
Severity: critical
Service: ec2
Provider: AWS
Vulnerability Type: misconfiguration

Description

The security group rule permits ingress traffic from all IP addresses (0.0.0.0/0), making the associated port accessible from anywhere on the internet. This configuration exposes resources to unauthorized access by not restricting inbound connections.

Impact

If exploited, attackers could connect to the exposed port from any location, increasing the risk of unauthorized access, brute-force attacks, or exploitation of service vulnerabilities. This could lead to data breaches, service disruption, or full system compromise.

A Network ACL rule allows ALL ports.

Property
Language: terraform
Severity: critical
Service: ec2
Provider: AWS
Vulnerability Type: misconfiguration

Description

A Network ACL rule is configured to allow traffic on all ports, rather than restricting access to only necessary ports. This broad rule removes critical network-layer protections and increases the attack surface.

Impact

Allowing all ports through the Network ACL can enable attackers to probe and exploit any open service in the VPC, leading to unauthorized access, data breaches, or compromise of cloud resources. This can result in significant security incidents and exposure of sensitive assets.