Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for Unrestricted Oracle Database Access

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Network-009

Ensure that your Microsoft Azure network security groups (NSGs) restrict inbound/ingress access on TCP port 1521 to trusted entities only (i.e. IP addresses) in order to implement the principle of least privilege and vastly reduce the attack surface. TCP port 1521 is used by Oracle Database Server, which is an object-relational database management system (RDBMS) server developed by Oracle Corporation.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Allowing unrestricted access on TCP port 1521 (Oracle Database Server) via Azure network security groups (NSGs) can increase opportunities for malicious activities such as denial-of-service (DoS) and SQL injections attacks, and ultimately lead to data leak and data loss.

Audit

To determine if your Microsoft Azure network security groups allow unrestricted access on TCP port 1521, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to examine.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group (NSG) that you want to examine.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, verify the value available in the SOURCE column for any inbound rule with the PORT set to 1521 and the PROTOCOL set to TCP. If one or more rules have the SOURCE set to Any (i.e. anywhere or 0.0.0.0/0), the TCP port 1521 (Oracle Database Server) is publicly exposed to the Internet.

08 Repeat steps no. 5 – 7 for each network security group created in the selected subscription.

09 Repeat steps no. 3 – 8 for each subscription available within your Microsoft Azure account.

Using Azure CLI

01 Run network nsg list command (Windows/macOS/Linux) using custom query filters to list the names of all network security groups (and their associated resource groups) available in the current Azure subscription: 

az network nsg list
    --output table
    --query '[*].{name:name, resourceGroup:resourceGroup}'

02 The command output should return a table with requested Azure resource information: 

Name                    ResourceGroup
----------------------  ------------------------------
cc-oracle-database-nsg  cloud-shell-storage-westeurope
cc-webapp-server-nsg    cloud-shell-storage-westeurope

03 Run az network nsg rule list command (Windows/macOS/Linux) using the name of the Azure network security group (NSG) that you want to examine and its associated resource group as identifier parameters, to describe the Oracle Database Server ingress rule defined for the selected network security group, using custom query filters: 

az network nsg rule list
    --nsg-name cc-oracle-database-nsg
    --resource-group cloud-shell-storage-westeurope
    --query "[?direction=='Inbound' && access=='Allow' && protocol=='TCP' && destinationPortRange=='1521']"

04 The command output should return the requested security group rule metadata or an empty array, i.e. [], if there are no ingress rules created for TCP port 1521: 

[
  {
    "access": "Allow",
    "description": null,
    "destinationAddressPrefix": "*",
    "destinationAddressPrefixes": [],
    "destinationApplicationSecurityGroups": null,
    "destinationPortRange": "1521",
    "destinationPortRanges": [],
    "direction": "Inbound",
    "etag": "W/\"abcdabcd-abcd-abcd-abcd-abcdabcdabcd\"",
    "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/networkSecurityGroups/cc-oracle-database-nsg/securityRules/ORACLEDB",
    "name": "ORACLEDB",
    "priority": 210,
    "protocol": "TCP",
    "provisioningState": "Succeeded",
    "resourceGroup": "cloud-shell-storage-westeurope",
    "sourceAddressPrefix": "*",
    "sourceAddressPrefixes": [],
    "sourceApplicationSecurityGroups": null,
    "sourcePortRange": "*",
    "sourcePortRanges": [],
    "type": "Microsoft.Network/networkSecurityGroups/securityRules"
  }
]

If the "sourceAddressPrefix" attribute value is set to "*", "internet" or "any", the TCP port 1521 (Oracle Database Server) is publicly exposed to the Internet.

05 Repeat step no. 3 and 4 for each Azure network security group created in the selected subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To reconfigure your Azure NSG rules in order to allow access on TCP port 1521 to trusted IP addresses only, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access.

04 From the Type filter box, select Network security group to list only the security groups available in the selected Azure subscription.

05 Click on the name of the network security group that you want to reconfigure.

06 In the navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, click on the non-compliant security group rule that you want to reconfigure (see Audit section part I to identify the right ingress rule).

08 On the selected security group rule configuration panel, perform the following:

  1. Select IP Addresses from the Source dropdown list to allow inbound/ingress traffic on TCP port 1521 from trusted IP addresses only.
  2. For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses or IP address ranges that will be allowed to access the Azure resources associated with the selected network security group (NSG). You can specify a single value or comma-separated list of multiple values. An example of multiple values is 192.168.205.50/32, 10.0.10.108/32.
  3. Ensure that Action is set to Allow and leave the rest of the configuration settings unchanged.
  4. Click Save to apply the changes.

09 Repeat steps no. 5 – 8 for each network security group that allows unrestricted inbound access on TCP port 1521 (Oracle Database Server), available in the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription created in your Microsoft Azure cloud account.

Using Azure Console

01 Run network nsg rule update command (Windows/macOS/Linux) using the name of the network security group rule that you want to reconfigure as identifier parameter (see Audit section part II to identify the right NSG rule) to restrict inbound/ingress access on TCP port 1521 (Oracle DB Server) to trusted IP address(es) only by setting the --source-address-prefixes parameter to the IP address, IP addresses or IP address ranges that are allowed to access the Azure resources associated with the selected network security group (NSG). You can specify a single value or a space-separated list of multiple values: 

az network nsg rule update
    --name ORACLEDB
    --nsg-name cc-oracle-database-nsg
    --resource-group cloud-shell-storage-westeurope
    --source-address-prefixes 192.168.205.50/32

02 The command output should return the metadata for the reconfigured Azure NSG rule: 

{
  "access": "Allow",
  "description": null,
  "destinationAddressPrefix": "*",
  "destinationAddressPrefixes": [],
  "destinationApplicationSecurityGroups": null,
  "destinationPortRange": "1521",
  "destinationPortRanges": [],
  "direction": "Inbound",
 
  ...
 
  "name": "ORACLEDB",
  "priority": 210,
  "protocol": "TCP",
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "sourceAddressPrefix": "",
  "sourceAddressPrefixes": "192.168.205.50/32",
  "sourcePortRange": "*",
  "sourcePortRanges": [],
  "type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

03 Repeat step no. 1 and 2 for each network security group (NSG) that allows unrestricted inbound/ingress access on TCP port 1521, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.

References

Publication date Oct 26, 2019

Related Network rules