Skip to main content

More Info:

Ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access (i.e. 0.0.0.0/0) on TCP port 3306 in order to protect against malicious actors and significantly reduce the attack surface. TCP port 3306 is used by the MySQL Database Server, a popular open-source Relational Database Management System (RDBMS) server.

Risk Level

High

Address

Security

Compliance Standards

SOC2, GDPR, ISO27001, HIPAA, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the unrestricted MySQL database access issue in Azure, please follow the below steps:
  1. Log in to the Azure portal (https://portal.azure.com/).
  2. Navigate to the Azure Database for MySQL service.
  3. Click on the MySQL server that has the unrestricted access issue.
  4. In the left-hand menu, click on “Firewalls and virtual networks”.
  5. Under “Firewall rules”, click on “Add client IP”.
  6. This will automatically add a firewall rule to allow only your IP address to access the MySQL database.
  7. If you need to grant access to a specific IP range, click on “Add existing virtual network” and select the virtual network and subnet that you want to allow access from.
  8. Save the changes by clicking on “Save”.
By following these steps, you have successfully remediated the unrestricted MySQL database access issue in Azure.

The remediation steps for Unrestricted MySQL Database Access on Azure using Azure CLI are as follows:Step 1: Identify the MySQL Database Server that has unrestricted access.
az mysql server list
Step 2: Get the details of the MySQL Database Server.
az mysql server show --resource-group <resource-group-name> --name <mysql-server-name>
Step 3: Update the firewall rules for the MySQL Database Server to restrict access to specific IP addresses or IP ranges.
az mysql server firewall-rule create --resource-group <resource-group-name> --server <mysql-server-name> --name <firewall-rule-name> --start-ip-address <start-ip-address> --end-ip-address <end-ip-address>
Note: Replace the <resource-group-name>, <mysql-server-name>, <firewall-rule-name>, <start-ip-address>, and <end-ip-address> with the appropriate values.Step 4: Delete the existing firewall rule that allows unrestricted access.
az mysql server firewall-rule delete --resource-group <resource-group-name> --server <mysql-server-name> --name <firewall-rule-name>
Note: Replace the <resource-group-name>, <mysql-server-name>, and <firewall-rule-name> with the appropriate values.Step 5: Verify that the firewall rules have been updated successfully.
az mysql server firewall-rule list --resource-group <resource-group-name> --server <mysql-server-name>
Note: Replace the <resource-group-name> and <mysql-server-name> with the appropriate values.By following these steps, you can remediate the Unrestricted MySQL Database Access issue on Azure using Azure CLI.
To remediate the unrestricted MySQL database access issue in Azure using Python, you can follow the below steps:Step 1: Install the Azure SDK for Python using pip
pip install azure
Step 2: Connect to the Azure account using the Azure SDK for Python
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.rdbms.mysql import MySQLManagementClient

# Define the credentials
subscription_id = 'your-subscription-id'
client_id = 'your-client-id'
secret = 'your-client-secret'
tenant = 'your-tenant-id'

# Authenticate the credentials
credentials = ServicePrincipalCredentials(
    client_id=client_id,
    secret=secret,
    tenant=tenant
)

# Connect to the Azure account
resource_client = ResourceManagementClient(credentials, subscription_id)
mysql_client = MySQLManagementClient(credentials, subscription_id)
Step 3: Get the list of MySQL servers in the Azure account
# Get the list of MySQL servers
mysql_servers = mysql_client.servers.list_by_subscription()

# Loop through the MySQL servers
for server in mysql_servers:
    # Get the firewall rules for the MySQL server
    firewall_rules = mysql_client.firewall_rules.list_by_server(resource_group_name=server.resource_group, server_name=server.name)
    
    # Loop through the firewall rules
    for rule in firewall_rules:
        # Check if the rule is unrestricted
        if rule.start_ip_address == '0.0.0.0' and rule.end_ip_address == '255.255.255.255':
            # Remove the unrestricted rule
            mysql_client.firewall_rules.delete(resource_group_name=server.resource_group, server_name=server.name, firewall_rule_name=rule.name)
Step 4: Save the Python script and run it to remediate the unrestricted MySQL database access issue in Azure.Note: This Python script will remove all the firewall rules that allow unrestricted MySQL database access. If you have specific IP addresses that need access, you will need to modify the script accordingly.