NSAuditor AI EE 0.14.1: Closing the Azure NSG Public-UDP Blind Spot — SNMP, CLDAP, NTP, IPMI, Memcached, rpcbind Now Flagged

EE 0.14.1 adds a dedicated UDP transport lane to plugin 1221 — closing the public-UDP false negative the perimeter auditor shipped with. 17 restricted UDP ports, attachment-aware severity, per-transport priority/deny-override resolution. Plugin count and all six matrices unchanged.


Nsasoft US LLC has shipped NSAuditor AI Enterprise Edition v0.14.1 — a patch cycle on the EE 0.14.0 Azure NSG Perimeter Auditor (plugin 1221) that closes the public-UDP blind spot the perimeter auditor shipped with. It is the thirty-seventh consecutive trio-publish across the enterprise edition, the community edition, and the agent skill — all three are LIVE on npm latest as of May 27, 2026.

The blind spot 0.14.0 left behind

EE 0.14.0 introduced plugin 1221 as the Azure analog of AWS plugin 1170 — with port-tiering, IPv6 wildcard coverage, priority/deny-override resolution, and attachment-awareness. But it tiered only TCP management and data-tier ports. A public-internet UDP management or amplification service — SNMP (161), CLDAP (389), NTP (123), rpcbind / portmapper (111), IPMI (623), IKE (500), Memcached (11211) — fell straight through to the Dim-4 “intentional public web tier” INFO bucket. The scanner blessed a genuinely internet-reachable management service as benign.

That was caught by an adversarial pass through a dedicated false-negative review lens. EE 0.14.1 closes it.

What 0.14.1 adds — the UDP restricted-port lane

A new RESTRICTED_UDP_PORTS set is evaluated over the UDP transport lane in parallel with the existing TCP lane. The set is deliberately UDP-specific (not just a copy of the TCP set) because a port restricted over UDP is not necessarily restricted over TCP, and vice versa.

| Port | Protocol | Why it matters on a public UDP source |
|---|---|---|
| 53 | DNS | Open resolver abuse (amplification, NXDOMAIN attacks). |
| 69 | TFTP | Anonymous file transfer; classic config-leak vector. |
| 111 | rpcbind / portmapper | Reflection amplification; exposes NFS/portmap mappings. |
| 123 | NTP | NTP monlist amplification (the original DDoS amplifier). |
| 137 / 138 | NetBIOS | Workgroup enumeration; pre-domain-era abuse class. |
| 161 / 162 | SNMP | Default-community walk; routinely catalogued at internet scale. |
| 389 | LDAP / CLDAP | CLDAP reflection (one of the most common amplifiers today). |
| 500 / 4500 | IKE / IPsec-NAT-T | VPN endpoint fingerprinting; brute-force IKE PSK. |
| 514 | Syslog | Log injection on internet-exposed loggers. |
| 623 | IPMI | Out-of-band management — internet-reachable IPMI is among the highest-blast-radius mistakes operators still make. |
| 1194 | OpenVPN | UDP VPN endpoint exposure and brute-force surface. |
| 1434 | MSSQL-Monitor | SQL Slammer-class exposure; database server identification. |
| 1900 | SSDP | SSDP amplification. |
| 11211 | Memcached | Memcached amplification (the historic 1.7 Tbps record). |

Two new dimensions are emitted by plugin 1221:

  • Dim 2u — UDP inbound from a public source (* / 0.0.0.0/0 / Internet) to a restricted UDP service.
  • Dim 3u — the same from ::/0 (the IPv6 wildcard — the dimension a flat per-rule lint misses because operators lock IPv4 and forget IPv6).

Severity is attachment-aware: when the NSG is associated with a subnet or NIC the finding is EFFECTIVE CRITICAL; an orphaned NSG with the same rule is LATENT MEDIUM (the finding becomes effective the moment the operator attaches it). And resolution is per-transport: a higher-priority UDP Deny suppresses a lower UDP Allow, and a TCP Deny does not suppress a UDP Allow on the same port.

Dim 4 was also made protocol-aware. A public UDP/161 rule (or a 160-170 range covering it) is no longer mis-counted as a benign non-restricted port, and a range that already produced a restricted CRITICAL no longer also emits a contradictory “intentional web tier” INFO line.
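To make the attachment-aware severity, per-transport deny-override and protocol-aware Dim 4 behaviour concrete, here is an added illustration written for this article; it is not NSAuditor's own plugin code. Rule field names follow Azure's NSG resource shape, while the finding shape, the dimension labels and the sample NSG are assumptions.

```javascript
// Added illustration (not NSAuditor code): a minimal model of the plugin-1221 UDP lane. Sample NSG is constructed.
const RESTRICTED_UDP_PORTS = [53, 69, 111, 123, 137, 138, 161, 162, 389, 500, 4500,
  514, 623, 1194, 1434, 1900, 11211];
const PUBLIC_V4 = new Set(["*", "0.0.0.0/0", "Internet"]);
const proto = r => String(r.protocol).toUpperCase();            // "TCP" / "UDP" / "*"
// "161", "160-170" or "*" -> does the port spec cover this port?
function coversPort(spec, port) {
  if (spec === "*") return true;
  const [lo, hi = lo] = String(spec).split("-").map(Number);
  return port >= lo && port <= hi;
}
// Per-transport deny-override: only a higher-priority (lower number) inbound Deny on the same transport or "*" suppresses
function deniedByHigherPriority(rules, allow, port) {
  return rules.some(r => r.direction === "Inbound" && r.access === "Deny"
    && r.priority < allow.priority && (proto(r) === "*" || proto(r) === proto(allow))
    && coversPort(r.destinationPortRange, port));
}
function auditUdpLane(nsg) {
  const findings = [], attached = (nsg.subnets || []).length + (nsg.networkInterfaces || []).length > 0;
  for (const rule of nsg.securityRules) {
    if (rule.direction !== "Inbound" || rule.access !== "Allow") continue;
    if (proto(rule) !== "UDP" && proto(rule) !== "*") continue;  // TCP-only rules belong to the TCP lane
    const src = rule.sourceAddressPrefix;
    const dim = PUBLIC_V4.has(src) ? "2u" : src === "::/0" ? "3u" : null;
    if (!dim) continue;                                          // not a public source
    let touchesRestricted = false;
    for (const port of RESTRICTED_UDP_PORTS) {
      if (!coversPort(rule.destinationPortRange, port)) continue;
      touchesRestricted = true;                                  // Dim 4 must never call this rule benign
      if (deniedByHigherPriority(nsg.securityRules, rule, port)) continue;
      findings.push({ dim, rule: rule.name, port, severity: attached ? "CRITICAL" : "MEDIUM", state: attached ? "EFFECTIVE" : "LATENT" });
    }
    // Protocol-aware Dim 4: only a public UDP rule covering no restricted port is an "intentional web tier" INFO
    if (!touchesRestricted) findings.push({ dim: "4", rule: rule.name, port: rule.destinationPortRange, severity: "INFO" });
  }
  return findings;
}
// Constructed sample NSG (not real customer data)
const rule = (name, priority, access, protocol, sourceAddressPrefix, destinationPortRange) => ({ name, priority, direction: "Inbound", access, protocol, sourceAddressPrefix, destinationPortRange });
function sampleNsg(attached) {
  return { subnets: attached ? ["subnet-app"] : [], securityRules: [
    rule("deny-tcp-ntp", 100, "Deny", "Tcp", "*", "123"),         // wrong transport: must not suppress UDP/123
    rule("deny-udp-memcached", 150, "Deny", "Udp", "*", "11211"), // same transport: suppresses UDP/11211
    rule("allow-snmp-range", 200, "Allow", "Udp", "Internet", "160-170"),
    rule("allow-ntp-v6", 300, "Allow", "Udp", "::/0", "123"),
    rule("allow-memcached", 400, "Allow", "Udp", "0.0.0.0/0", "11211"),
    rule("allow-stun", 500, "Allow", "Udp", "*", "3478"),
  ] };
}
```

Running auditUdpLane(sampleNsg(true)) yields two Dim 2u CRITICALs for 161 and 162 from the 160-170 range, one Dim 3u CRITICAL for UDP/123 (the TCP Deny does not suppress it), no finding for 11211 (suppressed by the higher-priority UDP Deny) and a single Dim 4 INFO for the STUN rule.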

Six-framework routing — all matrices UNCHANGED

The two per-port 1221 titlePatterns were generalized from permits TCP inbound … to permits (?:TCP|UDP) inbound … across all six framework JSONs. The change preserves the SOC 2 inheritance contract and routes UDP findings to the same controls as the existing TCP exposures:

  • SOC 2 — CC6.6
  • HIPAA — §164.312(a)(1)
  • NIST CSF 2.0 — PR.IR-01 + ID.AM-03
  • PCI DSS v4.0.1 — 1.2.1 / 1.3.1 / 1.4.1 / 6.4.1 / 11.4.1
  • ISO/IEC 27001:2022 — A.8.20 / A.8.22 / A.8.9
  • CIS Controls v8 — 4.4 / 12.2 / 4.2

Plugin count is UNCHANGED at 27 (cloud-audit 26) — this is a patch bump, not a new plugin, and not a schema change. All six coverage matrices remain UNCHANGED: SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 13/10/83 · PCI DSS 20/8/39 · ISO 27001 17/14/62 · CIS v8 17/22/114. UDP findings route into the same CC6.6 / perimeter controls as the existing TCP exposures — the change is substrate-depth uplift, not new coverage surface.

How auditors should read this

If a SOC 2 auditor sampled an Azure NSG from a pre-0.14.1 evidence pack and the operator had a public-internet SNMP/161 rule on it, the auditor would have seen an INFO row labelling it a benign “intentional public web tier” — and the CC6.6 perimeter control would have looked clean. Post-0.14.1, that same NSG produces a CC6.6 CRITICAL when attached, and a MEDIUM latent finding when orphaned. The auditor evidence pack now contains the right verdict from a single scan, with no additional configuration on the operator’s side.

Adversarial review and regression

The fold was built test-first and reviewed through the dedicated cloud-plugin false-negatives lens plus a review subagent. Three folds applied same-session: adding the three highest-blast-radius missing ports (111 rpcbind, 623 IPMI, 1434 MSSQL-Monitor), fixing a Dim-4 range-coverage contradiction, and removing a stale Scope-deferred comment that no longer described the current behaviour. 14 new tests were added (8 UDP-lane + 6 fold). The EE full regression remained 6495/6495 GREEN.

Post-publish validation included a first-customer-install rehearsal (clean license re-bind, no mismatch) and a published-build Azure hexa-framework smoke that confirmed existing NSG verdicts unchanged, and that the all-protocol NSG now emits the 17-port UDP line live from the published artifact (including 111 / 623 / 1434).

Install

npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest

The EE package requires a license; the CE package and the agent skill are public. The hexa-framework one-scan workflow — --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 — produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration; all evidence is generated inside your infrastructure.

Documentation: nsauditor.com/ai/enterprise.