Unknown Port Exposed To Internet
- Query id: 829ce3b8-065c-41a3-ad57-e0accfea82d2
- Query name: Unknown Port Exposed To Internet
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- Risk score: 7.1
- URL: Github
Description
An AWS Security Group should not expose an unknown port to the entire Internet.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
Resources:
  # ---- IPv4 rules ----
  # Ingress declared inline on the group: a 1000-2000 TCP range plus an
  # all-protocol rule, both reachable from every IPv4 address.
  Positive1IPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Expose unknown port to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 1000
          ToPort: 2000
          CidrIp: "0.0.0.0/0"
        # "-1" means all protocols; AWS ignores FromPort/ToPort for it, so
        # this admits all traffic. A check that keys only on the port fields
        # would wrongly read this as "port 22".
        - IpProtocol: "-1"
          FromPort: 22
          ToPort: 22
          CidrIp: "0.0.0.0/0"

  # The same exposure expressed as standalone ingress resources attached
  # to the group above.
  IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Positive1IPv4
      IpProtocol: "udp"
      FromPort: 1000
      ToPort: 2000
      CidrIp: "0.0.0.0/0"
  IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Positive1IPv4
      IpProtocol: "-1"  # all protocols, port fields ignored
      FromPort: 22
      ToPort: 22
      CidrIp: "0.0.0.0/0"

  # ---- IPv6 rules ----
  # Mirror of the IPv4 cases with the whole IPv6 Internet ("::/0") as source.
  Positive1IPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Expose unknown port to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 1000
          ToPort: 2000
          CidrIpv6: "::/0"
        - IpProtocol: "-1"  # all protocols, port fields ignored
          FromPort: 22
          ToPort: 22
          CidrIpv6: "::/0"
  IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Positive1IPv6
      IpProtocol: "udp"
      FromPort: 1000
      ToPort: 2000
      CidrIpv6: "::/0"
  IPv6Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Positive1IPv6
      IpProtocol: "-1"  # all protocols, port fields ignored
      FromPort: 22
      ToPort: 22
      # Uncompressed spelling of "::/0": still the entire IPv6 Internet, so a
      # check that only string-matches "::/0" would miss it.
      CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0"
Positive test num. 2 - json file
{
"Resources": {
"Positive1IPv4": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Expose unknown port to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 1000,
"ToPort": 2000,
"CidrIp": "0.0.0.0/0"
},
{
"IpProtocol": "-1",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"IPv4Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Positive1IPv4" },
"IpProtocol": "udp",
"FromPort": 1000,
"ToPort": 2000,
"CidrIp": "0.0.0.0/0"
}
},
"IPv4Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Positive1IPv4" },
"IpProtocol": "-1",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
},
"Positive1IPv6": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Expose unknown port to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 1000,
"ToPort": 2000,
"CidrIpv6": "::/0"
},
{
"IpProtocol": "-1",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "::/0"
}
]
}
},
"IPv6Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Positive1IPv6" },
"IpProtocol": "udp",
"FromPort": 1000,
"ToPort": 2000,
"CidrIpv6": "::/0"
}
},
"IPv6Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Positive1IPv6" },
"IpProtocol": "-1",
"FromPort": 22,
"ToPort": 22,
"CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0"
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
Resources:
  # ---- IPv4 rules ----
  # Open to every IPv4 address, but only on a well-known port, so it is
  # not an "unknown port" exposure.
  Negative1IPv4_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "udp"
          FromPort: 22  # well-known port, not an "unknown" one
          ToPort: 22
          CidrIp: "0.0.0.0/0"

  # Wide port range, but the source is a restricted CIDR rather than the
  # whole Internet ("0.0.0.0/0").
  Negative1ArrayTestIPv4:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 6000
          CidrIp: "192.0.0.0/16"  # not "0.0.0.0/0"
        - IpProtocol: "udp"  # neither condition holds: known port and restricted CIDR
          FromPort: 22
          ToPort: 22
          CidrIp: "192.120.0.0/16"

  # ---- IPv6 rules ----
  Negative1IPv6_1:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "udp"
          FromPort: 3389  # well-known port, not an "unknown" one
          ToPort: 3389
          CidrIpv6: "::/0"
  Negative1ArrayTestIPv6:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 0
          ToPort: 6000
          CidrIpv6: "2400:cb00::/32"  # not "::/0"
        - IpProtocol: "udp"  # neither condition holds: known port and restricted CIDR
          FromPort: 3389
          ToPort: 3389
          CidrIpv6: "2400:cb00::/32"
Negative test num. 2 - yaml file
Resources:
  # One group with no inline rules; every rule below is a standalone
  # AWS::EC2::SecurityGroupIngress resource attached to it.
  Negative2SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for negative test cases"
      VpcId: !Ref MyVPC

  # ---- IPv4 rules ----
  Negative2IPv4Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"
      FromPort: 22  # well-known port, not an "unknown" one
      ToPort: 22
      CidrIp: "0.0.0.0/0"
  Negative2IPv4Ingress2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "tcp"
      FromPort: 0
      ToPort: 6000
      CidrIp: "192.0.0.0/16"  # restricted source, not "0.0.0.0/0"
  Negative2IPv4Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"  # neither condition holds: known port and restricted CIDR
      FromPort: 22
      ToPort: 22
      CidrIp: "192.120.0.0/16"

  # ---- IPv6 rules ----
  Negative2IPv6Ingress1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"
      FromPort: 3389  # well-known port, not an "unknown" one
      ToPort: 3389
      CidrIpv6: "::/0"
  Negative2IPv6Ingress3:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "tcp"
      FromPort: 0
      ToPort: 6000
      CidrIpv6: "2400:cb00::/32"  # restricted source, not "::/0"
  Negative2IPv6Ingress4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative2SecurityGroup
      IpProtocol: "udp"  # neither condition holds: known port and restricted CIDR
      FromPort: 3389
      ToPort: 3389
      CidrIpv6: "2400:cb00::/32"
Negative test num. 3 - json file
{
"Resources": {
"Negative1IPv4_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "udp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
]
}
},
"Negative1ArrayTestIPv4": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 6000,
"CidrIp": "192.0.0.0/16"
},
{
"IpProtocol": "udp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "192.120.0.0/16"
}
]
}
},
"Negative1IPv6_1": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "udp",
"FromPort": 3389,
"ToPort": 3389,
"CidrIpv6": "::/0"
}
]
}
},
"Negative1ArrayTestIPv6": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Allow http to client host",
"VpcId": { "Ref": "myVPC" },
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 6000,
"CidrIpv6": "2400:cb00::/32"
},
{
"IpProtocol": "udp",
"FromPort": 3389,
"ToPort": 3389,
"CidrIpv6": "2400:cb00::/32"
}
]
}
}
}
}
Negative test num. 4 - json file
{
"Resources": {
"Negative2SecurityGroup": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Security group for negative test cases",
"VpcId": { "Ref": "MyVPC" }
}
},
"Negative2IPv4Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "0.0.0.0/0"
}
},
"Negative2IPv4Ingress2": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 6000,
"CidrIp": "192.0.0.0/16"
}
},
"Negative2IPv4Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 22,
"ToPort": 22,
"CidrIp": "192.120.0.0/16"
}
},
"Negative2IPv6Ingress1": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 3389,
"ToPort": 3389,
"CidrIpv6": "::/0"
}
},
"Negative2IPv6Ingress3": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "tcp",
"FromPort": 0,
"ToPort": 6000,
"CidrIpv6": "2400:cb00::/32"
}
},
"Negative2IPv6Ingress4": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "Negative2SecurityGroup" },
"IpProtocol": "udp",
"FromPort": 3389,
"ToPort": 3389,
"CidrIpv6": "2400:cb00::/32"
}
}
}
}