Security Groups With Exposed Admin Ports
- Query id: cdbb0467-2957-4a77-9992-7b55b29df7b7
- Query name: Security Groups With Exposed Admin Ports
- Platform: CloudFormation
- Severity: High
- Category: Networking and Firewall
- CWE: 668
- Risk score: 7.7
- URL: Github
Description
Security Groups should not have the administrative ports 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389 open to the whole internet, i.e. reachable from 0.0.0.0/0 or ::/0. The check covers both inline `SecurityGroupIngress` entries on an `AWS::EC2::SecurityGroup` and standalone `AWS::EC2::SecurityGroupIngress` resources.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
Resources:
  Positive1_security_group:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access via port 22
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: "-1"
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
  # Standalone IPv4 ingress rule
  Positive1_ingress_ipv4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Positive1_security_group
      IpProtocol: tcp
      FromPort: 0 # exposes 20, 21, 22, 23
      ToPort: 100
      CidrIp: 0.0.0.0/0
  # Standalone IPv6 ingress rule
  Positive1_ingress_ipv6:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Positive1_security_group
      IpProtocol: udp
      FromPort: 2000 # exposes 2049
      ToPort: 2060
      CidrIpv6: ::/0
```
Positive test num. 2 - yaml file
```yaml
Resources:
  Positive2_security_group:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access via port 22
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 100
          CidrIp: 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 0
          ToPort: 100
          CidrIpv6: ::/0
        - IpProtocol: "-1"
          FromPort: 22
          ToPort: 22
          CidrIpv6: ::/0
  # Standalone IPv4 ingress rule
  Positive2_ingress_ipv4:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Positive2_security_group
      IpProtocol: "-1"
      FromPort: 0
      ToPort: 100
      CidrIp: 0.0.0.0/0
  # Standalone IPv6 ingress rule
  Positive1_ingress_ipv6:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Positive2_security_group
      IpProtocol: "-1"
      FromPort: 0
      ToPort: 100
      CidrIpv6: ::/0
```
Positive test num. 3 - json file
```json
{
  "Resources": {
    "Positive1_security_group": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable SSH access via port 22",
        "VpcId": {
          "Ref": "MyVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "-1",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "Positive1_ingress_ipv4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Positive1_security_group"
        },
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 100,
        "CidrIp": "0.0.0.0/0"
      }
    },
    "Positive1_ingress_ipv6": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Positive1_security_group"
        },
        "IpProtocol": "udp",
        "FromPort": 2000,
        "ToPort": 2060,
        "CidrIpv6": "::/0"
      }
    }
  }
}
```
Positive test num. 4 - json file
```json
{
  "Resources": {
    "Positive2_security_group": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable SSH access via port 22",
        "VpcId": {
          "Ref": "MyVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 0,
            "ToPort": 100,
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "udp",
            "FromPort": 0,
            "ToPort": 100,
            "CidrIpv6": "::/0"
          },
          {
            "IpProtocol": "-1",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIpv6": "::/0"
          }
        ]
      }
    },
    "Positive2_ingress_ipv4": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Positive2_security_group"
        },
        "IpProtocol": "-1",
        "FromPort": 0,
        "ToPort": 100,
        "CidrIp": "0.0.0.0/0"
      }
    },
    "Positive1_ingress_ipv6": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Positive2_security_group"
        },
        "IpProtocol": "-1",
        "FromPort": 0,
        "ToPort": 100,
        "CidrIpv6": "::/0"
      }
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
Resources:
  Negative1_security_group:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Open security group
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5000 # does not expose admin port
          ToPort: 5000
          CidrIp: 0.0.0.0/0
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 0
          CidrIp: 192.162.0.0/16 # cidr is not 0.0.0.0/0
        - IpProtocol: udp
          FromPort: 0
          ToPort: 20000
          CidrIpv6: 2001:0db8::/32 # cidr is not ::/0
        - IpProtocol: udp
          FromPort: 5000 # does not expose admin port
          ToPort: 5000
          CidrIpv6: ::/0
  # Standalone IPv4 ingress rules
  Negative1_ingress_ipv4_1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative1_security_group
      IpProtocol: tcp
      FromPort: 5000 # does not expose admin port
      ToPort: 5000
      CidrIp: 0.0.0.0/0
  Negative1_ingress_ipv4_2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative1_security_group
      IpProtocol: "-1"
      FromPort: 3000
      ToPort: 3000
      CidrIp: 192.162.0.0/16 # cidr is not 0.0.0.0/0
  # Standalone IPv6 ingress rules
  Negative1_ingress_ipv6_1:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative1_security_group
      IpProtocol: tcp
      FromPort: 5000 # does not expose admin port
      ToPort: 5000
      CidrIpv6: ::/0
  Negative1_ingress_ipv6_2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref Negative1_security_group
      IpProtocol: udp
      FromPort: 0
      ToPort: 20000
      CidrIpv6: 2001:0db8::/32 # cidr is not ::/0
```
Negative test num. 2 - json file
```json
{
  "Resources": {
    "Negative1_security_group": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Open security group",
        "VpcId": {
          "Ref": "MyVPC"
        },
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 5000,
            "ToPort": 5000,
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "-1",
            "FromPort": 0,
            "ToPort": 0,
            "CidrIp": "192.162.0.0/16"
          },
          {
            "IpProtocol": "udp",
            "FromPort": 0,
            "ToPort": 20000,
            "CidrIpv6": "2001:0db8::/32"
          },
          {
            "IpProtocol": "udp",
            "FromPort": 5000,
            "ToPort": 5000,
            "CidrIpv6": "::/0"
          }
        ]
      }
    },
    "Negative1_ingress_ipv4_1": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative1_security_group"
        },
        "IpProtocol": "tcp",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIp": "0.0.0.0/0"
      }
    },
    "Negative1_ingress_ipv4_2": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative1_security_group"
        },
        "IpProtocol": "-1",
        "FromPort": 3000,
        "ToPort": 3000,
        "CidrIp": "192.162.0.0/16"
      }
    },
    "Negative1_ingress_ipv6_1": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative1_security_group"
        },
        "IpProtocol": "tcp",
        "FromPort": 5000,
        "ToPort": 5000,
        "CidrIpv6": "::/0"
      }
    },
    "Negative1_ingress_ipv6_2": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {
          "Ref": "Negative1_security_group"
        },
        "IpProtocol": "udp",
        "FromPort": 0,
        "ToPort": 20000,
        "CidrIpv6": "2001:0db8::/32"
      }
    }
  }
}
```
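To show what the query is actually deciding on, here is an added Python checker that is not part of KICS or of this page. It walks a CloudFormation JSON template, collects both inline `SecurityGroupIngress` entries and standalone `AWS::EC2::SecurityGroupIngress` resources, and reports every rule that opens one of the listed admin ports to `0.0.0.0/0` or `::/0`. The embedded template and the resource names `WebSg` and `RdpFromAnywhere` are constructed for this example. One assumption to note: the checker treats `IpProtocol: "-1"` as opening every port, because EC2 ignores `FromPort`/`ToPort` when the protocol is `-1`; the page does not say how the KICS query itself handles that case. Ports given as intrinsic functions (for example `{"Ref": ...}`) cannot be resolved statically and are skipped.

```python
"""Static check for admin ports exposed to the internet in CloudFormation (added example)."""
from __future__ import annotations

import json
from typing import Iterator

# Admin/management ports named in the KICS query description.
ADMIN_PORTS = (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)
# CIDRs that mean "anyone on the internet" for IPv4 and IPv6.
UNRESTRICTED_CIDRS = ("0.0.0.0/0", "::/0")
# Protocols that carry a port range; -1 is handled separately (all traffic).
PORTED_PROTOCOLS = ("tcp", "udp", "6", "17")


def iter_ingress_rules(template: dict) -> Iterator[tuple[str, dict]]:
    """Yield (logical_id, rule) for every ingress rule in the template.

    Covers inline rules under AWS::EC2::SecurityGroup.SecurityGroupIngress and
    standalone AWS::EC2::SecurityGroupIngress resources, which is why the
    page's positive samples include both forms.
    """
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        rtype = resource.get("Type")
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def exposed_admin_ports(rule: dict) -> list[int]:
    """Return the admin ports this single rule opens to the whole internet."""
    cidrs = (rule.get("CidrIp"), rule.get("CidrIpv6"))
    if not any(c in UNRESTRICTED_CIDRS for c in cidrs):
        return []  # restricted source range: not a finding for this query
    proto = str(rule.get("IpProtocol", "-1"))
    if proto == "-1":
        # Assumption: -1 means all traffic, so EC2 ignores the port range
        # and every admin port is reachable.
        return list(ADMIN_PORTS)
    if proto not in PORTED_PROTOCOLS:
        return []  # e.g. icmp: no port concept
    try:
        low = int(rule.get("FromPort", 0))
        high = int(rule.get("ToPort", 65535))
    except (TypeError, ValueError):
        # Port expressed as an intrinsic function; cannot be resolved here.
        return []
    return [p for p in ADMIN_PORTS if low <= p <= high]


def scan_template(template: dict) -> list[dict]:
    """Return one finding per offending rule, in template order."""
    findings = []
    for logical_id, rule in iter_ingress_rules(template):
        ports = exposed_admin_ports(rule)
        if ports:
            findings.append({
                "resource": logical_id,
                "protocol": str(rule.get("IpProtocol")),
                "ports": ports,
            })
    return findings


# Constructed sample template: one compliant rule, one SSH rule limited to a
# private range, one wide TCP range open to IPv6, and a protocol -1 RDP rule.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "constructed sample",
        "VpcId": {"Ref": "MyVPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
          {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 100, "CidrIpv6": "::/0"}
        ]
      }
    },
    "RdpFromAnywhere": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": {"Ref": "WebSg"},
        "IpProtocol": "-1",
        "FromPort": 3389,
        "ToPort": 3389,
        "CidrIp": "0.0.0.0/0"
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in scan_template(SAMPLE_TEMPLATE):
        print(f"{finding['resource']}: {finding['protocol']} exposes {finding['ports']}")
```

Run on the sample, the checker flags `WebSg` for ports 20 to 23 (the 0-100 range open to `::/0`) and `RdpFromAnywhere` for every admin port, while the 443 rule and the SSH rule scoped to `10.0.0.0/8` pass, which mirrors the split between the page's positive and negative samples. Feeding it the page's own negative JSON sample yields no findings.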