Unknown Port Exposed To Internet
- Query id: 590d878b-abdc-428f-895a-e2b68a0e1998
- Query name: Unknown Port Exposed To Internet
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- CWE: 200
- Risk score: 7.1
- URL: Github
Description
AWS Security Group should not have an unknown port exposed to the entire Internet
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Flagged: a wide TCP range (44-443) is reachable from every IPv4 address
# (0.0.0.0/0). The range spans many ports that are not a recognised service
# port, which is the condition this query reports.
resource "aws_security_group" "positive1-1" {
  name        = "allow_tls"
  description = "Unknown port exposed"
  ingress {
    description = "Unknown port exposed"
    from_port   = 44
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # world-reachable source
  }
}
# Flagged: both ingress rules list 0.0.0.0/0 next to a private prefix. Each
# CIDR entry is an independent source, so the private entry does not narrow
# the rule; the 0.0.0.0/0 entry alone makes the port world-reachable.
# NOTE(review): presumably port 18 is the one outside the query's known-port
# list; whether port 80 (HTTP) is also treated as unknown cannot be read from
# this sample - verify against the query.
resource "aws_security_group" "positive1-2" {
  name        = "allow_tls"
  description = "Unknown port exposed"
  ingress {
    description = "Unknown port exposed"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["192.168.0.0/24", "0.0.0.0/0"]
  }
  ingress {
    description = "Unknown port exposed"
    from_port   = 18
    to_port     = 18
    protocol    = "tcp"
    cidr_blocks = ["192.168.0.0/24", "0.0.0.0/0"]
  }
}
# Flagged: TCP 600-1200 is open to every IPv6 address (::/0), which is as
# exposed as 0.0.0.0/0 on the IPv4 side. The rule description ("Remote
# desktop open private") does not match what the rule does - looks like a
# copy-paste leftover; a misleading description hinders review.
resource "aws_security_group" "positive1-3" {
  name        = "allow_tls"
  description = "Unknown port exposed"
  ingress {
    description      = "Remote desktop open private"
    from_port        = 600
    to_port          = 1200
    protocol         = "tcp"
    ipv6_cidr_blocks = ["::/0"]   # IPv6 "any"
  }
}
# Flagged on the second ingress rule: its list contains ::/0. The first rule
# is limited to fd01::/8 (a unique-local prefix) and is not world-reachable on
# its own; having it in the same group does not mitigate the second rule.
resource "aws_security_group" "positive1-4" {
  name        = "allow_tls"
  description = "Unknown port exposed"
  ingress {
    description      = "Unknown port exposed"
    from_port        = 60
    to_port          = 85
    protocol         = "tcp"
    ipv6_cidr_blocks = ["fd01::/8"]   # local prefix only
  }
  ingress {
    description      = "Unknown port exposed"
    from_port        = 65
    to_port          = 81
    protocol         = "tcp"
    ipv6_cidr_blocks = ["fd00::/8", "::/0"]   # ::/0 opens the range to the Internet
  }
}
# Flagged via IPv6: the IPv4 source is restricted to 192.120.0.0/16, but
# ipv6_cidr_blocks is ::/0, so TCP 5001 is still reachable from the whole
# IPv6 Internet. Restricting one address family does not cover the other.
resource "aws_security_group" "positive1-5" {
  name        = "allow_tls"
  description = "Unknown port exposed"
  ingress {
    description      = "Unknown port exposed"
    from_port        = 5001
    to_port          = 5001
    protocol         = "tcp"
    cidr_blocks      = ["192.120.0.0/16"]   # restricted
    ipv6_cidr_blocks = ["::/0"]             # open
  }
}
# Flagged via IPv4: the mirror image of positive1-5 - IPv6 is limited to the
# unique-local prefix fd00::/8, but cidr_blocks is 0.0.0.0/0.
resource "aws_security_group" "positive1-6" {
  name        = "allow_tls"
  description = "Unknown port exposed"
  ingress {
    description      = "Unknown port exposed"
    from_port        = 5001
    to_port          = 5001
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]   # open
    ipv6_cidr_blocks = ["fd00::/8"]    # restricted
  }
}
# Flagged on both address families: TCP 5001 is open to 0.0.0.0/0 and ::/0.
resource "aws_security_group" "positive1-7" {
  name        = "allow_tls"
  description = "Unknown port exposed"
  ingress {
    description      = "Unknown port exposed"
    from_port        = 5001
    to_port          = 5001
    protocol         = "tcp"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}
Positive test num. 2 - tf file
# The group itself carries no inline rules; the exposure in this sample comes
# from the separate aws_vpc_security_group_ingress_rule resources that
# reference it. Reviewing the group in isolation would miss the finding.
resource "aws_security_group" "positive2" {
  name        = "allow_tls_1"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id
}
# Flagged: standalone ingress rule opening TCP 44-443 to 0.0.0.0/0 on the
# positive2 group. Same condition as positive1-1, expressed with the
# aws_vpc_security_group_ingress_rule resource (single cidr_ipv4 string).
resource "aws_vpc_security_group_ingress_rule" "positive2-1" {
  security_group_id = aws_security_group.positive2.id
  description       = "Unknown port exposed"
  cidr_ipv4         = "0.0.0.0/0"
  from_port         = 44
  to_port           = 443
  ip_protocol       = "tcp"
}
# Flagged: standalone ingress rule opening TCP 600-1200 to the whole IPv6
# Internet (cidr_ipv6 = "::/0") on the positive2 group.
resource "aws_vpc_security_group_ingress_rule" "positive2-2" {
  security_group_id = aws_security_group.positive2.id
  description       = "Unknown port exposed"
  cidr_ipv6         = "::/0"
  from_port         = 600
  to_port           = 1200
  ip_protocol       = "tcp"
}
Positive test num. 3 - tf file
# Group with no inline rules; the exposure is declared in the
# aws_security_group_rule resources below that reference it.
resource "aws_security_group" "positive3" {
  name        = "allow_tls_1"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id
}
# Flagged: aws_security_group_rule variant of positive1-1 - TCP 44-443 from
# 0.0.0.0/0. The type = "ingress" attribute is what makes the CIDR a source.
resource "aws_security_group_rule" "positive3-1" {
  type              = "ingress"
  security_group_id = aws_security_group.positive3.id
  description       = "Unknown port exposed"
  from_port         = 44
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}
# Flagged: aws_security_group_rule variant of positive1-3 - TCP 600-1200 from
# every IPv6 address (::/0).
resource "aws_security_group_rule" "positive3-2" {
  type              = "ingress"
  security_group_id = aws_security_group.positive3.id
  description       = "Unknown port exposed"
  from_port         = 600
  to_port           = 1200
  protocol          = "tcp"
  ipv6_cidr_blocks  = ["::/0"]
}
Positive test num. 4 - tf file
# Flagged: rule declared through the terraform-aws-modules security-group
# module. The cidr_blocks list includes 0.0.0.0/0, so the private /28 next to
# it does not restrict anything. The entry description ("TLS from VPC") does
# not describe a world-open rule.
# NOTE(review): protocol "-1" means all protocols; the AWS provider normally
# expects from_port/to_port of 0 with it, so the 2300-3000 range here is
# presumably not what limits the exposure - confirm how the module maps it.
module "vote_service_sg_ipv4" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      from_port   = 2300
      to_port     = 3000
      protocol    = "-1"
      cidr_blocks = ["10.92.168.0/28","0.0.0.0/0"]   # 0.0.0.0/0 makes this world-open
    }
  ]
}
# Flagged on the first and third entries: TCP 29000 and TCP 2000-2500 are
# open to 0.0.0.0/0 (the extra 1.2.3.4/27 entry does not narrow the first).
# The middle entry is limited to 10.0.0.0/8 and is not world-reachable by
# itself.
module "vote_service_sg_ipv4_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      from_port   = 29000
      to_port     = 29000
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0", "1.2.3.4/27"]   # world-open
    },
    {
      description = "TLS from VPC"
      from_port   = 28000
      to_port     = 28001
      protocol    = "tcp"
      cidr_blocks = ["10.0.0.0/8"]   # private range only
    },
    {
      description = "TLS from VPC"
      from_port   = 2000
      to_port     = 2500
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]   # world-open
    }
  ]
}
# Flagged: the IPv6 list contains ::/0 alongside a specific /64; TCP
# 2300-3000 is therefore reachable from the whole IPv6 Internet.
module "vote_service_sg_ipv6" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      from_port        = 2300
      to_port          = 3000
      protocol         = "tcp"
      ipv6_cidr_blocks = ["2001:0db8:85a3:0000:0000:8a2e:0370:7334/64","::/0"]   # ::/0 makes this world-open
    }
  ]
}
# Flagged on the first and third entries, both of which list ::/0. The first
# also uses protocol "-1" (all protocols), so the 29000 port value is
# presumably not what bounds it - see the note on vote_service_sg_ipv4. The
# middle entry is limited to a single /24 prefix.
module "vote_service_sg_ipv6_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      from_port        = 29000
      to_port          = 29000
      protocol         = "-1"
      ipv6_cidr_blocks = ["::/0","2606:4700:3033::6815:3e3/56"]   # world-open
    },
    {
      description      = "TLS from VPC"
      from_port        = 28000
      to_port          = 28001
      protocol         = "tcp"
      ipv6_cidr_blocks = ["2606:4700:3035::6815:3e3/24"]   # specific prefix only
    },
    {
      description      = "TLS from VPC"
      from_port        = 2000
      to_port          = 2500
      protocol         = "tcp"
      ipv6_cidr_blocks = ["::/0"]   # world-open
    }
  ]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Not flagged by this query: TCP 2383 is open to 0.0.0.0/0, but the page
# classifies this as a negative, so the query presumably treats 2383 as a
# known service port rather than an "unknown" one - verify against the
# query's port list. The port is still Internet-exposed; this only says the
# finding is outside this query's scope, not that the rule is safe.
resource "aws_security_group" "negative1-1" {
  ingress {
    description = "Remote desktop open private"
    from_port   = 2383
    to_port     = 2383
    protocol    = "tcp"
    cidr_blocks = ["192.168.0.0/24", "0.0.0.0/0"]
  }
}
# Not flagged by this query: TCP 20 (FTP data) is a well-known port, so an
# open ::/0 source on it falls outside the "unknown port" condition. The
# exposure itself remains and should be judged by the queries that cover
# known ports.
resource "aws_security_group" "negative1-2" {
  ingress {
    description      = "Remote desktop open private"
    from_port        = 20
    to_port          = 20
    protocol         = "tcp"
    ipv6_cidr_blocks = ["::/0"]
  }
}
# Not flagged: the port range 0-10000 is wide, but neither source is
# 0.0.0.0/0, so nothing is exposed to the Internet.
# NOTE(review): 192.201.0.0/12 is not on a /12 boundary (the aligned network
# would be 192.192.0.0/12) - confirm the intended prefix.
resource "aws_security_group" "negative1-3" {
  ingress {
    description = "Remote desktop open private"
    from_port   = 0
    to_port     = 10000
    protocol    = "tcp"
    cidr_blocks = ["192.168.0.0/24", "192.201.0.0/12"]
  }
}
# Not flagged: wide TCP range 0-10000, but the only IPv6 source is a single
# /64 prefix, not ::/0.
resource "aws_security_group" "negative1-4" {
  ingress {
    description      = "Remote desktop open private"
    from_port        = 0
    to_port          = 10000
    protocol         = "tcp"
    ipv6_cidr_blocks = ["2001:db8:abcd:0012::/64"]
  }
}
Negative test num. 2 - tf file
# Group with no inline rules; the aws_vpc_security_group_ingress_rule
# resources in this sample are meant to attach to it.
resource "aws_security_group" "negative2" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id
}
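# Not flagged by this query: TCP 2383 open to 0.0.0.0/0, mirroring
# negative1-1 - the page treats 2383 as a known port, so the rule is outside
# this query's scope (it is still Internet-exposed).
# Fix: the rule referenced aws_security_group.negative3, which is defined in
# a different sample file; this file only declares negative2, so the
# reference is corrected to the group declared here.
resource "aws_vpc_security_group_ingress_rule" "negative2-1" {
  security_group_id = aws_security_group.negative2.id
  from_port         = 2383
  to_port           = 2383
  ip_protocol       = "tcp"
  cidr_ipv4         = "0.0.0.0/0"
  description       = "Remote desktop open private"
}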
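# Not flagged by this query: TCP 20 (FTP data, a well-known port) open to
# ::/0, mirroring negative1-2 - outside the "unknown port" condition.
# Fix: the rule referenced aws_security_group.negative3, which is not
# declared in this sample file; it now points at negative2.
resource "aws_vpc_security_group_ingress_rule" "negative2-2" {
  security_group_id = aws_security_group.negative2.id
  from_port         = 20
  to_port           = 20
  ip_protocol       = "tcp"
  cidr_ipv6         = "::/0"
  description       = "Remote desktop open private"
}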
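# Not flagged: wide TCP range 0-10000, but the single IPv4 source is the
# private 192.168.0.0/24, not 0.0.0.0/0.
# Fix: the rule referenced aws_security_group.negative3, which is not
# declared in this sample file; it now points at negative2.
resource "aws_vpc_security_group_ingress_rule" "negative2-3" {
  security_group_id = aws_security_group.negative2.id
  from_port         = 0
  to_port           = 10000
  ip_protocol       = "tcp"
  cidr_ipv4         = "192.168.0.0/24"
  description       = "Remote desktop open private"
}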
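# Not flagged: wide TCP range 0-10000, but the IPv6 source is one /64
# prefix, not ::/0.
# Fix: the rule referenced aws_security_group.negative3, which is not
# declared in this sample file; it now points at negative2.
resource "aws_vpc_security_group_ingress_rule" "negative2-4" {
  security_group_id = aws_security_group.negative2.id
  from_port         = 0
  to_port           = 10000
  ip_protocol       = "tcp"
  cidr_ipv6         = "2001:db8:abcd:0012::/64"
  description       = "Remote desktop open private"
}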
Negative test num. 3 - tf file
# Group with no inline rules; the aws_security_group_rule resources below
# attach to it.
resource "aws_security_group" "negative3" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id
}
# Not flagged by this query: TCP 2383 open to 0.0.0.0/0 (the private /24 in
# the same list does not narrow it). The page treats 2383 as a known port,
# so this is out of scope here; the Internet exposure itself remains.
resource "aws_security_group_rule" "negative3-1" {
  type              = "ingress"
  from_port         = 2383
  to_port           = 2383
  protocol          = "tcp"
  cidr_blocks       = ["192.168.0.0/24", "0.0.0.0/0"]
  security_group_id = aws_security_group.negative3.id
}
# Not flagged by this query: TCP 20 (FTP data, well-known) open to ::/0 -
# outside the "unknown port" condition, though still Internet-exposed.
resource "aws_security_group_rule" "negative3-2" {
  type              = "ingress"
  from_port         = 20
  to_port           = 20
  protocol          = "tcp"
  ipv6_cidr_blocks  = ["::/0"]
  security_group_id = aws_security_group.negative3.id
}
# Not flagged: TCP 0-10000 is wide, but both sources are specific /24
# prefixes; no 0.0.0.0/0 entry.
resource "aws_security_group_rule" "negative3-3" {
  type              = "ingress"
  from_port         = 0
  to_port           = 10000
  protocol          = "tcp"
  cidr_blocks       = ["192.168.0.0/24", "192.162.0.0/24"]
  security_group_id = aws_security_group.negative3.id
}
# Not flagged: TCP 0-10000 limited to a single IPv6 /64 prefix, not ::/0.
resource "aws_security_group_rule" "negative3-4" {
  type              = "ingress"
  from_port         = 0
  to_port           = 10000
  protocol          = "tcp"
  ipv6_cidr_blocks  = ["2001:db8:abcd:0012::/64"]
  security_group_id = aws_security_group.negative3.id
}
Negative test num. 4 - tf file
# Not flagged: protocol "-1" with ports 0/0 (all traffic), but the only
# source is a single host, so nothing is open to the Internet.
# NOTE(review): "1.2.3.4" carries no prefix length - confirm whether /32 was
# intended; the module sample passes it through as written.
module "vote_service_sg_ipv4" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["1.2.3.4"]   # single host, no 0.0.0.0/0
    }
  ]
}
# Not flagged: no entry opens an unknown port to 0.0.0.0/0. The first two
# entries use specific prefixes; the third opens TCP 22 (SSH) to 0.0.0.0/0,
# which is a known port and therefore outside this query - the exposure of
# SSH to the Internet is still a risk in its own right.
# NOTE(review): "0.1.1.1/21" and "8.8.8.8/24" are not on their prefix
# boundaries, the second entry places an IPv6 prefix in the IPv4 cidr_blocks
# field, and "192.01.01.02/23" uses leading zeros - confirm these are
# intentional fixture values rather than typos.
module "vote_service_sg_ipv4_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      from_port   = 2000
      to_port     = 2420
      protocol    = "udp"
      cidr_blocks = ["0.1.1.1/21", "8.8.8.8/24"]   # specific prefixes only
    },
    {
      description = "TLS from VPC"
      from_port   = 28000
      to_port     = 28001
      protocol    = "tcp"
      cidr_blocks = ["2606:4700:3035::6815:3e3/24"]   # IPv6 value in an IPv4 field
    },
    {
      description = "TLS from VPC"
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["192.01.01.02/23","0.0.0.0/0"]   # known port (SSH), out of this query's scope
    }
  ]
}
# Not flagged: TCP with ports 0/0, source limited to one IPv6 /64 prefix;
# no ::/0 entry.
module "vote_service_sg_ipv6" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      from_port        = 0
      to_port          = 0
      protocol         = "tcp"
      ipv6_cidr_blocks = ["2001:0db8:85a3:0000:0000:8a2e:0370:7334/64"]   # specific prefix only
    }
  ]
}
# Not flagged: the first two entries use specific IPv6 prefixes; the third
# opens TCP 22 (SSH) to ::/0, which is a known port and so outside this
# query's "unknown port" condition. SSH open to the IPv6 Internet is still
# an exposure to assess separately.
module "vote_service_sg_ipv6_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      from_port        = 2000
      to_port          = 2420
      protocol         = "udp"
      ipv6_cidr_blocks = ["2001:0db8:85a3::8a2e:0370:7334/64","2606:4700:3033::6815:3e3/56"]   # specific prefixes only
    },
    {
      description      = "TLS from VPC"
      from_port        = 28000
      to_port          = 28001
      protocol         = "tcp"
      ipv6_cidr_blocks = ["2606:4700:3035::6815:3e3/24"]   # specific prefix only
    },
    {
      description      = "TLS from VPC"
      from_port        = 22
      to_port          = 22
      protocol         = "tcp"
      ipv6_cidr_blocks = ["::/0"]   # known port (SSH), out of this query's scope
    }
  ]
}