Unrestricted access between network segments - AWS

Description

The infrastructure definition for network segments in the AWS context is too permissive.

Impact

  • Exposure of resources, processes and sensitive information that could be compromised.
  • Acceptance of incoming or outgoing connections that should be restricted by design.

Recommendation

Limit network segments, ports, IP addresses, network protocols, and administrative services only to the required users.

Threat

Anonymous attacker from Internet.

Expected Remediation Time

⌚ 120 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: U
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C
  • Score:
    • Base: 2.6
    • Temporal: 2.5
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

Define a specific range of ports and a bounded set of sources for the resource (note that `cidr_blocks` takes a list).

resource "aws_security_group_rule" "not_vulnerable" {
  security_group_id = "sg-123456"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["127.0.0.1/32"]
  prefix_list_ids   = ["pl-12c4e678"]
}

resource "aws_security_group" "not_vulnerable" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = "someid"

  ingress {
    from_port   = 0
    to_port     = 8000
    protocol    = "tcp"
    cidr_blocks = ["127.0.0.1/32"]
  }

  egress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "udp"
    cidr_blocks     = ["172.16.0.0/12"]
    prefix_list_ids = ["pl-12c4e678"]
  }

  tags = {
    method = "aws.terraform.ec2.allows_all_outbound_traffic"
    Name   = "aws.terraform.allows_all_outbound_traffic"
  }
}

Non compliant code

Examples of resources configured with a large range of open ports reachable from any address.

resource "aws_security_group_rule" "vulnerable" {
  security_group_id = "sg-123456"
  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  prefix_list_ids   = ["pl-12c4e678"]
}

The same pattern in CloudFormation:

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      VpcId:
        Ref: myVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
  OutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      CidrIp: 0.0.0.0/0
      DestinationSecurityGroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
  InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 0
      ToPort: 56
      SourceSecurityGroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId

Example of an EC2 instance with no IAM instance profile defined:

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"

  tags = {
    Name = "HelloWorld"
  }
}

Using the AWS CLI with the following commands:

$ aws ec2 describe-security-groups \
    --region us-east-1 \
    --filters Name=ip-permission.from-port,Values=53 Name=ip-permission.to-port,Values=53 Name=ip-permission.ipv6-cidr,Values='::/0' \
    --query 'SecurityGroups[*].{Name:GroupName}'

This returns any group that exposes DNS (port 53) to every IPv6 address:

[
  {
    "Name": "DNSServerSecurityGroup"
  }
]

Similarly, the following command returns any group with unrestricted FTP access (ports 20 and 21):

$ aws ec2 describe-security-groups \
    --region us-east-1 \
    --filters Name=ip-permission.from-port,Values=20,21 Name=ip-permission.to-port,Values=20,21 Name=ip-permission.ipv6-cidr,Values='::/0' \
    --query 'SecurityGroups[*].{Name:GroupName}'

The following command lists the egress rules of a given security group so that unrestricted outbound access on all ports can be checked:

$ aws ec2 describe-security-groups \
    --region us-east-1 \
    --group-ids {group_id} \
    --query 'SecurityGroups[*].IpPermissionsEgress[]'
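The CLI queries above check one port pattern at a time. As an added example that is not part of the original page, the following Python script applies the same idea to the whole JSON that `aws ec2 describe-security-groups` returns: it flags every ingress or egress rule that is open to 0.0.0.0/0 or ::/0 on all protocols, on a wide port range, or on a sensitive service port. The security groups embedded in it are constructed sample data, and the `WIDE_RANGE` threshold and `SENSITIVE_PORTS` list are assumptions to tune for your environment.

```python
"""Audit `aws ec2 describe-security-groups` output for unrestricted rules.

Added example, not code from the original page. The groups in SAMPLE_GROUPS
are constructed test data; the thresholds below are assumptions to tune.
"""
import json
import sys

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"
WIDE_RANGE = 100          # assumption: a span of this many ports counts as "wide"
SENSITIVE_PORTS = {       # assumption: services that should never face the world
    20: "ftp-data", 21: "ftp", 22: "ssh", 53: "dns", 3389: "rdp",
}

# Constructed sample in the shape of `--query 'SecurityGroups[]'` output.
SAMPLE_GROUPS = json.loads("""[
  {"GroupId": "sg-000001", "GroupName": "web-tls",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}],
   "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-000002", "GroupName": "DNSServerSecurityGroup",
   "IpPermissions": [{"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
                      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1",
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-000003", "GroupName": "wide-open",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
   "IpPermissionsEgress": []}
]""")


def is_unrestricted(rule):
    """True when any CIDR on the rule is the whole IPv4 or IPv6 address space."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return ANY_V4 in cidrs or ANY_V6 in cidrs


def port_span(rule):
    """Port range a rule covers; protocol -1 (all traffic) carries no ports."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def audit_rule(rule, direction):
    """Findings for one IpPermissions entry; empty when the source is bounded."""
    if not is_unrestricted(rule):
        return []
    proto = rule.get("IpProtocol")
    lo, hi = port_span(rule)
    if proto == "-1":
        return [f"{direction}: all protocols and ports open to any address"]
    findings = []
    if hi - lo >= WIDE_RANGE:
        findings.append(f"{direction}: {proto} ports {lo}-{hi} open to any address")
    for port, name in sorted(SENSITIVE_PORTS.items()):
        if lo <= port <= hi:
            findings.append(f"{direction}: {name} (port {port}) reachable from any address")
    return findings


def audit_groups(groups):
    """Map GroupName -> findings, listing only groups with at least one finding."""
    report = {}
    for group in groups:
        findings = []
        for rule in group.get("IpPermissions", []):
            findings += audit_rule(rule, "ingress")
        for rule in group.get("IpPermissionsEgress", []):
            findings += audit_rule(rule, "egress")
        if findings:
            report[group["GroupName"]] = findings
    return report


if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups --query 'SecurityGroups[]' > sg.json
    #        python audit_sg.py sg.json      (no argument: audit the sample data)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_GROUPS
    for name, findings in audit_groups(data).items():
        print(name)
        for line in findings:
            print("  -", line)
```

Run against the sample, the script reports nothing for `web-tls`, flags the DNS group for both its IPv6-wide UDP 53 ingress and its all-traffic egress, and flags `wide-open` for the full TCP port range plus each sensitive port inside it. Bounded sources (a VPC CIDR, a prefix list, or another security group) are not flagged, which is the state the compliant example above describes.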

Requirements