
Insecure service configuration - ELB

Description

A misconfiguration or default setting on Elastic Load Balancers that can unintentionally increase the attack surface of the company's cloud infrastructure.

Impact

  • The back-end connection between the load balancer and the server can be exploited.
  • The front-end connection between the client and the load balancer is vulnerable to eavesdropping and man-in-the-middle (MitM) attacks.

Recommendation

  • Application load balancers should use an acceptable (current) SSL/TLS security policy.
  • Create a custom ELB SSL security policy that contains only secure ciphers.
  • It is strongly advised that the load balancer uses a secure (HTTPS) listener.

Threat

An unauthorized attacker on an adjacent network performing a MitM attack.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: A
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: L
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 3.7
    • Temporal: 3.7
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The port property and security policy are set to secure values.

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = aws_lb.front_end.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-3-2021-06"
  certificate_arn   = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.front_end.arn
  }
}

Resources:
  listener1:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTPS"
            Port: 443
            Host: "#{host}"
            Path: "/#{path}"
            Query: "#{query}"
            StatusCode: "HTTP_301"
      LoadBalancerArn: myLoadBalancer
      Port: 80
      Protocol: "HTTPS"
      SslPolicy: ELBSecurityPolicy-TLS13-1-3-2021-06

Non compliant code

The port property of the resource is not set to a secure value, and the SSL policy is outdated.

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = aws_lb.front_end.arn
  port              = "40"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-FS-1-1-2019-08"
  certificate_arn   = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.front_end.arn
  }
}

The resource uses the unsafe HTTP protocol on its listener and an outdated SSL policy.

Resources:
  listener1:
    Type: "AWS::ElasticLoadBalancingV2::Listener"
    Properties:
      DefaultActions:
        - Type: "redirect"
          RedirectConfig:
            Protocol: "HTTPS"
            Port: 443
            Host: "#{host}"
            Path: "/#{path}"
            Query: "#{query}"
            StatusCode: "HTTP_301"
      LoadBalancerArn: myLoadBalancer
      Port: 80
      Protocol: "HTTP"
      SslPolicy: ELBSecurityPolicy-2016-08

Using the AWS CLI, check the ELBv2 security policy of each listener with the following command:

$ aws elbv2 describe-listeners \
    --region us-east-1 \
    --load-balancer-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/cc-internet-facing-alb/aaaabbbbccccdddd \
    --query 'Listeners[*].SslPolicy'

Verify that the returned output uses the most recent security policy defaults defined by AWS.
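The CLI check above returns one policy name per listener and leaves the comparison to the reader. The script below, an added example that is not part of the original page or of any AWS tool, applies the three checks this page describes (HTTPS protocol, port 443, current SSL policy) to the full JSON output of `aws elbv2 describe-listeners`. The sample output embedded in it is constructed with fake ARNs, and the set of accepted policies is an assumption of the example: it contains the policy the compliant examples use plus AWS's TLS 1.2/1.3 policy of the same generation, and should be adjusted to your own baseline.

```python
import json

# Policies this example treats as current. ELBSecurityPolicy-TLS13-1-3-2021-06 is the value used
# by the compliant examples on this page; ELBSecurityPolicy-TLS13-1-2-2021-06 is AWS's TLS 1.2/1.3
# policy of the same generation. This set is an assumption of the example, not an AWS list.
RECOMMENDED_POLICIES = frozenset({
    "ELBSecurityPolicy-TLS13-1-3-2021-06",
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
})

# Constructed sample in the shape of `aws elbv2 describe-listeners` JSON output (fake ARNs).
_ALB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example-alb/aaaabbbbccccdddd"
_TG = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example-tg/2222222222222222"
_LISTENER = "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/example-alb/aaaabbbbccccdddd/"
SAMPLE_DESCRIBE_LISTENERS = json.dumps({
    "Listeners": [
        {   # compliant: HTTPS on 443 with a current policy
            "ListenerArn": _LISTENER + "1111111111111111", "LoadBalancerArn": _ALB,
            "Port": 443, "Protocol": "HTTPS",
            "SslPolicy": "ELBSecurityPolicy-TLS13-1-3-2021-06",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
        {   # non-compliant: cleartext HTTP front end
            "ListenerArn": _LISTENER + "2222222222222222", "LoadBalancerArn": _ALB,
            "Port": 80, "Protocol": "HTTP",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
        {   # non-compliant: non-standard port and an outdated policy
            "ListenerArn": _LISTENER + "3333333333333333", "LoadBalancerArn": _ALB,
            "Port": 8443, "Protocol": "HTTPS",
            "SslPolicy": "ELBSecurityPolicy-2016-08",
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": _TG}],
        },
    ]
})


def audit_listeners(describe_json, recommended=RECOMMENDED_POLICIES):
    """Return a list of (listener_arn, problem) tuples for listeners that fail the page's checks."""
    findings = []
    for listener in json.loads(describe_json).get("Listeners", []):
        arn = listener.get("ListenerArn", "<unknown listener>")
        protocol = listener.get("Protocol")
        port = listener.get("Port")
        policy = listener.get("SslPolicy")

        # HTTPS (ALB) and TLS (NLB) listeners carry an SslPolicy; anything else is cleartext.
        if protocol not in ("HTTPS", "TLS"):
            findings.append((arn, f"protocol {protocol} on port {port}: front-end traffic is not encrypted"))
            continue  # nothing further to evaluate on a cleartext listener
        if port != 443:
            findings.append((arn, f"HTTPS listener on non-standard port {port}"))
        if policy not in recommended:
            findings.append((arn, f"SslPolicy {policy!r} is not one of the recommended policies"))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_DESCRIBE_LISTENERS with the real CLI output to audit a live load balancer,
    # e.g. `aws elbv2 describe-listeners --load-balancer-arn <arn> > listeners.json`.
    for arn, problem in audit_listeners(SAMPLE_DESCRIBE_LISTENERS):
        print(f"{arn}\n    {problem}")
```

Running it on the sample reports nothing for the first listener and three findings in total: the cleartext listener on port 80, the non-standard port 8443, and the ELBSecurityPolicy-2016-08 policy on the third listener. An HTTP listener whose only action is a redirect to HTTPS is still reported, matching the non-compliant CloudFormation example above.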

Requirements