About
Network security groups with accidental or intentional access to the open internet can provide attackers potential pivots to other services. Often rules are added for troubleshooting purposes, not audited, and forgotten. Eventually, they are detected as the result of either an incident or a compliance audit.
Understanding Impact
Business Impact
Network security groups control the traffic that can flow into Azure services. When they are wide open to the internet, they allow anyone to send traffic to your workloads.
This is the equivalent of not running firewalls on the perimeter of your data center. Based on compliance requirements for your business, not monitoring changes or remediating could be a violation.
Technical Impact
While it is common to allow application traffic from the internet (for example: HTTP or HTTPS), management protocols such as SSH or RDP should not be exposed to anyone on the internet. Security group modifications should be monitored and evaluated against a policy on exposure.
Identify affected resources
You can use the following Azure Resource Graph explorer query to identify attached Network Security Groups that allow traffic on sensitive ports:
resources
| where type == "microsoft.network/networksecuritygroups"
| where isnotnull(properties.subnets) or isnotnull(properties.networkInterfaces) // Only attached NSGs
| mv-expand rules=properties.securityRules
| where rules.properties.access == "Allow"
and rules.properties.direction == "Inbound"
and rules.properties.sourceAddressPrefix == "*"
and (
// All ports open
rules.properties.destinationPortRange == "*"
// Specific ports open
or rules.properties.destinationPortRange in ("20", "21", "22", "23", "25", "137", "139", "445", "1433", "2375", "3306", "3389", "5432", "6379", "9200", "9300", "10250", "10255", "16379", "27017", "27018")
// List of ports open
or (isnotnull(rules.properties.destinationPortRanges) and array_length(set_intersect(todynamic(rules.properties.destinationPortRanges), dynamic(["20", "21", "22", "23", "25", "137", "139", "445", "1433", "2375", "3306", "3389", "5432", "6379", "9200", "9300", "10250", "10255", "16379", "27017", "27018"]))) > 0)
// Range of ports, in rules.properties.destinationPortRange, is not supported (e.g. "19-23")
)
| project Resource_Group=resourceGroup,
NSG_Name=name,
NSG_Rule_Name=rules.name,
Destination_Ports=coalesce(rules.properties.destinationPortRange, rules.properties.destinationPortRanges),
subnets=properties.Subnets,
Network_Interfaces=properties.networkInterfaces
Risky ports include, but are not limited to:
- FTP (ports 20 and 21)
- SSH (port 22)
- Telnet (port 23)
- SMTP (port 25)
- NetBIOS (ports 137 and 139)
- SMB (port 445)
- Microsoft SQL Server (port 1433)
- Docker API (port 2375)
- MySQL (3306)
- RDP (port 3389)
- PostgreSQL (port 5432)
- Redis (ports 6379 and 16379)
- ElasticSearch (ports 9200 and 9300)
- Kubelet (10250 and 10255)
- MongoDB (ports 27017 and 27018)
Remediate vulnerable resources
Remove or adapt ingress rules that expose risky ports to the internet. You can also restrict them to specific public IPs.
To remove a network security group rule, remove it from the Azure portal or use the following command:
az network nsg rule delete \
--resource-group your-resource-group \
--nsg-name your-nsg \
--name your-nsg-rule-name
How Datadog can help
Cloud Security Management
Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | The network security group should allow specific port rules".
References
Network Security Groups
azure documentation
Create, change, or delete a network security group
azure documentation