Network Security Group exposes risky ports to the internet

About

Network security groups with accidental or intentional access to the open internet can provide attackers potential pivots to other services. Often rules are added for troubleshooting purposes, not audited, and forgotten. Eventually, they are detected as the result of either an incident or a compliance audit.

Understanding Impact

Business Impact

Network security groups control the traffic that can flow into Azure services. When they are wide open to the internet, they allow anyone to send traffic to your workloads.
This is the equivalent of not running firewalls on the perimeter of your data center. Based on compliance requirements for your business, not monitoring changes or remediating could be a violation.

Technical Impact

While it is common to allow application traffic from the internet (for example: HTTP or HTTPS), management protocols such as SSH or RDP should not be exposed to anyone on the internet. Security group modifications should be monitored and evaluated against a policy on exposure.

Identify affected resources

You can use the following Azure Resource Graph explorer query to identify attached Network Security Groups that allow traffic on sensitive ports:

resources
| where type == "microsoft.network/networksecuritygroups"
| where isnotnull(properties.subnets) or isnotnull(properties.networkInterfaces) // Only attached NSGs
| mv-expand rules=properties.securityRules
| where rules.properties.access == "Allow"
    and rules.properties.direction == "Inbound"
    and rules.properties.sourceAddressPrefix == "*"
    and (
        // All ports open
        rules.properties.destinationPortRange == "*" 
        // Specific ports open
        or rules.properties.destinationPortRange in ("20", "21", "22", "23", "25", "137", "139", "445", "1433", "2375", "3306", "3389", "5432", "6379", "9200", "9300", "10250", "10255", "16379", "27017", "27018")
        // List of ports open
        or (isnotnull(rules.properties.destinationPortRanges) and array_length(set_intersect(todynamic(rules.properties.destinationPortRanges), dynamic(["20", "21", "22", "23", "25", "137", "139", "445", "1433", "2375", "3306", "3389", "5432", "6379", "9200", "9300", "10250", "10255", "16379", "27017", "27018"]))) > 0)
        // Range of ports, in rules.properties.destinationPortRange, is not supported (e.g. "19-23")
    )
| project Resource_Group=resourceGroup, 
          NSG_Name=name, 
          NSG_Rule_Name=rules.name, 
          Destination_Ports=coalesce(rules.properties.destinationPortRange, rules.properties.destinationPortRanges), 
          subnets=properties.Subnets, 
          Network_Interfaces=properties.networkInterfaces

Risky ports include, but are not limited to:

FTP (ports 20 and 21)
SSH (port 22)
Telnet (port 23)
SMTP (port 25)
NetBIOS (ports 137 and 139)
SMB (port 445)
Microsoft SQL Server (port 1433)
Docker API (port 2375)
MySQL (3306)
RDP (port 3389)
PostgreSQL (port 5432)
Redis (ports 6379 and 16379)
ElasticSearch (ports 9200 and 9300)
Kubelet (10250 and 10255)
MongoDB (ports 27017 and 27018)

Remediate vulnerable resources

Remove or adapt ingress rules that expose risky ports to the internet. You can also restrict them to specific public IPs.

To remove a network security group rule, remove it from the Azure portal or use the following command:

az network nsg rule delete \
  --resource-group your-resource-group \
  --nsg-name your-nsg \
  --name your-nsg-rule-name

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the out-of-the-box rule "Datadog CSM Misconfigurations Rule | Network security group should allow specific port rules".

References

Network Security Groups

azure documentation

Create, change, or delete a network security group