Security group exposes risky ports to the internet

PLATFORM

SERVICE

ec2

DATA BREACHES

known

LAST UPDATED

EXPLOITABILITY Exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability, some might refer to this as likelihood.

IMPACT How impactful to your environment and organization a successful exploitation of this vulnerability is expected to be.

high

medium

About

Security groups with accidental or intentional access to the open internet can provide attackers potential pivots to other services. Often rules are added for troubleshooting purposes, not audited, and forgotten. Eventually, they are detected as the result of either an incident or a compliance audit.

Understanding Impact

Business Impact

Security groups control the traffic that can flow into AWS services. When they are wide open to the internet, they allow anyone to send traffic to your workloads.
This is the equivalent of not running firewalls on the perimeter of your data center. Based on compliance requirements for your business, not monitoring changes or remediating could be a violation.

Technical Impact

Security groups can be attached to workloads such as EC2 instances, load balancers, or Amazon OpenSearch (managed ElasticSearch). While it is common to allow application traffic from the internet (for example: HTTP or HTTPS), management protocols such as SSH or RDP should not be exposed to anyone on the internet. Security group modifications should be monitored and evaluated against a policy on exposure.

Identify affected resources

Use the following command to show information about all security groups in the current region that have at least one ingress rule allowing traffic from anyone on the internet:

aws ec2 describe-security-groups \
--filter Name=ip-permission.cidr,Values=0.0.0.0/0,::/0

Use the values of FromPort and ToPort to identify risky open ports. These ports include, but are not limited to:

  • FTP (ports 20 and 21)
  • SSH (port 22)
  • Telnet (port 23)
  • SMTP (port 25)
  • NetBIOS (ports 137 and 139)
  • SMB (port 445)
  • Microsoft SQL Server (port 1433)
  • Docker API (port 2375)
  • MySQL (3306)
  • RDP (port 3389)
  • PostgreSQL (port 5432)
  • Redis (ports 6379 and 16379)
  • ElasticSearch (ports 9200 and 9300)
  • Kubelet (10250 and 10255)
  • MongoDB (ports 27017 and 27018)

You can use the following command to identify security groups opening one of these ports to the internet:

aws ec2 describe-security-groups \
--filter Name=ip-permission.cidr,Values=0.0.0.0/0,::/0 \
--filter Name=ip-permission.from-port,Values=0,20,21,22,23,25,137,139,445,1433,2375,3306,3389,5432,6379,9200,9300,10250,10255,16379,27017,27018

Remediate vulnerable resources

Remove or adapt ingress rules that expose risky ports to the internet. You can also restrict them to specific public IPs. For remote management, it is recommended to use AWS SSM Session Manager which allows you to authenticate using your existing AWS identity, and does not require opening ingress ports.

To remove a security group rule, use the following command:

aws ec2 revoke-security-group-ingress \
--group-name your-security-group \
--protocol tcp \
--port 3389 \
--cidr 0.0.0.0/0

How Datadog can help

Cloud Security Management

Datadog Cloud Security Management detects this vulnerability using the following out-of-the-box rules:

References

Control traffic to resources using security groups

aws documentation

Creating, configuring, and deleting security groups for Amazon EC2

aws documentation

Did you find this article helpful?