False positive on ec2_securitygroup_allow_ingress_from_internet_to_any_port #5172

Closed
dazzag24 opened this issue Sep 24, 2024 · 5 comments · Fixed by #5215
Labels: bug, provider/aws (Issues/PRs related with the AWS provider), severity/medium (Results in some unexpected or undesired behavior)

Comments

@dazzag24

Hi,
I can see this was fixed in 3.6.0 last year but I'm seeing the same issue in Prowler version 4.3.5.

I have a security group with ports 80 and 443 open for ingress, and all egress traffic is allowed:

{
    "SecurityGroups": [
        {
            "Description": "Foo",
            "GroupName": "<redacted>",
            "IpPermissions": [
                {
                    "FromPort": 80,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 80,
                    "UserIdGroupPairs": []
                },
                {
                    "FromPort": 443,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 443,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "<redacted>",
            "GroupId": "sg-<redacted>",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "<redacted>"
                }
            ],
            "VpcId": "vpc-<redacted>"
        }
    ]
}

which is the same as the one above.

which results in a Prowler finding of:

Details

ResourceUid:
arn:aws:ec2:eu-west-2:<redacted>:security-group/sg-<redacted>

FindingUid:
prowler-aws-ec2_securitygroup_allow_ingress_from_internet_to_any_port-<redacted>-eu-west-2-sg-<redacted>

CheckId:
ec2_securitygroup_allow_ingress_from_internet_to_any_port

Type:
AwsEc2SecurityGroup

Details:
<redacted>

StatusExtended:
Security group <redacted>- (sg-<redacted>) has at least one port open to the Internet and neither its network interface type (interface) nor its network interface instance owner (<redacted>) are part of the allowed network interfaces.

Risk:
If Security groups are not properly configured the attack surface is increased.

Notes:

Provider:
aws

Recomendation:
Use a Zero Trust approach. Narrow ingress traffic as much as possible. Consider north-south as well as east-west traffic.

RecomendationUrl:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

Scan Day:
2024-09-20

Originally posted by @dazzag24 in #2442 (comment)

@MrCloudSec (Member)

Hi @dazzag24, thanks for reaching out to us!

I will try to reproduce the false positive and come back to you with a solution or ask for more information 😄

Have you tried it in the latest Prowler version?

MrCloudSec self-assigned this on Sep 24, 2024
MrCloudSec added the labels bug, severity/medium and provider/aws on Sep 24, 2024
@MrCloudSec (Member)

Hi @dazzag24, I was able to reproduce your finding.

What are you expecting to get?
If the security group is not attached to any network interface, Prowler gives a PASS.

@dazzag24 (Author)

Hi,

I have tested with Prowler 4.3.6.

prowler aws -f eu-west-2 --mutelist-file mute_list.yaml --checks ec2_securitygroup_allow_ingress_from_internet_to_any_port --verbose

returns:

FAIL eu-west-2: Security group <REDACTED_DESCRIPTION (REDACTED_SG_ID) has at least one port open to the Internet and neither its network interface type (interface) nor its network interface instance owner (<REDACTED_AWS_ACCOUNT_ID>) are part of the allowed network interfaces.

My confusion is that in #2442 there is an identical SG config that was triggering the same issue, and it was flagged as a bug and fixed.

Furthermore I have 2 identical SGs, one that passes while the other fails:

Failing SG:

{
    "SecurityGroups": [
        {
            "Description": "Foo",
            "GroupName": "<redacted>",
            "IpPermissions": [
                {
                    "FromPort": 80,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 80,
                    "UserIdGroupPairs": []
                },
                {
                    "FromPort": 443,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 443,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "<redacted>",
            "GroupId": "<redacted>",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "<redacted>"
        }
    ]
}

This is attached to a Network Interface that has the instance owner set to the AWS Account ID.

Passing SG:

{
    "SecurityGroups": [
        {
            "Description": "Goo",
            "GroupName": "<redacted>",
            "IpPermissions": [
                {
                    "FromPort": 80,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0",
                            "Description": ""
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 80,
                    "UserIdGroupPairs": []
                },
                {
                    "FromPort": 443,
                    "IpProtocol": "tcp",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0",
                            "Description": ""
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "ToPort": 443,
                    "UserIdGroupPairs": []
                }
            ],
            "OwnerId": "<redacted>",
            "GroupId": "<redacted>",
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "Ipv6Ranges": [],
                    "PrefixListIds": [],
                    "UserIdGroupPairs": []
                }
            ],
            "VpcId": "<redacted>"
        }
    ]
}

This is attached to a Network Interface that has the instance owner set to "amazon-elb".

Why would one be considered OK while the other triggers a FAIL?

Many thanks

@MrCloudSec (Member)

Hi @dazzag24, in this check, Prowler reports a FAIL if the security group has any open ports and it is attached to a network interface where either the instance owner or the type is not in the configurable variables:

  • ec2_allowed_interface_types
  • ec2_allowed_instance_owners

Those variables can be found here.

By default, the Network Interface types that are allowed are: api_gateway_managed and vpc_endpoint, and amazon-elb as the instance owner. But you can change them in the config file.

What do you think about this logic?

However, I am going to document this check more so the logic is more understandable.
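The following is an added, offline model of the PASS/FAIL logic described in this comment and in the earlier reply (an SG with open ports but no attached network interface passes). It is illustration code written for this page, not Prowler's own implementation. It assumes that "open to the Internet" means any ingress rule whose IPv4 range is 0.0.0.0/0 or whose IPv6 range is ::/0 regardless of port, that the two ENI attributes compared are InterfaceType and Attachment.InstanceOwnerId as returned by describe-network-interfaces, and it uses constructed sample data (the account ID 123456789012 and the security group IDs are made up).

```python
"""Offline model of the FAIL/PASS logic of the Prowler check
ec2_securitygroup_allow_ingress_from_internet_to_any_port, as described
in the issue thread. Added illustration, not Prowler's code; sample data
below is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults as stated in the comment above; the names mirror Prowler's config
# variables ec2_allowed_interface_types / ec2_allowed_instance_owners.
DEFAULT_ALLOWED_INTERFACE_TYPES = ("api_gateway_managed", "vpc_endpoint")
DEFAULT_ALLOWED_INSTANCE_OWNERS = ("amazon-elb",)

# Assumption: "open to the Internet" means an ingress rule that accepts the
# whole IPv4 or IPv6 address space, whatever the port range.
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass
class Eni:
    """The two ENI attributes the check compares against the allow-lists
    (InterfaceType and Attachment.InstanceOwnerId in describe-network-interfaces)."""
    interface_type: str
    instance_owner_id: Optional[str]


def ingress_open_to_internet(sg: dict) -> bool:
    """True if any IpPermissions entry has an IPv4 or IPv6 range covering the Internet."""
    for rule in sg.get("IpPermissions", []):
        if any(r.get("CidrIp") in INTERNET_CIDRS for r in rule.get("IpRanges", [])):
            return True
        if any(r.get("CidrIpv6") in INTERNET_CIDRS for r in rule.get("Ipv6Ranges", [])):
            return True
    return False


def evaluate(
    sg: dict,
    attached_enis: List[Eni],
    allowed_types=DEFAULT_ALLOWED_INTERFACE_TYPES,
    allowed_owners=DEFAULT_ALLOWED_INSTANCE_OWNERS,
) -> Tuple[str, str]:
    """Return (status, status_extended) for one security group."""
    name = f"{sg.get('GroupName')} ({sg.get('GroupId')})"
    if not ingress_open_to_internet(sg):
        return "PASS", f"Security group {name} has no port open to the Internet."
    if not attached_enis:
        # Mirrors the earlier reply: an unattached SG passes even with open ports.
        return "PASS", f"Security group {name} has open ports but is not attached to any network interface."
    for eni in attached_enis:
        # An ENI is acceptable if EITHER its type OR its instance owner is allow-listed.
        if eni.interface_type in allowed_types or eni.instance_owner_id in allowed_owners:
            continue
        return "FAIL", (
            f"Security group {name} has at least one port open to the Internet and neither its "
            f"network interface type ({eni.interface_type}) nor its network interface instance "
            f"owner ({eni.instance_owner_id}) are part of the allowed network interfaces."
        )
    return "PASS", f"Security group {name} is only attached to allowed network interfaces."


# Constructed sample data, shaped like the describe-security-groups output in the issue.
def _web_sg(group_id: str) -> dict:
    return {
        "GroupName": "web", "GroupId": group_id,
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
            for p in (80, 443)
        ],
    }

SG_WEB = _web_sg("sg-0000000000web")
SG_INTERNAL = {"GroupName": "internal", "GroupId": "sg-000000000int",
               "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}

ACCOUNT_ID = "123456789012"  # constructed account ID
# An EC2 instance's ENI reports the account as instance owner; an ELB's ENI reports "amazon-elb".
ENI_INSTANCE = Eni(interface_type="interface", instance_owner_id=ACCOUNT_ID)
ENI_ELB = Eni(interface_type="interface", instance_owner_id="amazon-elb")

if __name__ == "__main__":
    print(evaluate(SG_WEB, [])[0])              # PASS: not attached to any ENI
    print(evaluate(SG_WEB, [ENI_ELB])[0])       # PASS: amazon-elb is allowed by default
    print(evaluate(SG_WEB, [ENI_INSTANCE])[0])  # FAIL: the failing case from the issue
    # The workaround from the last comment: add the account ID to ec2_allowed_instance_owners.
    print(evaluate(SG_WEB, [ENI_INSTANCE],
                   allowed_owners=DEFAULT_ALLOWED_INSTANCE_OWNERS + (ACCOUNT_ID,))[0])  # PASS
```

To see the two ENI attributes this logic compares for a real group, `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg-id> --query 'NetworkInterfaces[].[NetworkInterfaceId,InterfaceType,Attachment.InstanceOwnerId]'` lists every interface the group is attached to; an instance-backed ENI shows the account ID as owner, a load balancer's shows amazon-elb, which is exactly the difference between the two otherwise identical groups in the thread. Note that the workaround of adding your own account ID to ec2_allowed_instance_owners allow-lists every instance-attached ENI in the account, so from then on the check only flags managed-service interfaces; muting the specific finding is the narrower option if only one group is intentionally exposed.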

@dazzag24 (Author)

Thanks for the explanation. I have added the org ID to the config. Adding more docs to make this clearer would be much appreciated.
