Network Security Group

Restricted Ports Open To Public 

Risk Level: High

Description: 

This plugin checks that public access to any port other than those whitelisted is denied. While some ports, such as HTTP and HTTPS, must be reachable from the public Internet for a service to work, all other services should be restricted to known IP addresses.

PingSafe strongly recommends restricting ports to known IP addresses, or whitelisting the ports that must remain public in the PingSafe configuration, as your requirements dictate.

Configuration Parameters

Whitelisted Open Ports: This parameter lists the ports that are permitted to be open to the public. The plugin treats public access to any port not on this list as a finding and generates an alert for it.

By default, the value is null, and the plugin reports no findings.

About the Service:

In an Azure virtual network, a network security group may be used to restrict network traffic to and from Azure resources. A network security group is a collection of security rules that allow or disallow incoming and outgoing network traffic to and from various Azure services. Source and destination, port, and protocol can all be specified for each rule.

Impact:

Unrestricted ports expose the account to attack and can make sensitive data accessible to people who are not meant to see it. If, for example, TCP port 5900 is not restricted to known IP addresses, security best practice is not being followed and the service behind that port can be attacked.

Steps to reproduce:

  1. Sign in to your Azure portal with your Azure account.
    https://portal.azure.com/#home 
  2. Navigate to Azure’s Network Security Groups.
  3. Click on the Security Group that you want to examine. Next, click on the inbound security rules.
  4. For each inbound rule, check the value in the Port column. If the Port attribute of one or more rules is set to a range of ports (e.g., 0 – 65535, 80 – 8080, 111 – 32800), the selected Azure network security group (NSG) allows traffic over that whole range, which means inbound access to the associated Microsoft Azure virtual machines is not secure.
  5. Follow the same steps for other security groups as well.

To check whether the restricted ports are accessible to the general public, we examined the Inbound Security Rules of the network security group.

Steps for remediation:

  1. Sign in to your Azure portal with your Azure account.
    https://portal.azure.com/#home 
  2. Navigate to Azure’s Network Security Groups.
  3. Click on the Security Group that you want to examine. Next, click on the inbound security rules.
  4. For each inbound rule, check the value in the Port column. If the Port attribute of one or more rules is set to a range of ports (e.g., 0 – 65535, 80 – 8080, 111 – 32800), the selected Azure network security group (NSG) allows traffic over that whole range, which means inbound access to the associated Microsoft Azure virtual machines is not secure.
  5. Click on the security group rule and change its Source from Any to the specific IP addresses, and its source port ranges to only those, that are necessary to run the application.
  6. Click on the Save button.
  7. The restricted ports are now no longer accessible to the public.
  8. Follow the same steps for other security groups as well.
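The audit in the steps above (public source, port ranges, inbound Allow rules) and the remediation in step 5 can be expressed as a small offline check. The following is an added example written for this page; it is not PingSafe's plugin code. It assumes rule dictionaries using the field names returned by `az network nsg rule list` (name, priority, direction, access, sourceAddressPrefix / sourceAddressPrefixes, destinationPortRange / destinationPortRanges); the rules in SAMPLE_RULES, the whitelist of 80 and 443, and the replacement CIDRs are constructed for illustration. It goes slightly beyond the portal steps by applying NSG priority order, so a Deny rule with a lower priority number shadows a later Allow, as the NSG itself would.

```python
"""Find NSG inbound rules that open non-whitelisted ports to the public.

Added example, not PingSafe's own code. Field names follow the output of
`az network nsg rule list`; SAMPLE_RULES is constructed for illustration.
"""
import copy
from dataclasses import dataclass
from typing import Iterable, Optional

# Source values that admit traffic from any Internet address.
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    rule: str             # name of the Allow rule that opens the ports
    exposed_ports: tuple  # publicly reachable ports not on the whitelist


def expand_port_range(spec: str) -> set:
    """Expand '22', '80-8080' or '*' into the set of ports it covers."""
    spec = spec.strip()
    if spec == "*":
        return set(range(0, 65536))
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
    else:
        low = high = int(spec)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return set(range(low, high + 1))


def _values(rule: dict, single: str, plural: str) -> list:
    """Read a field that Azure exposes either as a scalar or as a list."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def rule_ports(rule: dict) -> set:
    ports = set()
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        ports |= expand_port_range(spec)
    return ports


def rule_is_public(rule: dict) -> bool:
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in PUBLIC_SOURCES for s in sources)


def public_exposure(rules: Iterable[dict]) -> dict:
    """Map each port reachable from an arbitrary Internet source to the name of
    the inbound Allow rule that opens it. Rules are applied in priority order
    (lowest number first), so an earlier Deny shadows a later Allow. Only rules
    with a public source can match such traffic; with no match, the implicit
    DenyAllInBound applies. Protocol is not considered in this simplified check."""
    decided = {}
    public_inbound = [r for r in rules
                      if r.get("direction", "").lower() == "inbound" and rule_is_public(r)]
    for rule in sorted(public_inbound, key=lambda r: int(r["priority"])):
        allowed_by = rule["name"] if rule.get("access", "").lower() == "allow" else None
        for port in rule_ports(rule):
            decided.setdefault(port, allowed_by)  # first matching rule wins
    return {port: name for port, name in decided.items() if name is not None}


def evaluate(rules: Iterable[dict], whitelisted_ports: Optional[Iterable[int]]) -> list:
    """One Finding per rule that exposes non-whitelisted ports. A whitelist of
    None mirrors the plugin's default, which produces no findings."""
    if whitelisted_ports is None:
        return []
    allowed = set(whitelisted_ports)
    by_rule = {}
    for port, rule_name in public_exposure(rules).items():
        if port not in allowed:
            by_rule.setdefault(rule_name, []).append(port)
    return [Finding(name, tuple(sorted(ports))) for name, ports in by_rule.items()]


def restrict_source(rule: dict, source_prefix: str) -> dict:
    """Remediation step 5: copy of the rule with its source changed from Any
    to a known, necessary address range."""
    fixed = copy.deepcopy(rule)
    fixed.pop("sourceAddressPrefixes", None)
    fixed["sourceAddressPrefix"] = source_prefix
    return fixed


# Constructed sample: public web rule, a Deny that shadows RDP, a public VNC
# rule, an over-broad range, and an SSH rule already restricted to an office CIDR.
SAMPLE_RULES = [
    {"name": "allow-web", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["80", "443"]},
    {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
    {"name": "deny-rdp", "priority": 200, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-vnc", "priority": 210, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "5900"},
    {"name": "allow-everything", "priority": 300, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "0-65535"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def remediated_sample() -> list:
    """SAMPLE_RULES with the two offending rules restricted to constructed CIDRs."""
    fixes = {"allow-vnc": "198.51.100.7/32", "allow-everything": "203.0.113.0/24"}
    return [restrict_source(r, fixes[r["name"]]) if r["name"] in fixes else r
            for r in SAMPLE_RULES]


if __name__ == "__main__":
    for f in evaluate(SAMPLE_RULES, whitelisted_ports=[80, 443]):
        print(f"{f.rule}: {len(f.exposed_ports)} non-whitelisted port(s) open to the public")
    print("after remediation:", evaluate(remediated_sample(), [80, 443]))
```

With the whitelist set to 80 and 443, the sample reports allow-vnc (port 5900) and allow-everything (every remaining port, including 22, but not 3389, which the higher-priority Deny shadows); allow-ssh-office is not reported because its source is already a specific range. After restrict_source is applied to the two offending rules, the same evaluation returns no findings, which is the state step 7 describes.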

References:

Please feel free to reach out to support@pingsafe.com with any questions that you may have.

Thanks

PingSafe Support