Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Unrestricted NetBIOS Access

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: EC2-041

Check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) on TCP port 139 and UDP ports 137 and 138 in order to reduce the possibility of a security breach and protect the EC2 instances associated with your security groups. TCP port 139 and UDP ports 137 and 138 are used for NetBIOS name resolution (i.e. mapping a NetBIOS name to an IP address) by services such as File and Printer Sharing service running on Microsoft Windows Server OS.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Allowing unrestricted NetBIOS access to your Amazon EC2 instances can increase opportunities for malicious activities such as man-in-the-middle attacks (MITM), Denial of Service (DoS) attacks or BadTunnel exploits.

Audit

To determine if your Amazon EC2 security groups allow unrestricted NetBIOS access, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Click inside the Filter security groups box located under the console top menu and select the following options from the Properties dropdown menu:

  1. Choose Protocol and select TCP from the protocols list.
  2. Choose again Protocol and select UDP from the list.

05 Choose Port range, type 137-139 for the port range, and press Enter.

06 Select the security group that you want to examine and choose the Inbound rules tab from the console bottom panel to access the inbound rules created for the selected group.

07 Check the configuration value available in the Source column for any inbound/ingress rules with the Port range set to 137 - 139. If one or more rules have the Source value set to 0.0.0.0/0 or ::/0(i.e. Anywhere), the selected Amazon EC2 security group allows unrestricted traffic on TCP/UDP ports 137, 138, and 139, therefore the NetBIOS access to the associated EC2 instance(s) is not secured.

08 Repeat steps no. 5 and 6 for each Amazon EC2 security group returned as result at step no. 4.

09 Change the AWS cloud region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) with predefined and custom query filters to expose the ID of each Amazon EC2 security group that allows unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS): 

aws ec2 describe-security-groups
  --region us-east-1
  --filters Name=ip-permission.from-port,Values=137,138,139 Name=ip-permission.to-port,Values=137,138,139 Name=ip-permission.cidr,Values='0.0.0.0/0'
  --output table
  --query 'SecurityGroups[*].GroupId'

02 The command output should return a table with the requested security group ID(s): 

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

If the describe-security-groups command does not produce an output, there are no security groups that allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS) in the selected AWS region. If the command output returns a table with one or more security group IDs, those Amazon EC2 security groups allow unrestricted traffic on TCP port 139 and UDP ports 137 and 138, therefore the NetBIOS access to the associated EC2 instance(s) is not secured.

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To update the inbound rule configuration for your Amazon EC2 security groups in order to restrict NetBIOS access to trusted entities only (i.e. authorized IP addresses and IP ranges, or other security groups), perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON): 

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Configure security group to restrict inbound NetBIOS access to trusted entities only",
	"Resources": {
		"EC2SecurityGroup": {
			"Type": "AWS::EC2::SecurityGroup",
			"Properties": {
				"GroupName": "cc-instance-security-group",
				"GroupDescription": "Allow NetBIOS access",
				"VpcId": "vpc-01234abcd1234abcd",
				"SecurityGroupIngress": [
					{
						"Description": "Allow inbound NetBIOS traffic",
						"IpProtocol": "udp",
						"FromPort": 137,
						"ToPort": 138,
						"CidrIp": "0.0.0.0/0"
						"CidrIp": "10.0.0.45/32"
					},
					{
						"Description": "Allow inbound NetBIOS traffic",
						"IpProtocol": "tcp",
						"FromPort": 139,
						"ToPort": 139,
						"CidrIp": "0.0.0.0/0"
						"CidrIp": "10.0.0.45/32"
					}
				],
				"SecurityGroupEgress": [
					{
						"Description": "Allow all outbound traffic",
						"IpProtocol": "-1",
						"FromPort": 0,
						"ToPort": 65535,
						"CidrIp": "0.0.0.0/0"
					}
				]
			}
		}
	}
}

02 CloudFormation template (YAML): 

AWSTemplateFormatVersion: '2010-09-09'
	Description: Configure security group to restrict inbound NetBIOS access to trusted entities only
	Resources:
	EC2SecurityGroup:
		Type: AWS::EC2::SecurityGroup
		Properties:
		GroupName: cc-instance-security-group
		GroupDescription: Allow NetBIOS access
		VpcId: vpc-01234abcd1234abcd
		SecurityGroupIngress:
			- Description: Allow inbound NetBIOS traffic
			IpProtocol: udp
			FromPort: 137
			ToPort: 138
			CidrIp: '0.0.0.0/0'
			CidrIp: '10.0.0.45/32'
			- Description: Allow inbound NetBIOS traffic
			IpProtocol: tcp
			FromPort: 139
			ToPort: 139
			CidrIp: '0.0.0.0/0'
			CidrIp: '10.0.0.45/32'
		SecurityGroupEgress:
			- Description: Allow all outbound traffic
			IpProtocol: '-1'
			FromPort: 0
			ToPort: 65535
			CidrIp: '0.0.0.0/0'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf): 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}
	required_version = ">= 0.14.9"
}
provider "aws" {
	profile = "default"
	region  = "us-east-1"
}
resource "aws_security_group" "ec2-security-group" {
	name        = "cc-instance-security-group"
	description = "Allow NetBIOS access"
	vpc_id      = "vpc-01234abcd1234abcd"
	ingress {
		description      = "Allow inbound NetBIOS traffic"
		from_port        = 137
		to_port          = 138
		protocol         = "udp"
		cidr_blocks      = ["0.0.0.0/0"]
		cidr_blocks      = ["10.0.0.45/32"]
	}
	ingress {
		description      = "Allow inbound NetBIOS traffic"
		from_port        = 139
		to_port          = 139
		protocol         = "tcp"
		cidr_blocks      = ["0.0.0.0/0"]
		cidr_blocks      = ["10.0.0.45/32"]
	}
	egress {
		description      = "Allow all outbound traffic"
		from_port        = 0
		to_port          = 0
		protocol         = "-1"
		cidr_blocks      = ["0.0.0.0/0"]
	}
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2.

03 In the navigation panel, under Network & Security, choose Security Groups.

04 Select the Amazon EC2 security group that you want to reconfigure (see Audit section part I to identify the right resource).

05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.

06 On the Edit inbound rules configuration page, change the traffic source for the inbound rule that allows unrestricted access via TCP port 139 and UDP ports 137 and 138 (NetBIOS), by performing one of the following operations:

  1. Select My IP from the Source dropdown list to allow inbound traffic only from your current IP address.
  2. Select Custom from the Source dropdown list and enter one of the following options based on your access requirements:
    • The static IP address of the permitted host in CIDR notation (e.g. 192.0.8.0/32).
    • The IP address range of the permitted network/subnetwork in CIDR notation, for example 192.0.8.0/24.
    • The name or ID of another security group available in the same AWS cloud region.
  3. Choose Save rules to apply the configuration changes.

07 Repeat steps no. 4 – 6 to reconfigure other EC2 security groups that allow unrestricted NetBIOS access.

08 Change the AWS cloud region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right resource), to remove the inbound rules that allow unrestricted access on TCP port 139 and UDP ports 137 and 138 (NetBIOS):

02 For TCP port 139 run the following command: 

aws ec2 revoke-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --ip-permissions IpProtocol=tcp,FromPort=139,ToPort=139,IpRanges=[{CidrIp="0.0.0.0/0"}],Ipv6Ranges=[{CidrIpv6="::/0"}]
  --query 'Return'

03 The command output should return true if the request succeeds. Otherwise, it should return an error: 

true

04 For UDP ports 137 and 138 execute the following command: 

aws ec2 revoke-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --ip-permissions IpProtocol=udp,FromPort=137,ToPort=138,IpRanges=[{CidrIp="0.0.0.0/0"}],Ipv6Ranges=[{CidrIpv6="::/0"}]
  --query 'Return'

05 If successful, the command output should return true, otherwise, it should return an error: 

true

06 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rules removed at the previous step with a different set of parameters in order to restrict NetBIOS access to trusted entities only (IP addresses, IP ranges, or security groups). To create and attach custom inbound/ingress rules to the selected Amazon EC2 security group based on your access requirements, use one of the following options (the command does not produce an output):

  1. Add an inbound rule that allows traffic from an authorized static IP address via TCP port 139, using CIDR notation (e.g. 192.0.8.0/32): 
    aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --protocol tcp
  --port 139
  --cidr 192.0.8.0/32
  2. Add an inbound/ingress rule that allows traffic from a trusted IP address range via TCP port 139, using CIDR notation (for example, 192.0.8.0/24): 
    aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --protocol tcp
  --port 139
  --cidr 192.0.8.0/24
  3. Add an inbound rule that allows traffic from another security group (e.g. sg-0abcdabcdabcdabcd) available in the same AWS cloud region via TCP port 139: 
    aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --protocol tcp
  --port 139
  --source-group sg-0abcdabcdabcdabcd
  4. Change the --protocol parameter value to udp and --port value to 137-138, then repeat steps a – c to add the required inbound rule(s) removed at step no. 1, e.g.: 
    aws ec2 authorize-security-group-ingress
  --region us-east-1
  --group-id sg-01234abcd1234abcd
  --protocol udp
  --port 137-138
  --cidr 192.0.8.0/32

07 Repeat steps no. 1 and 2 to reconfigure other EC2 security groups that allow unrestricted NetBIOS access.

08 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation process for other regions.

References

Publication date Jun 23, 2016

Related EC2 rules