More Info:

No AWS EC2 security group should allow unrestricted inbound access to TCP port 139 and UDP ports 137 and 138 (NetBIOS).

Risk Level

High

Address

Security

Compliance Standards

HIPAA, NIST, SOC2, GDPR

Triage and Remediation

Remediation

Using Console

To remediate the “Unrestricted Netbios Access Should Not Be Allowed” misconfiguration in AWS using the AWS console, you can follow these steps:
  1. Log in to your AWS Management Console.
  2. Go to the Amazon VPC dashboard.
  3. Click on “Security Groups” from the left-hand menu.
  4. Select the security group that has unrestricted NetBIOS access.
  5. Click on the “Inbound Rules” tab.
  6. Locate the rule that allows unrestricted NetBIOS access (usually port 137-139).
  7. Click on the “Edit” button next to the rule.
  8. Change the source IP address to a specific IP address or range of IP addresses that should be allowed to access NetBIOS.
  9. Click on the “Save” button to save the changes.
By following these steps, you have successfully remediated the “Unrestricted Netbios Access Should Not Be Allowed” misconfiguration in AWS.

To remediate the unrestricted NetBIOS access issue in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI and run the following command to list all the security groups in your AWS account: 
    aws ec2 describe-security-groups
  2. Identify the security group that has unrestricted NetBIOS access.
  3. Run the following command to revoke the inbound rule that allows unrestricted NetBIOS access: 
    aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 139 --cidr 0.0.0.0/0
    Note: Replace <security-group-id> with the ID of the security group that you identified in step 2.
  4. Run the following command to revoke the inbound rule that allows unrestricted NetBIOS access: 
    aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 445 --cidr 0.0.0.0/0
    Note: Replace <security-group-id> with the ID of the security group that you identified in step 2.
  5. Verify that the inbound rules have been revoked by running the following command: 
    aws ec2 describe-security-groups --group-ids <security-group-id>
    Note: Replace <security-group-id> with the ID of the security group that you identified in step 2.
  6. Repeat steps 3-5 for all the security groups in your AWS account that have unrestricted NetBIOS access.
  7. Once you have revoked the inbound rules for all the security groups, the unrestricted NetBIOS access issue will be remediated.
To remediate the “Unrestricted Netbios Access Should Not Be Allowed” misconfiguration for AWS using python, you can follow these steps:
  1. Import the necessary AWS SDK and modules in your python script.
import boto3
from botocore.exceptions import ClientError
  1. Create an AWS client for EC2 service.
ec2 = boto3.client('ec2')
  1. Get a list of all the security groups in your AWS account.
response = ec2.describe_security_groups()
security_groups = response['SecurityGroups']
  1. Loop through each security group and check if it has unrestricted NetBIOS access. To do this, check if any of the inbound rules of the security group has the protocol set to “UDP” or “TCP”, the port range set to “137-139”, and the source IP range set to “0.0.0.0/0” or ”::/0”.
for sg in security_groups:
    for rule in sg['IpPermissions']:
        if rule['IpProtocol'] in ['tcp', 'udp'] and rule['FromPort'] <= 139 and rule['ToPort'] >= 137:
            for ip_range in rule['IpRanges']:
                if ip_range['CidrIp'] in ['0.0.0.0/0', '::/0']:
                    print(f"Security group {sg['GroupId']} allows unrestricted NetBIOS access.")
  1. If you find any security group that has unrestricted NetBIOS access, remove the offending inbound rule from the security group using the revoke_security_group_ingress() method of the AWS EC2 client. You will need to provide the security group ID, the protocol, the port range, and the source IP range of the offending rule as parameters to this method.
try:
    ec2.revoke_security_group_ingress(
        GroupId=sg['GroupId'],
        IpPermissions=[
            {
                'IpProtocol': rule['IpProtocol'],
                'FromPort': rule['FromPort'],
                'ToPort': rule['ToPort'],
                'IpRanges': [
                    {
                        'CidrIp': ip_range['CidrIp']
                    }
                ]
            }
        ]
    )
    print(f"Removed unrestricted NetBIOS access from security group {sg['GroupId']}.")
except ClientError as e:
    print(f"Error removing unrestricted NetBIOS access from security group {sg['GroupId']}: {e}")
  1. After removing the offending rule, you can verify that the security group no longer allows unrestricted NetBIOS access by repeating step 4.
Note: Make sure you have the necessary permissions to modify security groups in your AWS account.

Additional Reading: