Profile Applicability:

Level: 1

Description: 

This check ensures that no EC2 instances in your AWS environment allow ingress (incoming) traffic from the internet to TCP ports 139 or 445, which are commonly associated with the Server Message Block (SMB) protocol. Allowing such traffic without restrictions can expose your instances to unauthorized access and potential exploits.

Rationale:

Ports 139 and 445 are used by the SMB protocol for file sharing and network communication. Exposing these ports to the internet increases the risk of attacks, such as the WannaCry ransomware exploit, which targeted vulnerabilities in SMB services. Restricting access to these ports helps protect your instances from unauthorized access and potential exploits.

Impact:

  • Security: Unauthorized access to EC2 instances can lead to data breaches, service disruptions, or system compromises.

  • Compliance: Failure to restrict access to these ports may violate security standards and compliance requirements (e.g., PCI-DSS, HIPAA, SOC 2).

  • Service Downtime: Exploits targeting these ports can lead to service outages or security incidents affecting resource availability.

Default Value: 

By default, security groups in AWS do not allow inbound traffic on ports 139 and 445. However, custom security group configurations might have rules that allow ingress to these ports.

Pre-Requisites:

  • AWS Management Console access or AWS CLI installed with appropriate permissions to describe and modify security group rules.

  • Familiarity with security best practices and the SMB protocol.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 dashboard.

  3. Under Network & Security, choose Security Groups.

  4. Select each security group and review the Inbound Rules.

  5. Verify that no rules allow ingress from 0.0.0.0/0 or ::/0 to ports 139 or 445.

  6. If such rules exist, they should be modified or removed.

Using AWS CLI:

Run the following command to list all security groups in your AWS region:

aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName,Ingress:IpPermissions}'

  1. For each security group, check the inbound rules for any entries allowing ingress to ports 139 or 445 from 0.0.0.0/0 or ::/0. A rule counts if its FromPort to ToPort range spans either port, or if its IpProtocol is -1 (all traffic).

  2. If such entries exist, they should be modified or removed.
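As an added example (not part of this benchmark page), the following Python script applies the check above to the JSON that `aws ec2 describe-security-groups --output json` prints on stdin, flagging rules that open TCP 139 or 445 to 0.0.0.0/0 or ::/0, including port ranges that span those ports and all-traffic (-1) rules; the security group IDs and rules in SAMPLE are constructed and stand in for real output.

```python
import json
import sys

SMB_PORTS = (139, 445)
PUBLIC_SOURCES = ("0.0.0.0/0", "::/0")

def exposed_smb_ports(perm):
    """Return the SMB ports covered by one IpPermissions entry (any source)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        lo, hi = 0, 65535
    elif proto == "tcp":                   # tcp rules always carry a port range
        lo, hi = perm["FromPort"], perm["ToPort"]
    else:                                  # udp/icmp cannot carry SMB
        return []
    return [p for p in SMB_PORTS if lo <= p <= hi]

def public_sources(perm):
    """Return the internet-wide IPv4/IPv6 sources attached to an entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [s for s in v4 + v6 if s in PUBLIC_SOURCES]

def find_exposed_smb(security_groups):
    """Return (GroupId, GroupName, port, source) for every violating rule."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            ports = exposed_smb_ports(perm)
            for src in public_sources(perm):
                for port in ports:
                    findings.append((sg["GroupId"], sg.get("GroupName", ""), port, src))
    return findings

# Constructed sample in the shape of `aws ec2 describe-security-groups --output json`
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "fileshare", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 137, "ToPort": 445,  # range spans 139 and 445
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,  # internal source: compliant
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for gid, name, port, src in find_exposed_smb(data["SecurityGroups"]):
        print(f"{gid} ({name}): tcp/{port} open to {src}")
```

Run it as `aws ec2 describe-security-groups --output json | python3 check_smb.py` against a real account; with no piped input it evaluates the constructed sample.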

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the EC2 dashboard.

  3. Under Network & Security, choose Security Groups.

  4. Select each security group and review the Inbound Rules.

  5. If any rule allows ingress from 0.0.0.0/0 or ::/0 to ports 139 or 445:

     • Click Edit inbound rules.

     • Locate and delete the rule allowing access to these ports.

     • Click Save rules.

Using AWS CLI:

To revoke the ingress rule allowing access to ports 139 or 445 from 0.0.0.0/0, run:

aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 139 --cidr 0.0.0.0/0
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 445 --cidr 0.0.0.0/0

Replace <security-group-id> with the ID of your security group. The revoke call only matches a rule whose protocol, port range and source are exactly the values given, so a rule with ::/0 as its source, or one whose port range spans 139 or 445, must be revoked with the same values it was created with.

Backout Plan: 

If you restrict internet access to TCP ports 139 or 445 for EC2 instances but need to revert:

Using Console:

  • Go to EC2 > Security Groups.

  • Re-add inbound rules for ports 139 and 445, allowing 0.0.0.0/0 or ::/0 as the source.

Using CLI:

Use these commands to re-add the two rules:

aws ec2 authorize-security-group-ingress \
--group-id <security-group-id> \
--protocol tcp \
--port 139 \
--cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress \
--group-id <security-group-id> \
--protocol tcp \
--port 445 \
--cidr 0.0.0.0/0

References:

  • Unrestricted Security Group Ingress on Uncommon Ports

  • Security group exposes risky ports to the internet

  • AWS EC2 instance allows public ingress access on SMB port 445

CIS Controls

Version | Control ID | Control Description                                                                                       | IG1 | IG2 | IG3
v8      | 4.4        | Implement and manage a firewall on servers to restrict unauthorized access.                               |     |     |
v8      | 4.5        | Protect network communications by encrypting sensitive data and restricting access to trusted IP ranges.  |     |     |
v8      | 13.4       | Manage network boundaries by implementing access controls such as firewalls and Security Groups.          |     |     |