Terraform Unrestricted DNS Access
Description
Detects unrestricted DNS access in AWS EC2 security groups that could allow malicious actors to perform DNS exfiltration or DNS tunneling attacks. Open DNS access from untrusted sources can be exploited to bypass network controls and leak sensitive data.
Detection Strategy
• Identifies AWS security group and security group rule resources in Terraform configurations
• Checks ingress and egress rules for port 53 (DNS) configurations
• Reports a vulnerability when DNS port 53 is accessible from overly permissive sources (such as 0.0.0.0/0)
• Examines both standalone security group rules and inline security group rule blocks
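The strategy above, as an added example that is not Fluid Attacks' scanner: a small checker over Terraform's JSON syntax (a .tf.json document, or the dict any HCL-to-JSON converter yields) that flags port-53 exposure to a /0 CIDR in both standalone aws_security_group_rule resources and inline ingress/egress blocks. It assumes resource bodies are single dicts (not lists) and that CIDR values are literal strings rather than Terraform expressions.

```python
import ipaddress

DNS_PORT = 53

def _covers_dns(rule):
    """True when the rule's protocol and port range include DNS (53)."""
    proto = str(rule.get("protocol", "")).lower()
    if proto == "-1":  # "all protocols" also means all ports in AWS
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False
    return int(rule.get("from_port", -1)) <= DNS_PORT <= int(rule.get("to_port", -1))

def _is_permissive(cidr):
    # A /0 prefix in either address family means "reachable from anywhere"
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def _rule_findings(rule, where):
    cidrs = list(rule.get("cidr_blocks") or []) + list(rule.get("ipv6_cidr_blocks") or [])
    open_cidrs = [c for c in cidrs if _is_permissive(c)]
    if _covers_dns(rule) and open_cidrs:
        return [f"{where}: DNS port {DNS_PORT} reachable from {', '.join(open_cidrs)}"]
    return []

def find_open_dns(tf_json):
    """Check standalone aws_security_group_rule resources and inline ingress/egress blocks."""
    findings = []
    resources = tf_json.get("resource", {})
    for name, body in resources.get("aws_security_group_rule", {}).items():
        findings += _rule_findings(body, f"aws_security_group_rule.{name} ({body.get('type')})")
    for name, body in resources.get("aws_security_group", {}).items():
        for direction in ("ingress", "egress"):
            blocks = body.get(direction) or []
            for block in (blocks if isinstance(blocks, list) else [blocks]):
                findings += _rule_findings(block, f"aws_security_group.{name} ({direction})")
    return findings

# Constructed sample: the page's vulnerable and secure rules plus an inline UDP block
SAMPLE = {"resource": {
    "aws_security_group_rule": {
        "vulnerable": {"type": "ingress", "from_port": 50, "to_port": 53,
                       "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]},
        "secure": {"type": "ingress", "from_port": 443, "to_port": 443,
                   "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]}},
    "aws_security_group": {
        "resolver": {"ingress": [{"from_port": 53, "to_port": 53, "protocol": "udp",
                                  "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": ["::/0"]}]}}}}

if __name__ == "__main__":
    print("\n".join(find_open_dns(SAMPLE)))
```

Note that the protocol "-1" rule is flagged even though its declared range is 50-53, because AWS ignores the port range when all protocols are allowed.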
Vulnerable code example
resource "aws_security_group_rule" "vulnerable" {
  security_group_id = "sg-123456"
  type              = "ingress"
  from_port         = 50          # Vulnerable: Non-standard port range
  to_port           = 53
  protocol          = "-1"        # Vulnerable: Allows ALL protocols
  cidr_blocks       = ["0.0.0.0/0"] # Vulnerable: Allows access from any IP
}
✅ Secure code example
resource "aws_security_group_rule" "secure" {
  security_group_id = "sg-123456"
  type              = "ingress"
  from_port         = 443         # Restrict to HTTPS standard port
  to_port           = 443         # Single port instead of range for specific service
  protocol          = "tcp"       # Explicitly specify TCP protocol only
  cidr_blocks       = ["10.0.0.0/16"] # Restrict to internal network CIDR
  description       = "Allow inbound HTTPS traffic from internal network"
}