Terraform Unrestricted Netbios Access
Description
Detects Azure Network Security Group (NSG) rules that allow unrestricted access to NetBIOS ports (137-139). Exposing NetBIOS ports to the internet enables attackers to perform reconnaissance, enumerate network resources, and potentially exploit Windows file sharing vulnerabilities.
Detection Strategy
• Identify Network Security Group (NSG) rules in Azure Terraform configurations
• Check if any security rules allow inbound traffic to NetBIOS ports (137-139)
• Verify if the source address prefix is set to overly permissive values like '*', '0.0.0.0', '0.0.0.0/0', 'Internet', or 'any'
• Flag NSG rules where NetBIOS ports are accessible from unrestricted source IP ranges
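The strategy above, written out as an added example that is not Fluid Attacks' own checker: it takes security_rule blocks already parsed into Python dicts (the parsing step is assumed) and flags inbound Allow rules whose destination ports overlap 137-139 while the source prefix is one of the permissive values listed; it also handles the plural destination_port_ranges / source_address_prefixes attributes and the "*" port wildcard.

```python
from typing import Iterable

NETBIOS_PORTS = range(137, 140)  # 137, 138, 139
# Source prefixes the detection strategy treats as unrestricted, compared case-insensitively.
UNRESTRICTED_SOURCES = {"*", "0.0.0.0", "0.0.0.0/0", "internet", "any"}


def port_spec_covers_netbios(spec: str) -> bool:
    """True if an NSG port spec ('*', '139', '137-139', '100-200') overlaps 137-139."""
    spec = spec.strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    return lo <= NETBIOS_PORTS[-1] and hi >= NETBIOS_PORTS[0]


def rule_exposes_netbios(rule: dict) -> bool:
    """Apply the detection strategy to one parsed security_rule block (dict is an assumed shape)."""
    if rule.get("direction", "").lower() != "inbound":
        return False
    if rule.get("access", "").lower() != "allow":
        return False
    # Terraform accepts either the singular attribute or the plural list form.
    port_specs = [rule["destination_port_range"]] if "destination_port_range" in rule \
        else rule.get("destination_port_ranges", [])
    sources = [rule["source_address_prefix"]] if "source_address_prefix" in rule \
        else rule.get("source_address_prefixes", [])
    unrestricted = any(s.strip().lower() in UNRESTRICTED_SOURCES for s in sources)
    return unrestricted and any(port_spec_covers_netbios(p) for p in port_specs)


def find_exposed_rules(rules: Iterable[dict]) -> list:
    """Return the names of rules that expose NetBIOS to unrestricted sources."""
    return [r["name"] for r in rules if rule_exposes_netbios(r)]


# Constructed sample rules: the first mirrors the unsafe block, the second the safe one.
SAMPLE_RULES = [
    {"name": "NetBIOS-TCP-Unsafe", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destination_port_range": "137-139",
     "source_address_prefix": "*"},
    {"name": "NetBIOS-TCP-Safe", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destination_port_ranges": ["137", "139"],
     "source_address_prefixes": ["10.0.0.0/8", "192.168.1.0/24"]},
]

if __name__ == "__main__":
    print(find_exposed_rules(SAMPLE_RULES))  # ['NetBIOS-TCP-Unsafe']
```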
Vulnerable code example
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Unsafe: NetBIOS TCP allowed from any source with unrestricted access
  security_rule {
    name = "NetBIOS-TCP-Unsafe"
    ...
✅ Secure code example
resource "azurerm_network_security_group" "example" {
  name                = "example-nsg"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Safe: NetBIOS TCP allowed only from specific internal networks and IPs
  security_rule {
    name = "NetBIOS-TCP-Safe"
    ...