Digital Ocean Firewall

Open SMBoTCP

Risk Level: High

Description

This plugin determines whether TCP port 445, used for Windows SMB over TCP, is open to the public. Unlike HTTP and HTTPS, which can legitimately be exposed to public access, SMB servers must be restricted to known IP addresses. SMB stands for Server Message Block, and TCP port 445 is used to share files, printers, and serial ports. To minimize false positives, this plugin reports only firewalls that have a public IP associated with any of their networks.

About the Service

Digital Ocean Firewall:

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets, provided at no extra cost. Cloud Firewalls block all traffic that is not explicitly allowed by a rule. Firewalls place a barrier between your servers and other machines on the network to protect them from external attacks. Some firewalls are host-based and are configured on a per-server basis using tools such as iptables or UFW. Others, such as DigitalOcean Cloud Firewalls, are network-based and stop traffic at the network layer before it reaches the server.

Impact

Firewalls for Droplets control incoming and outgoing traffic. Rules defined in a firewall allow specific IP addresses to reach the Droplets on the specified protocol and ports. SMB (Server Message Block) is a protocol that provides access to files, printers, and serial ports shared among the nodes of a network. Publicly accessible SMB services can expose high-severity vulnerabilities. In 2020, two SMB attacks were disclosed that can give an attacker Remote Code Execution.

Steps to Reproduce

Using the Digital Ocean Console:

To determine whether your Digital Ocean Firewall rules permit unrestricted access on TCP port 445, follow the steps below:

  1. Sign in to the Digital Ocean Console with an administrator account. The dashboard will appear on the screen.
  2. From the left navigation panel, select the name of the Project you want to investigate.
  3. After selecting the Project, under the Manage section in the left navigation panel, click on the Networking blade.
  4. A Networking page will appear on the screen; select the Firewall tab from the top navigation bar.
  5. A Firewall dashboard will appear on the screen with a list of all the firewalls available in the current project.
  6. Click on the name of the firewall you want to investigate. A new Firewall page with all the details of its inbound and outbound rules will appear on the screen.
  7. Check the list of Inbound Rules. If you find a rule with Type: Custom or All TCP, Protocol: TCP, and Port: 445 whose source is the unrestricted range 0.0.0.0/0, then firewall rules exist that allow unrestricted access on TCP port 445, and the firewall is vulnerable because TCP port 445 for SMB is open to the public.
  8. Follow the Steps for Remediation to fix this issue.
  9. Repeat the steps above to review the firewalls in other projects associated with other Digital Ocean organizations within your account.
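The check the description and the steps above describe, automated over firewall data, as an added example (not the plugin's own code). It assumes the JSON shape of the DigitalOcean `GET /v2/firewalls` response (`inbound_rules[].protocol`, `ports`, `sources.addresses`, `droplet_ids`), treats `ports` "0"/"all" as every port, and uses "firewall has Droplets attached" as the false-positive filter; the sample data is constructed.

```python
"""Flag DigitalOcean Cloud Firewalls allowing inbound TCP 445 (SMB) from anywhere. Added
example, not the plugin's code; input mirrors the GET /v2/firewalls response shape."""
import ipaddress
SMB_PORT = 445

def port_rule_covers(ports: str, port: int) -> bool:
    """True if a ports field ("445", "137-445") includes `port`; "0"/"all" assumed = every port."""
    ports = ports.strip().lower()
    if ports in {"0", "all", ""}:
        return True
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)

def unrestricted_sources(addresses) -> list:
    """Source CIDRs matching every address (0.0.0.0/0 or ::/0)."""
    hits = []
    for cidr in addresses or []:
        try:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                hits.append(cidr)
        except ValueError:
            pass  # malformed entry: skip it rather than abort the whole scan
    return hits

def find_public_smb(firewalls: list, attached_only: bool = True) -> list:
    """One finding per (firewall, rule) exposing TCP 445 to the world. attached_only
    skips firewalls with no Droplets (assumed to be the plugin's false-positive filter)."""
    findings = []
    for fw in firewalls:
        if attached_only and not fw.get("droplet_ids"):
            continue
        for rule in fw.get("inbound_rules", []):
            if rule.get("protocol") != "tcp":
                continue
            if not port_rule_covers(str(rule.get("ports", "0")), SMB_PORT):
                continue
            src = unrestricted_sources(rule.get("sources", {}).get("addresses"))
            if src:
                findings.append({"firewall": fw["name"], "ports": rule["ports"], "sources": src})
    return findings

# Constructed sample in the API's response shape (not real account data).
SAMPLE = [
    {"name": "file-share", "droplet_ids": [101], "inbound_rules": [
        {"protocol": "tcp", "ports": "445", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}}]},
    {"name": "web", "droplet_ids": [102], "inbound_rules": [
        {"protocol": "tcp", "ports": "443", "sources": {"addresses": ["0.0.0.0/0"]}},
        {"protocol": "tcp", "ports": "0", "sources": {"addresses": ["10.128.0.0/9"]}}]},
    {"name": "unattached", "droplet_ids": [], "inbound_rules": [
        {"protocol": "tcp", "ports": "0", "sources": {"addresses": ["0.0.0.0/0"]}}]}]
```

Only `file-share` is reported: the public HTTPS rule on `web` is not SMB, its all-ports rule is restricted to a private range, and `unattached` protects no Droplet (pass `attached_only=False` to report it too).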

Steps for Remediation

To update your firewall rule configuration so that SMB access is restricted to trusted, authorized IP addresses or IP ranges only, follow the steps below:

  1. Sign in to the Digital Ocean Console with an administrator account. The dashboard will appear on the screen.
  2. From the left navigation panel, select the name of the Project you want to investigate.
  3. After selecting the Project, under the Manage section in the left navigation panel, click on the Networking blade.
  4. A Networking page will appear on the screen; select the Firewall tab from the top navigation bar.
  5. A Firewall dashboard will appear on the screen with a list of all the firewalls available in the current project.
  6. Click on the name of the firewall you want to investigate. A new Firewall page with all the details of its inbound and outbound rules will appear on the screen.
  7. Check the list of Inbound Rules. If you find a rule with Type: Custom or All TCP, Protocol: TCP, and Port: 445 whose source is the unrestricted range 0.0.0.0/0, then firewall rules exist that allow unrestricted access on TCP port 445, and the firewall is vulnerable because TCP port 445 for SMB is open to the public.
  8. Click on the Edit Rule button, available on the right under the More dropdown link.
  9. Remove the non-compliant 0.0.0.0/0 IP address range from the Source IP ranges configuration section. This denies public inbound access to TCP port 445 for SMB.
  10. Enter the trusted IP address ranges into the Source IP ranges configuration section. Each range must be in CIDR format, for example 10.128.0.0/9. The ranges may include addresses inside your VPC network as well as addresses outside it.
  11. Click on the Save button to apply the changes.
  12. Repeat steps 7-11 for any other firewall rules with TCP port 445 in your Digital Ocean project.
  13. Repeat the steps above for other Digital Ocean projects under your organization.