Network Security Group
      Back to home
      1. CNS Policies
      2. Azure Knowledge Base
      3. Network Security Group

      Open VNC Client

      Risk Level: High

      Description: 

      This plugin checks if the VNC Client's TCP port 5500 is exposed to the public. While some ports, such as HTTP and HTTPS, must be exposed to the public in order to function, more sensitive services, like VNC Client, should be limited to recognized IP addresses. Virtual Network Computing is the abbreviation for Virtual Network Computing. It's a cross-platform screen-sharing technology that lets you operate another computer from afar.

      PingSafe strongly recommends restricting TCP port 5500 to known IP addresses.

      About the Service :

      In an Azure virtual network, a network security group may be used to restrict network traffic to and from Azure resources. A network security group is a collection of security rules that allow or disallow incoming and outgoing network traffic to and from various Azure services. Source and destination, port, and protocol can all be specified for each rule.

      Impact : 

      If the ports are unrestricted, they can make the account vulnerable to attacks. This could lead to the accessibility of sensitive data to the people it’s not meant to be accessible by. If we do not restrict TCP port 5500 to known IP addresses the best security practices will not be followed and attacks can be invoked.

      Steps to reproduce :

      1. Sign in to your Azure portal with your Azure account.
        https://portal.azure.com/#home 
      2. Navigate to Azure’s Network Security Groups.
      3. Click on the Security Group that you want to examine. Next, click on the inbound security rules.
      4. Check whether TCP port 5500 is showing Allow for all Source and Destination. If it is set to ANY that means it is exposed to the public.
      5. Follow the same steps for other security groups as well.

      To check if TCP port 5500 is accessible to the general public or not we examined the port Inbound Security Rules.

      Steps for remediation :

      1. Sign in to your Azure portal with your Azure account.
        https://portal.azure.com/#home 
      2. Navigate to Azure’s Network Security Groups.
      3. Click on the Security Group that you want to examine. Next, click on the inbound security rules.
      4. Check whether TCP port 5500  is showing Allow for all Source and Destination. If it is set to ANY that means it is exposed to the public.
      5. Next, click on the security group rule and modify the Source from ANY to specific IP addresses or select Application security group and click Save.
      6. Now the TCP port 5500 is not accessible by the public.
      7. Follow the same steps for other security groups as well.

      References :

      Please feel free to reach out to support@pingsafe.com with any questions that you may have.

      Thanks

      PingSafe Support