DigitalOcean Firewall

Open VNC Server

Risk Level: High

Description

This plugin determines whether TCP port 5900, the default listening port of a VNC (Virtual Network Computing) server, is open to the public. Unlike HTTP and HTTPS, which are commonly exposed to public access, the VNC server port must be restricted to known IP addresses. A VNC server listens on TCP port 5900 to grant VNC clients remote access. To minimize false positives, this plugin reports only firewalls that have a public IP address associated with any of their networks.

About the Service

Digital Ocean Firewall:

DigitalOcean Cloud Firewalls are a network-based, stateful firewall service for Droplets, provided at no extra cost. Cloud Firewalls block all traffic that is not explicitly allowed by a rule. A firewall places a barrier between your servers and other machines on the network to protect them from external attacks. Firewalls can be host-based, configured on a per-server basis using utilities such as iptables or UFW. Others, such as DigitalOcean Cloud Firewalls, are network-based and stop traffic at the network layer before it reaches the server.

Impact

Firewalls attached to Droplets control their incoming and outgoing traffic. The rules defined under a firewall allow specific source IP addresses to reach the Droplets on the protocol and ports specified. VNC stands for Virtual Network Computing: using a VNC client, a user gains remote control of the VNC server's screen, mouse, and keyboard. Open VNC server ports are routinely scanned by attackers, and a password brute-force attack against an exposed server grants complete, cross-platform remote access to it. It is highly recommended to allow access to the VNC server only from trusted IP addresses.

Steps to Reproduce

Using Digital Ocean Console-

In order to determine whether your DigitalOcean Firewall rules permit unrestricted access on TCP port 5900, follow the steps mentioned below:

  1. Sign in to the DigitalOcean Console with an administrator account. A dashboard will appear on the screen.
  2. From the left navigation panel, select the name of the Project you want to investigate.
  3. After selecting the Project, under the Manage section in the left navigation panel, click on the Networking blade.
  4. A Networking page will appear on the screen; select the Firewalls tab from the top navigation bar.
  5. A Firewall dashboard will appear on the screen with a list of all the firewalls available in the current Project.
  6. Click on the name of the firewall you want to investigate. A new Firewall page with the details of all inbound and outbound rules will appear on the screen.
  7. Check the list of Inbound Rules for any rule with Type: Custom or All TCP, Protocol: TCP, a port or port range that includes 5900, and Sources: All IPv4 (0.0.0.0/0) or All IPv6 (::/0). If such a rule exists, the firewall allows unrestricted access on TCP port 5900, hence it is vulnerable as the VNC Server port is open to the public.
  8. Check out the Steps for Remediation to fix this issue.
  9. Repeat the steps mentioned above to review the firewalls in the other Projects and Teams associated with your DigitalOcean account.

Steps for Remediation

In order to update your DigitalOcean Cloud Firewall rules so that VNC Server access is restricted to trusted, authorized IP addresses or IP ranges only, follow the steps given below:

  1. Sign in to the DigitalOcean Console with an administrator account. A dashboard will appear on the screen.
  2. From the left navigation panel, select the name of the Project you want to investigate.
  3. After selecting the Project, under the Manage section in the left navigation panel, click on the Networking blade.
  4. A Networking page will appear on the screen; select the Firewalls tab from the top navigation bar.
  5. A Firewall dashboard will appear on the screen with a list of all the firewalls available in the current Project.
  6. Click on the name of the firewall you want to investigate. A new Firewall page with the details of all inbound and outbound rules will appear on the screen.
  7. Check the list of Inbound Rules for any rule with Type: Custom or All TCP, Protocol: TCP, a port or port range that includes 5900, and Sources: All IPv4 (0.0.0.0/0) or All IPv6 (::/0). If such a rule exists, the firewall allows unrestricted access on TCP port 5900, hence it is vulnerable as the VNC Server port is open to the public.
  8. Click on the More dropdown on the right of the non-compliant rule and select Edit Rule.
  9. Remove the non-compliant 0.0.0.0/0 (All IPv4) and ::/0 (All IPv6) entries from the Sources field of the rule. This denies public inbound access to TCP port 5900 of the VNC Server.
  10. Enter the trusted IP addresses or ranges into the Sources field. Each entry must be in CIDR format, for example 10.128.0.0/9. The ranges may include addresses inside your VPC network as well as addresses outside of it.
  11. Click on the Save button to apply the changes made so far.
  12. Repeat steps 7-11 for any other firewall rule that allows TCP port 5900 in your DigitalOcean Project.
  13. Repeat the above steps for the other DigitalOcean Projects under your organization.
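The console procedures above (the check in Steps to Reproduce and the rule change in Steps for Remediation) can also be run against the JSON that the DigitalOcean Firewalls API returns, which is useful when a Team has many firewalls. The script below is an added example written for this page; it is not the plugin's own code and not DigitalOcean tooling. It assumes the documented Firewalls API shape ("inbound_rules" entries with "protocol", "ports" and "sources.addresses"), where "ports" may be a single port, a range such as "5900-5910", or "all". The firewall records and the trusted CIDRs (203.0.113.10/32, 198.51.100.0/24) are constructed for the example.

```python
"""Audit DigitalOcean Cloud Firewall JSON for TCP/5900 exposed to the world
and compute the corrected inbound rule set.

Added example for this page, not part of the plugin or of DigitalOcean tooling.
The input shape follows the Firewalls API; the sample data below is constructed.
"""
import copy
import json

VNC_PORT = 5900
# "All IPv4" / "All IPv6" in the console correspond to these source CIDRs.
PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}
# Hypothetical administrator ranges that should replace the public sources.
TRUSTED_SOURCES = ["203.0.113.10/32", "198.51.100.0/24"]

# Constructed sample in the shape of the Firewalls API response.
SAMPLE_FIREWALLS = json.loads("""
{"firewalls": [
  {"id": "fw-1", "name": "vnc-open", "droplet_ids": [101],
   "inbound_rules": [
     {"protocol": "tcp", "ports": "22",   "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
     {"protocol": "tcp", "ports": "5900", "sources": {"addresses": ["0.0.0.0/0", "::/0"]}}]},
  {"id": "fw-2", "name": "all-tcp", "droplet_ids": [102],
   "inbound_rules": [
     {"protocol": "tcp", "ports": "all", "sources": {"addresses": ["0.0.0.0/0"]}}]},
  {"id": "fw-3", "name": "vnc-range-ipv6", "droplet_ids": [103],
   "inbound_rules": [
     {"protocol": "tcp", "ports": "5900-5910", "sources": {"addresses": ["::/0"]}}]},
  {"id": "fw-4", "name": "vnc-restricted", "droplet_ids": [104],
   "inbound_rules": [
     {"protocol": "tcp", "ports": "5900", "sources": {"addresses": ["203.0.113.10/32"]}}]},
  {"id": "fw-5", "name": "udp-5900", "droplet_ids": [105],
   "inbound_rules": [
     {"protocol": "udp", "ports": "5900", "sources": {"addresses": ["0.0.0.0/0"]}}]}
]}
""")


def ports_cover(ports: str, port: int) -> bool:
    """True if a DigitalOcean 'ports' string ("22", "8000-9000", "all"/"0") includes port."""
    if not ports:
        return False
    if ports in ("all", "0"):
        return True
    lo, _, hi = ports.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_exposes_vnc(rule: dict) -> bool:
    """Non-compliant: TCP, port set covers 5900, and at least one world-open source."""
    if rule.get("protocol") != "tcp" or not ports_cover(rule.get("ports", ""), VNC_PORT):
        return False
    return bool(PUBLIC_SOURCES & set(rule.get("sources", {}).get("addresses", [])))


def find_open_vnc(firewalls: list) -> list:
    """Names of firewalls attached to at least one Droplet that expose TCP/5900 publicly."""
    return [fw["name"] for fw in firewalls
            if fw.get("droplet_ids") and any(rule_exposes_vnc(r) for r in fw["inbound_rules"])]


def remediate(firewall: dict, trusted: list) -> list:
    """Return a corrected copy of inbound_rules (the original is left untouched).

    On every offending rule the 0.0.0.0/0 and ::/0 sources are dropped and the
    trusted CIDRs added; other rules are unchanged. A rule that reached 5900 via
    "all" or a range keeps its port set, so review such rules by hand as well.
    """
    fixed = copy.deepcopy(firewall["inbound_rules"])
    for rule in fixed:
        if rule_exposes_vnc(rule):
            keep = [a for a in rule["sources"]["addresses"] if a not in PUBLIC_SOURCES]
            rule["sources"]["addresses"] = keep + [t for t in trusted if t not in keep]
    return fixed


if __name__ == "__main__":
    fws = SAMPLE_FIREWALLS["firewalls"]
    print("Open VNC server:", find_open_vnc(fws))
    print(json.dumps(remediate(fws[0], TRUSTED_SOURCES), indent=2))
```

To run this against a real account, pass the firewall objects from `doctl compute firewall get <firewall-id> --output json` in place of the constructed sample; the remediated rule list then has to be applied through the console or the API, which the script deliberately does not do.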