More Info:

Determines if TCP port 5900 for VNC Server is open to the public. While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as VNC Server should be restricted to known IP addresses.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of VNC Server Port being open in GCP using the GCP console, follow the below steps:
  1. Login to the GCP Console.
  2. Navigate to the Compute Engine section.
  3. Select the VM instance that has the open VNC server port.
  4. Click on the “Edit” button at the top of the page.
  5. Scroll down to the “Firewall” section.
  6. In the “Firewall” section, uncheck the “Allow HTTP traffic” and “Allow HTTPS traffic” options.
  7. Scroll down to the “Cloud API access scopes” section.
  8. In the “Cloud API access scopes” section, uncheck the “Allow default access” option.
  9. Click on the “Save” button to apply the changes.
  10. Verify that the VNC server port is no longer open by running a port scan on the VM instance.
  11. If the VNC server port is still open, repeat the above steps and check for any misconfiguration or errors.
By following these steps, the misconfiguration of the VNC server port being open in GCP using the GCP console can be remediated.

To remediate the misconfiguration of having the VNC server port open on a GCP instance, you can follow the below steps using GCP CLI:
  1. Open the Cloud Shell in the GCP Console.
  2. Identify the instance that has the VNC server port open. You can use the following command to list all instances in your project: 
    gcloud compute instances list
  3. Once you have identified the instance, connect to it using SSH. You can use the following command to connect to the instance: 
    gcloud compute ssh [INSTANCE_NAME]
  4. Once you are connected to the instance, you need to find the VNC server process ID. You can use the following command to find the process ID: 
    ps -ef | grep Xtightvnc
  5. Once you have found the process ID, you can use the following command to kill the process: 
    sudo kill [PROCESS_ID]
  6. Next, you need to disable the VNC server from starting automatically on boot. You can use the following command to remove the VNC server startup script: 
    sudo rm /etc/systemd/system/[email protected]
  7. Finally, you need to ensure that the VNC server port is closed in the firewall. You can use the following command to remove the firewall rule that allows access to the VNC server port: 
    gcloud compute firewall-rules delete [FIREWALL_RULE_NAME]
    Replace [FIREWALL_RULE_NAME] with the name of the firewall rule that allows access to the VNC server port.
After completing these steps, you will have successfully remediated the misconfiguration of having the VNC server port open on the GCP instance.
To remediate the misconfiguration of VNC Server Port being open in GCP using Python, you can follow the below steps:
  1. First, you need to authenticate and authorize the GCP account using the Google Cloud SDK. You can do this by running the following command in the terminal: 
    gcloud auth login
  2. Next, you need to install the Python client library for GCP. You can do this by running the following command in the terminal: 
    pip install google-cloud-storage
  3. Once the library is installed, you can create a Python script to remediate the misconfiguration. The script should perform the following steps: a. Get a list of all the instances running in the GCP project using the Compute Engine API. b. For each instance, check if the VNC server port is open. You can do this by using the googleapiclient.discovery library to make a request to the Compute Engine API. c. If the VNC server port is open, use the googleapiclient.discovery library to make a request to the Compute Engine API to update the firewall rule and close the port.
  4. Here is a sample Python script that you can use to remediate the misconfiguration: 
    from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()

compute = discovery.build('compute', 'v1', credentials=credentials)

project = 'your-project-id'

def list_instances(compute, project):
    result = compute.instances().list(project=project).execute()
    return result['items'] if 'items' in result else None

instances = list_instances(compute, project)

for instance in instances:
    for network_interface in instance['networkInterfaces']:
        for access_config in network_interface['accessConfigs']:
            if 'natIP' in access_config:
                instance_ip = access_config['natIP']
                firewall_rules = compute.firewalls().list(project=project).execute()

                for firewall_rule in firewall_rules['items']:
                    if firewall_rule['name'] == 'vnc-server':
                        if 'allowed' in firewall_rule and 'ports' in firewall_rule['allowed'][0]:
                            if '5900' in firewall_rule['allowed'][0]['ports']:
                                compute.firewalls().update(project=project, firewall=firewall_rule['name'], body={
                                    "name": "vnc-server",
                                    "allowed": [
                                        {
                                            "IPProtocol": "tcp",
                                            "ports": []
                                        }
                                    ],
                                    "sourceRanges": [
                                        "0.0.0.0/0"
                                    ],
                                    "targetTags": [
                                        "vnc-server"
                                    ]
                                }).execute()
    Note: Replace your-project-id with the actual project ID.
  5. Save the script and run it in the terminal using the following command: 
    python script_name.py
    This will remediate the misconfiguration by closing the VNC server port in all the instances running in the GCP project.

Additional Reading: