TCP Dangerous Remote Access

Port 5900 (VNC)


Quick Info

Port Number: 5900
Protocol: TCP
Service: VNC
IANA Name: VNC

Service Description

TCP port 5900 is the default port for the Virtual Network Computing (VNC) protocol. VNC is a graphical desktop sharing system that allows users to remotely control another computer's desktop environment. It operates using the Remote Frame Buffer (RFB) protocol, a simple protocol that works at the frame buffer level. The VNC server listens on port 5900 (or 5900+n, where 'n' is the display number, with 0 being the default) and transmits pixel data from the server machine's screen to the client machine, also handling input events (keyboard and mouse) from the client and relaying them to the server.

The protocol has undergone several revisions since its initial development at Olivetti Research Laboratory in the mid-1990s, introducing features like encryption and authentication, though many implementations still support older, less secure versions. The RFB protocol's simplicity makes it relatively easy to implement, contributing to its widespread adoption, but also necessitates careful security considerations.

VNC's operation involves three key components: the VNC server (running on the machine being controlled), the VNC client (running on the machine doing the controlling), and the RFB protocol which facilitates the communication between them. The server captures screen updates and sends them to the client. The client renders these updates and sends user input back to the server. Authentication occurs as part of the RFB protocol negotiation, and different authentication schemes can be employed, from simple password-based authentication to more sophisticated methods.

## Firewall Recommendations

It is generally recommended to block port 5900 on your firewall unless you have a specific need to allow VNC connections from outside your local network. If remote access is required, consider using a VPN to establish a secure tunnel before initiating a VNC connection. When using VNC, always enable strong authentication mechanisms, use complex passwords, and keep the VNC server software up to date with the latest security patches. Consider using VNC over SSH tunneling to encrypt the VNC traffic. Limit access to the VNC server to specific IP addresses or networks. Regularly audit VNC server configurations to ensure they adhere to security best practices. Avoid exposing VNC directly to the internet without proper security measures.

Security Information

VNC, when not properly secured, presents significant security risks. The protocol, in its older and default configurations, often transmits data without encryption, including passwords, making it vulnerable to eavesdropping and man-in-the-middle attacks. Attackers can intercept the VNC traffic and gain unauthorized access to the remote system. Even with password authentication, weak passwords or default passwords can be easily compromised through brute-force attacks. Furthermore, vulnerabilities in specific VNC server implementations can be exploited to achieve remote code execution, allowing attackers to gain complete control of the server machine. Because VNC provides direct access to a graphical desktop, successful exploitation allows the attacker to perform any action as if they were physically present at the machine. VNC servers are frequently targeted by attackers because they are often left unsecured, misconfigured, or running outdated software with known vulnerabilities.
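The authentication negotiation and the weak configurations described above can be checked from a packet capture of your own server. The following is an added example, not code from the original page: it parses the server-to-client bytes of an RFB handshake and reports which security types are offered. The function names and sample captures are constructed, and for servers announcing 3.7 or 3.8 it assumes the client replied with the same version.

```python
import struct

# Security-type numbers from RFC 6143 and the IANA RFB registry.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                  18: "TLS", 19: "VeNCrypt", 20: "SASL"}
ENCRYPTED = {18, 19}  # TLS and VeNCrypt (VeNCrypt subtypes are not inspected)

def parse_server_handshake(stream: bytes) -> dict:
    """Parse ProtocolVersion plus the security message sent by the server."""
    banner, body = stream[:12], stream[12:]
    if len(banner) != 12 or banner[:4] != b"RFB " or banner[7:8] != b"." \
            or banner[11:] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    version = (int(banner[4:7]), int(banner[8:11]))
    if version in ((3, 7), (3, 8)):
        # 3.7/3.8: U8 count followed by that many U8 security types.
        if not body or len(body) < 1 + body[0]:
            raise ValueError("truncated security-type list")
        offered = list(body[1:1 + body[0]])
    else:
        # RFC 6143: any other version is handled as 3.3, where the server
        # dictates a single type as a big-endian U32 (0 means refusal).
        if len(body) < 4:
            raise ValueError("truncated security-type field")
        (chosen,) = struct.unpack(">I", body[:4])
        offered = [chosen] if chosen else []
    names = [SECURITY_TYPES.get(t, f"type {t}") for t in offered]
    return {"version": version, "offered": offered, "names": names}

def audit(stream: bytes) -> list:
    """Return configuration findings for one captured server handshake."""
    offered = set(parse_server_handshake(stream)["offered"])
    findings = []
    if not offered:
        findings.append("connection refused by server")
    if 1 in offered:
        findings.append("None offered: no password required")
    if 2 in offered:
        findings.append("VNC Authentication offered: DES challenge-response, "
                        "password truncated to 8 characters")
    if offered and not offered & ENCRYPTED:
        findings.append("no TLS or VeNCrypt type: tunnel over SSH or a VPN")
    return findings

# Constructed sample captures (server-to-client bytes only).
LEGACY = b"RFB 003.003\n" + struct.pack(">I", 1)
MIXED = b"RFB 003.008\n" + bytes([2, 1, 2])
TLS_ONLY = b"RFB 003.008\n" + bytes([1, 19])
```

An empty list from `audit` means the server offered only a TLS-wrapped type; any finding is a reason to reconfigure the server or keep it behind a tunnel.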

Known Vulnerabilities

| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2018-20330 | LibVNC heap-based buffer overflow in CopyRect encoding | High | Heap-based buffer overflow in CopyRect encoding handler in LibVNCServer allows attackers to execute arbitrary code. |
| CVE-2015-6903 | UltraVNC Reflected XSS | Medium | UltraVNC allows Reflected XSS via a crafted URI. |

Malware Associations

  • njRAT
  • DarkComet
  • Gh0st RAT
  • Poison Ivy

Common Software

  • RealVNC
  • TightVNC
  • UltraVNC
  • TigerVNC
  • x11vnc
  • Remmina
  • Vinagre
  • Chicken of the VNC
  • VNC Viewer
  • LibVNCServer
