Dear Comodo Developers (specifically GeekBuddy). The letter below concerns an issue that has been identified where TCP port 5800 (vnc-http) is exposed without the user requesting support or having any knowledge that the port is, by default, exposed. This is a concern because, unless a secondary hardware firewall exists (i.e. a segmented network with green and red zones), it may expose the vnc-http TCP port 5800 on the machines of all Comodo Firewall users that have GeekBuddy to the outside world. It is infinitely appreciated that Comodo GeekBuddy's TightVNC may be hardened against abuse; however, the author of the letter below is of the opinion that TCP port 5800 should only be opened as necessary, as opposed to permanently by default, and it was a surprising and distressing discovery to the author, as you may come to understand from the letter below.
I would like to highlight something that is extremely important. I have been recommended here by one of the community moderators to bring my comments/concerns to where COMODO developers are more likely to see them.
Dear Comodo, and fellow security experts.
As a penetration tester and ethical hacker it has been a joy to use COMODO Internet Security in Safe Mode as it is extremely paranoid and blocks many known attacks. I have used it for many joyful years.
Upon performing a port scan of my local machine with my Kali penetration testing box, I was really rather alarmed to see port 5800 (vnc-http) tcp/open when performing nmap -sS and nmap -sT scans from within the green segment of my local network. In fact I was downright frightened. Having full knowledge of all the services that run on my machine, such a discovery is of course not taken well.
Indeed, upon telnetting to the local machine on port 5800 (http-vnc), TightVNC was responding: this was a live service! "JESUS" was my initial impression, obviously. Upon connecting locally in a browser to localhost:5800 I am directed to a message "TIGHTVNC.COM".
root@kali:~# nmap -sS 192.168.0.100
Starting Nmap 6.47 ( http://nmap.org ) at 2015-05-12 02:30 BST
Nmap scan report for 192.168.0.100
Host is up (0.00020s latency).
Not shown: 986 filtered ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
554/tcp  open  rtsp
2869/tcp open  icslap
5357/tcp open  wsdapi
5800/tcp open  vnc-http
Naturally, one may note that performing such a scan from within the green zone of my network would be considered an almost minor absurdity, were it not for the fact that the TightVNC service was installed by Comodo Internet Security and this port opened without user knowledge. The concern is that, for all users who do not possess an additional layer of security such as a hardware firewall or router, this port is left exposed to the outside world for anyone to connect to, unless they possess a segmented/zoned network. How could this happen? Have I been naive? Maybe, but it is not very good, is it?
At the very least it was unclear that the Geekbuddy service installed a remote service that would open to all local connections immediately, and this concerns me greatly.
It's only by a stroke of luck that I had a SECOND hardware firewall between my green and red zones (that is to say, between my router and my local network hub) that TCP port 5800 was not directly exposed to the outside world. Whilst I completely appreciate that GeekBuddy is a remote assistance program used by Comodo engineers to provide remote assistance to Comodo users, I'm rather quite alarmed that the port is open and the service actively running on a permanent basis. Could this port not be opened only upon the user requesting GeekBuddy remote assistance? This would be infinitely more secure and would spare Comodo users and sysadmins all over the world an unexpected fright.
In fact it resembles a back door application, which is what frightened me so greatly in the first place.
Surely something can be done about this; is it really necessary to leave that port exposed like that? Not what I would expect from a company such as COMODO, whose motto is "Creating Trust Online".
I infinitely appreciate the fact that I may have been naive not to expect this to be opened by default, but I think you will find my point is also well made and that something should be done about this! No?
I am happy to say that after removing GeekBuddy in Add/Remove Programs of my OS, the TCP 5800 HTTP port is no longer open. It would, however, have been nice not to have had this nasty surprise. Users and staff, I am sure, will be quick to correct me, but I think my initial point DOES STAND!
Thank you for taking the time to read my letter and I hope it has been directed to the right place where proper attention can be given to it!
I certainly was not exposed to any kind of risk; however, someone who is behind a router would be unhappy to see this port exposed and would naturally be frightened if they did not understand what it is, and this could be avoided by a clearer message being given when installing the GeekBuddy service.
I can't help but mention that the user is of course partly to blame, but if this could be avoided then it would naturally be the most secure and sensible routine to actually mention what is being done in this process. Although this is my personal and professional opinion, I think it is not an entirely unreasonable or disparate one!
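The letter's discovery, a vnc-http listener on TCP 5800 found with nmap and confirmed in a browser, can be turned into a self-check a user or sysadmin runs on their own machine before deciding whether to firewall the port or remove the component. The script below is an added example; it is not code from the original post, from Comodo, or from GeekBuddy. It assumes only what the letter states: port 5800 is the listener, and the page served there carries the text "TIGHTVNC.COM". The fake listener and its HTTP reply are constructed stand-ins so the check can be exercised offline.

```python
import socket
import threading

# Port the author's nmap scan showed as "vnc-http" (TightVNC's HTTP/Java-viewer listener).
VNC_HTTP_PORT = 5800

# Constructed stand-in for the reply the author saw at localhost:5800; the original page
# only records the "TIGHTVNC.COM" message, so the surrounding HTTP headers are assumed.
FAKE_TIGHTVNC_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>TIGHTVNC.COM</body></html>"
)


def grab_http_banner(host, port, timeout=2.0):
    """Connect once to host:port, send a minimal HTTP GET and return the raw reply.

    Returns None when nothing accepts the connection (refused, unreachable or timed
    out) and b"" when something listens but sends nothing back, so the caller can
    tell 'closed/filtered' apart from 'open but silent'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    chunks = []
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
            while sum(len(c) for c in chunks) < 1024:
                data = sock.recv(1024)
                if not data:          # peer closed the connection
                    break
                chunks.append(data)
        except OSError:
            pass                      # reset or timeout after connecting: keep what we have
    return b"".join(chunks)


def classify_banner(banner):
    """Label a reply: 'tightvnc-http' if it carries TightVNC's page, 'http' for any
    other HTTP response, 'unknown' for anything else (including an empty reply)."""
    upper = banner.upper()
    if b"TIGHTVNC" in upper:
        return "tightvnc-http"
    if upper.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def audit_vnc_http(host="127.0.0.1", port=VNC_HTTP_PORT):
    """Self-check for the situation the letter describes: is the VNC HTTP port
    listening on this host, and does it look like TightVNC?"""
    banner = grab_http_banner(host, port)
    if banner is None:
        return {"host": host, "port": port, "open": False, "service": None}
    return {"host": host, "port": port, "open": True, "service": classify_banner(banner)}


def start_fake_listener(response=FAKE_TIGHTVNC_RESPONSE):
    """Start a throwaway TCP server on an ephemeral loopback port that answers every
    connection with `response`, for exercising the audit offline. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)        # read (and ignore) the request line
                conn.sendall(response)

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port():
    """Bind-and-release an ephemeral port so the audit can be shown against a port
    where nothing is listening (a small race is acceptable for a demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Real check of this machine, the way the author found the port with nmap and a browser.
    print("localhost:5800 ->", audit_vnc_http())
    # Offline demonstration against the constructed stand-in.
    fake_port = start_fake_listener()
    print(f"fake listener on {fake_port} ->", audit_vnc_http(port=fake_port))
```

Run it as-is and the first line reports whether anything answers on 127.0.0.1:5800 right now; a result of open with service tightvnc-http is exactly the condition the letter complains about, and a result of open with service unknown still deserves a look, since it means something is listening there that did not answer as HTTP. The check deliberately makes one connection per port: a probe that connects, disconnects and reconnects for a banner would itself look noisy in a host firewall log.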