I need some advice please.
I have conducted a vulnerability assessment on a client's external network and have discovered an open VNC port (both client and web) which one can connect to from any IP on the Internet.
I know that the vulnerability related to VNC is that you can sniff the credentials as they are by default sent in open text (the client is not tunnelling this through SSH).
As far as I know, to sniff the password you would need to either have access to a router between two connections or else interpose yourself in a 'man-in-the-middle'. You would also be able to sniff the traffic if you were plugged into a hub (or switch with promiscuity set accordingly) with either of the end points.
Taking these scenarios into account it would be highly unlikely that the password could be sniffed if these vectors were suitably protected. Am I missing something here which makes the risk of password sniffing very likely to occur?
The client does not need to comply with SOX so I cannot use that as leverage in getting him to close this down. I can only plead to his common sense.
Any advice or insight would be much appreciated.
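The question turns on what the exposed VNC listener actually negotiates. In the RFB protocol a server announces its version and then the security types it offers, and only the TLS and VeNCrypt types put the authentication step and the session inside an encrypted channel; everything else runs over a plain TCP socket that anyone on the path can read. The following script, an added example that is not part of the original post, parses the server's opening bytes and labels the result the way an assessment note would. The sample byte strings are constructed for the example; in practice they would come from a capture of one's own host or from connecting to one's own listener.

```python
"""Classify the server side of an RFB (VNC) handshake.

Added example, not from the original post. The SAMPLES below are
constructed byte strings, not captured traffic.
"""
import struct

# RFB security types as numbered in the RFB protocol specification.
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    20: "SASL",
}
# Only these types wrap authentication and the session in an encrypted channel.
ENCRYPTING_TYPES = {18, 19}


def parse_server_handshake(data: bytes) -> dict:
    """Parse the ProtocolVersion message plus the security-type message that follows it."""
    if len(data) < 12 or data[:4] != b"RFB " or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])
    if (major, minor) >= (3, 7):
        # RFB 3.7+: one count byte, then that many one-byte security types.
        if len(data) < 13:
            raise ValueError("truncated security-type list")
        count = data[12]
        types = list(data[13:13 + count])
        if len(types) != count:
            raise ValueError("truncated security-type list")
    else:
        # RFB 3.3: the server dictates a single type as a big-endian 32-bit word.
        if len(data) < 16:
            raise ValueError("truncated security-type word")
        types = [struct.unpack(">I", data[12:16])[0]]
    return {"version": f"{major}.{minor}", "types": types}


def assess(types) -> str:
    """Reduce the offered security types to one label for a triage note."""
    if not types or types == [0]:
        return "connection-refused"          # empty list / type 0: server refused
    if any(t in ENCRYPTING_TYPES for t in types):
        return "encrypted-channel-offered"
    if 1 in types:
        return "no-authentication"           # anyone who connects gets the desktop
    return "cleartext-channel"               # authentication happens on a plain socket


def describe(data: bytes) -> str:
    """One-line summary of a server handshake, suitable for a findings table."""
    h = parse_server_handshake(data)
    names = ", ".join(SECURITY_TYPES.get(t, f"unknown({t})") for t in h["types"])
    return f"RFB {h['version']} offers [{names}] -> {assess(h['types'])}"


# Constructed samples: server bytes for four listener configurations.
SAMPLES = {
    "internet-facing-default": b"RFB 003.008\n" + bytes([1, 2]),
    "no-auth":                 b"RFB 003.008\n" + bytes([1, 1]),
    "vencrypt-enabled":        b"RFB 003.008\n" + bytes([2, 19, 2]),
    "legacy-3.3":              b"RFB 003.003\n" + struct.pack(">I", 2),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:26s} {describe(raw)}")
```

The "internet-facing-default" sample is the configuration described in the post: the listener offers only VNC Authentication with no encrypting type, so the label is "cleartext-channel". Note that the "vencrypt-enabled" sample still lists VNC Authentication as a fallback; whether a client can be downgraded to it is a server-configuration question, which is why the assessment label only records that an encrypted option exists.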