Scan Report
September 20, 2021
Summary
This document reports on the results of an automatic security scan. All dates are displayed using the timezone "Coordinated Universal Time", which is abbreviated "UTC". The task was "Robert.Harshberger.20 Sept 2021". The scan started at and ended at . The report first summarises the results found. Then, for each host, the report describes every issue found. Please consider the advice given in each description, in order to rectify the issue.
Contents
1 Result Overview
1.1 Host Authentications
2 Results per Host
2.1 172.17.1.1
2.1.1 High 22/tcp
2.1.2 Medium 80/tcp
2.1.3 Low general/tcp
2.2 172.17.1.7
2.2.1 High 3632/tcp
2.2.2 High 5432/tcp
2.2.3 High 80/tcp
2.2.4 High 6200/tcp
2.2.5 High 21/tcp
2.2.6 High 512/tcp
2.2.7 High 1524/tcp
2.2.8 High general/tcp
2.2.9 Medium 445/tcp
2.2.10 Medium 25/tcp
2.2.11 Medium 5432/tcp
2.2.12 Medium 80/tcp
2.2.13 Medium 21/tcp
2.2.14 Medium 22/tcp
2.2.15 Medium 6667/tcp
2.2.16 Low 22/tcp
2.2.17 Low general/tcp
1 Result Overview
Host         High  Medium  Low  Log  False Positive
172.17.1.1      1       2    1    0               0
172.17.1.7     11      28    2    0               0
Total: 2       12      30    3    0               0
Vendor security updates are not trusted.
Overrides are on. When a result has an override, this report uses the threat of the override.
Information on overrides is included in the report.
Notes are included in the report.
This report might not show details of all issues that were found.
It only lists hosts that produced issues.
Issues with the threat level "Log" are not shown.
Issues with the threat level "Debug" are not shown.
Issues with the threat level "False Positive" are not shown.
Only results with a minimum QoD of 70 are shown.
This report contains all 45 results selected by the filtering described above. Before filtering there were 360 results.
1.1 Host Authentications
Host Protocol Result Port/User
172.17.1.7 SMB Success Protocol SMB, Port 445, User
2 Results per Host
2.1 172.17.1.1
Host scan start
Host scan end
Service (Port) Threat Level
22/tcp High
80/tcp Medium
general/tcp Low
2.1.1 High 22/tcp
High (CVSS: 10.0)
NVT: pfSense Default SSH Credentials
Summary
pfSense is prone to a default account authentication bypass vulnerability via SSH.
Vulnerability Detection Result
It was possible to login to pfSense via SSH with the following credentials:
Username: “admin”, Password: “pfsense”
Username: “root”, Password: “pfsense”
It was also possible to execute “cat /etc/passwd” as “admin”. Result:
root:*:0:0:Charlie &:/root:/bin/sh
It was also possible to execute “cat /etc/passwd” as “root”. Result:
root:*:0:0:Charlie &:/root:/bin/sh
Impact
This issue may be exploited by a remote attacker to gain access to sensitive information or modify the system configuration.
Solution
Solution type: Mitigation
Change the password.
Vulnerability Detection Method
Try to login with known credentials.
Details: pfSense Default SSH Credentials
OID:1.3.6.1.4.1.25623.1.0.112123
Version used: $Revision: 11747 $
References
Other:
URL:https://www.question-defense.com/2012/11/19/pfsense-default-login
URL:https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access
[ return to 172.17.1.1 ]
2.1.2 Medium 80/tcp
Medium (CVSS: 5.0)
NVT: Missing `httpOnly` Cookie Attribute
Summary
The application is missing the ‘httpOnly’ cookie attribute
Vulnerability Detection Result
The cookies:
Set-Cookie: __csrf_cookie=c38c99d9374ec49b38670991bbdfc0566f50b1c8
are missing the “httpOnly” attribute.
Solution
Solution type: Mitigation
Set the ‘httpOnly’ attribute for any session cookie.
Affected Software/OS
Application with session handling in cookies.
Vulnerability Insight
The flaw is due to a cookie not using the ‘httpOnly’ attribute. This allows the cookie to be accessed by JavaScript, which could lead to session hijacking attacks.
Vulnerability Detection Method
Check all cookies sent by the application for a missing ‘httpOnly’ attribute
Details: Missing `httpOnly` Cookie Attribute
OID:1.3.6.1.4.1.25623.1.0.105925
Version used: $Revision: 5270 $
References
Other:
URL:https://www.owasp.org/index.php/HttpOnly
URL:https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
Medium (CVSS: 4.8)
NVT: Cleartext Transmission of Sensitive Information via HTTP
Summary
The host / application transmits sensitive information (username, passwords) in cleartext via
HTTP.
Vulnerability Detection Result
The following input fields were identified (URL:input name):
http://172.17.1.1/:passwordfld
Impact
An attacker could use this situation to compromise or eavesdrop on the HTTP communication
between the client and the server using a man-in-the-middle attack to get access to sensitive data
like usernames or passwords.
Solution
Solution type: Workaround
Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally
make sure the host / application is redirecting all users to the secured SSL/TLS connection
before allowing to input sensitive data into the mentioned functions.
Affected Software/OS
Hosts / applications which don’t enforce the transmission of sensitive data via an encrypted SSL/TLS connection.
Vulnerability Detection Method
Evaluate previously collected information and check if the host / application is not enforcing the transmission of sensitive data via an encrypted SSL/TLS connection.
The script is currently checking the following:
– HTTP Basic Authentication (Basic Auth)
– HTTP Forms (e.g. Login) with input field of type ‘password’
Details: Cleartext Transmission of Sensitive Information via HTTP
OID:1.3.6.1.4.1.25623.1.0.108440
Version used: $Revision: 10726 $
References
Other:
URL:https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
URL:https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
URL:https://cwe.mitre.org/data/definitions/319.html
[ return to 172.17.1.1 ]
2.1.3 Low general/tcp
Low (CVSS: 2.6)
NVT: TCP timestamps
Summary
The remote host implements TCP timestamps and therefore allows to compute the uptime.
Vulnerability Detection Result
It was detected that the host implements RFC1323.
The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 3070193604
Packet 2: 755767017
Impact
A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Solution
Solution type: Mitigation
To disable TCP timestamps on Linux add the line ‘net.ipv4.tcp_timestamps = 0’ to /etc/sysctl.conf. Execute ‘sysctl -p’ to apply the settings at runtime.
To disable TCP timestamps on Windows execute ‘netsh int tcp set global timestamps=disabled’
Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on these systems is to not use the Timestamp options when initiating TCP connections, but to use them if the TCP peer that is initiating communication includes them in its synchronize (SYN) segment.
See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152
Affected Software/OS
TCP/IPv4 implementations that implement RFC1323.
Vulnerability Insight
The remote host implements TCP timestamps, as defined by RFC1323.
Vulnerability Detection Method
Special IP packets are forged and sent with a little delay in between to the target IP. The
responses are searched for a timestamps. If found, the timestamps are reported.
Details: TCP timestamps
OID:1.3.6.1.4.1.25623.1.0.80091
Version used: $Revision: 10411 $
References
Other:
URL:http://www.ietf.org/rfc/rfc1323.txt
[ return to 172.17.1.1 ]
2.2 172.17.1.7
Host scan start
Host scan end
Service (Port) Threat Level
3632/tcp High
5432/tcp High
80/tcp High
6200/tcp High
21/tcp High
512/tcp High
1524/tcp High
general/tcp High
445/tcp Medium
25/tcp Medium
5432/tcp Medium
80/tcp Medium
Service (Port) Threat Level
21/tcp Medium
22/tcp Medium
6667/tcp Medium
22/tcp Low
general/tcp Low
2.2.1 High 3632/tcp
High (CVSS: 9.3)
NVT: DistCC Remote Code Execution Vulnerability
Summary
DistCC 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
Vulnerability Detection Result
It was possible to execute the “id” command.
Result: uid=1(daemon) gid=1(daemon)
Solution
Solution type: VendorFix
Vendor updates are available. Please see the references for more information.
Vulnerability Detection Method
Details: DistCC Remote Code Execution Vulnerability
OID:1.3.6.1.4.1.25623.1.0.103553
Version used: $Revision: 5120 $
References
CVE: CVE-2004-2687
Other:
URL:http://distcc.samba.org/security.html
URL:http://archives.neohapsis.com/archives/bugtraq/2005-03/0183.html
[ return to 172.17.1.7 ]
2.2.2 High 5432/tcp
High (CVSS: 9.0)
NVT: PostgreSQL weak password
Product detection result
cpe:/a:postgresql:postgresql:8.3.1
Detected by PostgreSQL Detection (OID: 1.3.6.1.4.1.25623.1.0.100151)
Summary
It was possible to login into the remote PostgreSQL as user postgres using weak credentials.
Vulnerability Detection Result
It was possible to login as user postgres with password “postgres”.
Solution
Solution type: Mitigation
Change the password as soon as possible.
Vulnerability Detection Method
Details: PostgreSQL weak password
OID:1.3.6.1.4.1.25623.1.0.103552
Version used: $Revision: 10312 $
Product Detection Result
Product: cpe:/a:postgresql:postgresql:8.3.1
Method: PostgreSQL Detection
OID: 1.3.6.1.4.1.25623.1.0.100151
[ return to 172.17.1.7 ]
2.2.3 High 80/tcp
High (CVSS: 10.0)
NVT: TWiki XSS and Command Execution Vulnerabilities
Product detection result
cpe:/a:twiki:twiki:01.Feb.2003
Detected by TWiki Version Detection (OID: 1.3.6.1.4.1.25623.1.0.800399)
Summary
The host is running TWiki and is prone to Cross-Site Scripting (XSS) and Command Execution
Vulnerabilities.
Vulnerability Detection Result
Installed version: 01.Feb.2003
Fixed version: 4.2.4
Impact
Successful exploitation could allow execution of arbitrary script code or commands. This could
let attackers steal cookie-based authentication credentials or compromise the affected application.
Impact Level: Application
Solution
Solution type: VendorFix
Upgrade to version 4.2.4 or later, http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x04
Affected Software/OS
TWiki, TWiki version prior to 4.2.4.
Vulnerability Insight
The flaws are due to:
– %URLPARAM{}% variable is not properly sanitized, which lets attackers conduct cross-site scripting attacks.
– %SEARCH{}% variable is not properly sanitised before being used in an eval() call, which lets attackers execute Perl code through an eval injection attack.
Vulnerability Detection Method
Details: TWiki XSS and Command Execution Vulnerabilities
OID:1.3.6.1.4.1.25623.1.0.800320
Version used: $Revision: 4227 $
Product Detection Result
Product: cpe:/a:twiki:twiki:01.Feb.2003
Method: TWiki Version Detection
OID: 1.3.6.1.4.1.25623.1.0.800399
References
CVE: CVE-2008-5304, CVE-2008-5305
BID:32668, 32669
Other:
URL:http://twiki.org/cgi-bin/view/Codev.SecurityAlert-CVE-2008-5304
URL:http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305
High (CVSS: 7.5)
NVT: phpinfo() output accessible
Summary
Many PHP installation tutorials instruct the user to create a file called phpinfo.php or similar containing the phpinfo() statement. Such a file is often left in the webserver directory after completion.
Vulnerability Detection Result
The following files are calling the function phpinfo() which disclose potentially sensitive information:
http://172.17.1.7/mutillidae/phpinfo.php
http://172.17.1.7/phpinfo.php
Impact
Some of the information that can be gathered from this file includes:
The username of the user who installed PHP, whether they are a sudo user, the IP address of the host, the web server version, the system version (unix / linux), and the root directory of the web server.
Solution
Solution type: Workaround
Delete them or restrict access to the listed files.
Vulnerability Detection Method
Details: phpinfo() output accessible
OID:1.3.6.1.4.1.25623.1.0.11229
Version used: $Revision: 11558 $
High (CVSS: 7.5)
NVT: PHP-CGI-based setups vulnerability when parsing query string parameters from php files.
Summary
PHP is prone to an information-disclosure vulnerability.
Vulnerability Detection Result
Vulnerable url: http://172.17.1.7/cgi-bin/php
Impact
Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer. Other attacks are also possible.
Solution
Solution type: VendorFix
PHP has released version 5.4.3 and 5.3.13 to address this vulnerability. PHP is recommending
that users upgrade to the latest version of PHP.
Vulnerability Insight
When PHP is used in a CGI-based setup (such as Apache’s mod_cgid), the php-cgi receives
a processed query string parameter as command line arguments which allows command-line
switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to
disclose source code and obtain arbitrary code execution.
An example of the -s command, allowing an attacker to view the source code of index.php is
below:
http://localhost/index.php?-s
Vulnerability Detection Method
Details: PHP-CGI-based setups vulnerability when parsing query string parameters from ph...
OID:1.3.6.1.4.1.25623.1.0.103482
Version used: $Revision: 11457 $
References
CVE: CVE-2012-1823, CVE-2012-2311, CVE-2012-2336, CVE-2012-2335
BID:53388
Other:
URL:http://www.h-online.com/open/news/item/Critical-open-hole-in-PHP-creates-risks-Update-1567532.html
URL:http://www.kb.cert.org/vuls/id/520827
URL:http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
URL:https://bugs.php.net/bug.php?id=61910
URL:http://www.php.net/manual/en/security.cgi-bin.php
URL:http://www.securityfocus.com/bid/53388
High (CVSS: 7.5)
NVT: Test HTTP dangerous methods
Summary
Misconfigured web servers allow remote clients to perform dangerous HTTP methods such as PUT and DELETE. This script checks if they are enabled and can be misused to upload or delete files.
Vulnerability Detection Result
We could upload the following files via the PUT method at this web server:
http://172.17.1.7/dav/puttest1443372832.html
We could delete the following files via the DELETE method at this web server:
http://172.17.1.7/dav/puttest1443372832.html
Impact
– Enabled PUT method: This might allow an attacker to upload and run arbitrary code on this web server.
– Enabled DELETE method: This might allow an attacker to delete additional files on this web server.
Solution
Solution type: Mitigation
Use access restrictions to these dangerous HTTP methods or disable them completely.
Vulnerability Detection Method
Details: Test HTTP dangerous methods
OID:1.3.6.1.4.1.25623.1.0.10498
Version used: $Revision: 9335 $
References
BID:12141
Other:
OWASP:OWASP-CM-001
[ return to 172.17.1.7 ]
2.2.4 High 6200/tcp
High (CVSS: 7.5)
NVT: vsftpd Compromised Source Packages Backdoor Vulnerability
Summary
vsftpd is prone to a backdoor vulnerability.
Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.
Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected application.
Solution
Solution type: VendorFix
The repaired package can be downloaded from https://security.appspot.com/vsftpd.html. Please
validate the package with its signature.
Affected Software/OS
The vsftpd 2.3.4 source package is affected.
Vulnerability Detection Method
Details: vsftpd Compromised Source Packages Backdoor Vulnerability
OID:1.3.6.1.4.1.25623.1.0.103185
Version used: $Revision: 5026 $
References
BID:48539
Other:
URL:http://www.securityfocus.com/bid/48539
URL:http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
URL:https://security.appspot.com/vsftpd.html
[ return to 172.17.1.7 ]
2.2.5 High 21/tcp
High (CVSS: 7.5)
NVT: vsftpd Compromised Source Packages Backdoor Vulnerability
Summary
vsftpd is prone to a backdoor vulnerability.
Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.
Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected application.
Solution
Solution type: VendorFix
The repaired package can be downloaded from https://security.appspot.com/vsftpd.html. Please
validate the package with its signature.
Affected Software/OS
The vsftpd 2.3.4 source package is affected.
Vulnerability Detection Method
Details: vsftpd Compromised Source Packages Backdoor Vulnerability
OID:1.3.6.1.4.1.25623.1.0.103185
Version used: $Revision: 5026 $
References
BID:48539
Other:
URL:http://www.securityfocus.com/bid/48539
URL:http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
URL:https://security.appspot.com/vsftpd.html
[ return to 172.17.1.7 ]
2.2.6 High 512/tcp
High (CVSS: 10.0)
NVT: Check for rexecd Service
Summary
Rexecd service is running at this host. Rexecd (Remote Process Execution) has the same kind of functionality that rsh has: you can execute shell commands on a remote computer.
The main difference is that rexecd authenticates by reading the username and password *unencrypted* from the socket.
Vulnerability Detection Result
The rexec service is not allowing connections from this host.
Solution
Solution type: Mitigation
Disable rexec Service.
Vulnerability Detection Method
Details: Check for rexecd Service
OID:1.3.6.1.4.1.25623.1.0.100111
Version used: $Revision: 6849 $
References
Other:
URL:https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0618
[ return to 172.17.1.7 ]
2.2.7 High 1524/tcp
High (CVSS: 10.0)
NVT: Possible Backdoor: Ingreslock
Summary
A backdoor is installed on the remote host
Vulnerability Detection Result
The service is answering to an ‘id;’ command with the following response: uid=0(root) gid=0(root)
Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected system.
Solution
Solution type: Workaround
Vulnerability Detection Method
Details: Possible Backdoor: Ingreslock
OID:1.3.6.1.4.1.25623.1.0.103549
Version used: $Revision: 11327 $
[ return to 172.17.1.7 ]
2.2.8 High general/tcp
High (CVSS: 10.0)
NVT: OS End Of Life Detection
Product detection result
cpe:/o:canonical:ubuntu_linux:8.04
Detected by OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)
Summary
OS End Of Life Detection
The Operating System on the remote host has reached the end of life and should not be used
anymore.
Vulnerability Detection Result
The “Ubuntu” Operating System on the remote host has reached the end of life.
CPE: cpe:/o:canonical:ubuntu_linux:8.04
Installed version,
build or SP: 8.04
EOL date: 2013-05-09
EOL info: https://wiki.ubuntu.com/Releases
Solution
Solution type: Mitigation
Vulnerability Detection Method
Details: OS End Of Life Detection
OID:1.3.6.1.4.1.25623.1.0.103674
Version used: $Revision: 8927 $
Product Detection Result
Product: cpe:/o:canonical:ubuntu_linux:8.04
Method: OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937
[ return to 172.17.1.7 ]
2.2.9 Medium 445/tcp
Medium (CVSS: 6.0)
NVT: Samba MS-RPC Remote Shell Command Execution Vulnerability (Active Check)
Product detection result
cpe:/a:samba:samba:3.0.20
Detected by SMB NativeLanMan (OID: 1.3.6.1.4.1.25623.1.0.102011)
Summary
Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands
because the software fails to sanitize user-supplied input.
Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.
Impact
An attacker may leverage this issue to execute arbitrary shell commands on an affected system
with the privileges of the application.
Solution
Solution type: VendorFix
Updates are available. Please see the referenced vendor advisory.
Affected Software/OS
This issue affects Samba 3.0.0 to 3.0.25rc3.
Vulnerability Detection Method
Send a crafted command to the samba server and check for a remote command execution.
Details: Samba MS-RPC Remote Shell Command Execution Vulnerability (Active Check)
OID:1.3.6.1.4.1.25623.1.0.108011
Version used: $Revision: 10398 $
Product Detection Result
Product: cpe:/a:samba:samba:3.0.20
Method: SMB NativeLanMan
OID: 1.3.6.1.4.1.25623.1.0.102011
References
CVE: CVE-2007-2447
BID:23972
Other:
URL:http://www.securityfocus.com/bid/23972
URL:https://www.samba.org/samba/security/CVE-2007-2447.html
[ return to 172.17.1.7 ]
2.2.10 Medium 25/tcp
Medium (CVSS: 6.8)
NVT: Multiple Vendors STARTTLS Implementation Plaintext Arbitrary Command Injection
Vulnerability
Summary
Multiple vendors’ implementations of STARTTLS are prone to a vulnerability that lets attackers
inject arbitrary commands.
Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.
Impact
An attacker can exploit this issue to execute arbitrary commands in the context of the user
running the application. Successful exploits can allow attackers to obtain email usernames and
passwords.
Solution
Solution type: VendorFix
Updates are available.
Affected Software/OS
The following vendors are affected:
– Ipswitch
– Kerio
– Postfix
– Qmail-TLS
– Oracle
– SCO Group
– spamdyke
– ISC
Vulnerability Detection Method
Send a special crafted STARTTLS request and check the response.
Details: Multiple Vendors STARTTLS Implementation Plaintext Arbitrary Command Injection ...
OID:1.3.6.1.4.1.25623.1.0.103935
Version used: $Revision: 11196 $
References
CVE: CVE-2011-0411, CVE-2011-1430, CVE-2011-1431, CVE-2011-1432, CVE-2011-1506, CVE-2011-1575, CVE-2011-1926, CVE-2011-2165
BID:46767
Other:
URL:http://www.securityfocus.com/bid/46767
URL:http://kolab.org/pipermail/kolab-announce/2011/000101.html
URL:http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424
URL:http://cyrusimap.org/mediawiki/index.php/Bugs_Resolved_in_2.4.7
URL:http://www.kb.cert.org/vuls/id/MAPG-8D9M4P
URL:http://files.kolab.org/server/release/kolab-server-2.3.2/sources/release-notes.txt
URL:http://www.postfix.org/CVE-2011-0411.html
URL:http://www.pureftpd.org/project/pure-ftpd/news
URL:http://www.watchguard.com/support/release-notes/xcs/9/en-US/EN_ReleaseNotes_XCS_9_1_1/EN_ReleaseNotes_WG_XCS_9_1_TLS_Hotfix.pdf
URL:http://www.spamdyke.org/documentation/Changelog.txt
URL:http://datatracker.ietf.org/doc/draft-josefsson-kerberos5-starttls/?include_text=1
URL:http://www.securityfocus.com/archive/1/516901
URL:http://support.avaya.com/css/P8/documents/100134676
URL:http://support.avaya.com/css/P8/documents/100141041
URL:http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
URL:http://inoa.net/qmail-tls/vu555316.patch
URL:http://www.kb.cert.org/vuls/id/555316
Medium (CVSS: 5.0)
NVT: SSL/TLS: Certificate Expired
Summary
The remote server’s SSL/TLS certificate has already expired.
Vulnerability Detection Result
The certificate of the remote service expired on 2010-04-16 14:07:45.
Certificate details:
subject ...: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
subject alternative names (SAN):
None
issued by .: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
serial ….: 00FAF93A4C7FB6B9CC
valid from : 2010-03-17 14:07:45 UTC
valid until: 2010-04-16 14:07:45 UTC
fingerprint (SHA-1): ED093088706603BFD5DC237399B498DA2D4D31C6
fingerprint (SHA-256): E7A7FA0D63E457C7C4A59B38B70849C6A70BDA6F830C7AF1E32DEE436DE813CC
Solution
Solution type: Mitigation
Replace the SSL/TLS certificate by a new one.
Vulnerability Insight
This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the
target and reports whether any have already expired.
Vulnerability Detection Method
Details: SSL/TLS: Certificate Expired
OID:1.3.6.1.4.1.25623.1.0.103955
Version used: $Revision: 11103 $
Medium (CVSS: 4.3)
NVT: SSL/TLS: RSA Temporary Key Handling ‘RSA_EXPORT’ Downgrade Issue (FREAK)
Summary
This host is accepting ‘RSA_EXPORT’ cipher suites and is prone to man in the middle attack.
Vulnerability Detection Result
‘RSA_EXPORT’ cipher suites accepted by this service via the SSLv3 protocol:
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
‘RSA_EXPORT’ cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
Impact
Successful exploitation will allow remote attacker to downgrade the security of a session to use
‘RSA_EXPORT’ cipher suites, which are significantly weaker than non-export cipher suites.
This may allow a man-in-the-middle attacker to more easily break the encryption and monitor
or tamper with the encrypted stream.
Solution
Solution type: VendorFix
– Remove support for ‘RSA_EXPORT’ cipher suites from the service.
– If running OpenSSL update to version 0.9.8zd or 1.0.0p or 1.0.1k or later For updates refer …