
Scan Report


September 20, 2021

Summary

This document reports on the results of an automatic security scan. All dates are displayed using the timezone "Coordinated Universal Time", which is abbreviated "UTC". The task was "Robert.Harshberger.20 Sept 2021". The scan started at and ended at . The report first summarises the results found. Then, for each host, the report describes every issue found. Please consider the advice given in each description, in order to rectify the issue.

Contents

1 Result Overview
  1.1 Host Authentications
2 Results per Host
  2.1 172.17.1.1
    2.1.1 High 22/tcp
    2.1.2 Medium 80/tcp
    2.1.3 Low general/tcp
  2.2 172.17.1.7
    2.2.1 High 3632/tcp
    2.2.2 High 5432/tcp
    2.2.3 High 80/tcp
    2.2.4 High 6200/tcp
    2.2.5 High 21/tcp
    2.2.6 High 512/tcp
    2.2.7 High 1524/tcp
    2.2.8 High general/tcp
    2.2.9 Medium 445/tcp
    2.2.10 Medium 25/tcp
    2.2.11 Medium 5432/tcp
    2.2.12 Medium 80/tcp
    2.2.13 Medium 21/tcp
    2.2.14 Medium 22/tcp
    2.2.15 Medium 6667/tcp
    2.2.16 Low 22/tcp
    2.2.17 Low general/tcp

2 RESULTS PER HOST 3

1 Result Overview

Host         High  Medium  Low  Log  False Positive
172.17.1.1      1       2    1    0               0
172.17.1.7     11      28    2    0               0
Total: 2       12      30    3    0               0

Vendor security updates are not trusted.
Overrides are on. When a result has an override, this report uses the threat of the override.
Information on overrides is included in the report.
Notes are included in the report.
This report might not show details of all issues that were found.
It only lists hosts that produced issues.
Issues with the threat level "Log" are not shown.
Issues with the threat level "Debug" are not shown.
Issues with the threat level "False Positive" are not shown.
Only results with a minimum QoD of 70 are shown.

This report contains all 45 results selected by the filtering described above. Before filtering there were 360 results.

1.1 Host Authentications

Host Protocol Result Port/User

172.17.1.7 SMB Success Protocol SMB, Port 445, User

2 Results per Host

2.1 172.17.1.1

Host scan start
Host scan end

Service (Port) Threat Level

22/tcp High
80/tcp Medium
general/tcp Low

2.1.1 High 22/tcp


High (CVSS: 10.0)
NVT: pfSense Default SSH Credentials

Summary
pfSense is prone to a default account authentication bypass vulnerability via SSH.

Vulnerability Detection Result
It was possible to login to pfSense via SSH with the following credentials:

Username: “admin”, Password: “pfsense”

Username: “root”, Password: “pfsense”

It was also possible to execute “cat /etc/passwd” as “admin”. Result:

root:*:0:0:Charlie &:/root:/bin/sh

It was also possible to execute “cat /etc/passwd” as “root”. Result:

root:*:0:0:Charlie &:/root:/bin/sh

Impact
This issue may be exploited by a remote attacker to gain access to sensitive information or modify the system configuration.

Solution
Solution type: Mitigation
Change the password.

Vulnerability Detection Method
Try to login with known credentials.
Details: pfSense Default SSH Credentials
OID:1.3.6.1.4.1.25623.1.0.112123
Version used: $Revision: 11747 $

References
Other:

URL:https://www.question-defense.com/2012/11/19/pfsense-default-login

URL:https://doc.pfsense.org/index.php/HOWTO_enable_SSH_access

[ return to 172.17.1.1 ]

2.1.2 Medium 80/tcp

Medium (CVSS: 5.0)
NVT: Missing `httpOnly` Cookie Attribute

Summary
The application is missing the 'httpOnly' cookie attribute.

Vulnerability Detection Result
The cookies:

Set-Cookie: __csrf_cookie=c38c99d9374ec49b38670991bbdfc0566f50b1c8

are missing the “httpOnly” attribute.

Solution
Solution type: Mitigation
Set the ‘httpOnly’ attribute for any session cookie.

Affected Software/OS
Application with session handling in cookies.

Vulnerability Insight
The flaw is due to a cookie not using the 'httpOnly' attribute. This allows the cookie to be accessed by JavaScript, which could lead to session hijacking attacks.

Vulnerability Detection Method
Check all cookies sent by the application for a missing ‘httpOnly’ attribute
Details: Missing `httpOnly` Cookie Attribute
OID:1.3.6.1.4.1.25623.1.0.105925
Version used: $Revision: 5270 $

References
Other:

URL:https://www.owasp.org/index.php/HttpOnly

URL:https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

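The check this NVT performs can be reproduced offline. The script below is an added example, not code from the scan report, from the scanner or from pfSense: it parses the Set-Cookie headers of one HTTP response and reports which of HttpOnly, Secure and SameSite each cookie lacks, which goes one step beyond the NVT's httpOnly-only check. The sample headers are constructed; the first one is copied from the finding above.

```python
"""Audit Set-Cookie headers for missing security attributes.

Added example, not part of the scan report or of pfSense. It reproduces
the kind of check behind the "Missing httpOnly Cookie Attribute" result,
extended to Secure and SameSite. The sample headers below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    missing: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header_value: str) -> tuple[str, dict[str, str | None]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure)
    map to None. The cookie value itself is discarded because the audit
    only needs the name and the attributes.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if "=" in part:
            k, v = part.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def audit_cookie(header_value: str, served_over_https: bool) -> CookieFinding:
    """Report which hardening attributes one Set-Cookie header lacks.

    HttpOnly is always expected. Secure only matters when the page came
    over HTTPS; on a plain-HTTP page the cookie is exposed on the wire
    whatever its attributes, so "cleartext transport" is reported instead.
    SameSite must be present with a value browsers honour (Strict/Lax/None).
    """
    name, attrs = parse_set_cookie(header_value)
    finding = CookieFinding(name)
    if "httponly" not in attrs:
        finding.missing.append("HttpOnly")
    if served_over_https:
        if "secure" not in attrs:
            finding.missing.append("Secure")
    else:
        finding.missing.append("cleartext transport")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in {"strict", "lax", "none"}:
        finding.missing.append("SameSite")
    return finding


def audit_response(headers: list[tuple[str, str]], url: str) -> list[CookieFinding]:
    """Run audit_cookie over every Set-Cookie header of one HTTP response."""
    https = url.lower().startswith("https://")
    return [audit_cookie(value, https)
            for (name, value) in headers if name.lower() == "set-cookie"]


# Constructed sample: the first Set-Cookie is the one reported for
# 172.17.1.1; the other two are made up to show a clean and a partial case.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "__csrf_cookie=c38c99d9374ec49b38670991bbdfc0566f50b1c8"),
    ("Set-Cookie", "PHPSESSID=abc123; HttpOnly; Secure; SameSite=Lax; Path=/"),
    ("Set-Cookie", "prefs=dark; SameSite=Lax"),
]

if __name__ == "__main__":
    for f in audit_response(SAMPLE_HEADERS, "http://172.17.1.1/"):
        print(f.name, "OK" if f.ok else "missing: " + ", ".join(f.missing))
```

Before applying the scanner's fix to a cookie named like a CSRF token, confirm that the front end does not read it from script: a token deliberately exposed to JavaScript (double-submit pattern) is the one common case where adding HttpOnly breaks the application rather than hardening it.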
Medium (CVSS: 4.8)
NVT: Cleartext Transmission of Sensitive Information via HTTP

Summary
The host / application transmits sensitive information (username, passwords) in cleartext via
HTTP.

Vulnerability Detection Result
The following input fields were identified (URL:input name):

http://172.17.1.1/:passwordfld

Impact
An attacker could use this situation to compromise or eavesdrop on the HTTP communication
between the client and the server using a man-in-the-middle attack to get access to sensitive data
like usernames or passwords.

Solution
Solution type: Workaround
Enforce the transmission of sensitive data over an encrypted SSL/TLS connection. Additionally, make sure the host / application redirects all users to the secured SSL/TLS connection before allowing them to enter sensitive data into the mentioned functions.

Affected Software/OS
Hosts / applications which don't enforce the transmission of sensitive data over an encrypted SSL/TLS connection.

Vulnerability Detection Method
Evaluate previously collected information and check whether the host / application is not enforcing the transmission of sensitive data over an encrypted SSL/TLS connection.
The script is currently checking the following:
– HTTP Basic Authentication (Basic Auth)
– HTTP Forms (e.g. Login) with an input field of type 'password'
Details: Cleartext Transmission of Sensitive Information via HTTP
OID:1.3.6.1.4.1.25623.1.0.108440
Version used: $Revision: 10726 $

References
Other:

URL:https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
URL:https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure

URL:https://cwe.mitre.org/data/definitions/319.html
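The second of the two checks the NVT describes (a form with an input of type 'password' reachable over plain HTTP) is easy to model. The following is an added example, not code from the report, the scanner or pfSense. It parses the HTML of a page, resolves each form's action against the page URL, and reports every password field where either the page or the submit target uses http. The HTML is constructed to reproduce the 'passwordfld' finding above.

```python
"""Find login forms that would submit a password over cleartext HTTP.

Added example, not part of the scan report or of pfSense. It models the
"HTTP Forms with input field of type 'password'" check; the HTML below
is constructed.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, [(input type, input name), ...]) for every <form>."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: list[tuple[str, list[tuple[str, str]]]] = []
        self._current: list[tuple[str, str]] | None = None
        self._action = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
            self._current = []
        elif tag == "input" and self._current is not None:
            self._current.append(((a.get("type") or "text").lower(),
                                  a.get("name") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append((self._action, self._current))
            self._current = None


def cleartext_password_fields(page_url: str, html: str) -> list[str]:
    """Return 'URL:input name' entries for password fields exposed over HTTP.

    A field is reported when either the page carrying the form or the
    form's submit target is plain http. An https action alone does not
    help: if the form arrived over http, a man in the middle can rewrite
    the action before the user types anything.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings: list[str] = []
    page_http = urlsplit(page_url).scheme == "http"
    for action, inputs in parser.forms:
        target = urljoin(page_url, action) if action else page_url
        target_http = urlsplit(target).scheme == "http"
        if not (page_http or target_http):
            continue
        for itype, name in inputs:
            if itype == "password":
                findings.append(f"{page_url}:{name}")
    return findings


# Constructed page mirroring the report's finding on 172.17.1.1
# (input name 'passwordfld'); the markup is invented, not pfSense's.
LOGIN_PAGE = """
<form method="post" action="/index.php">
  <input name="usernamefld" type="text">
  <input name="passwordfld" type="password">
  <input type="submit" value="Login">
</form>
"""

if __name__ == "__main__":
    print(cleartext_password_fields("http://172.17.1.1/", LOGIN_PAGE))
    print(cleartext_password_fields("https://172.17.1.1/", LOGIN_PAGE))
```

The same page fetched over https produces no finding, which is the redirect-before-input behaviour the Solution asks for.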

[ return to 172.17.1.1 ]

2.1.3 Low general/tcp

Low (CVSS: 2.6)
NVT: TCP timestamps

Summary
The remote host implements TCP timestamps and therefore allows its uptime to be computed.

Vulnerability Detection Result
It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:

Packet 1: 3070193604

Packet 2: 755767017

Impact
A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution
Solution type: Mitigation
To disable TCP timestamps on Linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'.
Starting with Windows Server 2008 and Vista, the timestamp cannot be completely disabled. The default behavior of the TCP/IP stack on these systems is to not use the timestamp option when initiating TCP connections, but to use it if the TCP peer that is initiating communication includes it in its synchronize (SYN) segment.
See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

Affected Software/OS
TCP/IPv4 implementations that implement RFC1323.

Vulnerability Insight
The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method
Specially crafted IP packets are forged and sent with a small delay in between to the target IP. The responses are searched for timestamps. If found, the timestamps are reported.
Details: TCP timestamps
OID:1.3.6.1.4.1.25623.1.0.80091
Version used: $Revision: 10411 $

References
Other:

URL:http://www.ietf.org/rfc/rfc1323.txt
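The uptime computation this NVT alludes to, and the reason it only "sometimes" works, as an added example that is not part of the report or of the scanner: the difference of two timestamp samples taken a known delay apart gives the peer's tick rate, and the second sample divided by that rate gives the uptime. Run on the two values reported above for 172.17.1.1 the implied rate is absurd, so the function refuses to estimate; the second pair of samples is constructed to show the normal case. The plausibility bounds are an assumption chosen to cover the 1 Hz to 1000 Hz rates real stacks use.

```python
"""Estimate host uptime from two TCP timestamp samples (RFC 1323 / RFC 7323).

Added example, not part of the scan report. The scanner reports two
timestamp values taken a known delay apart; the tick rate follows from
their difference, and the uptime from dividing the second value by that
rate. The example also shows why the report's own samples from 172.17.1.1
cannot be turned into an uptime.
"""
from __future__ import annotations

TS_MOD = 2 ** 32               # TCP timestamps are 32-bit and wrap
MIN_HZ, MAX_HZ = 1.0, 1500.0   # assumption: real stacks tick at 1..1000 Hz, plus headroom


def tick_rate(ts1: int, ts2: int, delay_s: float) -> float:
    """Ticks per second implied by two samples taken delay_s apart.

    The subtraction is done modulo 2**32 so a single wraparound between
    the two probes is handled instead of producing a negative rate.
    """
    if delay_s <= 0:
        raise ValueError("delay must be positive")
    return ((ts2 - ts1) % TS_MOD) / delay_s


def estimate_uptime(ts1: int, ts2: int, delay_s: float) -> tuple[float, float] | None:
    """Return (tick_rate_hz, uptime_seconds), or None when the samples are unusable.

    None means the implied tick rate is outside the range any real TCP
    stack uses. That is what happens when the peer randomises the
    timestamp offset per connection: the two probes then come from
    different counters, and no uptime can be derived from them. Note that
    ts2 / hz is a lower bound once the 32-bit counter has wrapped.
    """
    hz = tick_rate(ts1, ts2, delay_s)
    if not MIN_HZ <= hz <= MAX_HZ:
        return None
    return hz, ts2 / hz


def describe(ts1: int, ts2: int, delay_s: float) -> str:
    result = estimate_uptime(ts1, ts2, delay_s)
    if result is None:
        return "timestamps inconsistent; uptime cannot be computed"
    hz, uptime = result
    return f"~{hz:.0f} Hz clock, uptime ~{uptime / 86400:.1f} days"


if __name__ == "__main__":
    # Samples exactly as reported for 172.17.1.1, 1 s apart
    print(describe(3070193604, 755767017, 1.0))
    # Constructed samples from a 1000 Hz stack, 1 s apart
    print(describe(123456700, 123457700, 1.0))
```

Two probes one second apart give a coarse rate; in practice a scanner takes them further apart or averages several, and rounds the result to a common tick rate before dividing.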

[ return to 172.17.1.1 ]

2.2 172.17.1.7

Host scan start
Host scan end

Service (Port) Threat Level

3632/tcp High
5432/tcp High
80/tcp High
6200/tcp High
21/tcp High
512/tcp High
1524/tcp High
general/tcp High
445/tcp Medium
25/tcp Medium
5432/tcp Medium
80/tcp Medium

21/tcp Medium
22/tcp Medium
6667/tcp Medium
22/tcp Low
general/tcp Low

2.2.1 High 3632/tcp

High (CVSS: 9.3)
NVT: DistCC Remote Code Execution Vulnerability

Summary
DistCC 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server
port, allows remote attackers to execute arbitrary commands via compilation jobs, which are
executed by the server without authorization checks.

Vulnerability Detection Result
It was possible to execute the “id” command.

Result: uid=1(daemon) gid=1(daemon)

Solution
Solution type: VendorFix
Vendor updates are available. Please see the references for more information.

Vulnerability Detection Method
Details: DistCC Remote Code Execution Vulnerability
OID:1.3.6.1.4.1.25623.1.0.103553
Version used: $Revision: 5120 $

References
CVE: CVE-2004-2687

Other:

URL:http://distcc.samba.org/security.html

URL:http://archives.neohapsis.com/archives/bugtraq/2005-03/0183.html

[ return to 172.17.1.7 ]

2.2.2 High 5432/tcp

High (CVSS: 9.0)
NVT: PostgreSQL weak password

Product detection result
cpe:/a:postgresql:postgresql:8.3.1

Detected by PostgreSQL Detection (OID: 1.3.6.1.4.1.25623.1.0.100151)

Summary
It was possible to login into the remote PostgreSQL as user postgres using weak credentials.

Vulnerability Detection Result
It was possible to login as user postgres with password “postgres”.

Solution
Solution type: Mitigation
Change the password as soon as possible.

Vulnerability Detection Method
Details: PostgreSQL weak password
OID:1.3.6.1.4.1.25623.1.0.103552
Version used: $Revision: 10312 $

Product Detection Result
Product: cpe:/a:postgresql:postgresql:8.3.1
Method: PostgreSQL Detection
OID: 1.3.6.1.4.1.25623.1.0.100151

[ return to 172.17.1.7 ]

2.2.3 High 80/tcp

High (CVSS: 10.0)
NVT: TWiki XSS and Command Execution Vulnerabilities

Product detection result
cpe:/a:twiki:twiki:01.Feb.2003

Detected by TWiki Version Detection (OID: 1.3.6.1.4.1.25623.1.0.800399)

Summary
The host is running TWiki and is prone to Cross-Site Scripting (XSS) and Command Execution
Vulnerabilities.

Vulnerability Detection Result
Installed version: 01.Feb.2003

Fixed version: 4.2.4

Impact
Successful exploitation could allow execution of arbitrary script code or commands. This could
let attackers steal cookie-based authentication credentials or compromise the affected application.
Impact Level: Application

Solution
Solution type: VendorFix
Upgrade to version 4.2.4 or later, http://twiki.org/cgi-bin/view/Codev/TWikiRelease04x02x04

Affected Software/OS
TWiki, TWiki versions prior to 4.2.4.

Vulnerability Insight
The flaws are due to:
– the %URLPARAM{}% variable not being properly sanitized, which lets attackers conduct cross-site scripting attacks;
– the %SEARCH{}% variable not being properly sanitised before being used in an eval() call, which lets attackers execute Perl code through an eval injection attack.

Vulnerability Detection Method
Details: TWiki XSS and Command Execution Vulnerabilities
OID:1.3.6.1.4.1.25623.1.0.800320
Version used: $Revision: 4227 $

Product Detection Result
Product: cpe:/a:twiki:twiki:01.Feb.2003
Method: TWiki Version Detection
OID: 1.3.6.1.4.1.25623.1.0.800399

References
CVE: CVE-2008-5304, CVE-2008-5305

BID:32668, 32669

Other:

URL:http://twiki.org/cgi-bin/view/Codev.SecurityAlert-CVE-2008-5304

URL:http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305

High (CVSS: 7.5)
NVT: phpinfo() output accessible

Summary
Many PHP installation tutorials instruct the user to create a file called phpinfo.php or similar containing the phpinfo() statement. Such a file is often left in the webserver directory after the installation is complete.

Vulnerability Detection Result
The following files are calling the function phpinfo() which disclose potentially sensitive information:
http://172.17.1.7/mutillidae/phpinfo.php

http://172.17.1.7/phpinfo.php

Impact
Some of the information that can be gathered from this file includes:
the username of the user who installed PHP, whether they are a sudo user, the IP address of the host, the web server version, the system version (Unix / Linux), and the root directory of the web server.

Solution
Solution type: Workaround
Delete them or restrict access to the listed files.

Vulnerability Detection Method
Details: phpinfo() output accessible
OID:1.3.6.1.4.1.25623.1.0.11229
Version used: $Revision: 11558 $

High (CVSS: 7.5)
NVT: PHP-CGI-based setups vulnerability when parsing query string parameters from php files.

Summary
PHP is prone to an information-disclosure vulnerability.

Vulnerability Detection Result
Vulnerable url: http://172.17.1.7/cgi-bin/php

Impact
Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer. Other attacks are also possible.

Solution
Solution type: VendorFix
PHP has released version 5.4.3 and 5.3.13 to address this vulnerability. PHP is recommending
that users upgrade to the latest version of PHP.

Vulnerability Insight
When PHP is used in a CGI-based setup (such as Apache’s mod_cgid), the php-cgi receives
a processed query string parameter as command line arguments which allows command-line
switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to
disclose source code and obtain arbitrary code execution.
An example of the -s command, allowing an attacker to view the source code of index.php is
below:
http://localhost/index.php?-s

Vulnerability Detection Method
Details: PHP-CGI-based setups vulnerability when parsing query string parameters from ph...
OID:1.3.6.1.4.1.25623.1.0.103482
Version used: $Revision: 11457 $

References
CVE: CVE-2012-1823, CVE-2012-2311, CVE-2012-2336, CVE-2012-2335

BID:53388

Other:

URL:http://www.h-online.com/open/news/item/Critical-open-hole-in-PHP-creates-risks-Update-1567532.html
URL:http://www.kb.cert.org/vuls/id/520827

URL:http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

URL:https://bugs.php.net/bug.php?id=61910

URL:http://www.php.net/manual/en/security.cgi-bin.php

URL:http://www.securityfocus.com/bid/53388
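The mechanism described under Vulnerability Insight is the CGI rule of RFC 3875 section 4.4: a query string with no unencoded '=' is split on '+', URL-decoded and handed to the CGI program as its argv, so '?-s' reaches php-cgi as the switch -s. The following is an added example, not code from the report, from PHP or from the scanner. It models that rule, lists the switches an attacker controls for a given query string, and re-implements the interim Apache mod_rewrite condition that circulated before the 5.3.13/5.4.3 fix so the two can be compared; the exact rewrite pattern is an assumption, not something the report states.

```python
"""Model the CGI rule that turned ?-s into a php-cgi command-line switch.

Added example, not part of the scan report or of PHP. RFC 3875 section 4.4
says that when the query string contains no unencoded '=', the server
splits it on '+', URL-decodes the pieces and passes them to the CGI
program as command-line arguments. php-cgi then treated arguments such as
-s (dump source) or -d (set an ini directive) as its own switches, which
is the behaviour behind CVE-2012-1823.
"""
from __future__ import annotations

import re
from urllib.parse import unquote


def cgi_argv_from_query(query: str) -> list[str]:
    """Command-line arguments a CGI wrapper derives from a query string.

    Returns [] when the query string contains an unencoded '=', because
    the server then treats it as form data and passes no arguments.
    """
    if query == "" or "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+")]


def dangerous_php_cgi_switches(query: str) -> list[str]:
    """Arguments php-cgi would parse as its own switches (-s, -d, -c, ...)."""
    return [arg for arg in cgi_argv_from_query(query) if arg.startswith("-")]


# Interim mitigation that was published for Apache before the PHP fix
# (assumed form; quoted here so the Python below can mirror it):
#   RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
#   RewriteRule ^ - [F]
_REWRITE_COND = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)


def apache_interim_filter_blocks(query: str) -> bool:
    """True if the interim mod_rewrite rule would answer 403 for this query.

    The regex only inspects the leading argument, so it is narrower than
    cgi_argv_from_query: a switch that is not the first '+'-separated
    piece passes the filter but still reaches php-cgi. That gap is one
    reason the scanner's Solution is the vendor fix, not a filter.
    """
    return bool(_REWRITE_COND.match(query))


# Constructed sample queries; the first is the report's own example.
SAMPLES = ["-s", "%2ds", "-d+allow_url_include%3d1", "foo+-s", "id=1&page=-s", ""]

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"?{q!r:30} argv={cgi_argv_from_query(q)!r:40} "
              f"switches={dangerous_php_cgi_switches(q)} "
              f"filtered={apache_interim_filter_blocks(q)}")
```

Note how '%2ds' decodes to '-s' only after the split, and how 'allow_url_include%3d1' keeps its encoded '=' so the whole query still counts as argument-style: both are why a naive "does it start with a dash" filter is not equivalent to the fix.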

High (CVSS: 7.5)
NVT: Test HTTP dangerous methods

Summary
Misconfigured web servers allow remote clients to perform dangerous HTTP methods such as PUT and DELETE. This script checks if they are enabled and can be misused to upload or delete files.

Vulnerability Detection Result
We could upload the following files via the PUT method at this web server:

http://172.17.1.7/dav/puttest1443372832.html

We could delete the following files via the DELETE method at this web server:

http://172.17.1.7/dav/puttest1443372832.html

Impact
– Enabled PUT method: This might allow an attacker to upload and run arbitrary code on this
web server.
– Enabled DELETE method: This might allow an attacker to delete additional files on this web
server.

Solution
Solution type: Mitigation
Use access restrictions to these dangerous HTTP methods or disable them completely.

Vulnerability Detection Method
Details: Test HTTP dangerous methods
OID:1.3.6.1.4.1.25623.1.0.10498
Version used: $Revision: 9335 $

References
BID:12141

Other:

OWASP:OWASP-CM-001

[ return to 172.17.1.7 ]

2.2.4 High 6200/tcp

High (CVSS: 7.5)
NVT: vsftpd Compromised Source Packages Backdoor Vulnerability

Summary
vsftpd is prone to a backdoor vulnerability.

Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.

Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected application.

Solution
Solution type: VendorFix
The repaired package can be downloaded from https://security.appspot.com/vsftpd.html. Please
validate the package with its signature.

Affected Software/OS
The vsftpd 2.3.4 source package is affected.

Vulnerability Detection Method
Details: vsftpd Compromised Source Packages Backdoor Vulnerability
OID:1.3.6.1.4.1.25623.1.0.103185
Version used: $Revision: 5026 $

References
BID:48539

Other:

URL:http://www.securityfocus.com/bid/48539

URL:http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
URL:https://security.appspot.com/vsftpd.html

[ return to 172.17.1.7 ]

2.2.5 High 21/tcp


High (CVSS: 7.5)
NVT: vsftpd Compromised Source Packages Backdoor Vulnerability

Summary
vsftpd is prone to a backdoor vulnerability.

Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.

Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected application.

Solution
Solution type: VendorFix
The repaired package can be downloaded from https://security.appspot.com/vsftpd.html. Please
validate the package with its signature.

Affected Software/OS
The vsftpd 2.3.4 source package is affected.

Vulnerability Detection Method
Details: vsftpd Compromised Source Packages Backdoor Vulnerability
OID:1.3.6.1.4.1.25623.1.0.103185
Version used: $Revision: 5026 $

References
BID:48539

Other:

URL:http://www.securityfocus.com/bid/48539

URL:http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
URL:https://security.appspot.com/vsftpd.html

[ return to 172.17.1.7 ]

2.2.6 High 512/tcp

High (CVSS: 10.0)
NVT: Check for rexecd Service

Summary
The rexecd service is running on this host. Rexecd (Remote Process Execution) has the same kind of functionality as rsh: you can execute shell commands on a remote computer.
The main difference is that rexecd authenticates by reading the username and password *unencrypted* from the socket.


Vulnerability Detection Result
The rexec service is not allowing connections from this host.

Solution
Solution type: Mitigation
Disable rexec Service.

Vulnerability Detection Method
Details: Check for rexecd Service
OID:1.3.6.1.4.1.25623.1.0.100111
Version used: $Revision: 6849 $

References
Other:

URL:https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0618

[ return to 172.17.1.7 ]

2.2.7 High 1524/tcp

High (CVSS: 10.0)
NVT: Possible Backdoor: Ingreslock

Summary
A backdoor is installed on the remote host

Vulnerability Detection Result
The service is answering to an 'id;' command with the following response: uid=0(root) gid=0(root)

Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected system.

Solution
Solution type: Workaround

Vulnerability Detection Method
Details: Possible Backdoor: Ingreslock
OID:1.3.6.1.4.1.25623.1.0.103549
Version used: $Revision: 11327 $

[ return to 172.17.1.7 ]


2.2.8 High general/tcp

High (CVSS: 10.0)
NVT: OS End Of Life Detection

Product detection result
cpe:/o:canonical:ubuntu_linux:8.04

Detected by OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)

Summary
OS End Of Life Detection
The Operating System on the remote host has reached the end of life and should not be used
anymore.

Vulnerability Detection Result
The “Ubuntu” Operating System on the remote host has reached the end of life.

CPE: cpe:/o:canonical:ubuntu_linux:8.04

Installed version, build or SP: 8.04

EOL date: 2013-05-09

EOL info: https://wiki.ubuntu.com/Releases

Solution
Solution type: Mitigation

Vulnerability Detection Method
Details: OS End Of Life Detection
OID:1.3.6.1.4.1.25623.1.0.103674
Version used: $Revision: 8927 $

Product Detection Result
Product: cpe:/o:canonical:ubuntu_linux:8.04
Method: OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937

[ return to 172.17.1.7 ]

2.2.9 Medium 445/tcp

Medium (CVSS: 6.0)
NVT: Samba MS-RPC Remote Shell Command Execution Vulnerability (Active Check)

Product detection result
cpe:/a:samba:samba:3.0.20

Detected by SMB NativeLanMan (OID: 1.3.6.1.4.1.25623.1.0.102011)

Summary
Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands
because the software fails to sanitize user-supplied input.

Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.

Impact
An attacker may leverage this issue to execute arbitrary shell commands on an affected system
with the privileges of the application.

Solution
Solution type: VendorFix
Updates are available. Please see the referenced vendor advisory.

Affected Software/OS
This issue a�ects Samba 3.0.0 to 3.0.25rc3.

Vulnerability Detection Method
Send a crafted command to the samba server and check for a remote command execution.
Details: Samba MS-RPC Remote Shell Command Execution Vulnerability (Active Check)
OID:1.3.6.1.4.1.25623.1.0.108011
Version used: $Revision: 10398 $

Product Detection Result
Product: cpe:/a:samba:samba:3.0.20
Method: SMB NativeLanMan
OID: 1.3.6.1.4.1.25623.1.0.102011

References
CVE: CVE-2007-2447

BID:23972

Other:

URL:http://www.securityfocus.com/bid/23972

URL:https://www.samba.org/samba/security/CVE-2007-2447.html

[ return to 172.17.1.7 ]

2.2.10 Medium 25/tcp


Medium (CVSS: 6.8)
NVT: Multiple Vendors STARTTLS Implementation Plaintext Arbitrary Command Injection
Vulnerability

Summary
Multiple vendors’ implementations of STARTTLS are prone to a vulnerability that lets attackers
inject arbitrary commands.

Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.

Impact
An attacker can exploit this issue to execute arbitrary commands in the context of the user
running the application. Successful exploits can allow attackers to obtain email usernames and
passwords.

Solution
Solution type: VendorFix
Updates are available.

Affected Software/OS
The following vendors are a�ected:
Ipswitch
Kerio
Postfix
Qmail-TLS
Oracle
SCO Group
spamdyke
ISC

Vulnerability Detection Method
Send a special crafted STARTTLS request and check the response.
Details: Multiple Vendors STARTTLS Implementation Plaintext Arbitrary Command Injection ...
OID:1.3.6.1.4.1.25623.1.0.103935
Version used: $Revision: 11196 $

References
CVE: CVE-2011-0411, CVE-2011-1430, CVE-2011-1431, CVE-2011-1432, CVE-2011-1506, CVE-2011-1575, CVE-2011-1926, CVE-2011-2165
BID:46767

Other:

URL:http://www.securityfocus.com/bid/46767

URL:http://kolab.org/pipermail/kolab-announce/2011/000101.html

URL:http://bugzilla.cyrusimap.org/show_bug.cgi?id=3424

URL:http://cyrusimap.org/mediawiki/index.php/Bugs_Resolved_in_2.4.7

URL:http://www.kb.cert.org/vuls/id/MAPG-8D9M4P

URL:http://files.kolab.org/server/release/kolab-server-2.3.2/sources/release-notes.txt
URL:http://www.postfix.org/CVE-2011-0411.html

URL:http://www.pureftpd.org/project/pure-ftpd/news

URL:http://www.watchguard.com/support/release-notes/xcs/9/en-US/EN_ReleaseNotes_XCS_9_1_1/EN_ReleaseNotes_WG_XCS_9_1_TLS_Hotfix.pdf
URL:http://www.spamdyke.org/documentation/Changelog.txt

URL:http://datatracker.ietf.org/doc/draft-josefsson-kerberos5-starttls/?include_text=1
URL:http://www.securityfocus.com/archive/1/516901

URL:http://support.avaya.com/css/P8/documents/100134676

URL:http://support.avaya.com/css/P8/documents/100141041

URL:http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

URL:http://inoa.net/qmail-tls/vu555316.patch

URL:http://www.kb.cert.org/vuls/id/555316
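The "specially crafted STARTTLS request" the detection method mentions is a single TCP segment that carries STARTTLS followed by further plaintext commands. A vulnerable server buffers the trailing bytes, negotiates TLS, and then executes them as if the client had sent them inside the encrypted session; the fix is to discard the input buffer at the moment of the upgrade. The simulation below is an added example, not code from the report, the scanner or any of the listed vendors: it implements both behaviours behind one flag and records on which channel each command was executed. No TLS handshake is performed; the upgrade is modelled as a state change so the example runs offline, and the client segment is constructed.

```python
"""Simulate the STARTTLS plaintext command injection (CVE-2011-0411 family).

Added example, not part of the scan report or of any listed vendor's code.
Both server variants below read from one input buffer. The vulnerable one
keeps whatever plaintext followed the STARTTLS line and executes it after
the TLS handshake, as though the client had sent it encrypted. The fixed
one discards the buffer when it switches to TLS. No real TLS is involved;
the 'handshake' is a state change.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SmtpServer:
    flush_on_starttls: bool
    encrypted: bool = False
    buffer: bytes = b""
    log: list[tuple[str, str]] = field(default_factory=list)   # (verb, channel)
    replies: list[bytes] = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        """Bytes as they arrive in one TCP segment from the client."""
        self.buffer += data
        self._process()

    def _process(self) -> None:
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            cmd = line.decode("ascii", "replace").strip()
            channel = "tls" if self.encrypted else "plain"
            self.log.append((cmd.upper().split(" ")[0], channel))
            if cmd.upper() == "STARTTLS" and not self.encrypted:
                self.replies.append(b"220 Ready to start TLS\r\n")
                self.encrypted = True          # in reality the handshake runs here
                if self.flush_on_starttls:
                    self.buffer = b""          # the fix: drop plaintext leftovers
                return                         # anything left waits for the handshake
            self.replies.append(b"250 OK\r\n")

    def handshake_done(self) -> None:
        """Called once the TLS handshake completes; resume reading."""
        self._process()


# Constructed client segment: a legitimate EHLO and STARTTLS, then two
# commands an attacker in the path appends in the same plaintext segment.
CLIENT_SEGMENT = b"EHLO attacker\r\nSTARTTLS\r\nRSET\r\nMAIL FROM:<a@b>\r\n"


def injected_commands(server: SmtpServer, segment: bytes) -> list[str]:
    """Verbs executed on the 'tls' channel after feeding only plaintext.

    Because nothing is sent after the handshake in this simulation, every
    command the server attributes to TLS was in fact injected in the clear.
    """
    server.feed(segment)
    server.handshake_done()
    return [verb for verb, channel in server.log if channel == "tls"]


if __name__ == "__main__":
    print("vulnerable:", injected_commands(SmtpServer(flush_on_starttls=False), CLIENT_SEGMENT))
    print("fixed:     ", injected_commands(SmtpServer(flush_on_starttls=True), CLIENT_SEGMENT))
```

The vulnerable variant reports RSET and MAIL as TLS-channel commands; the fixed one reports none and only ever answered EHLO and STARTTLS. The same buffer-discard rule applies to every STARTTLS-capable protocol (IMAP, POP3, FTP AUTH TLS), which is why the advisory spans so many vendors.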

Medium (CVSS: 5.0)
NVT: SSL/TLS: Certificate Expired

Summary
The remote server's SSL/TLS certificate has already expired.

Vulnerability Detection Result
The certificate of the remote service expired on 2010-04-16 14:07:45.

Certificate details:

subject ...: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
subject alternative names (SAN):

None

issued by .: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
serial ….: 00FAF93A4C7FB6B9CC

valid from : 2010-03-17 14:07:45 UTC

valid until: 2010-04-16 14:07:45 UTC

fingerprint (SHA-1): ED093088706603BFD5DC237399B498DA2D4D31C6

fingerprint (SHA-256): E7A7FA0D63E457C7C4A59B38B70849C6A70BDA6F830C7AF1E32DEE436DE813CC

Solution
Solution type: Mitigation
Replace the SSL/TLS certificate with a new one.

Vulnerability Insight
This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the target and reports whether any have already expired.

Vulnerability Detection Method
Details: SSL/TLS: Certificate Expired
OID:1.3.6.1.4.1.25623.1.0.103955
Version used: $Revision: 11103 $

Medium (CVSS: 4.3)
NVT: SSL/TLS: RSA Temporary Key Handling ‘RSA_EXPORT’ Downgrade Issue (FREAK)

Summary
This host is accepting ‘RSA_EXPORT’ cipher suites and is prone to man in the middle attack.

Vulnerability Detection Result
‘RSA_EXPORT’ cipher suites accepted by this service via the SSLv3 protocol:

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

TLS_RSA_EXPORT_WITH_RC4_40_MD5

‘RSA_EXPORT’ cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

TLS_RSA_EXPORT_WITH_RC4_40_MD5

Impact
Successful exploitation will allow remote attacker to downgrade the security of a session to use
'RSA_EXPORT' cipher suites, which are significantly weaker than non-export cipher suites.
This may allow a man-in-the-middle attacker to more easily break the encryption and monitor
or tamper with the encrypted stream.

Solution
Solution type: VendorFix
– Remove support for ‘RSA_EXPORT’ cipher suites from the service.
– If running OpenSSL update to version 0.9.8zd or 1.0.0p or 1.0.1k or later For updates refer …
