rewritecond
Date: 2021-01-11
Audit Report
Metasploitable2 - Full Audit
Audited on August 20 2012
Reported on August 21 2012

1. Executive Summary

This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of your network. Access to this information by unauthorized personnel may allow them to compromise your network.

Site Name: metasploitable2
Start Time: August 20, 2012 16:04, EST
End Time: August 20, 2012 16:11, EST
Total Time: 6 minutes
Status: Success

There is not enough historical data to display overall asset trend.

The audit was performed on one system which was found to be active and was scanned.

There were 135 vulnerabilities found during this scan. Of these, 38 were critical vulnerabilities. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 85 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems. There were 12 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

There were 2 occurrences of the cifs-samba-ms-rpc-bof, cifs-samba-nmbd-getdc-mailslot-bof, cifs-samba-reply-netbios-packet-bof, cifs-samba-send-mailslot-bof, cifs-samba-afs-filesystem-acl-mapping-bof, cifs-samba-receive-smb-raw-bof, cifs-samba-file-renaming-dos, cifs-smb-signing-disabled, cifs-samba-shell-command-injection-vuln and cifs-smb-signing-not-required vulnerabilities, making them the most common vulnerabilities. There were 53 vulnerabilities in the Web category, making it the most common vulnerability category.

The cifs-samba-ms-rpc-bof vulnerability poses the highest risk to the organization with a risk score of 450. Vulnerability risk scores are calculated by looking at the likelihood of attack and impact, based upon CVSS metrics. The impact and likelihood are then multiplied by the number of instances of the vulnerability to come up with the final risk score.

One operating system was identified during this scan. There were 22 services found to be running during this scan. The CIFS, CIFS Name Service, DNS, DNS-TCP, FTP, HTTP, MySQL, NFS and NFS lockd services were found on 1 systems, making them the most common services. The HTTP service was found to have the most vulnerabilities during this scan with 69 vulnerabilities.
2. Discovered Systems

Node: 192.168.56.3
Operating System: Ubuntu Linux 8.04
Risk: 55,660
Aliases: METASPLOITABLE, metasploitable.localdomain
3. Discovered and Potential Vulnerabilities

3.1. Critical Vulnerabilities

3.1.1. Apache HTTPD: APR apr_palloc heap overflow (CVE-2009-2412) (apache-httpd-cve-2009-2412)

Description: The affected asset is vulnerable to this vulnerability ONLY if a non-Apache application can be passed unsanitized user-provided sizes to the apr_palloc() function. Review your Web server configuration for validation. A flaw in apr_palloc() in the bundled copy of APR could cause heap overflows in programs that try to apr_palloc() a user controlled size. The Apache HTTP Server itself does not pass unsanitized user-provided sizes to this function, so it could only be triggered through some other application which uses apr_palloc() in a vulnerable way.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2009-11-09-1; BID: 35949; CVE: CVE-2009-2412; OSVDB: 56765, 56766; OVAL: OVAL8394, OVAL9958; SECUNIA: 36138, 36140, 36166, 36233, 37152, 37221; SUSE: SUSE-SA:2009:050; URL: http://httpd.apache.org/security/vulnerabilities_20.html; URL: http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution: Apache >= 2.0 and =2.2 and 84:85:82: ...

3.1.2. [image: The Tomcat Servlet/JSP Container]

References (Source: Reference): BID: 38084; CVE: CVE-2009-3843, CVE-2010-0557; OSVDB: 60317, 62118; SECUNIA: 37444, 38457; XF: operations-manager-unspecified-sec-bypass(54361)

Vulnerability Solution: The Tomcat service has an administrator account set to a default configuration. This can be easily changed in conf/tomcat-users.xml.

3.1.3. Samba NDR Parsing Heap Overflow Vulnerability (cifs-samba-ms-rpc-bof)

Description: Samba's NDR parsing code is vulnerable to multiple heap overflows via crafted MS-RPC requests such as "DFSEnum," "RFNPCNEX," "LsarAddPrivilegesToAccount," "NetSetFileSecurity," and "LsarLookupSids/LsarLookupSids2." Successful exploitation allows an unauthenticated attacker to execute arbitrary commands as root.

Affected Nodes / Additional Information:
192.168.56.3:139 - Running vulnerable CIFS service: Samba 3.0.20-Debian.
192.168.56.3:445 - Running vulnerable CIFS service: Samba 3.0.20-Debian.

References (Source: Reference): APPLE: APPLE-SA-2007-07-31; BID: 23973, 24195, 24196, 24197, 24198, 25159; CERT-VN: 773720; CVE: CVE-2007-2446; DEBIAN: DSA-1291; OSVDB: 34732; OVAL: OVAL11415; REDHAT: RHSA-2007:0354; SECUNIA: 25232, 25241, 25246, 25251, 25255, 25256, 25257, 25259, 25270, 25289, 25567, 25675, 25772, 26235, 26909, 27706, 28292; SUSE: SUSE-SA:2007:031; URL: http://samba.org/samba/security/CVE-2007-2446.html; XF: samba-lsaioprivilegeset-bo(34309), samba-lsaiotransnames-bo(34316), samba-netdfsiodfsenuminfod-bo(34311), samba-secioacl-bo(34314), samba-smbionotifyoptiontypedata-bo(34312)

Vulnerability Solution: Download and apply the upgrade from: http://us1.samba.org/samba/ftp/old-versions/samba-3.0.25.tar.gz

3.1.4. BIND libbind inet_network() Off By One Vulnerability (dns-bind-libbind-off-by-one-vuln)

Description: An off-by-one error in the inet_network function in libbind could allow context-dependent attackers to cause a denial of service and possibly execute arbitrary code via specially crafted input that triggers memory corruption.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References (Source: Reference): BID: 27283; CERT-VN: 203611; CVE: CVE-2008-0122; OVAL: OVAL10190; REDHAT: RHSA-2008:0300; SECUNIA: 28367, 28429, 28487, 28579, 29161, 29323, 30313, 30538, 30718; XF: freebsd-inetnetwork-bo(39670)

Vulnerability Solution:
Upgrade to BIND version 9.3.5. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.3.5/bind-9.3.5.tar.gz. Upgrade to the 9.3.5 version of ISC BIND, which was released on April 14, 2008. The source code and binaries for this release can be downloaded from bind's website.
Upgrade to BIND version 9.4.3. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.4.3/bind-9.4.3.tar.gz. Upgrade to the 9.4.3 version of ISC BIND, which was released on November 19, 2008. The source code and binaries for this release can be downloaded from bind's website.
Upgrade to BIND version 9.5.0. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.5.0/bind-9.5.0.tar.gz. Upgrade to the 9.5.0 version of ISC BIND, which was released on May 29, 2008. The source code and binaries for this release can be downloaded from bind's website.
3.1.5. PHP Multiple Vulnerabilities Fixed in version 5.2.12 (http-php-multiple-vulns-5-2-12)

Description: Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak (CVE-2009-3557). Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak (CVE-2009-3558). Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion (CVE-2009-4017). Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser (CVE-2009-4143). Fixed bug #49785 (insufficient input string validation of htmlspecialchars()) (CVE-2009-4142).

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2010-03-29-1; BID: 37389, 37390; CVE: CVE-2009-3557, CVE-2009-3558, CVE-2009-4017, CVE-2009-4142, CVE-2009-4143; DEBIAN: DSA-1940, DSA-2001; OVAL: OVAL10005, OVAL10483, OVAL6667, OVAL7085, OVAL7396, OVAL7439; SECUNIA: 37412, 37482, 37821, 38648, 40262, 41480, 41490; URL: http://www.php.net/ChangeLog-5.php#5.2.12; URL: http://www.php.net/releases/5_2_12.php; XF: php-multipart-formdata-dos(54455)

Vulnerability Solution: Download and apply the upgrade from: http://www.php.net/get/php-5.2.12.tar.gz/from/a/mirror. Upgrade to PHP v5.2.12 (released on December 17th, 2009).
3.1.6. PHP Multiple Vulnerabilities Fixed in version 5.2.6 (http-php-multiple-vulns-5-2-6)

Description: Certain versions of PHP ship with flawed implementations of the init_request_info() and escapeshellcmd() functions, the GENERATE_SEED macro, and FastCGI SAPI. The init_request_info() function does not properly calculate the length of PATH_TRANSLATED due to improper operator precedence handling. This could allow a remote attacker to execute arbitrary code via a crafted URI (CVE-2008-0599). The FastCGI SAPI contains a stack-based overflow of unknown impact and attack vector (CVE-2008-2050). The escapeshellcmd API function is vulnerable to an attack of unknown impact via a context-dependent attack (CVE-2008-2051). The GENERATE_SEED macro can produce a zero seed. This could allow a remote attacker to bypass protection mechanisms via subsequent values based on the initial seed (CVE-2008-2107, CVE-2008-2108).

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2008-07-31; BID: 29009; CVE: CVE-2008-2050, CVE-2008-2051, CVE-2008-2107, CVE-2008-2108; DEBIAN: DSA-1572, DSA-1578, DSA-1789; OVAL: OVAL10256, OVAL10644, OVAL10844; REDHAT: RHSA-2008:0505, RHSA-2008:0544, RHSA-2008:0545, RHSA-2008:0546, RHSA-2008:0582; SECUNIA: 30048, 30083, 30158, 30288, 30345, 30411, 30757, 30828, 30967, 31119, 31124, 31200, 31326, 35003; XF: php-fastcgisapi-bo(42133), php-generateseed-security-bypass(42284), php-generateseed-weak-security(42226)

Vulnerability Solution: Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.6.tar.gz. Upgrade to PHP v5.2.6.
3.1.7. PHP Multiple Vulnerabilities Fixed in version 5.2.8 (http-php-multiple-vulns-5-2-8)

Description: Certain versions of PHP ship with a vulnerable version of the PCRE library. This could allow a context-dependent attacker to cause a denial of service (crash) via a specially crafted regular expression (CVE-2008-2371). The imageloadfont() function could allow a context-dependent attacker to cause a denial of service (crash) via a crafted font file (CVE-2008-3658). The memnstr() function could allow a context-dependent attacker to cause a denial of service (crash) via the delimiter argument to the explode function (CVE-2008-3659). Certain versions of PHP, when used as a FastCGI module, could allow a remote attacker to cause a denial of service (crash) (CVE-2008-3660). Certain versions of PHP ship with a heap-based buffer overflow in the mbstring extension. This could allow context-dependent attackers to execute arbitrary code via a crafted string (CVE-2008-5557). The page_uid and page_gid global variables are not properly initialized for use by the SAPI php_getuid function. This could allow context-dependent attackers to bypass safe_mode restrictions via variable settings (CVE-2008-5624). Certain versions of PHP do not enforce the error_log safe_mode restrictions when safe_mode is enabled. This could allow context-dependent attackers to write to arbitrary files (CVE-2008-5625). The ZipArchive::extractTo function in certain versions of PHP contains a directory traversal vulnerability. This could allow context-dependent attackers to write arbitrary files via a specially crafted ZIP file (CVE-2008-5658). Certain versions of PHP ship with a flawed implementation of magic_quotes_gpc. This could allow context-dependent attackers to conduct SQL injection attacks (CVE-2008-5844).

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2008-10-09, APPLE-SA-2009-05-12; BID: 30087, 31681, 32383, 32625, 32673, 32688, 32948; CERT: TA09-133A; CVE: CVE-2008-2371, CVE-2008-5557, CVE-2008-5624, CVE-2008-5625, CVE-2008-5658, CVE-2008-5844; DEBIAN: DSA-1602, DSA-1789; OSVDB: 50480, 50483, 52205, 52207; OVAL: OVAL10286; REDHAT: RHSA-2009:0350; SECUNIA: 30916, 30944, 30945, 30958, 30961, 30967, 30972, 30990, 31200, 32222, 32454, 34642, 35003, 35074, 35306, 35650, 39300; URL: http://bugs.php.net/bug.php?id=42718; URL: http://bugs.php.net/bug.php?id=45722; URL: http://www.php.net/ChangeLog-5.php#5.2.8; XF: php-error-safemode-bypass(47314), php-getuid-safemode-bypass(47318), php-multibyte-bo(47525), php-ziparchive-directory-traversal(47079)

Vulnerability Solution: Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.8.tar.gz. Upgrade to PHP v5.2.8 (released on December 8th, 2008).
3.1.8. PHP Fixed security issue (php-fixed-security-issue)

Description: The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2008-07-31; BID: 29009; CERT-VN: 147027; CVE: CVE-2008-0599; OVAL: OVAL5510; REDHAT: RHSA-2008:0505; SECUNIA: 30048, 30083, 30345, 30616, 30757, 30828, 31200, 31326, 35650; XF: php-vector-unspecified(42137)

Vulnerability Solution: Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.6.tar.gz. Upgrade to PHP v5.2.6.
3.1.9. VNC password is "password" (vnc-password-password)

Description: The VNC server is using the password "password". This would allow anyone to log into the machine via VNC and take complete control.

Affected Nodes / Additional Information:
192.168.56.3:5900 - Running vulnerable VNC service. Successfully authenticated to the VNC service with credentials: uid[null] pw[password] realm[null]

References: None

Vulnerability Solution: Change the password to a stronger, unpredictable one.
3.1.10. Samba GETDC Mailslot Processing Buffer Overflow In Nmbd (cifs-samba-nmbd-getdc-mailslot-bof)

Description: Versions 3.0.0 through 3.0.26a (inclusive) of Samba, the Server Message Block protocol server, are vulnerable to what is believed to be a non-exploitable buffer overflow in nmbd during the processing of GETDC logon server requests. This code is only used when the Samba server is configured as a Primary or Backup Domain Controller.

Affected Nodes / Additional Information:
192.168.56.3:139 - Running vulnerable CIFS service: Samba 3.0.20-Debian.
192.168.56.3:445 - Running vulnerable CIFS service: Samba 3.0.20-Debian.

References (Source: Reference): APPLE: APPLE-SA-2007-12-17; BID: 26454; CERT: TA07-352A; CVE: CVE-2007-4572; DEBIAN: DSA-1409; OVAL: OVAL11132, OVAL5643; REDHAT: RHSA-2007:1013, RHSA-2007:1016, RHSA-2007:1017; SECUNIA: 27450, 27679, 27682, 27691, 27701, 27720, 27731, 27787, 27927, 28136, 28368, 29341, 30484, 30736, 30835; SUSE: SUSE-SA:2007:065; URL: http://samba.org/samba/security/CVE-2007-4572.html; XF: samba-nmbd-bo(38501)

Vulnerability Solution: Download and apply the upgrade from: http://us1.samba.org/samba/ftp/old-versions/samba-3.0.27.tar.gz

3.1.11. Samba 'reply_netbios_packet' Nmbd Buffer Overflow (cifs-samba-reply-netbios-packet-bof)

Description: Versions 3.0.0 through 3.0.26a (inclusive) of Samba, the Server Message Block protocol server, are vulnerable to a buffer overflow in reply_netbios_packet() in nmbd when processing multiple specially crafted WINS "Name Registration" requests followed by a WINS "Name Query" request. This could allow a remote attacker to execute arbitrary code.

Affected Nodes / Additional Information:
192.168.56.3:139 - Running vulnerable CIFS service: Samba 3.0.20-Debian.
192.168.56.3:445 - Running vulnerable CIFS service: Samba 3.0.20-Debian.

References (Source: Reference): APPLE: APPLE-SA-2007-12-17; BID: 26455; CERT: TA07-352A; CVE: CVE-2007-5398; DEBIAN: DSA-1409; OVAL: OVAL10230, OVAL5811; REDHAT: RHSA-2007:1013, RHSA-2007:1016, RHSA-2007:1017; SECUNIA: 27450, 27679, 27682, 27691, 27701, 27720, 27731, 27742, 27787, 27927, 28136, 28368, 29341, 30484, 30835; SUSE: SUSE-SA:2007:065; URL: http://samba.org/samba/security/CVE-2007-5398.html; URL: http://secunia.com/secunia_research/2007-90/advisory/; XF: samba-replynetbiospacket-bo(38502)

Vulnerability Solution: Download and apply the upgrade from: http://us1.samba.org/samba/ftp/old-versions/samba-3.0.27.tar.gz

3.1.12. Samba send_mailslot GETDC Buffer Overflow (cifs-samba-send-mailslot-bof)

Description: A buffer overflow within Samba's WINS server (nmbd) allows for the remote execution of arbitrary code. This defect is only exploitable when the "domain logons" parameter has been enabled in smb.conf. The vulnerability is exploited by sending a malformed domain logon packet with an overly long GETDC string, causing a stack-based buffer overflow.

Affected Nodes / Additional Information:
192.168.56.3:139 - Running vulnerable CIFS service: Samba 3.0.20-Debian.
192.168.56.3:445 - Running vulnerable CIFS service: Samba 3.0.20-Debian.

References (Source: Reference): APPLE: APPLE-SA-2008-02-11; BID: 26791; CERT: TA08-043B; CERT-VN: 438395; CVE: CVE-2007-6015; DEBIAN: DSA-1427; OVAL: OVAL11572, OVAL5605; REDHAT: RHSA-2007:1114, RHSA-2007:1117; SECUNIA: 27760, 27894, 27977, 27993, 27999, 28003, 28028, 28029, 28037, 28067, 28089, 28891, 29032, 29341, 30484, 30835; SUSE: SUSE-SA:2007:068; URL: http://secunia.com/advisories/27760/; URL: http://us1.samba.org/samba/security/CVE-2007-6015.html; XF: samba-sendmailslot-bo(38965)

Vulnerability Solution: Download and apply the upgrade from: http://us1.samba.org/samba/ftp/old-versions/samba-3.0.28.tar.gz

3.1.13. Handling of zero length rdata can cause named to terminate unexpectedly (dns-bind-cve-2012-1667)

Description: This problem was uncovered while testing with experimental DNS record types. It is possible to add records to BIND with null (zero length) rdata fields. Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered. This issue primarily affects recursive nameservers. Authoritative nameservers will only be impacted if an administrator configures experimental record types with no data. If the server is configured this way, then secondaries can crash on restart after transferring that zone. Zone data on the master can become corrupted if the zone with those records has named configured to manage the DNSSEC key rotation.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References (Source: Reference): CVE: CVE-2012-1667; IAVM: 2012-A-0106

Vulnerability Solution:
Upgrade to BIND version 9.6-ESV-R7-P1. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/cur/9.6/bind-9.6-ESV-R7-P1.tar.gz. Upgrade to the 9.6-ESV-R7-P1 version of ISC BIND, which was released on June 04, 2012. The source code and binaries for this release can be downloaded from bind's website.
Upgrade to BIND version 9.7.6-P1. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/cur/9.7/bind-9.7.6-P1.tar.gz. Upgrade to the 9.7.6-P1 version of ISC BIND, which was released on June 04, 2012. The source code and binaries for this release can be downloaded from bind's website.
Upgrade to BIND version 9.8.3-P1. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/cur/9.8/bind-9.8.3-P1.tar.gz. Upgrade to the 9.8.3-P1 version of ISC BIND, which was released on June 04, 2012. The source code and binaries for this release can be downloaded from bind's website.
Upgrade to BIND version 9.9.1-P1. Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/cur/9.9/bind-9.9.1-P1.tar.gz. Upgrade to the 9.9.1-P1 version of ISC BIND, which was released on June 04, 2012. The source code and binaries for this release can be downloaded from bind's website.
3.1.14. Obsolete ISC BIND installation (dns-bind-obsolete)

Description: ISC BIND 4 and earlier, 8 and earlier, as well as 9.4-ESV-R5 and earlier are considered obsolete. ISC will not fix security bugs in these versions (even critical ones). ISC BIND 9.5.2-P4, 9.6.0, 9.6.3 reached their end-of-life but continue to receive security fixes (only if critical, though). ISC BIND versions 9.7.6-P1, 9.8.3-P1, 9.9.1-P1 are the only ones actively maintained. It is strongly recommended that you upgrade your BIND installation to one of these versions.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References (Source: Reference): URL: http://www.isc.org/software/bind; URL: http://www.isc.org/software/bind/versions

Vulnerability Solution: Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.9.0b1/bind-9.9.0b1.tar.gz. The latest version of BIND is version 9.9.0b1, released on November 09, 2011.
3.1.15. MySQL dispatch_command() Multiple Format String Vulnerabilities (mysql-dispatch_command-multiple-format-string)

Description: Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request.

Affected Nodes / Additional Information:
192.168.56.3:3306 - Running vulnerable MySQL service: MySQL 5.0.51a.

References (Source: Reference): APPLE: APPLE-SA-2010-03-29-1; BID: 35609; CVE: CVE-2009-2446; OSVDB: 55734; OVAL: OVAL11857; REDHAT: RHSA-2010:0110; SECUNIA: 35767, 38517; XF: mysql-dispatchcommand-format-string(51614)

Vulnerability Solution: MySQL >= 5.0.0 and =2.2 and =2.0 and =2.2 and ...

... Local Policies -> Security Options -> Network access: Allow anonymous SID/Name translation: Disabled. Finally, reboot the machine. Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article 823659 for more information.

Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional: Disable NULL sessions.
Modify the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ with the following values:
Value Name: RestrictAnonymous, Data Type: REG_DWORD, Data Value: 1
Value Name: RestrictAnonymousSAM, Data Type: REG_DWORD, Data Value: 1
Value Name: EveryoneIncludesAnonymous, Data Type: REG_DWORD, Data Value: 0
Modify the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ with the following values:
Value Name: RestrictNullSessAccess, Data Type: REG_DWORD, Data Value: 1
Value Name: NullSessionPipes, Data Type: REG_MULTI_SZ, Data Value: "" (empty string, without quotes)
Open Local Security Settings, and disable the following setting: Security Settings -> Local Policies -> Security Options -> Network access: Allow anonymous SID/Name translation: Disabled. Finally, reboot the machine. Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server: Disable NULL sessions.
Modify the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ with the following value:
Value Name: RestrictAnonymous, Data Type: REG_DWORD, Data Value: 2
After modifying the registry, reboot the machine. Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

Microsoft Windows NT Server 4.0, Microsoft Windows NT Server, Enterprise Edition 4.0, Microsoft Windows NT Workstation 4.0: Install Microsoft service pack Windows NT 4 Service Pack 4. Download and apply the upgrade from: http://support.microsoft.com/sp

Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server, Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition: Disable NULL sessions.
Modify the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ with the following value:
Value Name: RestrictAnonymous, Data Type: REG_DWORD, Data Value: 1
After modifying the registry, reboot the machine. It is important to note that on Windows NT 4.0 systems, setting this registry entry will still leave the system open to various attacks, including brute-force enumeration of users and groups. A complete solution for Windows NT 4.0 systems is not available.

Samba on Linux: Restrict anonymous access. To restrict anonymous access to Samba, modify your "smb.conf" settings as follows:
guest account = nobody
restrict anonymous = 1
Note: Make sure you do NOT list a user "nobody" in your password file.

Novell NetWare (Novell Netware CIFS): As of May 9, 2007 Novell Netware CIFS does not provide a workaround for this vulnerability.
3.1.21. Samba AFS Filesystem ACL Mapping Format String Vulnerability (cifs-samba-afs-filesystem-acl-mapping-bof)

Description: Certain versions of Samba are vulnerable to a format string condition when handling ACL mapping operations on AFS filesystems. Successful exploitation allows an authenticated attacker with write access to an AFS share to execute arbitrary code as the root user.

Affected Nodes / Additional Information:
192.168.56.3:139 - Running vulnerable CIFS service: Samba 3.0.20-Debian.
192.168.56.3:445 - Running vulnerable CIFS service: Samba 3.0.20-Debian.

References (Source: Reference): BID: 22403; CERT-VN: 649732; CVE: CVE-2007-0454; DEBIAN: DSA-1257; OSVDB: 33101; SECUNIA: 24021, 24046, 24060, 24067, 24101, 24145, 24151; URL: http://samba.org/samba/security/CVE-2007-0454.html; XF: samba-afsacl-format-string(32304)

Vulnerability Solution: Download and apply the upgrade from: http://us1.samba.org/samba/ftp/old-versions/samba-3.0.24.tar.gz

3.1.22. Samba receive_smb_raw() Buffer Overflow (cifs-samba-receive-smb-raw-bof)

Description: Versions 3.0.0 through 3.0.29a (inclusive) of Samba, the Server Message Block protocol server, are vulnerable to a heap-based buffer overflow due to a calculation error in the receive_smb_raw() function. An attacker could construct a malicious SMB packet to exploit the vulnerability and execute arbitrary code under the context of the Samba server user.

Affected Nodes / Additional Information:
192.168.56.3:139 - Running vulnerable CIFS service: Samba 3.0.20-Debian.
192.168.56.3:445 - Running vulnerable CIFS service: Samba 3.0.20-Debian.

References (Source: Reference): APPLE: APPLE-SA-2008-06-30; BID: 29404, 31255; CVE: CVE-2008-1105; DEBIAN: DSA-1590; OVAL: OVAL10020, OVAL5733; REDHAT: RHSA-2008:0288, RHSA-2008:0289, RHSA-2008:0290; SECUNIA: 30228, 30385, 30396, 30442, 30449, 30478, 30489, 30543, 30736, 30802, 30835, 31246, 31911, 33696; SUSE: SUSE-SA:2008:026; URL: http://samba.org/samba/security/CVE-2008-1105.html; URL: http://secunia.com/secunia_research/2008-20/advisory/; XF: samba-receivesmbraw-bo(42664), xerox-controller-samba-code-execution(45251)

Vulnerability Solution: Download and apply the upgrade from: http://us1.samba.org/samba/ftp/old-versions/samba-3.0.30.tar.gz

3.1.23. PHP Multiple Vulnerabilities Fixed in version 5.2.11 (http-php-multiple-vulns-5-2-11)

Description: Fixed certificate validation inside php_openssl_apply_verification_policy (CVE-2009-3291). Added missing sanity checks around exif processing (CVE-2009-3292). Fixed sanity check for the color index in imagecolortransparent (CVE-2009-3293). Fixed bug #44683 (popen crashes when an invalid mode is passed).

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2009-11-09-1; CVE: CVE-2009-3291, CVE-2009-3292, CVE-2009-3293; DEBIAN: DSA-1940; OSVDB: 58185, 58186, 58187; OVAL: OVAL10438, OVAL7047, OVAL7394, OVAL7652, OVAL9982; SECUNIA: 36791, 37412, 37482, 40262; URL: http://bugs.php.net/44683; URL: http://www.php.net/ChangeLog-5.php#5.2.11; URL: http://www.php.net/releases/5_2_11.php; XF: php-certificate-unspecified(53334)

Vulnerability Solution: Download and apply the upgrade from: http://www.php.net/get/php-5.2.11.tar.gz/from/a/mirror. Upgrade to PHP v5.2.11 (released on September 16th, 2009).
3.1.24. PHP Multiple Vulnerabilities Fixed in version 5.2.13 (http-php-multiple-vulns-5-2-13)

Description: Improved LCG entropy (CVE-2010-1128). Fixed safe_mode validation inside tempnam() when the directory path does not end with a / (CVE-2010-1129). Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak (CVE-2010-1130).

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2010-08-24-1; BID: 38430, 38431; CVE: CVE-2010-1128, CVE-2010-1129, CVE-2010-1130; REDHAT: RHSA-2010:0919; SECUNIA: 38708, 40551, 42410; URL: http://www.php.net/ChangeLog-5.php#5.2.13; URL: http://www.php.net/releases/5_2_13.php

Vulnerability Solution: Download and apply the upgrade from: http://www.php.net/get/php-5.2.13.tar.gz/from/a/mirror. Upgrade to PHP v5.2.13 (released on February 25th, 2010).
3.1.25. PHP Upgraded PCRE to version 7.8 (http-php-multiple-vulns-5-2-7)

Description: Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and contains multiple branches.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2008-10-09, APPLE-SA-2009-05-12; BID: 30087, 31681; CERT: TA09-133A; CVE: CVE-2008-2371; DEBIAN: DSA-1602; SECUNIA: 30916, 30944, 30945, 30958, 30961, 30967, 30972, 30990, 31200, 32222, 32454, 35074, 35650, 39300

Vulnerability Solution: Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.7.tar.gz. Upgrade to PHP v5.2.7.
3.1.26. PHP Multiple Vulnerabilities Fixed in version 5.3.1 (http-php-multiple-vulns-5-3-1)

Description: Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion. Added missing sanity checks around exif processing. Fixed a safe_mode bypass in tempnam(). Fixed an open_basedir bypass in posix_mkfifo(). Fixed bug #50063 (safe_mode_include_dir fails).

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References (Source: Reference): APPLE: APPLE-SA-2009-11-09-1, APPLE-SA-2010-03-29-1; CVE: CVE-2009-3292, CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4017; DEBIAN: DSA-1940; OSVDB: 58186; OVAL: OVAL10483, OVAL6667, OVAL7396, OVAL7652, OVAL9982; SECUNIA: 36791, 37412, 37482, 37821, 40262, 41480, 41490; URL: http://www.php.net/ChangeLog-5.php#5.3.1; URL: http://www.php.net/releases/5_3_1.php; XF: php-multipart-formdata-dos(54455)

Vulnerability Solution: Download and apply the upgrade from: http://www.php.net/get/php-5.3.1.tar.gz/from/a/mirror. Upgrade to PHP v5.3.1 (released on November 19th, 2009).
3.1.27. MySQL default account: root/no password (mysql-default-account-root-nopassword)

Description: MySQL is installed with a default of no password on the root (superuser) account. The password on this account must be changed to prevent malicious users from logging into the MySQL database with superuser privileges.

Affected Nodes / Additional Information:
192.168.56.3:3306 - Running vulnerable MySQL service. Successfully authenticated to the MySQL service with credentials: uid[root] pw[] realm[mysql]

References (Source: Reference): BID: 5503; CVE: CVE-2002-1809; XF: mysql-default-root-access(9902)

Vulnerability Solution: The password should be changed to a non-default value. To change the password for the account, use the mysql command line tool to run the commands:

UPDATE user SET password=password('new-password') WHERE user='user-name';
FLUSH PRIVILEGES;

Where user-name should be replaced with the appropriate user name and new-password should be replaced with the new password.
3.
1.
28.
3.1.28. MySQL yaSSL CertDecoder::GetName Multiple Buffer Overflows (mysql-yassl-certdecodergetname-multiple-bofs)

Description: Multiple stack-based buffer overflows in the CertDecoder::GetName function in src/asn.cpp in TaoCrypt in yaSSL before 1.9.9, as used in mysqld in MySQL 5.0.x before 5.0.90, MySQL 5.1.x before 5.1.43, MySQL 5.5.x through 5.5.0-m2, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and daemon crash) by establishing an SSL connection and sending an X.509 client certificate with a crafted name field, as demonstrated by mysql_overflow1.py and the vd_mysql5 module in VulnDisco Pack Professional 8.11. The overflow occurs while the client certificate is parsed, before any MySQL authentication, so it is reachable by anyone who can open an SSL session to the port.

Affected Nodes / Additional Information:
192.168.56.3:3306 - Running vulnerable MySQL service: MySQL 5.0.51a.

References: BID 37640, BID 37943, BID 37974, CVE CVE-2009-4484, DEBIAN DSA-1997, OSVDB 61956, SECUNIA 37493, 38344, 38364, 38517, 38573, URL http://bugs.mysql.com/bug.php?id=50227, URL http://dev.mysql.com/doc/refman/5.0/en/news-5-0-90.html, URL http://dev.mysql.com/doc/refman/5.1/en/news-5-1-43.html, XF mysql-unspecified-bo(55416)

Vulnerability Solution: MySQL >= 5.0.0 and < 5.0.90: upgrade to MySQL 5.0.90. MySQL >= 5.1.0 and < 5.1.43: upgrade to MySQL 5.1.43. (The per-version download instructions were lost in extraction; the fixed versions are the ones named in the description.) If the server does not need SSL at all, starting mysqld without SSL support removes the exposure until the upgrade is done.

[Report pages 36 through 62 are absent from this extraction. What survives of the last entry on them is the tail of a solution for disabling the HTTP TRACE method:]

Sun ONE/iPlanet Web Server: add a TRACE-specific Client block to obj.conf (the block delimiters were lost in extraction and are restored here):
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length:-1" error="501"
</Client>
You must then restart the server for the changes to take effect. For Sun ONE/iPlanet Web Server prior to v6.0 SP2, follow the instructions provided in the 'Relief/Workaround' section of Sun's official advisory: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

Lotus Domino - Disable HTTP TRACE Method for Domino: follow IBM's instructions for disabling HTTP methods on the Domino server by adding the following line to the server's NOTES.INI file:
HTTPDisableMethods=TRACE
After saving NOTES.INI, restart the Notes web server by issuing the console command "tell http restart".
3.2.18. MySQL Bug #29801: Remote Federated Engine Crash (mysql-bug-29801-remote-federated-engine-crash)

Description: Versions of MySQL server before 5.0.52 and 5.1.23 suffer from a denial of service vulnerability via a flaw in the federated engine. On issuance of a command to a remote server (e.g., SHOW TABLE STATUS LIKE 'table'), the local federated server expects a query to contain fourteen columns. A response with fewer than fourteen columns causes the federated server to crash. The attacker in this scenario is the remote server that a FEDERATED table points at, so the exposure is limited to servers that consume federated tables from hosts they do not control.

Affected Nodes / Additional Information:
192.168.56.3:3306 - Running vulnerable MySQL service: MySQL 5.0.51a.

References: URL http://bugs.mysql.com/bug.php?id=29801

Vulnerability Solution: MySQL >= 5.0.0 and < 5.0.52: upgrade to MySQL 5.0.52. MySQL >= 5.1.0 and < 5.1.23: upgrade to MySQL 5.1.23. (The per-version download instructions were lost in extraction; the fixed versions are the ones named in the description.)

[Report pages 64 through 78 are absent from this extraction. What survives of the last entry on them is the tail of a "disable NULL sessions" solution for CIFS/SMB:]

... Open Local Security Settings, and disable the following setting: Security Settings -> Local Policies -> Security Options -> Network access: Allow anonymous SID/Name translation: Disabled. Finally, reboot the machine. Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article 823659 for more information.

Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional - Disable NULL sessions:
Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ with the following values:
  RestrictAnonymous (REG_DWORD) = 1
  RestrictAnonymousSAM (REG_DWORD) = 1
  EveryoneIncludesAnonymous (REG_DWORD) = 0
Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ with the following values:
  RestrictNullSessAccess (REG_DWORD) = 1
  NullSessionPipes (REG_MULTI_SZ) = "" (empty string, without quotes)
Open Local Security Settings, and disable the following setting: Security Settings -> Local Policies -> Security Options -> Network access: Allow anonymous SID/Name translation: Disabled. Finally, reboot the machine. Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

Microsoft Windows 2000 (Professional, Server, Advanced Server, Datacenter Server) - Disable NULL sessions:
Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ with the following value: RestrictAnonymous (REG_DWORD) = 2. After modifying the registry, reboot the machine. Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

Microsoft Windows NT Server 4.0, Microsoft Windows NT Server, Enterprise Edition 4.0, Microsoft Windows NT Workstation 4.0 - Install Microsoft service pack Windows NT 4 Service Pack 4: download and apply the upgrade from http://support.microsoft.com/sp

Microsoft Windows NT (Workstation, Server, Advanced Server, Server Enterprise Edition, Server Terminal Server Edition) - Disable NULL sessions:
Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ with the following value: RestrictAnonymous (REG_DWORD) = 1. After modifying the registry, reboot the machine. It is important to note that on Windows NT 4.0 systems, setting this registry entry will still leave the system open to various attacks, including brute-force enumeration of users and groups. A complete solution for Windows NT 4.0 systems is not available.

Samba on Linux - Restrict anonymous access: to restrict anonymous access to Samba, modify your "smb.conf" settings as follows:
guest account = nobody
restrict anonymous = 1
Note: make sure you do NOT list a user "nobody" in your password file. A value of 1 refuses anonymous (null-session) connections to the IPC$ share; restrict anonymous = 2 refuses anonymous connections to every share and is the stricter choice when nothing legitimately relies on guest access. Restart smbd after the change and re-test with an unauthenticated share listing.

Novell NetWare - Novell Netware CIFS: as of May 9, 2007, Novell Netware CIFS does not provide a workaround for this vulnerability.
3.2.34. Samba Connection Flooding Denial of Service Vulnerability (cifs-samba-connection-flooding-dos)

Description: Certain versions of Samba are vulnerable to a denial of service condition when handling multiple incoming connection requests. Successful exploitation allows an unauthenticated attacker to exhaust all available memory on the target system, causing the daemon to hang.

Affected Nodes / Additional Information:
192.168.56.3:139 - Running vulnerable CIFS service: Samba 3.0.20-Debian.
192.168.56.3:445 - Running vulnerable CIFS service: Samba 3.0.20-Debian.

References: APPLE APPLE-SA-2006-11-28, BID 18927, CERT TA06-333A, CERT-VN 313836, CVE CVE-2006-3403, DEBIAN DSA-1110, OVAL OVAL11355, REDHAT RHSA-2006:0591, SECUNIA 20980, 20983, 21018, 21019, 21046, 21086, 21143, 21159, 21187, 21190, 21262, 22875, 23155, SGI 20060703-01-P, URL http://samba.org/samba/security/CVE-2006-3403.html, XF samba-smbd-connection-dos(27648)

Vulnerability Solution: Download and apply the upgrade from http://us1.samba.org/samba/ftp/old-versions/samba-3.0.23.tar.gz (Samba 3.0.23 or later). The version string "3.0.20-Debian" is a distribution package version, and distributions backport security fixes without changing the upstream number, so check the package changelog against DSA-1110 before treating the banner alone as proof of exposure; on a distribution-managed host, the package update is the preferred fix rather than a source build.
3.2.35. Database Open Access (database-open-access)

Description: The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure authentication mechanisms.

Affected Nodes / Additional Information:
192.168.56.3:3306 - Running vulnerable MySQL service.
192.168.56.3:5432 - Running vulnerable Postgres service.

References: URL https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

Vulnerability Solution: Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the database in an internal network zone, segregated from the DMZ. On the host itself, bind the listener to loopback or to an internal interface (MySQL: the bind-address option in my.cnf; PostgreSQL: listen_addresses in postgresql.conf together with host rules in pg_hba.conf that name only the application hosts), and add host-firewall rules for the ports so that a later configuration change does not silently re-expose them. Note that on this host the finding combines with 3.1.27 (root with no password): network reachability plus a default credential is a full compromise of the data, not two moderate issues.
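An added check for this finding, not part of the Nexpose report, in Python: it parses `ss -lnt` output and lists database ports bound to a wildcard address instead of loopback, which is exactly what makes the two listeners above reachable from any host. The port table and the sample `ss` output are constructed for the example; `audit_live_host()` runs the real command on a Linux system.

```python
"""Flag database listeners bound to every interface.

Added example; not part of the Nexpose report. Parses `ss -lnt` output
(Linux) and reports each database port that is bound to a wildcard address
rather than loopback, which is what makes it reachable from remote hosts.
"""
import ipaddress
import subprocess

# Assumed port table; extend with whatever your estate runs.
DB_PORTS = {
    3306: "MySQL",
    5432: "PostgreSQL",
    1433: "MSSQL",
    1521: "Oracle",
    27017: "MongoDB",
}

# Constructed sample of `ss -lnt` output, modelled on the scanned host
# (MySQL and PostgreSQL on 0.0.0.0); not captured from a real system.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       50            0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128           0.0.0.0:5432        0.0.0.0:*
LISTEN  0       128         127.0.0.1:6010        0.0.0.0:*
LISTEN  0       128              [::]:22             [::]:*
LISTEN  0       128             [::1]:1521             [::]:*
"""


def split_local(addr_port):
    """Split ss's 'addr:port' column; IPv6 is bracketed, '*' is wildcard."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)


def is_wildcard(host):
    """True when the bind address accepts connections on any interface."""
    if host in ("*", ""):
        return True
    try:
        return ipaddress.ip_address(host).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        return False


def exposed_db_listeners(ss_output):
    """Return [(port, service, bind_host)] for DB ports not limited to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        host, port = split_local(cols[3])
        if port in DB_PORTS and is_wildcard(host):
            findings.append((port, DB_PORTS[port], host))
    return findings


def audit_live_host():
    """Run ss on this machine (Linux only) and return the findings."""
    out = subprocess.run(["ss", "-lnt"], capture_output=True, text=True, check=True).stdout
    return exposed_db_listeners(out)


if __name__ == "__main__":
    for port, service, host in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"{service} listening on {host}:{port} is reachable from any host; "
              f"bind it to 127.0.0.1 or an internal interface and firewall the port")
```

The check deliberately reads the kernel's socket table rather than the database configuration files, because a listener that is bound to 0.0.0.0 is exposed regardless of what my.cnf or pg_hba.conf say they intend; run it again after the bind-address change to confirm the rows disappear.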
3.2.36. BIND 9 Resolver crashes after logging an error in query.c (dns-bind-cve-2011-4313)

Description: An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached. At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit. The patch has two components. When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature. (This wording is ISC's advisory text; the "we" is ISC.) Only a server that performs recursion caches such records, so an authoritative-only named with recursion disabled is not exposed; check which role this host's named plays before prioritising.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References: BID 50690, CERT-VN 606539, CVE CVE-2011-4313, DEBIAN DSA-2347, OSVDB 77159, REDHAT RHSA-2011:1458, REDHAT RHSA-2011:1459, REDHAT RHSA-2011:1496, SECUNIA 46536, 46829, 46887, 46890, 46905, 46906, 46943, 46984, 47043, 47075, XF isc-bind-recursive-dos(71332)

Vulnerability Solution: Apply the patch to mitigate the BIND 9 resolver crash. Patches mitigating this issue are available at:
https://www.isc.org/software/bind/981-p1
https://www.isc.org/software/bind/974-p1
https://www.isc.org/software/bind/96-esv-r5-p1
https://www.isc.org/software/bind/94-esv-r5-p1
Alternatively upgrade to one of the fixed releases, all released on November 16, 2011 (source code and binaries can be downloaded from ISC's web site):
BIND 9.4-ESV-R5-P1: http://ftp.isc.org/isc/bind9/9.4-ESV-R5-P1/bind-9.4-ESV-R5-P1.tar.gz
BIND 9.6-ESV-R5-P1: http://ftp.isc.org/isc/bind9/9.6-ESV-R5-P1/bind-9.6-ESV-R5-P1.tar.gz
BIND 9.7.4-P1: http://ftp.isc.org/isc/bind9/9.7.4-P1/bind-9.7.4-P1.tar.gz
BIND 9.8.1-P1: http://ftp.isc.org/isc/bind9/9.8.1-P1/bind-9.8.1-P1.tar.gz
3.2.37. BIND: Ghost Domain Names: Revoked Yet Still Resolvable (dns-bind-cve-2012-1033)

Description: The resolver in ISC BIND 9 through 9.8.1-P1 does not properly implement a cache update policy, which allows remote attackers to trigger continued resolvability of domain names that are no longer registered via an unspecified "Ghost Names exploit". The technique, as published, has the attacker-controlled name servers keep refreshing the delegation's NS records in the resolver's cache before they expire, so the domain keeps resolving after the registry has removed it.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References: BID 51898, CERT-VN 542123, CVE CVE-2012-1033, OSVDB 78916, SECUNIA 47884, XF isc-bind-update-sec-bypass(73053)

Vulnerability Solution: If you are aware that you have cached bad records, clearing the cache will remove them, but that is not an effective or practical preventative approach. The fix is in BIND releases later than 9.8.1-P1 (the upper bound in the description); upgrade past it rather than relying on cache flushes.
3.2.38. ISC BIND DNSSEC EVP_VerifyFinal() and DSA_do_verify() Spoofing Vulnerability (dns-bind-ssl-signature-spoofing)

Description: OpenSSL security advisory CVE-2008-5077 may affect BIND users. The OpenSSL advisory says: several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. This issue affected the signature checks on DSA and ECDSA keys used with SSL/TLS. It is theoretically possible to spoof answers returned from zones whose DNSKEY algorithms are affected by that OpenSSL issue. BIND's own instance of the mis-checked return value is CVE-2009-0025 (in the references), so both BIND and the OpenSSL library it links against need updating; the spoofing only matters on a resolver that validates DNSSEC.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References: APPLE APPLE-SA-2009-05-12, CERT TA09-133A, CVE CVE-2009-0025, OVAL OVAL10879, OVAL OVAL5569, SECUNIA 33494, 33546, 33551, 33559, 33683, 33882, 35074, URL https://www.isc.org/node/389

Vulnerability Solution: Upgrade to one of the fixed releases, all released on January 07, 2009 (source code and binaries can be down
loaded from ISC's web site):
BIND 9.3.6-P1: http://ftp.isc.org/isc/bind9/9.3.6-P1/bind-9.3.6-P1.tar.gz
BIND 9.4.3-P1: http://ftp.isc.org/isc/bind9/9.4.3-P1/bind-9.4.3-P1.tar.gz
BIND 9.5.1-P1: http://ftp.isc.org/isc/bind9/9.5.1-P1/bind-9.5.1-P1.tar.gz
BIND 9.6.0-P1: http://ftp.isc.org/isc/bind9/9.6.0-P1/bind-9.6.0-P1.tar.gz
3.2.39. Debian Linux httpd Vulnerability (http-apache-0007)

Description: The Debian GNU/Linux 2.1 Apache package by default allows anyone to view /usr/doc via the web, remotely. This is because srm.conf is preconfigured with the line:
Alias /doc/ /usr/doc/

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8. http://192.168.56.3/doc/ returned a directory listing ("Index of /doc").

References: BID 318, CVE CVE-1999-0678, URL http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=2822

Vulnerability Solution: The following addition to /etc/apache/access.conf will restrict access (the Directory container around the directives was lost in extraction and is restored here):
<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
That is the Apache 1.3 layout the original advisory targets. On the Apache 2.2 server found here the same Directory block, with the same Order/Deny/Allow directives, belongs in the virtual host or conf.d configuration that carries the Alias; Apache 2.4 replaces those three directives with Require local. Unless the documentation tree is deliberately published, removing the Alias is simpler than restricting it, and directory indexing should be switched off (Options -Indexes) so that an aliased path can no longer enumerate its contents.
3.2.40. WebDAV Extensions are Enabled (http-generic-webdav-enabled)

Description: WebDAV is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. Many web servers enable WebDAV extensions by default, even when they are not needed. Because of its added complexity, it is considered good practice to disable WebDAV if it is not currently in use. The practical risk is a DAV-enabled location that accepts PUT or PROPFIND without authentication, which lets a remote client write files into, or enumerate, the web root.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References: None

Vulnerability Solution:
IIS, PWS, Microsoft-IIS, Internet Information Services, Microsoft-PWS - Disable WebDAV for IIS: for Microsoft IIS, follow Microsoft's instructions to disable WebDAV for the entire server.
Apache - Disable WebDAV for Apache: make sure the mod_dav module is disabled (on Debian/Ubuntu the a2dismod tool removes the dav and dav_fs module links; restart Apache afterwards), or ensure that authentication is required on directories where DAV is required.
Apache Tomcat, Tomcat, Tomcat Web Server - Disable WebDAV for Apache Tomcat: disable the WebDAV Servlet for all web applications found on the web server. This can be done by removing the servlet definition for WebDAV (the org.apache.catalina.servlets.WebdavServlet class) and removing all servlet mappings referring to the WebDAV servlet.
Java System Web Server, iPlanet, Sun ONE Web Server, Sun-ONE-Web-Server - Disable WebDAV for iPlanet/Sun ONE: disable WebDAV on the web server. This can be done by disabling WebDAV for the server instance and for all virtual servers. To disable WebDAV for the server instance, enter the Server Manager and uncheck the "Enable WebDAV Globally" checkbox, then click the "OK" button. To disable WebDAV for each virtual server, enter the Class Manager and uncheck the "Enable WebDAV Globally" checkbox next to each server instance, then click the "OK" button.
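An added example, not from the report, of how this check is made over the wire: a server with mod_dav enabled answers an OPTIONS request with a `DAV:` compliance header and lists PROPFIND and its siblings in `Allow:`. The Python below parses such a response and returns both signals; the sample response is constructed (an Apache 2.2 with mod_dav would answer much like it), and `probe()` sends a live OPTIONS with the standard library. Re-running `probe()` after the module is disabled is the quickest way to confirm the finding is gone.

```python
"""Decide from an HTTP OPTIONS response whether a server advertises WebDAV.

Added example; not part of the report. Two signals are checked: the `DAV:`
header (compliance classes 1, 2, ...) and WebDAV methods in `Allow:`.
"""
import http.client
from email.parser import Parser

# RFC 4918 methods; any of these in Allow: means the DAV module is active.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample response (not captured from the scanned host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 20 Aug 2012 20:05:00 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "DAV: 1,2\r\n"
    "Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw response into its status line and a case-insensitive header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = Parser().parsestr(header_block + "\r\n", headersonly=True)
    return status_line, headers


def webdav_status(raw_response):
    """Return the DAV classes, the WebDAV methods offered, and an overall verdict."""
    status_line, headers = parse_headers(raw_response)
    dav_classes = [c.strip() for c in headers.get("DAV", "").split(",") if c.strip()]
    allow = {m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()}
    dav_methods = sorted(allow & WEBDAV_METHODS)
    return {
        "status": status_line,
        "dav_classes": dav_classes,
        "webdav_methods": dav_methods,
        "enabled": bool(dav_classes) or bool(dav_methods),
    }


def probe(host, port=80, path="/"):
    """Send a real OPTIONS request and evaluate the answer (needs network access)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
        raw += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()) + "\r\n"
    finally:
        conn.close()
    return webdav_status(raw)


if __name__ == "__main__":
    print(webdav_status(SAMPLE_RESPONSE))
```

Both signals are kept separate in the result on purpose: some servers advertise `DAV:` only on the DAV-enabled location rather than on `/`, so when `/` looks clean the probe should be repeated against the paths the application actually serves.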
3.2.41. PHP 5.2.5 cURL safe_mode bypass (http-php-curl-safe-mode-bypass-other)

Description: Certain versions of PHP contain a weakness whereby calls to the cURL extension can bypass Safe Mode restrictions. As a result, a script can be constructed to access files it did not normally have permission to manipulate. safe_mode was never a boundary PHP could uphold consistently (it was deprecated in PHP 5.3 and removed in 5.4), so isolation between scripts belonging to different tenants has to come from the operating system (separate users per application), with open_basedir at most as a secondary control.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References: APPLE APPLE-SA-2008-07-31, APPLE APPLE-SA-2008-10-09, BID 27413, BID 29009, BID 31681, CVE CVE-2007-4850, SECUNIA 30048, 30411, 31200, 31326, 32222, URL http://article.gmane.org/gmane.comp.security.full-disclosure/58593, URL http://www.php.net/releases/5_2_6.php, XF php-curlinit-security-bypass(39852), XF php-safemode-directive-security-bypass(42134)

Vulnerability Solution: Download and apply the upgrade from http://museum.php.net/php5/php-5.2.6.tar.gz. Upgrade to PHP v5.2.6.
3.2.42. PHP Multiple Vulnerabilities Fixed in version 5.2.9 (http-php-multiple-vulns-5-2-9)

Description: Certain versions of PHP ship with a vulnerable version of the imageRotate function. This could allow a context-dependent attacker to read the contents of arbitrary memory via a specially crafted value of the third argument for an indexed image (CVE-2008-5498). An unspecified error in the zip functionality could cause a crash when file or directory names contain a relative path (CVE-2009-1272). An unspecified error exists in the explode() function. An unspecified error exists when a malformed string is passed to the json_decode() function (CVE-2009-1271).

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References: APPLE APPLE-SA-2009-09-10-2, CVE CVE-2009-1271, CVE CVE-2009-1272, DEBIAN DSA-1775, DEBIAN DSA-1789, REDHAT RHSA-2009:0350, SECUNIA 34770, 34830, 34933, 35003, 35007, 35306, 35685, 36701, URL http://www.php.net/ChangeLog-5.php#5.2.9, URL http://www.php.net/releases/5_2_9.php

Vulnerability Solution: Download and apply the upgrade from http://museum.php.net/php5/php-5.2.9.tar.gz. Upgrade to PHP v5.2.9.
3.2.43. PHP Multiple Vulnerabilities Fixed in version 5.3.2 (http-php-multiple-vulns-5-3-2)

Description: Improved LCG entropy. Fixed safe_mode validation inside tempnam() when the directory path does not end with a /. Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. The LCG item matters more than its one-line changelog entry suggests: the combined linear congruential generator contributes to session identifier generation, so its weak seeding made session IDs more predictable.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References: URL http://www.php.net/ChangeLog-5.php#5.3.2, URL http://www.php.net/releases/5_3_2.php

Vulnerability Solution: Download and apply the upgrade from http://www.php.net/get/php-5.3.2.tar.gz/from/a/mirror. Upgrade to PHP v5.3.2 (released on March 4th, 2010).
3.2.44. PHP IMAP toolkit crash: rfc822.c legacy routine buffer overflow (http-php-rfc822-write-address-bof)

Description: php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message, related to the rfc822_write_address function.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References: APPLE APPLE-SA-2009-05-12, BID 29829, CERT TA09-133A, CVE CVE-2008-2829, OSVDB 46641, SECUNIA 31200, 35074, 35306, 35650, XF php-phpimap-dos(43357)

Vulnerability Solution: Download and apply the upgrade from http://museum.php.net/php5/php-5.2.7.tar.gz. Upgrade to PHP v5.2.7. Note that PHP 5.2.7 was withdrawn shortly after release because of a magic_quotes_gpc regression and replaced by 5.2.8, so target 5.2.8 or later. The affected code is only reachable when the imap extension is loaded; if the application does not use it, removing the extension closes the exposure as well.
3.2.45. PHP Fixed security issues (CVE-2008-2665) (http-php-safemode-bypass3)

Description: Directory traversal vulnerability in the posix_access function in PHP 5.2.6 and earlier allows remote attackers to bypass safe_mode restrictions via a .. (dot dot) in an http URL, which results in the URL being canonicalized to a local filename after the safe_mode check has successfully run. This is a check-then-canonicalize ordering bug: the path is validated in one form and then used in another.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References: APPLE APPLE-SA-2009-05-12, BID 29797, CERT TA09-133A, CVE CVE-2008-2665, SECUNIA 35074, 35650, XF php-posixaccess-security-bypass(43196)

Vulnerability Solution: Download and apply the upgrade from http://museum.php.net/php5/php-5.2.7.tar.gz. Upgrade to PHP v5.2.7 (in practice 5.2.8, which replaced the withdrawn 5.2.7 release).
3.2.46. MySQL 'DATA DIRECTORY' and 'INDEX DIRECTORY' MyISAM Table Privilege Escalation Vulnerability (mysql-datadir-isam-table-privilege-escalation)

Description: MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future. The "local users" here are authenticated database accounts with CREATE privilege on some database, not shell users on the server: such an account can place its table files where a table of the same name in another database will later be created, and so gain access to that table.

Affected Nodes / Additional Information:
192.168.56.3:3306 - Running vulnerable MySQL service: MySQL 5.0.51a.

References: APPLE APPLE-SA-2008-10-09, APPLE APPLE-SA-2009-09-10-2, BID 29106, BID 31681, CVE CVE-2008-2079, DEBIAN DSA-1608, OVAL OVAL10133, REDHAT RHSA-2008:0505, REDHAT RHSA-2008:0510, REDHAT RHSA-2008:0768, SECUNIA 30134, 31066, 31226, 31687, 32222, 36701, URL http://bugs.mysql.com/32091, URL http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html, URL http://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html, XF mysql-myisam-security-bypass(42267)

Vulnerability Solution:
MySQL 4.1.x: upgrade to MySQL v4.1.24. Download and apply the upgrade from http://dev.mysql.com/downloads/mysql/4.1.html. Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.
MySQL >= 5.0.0 and < 5.0.60: upgrade to MySQL 5.0.60.
MySQL >= 5.1.0 and < 5.1.24: upgrade to MySQL 5.1.24.
MySQL >= 6.0.0 and < 6.0.5: upgrade to MySQL 6.0.5.
(The per-version download instructions for the 5.x and 6.0 branches were lost in extraction; the fixed versions are the ones named in the description.) Running mysqld with symbolic links disabled (the symbolic-links=0 setting in my.cnf, equivalent to --skip-symbolic-links) is the standard hardening against DATA DIRECTORY and INDEX DIRECTORY abuse and is worth setting regardless of the upgrade.

[Report pages 92 through 113 are absent from this extraction. What survives of the last entry on them is the tail of a finding about Tomcat sample applications; its evidence lines read:]

... 21:22:19: Sample Application JSP Page
References: None
Vulnerability Solution: Delete these scripts entirely. Example scripts should never be installed on production servers.
3.2.72. BIND 9 DNSSEC validation code could cause bogus NXDOMAIN responses (dns-bind-cve-2010-0097)

Description: There was an error in the DNSSEC NSEC/NSEC3 validation code that could cause bogus NXDOMAIN responses (that is, NXDOMAIN responses for records proven by NSEC or NSEC3 to exist) to be cached as if they had validated correctly, so that future queries to the resolver would return the bogus NXDOMAIN with the AD flag set. This problem affects all DNSSEC-validating resolvers. It would be difficult to exploit due to other existing protections against cache poisoning (including transaction ID and source port randomization), but it could impair the ability of DNSSEC to protect against a denial-of-service attack on a secure zone.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References: APPLE APPLE-SA-2011-10-12-3, BID 37865, CERT-VN 360341, CVE CVE-2010-0097, DEBIAN DSA-2054, OSVDB 61853, OVAL OVAL12205, OVAL OVAL7212, OVAL OVAL7430, OVAL OVAL9357, REDHAT RHSA-2010:0062, REDHAT RHSA-2010:0095, SECUNIA 38169, 38219, 38240, 39334, 39582, 40086, SUSE SUSE-SA:2010:008, XF bind-dnssecnsec-cache-poisoning(55753)

Vulnerability Solution: Upgrade to one of the fixed releases, all released on January 19, 2010 (source code and binaries can be downloaded from ISC's web site):
BIND 9.4.3-P5: http://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz
BIND 9.5.2-P2: http://ftp.isc.org/isc/bind9/9.5.2-P2/bind-9.5.2-P2.tar.gz
BIND 9.6.1-P3: http://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz
3.2.73. BIND: cache incorrectly allows a ncache entry and a rrsig for the same type (dns-bind-cve-2010-3613)

Description: Adding certain types of signed negative responses to cache doesn't clear any matching RRSIG records already in cache. A subsequent lookup of the cached data can cause named to crash (INSIST). Because the trigger is cached data from a signed zone, a recursive client that can steer the resolver into querying an attacker-controlled zone can bring the daemon down.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References: APPLE APPLE-SA-2011-10-12-3, BID 45133, CERT-VN 706148, CVE CVE-2010-3613, DEBIAN DSA-2130, IAVM 2011-A-0066, NETBSD NetBSD-SA2011-001, OSVDB 69558, OVAL OVAL12601, REDHAT RHSA-2010:0975, REDHAT RHSA-2010:0976, REDHAT RHSA-2010:1000, SECUNIA 42374, 42459, 42522, 42671, 42707, 43141

Vulnerability Solution: Upgrade to one of the fixed releases, all released on December 01, 2010 (source code and binaries can be downloaded from ISC's web site):
BIND 9.4-ESV-R4: http://ftp.isc.org/isc/bind9/9.4-ESV-R4/bind-9.4-ESV-R4.tar.gz
BIND 9.6-ESV-R3: http://ftp.isc.org/isc/bind9/9.6-ESV-R3/bind-9.6-ESV-R3.tar.gz
BIND 9.6.2-P3: http://ftp.isc.org/isc/bind9/9.6.2-P3/bind-9.6.2-P3.tar.gz
BIND 9.7.2-P3: http://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz
3.2.74. ISC BIND 9 Remote Dynamic Update Message Denial of Service Vulnerability (dns-bind-remote-dynamic-update-message-dos)

Description: ISC BIND 9.4 before 9.4.3-P2, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1 ship with a flawed implementation of the dns_db_findrdataset function in db.c, when configured as a master server. This could allow remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009. The update does not have to be permitted: the assertion fires while the prerequisite section is being checked, before allow-update or update-policy is consulted, so every server that is master for at least one zone is exposed, and one UDP packet naming such a zone is enough.

Affected Nodes / Additional Information:
192.168.56.3:53 - Running vulnerable DNS service: BIND 9.4.2.

References: CERT-VN 725188, CVE CVE-2009-0696, NETBSD NetBSD-SA2009-013, OVAL OVAL10414, OVAL OVAL12245, OVAL OVAL7806, SECUNIA 36035, 36038, 36050, 36053, 36056, 36063, 36086, 36098, 36192, 37471, 39334

Vulnerability Solution: Upgrade to one of the fixed releases, all released on July 29, 2009 (source code and binaries can be downloaded from ISC's web site):
BIND 9.4.3-P3: http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz
BIND 9.5.1-P3: http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz
BIND 9.6.1-P1: http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz
3.2.75. PHP Multiple Vulnerabilities Fixed in version 5.2.10 (http-php-multiple-vulns-5-2-10)

Description: PHP versions before 5.2.10 can segfault on certain corrupted JPEG files in exif_read_data(). Any script that calls exif_read_data() on user-supplied images (avatar uploads, galleries) hands the trigger to remote clients.

Affected Nodes / Additional Information:
192.168.56.3:80 - Running vulnerable HTTP service: Apache 2.2.8.

References: BID 35440, CVE CVE-2009-2687, DEBIAN DSA-1940, OSVDB 55222, OVAL OVAL10695, OVAL OVAL6655, SECUNIA 35441, 36462, 37482, 40262, URL http://www.php.net/ChangeLog-5.php#5.2.10, URL http://www.php.net/releases/5_2_10.php, XF php-exifreaddata-dos(51253)

Vulnerability Solution: Download and apply the upgrade from http://museum.php.net/php5/php-5.2.10.tar.gz. Upgrade to PHP v5.2.10 (released on June 18th, 2009).
3.2.76. MySQL Bug #29908: ALTER VIEW Privilege Escalation Vulnerability (mysql-bug-29908-alter-view-priv-esc)

Description: A flaw in the ALTER VIEW routine of MySQL allows for the opportunity of an authenticated user to elevate their privileges in certain contexts.

Affected Nodes / Additional Information:
192.168.56.3:3306 - Running vulnerable MySQL service: MySQL 5.0.51a.

References: URL http://bugs.mysql.com/bug.php?id=29908

Vulnerability Solution: MySQL >= 5.0.0 and [the upper bound and the upgrade instructions were lost in extraction; the referenced bug report names the fixed release].

[Report pages 119 through 130 are absent from this extraction. What survives of the last entry on them is the tail of a finding about a default Tomcat page; its evidence lines read:]

... 195:196:197:194: ... means you've set up Tomcat successfully. Congratulations!
References: OSVDB 2117
Vulnerability Solution: If this server is required to provide necessary functionality, then the default page should be replaced with relevant content. Otherwise, this server should be removed from the network, following the security principle of minimum complexity.
3.3.7. FTP access with ftp account (ftp-generic-0001)

Description: Many FTP servers support a default account with the user ID "ftp" and password "ftp". It is best practice to remove default accounts, if possible. For accounts required by the system, the default password should be changed.

Affected Nodes / Additional Information:
192.168.56.3:21 - Running vulnerable FTP service. Successfully authenticated to the FTP service with credentials: uid [ftp] pw [ftp] realm [null]

References: CVE CVE-1999-0497

Vulnerability Solution: Remove or disable the account if it is not critical for the system to function. Otherwise, the password should be changed to a non-default value.
3.3.8. FTP access with anonymous account (ftp-generic-0002)

Description: Many FTP servers support a default account with the user ID "anonymous" and password "ftp@". It is best practice to remove default accounts, if possible. For accounts required by the system, the default password should be changed.

Affected Nodes / Additional Information:
192.168.56.3:21 - Running vulnerable FTP service. Successfully authenticated to the FTP service with credentials: uid [anonymous] pw [joe@] realm [null]

References: CVE CVE-1999-0497

Vulnerability Solution: Remove or disable the account if it is not critical for the system to function. Otherwise, the password should be changed to a non-default value. Anonymous FTP accepts any password by convention (the scanner got in with "joe@", not "ftp@"), so changing the password is not a meaningful option for this account; the real choices are to disable anonymous logins in the server configuration (for example the anonymous_enable setting in vsftpd) or, where anonymous download is intentional, to verify that the anonymous tree is read-only and contains nothing sensitive. This finding and 3.3.7 share CVE-1999-0497, the generic identifier for anonymous FTP being enabled.
3.3.9. ICMP timestamp response (generic-icmp-timestamp)

Description: The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time. This information could theoretically be used against some systems to exploit weak time-based random number generators in other services. In addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP timestamp requests.

Affected Nodes / Additional Information:
192.168.56.3 - Remote system time: 01:06:41.040 EST

References: CVE CVE-1999-0524, OSVDB 95, XF icmp-netmask(306), XF icmp-timestamp(322)

Vulnerability Solution: The easiest and most effective solution on every platform is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response). Platform-specific alternatives:

HP-UX - Disable ICMP timestamp responses on HP/UX: execute the following command:
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
That tunable only governs replies to broadcast requests; HP-UX also has ip_respond_to_timestamp, which controls unicast requests and is the one this finding exercises, so set both to 0.

Cisco IOS - Disable ICMP timestamp responses on Cisco IOS: use ACLs to block ICMP types 13 and 14. For example:
deny icmp any any 13
deny icmp any any 14
Note that it is generally preferable to use ACLs that block everything by default and then selectively allow certain types of traffic in. For example, block everything and then only allow ICMP unreachable, ICMP echo reply, ICMP time exceeded, and ICMP source quench:
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any source-quench

SGI Irix - Disable ICMP timestamp responses on SGI Irix: IRIX does not offer a way to disable ICMP timestamp responses. Therefore, you should block ICMP on the affected host using ipfilterd, and/or block it at any external firewalls.

Linux - Disable ICMP timestamp responses on Linux: Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to disable ICMP timestamp responses. Therefore, you should block ICMP on the affected host using iptables, and/or block it at the firewall. The report's example uses ipchains, the 2.2-era kernel tool:
ipchains -A input -p icmp --icmp-type timestamp-request -j DROP
ipchains -A output -p icmp --icmp-type timestamp-reply -j DROP
On kernels from 2.4 onward the same two rules are written with iptables (chains INPUT and OUTPUT; the match names timestamp-request and timestamp-reply are unchanged) or with the equivalent nftables icmp type match; dropping the inbound request alone is sufficient, since no reply is generated for a packet that never reaches the stack.

Microsoft Windows NT (Workstation, Server, Advanced Server, Server Enterprise Edition, Server Terminal Server Edition) - Disable ICMP timestamp responses on Windows NT 4: Windows NT 4 does not provide a way to block ICMP packets. Therefore, you should block them at the firewall.

OpenBSD - Disable ICMP timestamp responses on OpenBSD: set the "net.inet.icmp.tstamprepl" sysctl variable to 0:
sysctl -w net.inet.icmp.tstamprepl=0

Cisco PIX - Disable ICMP timestamp responses on Cisco PIX: a properly configured PIX firewall should never respond to ICMP packets on its external interface. In PIX Software versions 4.1(6) until 5.2.1, ICMP traffic to the PIX's internal interface is permitted; the PIX cannot be configured to NOT respond. Beginning in PIX Software version 5.2.1, ICMP is still permitted on the internal interface by default, but ICMP responses from its internal interfaces can be disabled with the icmp command, as follows, where if_name is the name of the internal interface:
icmp deny any 13 if_name
icmp deny any 14 if_name
Don't forget to save the configuration when you are finished. See Cisco's support document "Handling ICMP Pings with the PIX Firewall" for more information.

Sun Solaris - Disable ICMP timestamp responses on Solaris: execute the following commands:
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

Microsoft Windows 2000 (Professional, Server, Advanced Server, Datacenter Server) - Disable ICMP timestamp responses on Windows 2000: use the IPSec filter feature to define and apply an IP filter list that blocks ICMP types 13 and 14.
NotethatthestandardTCP/IPblockingcapabilityunderthe"NetworkingandDialupConnections"controlpanelisNOTcapableofblockingICMP(onlyTCPandUDP).
TheIPSecfilterfeatures,whiletheymayseemstrictlyrelatedtotheIPSecstandards,willallowyoutoselectivelyblocktheseICMPpackets.
Seehttp://support.
microsoft.
com/kb/313190formoreinformation.
TheeasiestandmosteffectivesolutionistoconfigureyourfirewalltoblockincomingandoutgoingICMPpacketswithICMPtypes13(timestamprequest)and14(timestampresponse).
Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003: Disable ICMP timestamp responses on Windows XP/2K3
  ICMP timestamp responses can be disabled by deselecting the "allow incoming timestamp request" option in the ICMP configuration panel of Windows Firewall.
  1. Go to the Network Connections control panel.
  2. Right click on the network adapter and select "properties", or select the internet adapter and select File -> Properties.
  3. Select the "Advanced" tab.
  4. In the Windows Firewall box, select "Settings".
  5. Select the "General" tab.
  6. Enable the firewall by selecting the "on (recommended)" option.
  7. Select the "Advanced" tab.
  8. In the ICMP box, select "Settings".
  9. Deselect (uncheck) the "Allow incoming timestamp request" option.
  10. Select "OK" to exit the ICMP Settings dialog and save the settings.
  11. Select "OK" to exit the Windows Firewall dialog and save the settings.
  12. Select "OK" to exit the internet adapter dialog.
  For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true

Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition, Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition, Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008 Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows Essential Business Server 2008: Disable ICMP timestamp responses on Windows Vista/2008
  ICMP timestamp responses can be disabled via the netsh command line utility.
  1. Go to the Windows Control Panel.
  2. Select "Windows Firewall".
  3. In the Windows Firewall box, select "Change Settings".
  4. Enable the firewall by selecting the "on (recommended)" option.
  5. Open a Command Prompt.
  6. Enter "netsh firewall set icmpsetting 13 disable"
  For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true

Disable ICMP timestamp responses
  Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14 (timestamp response).
3.3.10. TCP timestamp response (generic-tcp-timestamp)

Description:
The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP timestamps.

Affected Nodes:
  192.168.56.3 - Apparent system boot time: Mon Aug 20 05:33:48 EST 2012

References:
  URL  http://uptime.netcraft.com
  URL  http://www.forensicswiki.org/wiki/TCP_timestamps
  URL  http://www.ietf.org/rfc/rfc1323.txt

Vulnerability Solution:

Cisco: Disable TCP timestamp responses on Cisco
  Run the following command to disable TCP timestamps:
    no ip tcp timestamp

FreeBSD: Disable TCP timestamp responses on FreeBSD
  Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:
    sysctl -w net.inet.tcp.rfc1323=0
  Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
    net.inet.tcp.rfc1323=0

Linux: Disable TCP timestamp responses on Linux
  Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:
    sysctl -w net.ipv4.tcp_timestamps=0
  Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
    net.ipv4.tcp_timestamps=0

OpenBSD: Disable TCP timestamp responses on OpenBSD
  Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:
    sysctl -w net.inet.tcp.rfc1323=0
  Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
    net.inet.tcp.rfc1323=0

Microsoft Windows: Disable TCP timestamp responses on Windows
  Set the Tcp1323Opts value in the following key to 1:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

3.3.11. OpenSSH "X11UseLocalhost" X11 Forwarding Session Hijacking Vulnerability (ssh-openssh-x11uselocalhost-x11-forwarding-session-hijack)

Description:
Certain versions of OpenSSH set the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled. This could allow a local attacker to hijack the X11 forwarding port via a bind to a single IP address.

Affected Nodes:
  192.168.56.3:22 - OpenSSH 4.7p1 on Ubuntu Linux 8.04

References:
  BID      30339
  CVE      CVE-2008-3259
  SECUNIA  31179
  XF       openssh-x11forwarding-info-disclosure(43940)

Vulnerability Solution:
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.1p1.tar.gz
Version 5.1 of OpenSSH was released on July 21st, 2008. While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your operating system.
3.3.12. UDP IP ID Zero (udp-ipid-zero)

Description:
The remote host responded with a UDP packet whose IP ID was zero. Normally the IP ID should be set to a unique value and is used in the reconstruction of fragmented packets. Generally this behavior is only seen with systems derived from a Linux kernel, which may allow an attacker to fingerprint the target's operating system.

Affected Nodes:
  192.168.56.3 - Received UDP packet with IP ID of zero:
    IPv4 SRC[192.168.56.3] TGT[192.168.56.1] TOS[0] TTL[64] Flags[40] Proto[17] ID[0] FragOff[0] HDR-LENGTH[20] TOTAL-LENGTH[52] CKSUM[18788]
    UDP SRC-PORT[48701] TGT-PORT[47159] CKSUM[29994]
    RAW DATA [24]: 3EECE3CA0000000100000000000000000000000000000001

References: None

Vulnerability Solution:
Many vendors do not consider this to be a vulnerability, or a vulnerability worth fixing, so there are no vendor-provided solutions aside from putting a firewall or other filtering device between the target and hostile attackers that is capable of randomizing IP IDs.
4. Discovered Services

4.1. CIFS
CIFS, the Common Internet File System, was defined by Microsoft to provide file sharing services over the Internet. CIFS extends the Server Message Block (SMB) protocol designed by IBM and enhanced by Intel and Microsoft. CIFS provides mechanisms for sharing resources (files, printers, etc.) and executing remote procedure calls over named pipes.

4.1.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       139   6                Samba 3.0.20-Debian
  192.168.56.3  tcp       445   6                Samba 3.0.20-Debian

4.2. CIFS Name Service
CIFS, the Common Internet File System, was defined by Microsoft to provide file sharing services over the Internet. CIFS extends the Server Message Block (SMB) protocol designed by IBM and enhanced by Intel and Microsoft. CIFS provides mechanisms for sharing resources (files, printers, etc.) and executing remote procedure calls over named pipes. This service is used to handle CIFS browsing (name) requests. Responses contain the names and types of services that can be accessed via CIFS named pipes.

4.2.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  udp       137   0
    advertised-name-1: METASPLOITABLE (Computer Name)
    advertised-name-2: METASPLOITABLE (Logged-on User)
    advertised-name-3: METASPLOITABLE (File Server Service)
    advertised-name-4: __MSBROWSE__ (Master Browser)
    advertised-name-5: WORKGROUP (Domain Name)
    advertised-name-6: WORKGROUP (Master Browser)
    advertised-name-7: WORKGROUP (Browser Service Elections)
    advertised-name-count: 7
    mac-address: 000000000000

4.3. DNS
DNS, the Domain Name System, provides naming services on the Internet. DNS is primarily used to convert names, such as www.rapid7.com, to their corresponding IP address for use by network programs, such as a browser.

4.3.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  udp       53    6                BIND 9.4.2

4.4. DNS-TCP
DNS, the Domain Name System, provides naming services on the Internet. DNS is primarily used to convert names, such as www.rapid7.com, to their corresponding IP address for use by network programs, such as a browser. This service is used primarily for zone transfers between DNS servers. It can, however, be used for standard DNS queries as well.

4.4.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       53    0                BIND 9.4.2

4.5. FTP
FTP, the File Transfer Protocol, is used to transfer files between systems. On the Internet, it is often used on web pages to download files from a web site using a browser. FTP uses two connections: one is the control connection, used to authenticate, navigate the FTP server and initiate file transfers. The other connection is used to transfer data, such as files or directory listings.
4.5.1. General Security Issues

Cleartext authentication
The original FTP specification only provided means for authentication with cleartext userids and passwords. Though FTP has added support for more secure mechanisms such as Kerberos, cleartext authentication is still the primary mechanism. If a malicious user is in a position to monitor FTP traffic, userids and passwords can be stolen.

4.5.2. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       21    2                vsFTPd 2.3.4
    ftp.banner: 220 (vsFTPd 2.3.4)

4.6. HTTP
HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files commonly used with HTTP include text, sound, images and video.

4.6.1. General Security Issues

Simple authentication scheme
Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses base64 to encode the cleartext userid and password. If a malicious user is in a position to monitor HTTP traffic, userids and passwords can be stolen by decoding the base64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS/SSL) connections to transmit the authentication data.

4.6.2. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       80    7                Apache 2.2.8
    DAV: 2
    PHP: 5.2.4-2ubuntu5.10
    WebDAV:
    http.banner: Apache/2.2.8 (Ubuntu) DAV/2
    http.banner.server: Apache/2.2.8 (Ubuntu) DAV/2
    http.banner.x-powered-by: PHP/5.2.4-2ubuntu5.10
  192.168.56.3  tcp       8180  3                Apache Tomcat Coyote: 1.1
    http.banner: Apache-Coyote/1.1
    http.banner.server: Apache-Coyote/1.1

4.7. MySQL

4.7.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       3306  7                MySQL 5.0.51a
    (Additional Information: the full listing of MySQL server variables reported by the scanner is not reproduced here.)

4.8. NFS
The Network File System provides remote file access to shared file systems across a network.
NFS provides methods to list and browse directories and to access and alter files. NFS is built on the RPC protocol and is thus independent of machine, operating systems, or even underlying protocol. The main NFS protocol often operates in tandem with other NFS style protocols. The NFS Mount protocol deals with attaching the remote file systems to a point on the local machine's file system, and advertising what file systems are available to be mounted. The NFS Lock manager adds support for file locking to prevent the occurrence of file change conflicts.

4.8.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       2049  0                program-number: 100003, program-version: 4
  192.168.56.3  udp       2049  0                program-number: 100003, program-version: 4

4.9. NFS lockd
The Network File System provides remote file access to shared file systems across a network. NFS provides methods to list and browse directories and to access and alter files. NFS is built on the RPC protocol and is thus independent of machine, operating systems, or even underlying protocol. This service, NFS Lock manager, adds support for file locking to prevent the occurrence of file change conflicts. Since the NFS protocol is stateless, the NFS Lock Manager takes care of all the stateful aspects of file locking across a network.

4.9.1. Discovered Instances of this Service
  Device        Protocol  Port   Vulnerabilities  Additional Information
  192.168.56.3  tcp       44501  0                program-number: 100021, program-version: 4
  192.168.56.3  udp       58930  0                program-number: 100021, program-version: 4

4.10. Postgres

4.10.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       5432  1

4.11. Remote Execution
Remote Execution, rexec, is used to execute a command on a remote system.

4.11.1. General Security Issues

Authentication easily spoofed
The Remote Execution protocol does not use userid/password authentication to validate users. Instead it uses trust relationships based on information that is easily spoofed by an attacker. When a client connects to a rexec server, it sends a username to the server. The server verifies client access by:
  1. verifying the client's TCP port is reserved (below 1024)
  2. verifying that the specified username exists
  3. verifying the client's IP address is in the /etc/hosts.equiv file (or /.rhosts if root was specified as the username)
  4. verifying that logins have not been disabled (eg, /etc/nologin)

4.11.2. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       512   1

4.12. Remote Login
Remote Login, rlogin, is used to create a virtual terminal on the remote system, similar to a Telnet connection. Unlike Telnet connections, rlogin does not require a password from trusted hosts.

4.12.1. General Security Issues

Authentication easily spoofed
The Remote Login protocol does not use userid/password authentication to validate users. Instead it uses trust relationships based on information that is easily spoofed by an attacker. When a client connects to a rlogin server, it sends a username to the server. The server verifies client access by:
  1. verifying the client's TCP port is reserved (below 1024)
  2. verifying that the specified username exists
  3. verifying the client's IP address is in the /etc/hosts.equiv file (or /.rhosts if root was specified as the username)
  4. verifying that logins have not been disabled (eg, /etc/nologin)

4.12.2. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       513   1

4.13. Remote Shell
Remote Shell, rsh, is used to open a shell on the remote system. Once a shell is established, the client can execute commands on the remote system and receive the program output.

4.13.1. General Security Issues

Authentication easily spoofed
The Remote Shell protocol does not use userid/password authentication to validate users. Instead it uses trust relationships based on information that is easily spoofed by an attacker. When a client connects to a rsh server, it sends a username to the server. The server verifies client access by:
  1. verifying the client's TCP port is reserved (below 1024)
  2. verifying that the specified username exists
  3. verifying the client's IP address is in the /etc/hosts.equiv file (or /.rhosts if root was specified as the username)
  4. verifying that logins have not been disabled (eg, /etc/nologin)

4.13.2. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       514   1
4.14. SMTP
SMTP, the Simple Mail Transfer Protocol, is the Internet standard way to send e-mail messages between hosts. Clients typically submit outgoing e-mail to their SMTP server, which then forwards the message on through other SMTP servers until it reaches its final destination.

4.14.1. General Security Issues

Installed by default
By default, most UNIX workstations come installed with the sendmail (or equivalent) SMTP server to handle mail for the local host (e.g. the output of some cron jobs is sent to the root account via email). Check your workstations to see if sendmail is running, by telnetting to port 25/tcp. If sendmail is running, you will see something like this:

  $ telnet mybox 25
  Trying 192.168.0.1...
  Connected to mybox.
  Escape character is '^]'.
  220 mybox. ESMTP Sendmail 8.12.2/8.12.2; Thu, 9 May 2002 03:16:26 -0700 (PDT)

If sendmail is running and you don't need it, then disable it via /etc/rc.conf or your operating system's equivalent startup configuration file. If you do need SMTP for the local host, make sure that the server is only listening on the loopback interface (127.0.0.1) and is not reachable by other hosts. Also be sure to check port 587/tcp, which some versions of sendmail use for outgoing mail submissions.

Promiscuous relay
Perhaps the most common security issue with SMTP servers is servers which act as a "promiscuous relay", or "open relay". This describes servers which accept and relay mail from anywhere to anywhere. This setup allows unauthenticated 3rd parties (spammers) to use your mail server to send their spam to unwitting recipients. Promiscuous relay checks are performed on all discovered SMTP servers. See "smtp-general-openrelay" for more information on this vulnerability and how to fix it.

4.14.2. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       25    3                Postfix
    advertise-esmtp: 1
    advertised-esmtp-extension-count: 8
    advertises-esmtp: TRUE
    max-message-size: 10240000
    smtp.banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
    ssl.cert.issuer.dn: EMAILADDRESS=root@ubuntu804-base.localdomain, CN=ubuntu804-base.localdomain, OU=Office for Complication of Otherwise Simple Affairs, O=OCOSA, L=Everywhere, ST=There is no such thing outside US, C=XX
    ssl.cert.key.alg.name: RSA
    ssl.cert.key.rsa.modulusBits: 1024
    ssl.cert.not.valid.after: Sat, 17 Apr 2010 00:07:45 EST
    ssl.cert.not.valid.before: Thu, 18 Mar 2010 01:07:45 EST
    ssl.cert.selfsigned: true
    ssl.cert.serial.number: 18084549878917544396
    ssl.cert.sig.alg.name: SHA1withRSA
    ssl.cert.subject.dn: EMAILADDRESS=root@ubuntu804-base.localdomain, CN=ubuntu804-base.localdomain, OU=Office for Complication of Otherwise Simple Affairs, O=OCOSA, L=Everywhere, ST=There is no such thing outside US, C=XX
    ssl.cert.validsignature: true
    supports-8bitmime: TRUE
    supports-debug: FALSE
    supports-dsn: TRUE
    supports-enhancedstatuscodes: TRUE
    supports-etrn: TRUE
    supports-expand: FALSE
    supports-pipelining: TRUE
    supports-size: TRUE
    supports-starttls: TRUE
    supports-turn: FALSE
    supports-verify: FALSE
    supports-vrfy: TRUE
4.15. SSH
SSH, or Secure SHell, is designed to be a replacement for the aging Telnet protocol. It primarily adds encryption and data integrity to Telnet, but can also provide superior authentication mechanisms such as public key authentication.

4.15.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       22    2                OpenSSH 4.7p1
    ssh.banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    ssh.protocol.version: 2.0
    ssh.rsa.pubkey.fingerprint: 5656240F211DDEA72BAE61B1243DE8F3
4.16. Telnet
The telnet service provides console access to a machine remotely. All data, including usernames and passwords, is sent in cleartext over TCP. In recent times, most networks have phased out its use in favor of the SSH, or Secure SHell, protocol, which primarily provides strong encryption and superior authentication mechanisms.

4.16.1. General Security Issues

No Support For Encryption
The number one vulnerability that the telnet service faces is its inherent lack of support for encryption. This is an artifact from the time period in which it was invented, 1971. There existed little knowledge of cryptography outside of military environments, and computer technology was not yet advanced enough to handle its real-time use. SSH should be used instead of telnet.

System Architecture Information Leakage
Most telnet servers will broadcast a banner which details the exact system type (ie: hardware and operating system versions) to any connecting client, without requiring authentication. This information is crucial for carrying out serious attacks on the system.

4.16.2. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       23    1

4.17. VNC
AT&T VNC is used to provide graphical control of a system. A VNC server can run on a Microsoft Windows, Apple Macintosh or Unix (X Windows) system. By supplying the appropriate password, a VNC server system can be accessed by a VNC client. Full control of the system is provided through VNC, including command execution.

4.17.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       5900  2
    protocol-version: 3.3
    supported-auth-1: VNC Authentication
    supported-auth-count: 1

4.18. X Windows

4.18.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       6000  0

4.19. ingreslock (ingres)

4.19.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       1524  0

4.20. mountd

4.20.1. Discovered Instances of this Service
  Device        Protocol  Port   Vulnerabilities  Additional Information
  192.168.56.3  udp       33649  1                program-number: 100005, program-version: 3
  192.168.56.3  tcp       37000  1                program-number: 100005, program-version: 3

4.21. portmapper
The Remote Procedure Call portmapper is a service that maps RPC programs to specific ports, and provides that information to client programs. Since most RPC programs do not have a well defined port number, they are dynamically allocated a port number when they are first run. Any client program that wishes to use a particular RPC program first contacts the portmapper to determine the port and protocol of the specified RPC program. The client then uses that information to contact the RPC program directly. In addition, some implementations of the portmapper allow tunneling commands to RPC programs through the portmapper.

4.21.1. Discovered Instances of this Service
  Device        Protocol  Port  Vulnerabilities  Additional Information
  192.168.56.3  tcp       111   0                program-number: 100000, program-version: 2
  192.168.56.3  udp       111   0                program-number: 100000, program-version: 2

4.22. status

4.22.1. Discovered Instances of this Service
  Device        Protocol  Port   Vulnerabilities  Additional Information
  192.168.56.3  udp       48701  0                program-number: 100024, program-version: 1
  192.168.56.3  tcp       57176  0                program-number: 100024, program-version: 1
5. Discovered Users and Groups

5.1. System

5.1.1. 192.168.56.3
  Account Name  Type  Additional Information
  backup        User  comment: ; user-id: 1068
  bin           User  gid: 2; loginShell: /bin/sh; password: x; user-id: 2; userDir: /bin
  bind          User  full-name: ; gid: 113; loginShell: /bin/false; password: x; user-id: 105; userDir: /var/cache/bind
  daemon        User  gid: 1; loginShell: /bin/sh; password: x; user-id: 1; userDir: /usr/sbin
  dhcp          User  comment: ; full-name: ; user-id: 1202
  distccd       User  comment: ; full-name: ; user-id: 1222
  ftp           User  comment: ; full-name: ; user-id: 1214
  games         User  comment: ; user-id: 1010
  gnats         User  comment: ; full-name: Gnats Bug-Reporting System (admin); user-id: 1082
  irc           User  full-name: ircd; gid: 39; loginShell: /bin/sh; password: x; user-id: 39; userDir: /var/run/ircd
  klog          User  full-name: ; gid: 104; loginShell: /bin/false; password: x; user-id: 103; userDir: /home/klog
  libuuid       User  full-name: ; gid: 101; loginShell: /bin/sh; password: x; user-id: 100; userDir: /var/lib/libuuid
  list          User  comment: ; full-name: Mailing List Manager; user-id: 1076
  lp            User  gid: 7; loginShell: /bin/sh; password: x; user-id: 7; userDir: /var/spool/lpd
  mail          User  comment: ; user-id: 1016
  man           User  gid: 12; loginShell: /bin/sh; password: x; user-id: 6; userDir: /var/cache/man
  msfadmin      User  comment: ; full-name: msfadmin,,,; user-id: 3000
  mysql         User  comment: ; full-name: MySQL Server,,,; user-id: 1218
  news          User  gid: 9; loginShell: /bin/sh; password: x; user-id: 9; userDir: /var/spool/news
  nobody        User  gid: 65534; loginShell: /bin/sh; password: x; user-id: 65534; userDir: /nonexistent
  postfix       User  full-name: ; gid: 115; loginShell: /bin/false; password: x; user-id: 106; userDir: /var/spool/postfix
  postgres      User  comment: ; full-name: PostgreSQL administrator,,,; user-id: 1216
  proftpd       User  full-name: ; gid: 65534; loginShell: /bin/false; password: x; user-id: 113; userDir: /var/run/proftpd
  proxy         User  gid: 13; loginShell: /bin/sh; password: x; user-id: 13; userDir: /bin
  root          User  comment: ; user-id: 1000
  service       User  comment: ; full-name: ,,,; user-id: 3004
  snmp          User  full-name: ; gid: 65534; loginShell: /bin/false; password: x; user-id: 115; userDir: /var/lib/snmp
  sshd          User  full-name: ; gid: 65534; loginShell: /usr/sbin/nologin; password: x; user-id: 104; userDir: /var/run/sshd
  statd         User  full-name: ; gid: 65534; loginShell: /bin/false; password: x; user-id: 114; userDir: /var/lib/nfs
  sync          User  comment: ; user-id: 1008
  sys           User  comment: ; user-id: 1006
  syslog        User  full-name: ; gid: 103; loginShell: /bin/false; password: x; user-id: 102; userDir: /home/syslog
  telnetd       User  comment: ; full-name: ; user-id: 1224
  tomcat55      User  full-name: ; gid: 65534; loginShell: /bin/false; password: x; user-id: 110; userDir: /usr/share/tomcat5.5
  user          User  comment: ; full-name: just a user,111,,; user-id: 3002
  uucp          User  gid: 10; loginShell: /bin/sh; password: x; user-id: 10; userDir: /var/spool/uucp
  www-data      User  gid: 33; loginShell: /bin/sh; password: x; user-id: 33; userDir: /var/www

5.2. MySQL

5.2.1. 192.168.56.3
  Account Name       Type  Additional Information
  debian-sys-maint   User
  guest              User
  root               User
DiscoveredDatabases6.
1.
MySQL6.
1.
1.
192.
168.
56.
3dvwainformation_schemametasploitmysqlowasp10tikiwikitikiwiki195Page158AuditReport7.
DiscoveredFilesandDirectories7.
1.
192.
168.
56.
3File/DirectoryNameTypePropertiesoptDirectorycomment:mount-point:C:\tmpprint$Directorycomment:PrinterDriversmount-point:C:\var\lib\samba\printerstmpDirectorycomment:ohnoes!
mount-point:C:\tmpPage159AuditReport8.
PolicyEvaluationsNopolicyevaluationswereperformed.
Page160AuditReport9.
SpideredWebSitesNowebsiteswerespideredduringthescan.

