Security Issues and Fixes: 151.108.232.232

Type | Port | Issue and Fix

Warning | chargen (19/tcp)
The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.
When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection.
An easy attack is 'pingpong', in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10043

Informational | chargen (19/tcp)
Chargen is running on this port.
Nessus ID : 10330

Warning | discard (9/tcp)
The 'discard' port is open. This port is not of any use nowadays, and may be a source of problems.
Solution : comment out 'discard' in /etc/inetd.conf
Risk factor : Low
CVE : CAN-1999-0636
Nessus ID : 11367

Warning | echo (7/tcp)
The 'echo' port is open. This port is not of any use nowadays, and may be a source of problems, since it can be used along with other ports to perform a denial of service. You should really disable this service.
Risk factor : Low
Solution : disable this service
CVE : CVE-1999-0103
Nessus ID : 10061

Informational | echo (7/tcp)
An echo server is running on this port.
Nessus ID : 10330

Warning | telnet (23/tcp)
The Telnet service is running.
This service is dangerous in the sense that it is not encrypted: anyone who can sniff the traffic can read the data that passes between the telnet client and the telnet server. This includes logins and passwords.
You should disable this service and use OpenSSH instead (www.openssh.com).
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619
Nessus ID : 10280

Informational | telnet (23/tcp)
A telnet server seems to be running on this port.
Nessus ID : 10330

Informational | telnet (23/tcp)
Remote telnet banner :
SunOS 5.8
Nessus ID : 10281

Vulnerability | ftp (21/tcp)
You seem to be running an FTP server which is vulnerable to the 'glob heap corruption' flaw.
An attacker may use this problem to execute arbitrary commands on this host.
*** Nessus relied solely on the banner of the server to issue this warning,
*** so this alert might be a false positive.
Solution : Upgrade your ftp server software to the latest version.
Risk factor : High
CVE : CAN-2001-0249, CVE-2001-0550
BID : 2550, 3581
Nessus ID : 10821

Informational | ftp (21/tcp)
An FTP server is running on this port.
Here is its banner :
220 unknown FTP server (SunOS 5.8) ready.
Nessus ID : 10330

Informational | ftp (21/tcp)
Remote FTP server banner :
220 unknown FTP server (SunOS 5.8) ready.
Nessus ID : 10092

Vulnerability | smtp (25/tcp)
smrsh (supplied by Sendmail) is designed to prevent the execution of commands outside of the restricted environment. However, when commands are entered using either double pipes (||) or a mixture of dot and slash characters, a user may be able to bypass the checks performed by smrsh. This can lead to the execution of commands outside of the restricted environment.
Solution : upgrade to the latest version of Sendmail (or at least 8.12.8).
Risk factor : Medium
CVE : CAN-2002-1165
BID : 5845
Nessus ID : 11321

Vulnerability | smtp (25/tcp)
The remote sendmail server, according to its version number, may be vulnerable to a remote buffer overflow allowing remote users to gain root privileges.
Sendmail versions from 5.79 to 8.12.7 are vulnerable.
Solution : Upgrade to Sendmail ver 8.12.8 or greater or, if you cannot upgrade, apply patches for 8.10-12 here:
http://www.sendmail.org/patchcr.html
NOTE: manual patches do not change the version numbers. Vendors who have released patched versions of sendmail may still falsely show vulnerability.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
See http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.cert.org/advisories/CA-2003-07.html
http://www.kb.cert.org/vuls/id/398025
Risk factor : High
CVE : CAN-2002-1337
BID : 6991
Nessus ID : 11316

Vulnerability | smtp (25/tcp)
The remote sendmail server, according to its version number, may be vulnerable to a buffer overflow in its DNS handling code.
The owner of a malicious name server could use this flaw to execute arbitrary code on this host.
Solution : Upgrade to Sendmail 8.12.5
Risk factor : High
CVE : CAN-2002-0906
BID : 5122
Nessus ID : 11232

Warning | smtp (25/tcp)
The remote SMTP server responds to the EXPN and/or VRFY commands.
The EXPN command can be used to find the delivery address of mail aliases, or even the full name of the recipients, and the VRFY command may be used to check the validity of an account.
Your mailer should not allow remote users to use any of these commands, because it gives them too much information.
Solution : if you are using Sendmail, add the option
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531
Nessus ID : 10249

Warning | smtp (25/tcp)
According to the version number of the remote mail server, a local user may be able to obtain the complete mail configuration and other interesting information about the mail queue, even if they are not allowed to access that information directly, by running
sendmail -q -d0-nnnn.xxx
where nnnn & xxx are debugging levels.
If users are not allowed to process the queue (which is the default) then you are not vulnerable.
Solution : upgrade to the latest version of Sendmail, or do not allow users to process the queue (RestrictQRun option)
Risk factor : Very low / none
Note : This vulnerability is _local_ only
CVE : CAN-2001-0715
BID : 3898
Nessus ID : 11088

Informational | smtp (25/tcp)
An SMTP server is running on this port.
Here is its banner :
220 unknown ESMTP Sendmail 8.11.6+Sun/8.11.6; Tue, 15 Apr 2003 11:23:03 -0400 (EDT)
Nessus ID : 10330

Informational | smtp (25/tcp)
Remote SMTP server banner :
220 unknown ESMTP Sendmail 8.11.6+Sun/8.11.6; Tue, 15 Apr 2003 11:23:39 -0400 (EDT)
This is probably: Sendmail version 8.11.6+Sun
Nessus ID : 10263

Informational | smtp (25/tcp)
Nessus sent several emails containing the EICAR test string to the postmaster of the remote SMTP server.
The EICAR test string is a fake virus which triggers anti-virus software, in order to make sure it runs.
Nessus attempted to e-mail this string five times, with different encodings each time, in order to attempt to fool the remote anti-virus (if any).
If there is an antivirus filter, these messages should all be blocked.
*** To determine if the remote host is vulnerable, see
*** if any mail arrived to the postmaster of this host.
Solution : Install an antivirus / upgrade it
Reference : http://online.securityfocus.com/archive/1/256619
Reference : http://online.securityfocus.com/archive/1/44301
Reference : http://online.securityfocus.com/links/188
Risk factor : Low
Nessus ID : 11034

Informational | time (37/tcp)
A time server seems to be running on this port.
Nessus ID : 10330

Warning | finger (79/tcp)
The remote finger daemon accepts redirected requests. That is, users can perform requests like :
finger user@host@victim
This allows an attacker to use your computer as a relay to gather information on another network, making the other network think you are making the requests.
Solution : disable your finger daemon (comment out the finger line in /etc/inetd.conf) or install a more secure one.
Risk factor : Low
CVE : CAN-1999-0105
Nessus ID : 10073

Warning | finger (79/tcp)
The 'finger' service provides useful information to attackers, since it allows them to gain usernames, check if a machine is being used, and so on.
Risk factor : Low
Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612
Nessus ID : 10068

Informational | finger (79/tcp)
A finger server seems to be running on this port.
Nessus ID : 10330

Informational | sunrpc (111/tcp)
The RPC portmapper is running on this port.
An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port.
Risk factor : Low
CVE : CAN-1999-0632
Nessus ID : 10223

Informational | sunrpc (111/tcp)
RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port.
Nessus ID : 11111

Informational | sunrpc (111/tcp)
RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port.
Nessus ID : 11111

Informational | sunrpc (111/tcp)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port.
Nessus ID : 11111

Warning | exec (512/tcp)
The rexecd service is open.
Because rexecd does not provide any good means of authentication, it can be used by an attacker to scan a third party host, causing you trouble or bypassing your firewall.
Solution : comment out the 'exec' line in /etc/inetd.conf.
Risk factor : Medium
CVE : CAN-1999-0618
Nessus ID : 10203

Warning | login (513/tcp)
The rlogin service is running.
This service is dangerous in the sense that it is not encrypted: anyone who can sniff the traffic can read the data that passes between the rlogin client and the rlogin server. This includes logins and passwords.
You should disable this service and use OpenSSH instead (www.openssh.com).
Solution : Comment out the 'rlogin' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10205

Warning | shell (514/tcp)
The rsh service is running.
This service is dangerous in the sense that it is not encrypted: anyone who can sniff the traffic can read the data that passes between the rsh client and the rsh server. This includes logins and passwords.
You should disable this service and use ssh instead.
Solution : Comment out the 'rsh' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651
Nessus ID : 10245

Informational | printer (515/tcp)
An LPD server seems to be running on this port.
Nessus ID : 10330

Informational | uucp (540/tcp)
A UUCP server seems to be running on this port.
Nessus ID : 10330

Vulnerability | submission (587/tcp)
smrsh (supplied by Sendmail) is designed to prevent the execution of commands outside of the restricted environment. However, when commands are entered using either double pipes (||) or a mixture of dot and slash characters, a user may be able to bypass the checks performed by smrsh. This can lead to the execution of commands outside of the restricted environment.
Solution : upgrade to the latest version of Sendmail (or at least 8.12.8).
Risk factor : Medium
CVE : CAN-2002-1165
BID : 5845
Nessus ID : 11321

Vulnerability | submission (587/tcp)
The remote sendmail server, according to its version number, may be vulnerable to a remote buffer overflow allowing remote users to gain root privileges.
Sendmail versions from 5.79 to 8.12.7 are vulnerable.
Solution : Upgrade to Sendmail ver 8.12.8 or greater or, if you cannot upgrade, apply patches for 8.10-12 here:
http://www.sendmail.org/patchcr.html
NOTE: manual patches do not change the version numbers. Vendors who have released patched versions of sendmail may still falsely show vulnerability.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
See http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.cert.org/advisories/CA-2003-07.html
http://www.kb.cert.org/vuls/id/398025
Risk factor : High
CVE : CAN-2002-1337
BID : 6991
Nessus ID : 11316

Vulnerability | submission (587/tcp)
The remote sendmail server, according to its version number, may be vulnerable to a buffer overflow in its DNS handling code.
The owner of a malicious name server could use this flaw to execute arbitrary code on this host.
Solution : Upgrade to Sendmail 8.12.5
Risk factor : High
CVE : CAN-2002-0906
BID : 5122
Nessus ID : 11232

Warning | submission (587/tcp)
According to the version number of the remote mail server, a local user may be able to obtain the complete mail configuration and other interesting information about the mail queue, even if they are not allowed to access that information directly, by running
sendmail -q -d0-nnnn.xxx
where nnnn & xxx are debugging levels.
If users are not allowed to process the queue (which is the default) then you are not vulnerable.
Solution : upgrade to the latest version of Sendmail, or do not allow users to process the queue (RestrictQRun option)
Risk factor : Very low / none
Note : This vulnerability is _local_ only
CVE : CAN-2001-0715
BID : 3898
Nessus ID : 11088

Informational | submission (587/tcp)
An SMTP server is running on this port.
Here is its banner :
220 unknown ESMTP Sendmail 8.11.6+Sun/8.11.6; Tue, 15 Apr 2003 11:23:11 -0400 (EDT)
Nessus ID : 10330

Informational | submission (587/tcp)
Remote SMTP server banner :
220 unknown ESMTP Sendmail 8.11.6+Sun/8.11.6; Tue, 15 Apr 2003 11:23:47 -0400 (EDT)
This is probably: Sendmail version 8.11.6+Sun
Nessus ID : 10263

Informational | submission (587/tcp)
Nessus sent several emails containing the EICAR test string to the postmaster of the remote SMTP server.
The EICAR test string is a fake virus which triggers anti-virus software, in order to make sure it runs.
Nessus attempted to e-mail this string five times, with different encodings each time, in order to attempt to fool the remote anti-virus (if any).
If there is an antivirus filter, these messages should all be blocked.
*** To determine if the remote host is vulnerable, see
*** if any mail arrived to the postmaster of this host.
Solution : Install an antivirus / upgrade it
Reference : http://online.securityfocus.com/archive/1/256619
Reference : http://online.securityfocus.com/archive/1/44301
Reference : http://online.securityfocus.com/links/188
Risk factor : Low
Nessus ID : 11034

Vulnerability | unknown (898/tcp)
Older versions of JServ (including the version shipped with Oracle9i App Server v1.0.2) are vulnerable to a cross site scripting attack using a request for a non-existent .JSP file.
Solution : Upgrade to the latest version of JServ available at java.apache.org. Also consider switching from JServ to Tomcat, since JServ is no longer maintained.
Risk factor : Medium
Nessus ID : 10957

Warning | unknown (898/tcp)
The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Risk factor : Medium
Solutions :
Allaire/Macromedia JRun:
http://www.macromedia.com/software/jrun/download/update/
http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
Microsoft IIS:
http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
Apache:
http://httpd.apache.org/info/css-security/
ColdFusion:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
General:
http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
http://www.cert.org/advisories/CA-2000-02.html
Nessus ID : 10815

Warning | unknown (898/tcp)
Your web server supports the TRACE and/or TRACK methods. It has been shown that servers supporting these methods are subject to cross-site-scripting attacks, dubbed XST for 'Cross-Site-Tracing', when used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
Solution : Disable these methods.
If you are using Apache, add the following lines for each virtual host in your configuration file :
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
Risk factor : Medium
Nessus ID : 11213

Informational | unknown (898/tcp)
A web server is running on this port.
Nessus ID : 10330

Informational | unknown (898/tcp)
The following directories were discovered:
/help, /images, /servlet
Nessus ID : 11032