vulnerability report 2

Audit Report

FGX-201407-099 2

Audited on August 28, 2014

Reported on August 28, 2014

Audit Report

1. Executive SummaryThis report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of

your network. Access to this information by unauthorized personnel may allow them to compromise your network.

Site Name Start Time End Time Total Time Status

FGX099 Science August 28, 2014 09:10,

GMT

August 28, 2014 09:36,

GMT

25 minutes Success

There is not enough historical data to display overall asset trend.

The audit was performed on one system which was found to be active and was scanned.

There were 40 vulnerabilities found during this scan. Of these, 6 were critical vulnerabilities. Critical vulnerabilities require immediate

attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 28

vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.

There were 6 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting

subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

There were 5 occurrences of the ssl-weak-ciphers vulnerability, making it the most common vulnerability. There were 17 vulnerabilities

in the Denial of Service, HTTP and PHP categories, making them the most common vulnerability categories.

Audit Report

The imap-plaintext-auth, ftp-plaintext-auth, smtp-plaintext-auth and pop-plaintext-auth vulnerabilities pose the highest risk to the

organization with a risk score of 853. Risk scores are based on the types and numbers of vulnerabilities on affected assets.

One operating system was identified during this scan.

There were 15 services found to be running during this scan.

The DNS, DNS-TCP, FTP, HTTP, HTTPS, IMAP, IMAPS and MySQL services were found on 1 systems, making them the most

common services. The HTTPS service was found to have the most vulnerabilities during this scan with 25 vulnerabilities.

•

Page 3

Audit Report

2. Discovered Systems

Node Operating System Risk Aliases

192.169.82.178 Linux 2.6.18 14,247 server.sciencesuppliesdirect.com

•

•

•

Page 4

Audit Report

3. Discovered and Potential Vulnerabilities

3.1. Critical Vulnerabilities

3.1.1. CVE-2012-1667: Handling of zero length rdata can cause named to terminate unexpectedly (dns-bind-cve-2012-

1667)

Description:

ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not

properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service

(daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record.

Affected Nodes:

Affected Nodes: Additional Information:

192.169.82.178:53 Running DNS serviceProduct BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-

20.P1.el5_8.6Vulnerable version of product BIND found -- BIND 9.3.6-P1-

RedHat-9.3.6-20.P1.el5_8.6

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

CVE CVE-2012-1667

REDHAT RHSA-2012:1110

SECUNIA 51096

URL https://kb.isc.org/article/AA-00698/74/CVE-2012-1667%3A-Handling-of-zero-length-rdata-can-cause-

named-to-terminate-unexpectedly.html

Vulnerability Solution:

Upgrade to ISC BIND version 9.6-ESV-R7-P1

Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R7-P1/bind-9.6-ESV-R7-P1.tar.gz

Upgrade to ISC BIND version 9.6-ESV-R7-P1. The source code and binaries for this release can be downloaded from BIND website

Upgrade to ISC BIND version 9.7.6-P1

Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.6-P1/bind-9.7.6-P1.tar.gz

Upgrade to ISC BIND version 9.7.6-P1. The source code and binaries for this release can be downloaded from BIND website



http://docs.info.apple.com/article.html?artnum=61798

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667

http://rhn.redhat.com/errata/RHSA-2012-1110.html

http://secunia.com/advisories/51096/

https://kb.isc.org/article/AA-00698/74/CVE-2012-1667%3A-Handling-of-zero-length-rdata-can-cause-named-to-terminate-unexpectedly.html

https://kb.isc.org/article/AA-00698/74/CVE-2012-1667%3A-Handling-of-zero-length-rdata-can-cause-named-to-terminate-unexpectedly.html

http://ftp.isc.org/isc/bind9/9.6-ESV-R7-P1/bind-9.6-ESV-R7-P1.tar.gz


http://ftp.isc.org/isc/bind9/9.7.6-P1/bind-9.7.6-P1.tar.gz



•

Page 5

Audit Report





3.1.2. Obsolete ISC BIND installation (dns-bind-obsolete)

Description:

ISC BIND versions before 9.8 are considered obsolete. ISC will not fix security bugs in these versions (even critical ones).

It is strongly recommended that you upgrade your BIND installation to a supported version.

Affected Nodes:




RedHat-9.3.6-20.P1.el5_8.6

References:

Source Reference

URL https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html

URL https://www.isc.org/software/bind

Vulnerability Solution:Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.10.1b2/bind-9.10.1b2.tar.gz

The latest version of BIND is version 9.10.1b2.

3.1.3. CVE-2012-4244: A specially crafted Resource Record could cause named to terminate (dns-bind-cve-2012-4244)

Description:

ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows

remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record.

Affected Nodes:







https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html

https://www.isc.org/software/bind

http://ftp.isc.org/isc/bind9/9.10.1b2/bind-9.10.1b2.tar.gz

•

•

•

•

•

Page 6

Audit Report


RedHat-9.3.6-20.P1.el5_8.6

References:

Source Reference


CVE CVE-2012-4244

DEBIAN DSA-2547





SECUNIA 50560

SECUNIA 50579

SECUNIA 50582

SECUNIA 50645

SECUNIA 50673

SECUNIA 51096

URL https://kb.isc.org/article/AA-00778/74/CVE-2012-4244%3A-A-specially-crafted-Resource-Record-could-

cause-named-to-terminate.html





Upgrade to ISC BIND version 9.6-ESV-R8

Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R8/bind-9.6-ESV-R8.tar.gz

Upgrade to ISC BIND version 9.6-ESV-R8. The source code and binaries for this release can be downloaded from BIND website




Upgrade to ISC BIND version 9.7.7

Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.7/bind-9.7.7.tar.gz

Upgrade to ISC BIND version 9.7.7. The source code and binaries for this release can be downloaded from BIND website





http://www.debian.org/security/dsa-2547











https://kb.isc.org/article/AA-00778/74/CVE-2012-4244%3A-A-specially-crafted-Resource-Record-could-cause-named-to-terminate.html

https://kb.isc.org/article/AA-00778/74/CVE-2012-4244%3A-A-specially-crafted-Resource-Record-could-cause-named-to-terminate.html



http://ftp.isc.org/isc/bind9/9.6-ESV-R8/bind-9.6-ESV-R8.tar.gz




http://ftp.isc.org/isc/bind9/9.7.7/bind-9.7.7.tar.gz



•

•

•

Page 7

Audit Report











3.1.4. CVE-2012-5166: Specially crafted DNS data can cause a lockup in named (dns-bind-cve-2012-5166)

Description:

ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows

remote attackers to cause a denial of service (named daemon hang) via unspecified combinations of resource records.

Affected Nodes:




RedHat-9.3.6-20.P1.el5_8.6

References:

Source Reference


BID 55852

CVE CVE-2012-5166

DEBIAN DSA-2560

OSVDB 86118

OVAL OVAL19706












http://www.securityfocus.com/bid/55852



http://www.osvdb.org/86118

http://oval.mitre.org/oval/definitions/data/OVAL19706.html




•

•

•

•

•

•

•

Page 8

Audit Report

Source Reference

SECUNIA 50903

SECUNIA 50909

SECUNIA 50956

SECUNIA 51054

SECUNIA 51078

SECUNIA 51096

SECUNIA 51106

SECUNIA 51178

URL https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-

lockup-in-named.html































https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-lockup-in-named.html

https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-lockup-in-named.html















•

Page 9

Audit Report




3.1.5. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability (openssh-x11-cookie-auth-bypass)

Description:

ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie

instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.

Affected Nodes:


192.169.82.178:22 OpenBSD OpenSSH 4.3 on Linux 2.6.18

References:

Source Reference

APPLE APPLE-SA-2008-03-18

BID 25628

CVE CVE-2007-4752

DEBIAN DSA-1576

DISA_SEVERITY Category II

DISA_VMSKEY V0017144

IAVM 2008-T-0046

OVAL OVAL10809

OVAL OVAL5599


SECUNIA 27399

SECUNIA 29420

SECUNIA 30249

SECUNIA 31575

SECUNIA 32241

XF 36637

Vulnerability Solution:OpenBSD OpenSSH < 4.7







http://iase.disa.mil/stigs/iavm-cve.html











http://xforce.iss.net/xforce/xfdb/36637

•

•

Page 10

Audit Report

Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH

While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.

These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the

packages if they are available for your operating system.

3.1.6. PHP Vulnerability: CVE-2014-3515 (php-cve-2014-3515)

Description:

The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array

data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a

Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.

Affected Nodes:


192.169.82.178:443 Running HTTPS serviceProduct HTTPD exists -- Apache HTTPDVulnerable

version of component PHP found -- PHP 5.3.28

References:

Source Reference

CVE CVE-2014-3515

SECUNIA 59794

SECUNIA 59831


Upgrade to PHP version 5.4.30

Download and apply the upgrade from: http://www.php.net/releases/



3.2. Severe Vulnerabilities

3.2.1. FTP credentials transmitted unencrypted (ftp-plaintext-auth)

Description:

The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to

intercept traffic between a client and this server, the credentials would be exposed.

Affected Nodes:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH

http://www.openssh.com/portable.html




http://www.php.net/releases/


Audit Report


192.169.82.178:21 Running FTP serviceConfiguration item ftp.plaintext.authentication set to 'true'

matched

References:None

Vulnerability Solution: Disable plaintext authentication methods or enable encryption for the FTP service. Refer to the software's documentation for specific

instructions.

3.2.2. IMAP credentials transmitted unencrypted (imap-plaintext-auth)

Description:

The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to


Affected Nodes:


192.169.82.178:143 Running IMAP serviceConfiguration item imap.plaintext.authentication set to

'true' matched

References:None

Vulnerability Solution: Follow the product-specific documentation to disable plaintext authentication methods for the IMAP service.


Description:

Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by

specifying a session ID.

Affected Nodes:




•

•

Page 12

Audit Report

References:

Source Reference

CVE CVE-2011-4718

Vulnerability Solution:Download and apply the upgrade from: http://www.php.net/releases/


Description:

sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions

for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-0185






3.2.5. POP credentials transmitted unencrypted (pop-plaintext-auth)

Description:

The server supports authentication methods where credentials are sent in plaintext over unencrypted channels. If an attacker can


Affected Nodes:


192.169.82.178:110 Running POP serviceConfiguration item pop.plaintext.authentication set to 'true'

matched






Audit Report

References:None

Vulnerability Solution: Follow the product-specific documentation to disable plaintext authentication methods for the POP service.

3.2.6. SMTP credentials transmitted unencrypted (smtp-plaintext-auth)

Description:

The server supports authentication methods where credentials are sent in plaintext over unencrypted channels. If an attacker can


Affected Nodes:


192.169.82.178:25 Running SMTP serviceConfiguration item smtp.plaintext.authentication set to

'true' matched

192.169.82.178:587 Running SMTP serviceConfiguration item smtp.plaintext.authentication set to

'true' matched

References:None

Vulnerability Solution: Follow the product-specific documentation to disable plaintext authentication methods for the SMTP service.

3.2.7. OpenSSH X11 Forwarding Information Disclosure Vulnerability (ssh-openssh-x11-forwarding-info-disclosure)

Description:

OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to

:10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a

cookie sent by Emacs.

Affected Nodes:



References:

Source Reference

APPLE APPLE-SA-2008-09-15


Audit Report

Source Reference

BID 28444

CERT TA08-260A

CVE CVE-2008-1483

DEBIAN DSA-1576

NETBSD NetBSD-SA2008-005

OVAL OVAL6085

SECUNIA 29522

SECUNIA 29537

SECUNIA 29554

SECUNIA 29626

SECUNIA 29676

SECUNIA 29683

SECUNIA 29686

SECUNIA 29721

SECUNIA 29735

SECUNIA 29873

SECUNIA 29939

SECUNIA 30086

SECUNIA 30230

SECUNIA 30249

SECUNIA 30347

SECUNIA 30361

SECUNIA 31531

SECUNIA 31882

XF 41438

Vulnerability Solution:Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH

The latest version of OpenSSH is 6.6.




3.2.8. CVE-2010-3614: Key algorithm rollover bug in bind9 (dns-bind-cve-2010-3614)

Description:


http://www.us-cert.gov/cas/techalerts/TA08-260A.html



ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-005.txt.asc























•

•

•

Page 15

Audit Report

named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not

properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to

cause a denial of service (DNSSEC validation error) by triggering a rollover.

Affected Nodes:




RedHat-9.3.6-20.P1.el5_8.6

References:

Source Reference


BID 45137

CERT-VN 837744

CVE CVE-2010-3614

DEBIAN DSA-2130

OSVDB 69559



SECUNIA 42435

SECUNIA 42459

SECUNIA 42522

SECUNIA 42671

URL https://kb.isc.org/article/AA-00936/187/CVE-2010-3614%3A-Key-algorithm-rollover-bug-in-bind9.html













http://www.kb.cert.org/vuls/id/837744










https://kb.isc.org/article/AA-00936/187/CVE-2010-3614%3A-Key-algorithm-rollover-bug-in-bind9.html







•

•

•

•

Page 16

Audit Report




3.2.9. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)

Description:

The TLS/SSL server supports cipher suites based on weak algorithms. This may enable an attacker to launch man-in-the-middle

attacks and monitor or tamper with sensitive data. In general, the following ciphers are considered weak:

So called "null" ciphers, because they do not encrypt data.

Export ciphers using secret key lengths restricted to 40 bits. This is usually indicated by the word EXP/EXPORT in the name of the

cipher suite.

Obsolete encryption algorithms with secret key lengths considered short by today's standards, eg. DES or RC4 with 56-bit keys.

Affected Nodes:


192.169.82.178:443 Negotiated with the following insecure cipher suites. SSLv3 ciphers:

SSL_RSA_WITH_RC4_128_SHA


SSL_RSA_WITH_RC4_128_SHA


SSL_CK_RC4_128_WITH_MD5SSL_CK_RC4_128_EXPORT40_WITH_MD5

SSL_CK_RC2_128_CBC_WITH_MD5

SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5

SSL_CK_DES_64_CBC_WITH_MD5

SSL_CK_DES_192_EDE3_CBC_WITH_MD5SSLv3 ciphers:

SSL_RSA_WITH_RC4_128_SHASSL_RSA_EXPORT_WITH_RC4_40_MD5

SSL_RSA_WITH_DES_CBC_SHA

SSL_RSA_EXPORT_WITH_DES40_CBC_SHA













•

•

•

•

•

Page 17

Audit Report










References:None

Vulnerability Solution:Configure the server to disable support for weak ciphers.

For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling weak ciphers.

For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:

SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For other servers, refer to the respective vendor documentation to disable the weak ciphers

3.2.10. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)

Description:

Although the server accepts clients using TLS or SSLv3, it also accepts clients using SSLv2. SSLv2 is an older implementation of the

Secure Sockets Layer protocol. It suffers from a number of security flaws allowing attackers to capture and alter information passed

between a client and the server, including the following weaknesses:

No protection from against man-in-the-middle attacks during the handshake.

Weak MAC construction and MAC relying solely on the MD5 hash function.

Exportable cipher suites unnecessarily weaken the MACs

Same cryptographic keys used for message authentication and encryption.

Vulnerable to truncation attacks by forged TCP FIN packets

SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor SSLv3 meet the U.S. FIPS 140-2 standard,

which governs cryptographic modules for use in federal information systems. Only the newer TLS (Transport Layer Security) protocol

meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a host is deemed a failure by the PCI (Payment

Card Industry) Data Security Standard.

Note that this vulnerability will be reported when the remote server supports SSLv2 regardless of whether TLS or SSLv3 are also

supported.

Affected Nodes:


192.169.82.178:2083 SSLv2 is supported

http://support.microsoft.com/kb/245030/

•

•

Page 18

Audit Report




References:

Source Reference

URL http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm

URL https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf


Apache HTTPD

Disable SSLv2 protocol support in Apache HTTPD

For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2

The ! (exclamation point) before SSLv2 is what disables this protocol.

Windows

Disable SSLv2 protocol support in Microsoft Windows

Configure the server to require clients to use at least SSLv3 or TLS.

For Microsoft Windows before Windows 2003, see KB187498. For newer versions of Microsoft Windows, see KB245030.

3.2.11. Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)

Description:

The server's TLS/SSL certificate is signed by a Certification Authority (CA) that is not a well-known, trusted one. It could indicate that a

TLS/SSL man-in-the-middle is taking place and is eavesdropping on TLS/SSL connections.

Affected Nodes:


192.169.82.178:25 TLS/SSL certificate signed by unknown, untrusted CA: CN=thawte EV SSL CA -

G2, O="thawte, Inc.", C=US -- Path does not chain with any of the trust anchors.

The list of well-known, trusted CAs is:CN=DigiCert Assured ID Root

CA,OU=www.digicert.com,O=DigiCert Inc,C=USCN=TC TrustCenter Class 2

CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE

1.2.840.113549.1.9.1=#16197072656d69756d2d736572766572407468617774

652e636f6d,CN=Thawte Premium Server CA,OU=Certification Services

Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA

CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CHCN=SwissSign Silver

CA - G2,O=SwissSign AG,C=CH

1.2.840.113549.1.9.1=#16177365727665722d6365727473407468617774652e

http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm

https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf

http://support.microsoft.com/kb/187498


Audit Report


636f6d,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte

Consulting cc,L=Cape Town,ST=Western Cape,C=ZACN=Equifax Secure

eBusiness CA-1,O=Equifax Secure Inc.,C=USCN=UTN-USERFirst-Client

Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST

Network,L=Salt Lake City,ST=UT,C=US

1.2.840.113549.1.9.1=#161c706572736f6e616c2d667265656d61696c4074686

17774652e636f6d,CN=Thawte Personal Freemail CA,OU=Certification Services

Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA

CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust\,

Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust\,

Inc.,C=USCN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The

USERTRUST Network,L=Salt Lake City,ST=UT,C=USCN=Certum

CA,O=Unizeto Sp. z o.o.,C=PLCN=AddTrust Class 1 CA Root,OU=AddTrust

TTP Network,O=AddTrust AB,C=SECN=Entrust Root Certification Authority -

G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See

www.entrust.net/legal-terms,O=Entrust\, Inc.,C=USOU=Equifax Secure

Certificate Authority,O=Equifax,C=USCN=QuoVadis Root CA 3,O=QuoVadis

Limited,C=BMCN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert

Inc,C=US

1.2.840.113549.1.9.1=#1611696e666f4076616c69636572742e636f6d,CN=http:

//www.valicert.com/,OU=ValiCert Class 1 Policy Validation

Authority,O=ValiCert\, Inc.,L=ValiCert Validation NetworkCN=Equifax Secure

Global eBusiness CA-1,O=Equifax Secure Inc.,C=USCN=GeoTrust Universal

CA,O=GeoTrust Inc.,C=USOU=Class 3 Public Primary Certification

Authority,O=VeriSign\, Inc.,C=USCN=thawte Primary Root CA - G3,OU=(c)

2008 thawte\, Inc. - For authorized use only,OU=Certification Services

Division,O=thawte\, Inc.,C=USCN=thawte Primary Root CA - G2,OU=(c) 2007

thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=USCN=Deutsche

Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom

AG,C=DECN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The

USERTRUST Network,L=Salt Lake City,ST=UT,C=USCN=GeoTrust Primary

Certification Authority,O=GeoTrust Inc.,C=USCN=Baltimore CyberTrust Code

Signing Root,OU=CyberTrust,O=Baltimore,C=IEOU=Class 1 Public Primary

Certification Authority,O=VeriSign\, Inc.,C=USCN=Baltimore CyberTrust

Root,OU=CyberTrust,O=Baltimore,C=IEOU=Starfield Class 2 Certification

Authority,O=Starfield Technologies\, Inc.,C=USCN=Chambers of Commerce

Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF

A82743287,C=EUCN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust

Center,O=T-Systems Enterprise Services GmbH,C=DECN=VeriSign Class 3

Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For

authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=USCN=T-

TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems

Enterprise Services GmbH,C=DECN=TC TrustCenter Universal CA I,OU=TC

TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DECN=VeriSign Class 3


authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US

Audit Report


CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU=(c) 1999

VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust

Network,O=VeriSign\, Inc.,C=USCN=Class 3P Primary CA,O=Certplus,C=FR

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto

Technologies S.A.,C=PLOU=VeriSign Trust Network,OU=(c) 1998 VeriSign\,

Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority

- G2,O=VeriSign\, Inc.,C=USCN=GlobalSign,O=GlobalSign,OU=GlobalSign

Root CA - R3CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The

USERTRUST Network,L=Salt Lake City,ST=UT,C=USOU=Security

Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JPCN=GTE

CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE

Corporation,C=USOU=Security Communication RootCA1,O=SECOM

Trust.net,C=JPCN=TC TrustCenter Class 4 CA II,OU=TC TrustCenter Class 4

CA,O=TC TrustCenter GmbH,C=DECN=VeriSign Universal Root Certification

Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign

Trust Network,O=VeriSign\, Inc.,C=US

CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2CN=Class 2

Primary CA,O=Certplus,C=FRCN=DigiCert Global Root

CA,OU=www.digicert.com,O=DigiCert Inc,C=USCN=GlobalSign Root

CA,OU=Root CA,O=GlobalSign nv-sa,C=BECN=thawte Primary Root

CA,OU=(c) 2006 thawte\, Inc. - For authorized use only,OU=Certification

Services Division,O=thawte\, Inc.,C=USCN=GeoTrust Global CA,O=GeoTrust

Inc.,C=USCN=Sonera Class2 CA,O=Sonera,C=FICN=Thawte Timestamping

CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

CN=Sonera Class1 CA,O=Sonera,C=FICN=QuoVadis Root Certification

Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM

1.2.840.113549.1.9.1=#1611696e666f4076616c69636572742e636f6d,CN=http:


Authority,O=ValiCert\, Inc.,L=ValiCert Validation NetworkCN=AAA Certificate

Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust

AB,C=SECN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR

CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US

CN=AddTrust External CA Root,OU=AddTrust External TTP

Network,O=AddTrust AB,C=SECN=VeriSign Class 2 Public Primary

Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use

only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=USCN=America Online

Root Certification Authority 1,O=America Online Inc.,C=USOU=VeriSign Trust

Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 2

Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US

CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. -

For authorized use only,O=GeoTrust Inc.,C=USCN=GeoTrust Primary

Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use

only,O=GeoTrust Inc.,C=USCN=SwissSign Gold CA - G2,O=SwissSign

AG,C=CHCN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net

Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits

liab.),O=Entrust.netCN=GTE CyberTrust Root 5,OU=GTE CyberTrust

Audit Report


Solutions\, Inc.,O=GTE Corporation,C=USCN=Global Chambersign Root -

2008,O=AC Camerfirma S.A.,2.5.4.5=#1309413832373433323837,L=Madrid

(see current address at www.camerfirma.com/address),C=EUCN=Chambers of

Commerce Root - 2008,O=AC Camerfirma

S.A.,2.5.4.5=#1309413832373433323837,L=Madrid (see current address at

www.camerfirma.com/address),C=EUCN=Entrust.net Secure Server

Certification Authority,OU=(c) 1999 Entrust.net

Limited,OU=www.entrust.net/CPS incorp. by ref. (limits

liab.),O=Entrust.net,C=USOU=Go Daddy Class 2 Certification Authority,O=The

Go Daddy Group\, Inc.,C=USCN=VeriSign Class 1 Public Primary Certification

Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use

only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=USOU=Security

Communication EV RootCA1,O=SECOM Trust Systems CO.\,LTD.,C=JP

OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use

only,OU=Class 1 Public Primary Certification Authority - G2,O=VeriSign\,

Inc.,C=US

192.169.82.178:587 TLS/SSL certificate signed by unknown, untrusted CA: CN=thawte EV SSL CA -

G2, O="thawte, Inc.", C=US -- Path does not chain with any of the trust anchors.

The list of well-known, trusted CAs is:CN=DigiCert Assured ID Root

CA,OU=www.digicert.com,O=DigiCert Inc,C=USCN=TC TrustCenter Class 2

CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE

1.2.840.113549.1.9.1=#16197072656d69756d2d736572766572407468617774

652e636f6d,CN=Thawte Premium Server CA,OU=Certification Services

Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA

CN=SwissSign Platinum CA - G2,O=SwissSign AG,C=CHCN=SwissSign Silver

CA - G2,O=SwissSign AG,C=CH

1.2.840.113549.1.9.1=#16177365727665722d6365727473407468617774652e

636f6d,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte

Consulting cc,L=Cape Town,ST=Western Cape,C=ZACN=Equifax Secure

eBusiness CA-1,O=Equifax Secure Inc.,C=USCN=UTN-USERFirst-Client

Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST

Network,L=Salt Lake City,ST=UT,C=US

1.2.840.113549.1.9.1=#161c706572736f6e616c2d667265656d61696c4074686

17774652e636f6d,CN=Thawte Personal Freemail CA,OU=Certification Services

Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA

CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust\,

Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust\,

Inc.,C=USCN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The

USERTRUST Network,L=Salt Lake City,ST=UT,C=USCN=Certum

CA,O=Unizeto Sp. z o.o.,C=PLCN=AddTrust Class 1 CA Root,OU=AddTrust

TTP Network,O=AddTrust AB,C=SECN=Entrust Root Certification Authority -

G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See

www.entrust.net/legal-terms,O=Entrust\, Inc.,C=USOU=Equifax Secure

Certificate Authority,O=Equifax,C=USCN=QuoVadis Root CA 3,O=QuoVadis

Limited,C=BMCN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert

Inc,C=US

Audit Report


1.2.840.113549.1.9.1=#1611696e666f4076616c69636572742e636f6d,CN=http:


Authority,O=ValiCert\, Inc.,L=ValiCert Validation NetworkCN=Equifax Secure

Global eBusiness CA-1,O=Equifax Secure Inc.,C=USCN=GeoTrust Universal

CA,O=GeoTrust Inc.,C=USOU=Class 3 Public Primary Certification

Authority,O=VeriSign\, Inc.,C=USCN=thawte Primary Root CA - G3,OU=(c)

2008 thawte\, Inc. - For authorized use only,OU=Certification Services

Division,O=thawte\, Inc.,C=USCN=thawte Primary Root CA - G2,OU=(c) 2007

thawte\, Inc. - For authorized use only,O=thawte\, Inc.,C=USCN=Deutsche

Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom

AG,C=DECN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The

USERTRUST Network,L=Salt Lake City,ST=UT,C=USCN=GeoTrust Primary

Certification Authority,O=GeoTrust Inc.,C=USCN=Baltimore CyberTrust Code

Signing Root,OU=CyberTrust,O=Baltimore,C=IEOU=Class 1 Public Primary

Certification Authority,O=VeriSign\, Inc.,C=USCN=Baltimore CyberTrust

Root,OU=CyberTrust,O=Baltimore,C=IEOU=Starfield Class 2 Certification

Authority,O=Starfield Technologies\, Inc.,C=USCN=Chambers of Commerce

Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF

A82743287,C=EUCN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust

Center,O=T-Systems Enterprise Services GmbH,C=DECN=VeriSign Class 3


authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=USCN=T-

TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems

Enterprise Services GmbH,C=DECN=TC TrustCenter Universal CA I,OU=TC

TrustCenter Universal CA,O=TC TrustCenter GmbH,C=DECN=VeriSign Class 3


authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US

CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU=(c) 1999

VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust

Network,O=VeriSign\, Inc.,C=USCN=Class 3P Primary CA,O=Certplus,C=FR

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto

Technologies S.A.,C=PLOU=VeriSign Trust Network,OU=(c) 1998 VeriSign\,

Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority

- G2,O=VeriSign\, Inc.,C=USCN=GlobalSign,O=GlobalSign,OU=GlobalSign

Root CA - R3CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The

USERTRUST Network,L=Salt Lake City,ST=UT,C=USOU=Security

Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JPCN=GTE

CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE

Corporation,C=USOU=Security Communication RootCA1,O=SECOM

Trust.net,C=JPCN=TC TrustCenter Class 4 CA II,OU=TC TrustCenter Class 4

CA,O=TC TrustCenter GmbH,C=DECN=VeriSign Universal Root Certification

Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign

Trust Network,O=VeriSign\, Inc.,C=US

CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2CN=Class 2

Primary CA,O=Certplus,C=FRCN=DigiCert Global Root

CA,OU=www.digicert.com,O=DigiCert Inc,C=USCN=GlobalSign Root

CA,OU=Root CA,O=GlobalSign nv-sa,C=BECN=thawte Primary Root

Audit Report


CA,OU=(c) 2006 thawte\, Inc. - For authorized use only,OU=Certification

Services Division,O=thawte\, Inc.,C=USCN=GeoTrust Global CA,O=GeoTrust

Inc.,C=USCN=Sonera Class2 CA,O=Sonera,C=FICN=Thawte Timestamping

CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

CN=Sonera Class1 CA,O=Sonera,C=FICN=QuoVadis Root Certification

Authority,OU=Root Certification Authority,O=QuoVadis Limited,C=BM

1.2.840.113549.1.9.1=#1611696e666f4076616c69636572742e636f6d,CN=http:


Authority,O=ValiCert\, Inc.,L=ValiCert Validation NetworkCN=AAA Certificate

Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB

CN=AddTrust Qualified CA Root,OU=AddTrust TTP Network,O=AddTrust

AB,C=SECN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR

CN=America Online Root Certification Authority 2,O=America Online Inc.,C=US

CN=AddTrust External CA Root,OU=AddTrust External TTP

Network,O=AddTrust AB,C=SECN=VeriSign Class 2 Public Primary

Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use

only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=USCN=America Online

Root Certification Authority 1,O=America Online Inc.,C=USOU=VeriSign Trust

Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 2

Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US

CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. -

For authorized use only,O=GeoTrust Inc.,C=USCN=GeoTrust Primary

Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use

only,O=GeoTrust Inc.,C=USCN=SwissSign Gold CA - G2,O=SwissSign

AG,C=CHCN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net

Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits

liab.),O=Entrust.netCN=GTE CyberTrust Root 5,OU=GTE CyberTrust

Solutions\, Inc.,O=GTE Corporation,C=USCN=Global Chambersign Root -

2008,O=AC Camerfirma S.A.,2.5.4.5=#1309413832373433323837,L=Madrid

(see current address at www.camerfirma.com/address),C=EUCN=Chambers of

Commerce Root - 2008,O=AC Camerfirma

S.A.,2.5.4.5=#1309413832373433323837,L=Madrid (see current address at

www.camerfirma.com/address),C=EUCN=Entrust.net Secure Server

Certification Authority,OU=(c) 1999 Entrust.net

Limited,OU=www.entrust.net/CPS incorp. by ref. (limits

liab.),O=Entrust.net,C=USOU=Go Daddy Class 2 Certification Authority,O=The

Go Daddy Group\, Inc.,C=USCN=VeriSign Class 1 Public Primary Certification

Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use

only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=USOU=Security

Communication EV RootCA1,O=SECOM Trust Systems CO.\,LTD.,C=JP

OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use

only,OU=Class 1 Public Primary Certification Authority - G2,O=VeriSign\,

Inc.,C=US

References:None

Audit Report

Vulnerability Solution: Obtain a new certificate signed by a trusted CA, such as Thawte or Verisign.

The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate

a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. After you have

received a new certificate file from the Certificate Authority, you will have to install it on the TLS/SSL server. The exact instructions for

installing a certificate differ for each product. Follow their documentation.

3.2.12. Database Open Access (database-open-access)

Description:

The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because

databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a

violation of PCI DSS section 1.3.7 to have databases listening on ports accessible from the Internet, even when protected with secure

authentication mechanisms.

Affected Nodes:


192.169.82.178:3306 Running MySQL service

References:

Source Reference

URL https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

Vulnerability Solution: Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the

database in an internal network zone, segregated from the DMZ

3.2.13. CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c (dns-bind-cve-2011-4313)

Description:

query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0

through 9.8.1, and 9.9.0a1 through 9.9.0b1 allows remote attackers to cause a denial of service (assertion failure and named exit) via

unknown vectors related to recursive DNS queries, error logging, and the caching of an invalid record by the resolver.

Affected Nodes:




RedHat-9.3.6-20.P1.el5_8.6

http://www.thawte.com

http://www.verisign.com

https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

•

•

•

•

•

•

Page 25

Audit Report

References:

Source Reference


BID 50690

CERT-VN 606539

CVE CVE-2011-4313

DEBIAN DSA-2347

OSVDB 77159

OVAL OVAL14343




SECUNIA 46536

SECUNIA 46829

SECUNIA 46887

SECUNIA 46890

SECUNIA 46905

SECUNIA 46906

SECUNIA 46943

SECUNIA 46984

SECUNIA 47043

SECUNIA 47075

URL https://kb.isc.org/article/AA-00544/74/CVE-2011-4313%3A-BIND-9-Resolver-crashes-after-logging-an-

error-in-query.c.html

XF 71332


Apply patch to mitigate BIND 9 resolver crash

Patches mitigating this issue are available at:

https://www.isc.org/software/bind/981-p1


https://www.isc.org/software/bind/96-esv-r5-p1

























https://kb.isc.org/article/AA-00544/74/CVE-2011-4313%3A-BIND-9-Resolver-crashes-after-logging-an-error-in-query.c.html

https://kb.isc.org/article/AA-00544/74/CVE-2011-4313%3A-BIND-9-Resolver-crashes-after-logging-an-error-in-query.c.html








•

•

•

•

•

Page 26

Audit Report











Description:

The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote

attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-0237

URL http://www.php.net/ChangeLog-5.php

URL https://bugs.php.net/bug.php?id=67328







Description:








http://www.php.net/ChangeLog-5.php

https://bugs.php.net/bug.php?id=67328



•

•

Page 27

Audit Report

The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote

attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too

long.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-0238

URL http://www.php.net/ChangeLog-5.php

URL https://bugs.php.net/bug.php?id=67327







Description:

Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and

5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a

FILE_PSTRING conversion.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-3478

SECUNIA 59794


http://www.php.net/ChangeLog-5.php

https://bugs.php.net/bug.php?id=67327





•

•

•

•

Page 28

Audit Report

Source Reference

SECUNIA 59831







Description:

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to

cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting

environments.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-4670

SECUNIA 59831







Description:

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to

cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-

hosting environments.








•

•

Page 29

Audit Report

Affected Nodes:




References:

Source Reference

CVE CVE-2014-4698

SECUNIA 59831






3.2.19. TCP Sequence Number Approximation Vulnerability (tcp-seq-num-approximation)

Description:

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service

(connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived

connections, such as BGP.

Affected Nodes:


192.169.82.178 TCP reset with incorrect sequence number triggered this fault on

192.169.82.178:465: Connection reset by peer

References:

Source Reference

BID 10183

CERT TA04-111A

CERT-VN 415294

CVE CVE-2004-0230

MS MS05-019

MS MS06-064










http://technet.microsoft.com/security/bulletin/MS05-019



•

•

•

•

•

•

Page 30

Audit Report

Source Reference

OSVDB 4030

OVAL OVAL2689

OVAL OVAL270

OVAL OVAL3508

OVAL OVAL4791

OVAL OVAL5711

SECUNIA 11440

SECUNIA 11458

SECUNIA 22341

SGI 20040403-01-A

URL ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc

URL http://tools.ietf.org/html/draft-ietf-tcpm-tcpsecure-12

URL http://www.uniras.gov.uk/vuls/2004/236929/index.htm

XF 15886


Enable TCP MD5 Signatures

Enable the TCP MD5 signature option as documented in RFC 2385. It was designed to reduce the danger from certain security

attacks on BGP, such as TCP resets.

Microsoft Windows 2000 SP4 OR SP3 (x86), Microsoft Windows 2000 Professional SP4 OR SP3 (x86), Microsoft Windows 2000

Server SP4 OR SP3 (x86), Microsoft Windows 2000 Advanced Server SP4 OR SP3 (x86), Microsoft Windows 2000 Datacenter Server

SP4 OR SP3 (x86)

MS05-019: Security Update for Windows 2000 (KB893066)

Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=36661

Microsoft Windows Server 2003 < SP1 (x86), Microsoft Windows Server 2003, Standard Edition < SP1 (x86), Microsoft Windows

Server 2003, Enterprise Edition < SP1 (x86), Microsoft Windows Server 2003, Datacenter Edition < SP1 (x86), Microsoft Windows

Server 2003, Web Edition < SP1 (x86), Microsoft Windows Small Business Server 2003 < SP1 (x86)

MS05-019: Security Update for Windows Server 2003 (KB893066)


Microsoft Windows XP Professional SP2 OR SP1 (x86), Microsoft Windows XP Home SP2 OR SP1 (x86)

MS05-019: Security Update for Windows XP (KB893066)


Microsoft Windows XP Professional SP1 OR SP2 (x86), Microsoft Windows XP Home SP1 OR SP2 (x86)

MS06-064: Security Update for Windows XP (KB922819)


Microsoft Windows Server 2003 SP1 (x86_64), Microsoft Windows Server 2003, Standard Edition SP1 (x86_64), Microsoft Windows

Server 2003, Enterprise Edition SP1 (x86_64), Microsoft Windows Server 2003, Datacenter Edition SP1 (x86_64), Microsoft Windows










ftp://patches.sgi.com/support/free/security/advisories/20040403-01-A


http://tools.ietf.org/html/draft-ietf-tcpm-tcpsecure-12

http://www.uniras.gov.uk/vuls/2004/236929/index.htm


http://www.ietf.org/rfc/rfc2385.txt

http://go.microsoft.com/fwlink/?LinkId=36661




•

•

•

•

Page 31

Audit Report

Server 2003, Web Edition SP1 (x86_64), Microsoft Windows Small Business Server 2003 SP1 (x86_64)

MS06-064: Security Update for Windows Server 2003 x64 Edition (KB922819)


Microsoft Windows XP Professional SP1 (x86_64)

MS06-064: Security Update for Windows XP x64 Edition (KB922819)


Microsoft Windows Server 2003 SP1 OR < SP1 (ia64), Microsoft Windows Server 2003, Standard Edition SP1 OR < SP1 (ia64),

Microsoft Windows Server 2003, Enterprise Edition SP1 OR < SP1 (ia64), Microsoft Windows Server 2003, Datacenter Edition SP1

OR < SP1 (ia64), Microsoft Windows Server 2003, Web Edition SP1 OR < SP1 (ia64), Microsoft Windows Small Business Server 2003

SP1 OR < SP1 (ia64)

MS06-064: Security Update for Windows Server 2003 for Itanium-based Systems (KB922819)


Microsoft Windows Server 2003 SP1 OR < SP1 (x86), Microsoft Windows Server 2003, Standard Edition SP1 OR < SP1 (x86),

Microsoft Windows Server 2003, Enterprise Edition SP1 OR < SP1 (x86), Microsoft Windows Server 2003, Datacenter Edition SP1 OR

< SP1 (x86), Microsoft Windows Server 2003, Web Edition SP1 OR < SP1 (x86), Microsoft Windows Small Business Server 2003 SP1

OR < SP1 (x86)

MS06-064: Security Update for Windows Server 2003 (KB922819)


Locate and fix vulnerable traffic inspection devices along the route to the target

In many situations, target systems are, by themselves, patched or otherwise unaffected by this vulnerability. In certain configurations,

however, unaffected systems can be made vulnerable if the path between an attacker and the target system contains an affected and

unpatched network device such as a firewall or router and that device is responsible for handling TCP connections for the target. In this

case, locate and apply remediation steps for network devices along the route that are affected.

3.2.20. CVE-2010-3613: cache incorrectly allows a ncache entry and a rrsig for the same type (dns-bind-cve-2010-3613)

Description:

named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the

combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a

denial of service (daemon crash) via a query for cached data.

Affected Nodes:




RedHat-9.3.6-20.P1.el5_8.6

References:

Source Reference





•

•

•

Page 32

Audit Report

Source Reference


BID 45133

CERT-VN 706148

CVE CVE-2010-3613

DEBIAN DSA-2130


OSVDB 69558

OVAL OVAL12601




SECUNIA 42374

SECUNIA 42459

SECUNIA 42522

SECUNIA 42671

SECUNIA 42707

SECUNIA 43141

URL https://kb.isc.org/article/AA-00938/187/CVE-2010-3613%3A-cache-incorrectly-allows-a-ncache-entry-and-

a-rrsig-for-the-same-type.html











3.2.21. CVE-2009-0696: BIND Dynamic Update DoS (dns-bind-remote-dynamic-update-message-dos)

Description:


















https://kb.isc.org/article/AA-00938/187/CVE-2010-3613%3A-cache-incorrectly-allows-a-ncache-entry-and-a-rrsig-for-the-same-type.html

https://kb.isc.org/article/AA-00938/187/CVE-2010-3613%3A-cache-incorrectly-allows-a-ncache-entry-and-a-rrsig-for-the-same-type.html







•

Page 33

Audit Report

The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1,

when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an

ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.

Affected Nodes:




RedHat-9.3.6-20.P1.el5_8.6

References:

Source Reference

CERT-VN 725188

CVE CVE-2009-0696


OVAL OVAL10414

OVAL OVAL12245

OVAL OVAL7806

SECUNIA 36035

SECUNIA 36038

SECUNIA 36050

SECUNIA 36053

SECUNIA 36056

SECUNIA 36063

SECUNIA 36086

SECUNIA 36098

SECUNIA 36192

SECUNIA 37471

SECUNIA 39334

URL https://kb.isc.org/article/AA-00926/187/CVE-2009-0696%3A-BIND-Dynamic-Update-DoS.html






















https://kb.isc.org/article/AA-00926/187/CVE-2009-0696%3A-BIND-Dynamic-Update-DoS.html



•

•

•

•

Page 34

Audit Report








Description:

The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka

carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted

URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and

Google Chrome.

Affected Nodes:




References:

Source Reference

CVE CVE-2011-1398


SECUNIA 55078






3.2.23. PHP Fixed possible attack in SSL sockets with SSL 3.0 / TLS 1.0 (php-cve-2011-3389)

Description:

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google

Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-

middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in










Audit Report

conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight

WebClient API, aka a "BEAST" attack.

Affected Nodes:




References:

Source Reference








BID 49388

BID 49778

CERT TA12-010A

CERT-VN 864643

CVE CVE-2011-3389

MS MS12-006

OSVDB 74829

OVAL OVAL14752




SECUNIA 45791

SECUNIA 48692

SECUNIA 48915

SECUNIA 48948

SECUNIA 49198

SECUNIA 55322

























•

•

Page 36

Audit Report

Source Reference

SECUNIA 55350

SECUNIA 55351

Vulnerability Solution:Download and apply the upgrade from: http://www.php.net/releases/


Description:

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly

handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle

attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-

2009-2408.

Affected Nodes:




References:

Source Reference

CVE CVE-2013-4248

DEBIAN DSA-2742



SECUNIA 54478

SECUNIA 54657

SECUNIA 55078

SECUNIA 59652




















•

•

Page 37

Audit Report

Description:

The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before

5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-0207

SECUNIA 59794

SECUNIA 59831







Description:

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x

before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a

crafted stream offset in a CDF file.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-3479

SECUNIA 59794








•

•

•

•

Page 38

Audit Report

Source Reference

SECUNIA 59831







Description:

The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before

5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a

crafted CDF file.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-3480

SECUNIA 59794

SECUNIA 59831







Description:

The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14,

does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted

CDF file.









•

•

Page 39

Audit Report

Affected Nodes:




References:

Source Reference

CVE CVE-2014-3487

SECUNIA 59794

SECUNIA 59831






3.3. Moderate Vulnerabilities

3.3.1. CVE-2009-4022: BIND 9 Cache Update from Additional Section (dns-bind9-dnssec-cache-poisoning)

Description:

Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta

before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning

attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not

properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.

Affected Nodes:




RedHat-9.3.6-20.P1.el5_8.6

References:

Source Reference








•

•

•

Page 40

Audit Report

Source Reference

BID 37118

CERT-VN 418861

CVE CVE-2009-4022

OSVDB 60493

OVAL OVAL10821

OVAL OVAL11745

OVAL OVAL7261

OVAL OVAL7459


SECUNIA 37426

SECUNIA 37491

SECUNIA 38219

SECUNIA 38240

SECUNIA 38794

SECUNIA 38834

SECUNIA 39334

SECUNIA 40730

URL https://kb.isc.org/article/AA-00931/187/CVE-2009-4022%3A-BIND-9-Cache-Update-from-Additional-

Section.html

XF 54416





























https://kb.isc.org/article/AA-00931/187/CVE-2009-4022%3A-BIND-9-Cache-Update-from-Additional-Section.html

https://kb.isc.org/article/AA-00931/187/CVE-2009-4022%3A-BIND-9-Cache-Update-from-Additional-Section.html








•

•

Page 41

Audit Report

Description:

acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack

on the /tmp/phpglibccheck file.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-3981







Description:

The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data

type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent

attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type

confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with

mod_ssl and a PHP 5.3.x mod_php.

Affected Nodes:




References:

Source Reference

CVE CVE-2014-4721

SECUNIA 59794






•

•

Page 42

Audit Report

Source Reference

SECUNIA 59831






3.3.4. OpenSSH CBC Mode Information Disclosure Vulnerability (ssh-openssh-cbc-mode-info-disclosure)

Description:

Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3

through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS

5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly

other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to

recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.

Affected Nodes:



References:

Source Reference


BID 32319

CERT-VN 958563

CVE CVE-2008-5161

OSVDB 49872

OSVDB 50035

OSVDB 50036

OVAL OVAL11279


SECUNIA 32740

SECUNIA 32760

SECUNIA 32833

SECUNIA 33121

















•

Page 43

Audit Report

Source Reference

SECUNIA 33308

SECUNIA 34857

SECUNIA 36558

URL http://www.ssh.com/company/news/article/953/

XF 46620






3.3.5. ICMP timestamp response (generic-icmp-timestamp)

Description:

The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time.

This information could theoretically be used against some systems to exploit weak time-based random number generators in other

services.

In addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP

timestamp requests.

Affected Nodes:


192.169.82.178 Remote system time: 09:33:01.396 GMT+00:00

References:

Source Reference

CVE CVE-1999-0524

OSVDB 95

XF 306

XF 322


HP-UX

Disable ICMP timestamp responses on HP/UX

Execute the following command:

ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0




http://www.ssh.com/company/news/article/953/








•

•

•

•

Page 44

Audit Report

The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13

(timestamp request) and 14 (timestamp response).

Cisco IOS

Disable ICMP timestamp responses on Cisco IOS

Use ACLs to block ICMP types 13 and 14. For example:

deny icmp any any 13

deny icmp any any 14

Note that it is generally preferable to use ACLs that block everything by default and then selectively allow certain types of traffic in. For

example, block everything and then only allow ICMP unreachable, ICMP echo reply, ICMP time exceeded, and ICMP source quench:

permit icmp any any unreachable

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any source-quench



SGI Irix

Disable ICMP timestamp responses on SGI Irix

IRIX does not offer a way to disable ICMP timestamp responses. Therefore, you should block ICMP on the affected host using ipfilterd,

and/or block it at any external firewalls.



Linux

Disable ICMP timestamp responses on Linux

Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to disable ICMP timestamp responses. Therefore, you should block ICMP

on the affected host using iptables, and/or block it at the firewall. For example:

ipchains -A input -p icmp --icmp-type timestamp-request -j DROP

ipchains -A output -p icmp --icmp-type timestamp-reply -j DROP



Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,

Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition

Disable ICMP timestamp responses on Windows NT 4

Windows NT 4 does not provide a way to block ICMP packets. Therefore, you should block them at the firewall.



•

•

•

•

•

Page 45

Audit Report

OpenBSD

Disable ICMP timestamp responses on OpenBSD

Set the "net.inet.icmp.tstamprepl" sysctl variable to 0.

sysctl -w net.inet.icmp.tstamprepl=0



Cisco PIX

Disable ICMP timestamp responses on Cisco PIX

A properly configured PIX firewall should never respond to ICMP packets on its external interface. In PIX Software versions 4.1(6) until

5.2.1, ICMP traffic to the PIX's internal interface is permitted; the PIX cannot be configured to NOT respond. Beginning in PIX Software

version 5.2.1, ICMP is still permitted on the internal interface by default, but ICMP responses from its internal interfaces can be

disabled with the icmp command, as follows, where <inside> is the name of the internal interface:

icmp deny any 13 <inside>

icmp deny any 14 <inside>

Don't forget to save the configuration when you are finished.

See Cisco's support document Handling ICMP Pings with the PIX Firewall for more information.



Sun Solaris

Disable ICMP timestamp responses on Solaris

Execute the following commands:

/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0

/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0



Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced

Server, Microsoft Windows 2000 Datacenter Server

Disable ICMP timestamp responses on Windows 2000

Use the IPSec filter feature to define and apply an IP filter list that blocks ICMP types 13 and 14. Note that the standard TCP/IP

blocking capability under the "Networking and Dialup Connections" control panel is NOT capable of blocking ICMP (only TCP and

UDP). The IPSec filter features, while they may seem strictly related to the IPSec standards, will allow you to selectively block these

ICMP packets. See http://support.microsoft.com/kb/313190 for more information.



Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft

Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003,

Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003

Disable ICMP timestamp responses on Windows XP/2K3

http://www.cisco.com/warp/public/110/31.html


1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

11.

12.

•

1.

2.

3.

4.

5.

6.

•

Page 46

Audit Report

ICMP timestamp responses can be disabled by deselecting the "allow incoming timestamp request" option in the ICMP configuration

panel of Windows Firewall.

Go to the Network Connections control panel.

Right click on the network adapter and select "properties", or select the internet adapter and select File->Properties.

Select the "Advanced" tab.

In the Windows Firewall box, select "Settings".

Select the "General" tab.

Enable the firewall by selecting the "on (recommended)" option.

Select the "Advanced" tab.

In the ICMP box, select "Settings".

Deselect (uncheck) the "Allow incoming timestamp request" option.

Select "OK" to exit the ICMP Settings dialog and save the settings.

Select "OK" to exit the Windows Firewall dialog and save the settings.

Select "OK" to exit the internet adapter dialog.

For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-

us/hnw_understanding_firewall.mspx?mfr=true

Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft

Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition,

Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition,

Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition,

Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008

Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows

Essential Business Server 2008

Disable ICMP timestamp responses on Windows Vista/2008

ICMP timestamp responses can be disabled via the netsh command line utility.

Go to the Windows Control Panel.

Select "Windows Firewall".

In the Windows Firewall box, select "Change Settings".

Enable the firewall by selecting the "on (recommended)" option.

Open a Command Prompt.

Enter "netsh firewall set icmpsetting 13 disable"

For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-

us/hnw_understanding_firewall.mspx?mfr=true

Disable ICMP timestamp responses

Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective

solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14

(timestamp response).

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true




Audit Report

3.3.6. OpenSSH "X11UseLocalhost" X11 Forwarding Session Hijacking Vulnerability (ssh-openssh-x11uselocalhost-x11-

forwarding-session-hijack)

Description:

OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which

allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX

platform.

Affected Nodes:



References:

Source Reference

BID 30339

CVE CVE-2008-3259

SECUNIA 31179

XF 43940












•

•

Page 48

Audit Report

4. Discovered Services

4.1. <unknown>

4.1.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.169.82.178 tcp 17611 0

4.2. DNS DNS, the Domain Name System, provides naming services on the Internet. DNS is primarily used to convert names, such as

www.rapid7.com to their corresponding IP address for use by network programs, such as a browser.



192.169.82.178 udp 53 6 BIND 9.3.6-P1-RedHat-9.3.6-

20.P1.el5_8.6

4.3. DNS-TCP DNS, the Domain Name System, provides naming services on the Internet. DNS is primarily used to convert names, such as

www.rapid7.com to their corresponding IP address for use by network programs, such as a browser. This service is used primarily for

zone transfers between DNS servers. It can, however, be used for standard DNS queries as well.



192.169.82.178 tcp 53 0 BIND 9.3.6-P1-RedHat-9.3.6-

20.P1.el5_8.6

4.4. FTP FTP, the File Transfer Protocol, is used to transfer files between systems. On the Internet, it is often used on web pages to download

files from a web site using a browser. FTP uses two connections, one for control connections used to authenticate, navigate the FTP

server and initiate file transfers. The other connection is used to transfer data, such as files or directory listings.

4.4.1. General Security Issues

Cleartext authentication The original FTP specification only provided means for authentication with cleartext user ids and passwords. Though FTP has added

support for more secure mechanisms such as Kerberos, cleartext authentication is still the primary mechanism. If a malicious user is in

a position to monitor FTP traffic, user ids and passwords can be stolen.


•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 49

Audit Report


192.169.82.178 tcp 21 1 ftp.banner: 220---------- Welcome to

Pure-FTPd [privsep] [TLS] ----------

ftp.plaintext.authentication: true

ftp.supports-starttls: true

4.5. HTTP HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files

commonly used with HTTP include text, sound, images and video.


Simple authentication scheme Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses base 64 to

encode the cleartext user id and password. If a malicious user is in a position to monitor HTTP traffic, user ids and passwords can be

stolen by decoding the base 64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS/SSL)

connections to transmit the authentication data.



192.169.82.178 tcp 80 0 Apache HTTPD

http.banner: Apache

http.banner.server: Apache

verbs-1: GET

verbs-2: HEAD

verbs-3: OPTIONS

verbs-4: POST

verbs-count: 4

192.169.82.178 tcp 2077 0 cPanel

http.banner: cPanel

http.banner.server: cPanel

192.169.82.178 tcp 2082 0 cpsrvd 11.44.1.17

http.banner: cpsrvd/11.44.1.17

http.banner.server: cpsrvd/11.44.1.17

192.169.82.178 tcp 2086 0 cpsrvd 11.44.1.17



192.169.82.178 tcp 2095 0 cpsrvd 11.44.1.17


•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 50

Audit Report



4.6. HTTPS HTTPS, the HyperText Transfer Protocol over TLS/SSL, is used to exchange multimedia content on the World Wide Web using

encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard HTTP protocol is used. The multimedia

files commonly used with HTTP include text, sound, images and video.



192.169.82.178 tcp 443 6 Apache HTTPD

PHP: 5.3.28

http.banner: Apache

http.banner.server: Apache

http.banner.x-powered-by: PHP/5.3.28

ssl: true

ssl.cert.issuer.dn: CN=thawte EV SSL

CA - G2, O="thawte, Inc.", C=US

ssl.cert.key.alg.name: RSA

ssl.cert.key.rsa.modulusBits: 2048

ssl.cert.not.valid.after: Tue, 28 Jul

2015 23:59:59 GMT+00:00

ssl.cert.not.valid.before: Mon, 28 Jul

2014 00:00:00 GMT+00:00

ssl.cert.selfsigned: false

ssl.cert.serial.number:

100077727732222274903927816937

957920598

ssl.cert.sig.alg.name: SHA1withRSA

ssl.cert.subject.dn:

CN=www.sciencesuppliesdirect.com,

OU=Sales, L=london, ST=london,

C=GB, SERIALNUMBER=07629738,

O=Northbank Trading LTD,

OID.2.5.4.15=Private Organization,

OID.1.3.6.1.4.1.311.60.2.1.3=GB

ssl.cert.validchain: true

192.169.82.178 tcp 2078 1 cPanel

http.banner: cPanel

http.banner.server: cPanel

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 51

Audit Report


ssl: true






2015 23:59:59 GMT+00:00


2014 00:00:00 GMT+00:00



100077727732222274903927816937

957920598








OID.1.3.6.1.4.1.311.60.2.1.3=GB


192.169.82.178 tcp 2083 1 cpsrvd 11.44.1.17



ssl: true






2015 23:59:59 GMT+00:00


2014 00:00:00 GMT+00:00



100077727732222274903927816937

957920598


•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 52

Audit Report








OID.1.3.6.1.4.1.311.60.2.1.3=GB


ssl.version.ssl20: true

192.169.82.178 tcp 2087 1 cpsrvd 11.44.1.17



ssl: true






2015 23:59:59 GMT+00:00


2014 00:00:00 GMT+00:00



100077727732222274903927816937

957920598








OID.1.3.6.1.4.1.311.60.2.1.3=GB



192.169.82.178 tcp 2096 1 cpsrvd 11.44.1.17



ssl: true

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 53

Audit Report







2015 23:59:59 GMT+00:00


2014 00:00:00 GMT+00:00



100077727732222274903927816937

957920598








OID.1.3.6.1.4.1.311.60.2.1.3=GB



4.7. IMAP IMAP, the Interactive Mail Access Protocol or Internet Message Access Protocol, is used to access and manipulate electronic mail (e-

mail). IMAP servers can contain several folders, aka mailboxes, containing messages (e-mails) for users.



192.169.82.178 tcp 143 1 Dovecot

imap.banner: * OK [CAPABILITY

IMAP4rev1 LITERAL+ SASL-IR

LOGIN-REFERRALS ID ENABLE

IDLE NAMESPACE STARTTLS

AUTH=PLAIN AUTH=LOGIN] Dovecot

ready.

imap.plaintext.authentication: true

4.8. IMAPS

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 54

Audit Report

IMAPS, the Internet Message Access Protocol over TLS/SSL, is used to access and manipulate electronic mail (e-mail) using

encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard IMAP protocol is used. IMAP servers can

contain several folders, aka mailboxes, containing messages (e-mails) for users.



192.169.82.178 tcp 993 0 Dovecot

imap.banner: * OK [CAPABILITY

IMAP4rev1 LITERAL+ SASL-IR

LOGIN-REFERRALS ID ENABLE

IDLE NAMESPACE AUTH=PLAIN

AUTH=LOGIN] Dovecot ready.

imap.plaintext.authentication: false

ssl: true






2015 23:59:59 GMT+00:00


2014 00:00:00 GMT+00:00



100077727732222274903927816937

957920598








OID.1.3.6.1.4.1.311.60.2.1.3=GB


4.9. MySQL



•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 55

Audit Report


192.169.82.178 tcp 3306 1

4.10. POP The Post Office Protocol allows workstations to retrieve e-mail dynamically from a mailbox server.



192.169.82.178 tcp 110 1 Dovecot

pop.banner: +OK Dovecot ready.

pop.plaintext.authentication: true

4.11. POPS The Post Office Protocol allows workstations to retrieve e-mail dynamically from a mailbox server. POPS simply adds SSL support to

POP3.



192.169.82.178 tcp 995 0 Dovecot

pop.banner: +OK Dovecot ready.

pop.plaintext.authentication: true

ssl: true






2015 23:59:59 GMT+00:00


2014 00:00:00 GMT+00:00



100077727732222274903927816937

957920598







•

•

•

•

•

•

•

•

•

Page 56

Audit Report



OID.1.3.6.1.4.1.311.60.2.1.3=GB


4.12. SMTP SMTP, the Simple Mail Transfer Protocol, is the Internet standard way to send e-mail messages between hosts. Clients typically

submit outgoing e-mail to their SMTP server, which then forwards the message on through other SMTP servers until it reaches its final

destination.


Installed by default By default, most UNIX workstations come installed with the sendmail (or equivalent) SMTP server to handle mail for the local host (e.g.

the output of some cron jobs is sent to the root account via email). Check your workstations to see if sendmail is running, by telnetting

to port 25/tcp. If sendmail is running, you will see something like this: $ telnet mybox 25 Trying 192.168.0.1... Connected to mybox.

Escape character is '^]'. 220 mybox. ESMTP Sendmail 8.12.2/8.12.2; Thu, 9 May 2002 03:16:26 -0700 (PDT) If sendmail is running and

you don't need it, then disable it via /etc/rc.conf or your operating system's equivalent startup configuration file. If you do need SMTP for

the localhost, make sure that the server is only listening on the loopback interface (127.0.0.1) and is not reachable by other hosts. Also

be sure to check port 587/tcp, which some versions of sendmail use for outgoing mail submissions.

Promiscuous relay Perhaps the most common security issue with SMTP servers is servers which act as a "promiscuous relay", or "open relay". This

describes servers which accept and relay mail from anywhere to anywhere. This setup allows unauthenticated 3rd parties (spammers)

to use your mail server to send their spam to unwitting recipients. Promiscuous relay checks are performed on all discovered SMTP

servers. See "smtp-general-openrelay" for more information on this vulnerability and how to fix it.



192.169.82.178 tcp 25 2 exim 4.82

advertise-esmtp: 1

advertised-esmtp-extension-count: 6

advertises-esmtp: TRUE

max-message-size: 52428800

smtp.banner: 220-

server.sciencesuppliesdirect.com

ESMTP Exim 4.82 #2 Thu, 28 Aug

2014 04:12:05 -0500 220-We do not

authorize the use of this system to

transport unsolicited, 220 and/or bulk

e-mail.

smtp.plaintext.authentication: true

ssl.cert.chainerror: Path does not

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 57

Audit Report


chain with any of the trust anchors






2015 23:59:59 GMT+00:00


2014 00:00:00 GMT+00:00



100077727732222274903927816937

957920598








OID.1.3.6.1.4.1.311.60.2.1.3=GB

ssl.cert.validchain: false

supported-auth-method-count: 2

supported-auth-method:1: PLAIN

supported-auth-method:2: LOGIN

supports-8bitmime: TRUE

supports-auth: TRUE

supports-debug: FALSE

supports-expand: FALSE

supports-help: TRUE

supports-pipelining: TRUE

supports-size: TRUE

supports-starttls: TRUE

supports-turn: FALSE

supports-verify: FALSE

192.169.82.178 tcp 587 2 exim 4.82

advertise-esmtp: 1

advertised-esmtp-extension-count: 6

advertises-esmtp: TRUE

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

Page 58

Audit Report


max-message-size: 52428800

smtp.banner: 220-

server.sciencesuppliesdirect.com

ESMTP Exim 4.82 #2 Thu, 28 Aug

2014 04:17:52 -0500 220-We do not

authorize the use of this system to

transport unsolicited, 220 and/or bulk

e-mail.

smtp.plaintext.authentication: true

ssl.cert.chainerror: Path does not

chain with any of the trust anchors






2015 23:59:59 GMT+00:00


2014 00:00:00 GMT+00:00



100077727732222274903927816937

957920598








OID.1.3.6.1.4.1.311.60.2.1.3=GB

ssl.cert.validchain: false

supported-auth-method-count: 2

supported-auth-method:1: PLAIN

supported-auth-method:2: LOGIN

supports-8bitmime: TRUE

supports-auth: TRUE

supports-debug: FALSE

supports-expand: FALSE

supports-help: TRUE

•

•

•

•

•

•

•

•

•

Page 59

Audit Report


supports-pipelining: TRUE

supports-size: TRUE

supports-starttls: TRUE

supports-turn: FALSE

supports-verify: FALSE

4.13. SMTPS SMTPS, the Simple Mail Transfer Protocol over TLS/SSL, is used to send e-mail messages between hosts using encrypted (TLS/SSL)

connections. Once the TLS/SSL connection is established, the standard SMTP protocol is used. Clients typically submit outgoing e-mail

to their SMTP server, which then forwards the message on through other SMTP servers until it reaches its final destination.



192.169.82.178 tcp 465 0

4.14. SSH SSH, or Secure SHell, is designed to be a replacement for the aging Telnet protocol. It primarily adds encryption and data integrity to

Telnet, but can also provide superior authentication mechanisms such as public key authentication.



192.169.82.178 tcp 22 4 OpenBSD OpenSSH 4.3

ssh.banner: SSH-2.0-OpenSSH_4.3

ssh.protocol.version: 2.0

ssh.rsa.pubkey.fingerprint:

D5A4877B7D17B0CCAF8A433487C1

E5FE

4.15. zeroconf (Rendezvous)



192.169.82.178 udp 5353 0

Audit Report

5. Discovered Users and GroupsNo user or group information was discovered during the scan.

Audit Report

6. Discovered DatabasesNo database information was discovered during the scan.

Audit Report

7. Discovered Files and DirectoriesNo file or directory information was discovered during the scan.

Audit Report

8. Policy EvaluationsNo policy evaluations were performed.

Audit Report

9. Spidered Web SitesNo web sites were spidered during the scan.

vulnerability report 2

Documents

auth vulnerabilities

severe vulnerabilities

numbers of vulnerabilities

moderate vulnerabilities

dns serviceproduct bind

security audit

audit report3

audit report2