Summary
This document reports on the results of an automatic security scan. The report first summarises the results found. Then, for each host, the report describes every issue found. Please consider the advice given in each description, in order to rectify the issue. Overrides are on. When a result has an override, this report uses the threat of the override. Notes are included in the report. This report might not show details of all issues that were found. It only lists hosts that produced issues. Issues with the threat level "Debug" are not shown. This report contains all 38 results selected by the filtering described above. Before filtering there were 38 results.
Host Summary
Results per Host
Host 5.0.22.149
Port Summary for Host 5.0.22.149
Security Issues for Host 5.0.22.149

http (80/tcp)
High
(CVSS: 7.8)
NVT:
Apache httpd Web Server Range Header Denial of Service Vulnerability
(OID: 1.3.6.1.4.1.25623.1.0.901203)
Overview: This host is running Apache httpd web server and is prone to denial of service vulnerability.
Vulnerability Insight: The flaw is caused the way Apache httpd web server handles certain requests with multiple overlapping ranges, which causes significant memory and CPU usage on the server leading to application crash and system can become unstable.
Impact: Successful exploitation will let the remote unauthenticated attackers to cause a denial of service.
Impact Level: System/Application
Affected Software/OS: Apache 1.3.x, 2.0.x through 2.0.64 and 2.2.x through 2.2.19
Fix: Please refer below link for fix and mitigate this issue until full fix,
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3CCAAPSnn2PO-d-C4nQt_TES? 2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3E
http://marc.info/?l=apache-httpd-dev&m=131420013520206&w=2
References:
http://www.exploit-db.com/exploits/17696
http://packetstormsecurity.org/files/view/104441
http://marc.info/?l=apache-httpd-dev&m=131420013520206&w=2
CVE : CVE-2011-3192
BID : 49303

http (80/tcp)
Medium
(CVSS: 4.3)
NVT:
Apache Web Server ETag Header Information Disclosure Weakness
(OID: 1.3.6.1.4.1.25623.1.0.103122)
Overview: A weakness has been discovered in Apache web servers that are configured to use the FileETag directive. Due to the way in which Apache generates ETag response headers, it may be possible for an attacker to obtain sensitive information regarding server files. Specifically, ETag header fields returned to a client contain the file's inode number. Exploitation of this issue may provide an attacker with information that may be used to launch further attacks against a target network. OpenBSD has released a patch that addresses this issue. Inode numbers returned from the server are now encoded using a private hash to avoid the release of sensitive information.
Solution: OpenBSD has released a patch to address this issue. Novell has released TID10090670 to advise users to apply the available workaround of disabling the directive in the configuration file for Apache releases on NetWare. Please see the attached Technical Information Document for further details.
References:
https://www.securityfocus.com/bid/6939
http://httpd.apache.org/docs/mod/core.html#fileetag
http://www.openbsd.org/errata32.html
http://support.novell.com/docs/Tids/Solutions/10090670.html
Information that was gathered:
Inode: 267606
Size: 177
CVE : CVE-2003-1418
BID : 6939

smtp (25/tcp)
Medium
NVT:
Check if Mailserver answer to VRFY and EXPN requests
(OID: 1.3.6.1.4.1.25623.1.0.100072)
Overview: The Mailserver on this host answers to VRFY and/or EXPN requests. VRFY and EXPN ask the server for information about an address. They are inherently unusable through firewalls, gateways, mail exchangers for part-time hosts, etc. OpenVAS suggests that, if you really want to publish this type of information, you use a mechanism that legitimate users actually know about, such as Finger or HTTP.
Solution: Disable VRFY and/or EXPN on your Mailserver. For postfix add 'disable_vrfy_command=yes' in 'main.cf'. For Sendmail add the option 'O PrivacyOptions=goaway'.
See also: http://cr.yp.to/smtp/vrfy.html
Details: 'VRFY root' produces the following answer: 252 2.0.0 root

smtp (25/tcp)
Medium
NVT:
TCP Sequence Number Approximation Reset Denial of Service Vulnerability
(OID: 1.3.6.1.4.1.25623.1.0.902815)
Overview: The host is running TCP services and is prone to denial of service vulnerability.
Vulnerability Insight: The flaw is triggered when spoofed TCP Reset packets are received by the targeted TCP stack and will result in loss of availability for the attacked TCP services.
Impact: Successful exploitation will allow remote attackers to guess sequence numbers and cause a denial of service to persistent TCP connections by repeatedly injecting a TCP RST packet.
Impact Level: System
Affected Software/OS: TCP
Fix: Please see the referenced advisories for more information on obtaining and applying fixes.
References:
http://www.osvdb.org/4030
http://xforce.iss.net/xforce/xfdb/15886
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55950
http://www-01.ibm.com/support/docview.wss?uid=isg1IY62006
http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-064.mspx
http://www.cisco.com/en/US/products/csa/cisco-sa-20040420-tcp-nonios.html
http://www.cisco.com/en/US/products/csa/cisco-sa-20040420-tcp-nonios.html
CVE : CVE-2004-0230
BID : 10183

general/tcp
Low
(CVSS: 0.0)
NVT:
Traceroute
(OID: 1.3.6.1.4.1.25623.1.0.51662)
Here is the route from 5.0.22.228 to 5.0.22.149
5.0.22.228
5.0.22.149

general/tcp
Low
NVT:
TCP timestamps
(OID: 1.3.6.1.4.1.25623.1.0.80091)
Synopsis : The remote service implements TCP timestamps.
Description : The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See also : http://www.ietf.org/rfc/rfc1323.txt

http (80/tcp)
Low
(CVSS: 0.0)
NVT:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
A web server is running on this port

http (80/tcp)
Low
(CVSS: 0.0)
NVT:
HTTP Server type and version
(OID: 1.3.6.1.4.1.25623.1.0.10107)
The remote web server type is : Apache/2.2.14 (Ubuntu)
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

http (80/tcp)
Low
(CVSS: 0.0)
NVT:
Directory Scanner
(OID: 1.3.6.1.4.1.25623.1.0.11032)
The following directories were discovered: /admin, /cgi-bin, /icons, /ganglia
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
Other references : OWASP:OWASP-CM-006

netscape-adm (8649/tcp)
Low
(CVSS: 0.0)
NVT:
Identify unknown services with 'HELP'
(OID: 1.3.6.1.4.1.25623.1.0.11153)
Ganglia monitoring daemon seems to be running on this port

smtp (25/tcp)
Low
(CVSS: 0.0)
NVT:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
An SMTP server is running on this port
Here is its banner : 220 ubuntu-testing.tag.internal ESMTP Postfix (Ubuntu)

smtp (25/tcp)
Low
NVT:
SMTP Server type and version
(OID: 1.3.6.1.4.1.25623.1.0.10263)
Remote SMTP server banner : 220 ubuntu-testing.tag.internal ESMTP Postfix (Ubuntu)
This is probably: Postfix

smtp (25/tcp)
Low
(CVSS: 0.0)
NVT:
SMTP STARTTLS Detection Detection
(OID: 1.3.6.1.4.1.25623.1.0.103118)
Overview: The remote Mailserver supports the STARTTLS command.

ssh (22/tcp)
Low
(CVSS: 0.0)
NVT:
Services
(OID: 1.3.6.1.4.1.25623.1.0.10330)
An ssh server is running on this port

sunrpc (111/tcp)
Low
(CVSS: 0.0)
NVT:
rpcinfo -p
(OID: 1.3.6.1.4.1.25623.1.0.11111)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on port 111

sunrpc (111/tcp)
Low
(CVSS: 0.0)
NVT:
rpcinfo -p
(OID: 1.3.6.1.4.1.25623.1.0.11111)
RPC program #100024 version 1 'status' is running on port 57035

sunrpc (111/udp)
Low
(CVSS: 0.0)
NVT:
rpcinfo -p
(OID: 1.3.6.1.4.1.25623.1.0.11111)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on port 111

sunrpc (111/udp)
Low
(CVSS: 0.0)
NVT:
rpcinfo -p
(OID: 1.3.6.1.4.1.25623.1.0.11111)
RPC program #100024 version 1 'status' is running on port 41700

general/CPE-T
Log
(CVSS: 0.0)
NVT:
CPE Inventory
(OID: 1.3.6.1.4.1.25623.1.0.810002)
5.0.22.149|cpe:/a:apache:http_server:2.2.14
5.0.22.149|cpe:/a:openbsd:openssh:5.3p1
5.0.22.149|cpe:/o:canonical:ubuntu_linux

general/HOST-T
Log
(CVSS: 0.0)
NVT:
Host Summary
(OID: 1.3.6.1.4.1.25623.1.0.810003)
traceroute:5.0.22.228,5.0.22.149
TCP ports:111,22,25,8649,80
UDP ports:

general/icmp
Log
(CVSS: 0.0)
NVT:
ICMP Timestamp Detection
(OID: 1.3.6.1.4.1.25623.1.0.103190)
Overview: The remote host responded to an ICMP timestamp request. The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp. This information could theoretically be used to exploit weak time-based random number generators in other services.
See also: http://www.ietf.org/rfc/rfc0792.txt
CVE : CVE-1999-0524

general/tcp
Log
(CVSS: 0.0)
NVT:
Apache Web ServerVersion Detection
(OID: 1.3.6.1.4.1.25623.1.0.900498)
Detected Apache version 2.2.14
CPE: cpe:/a:apache:http_server:2.2.14
Concluded from version identification result:
HTTP/1.1 200 OK
Date: Mon, 14 May 2012 15:39:09 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Fri, 04 May 2012 08:13:09 GMT
ETag: "41556-b1-4bf317daf6c0c"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

general/tcp
Log
(CVSS: 0.0)
NVT:
Checks for open udp ports
(OID: 1.3.6.1.4.1.25623.1.0.103978)
Open UDP ports: [None found]

general/tcp
Log
(CVSS: 0.0)
NVT:
OS fingerprinting
(OID: 1.3.6.1.4.1.25623.1.0.102002)
ICMP based OS fingerprint results: (100% confidence) Linux Kernel

general/tcp
Log
(CVSS: 0.0)
NVT:
Checks for open tcp ports
(OID: 1.3.6.1.4.1.25623.1.0.900239)
Open TCP ports: 111, 22, 25, 8649, 80

general/tcp
Log
(CVSS: 0.0)
NVT:
arachni (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.110001)
Arachni could not be found in your system path. OpenVAS was unable to execute Arachni and to perform the scan you requested. Please make sure that Arachni is installed and that arachni is available in the PATH variable defined for your environment.

general/tcp
Log
(CVSS: 0.0)
NVT:
DIRB (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.103079)
DIRB could not be found in your system path. OpenVAS was unable to execute DIRB and to perform the scan you requested. Please make sure that DIRB is installed and is available in the PATH variable defined for your environment.

general/tcp
Log
(CVSS: 0.0)
NVT:
Nikto (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.14260)
Nikto could not be found in your system path. OpenVAS was unable to execute Nikto and to perform the scan you requested. Please make sure that Nikto is installed and that nikto.pl or nikto is available in the PATH variable defined for your environment.

general/tcp
Log
(CVSS: 0.0)
NVT:
Information about the scan
(OID: 1.3.6.1.4.1.25623.1.0.19506)
Information about this scan :
OpenVAS version : 4.0.6
Plugin feed version : 201205071204
Type of plugin feed : OpenVAS NVT Feed
Scanner IP : 5.0.22.228
Port scanner(s) : nmap
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan Start Date : 2012/5/14 16:39
Scan duration : 1185 sec

http (80/tcp)
Log
NVT:
(OID: 0)
Open port.

http (80/tcp)
Log
(CVSS: 0.0)
NVT:
wapiti (NASL wrapper)
(OID: 1.3.6.1.4.1.25623.1.0.80110)
wapiti could not be found in your system path. OpenVAS was unable to execute wapiti and to perform the scan you requested. Please make sure that wapiti is installed and that wapiti is available in the PATH variable defined for your environment.

netscape-adm (8649/tcp)
Log
NVT:
(OID: 0)
Open port.

smtp (25/tcp)
Log
NVT:
(OID: 0)
Open port.

ssh (22/tcp)
Log
NVT:
(OID: 0)
Open port.

ssh (22/tcp)
Log
(CVSS: 0.0)
NVT:
SSH Authorization
(OID: 1.3.6.1.4.1.25623.1.0.90022)
No SSH credentials were supplied. Hence local security checks are not enabled.

ssh (22/tcp)
Log
(CVSS: 0.0)
NVT:
SSH Server type and version
(OID: 1.3.6.1.4.1.25623.1.0.10267)
Detected SSH server version: SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
Remote SSH supported authentication: publickey,password
Remote SSH banner: (not available)
CPE: cpe:/a:openbsd:openssh:5.3p1
Concluded from remote connection attempt with credentials:
Login: OpenVAS
Password: OpenVAS

ssh (22/tcp)
Log
(CVSS: 0.0)
NVT:
SSH Protocol Versions Supported
(OID: 1.3.6.1.4.1.25623.1.0.100259)
The remote SSH Server supports the following SSH Protocol Versions:
1.99
2.0
SSHv2 Fingerprint: 43:76:aa:34:de:16:66:7f:26:b3:0a:72:7d:9c:2c:14

sunrpc (111/tcp)
Log
NVT:
(OID: 0)
Open port.
This file was automatically generated.