A2E-Dataway High Severity Report- IntranetScan

Dataway High Severity Report page 1

Dataway High Severity ReportNovember 12, 2009

This report was generated with an evaluation version of qualysguardThis report was generated with an evaluation version of qualysguard

Report SummaryUser Name: eoghan o'neillLogin Name: ccsf_enCompany: ccsfUser Role: ManagerAddress: 180 redwood st suite 300City: san franciscoState: CaliforniaZip: 94102Country: United States of AmericaCreated: 11/12/2009 at 18:12:48 (GMT-0800)Template Title: Dataway High Severity ReportSort by: VulnerabilityIP Restriction: -Hosts Matching Filters: 25scan/1246807525.1079: 07/05/2009 at 07:25:25 (GMT-0800)scan/1246810541.23046: 07/05/2009 at 08:15:41 (GMT-0800)

Summary of Vulnerabilities

Vulnerabilities Total 45 (+28) Average Security Risk 1.9

by StatusStatus Confirmed Potential Total New 28 - 28Active 17 - 17Re-Opened 0 - 0Total 45 - 45Fixed 0 - 0Changed 28 - 28

by SeveritySeverity Confirmed (Trend) Potential (Trend) Information Gathered Total (Trend) 5 17 (0) - - - 17 (+13)4 28 (0) - - - 28 (+15)3 0 (0) - - - 0 (0) -2 0 (0) - - - 0 (0) -1 0 (0) - - - 0 (0) -Total 45 (0) - - - 45 (+28)

5 Biggest CategoriesCategory Confirmed (Trend) Potential (Trend) Information Gathered Total (Trend) General remote services 25 (0) - - - 25 (+11)Database 8 (0) - - - 8 (+8)File Transfer Protocol 4 (0) - - - 4 (+1)

dhotchkiss

Text Box

Attachment 2E


Category Confirmed (Trend) Potential (Trend) Information Gathered Total (Trend) Web server 2 (0) - - - 2 (+2)SMB / NETBIOS 2 (0) - - - 2 (+2)Total 41 (0) - - - 41 (+24)

Vulnerabilities by Severity

Potential Vulnerabilities by Severity


Information Gathered by Severity

Operating Systems Detected


Services Detected


Services Detected (Continued)

Detailed Results

Vulnerabilities

5 Multiple CUPS Vulnerabilities (1)

QID: 38160Category: General remote servicesCVE ID: CVE-2002-1369, CVE-2002-1371, CVE-2002-1367, CVE-2002-1368, CVE-2002-1372, CVE-2002-1383Vendor Reference: RHSA-2002-295Bugtraq ID: 6438Modified: 06/11/2009Edited: No

THREAT:CUPS, Common Unix Printing System, is a widely used set of printing utilities for Unix-based systems. Several vulnerabilities have been reported inversions prior to 1.1.18.

1) CUPS makes it possible for attackers to execute code with root privileges. The vulnerability exists in the jobs.c source file. Some functions use thestrncat() function call improperly. strncat()is used in an insecure manner to build the "options" string. When the CUPS daemon receivesspecially-constructed printer attributes, it will trigger a buffer overflow condition when building the "options" string, which may result in the corruption ofsensitive memory with attacker-supplied values. (CVE ID: CAN-2002-1369)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1369






http://rhn.redhat.com/errata/RHSA-2002-295.html

http://www.securityfocus.com/bid/6438


2) The image handling component of CUPS is vulnerable to integer overflow conditions. Flaws may be exploited by local attackers to execute instructionswith elevated privileges. Attackers may gain user "lp", group "sys" privileges. Depending on system configuration, other privileges may be gained.

3) CUPS image filters do not properly handle GIF files with a width field set to zero. As a result, if an attacker submits a properly malformed image, itmay be possible to manipulate and corrupt chunk headers with attacker-supplied data. Given the ability to corrupt memory with attacker-supplied data, itmay be possible for an attacker to cause arbitrary code to be executed. Successful exploitation results in code execution in the security context of CUPS.(CVE ID: CAN-2002-1371)

4) Some versions of CUPS may create temporary files in an insecure manner. The vulnerability occurs when creating the "/etc/cups/certs/" file. Anattacker can exploit this vulnerability to create or overwrite any file with elevated privileges. Successful exploitation is time dependent and requires theattacker to obtain the "lp" user privileges.

5) CUPS is prone to a vulnerability that makes it possible for attackers to add printers. It has been reported that an attacker may send a specially craftedUDP packet to the CUPS server, which will cause a printer to be temporarily added and configured to listen on a high port. Then it's reportedly possiblefor the attacker to request and receive the local root certificate. This certificate may be used to authenticate to the Web administrative interface, where it ispossible to create a printer with root privileges. Technical details about the exact nature of this issue are not known at this time. This issue is believed to becaused, in part, by a design flaw in the certificate authentication scheme employed by CUPS. (CVE ID: CAN-2002-1367)

6) A vulnerability has been reported that, if exploited, may result in a DoS or the execution of code on affected systems. An attacker can exploit thisvulnerability by connecting to a vulnerable system on TCP port 631 and issuing malformed HTTP headers with a negative value for the "Content-Length"or "Transfer-Encoding" field. When the cupsd service receives this request, it will crash. (CVE ID: CAN-2002-1368)

7) CUPS may leak file descriptor information under some circumstances. This issue exists because CUPS does not adequately check any return values onfile and socket operations. By exploiting this vulnerability, it's possible for a remote attacker to cause a denial of service. (CVE ID: CAN-2002-1372)

8) An integer overflow vulnerability has been reported in the HTTP server component of CUPS. The condition is related to the processing of HTMLvariables and their values. It's reportedly possible for remote attackers to exploit this vulnerability to execute instructions on target systems. Successfulattacks may grant local access to adversaries with user "lp" and group "sys" privileges. (CVE ID: CAN-2002-1383)

IMPACT:By exploiting these vulnerabilities, remote attackers can execute arbitary code under the user ID of the Daemon.

SOLUTION:Upgrade to CUPS Version 1.1.18 or later. Upgrade packages are available for all affected distributions.

Check CUP's Web site (http://www.cups.org/software.html) for more information.

COMPLIANCE:Not Applicable

147.144.1.18 (-, -) IBM 4400 Printer port 631/tcp New

RESULTS:No results available

5 Debian OpenSSL Package Random Number Generator Weakness (2)

QID: 42007Category: General remote servicesCVE ID: CVE-2008-0166Vendor Reference: OpenSSH Debian Patch, OpenSSL Debain PatchBugtraq ID: 29179Modified: 06/30/2008Edited: No

THREAT:


http://www.debian.org/security/2008/dsa-1571

http://www.debian.org/security/2008/dsa-1576



OpenSSL is an open source implementation of the SSL protocol which is used by a number of other projects, including but not restricted to Apache,Sendmail and Bind. It is commonly found on Linux and Unix systems.

The Debian OpenSSL package is prone to a random number generator weakness which causes the keys generated by this package to be predictable.

IMPACT:Attackers can exploit this issue to predict random data used to generate encryption keys by certain applications. An attacker can record encrypted sessions(SSL,SSH, VPN) then in an off-line mode use a library of weak keys to find out the private key values used by the communication parties and decrypt theencrypted traffic. Specifically affected keys include RSA, SSH, OpenVPN and DNSSEC keys as well as X.509 certificates and session keys used in theSSL/TLS sessions.

Attackers may exploit this issue to potentially compromise encryption keys and gain access to sensitive data. This may aid in further attacks. In the case ofSSH attackers can gain full access to the target system.

This issue affects only a modified OpenSSL package for Debian prior to Version 0.9.8c-4etch3.

Please note that the keys that were generated on a vulnerable system and then moved to a different non-Debian system are still vulnerable and can cause acompromise of that non-Debian system.

SOLUTION:The vendor has released updates to address this issue. See the references for more information.

The Results section contains identifications for the weak keys detected on the target system. The keys are identified by calculating a hash over the publickey. The hash function as well as the information the hash function is calculated upon is different for SSH and SSL keys.

For SSL the following command can be used to calculate the hash of a key in a X.509 certificate:

openssl x509 -in [cert name.pem] -modulus -noout|openssl sha1

For an SSH key the following command can be used to obtain the hash of the public key:

ssh-keygen -f [SSH public key file name.pub] -l

All the keys listed in the Results section are weak and need to be regenerated on a non-vulnerable or patched system. In the case of certificates, they needto be regenerated and signed again.


147.144.1.62 (ezproxy.ccsf.edu, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 443/tcp over SSL Active

RESULTS:Certificate #0 RSA(1024), SSL, Hash: 2E202BACC1C4CF8762B5D3F157858B0989C23998

147.144.1.62 (ezproxy.ccsf.edu, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp Active

RESULTS:RSA(2048), SSH, Hash: 08FF698725A668282FC337BE4E89745B

5 Microsoft SQL Server 2000 Service Pack 4 Missing (2)

QID: 19124Category: DatabaseCVE ID: -Vendor Reference: -


Bugtraq ID: -Modified: 05/11/2009Edited: No

THREAT:The Microsoft SQL Server / MSDE 2000 host is missing Service Pack 4.

IMPACT:SQL Server 2000 Service Pack 4 includes all security hotfixes released after the release of Service Pack 3.

SOLUTION:Read Microsoft article KB290211 (http://support.microsoft.com/kb/290211) for details on downloading SQL Server 2000 Service Pack 4.


147.144.1.69 (-, S-LIB-PC-COP01) Windows 2003 Service Pack 2 New

RESULTS:8.0.313

147.144.40.253 (rpg1.ccsf.cc.ca.us, -) Windows 2000 Service Pack 3-4 New

RESULTS:8.0.820

5 Microsoft SQL Server Multiple Vulnerabilities (1)

QID: 90086Category: DatabaseCVE ID: CVE-2003-0230, CVE-2003-0231, CVE-2003-0232Vendor Reference: MS03-031Bugtraq ID: 8275Modified: 02/23/2005Edited: No

THREAT:Multiple vulnerabilities are present on the Microsoft SQL Server installed on the target, including the following: LPC port request buffer overflowvulnerability, Named Pipe denial of service vulnerability, and Named Pipe hijacking vulnerability.

Local Procedure Calls (LPC) provide a mechanism for interprocess communications on some Microsoft platforms. Each LPC utilizes a collection ofcommunication ports to allow for information exchange between the client and the server. Microsoft SQL Server is prone to a buffer overflow in themechanism that accepts LPC port requests. If a specifically malformed message is received by the LPC port, stack memory may be overwritten due toinsufficient bounds checking.

Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a Named Pipe denial of service attack. Any local or remote user, whocan authenticate and is part of the Everyone Group, may trigger a denial of service condition in an affected SQL Server. It has been reported that if aremote attacker sends an unusually large request to a named pipe, the SQL Server will become unresponsive.

Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a privilege escalation vulnerability via named pipes. A named pipe is aconduit for interprocess communication that is identified by a specific name; it is used to pass information between a pipe server and its clients. It has beenreported that a named pipe, used to control certain connection attempts to the SQL server, is prone to a vulnerability that may provide escalation ofprivileges. The issue presents itself within the checking routines for the affected pipe. Under certain circumstances, specifically during the authenticationprocedure, a local attacker may seize control of the named pipe.


http://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0231

http://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0232

http://www.microsoft.com/technet/security/Bulletin/MS03-031.mspx



IMPACT:Successful exploitation of the LPC Port request buffer overrun vulnerability would allow an attacker to execute code with the privilege level of the SQLServer process. Under most conditions, exploitation would only allow an attacker to gain full access to the SQL database. However, if the SQL Server isrunning as Administrator or Local System, exploitation would allow for full system compromise. It's important to note that an attacker must beauthenticated to the SQL Server in order to exploit this vulnerability.

The impact of the denial of service vulnerability may vary between service packs and versions. It has been reported that on SQL Server 2000 withoutService Pack 3 installed, the service will crash and must be restarted to restore normal operations. However, on SQL Server 2000 with Service Pack 3applied, this is not the case. The service does not appear to crash but does not process requests received post-attack. It has also been reported that it's notpossible to stop the affected service, and the system will require a reboot to restore normal operations.

If the Named Pipe hijacking vulnerability is successfully exploited, the attacker may thereby inherit the permissions of the user who is attempting toconnect to the SQL server via the compromised pipe.

SOLUTION:Microsoft has released patches to address the issue. Check Microsoft Security Bulletin MS03-031(http://www.microsoft.com/technet/security/bulletin/ms03-031.mspx) for the latest information on these vulnerabilities.


147.144.1.69 (-, S-LIB-PC-COP01) Windows 2003 Service Pack 2 New

RESULTS:8.0.313

5 Microsoft SQL Server 2000 SP1 Not Installed (1)

QID: 19094Category: DatabaseCVE ID: -Vendor Reference: -Bugtraq ID: -Modified: 05/21/2009Edited: No

THREAT:The host is missing SQL Server 2000 Service Pack 1.

IMPACT:Microsoft SQL Server Service Pack 1 contains several security fixes.

SOLUTION:Refer to the SQL Server version 2000 Service Pack 1 Readme(http://support.microsoft.com/default.aspx?scid=%2fsupport%2fservicepacks%2fSQL%2f2000%2fSP1ReadMe.asp) for details.

It's recommended that you install the latest Microsoft SQL Server service pack (sp3a or later). You can download the latest service pack from Microsoft'sSQL Server Download page (http://www.microsoft.com/sql/downloads/default.asp).


147.144.1.69 (-, S-LIB-PC-COP01) Windows 2003 Service Pack 2 port 1433/tcp New

RESULTS:8.0.313


5 Microsoft SQL Server 2000 SP2 Not Installed (1)


THREAT:Microsoft SQL Server 2000 Service Pack 2 not installed on the host.

IMPACT:SQL Server 2000 Service Pack 2 fixes several security holes which can be exploited by malicious users.

SOLUTION:Refer to the SQL Server version 2000 Service Pack 2 Readme(http://support.microsoft.com/default.aspx?scid=%2fsupport%2fservicepacks%2fSQL%2f2000%2fSP2ReadMe.asp) for details.

It's recommended that you install the latest Microsoft SQL Server service pack (sp3a or later). You can download the latest service pack from Microsoft'sSQL Server Download page (http://www.microsoft.com/sql/downloads/default.asp).



RESULTS:8.0.313

5 Microsoft SQL Server 2000 Service Pack 3 Not Installed (1)


THREAT:Microsoft SQL Server 2000 Service Pack 3 is not installed on the host.

IMPACT:Microsoft SQL Server 2000 Service Pack 3 fixes several security holes, which may be exploited by malicious users.

SOLUTION:Refer to the Microsoft Service Packs for SQL Server Downloads page (http://www.microsoft.com/sql/downloads/servicepacks.asp) for instructions ondownloading and installing the service pack.



RESULTS:


8.0.313

5 Sun Solaris SAdmind Client Credentials Remote Administrative Access Vulnerability (1)

QID: 68524Category: RPCCVE ID: CVE-2003-0722Vendor Reference: -Bugtraq ID: 8615Modified: 06/11/2009Edited: No

THREAT:Solaris is the Unix operating system variant maintained and distributed by Sun Microsystems.

A problem has been discovered in the Sun Solaris "sadmin" service. Because of this issue, it may be possible for a remote user to gain unauthorizedadministrative access to the target.

The problem is in the handling of authentication credentials. In the default configuration, the "sadmin" service uses the AUTH_SYS or AUTH_UNIXRPC authentication mechanism, which is vulnerable to spoofing attacks. Since the authentication credentials (uid, gid, and hostname of client) arecompletely in an attacker's control, an attacker can circumvent any access restrictions the service may have in place.

Note: The "sadmin" service is enabled by default.

IMPACT:This vulnerability can be exploited to run arbitrary privileged commands on the vulnerable host, and can lead to a complete system compromise.

SOLUTION:A solution is to either disable the "sadmin" service if it is not required, or restart the service with stronger authentication.

The service may be disabled by commenting the service out of the inetd.conf configuration file, and restarting inetd.

The service may be reconfigured to use stronger AUTH_DES authentication instead. To do this, append "-S 2" to the inetd.conf configuration and restartinetd. Please check Sun's Sadmind Alert (http://sunsolve.sun.com/search/document.do?assetkey=1-26-56740-1), which provides details about thisconfiguration process.


147.144.1.211 (sol.ccsf.cc.ca.us, -) Solaris 8 New

RESULTS:/bin/sh could be executed on the target host.

5 Null Authentication VNC Server Access (2)

QID: 38161Category: General remote servicesCVE ID: CVE-2002-2088Vendor Reference: -Bugtraq ID: 4581Modified: 05/13/2009Edited: No

THREAT:






VNC (Virtual Network Computing) is similar to Xwindows in that it is a remote, graphical interface. It is freely available from multiple vendors (forexample AT&T Cambridge).

To create a session with VNC server, a primitive sort of authentication is implemented. There is an option to not use authentication at all, in which caseanyone is allowed to connect to the VNC server.

An example of such default configuration is ClumpOS.ClumpOS is a CD-based Linux and Mosix distribution that is maintained and distributed by the Mosix project. ClumpOS does not prompt a user to set apassword for VNC when installed. Instead, ClumpOS leaves the default password for VNC blank, which allows remote root access to the system.

IMPACT:By exploiting this vulnerability, an unauthenticated user can have the same privileges as the privileges of the user who launched a VNC server.

SOLUTION:As a possible workaround, manually set a VNC password or remove the VNC server (if not needed).


147.144.1.245 (gw3.ccsf.edu, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 5901/tcp New


147.144.1.246 (gw4.ccsf.edu, BAT-GW4) Linux 2.4-2.6 / Embedded Device / F5 Net port 5901/tcp New


5 Apache Chunked-Encoding Memory Corruption Vulnerability (2)

QID: 86352Category: Web serverCVE ID: CVE-2002-0392Vendor Reference: -Bugtraq ID: 5033Modified: 10/22/2007Edited: No

THREAT:Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. Various products, such as StrongHold,Oracle 9iAS and IBM Websphere, use or bundle Apache.

The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. Avulnerability has been discovered in the Apache implementation of 'Chunked Encoding'. When processing requests coded with the 'Chunked Encoding'mechanism, Apache fails to properly calculate required buffer sizes. This is due to improper (signed) interpretation of an unsigned integer value.

On Windows and Netware platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process tocrash on these platforms may result in a denial of service.The link http://httpd.apache.org/info/security_bulletin_20020617.txt (http://httpd.apache.org/info/security_bulletin_20020617.txt) provides additional informationon this vulnerability for Apache running on Windows.

IMPACT:This vulnerability can be exploited by an attacker to cause a Denial of Service and even execute arbitrary code on the vulnerable machine.




SOLUTION:This vulnerability has been fixed in Apache 1.3.26 and Apache 2.0.37. Please upgrade to the latest version (http://httpd.apache.org/download.cgi).

An efix (via APAR PQ62369) (http://www.ibm.com/software/webservers/httpservers/support.html) is available for IHS from the IBM HTTP ServerDownloads webpage.

A complete list of vendor status and fixes can be found in CERT advisory CA-2002-17 (http://www.cert.org/advisories/CA-2002-17.html)

To manually verify this vulnerability, one may telnet to the host/port that the HTTP service is running on, and issue the following request directly:-----[snip]-----GET / HTTP/1.1Host: iopjfdsTransfer-Encoding: Chunked

AAAAAAAA-----[/snip]-----

A vulnerable webserver should respond by immediately closing the connection, while a patched webserver should respond with a valid HTTP responsecode; it may be necessary to try large integers other than AAAAAAAA (e.g. FFFFFFFF or 80000000).In order to eliminate erroneous behavior from intervening networking equipment, it is important to run the manual verification locally on the target host inquestion.


147.144.4.4 (-, -) HP-UX 11 port 5050/tcp New


147.144.19.11 (peachie.ccsf.cc.ca.us, -) Linux 2.2 port 9876/tcp New


5 WU-FTPD Remote Root Access with 'SITE EXEC' Command (1)

QID: 27080Category: File Transfer ProtocolCVE ID: CVE-2000-0573Vendor Reference: -Bugtraq ID: 1387Modified: 06/03/2009Edited: No

THREAT:

WU-FTPD is the most popular FTP server used on Internet.

WU-FTPD Version 2.6 (shipped with RedHat Version 6.2) contains a vulnerability in the "SITE EXEC" command. The behavior of a "vsnprintf()"function can be modified by overwriting the return address on the stack. Therefore, unauthorized remote users can execute code on the host. AnonymousFTP access is the only requirement for exploiting this vulnerability.

IMPACT:




By exploiting this vulnerability, unauthorized users can execute arbitrary commands as root on your server.

SOLUTION:As a temporary patch, you can disable anonymous access on your server. However, this will not prevent legitimate users from exploiting the vulnerability.You can download a patch directly from the WU-FTPD Web site (http://www.wuftpd.org).


147.144.19.11 (peachie.ccsf.cc.ca.us, -) Linux 2.2 port 21/tcp Active


5 WU-FTPd File Globbing Heap Corruption Vulnerability (1)

QID: 27126Category: File Transfer ProtocolCVE ID: CVE-2001-0550Vendor Reference: RHSA-2001-157Bugtraq ID: 3581Modified: 06/17/2009Edited: No

THREAT:WU-FTPd is a popular Unix FTP server. It's based on the BSD FTPd, which is maintained by Washington University.

WU-FTPd allows clients to organize files for FTP actions based on "file globbing" patterns. File globbing is also used by various shells. Theimplementation of file globbing included in WU-FTPd contains a heap corruption vulnerability that may allow a malicious remote user to executearbitrary code on a server.

During the processing of a globbing pattern, the WU-FTPd implementation creates a list of the files that match. The memory where this data is stored ison the heap, allocated using malloc(). The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocatedmemory.If an error occurs processing the pattern, memory will not be allocated and a variable indicating this should be set. The calling functions must check thevalue of this variable before attempting to use the globbed filenames (and later freeing the memory).

Under certain circumstances, the globbing function does not set this variable when an error occurs. As a result of this, WU-FTPd will eventually attemptto free uninitialized memory. If this region of memory contained user-controllable data before the free call, it may be possible to have an arbitrary word inmemory overwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten.

If anonymous FTP is not enabled, then valid user credentials are required to exploit this vulnerability.

IMPACT:If successfully exploited, a remote malicious user may be able to execute arbitrary code with the privileges of WU-FTPd, typically root.

SOLUTION:Apply the patch supplied by your vendor. Alternatively, apply the patch provided by WU-FTPd.

Workaround:

Block or restrict access to the port used by WU-FTPd, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provideimproved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPd.Disable anonymous FTP access.Disable WU-FTPd until a patch can be applied.



http://rhn.redhat.com/errata/RHSA-2001-157.html



147.144.19.11 (peachie.ccsf.cc.ca.us, -) Linux 2.2 port 21/tcp Active


5 Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067) (1)

QID: 90464Category: WindowsCVE ID: CVE-2008-4250Vendor Reference: MS08-067Bugtraq ID: 31874Modified: 02/12/2009Edited: No

THREAT:The Microsoft Windows Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows thesharing of local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communicationbetween applications running on other computers and your computer, which is used for RPC.

The Server service is vulnerable to remote code execution issue, due to the service not properly handling specially-crafted RPC requests. Any anonymoususer who can deliver a specially-crafted message to the affected system could try to exploit this vulnerability.Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):December 2008 Updates are Available (including for XPe SP3 and Standard)(http://blogs.msdn.com/embedded/archive/2008/12/26/december-2008-updates-are-available-including-for-xpe-sp3-and-standard.aspx)(KB958644)October 2008 Security Updates Include a Bonus(http://blogs.msdn.com/embedded/archive/2008/10/30/october-2008-security-updates-include-a-bonus.aspx) (KB958644)

IMPACT:An attacker who successfully exploits this vulnerability could take complete control of the affected system.

SOLUTION:Patch:Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4:http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3(http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3)Windows XP Service Pack 2:http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03(http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03)Windows XP Service Pack 3:http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03(http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03)Windows XP Professional x64 Edition:http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25(http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25)Windows XP Professional x64 Edition Service Pack 2:http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25(http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25)Windows Server 2003 Service Pack 1:http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D(http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D)Windows Server 2003 Service Pack 2:http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D(http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D)Windows Server 2003 x64 Edition:http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400(http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400)Windows Server 2003 x64 Edition Service Pack 2:http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400(http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400)Windows Server 2003 with SP1 for Itanium-based Systems:http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF(http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF)Windows Server 2003 with SP2 for Itanium-based Systems:


http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx



http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF(http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF)Windows Vista and Windows Vista Service Pack 1:http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD-AC5C-CAC7D8713B21(http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD-AC5C-CAC7D8713B21)For a complete list of patch download links, please refer to Micrsoft Security Bulletin MS08-067(http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx).


147.144.49.242 (s-arx169-kcsf.ccsf.cc.ca.us, -) Windows XP Service Pack 0-1 New

RESULTS:Detected through MSRPC Interface

4 SSH Protocol Version 1 Supported (17)

QID: 38304Category: General remote servicesCVE ID: CVE-2001-1473Vendor Reference: -Bugtraq ID: -Modified: 06/10/2009Edited: No

THREAT:SSH1 protocol was deprecated due to multiple vulnerabilities and design flaws.Among multiple vulnerabilities that exist in SSH protocol Version 1 are:

a CRC32 compensation attack detector vulnerability (buffer overflow)an unauthorized session key recovery problem

Multiple vendors' implementations are vulnerable due to the fact that these are protocol design errors. Version 2 of the SSH protocol fixed these errors.

Please refer to the following URLs for more information:

http://www.ciac.org/ciac/bulletins/m-017.shtml (http://www.ciac.org/ciac/bulletins/m-017.shtml)

http://www.kb.cert.org/vuls/id/684820 (http://www.kb.cert.org/vuls/id/684820)

IMPACT:The consequences of vulnerabilities present is SSH Version 1 include:

SSH protected traffic compromiseroot shell access to the system running SSH server

SOLUTION:Disable SSH1 support. See your vendor's Web site for information on how to disable SSH protocol Version 1 support. Some references are providedbelow:SSH Communications Security (http://www.ssh.com)F-Secure (http://www.f-secure.com)OpenSSH (http://www.openssh.org)

Note: Do not enable SSH Version 1 Fallback since systems with upgraded versions of SSH and with Fallback Version 1 enabled are still vulnerable.


147.144.1.214 (-, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp New



RESULTS:SSH1 supported yesSupported ciphers for SSH1 3des, blowfishSupported authentications for SSH1 RSA, password

147.144.1.249 (ns9.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp New


147.144.1.250 (ns7.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp New


147.144.1.251 (ns3.ccsf.cc.ca.us, -) Linux 2.4-2.6 / SonicWALL port 22/tcp New

RESULTS:SSH1 supported yesSupported ciphers for SSH1 3des, blowfishSupported authentications for SSH1 RSA, keyboard_interactive, password

147.144.1.252 (-, -) Linux 2.4-2.6 / SonicWALL port 22/tcp New


147.144.1.254 (-, INST-DC1) Windows 2000 Service Pack 3-4 port 22/tcp New



147.144.4.4 (-, -) HP-UX 11 port 22/tcp New


147.144.1.2 (hills.ccsf.cc.ca.us, -) HP-UX 11 port 22/tcp Active


147.144.1.3 (fog.ccsf.cc.ca.us, -) HP-UX 11 port 22/tcp Active


147.144.1.43 (ocean.ccsf.cc.ca.us, -) HP-UX 11 port 22/tcp Active


147.144.1.206 (webct0.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp Active


147.144.1.211 (sol.ccsf.cc.ca.us, -) Solaris 8 port 22/tcp Active



147.144.1.215 (webct3.ccsf.edu, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp Active


147.144.1.220 (cloudz.ccsf.cc.ca.us, -) BSDI BSD/OS 4.0.1 port 22/tcp Active


147.144.1.245 (gw3.ccsf.edu, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp Active

RESULTS:SSH1 supported yesSupported ciphers for SSH1 3des, blowfishSupported authentications for SSH1 RSA, keyboard_interactive

147.144.1.246 (gw4.ccsf.edu, BAT-GW4) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp Active


147.144.17.71 (wiz.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 22/tcp Active


4 Microsoft SQL Server 2000 Latest Patch Not Installed (2)

QID: 19090Category: DatabaseCVE ID: -Vendor Reference: -Bugtraq ID: -Modified: 05/14/2009


Edited: No

THREAT:The latest Microsoft SQL security hotfixes are not installed. This check makes sure that Service Pack 4 is installed. The current version detected is shownin the result section of the vulnerability report.

IMPACT:Microsoft SQL service packs and hotfixes are important because they fix a lot of security issues.

SOLUTION:Apply the latest service packs and hotfixes available for download from the Microsoft SQL Server Support Center (http://www.microsoft.com/sql/).



RESULTS:8.0.313

147.144.40.253 (rpg1.ccsf.cc.ca.us, -) Windows 2000 Service Pack 3-4 port 1433/tcp New

RESULTS:8.0.820

4 SSL Server Allows Anonymous Authentication Vulnerability (1)

QID: 38142Category: General remote servicesCVE ID: -Vendor Reference: -Bugtraq ID: -Modified: 07/07/2008Edited: No

THREAT:The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server usingan algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft InternetExplorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

A vulnerability exists in SSL communcations when clients are allowed to connectusing no authentication algorithm. SSL client-server communication may use several different types ofauthentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, thecommunications are vulnerable to a man-in-the-middle attack."

IMPACT:An attacker can exploit this vulnerability to impersonate your server to clients.

SOLUTION:Disable support for anonymous authentication.

1) Apache:Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:SSLProtocol -ALL +SSLv3 +TLSv1SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

2) IIS:For IIS please see: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services(http://support.microsoft.com/kb/187498/en-us), How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll(http://support.microsoft.com/kb/245030/en-us), How to Determine the Cipher Suite for the Server and Client(http://support.microsoft.com/kb/299520/en-us), , and How to restrict the use of certain ciphers in Internet Information Services 5.0(http://support.microsoft.com/kb/241447)

3) Wu-FTP:For Wu-FTP which supports TLS, the ciphers parameter in TLS configuration file should be set to -ALL +SSLv3 +TLSv1 For more details please consultthe docs/HOWTO/ssl_and_tls_ftpd.HOWTO file provided by wu-ftpd distribution.

Additional reading:http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html(http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html)

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite)

http://www.megasecurity.org/Info/ssl_servers.html (http://www.megasecurity.org/Info/ssl_servers.html)


147.144.1.206 (webct0.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 443/tcp over SSL Active

RESULTS:CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH

)GRADE

SSLv3 SUPPORTS CIPHERS WITH NOAUTHENTICATIONADH-RC4-MD5 DH None MD5 RC4(128) MEDIUMEXP-ADH-RC4-MD5 DH(512) None MD5 RC4(40) LOWTLSv1 SUPPORTS CIPHERS WITH NOAUTHENTICATIONADH-RC4-MD5 DH None MD5 RC4(128) MEDIUMEXP-ADH-RC4-MD5 DH(512) None MD5 RC4(40) LOWADH-DES-CBC3-SHA DH None SHA1 3DES(168) HIGHADH-DES-CBC-SHA DH None SHA1 DES(56) LOWEXP-ADH-DES-CBC-SHA DH(512) None SHA1 DES(40) LOW

4 SSL Server Allows Cleartext Communication Vulnerability (1)


THREAT:The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.


The client-server communication is general encrypted using a symmetric cipher like RC2, RC4, DES or 3DES. However, some SSL ciphers allowcommunication without encryption. This vulnerability allows anyone who can sniff the traffic between the client and the server to see the communication.

Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer.For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abortfurther communication on the secure channel. This vulnerability may not be exploitable for such configurations.

IMPACT:An attacker can exploit this vulnerability to read apparently secure communication.

SOLUTION:Disable ciphers which support cleartext communication.

Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:SSLProtocol -ALL +SSLv3 +TLSv1SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUMFor Apache/apache_ssl include the following line in the configuration file (httpsd.conf):SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

How to Control the Ciphers for SSL and TLS on IIS (http://support.microsoft.com/kb/245030)

For Novell Netware 6.5 please refer to the following document SSL Allows the use of Weak Ciphers. -TID10100633 (http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm)


147.144.1.206 (webct0.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Net port 443/tcp over SSL Active

RESULTS:CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADESSLv3 SUPPORTS CIPHERS WITH NO ENCRYPTIONNULL-SHA RSA RSA SHA1 None LOWNULL-MD5 RSA RSA MD5 None LOWTLSv1 SUPPORTS CIPHERS WITH NO ENCRYPTIONNULL-SHA RSA RSA SHA1 None LOWNULL-MD5 RSA RSA MD5 None LOW

4 Database Files Present on Anonymous FTP Server Vulnerability (2)

QID: 27026Category: File Transfer ProtocolCVE ID: CVE-1999-0527Vendor Reference: -Bugtraq ID: -Modified: 04/03/2009Edited: No

THREAT:Database files with a ".db" extension were found on the FTP Server.

IMPACT:Files with the .db extension may contain sensitive information. Please verify that these documents should be on the FTP server. If the document(s) areencrypted, they can easily be cracked. And, if the user uses the same password for encrypting documents as for logging on to the server, their useraccounts can be compromised.

SOLUTION:Remove all *.db files that are not required.

COMPLIANCE:



Not Applicable

147.144.1.219 (cloudy.ccsf.cc.ca.us, -) FreeBSD port 21/tcp New

RESULTS:/etc/pwd.db [user anonymous]

147.144.1.212 (cloud.ccsf.cc.ca.us, -) FreeBSD port 21/tcp Active

RESULTS:/etc/pwd.db [user anonymous]/etc/pwd.db [user ftp]

4 Null Session/Password NetBIOS Access (2)

QID: 70003Category: SMB / NETBIOSCVE ID: CVE-1999-0519Vendor Reference: -Bugtraq ID: -Modified: 10/08/2009Edited: No

THREAT:Unauthorized users can connect to this NetBIOS service without a password.

IMPACT:Unauthorized users may be able to exploit this vulnerability to obtain sensitive information about your system resources, such as a list of all accounts orshared resources on this host. For Windows hosts, unauthorized users may also be able to access the registry, and depending on the Windows version andregistry permission settings, make modifications to the registry.

SOLUTION:Null NetBIOS sessions can be disabled using the following methods:

Windows NT:

1. Set the following registry key: HKLM\System\CurrentControlSet\Control\Lsa Name: RestrictAnonymous Type: REG_DWORD Value: 12. Restart your computer.

Windows 2000:

1. Start "Control Panel-->Administrative Tools-->Local Security Policy".2. Open "Local Policies-->Security Options".3. Make sure "Additional restrictions of anonymous connections" is set to"No access without explicit anonymous permissions". 4. Restart your computer.

Windows XP/2003:

1. Start "Control Panel-->Administrative Tools-->Local Security Policy".2. Open "Local Policies-->Security Options".3. Make sure the following two policies are enabled: * Network Access: Do not allow anonymous enumeration of SAM accounts



* Network Access: Do not allow anonymous enumeration of SAM accounts and shares4. Disable Network Access: Let Everyone permissions apply to anonymous users.5. Restart your computer.

The above settings have no impact on domain controllers. If this vulnerability was discovered on a domain controller, please note that some of therecommended settings may not have any effect. Read the Microsoft article Description of Dcpromo Permissions Choices(http://support.microsoft.com/kb/257988/) for more information regarding Pre-Windows 2000 Compatible Access. Please read the Microsoft documentscalled How to Use the RestrictAnonymous Registry Value (http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) and Restricting AnonymousAccess (http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) for more information.

Samba: Make the following settings in smb.conf:* set "security" to "user" or "domain" or "server" as per your requirements.* set "map_to_guest" to "Never"

SECURITY = USERThis is the default security setting in Samba 2.2. With user-level security a client must first "log=on" with a valid username and password (which can bemapped using the username map parameter). Encrypted passwords can also be used in this security mode. Parameters such as user and guest only if set arethen applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

SECURITY = SERVERIn this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert tosecurity = user, but note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it musthave a valid smbpasswd file to check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up.

SECURITY = DOMAINThis mode will only work correctly if smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwordsparameter to be set to true. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup DomainController, in exactly the same way that a Windows NT Server would do.

A suggested workaround.Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment.Adding 'restrict anonymous = 2' in smb.conf can help resolve the issue.

For SAMBA 3.0 and Active DirectoryMake the following settings in smb.conf:security = ADS


147.144.1.246 (gw4.ccsf.edu, BAT-GW4) Linux 2.4-2.6 / Embedded Device / F5 Net New


147.144.1.254 (-, INST-DC1) Windows 2000 Service Pack 3-4 New


4 Remote User List Disclosure Using NetBIOS (1)

QID: 45003Category: Information gatheringCVE ID: CVE-2000-1200Vendor Reference: -



Bugtraq ID: 959Modified: 10/08/2009Edited: No

THREAT:A null session connection to the IPC$ share was successful. NetBIOS access can be obtained with any authenticated account on this host. Thereforeunauthorized users can steal the remote user list. This kind of attack is commonly exploited by users with weak passwords, such as the GUEST account.

IMPACT:By exploiting this vulnerability, unauthorized users can launch brute force password attacks and other intrusive attacks based on collected information.Employee, customer, and partner information may be gathered. Spamming the user list is also possible.

SOLUTION:It is recommended that you disable null sessions. Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment.Read the Microsoft documents called How to Use the RestrictAnonymous Registry Value(http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) and Restricting Anonymous Access(http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) for more information. If thisvulnerability was discovered on a domain controller, please note that some of the recommended settings may not have any effect. Read the Microsoftarticle Description of Dcpromo Permissions Choices (http://support.microsoft.com/kb/257988/) for more information regarding Pre-Windows 2000Compatible Access.

For Windows NT, setting this registry value limits only certain interfaces to this data. It is not possible to completely eliminate this vulnerability through aregistry setting.

There is another interesting Microsoft document called Local Policies(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6d1cf160-25c8-4b0f-90b5-428bf5c24eae.mspx) about Windowssecurity policies settings for local policies.

Windows XP onwards Microsoft has added more granular control to the anonymous user access by adding couple of more DWORD registry values in thesame key location as RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous. Set RestrictAnonymous = 1 to restrict shareinformation access, RestrictAnonymousSAM = 1 to prevent enumeration of SAM accounts (User Accounts) and EveryoneIncludesAnonymous = 0 toprevent null-sessions from having any rights. Setting the RestrictAnonymous value to 1 restricts null session access to unauthenticated users to all serverpipes and shares except those listed in the NullSessionPipes and NullSessionShares entries. Additionally setHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, NullSessionPipes and NullSessionShares, to a null string.

For Samba servers there is no direct way of disabling null session access. A workaround is to specify a non exisiting UNIX account in global section ofSamba config file. guest account = NON EXISTING USER.

Adding 'restrict anonymous = 2' in smb.conf can help resolve the issue.Note: Please be aware that changing the restrictanonymous setting to the highest security level for example restrictanonymous = 2 in windows 2000 maydisable older programs that make use of this account. It will also affect Windows NT 4.0 Domain Controllers from communicating with each otherbetween trust relationships.

If possible, filter out Microsoft networking ports such as TCP ports 135, 137, 138, 139, and UDP ports 135, 137, 138.


147.144.1.254 (-, INST-DC1) Windows 2000 Service Pack 3-4 New

RESULTS:bookloan 1190tboegel 1376gknapp 2083lindao 3086



ccruz 3095schou 3105creyes 3154arichard 3176mhock01 3266mvipusit 3336emmorris 3341fbanh 3634mentor-student 3644monizuka 3707mfelice 3839rallyn 3880tlamb 4006plee 4471ibell 4472lbritton 4474ecastill 4475nchinn 4476jchiu 4477mchu 4478tdang 4479cdevore 4480dgong 4482khanamur 4483kharper 4484shuey 4485njulin 4486akerrar 4487klau 4488tle 4489alira 4490hma 4491smance 4492amonroe 4494jpopely 4498asalonga 4499asimpson 4500astanley 4501pstrobel 4502ltsang 4504abader 4506cchu 4507kcolom 4508bhall 4509rheiman 4510ahoward 4511lhuynh 4512vkartash 4513ukukharc 4514klam 4515lleiva 4516tmccullo 4517emelnice 4518jmockbee 4519rmoore 4520


pnabhan 4521tnarlite 4522dnichols 4523aprum 4524msong 4525avelez 4526jwang 4527dyap 4528eyussen 4529vcrooks 4530abrawley 4531knawtsah 4532ssmith 4533llim 4534pcheung 4535hweeks 4536mgrier 4537jluddeke 4562ytang 4563tyip 4564acanning 4573ddarmo 4582

4 Linux Kernel Multiple Memory Leak Local Denial of Service Vulnerabilities (1)

QID: 115292Category: LocalCVE ID: -Vendor Reference: 2.6.14rc4Bugtraq ID: 15076Modified: 09/28/2007Edited: No

THREAT:Two local denial of service vulnerabilities affect the Linux kernel. These issues are due to a design flaw that creates memory leaks.

IMPACT:These vulnerabilities may be exploited by local users to consume excessive kernel resources, likely triggering a kernel crash and denying service tolegitimate users.

SOLUTION:For more information, read Red Hat advisory RHSA-2005:808-14 (http://www.redhat.com/support/errata/RHSA-2005-808.html).

A newer update RHSA-2007-0937 (http://rhn.redhat.com/errata/RHSA-2007-0937.html) is also available which obsoletes RHSA-2005-808


147.144.17.71 (wiz.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Net New

RESULTS:Detected through OS checks.

4 PPTP VPN Configuration Allows Weak MS-CHAPv1 Authentication (1)

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.14-rc4




THREAT:The configuration of a PPTP Virtual Private Network server on this host allows clients to authenticate using the weak MS-CHAPv1 protocol (Microsoft'svariation of Challenge Handshake Authentication Protocol, version 1), which contains several weaknesses. The most significant weakness is thatencryption keys negotiated by MS-CHAPv1 are used for both directions of the link. This allows an attacker with access to the encrypted data stream toeffectively decrypt all data in the data stream using a trivial XOR attack.

IMPACT:An attacker with access to the data stream between client and server may be able to decrypt the data stream, thus negating the effects of data encryption.This may lead to further attacks, such as session hijacking or password theft.

SOLUTION:Disable MS-CHAPv1 support on the VPN server, and only allow the stronger CHAP or MS-CHAPv2 protocols instead. Instructions on enabling theMS-CHAPv2 protocol are available at the MS-CHAP version 2 Web page(http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_RASS_MSCHAPv2.htm) on Microsoft's site.

For machines running Windows NT 4.0, Windows 95, or Windows 98, this may require applying the latest security patch. Refer to this document(http://www.schneier.com/paper-pptp.html) for details.


147.144.40.253 (rpg1.ccsf.cc.ca.us, -) Windows 2000 Service Pack 3-4 port 1723/tcp New



Appendix

Selected ScansDate : 07/05/2009 at 07:25:25 (GMT-0800)Active Hosts : 59Total Hosts : 269Type : On demandStatus : FinishedReference : scan/1246807525.1079Scanner Appliance : 64.39.104.154 (Scanner 5.1.39-1,Web 6.5.117-1,Vulnsigs 1.23.19-2)Duration : 00:47:34Title : InternetScanAsset Groups : ServerGroupIPs : 147.144.1.0-147.144.1.255, 147.144.4.4, 147.144.17.71-147.144.17.72, 147.144.19.11,

147.144.20.19, 147.144.20.40, 147.144.33.130, 147.144.40.253, 147.144.49.242,147.144.51.52, 147.144.55.252, 147.144.55.254, 147.144.79.245

Options Profile : Initial OptionsDate : 07/05/2009 at 08:15:41 (GMT-0800)Active Hosts : 58Total Hosts : 269Type : On demandStatus : FinishedReference : scan/1246810541.23046Scanner Appliance : 64.39.104.177 (Scanner 5.1.39-1,Web 6.5.117-1,Vulnsigs 1.23.19-2)Duration : 00:39:30Title : full-access-scanAsset Groups : ServerGroupIPs : 147.144.1.0-147.144.1.255, 147.144.4.4, 147.144.17.71-147.144.17.72, 147.144.19.11,

147.144.20.19, 147.144.20.40, 147.144.33.130, 147.144.40.253, 147.144.49.242,147.144.51.52, 147.144.55.252, 147.144.55.254, 147.144.79.245

Options Profile : Initial Options

Options Profile

Initial Options

Scan SettingsPorts:Scanned TCP Ports: Standard ScanScanned UDP Ports: Standard ScanScan Dead Hosts: OffLoad Balancer Detection: OffPerform 3-way Handshake: OffVulnerability Detection: CompletePassword Brute Forcing:System: DisabledCustom: DisabledAuthentication:Windows: DisabledUnix: DisabledOracle: DisabledOracle Listener: DisabledSNMP: DisabledOverall Performance: NormalHosts to Scan in Parallel:


External Scanners: 15Scanner Appliances: 30Processes to Run in Parallel:Total: 10HTTP: 10Packet (Burst) Delay: MediumPort Scanning and Host Discovery:Intensity: Normal

Advanced SettingsHost Discovery: TCP Standard Scan, UDP Standard Scan, ICMP OnIgnore RST packets: OffIgnore firewall-generated SYN-ACK packets: OffDo not send ACK or SYN-ACK packets during host discovery: Off

Report FiltersVulnerability Lists: Scan Report Template: High Severity ReportQIDs: 1001, 1002, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1016, 1017,

1019, 1021, 1022, 1023, 1024, 1025, 1026, 1114, 1115, 1116, 1117, 1119, 1120, 1121,1122, 1125, 1126, 1128, 1129, 1131, 1132, 1133, 1134, 1135, 1137, 1138, 1139, 1140,1141, 1142, 1143, 1144, 1145, 1146, 1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154,1155, 1156, 1157, 1158, 1159, 1160, 1161, 1163, 1166, 1167, 1168, 1169, 1171, 1172,1173, 1175, 1176, 1177, 1178, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188,1190, 1191, 1192, 1193, 1195, 1199, 1201, 1203, 1204, 1205, 1206, 1207, 1210, 1212,1213, 1214, 1216, 1217, 1222, 1224, 1225, 1226, 1227, 1228, 1232, 1406, 2600, 5000,5005, 10000, 10001, 10003, 10004, 10006, 10007, 10008, 10009, 10010, 10012, 10013,10014, 10017, 10018, 10021, 10022, 10024, 10025, 10026, 10027, 10028, 10029, 10031,10032, 10034, 10035, 10036, 10037, 10038, 10040, 10042, 10044, 10045, 10048, 10049,10053, 10054, 10056, 10057, 10059, 10062, 10065, 10066, 10067, 10069, 10070, 10071,10072, 10073, 10074, 10079, 10082, 10087, 10090, 10094, 10096, 10098, 10103, 10107,10109, 10113, 10114, 10117, 10122, 10123, 10124, 10126, 10127, 10129, 10130, 10131,10132, 10134, 10135, 10137, 10141, 10142, 10143, 10144, 10146, 10151, 10154, 10158,10161, 10162, 10163, 10164, 10165, 10167, 10168, 10170, 10171, 10174, 10177, 10180,10181, 10184, 10188, 10191, 10192, 10194, 10195, 10197, 10200, 10204, 10206, 10208,10212, 10216, 10218, 10220, 10221, 10222, 10223, 10230, 10232, 10233, 10236, 10237,10239, 10243, 10244, 10245, 10249, 10250, 10252, 10253, 10254, 10257, 10258, 10259,10260, 10263, 10265, 10266, 10268, 10328, 10329, 10332, 10333, 10335, 10336, 10341,10342, 10346, 10349, 10353, 10355, 10356, 10357, 10359, 10361, 10364, 10365, 10367,10371, 10374, 10375, 10381, 10383, 10386, 10389, 10392, 10394, 10396, 10397, 10398,10399, 10401, 10402, 10403, 10404, 10405, 10406, 10409, 10410, 10411, 10412, 10413,10415, 10416, 10417, 10418, 10428, 10429, 10430, 10431, 10435, 10436, 10438, 10451,10454, 10467, 10486, 10490, 10493, 10521, 10524, 10525, 10534, 10536, 10537, 10540,10557, 10558, 10568, 10570, 10571, 10572, 10577, 10578, 10580, 10581, 10583, 10584,10585, 10586, 10587, 10590, 10623, 10624, 10625, 10626, 10630, 10633, 10636, 10647,10650, 10651, 10655, 10656, 10662, 10664, 10669, 10670, 10681, 10684, 10694, 10701,10702, 10703, 10704, 10710, 10711, 10712, 10715, 10719, 10720, 10723, 10730, 10732,10734, 10739, 10740, 10746, 10752, 10753, 10758, 10760, 10779, 10784, 10789, 10794,10798, 10802, 10808, 10810, 10812, 10821, 10822, 10832, 10837, 10848, 10849, 10850,10854, 10855, 10856, 10861, 10863, 10865, 10867, 10869, 10870, 10871, 10872, 10873,10874, 10875, 10876, 10877, 10879, 10885, 10886, 10888, 10890, 10893, 10897, 10900,10901, 10916, 10918, 10932, 10935, 10942, 10943, 10949, 10952, 10957, 10958, 10964,10965, 10966, 10967, 10968, 10969, 10970, 10971, 10972, 10975, 10977, 10978, 10979,10980, 10982, 10984, 10987, 10988, 10989, 10990, 10991, 10992, 10997, 11003, 11005,11008, 11009, 11013, 11024, 11027, 11039, 11040, 11041, 11048, 11050, 11054, 11057,11058, 11060, 11064, 11068, 11080, 11081, 11083, 11085, 11089, 11090, 11092, 11093,11096, 11098, 11104, 11105, 11106, 11108, 11112, 11113, 11116, 11118, 11119, 11120,11123, 11132, 11133, 11145, 11157, 11158, 11159, 11161, 11164, 11166, 11167, 11170,11177, 11180, 11182, 11184, 11186, 11187, 11188, 11194, 11195, 11196, 11198, 11200,11202, 11205, 11210, 11211, 11212, 11213, 11214, 11215, 11218, 11219, 11223, 11230,11232, 11233, 11236, 11237, 11238, 11241, 11243, 11245, 11246, 11247, 11250, 11251,11259, 11263, 11265, 11270, 11271, 11272, 11278, 11281, 11283, 11285, 11296, 11297,11300, 11304, 11305, 11307, 11309, 11310, 11312, 11318, 11326, 11327, 11329, 11337,11339, 11348, 11362, 11364, 11366, 11371, 11372, 11384, 11386, 11390, 11396, 11400,11413, 11415, 11417, 11419, 11430, 11436, 11437, 11438, 11439, 11440, 11452, 11453,11455, 11458, 11464, 11465, 11466, 11467, 11468, 11473, 11481, 11482, 11483, 11485,12001, 12002, 12003, 12005, 12010, 12017, 12018, 12020, 12023, 12025, 12026, 12027,12030, 12032, 12035, 12036, 12039, 12041, 12042, 12043, 12045, 12047, 12050, 12052,12053, 12054, 12055, 12056, 12057, 12060, 12062, 12067, 12068, 12069, 12075, 12077,12079, 12080, 12081, 12082, 12085, 12097, 12098, 12099, 12100, 12103, 12119, 12121,12128, 12133, 12135, 12138, 12139, 12141, 12142, 12151, 12153, 12157, 12165, 12168,12175, 12177, 12178, 12183, 12186, 12191, 12193, 12195, 12196, 12205, 12210, 12211,12212, 12214, 12221, 12236, 12258, 12260, 12263, 12278, 15033, 15037, 15039, 15040,15041, 15042, 15043, 15044, 15047, 19001, 19003, 19004, 19005, 19013, 19029, 19058,19059, 19060, 19061, 19064, 19065, 19066, 19067, 19068, 19069, 19070, 19071, 19078,19086, 19089, 19090, 19091, 19093, 19094, 19096, 19099, 19103, 19106, 19107, 19108,19109, 19112, 19124, 19146, 19147, 19150, 19151, 19154, 19155, 19156, 19157, 19158,


19159, 19160, 19161, 19162, 19164, 19197, 19203, 19205, 19210, 19211, 19215, 19216,19219, 19223, 19227, 19231, 19232, 19238, 19260, 19267, 19277, 19278, 19279, 19280,19281, 19282, 19283, 19284, 19285, 19286, 19287, 19288, 19289, 19290, 19291, 19292,19293, 19294, 19295, 19296, 19297, 19298, 19299, 19300, 19301, 19302, 19303, 19304,19305, 19306, 19308, 19309, 19310, 19311, 19312, 19313, 19314, 19315, 19316, 19317,19318, 19319, 19320, 19321, 19322, 19323, 19324, 19325, 19326, 19327, 19328, 19329,19330, 19331, 19332, 19333, 19334, 19336, 19337, 19338, 19339, 19340, 19341, 19342,19343, 19344, 19345, 19346, 19347, 19348, 19349, 19350, 19351, 19352, 19353, 19354,19355, 19356, 19357, 19358, 19359, 19360, 19361, 19362, 19363, 19364, 19365, 19366,19367, 19368, 19369, 19370, 19371, 19372, 19373, 19374, 19375, 19376, 19377, 19378,19379, 19380, 19381, 19382, 19383, 19384, 19385, 19386, 19387, 19388, 19389, 19390,19391, 19392, 19393, 19394, 19395, 19396, 19397, 19398, 19399, 19400, 19401, 19402,19403, 19404, 19405, 19406, 19407, 19408, 19409, 19413, 19414, 19415, 19416, 19417,19418, 19419, 19420, 19421, 19422, 19423, 19424, 19425, 19426, 19427, 19428, 19429,19430, 19431, 19432, 19433, 19434, 19435, 19436, 19437, 19438, 19439, 19440, 19441,19442, 19443, 19444, 19445, 19446, 19447, 19448, 19449, 19450, 19451, 19452, 19453,19454, 19455, 19456, 19457, 19458, 19459, 19460, 19461, 19462, 19463, 19468, 19469,19470, 19471, 19472, 19474, 19475, 19476, 19477, 19478, 19479, 19480, 19481, 19482,19483, 19484, 19485, 19486, 19487, 19488, 19489, 19490, 19491, 19494, 19495, 19496,19497, 19498, 19499, 23004, 23005, 23007, 23008, 23009, 23011, 23012, 23013, 23014,23016, 27002, 27004, 27006, 27007, 27009, 27011, 27014, 27017, 27018, 27023, 27024,27026, 27027, 27028, 27031, 27032, 27040, 27041, 27045, 27047, 27049, 27051, 27064,27068, 27069, 27071, 27075, 27076, 27078, 27080, 27081, 27086, 27089, 27092, 27094,27095, 27099, 27101, 27104, 27106, 27107, 27110, 27111, 27112, 27116, 27117, 27118,27125, 27126, 27130, 27133, 27135, 27142, 27143, 27145, 27146, 27150, 27151, 27152,27153, 27160, 27161, 27163, 27164, 27165, 27166, 27167, 27169, 27170, 27171, 27174,27179, 27181, 27185, 27191, 27192, 27193, 27197, 27203, 27204, 27205, 27206, 27207,27210, 27211, 27217, 27221, 27222, 27223, 27228, 27229, 27234, 27236, 27244, 27245,27247, 27257, 27258, 27265, 27279, 27302, 31004, 31005, 31006, 31007, 31008, 31013,31014, 34008, 34016, 34019, 34023, 34024, 34025, 34030, 34039, 38008, 38022, 38023,38024, 38026, 38027, 38028, 38031, 38036, 38037, 38043, 38048, 38053, 38054, 38064,38066, 38068, 38071, 38075, 38076, 38078, 38083, 38087, 38097, 38103, 38105, 38106,38108, 38109, 38110, 38123, 38125, 38133, 38134, 38137, 38142, 38143, 38146, 38156,38157, 38158, 38160, 38161, 38162, 38175, 38176, 38180, 38182, 38183, 38184, 38185,38187, 38188, 38189, 38197, 38207, 38212, 38215, 38216, 38222, 38224, 38225, 38227,38228, 38231, 38233, 38244, 38259, 38261, 38264, 38271, 38272, 38276, 38278, 38279,38281, 38283, 38286, 38288, 38304, 38305, 38308, 38314, 38315, 38316, 38317, 38318,38320, 38321, 38326, 38330, 38332, 38334, 38335, 38338, 38340, 38345, 38346, 38347,38350, 38355, 38356, 38357, 38358, 38360, 38361, 38362, 38363, 38364, 38365, 38367,38368, 38369, 38370, 38371, 38373, 38374, 38376, 38377, 38380, 38381, 38382, 38385,38386, 38387, 38388, 38389, 38390, 38391, 38392, 38393, 38394, 38395, 38396, 38398,38399, 38400, 38403, 38405, 38406, 38410, 38412, 38415, 38417, 38419, 38423, 38446,38455, 38461, 38469, 38473, 38475, 38482, 38483, 38484, 38486, 38490, 38504, 38506,38511, 38516, 38531, 38535, 38545, 38546, 38553, 38554, 38555, 38560, 38561, 38562,38565, 38566, 38569, 38570, 38571, 38574, 38575, 38576, 38578, 38583, 38586, 38590,38595, 42005, 42006, 42007, 42008, 42020, 43001, 43002, 43005, 43008, 43010, 43014,43016, 43017, 43018, 43021, 43023, 43057, 43061, 43064, 43065, 43066, 43067, 43068,43069, 43070, 43072, 43076, 43088, 43090, 43117, 43119, 43122, 43123, 43124, 43125,43126, 43127, 43128, 43129, 45003, 50001, 50002, 50007, 50008, 50014, 50015, 50023,50025, 50027, 50029, 50034, 50035, 50036, 50037, 50039, 50044, 50051, 50054, 50062,50066, 50067, 50068, 50071, 50073, 50074, 50076, 50077, 50080, 50081, 50083, 50085,50086, 50088, 54000, 54001, 54002, 54003, 54010, 62004, 62005, 62013, 62024, 62025,62029, 62030, 62033, 62034, 62036, 62037, 62040, 62042, 62043, 62045, 62046, 62052,62054, 62059, 66001, 66010, 66011, 66031, 66034, 66038, 66049, 68504, 68507, 68517,68518, 68520, 68522, 68524, 68528, 68530, 68531, 68532, 68533, 70002, 70003, 70005,70006, 70014, 70016, 70017, 70023, 70024, 70029, 70032, 70034, 70036, 70037, 70042,70043, 70044, 70046, 70050, 74016, 74024, 74027, 74030, 74031, 74047, 74048, 74049,74051, 74052, 74054, 74057, 74059, 74062, 74063, 74064, 74065, 74066, 74070, 74071,74072, 74074, 74075, 74080, 74081, 74086, 74106, 74111, 74112, 74121, 74129, 74131,74133, 74135, 74138, 74139, 74140, 74143, 74146, 74149, 74151, 74152, 74154, 74155,74156, 74157, 74162, 74164, 74167, 74168, 74169, 74170, 74172, 74174, 74175, 74177,74178, 74179, 74180, 74181, 74182, 74185, 74198, 74206, 74213, 74214, 74219, 74228,74232, 78029, 78031, 78035, 78039, 78041, 78043, 78044, 82043, 82051, 82060, 86011,86019, 86020, 86021, 86026, 86027, 86028, 86030, 86034, 86036, 86038, 86040, 86042,86043, 86052, 86053, 86056, 86059, 86060, 86061, 86067, 86070, 86073, 86075, 86083,86084, 86088, 86092, 86109, 86112, 86114, 86135, 86140, 86164, 86168, 86169, 86170,86182, 86183, 86185, 86187, 86188, 86195, 86211, 86212, 86213, 86215, 86217, 86218,86219, 86220, 86224, 86225, 86227, 86228, 86231, 86235, 86236, 86237, 86238, 86239,86242, 86243, 86250, 86255, 86260, 86261, 86266, 86271, 86276, 86281, 86294, 86300,86305, 86328, 86329, 86352, 86353, 86355, 86368, 86372, 86375, 86385, 86389, 86398,86401, 86403, 86411, 86418, 86426, 86427, 86430, 86440, 86441, 86443, 86446, 86447,86450, 86451, 86452, 86453, 86458, 86459, 86460, 86461, 86464, 86465, 86466, 86467,86468, 86470, 86479, 86504, 86505, 86507, 86508, 86510, 86512, 86514, 86515, 86518,86520, 86522, 86525, 86526, 86527, 86530, 86531, 86536, 86537, 86546, 86547, 86548,86551, 86553, 86555, 86560, 86561, 86566, 86568, 86571, 86574, 86582, 86588, 86596,86598, 86603, 86604, 86607, 86614, 86620, 86631, 86634, 86635, 86644, 86651, 86652,86654, 86655, 86661, 86663, 86668, 86669, 86673, 86674, 86675, 86678, 86682, 86684,86686, 86689, 86690, 86691, 86702, 86707, 86832, 86837, 90005, 90028, 90032, 90049,90050, 90051, 90054, 90056, 90064, 90070, 90071, 90072, 90073, 90075, 90078, 90079,90085, 90086, 90089, 90102, 90103, 90104, 90108, 90109, 90110, 90111, 90112, 90113,90115, 90122, 90123, 90125, 90131, 90132, 90133, 90134, 90135, 90137, 90140, 90141,90153, 90155, 90158, 90160, 90161, 90162, 90164, 90166, 90167, 90168, 90169, 90171,90172, 90176, 90178, 90180, 90182, 90183, 90184, 90185, 90186, 90187, 90188, 90189,90190, 90192, 90193, 90198, 90199, 90200, 90201, 90202, 90203, 90204, 90205, 90207,90211, 90212, 90215, 90216, 90217, 90221, 90222, 90223, 90225, 90227, 90228, 90229,90230, 90231, 90233, 90234, 90237, 90240, 90241, 90242, 90243, 90247, 90249, 90252,90253, 90256, 90261, 90262, 90267, 90268, 90270, 90271, 90273, 90274, 90275, 90276,90278, 90280, 90282, 90283, 90284, 90286, 90289, 90291, 90292, 90296, 90297, 90301,


90303, 90305, 90307, 90308, 90309, 90311, 90312, 90314, 90316, 90318, 90319, 90327,90328, 90329, 90336, 90337, 90338, 90339, 90340, 90341, 90342, 90343, 90345, 90351,90352, 90355, 90356, 90361, 90363, 90364, 90365, 90367, 90368, 90370, 90371, 90372,90377, 90378, 90379, 90380, 90381, 90382, 90383, 90385, 90388, 90389, 90390, 90392,90393, 90394, 90395, 90397, 90398, 90401, 90403, 90404, 90405, 90406, 90407, 90408,90409, 90414, 90417, 90418, 90419, 90420, 90423, 90425, 90427, 90428, 90430, 90431,90432, 90433, 90434, 90435, 90437, 90438, 90439, 90441, 90444, 90445, 90448, 90449,90450, 90452, 90453, 90455, 90457, 90458, 90459, 90460, 90461, 90462, 90463, 90464,90466, 90467, 90469, 90470, 90471, 90472, 90473, 90474, 90475, 90477, 90478, 90479,90481, 90482, 90483, 90484, 90488, 90490, 90493, 90495, 90499, 90501, 90502, 90503,90504, 90506, 90510, 90511, 90512, 90513, 90514, 90515, 90516, 90517, 90518, 90519,90521, 90522, 90523, 90524, 90525, 90526, 90527, 90528, 90529, 90530, 90531, 90535,90537, 90543, 90544, 90545, 90546, 90547, 90549, 90550, 90551, 90552, 90554, 90565,90566, 90567, 90568, 95001, 95005, 95006, 95007, 100000, 100001, 100002, 100003,100004, 100006, 100007, 100008, 100018, 100022, 100024, 100025, 100026, 100028,100029, 100030, 100031, 100032, 100033, 100034, 100035, 100036, 100037, 100038,100039, 100045, 100046, 100047, 100050, 100051, 100052, 100053, 100054, 100055,100056, 100057, 100058, 100059, 100063, 100064, 100065, 100067, 100070, 100071,100073, 105007, 105010, 105012, 105029, 105030, 105081, 105082, 105095, 105096,110001, 110002, 110003, 110004, 110006, 110007, 110008, 110009, 110010, 110011,110012, 110014, 110015, 110017, 110018, 110019, 110020, 110023, 110025, 110026,110027, 110028, 110029, 110031, 110032, 110033, 110034, 110035, 110036, 110038,110041, 110042, 110043, 110044, 110045, 110046, 110048, 110049, 110050, 110051,110052, 110053, 110054, 110055, 110056, 110057, 110059, 110060, 110062, 110063,110064, 110065, 110066, 110067, 110069, 110070, 110071, 110072, 110073, 110074,110075, 110076, 110077, 110078, 110079, 110080, 110081, 110082, 110083, 110084,110085, 110086, 110088, 110090, 110092, 110093, 110094, 110095, 110096, 110097,110098, 110099, 110100, 110101, 110111, 115000, 115001, 115002, 115003, 115005,115006, 115007, 115013, 115014, 115015, 115016, 115018, 115020, 115021, 115022,115024, 115025, 115028, 115036, 115037, 115038, 115039, 115043, 115047, 115053,115060, 115260, 115270, 115272, 115280, 115281, 115289, 115292, 115293, 115297,115299, 115301, 115302, 115304, 115306, 115312, 115341, 115345, 115346, 115354,115359, 115361, 115363, 115372, 115373, 115375, 115376, 115382, 115383, 115384,115385, 115388, 115395, 115398, 115400, 115403, 115406, 115409, 115411, 115413,115414, 115416, 115417, 115419, 115422, 115425, 115427, 115429, 115431, 115436,115437, 115440, 115441, 115445, 115446, 115447, 115448, 115449, 115454, 115461,115462, 115466, 115470, 115471, 115475, 115478, 115479, 115480, 115483, 115486,115488, 115492, 115493, 115499, 115500, 115501, 115512, 115515, 115516, 115517,115520, 115521, 115523, 115527, 115532, 115533, 115535, 115539, 115540, 115541,115544, 115545, 115550, 115551, 115557, 115560, 115564, 115568, 115571, 115574,115578, 115579, 115581, 115582, 115586, 115589, 115592, 115593, 115595, 115596,115597, 115598, 115599, 115601, 115603, 115604, 115620, 115622, 115629, 115631,115634, 115640, 115641, 115647, 115648, 115649, 115650, 115656, 115658, 115659,115661, 115665, 115666, 115668, 115670, 115673, 115674, 115675, 115676, 115678,115679, 115681, 115683, 115687, 115688, 115689, 115690, 115694, 115695, 115698,115701, 115707, 115708, 115709, 115710, 115711, 115722, 115725, 115732, 115739,115740, 115746, 115748, 115752, 115753, 115754, 115763, 115764, 115765, 115772,115775, 115778, 115779, 115781, 115785, 115790, 115793, 115796, 115802, 115803,115807, 115808, 115809, 115811, 115812, 115816, 115817, 115818, 115819, 115823,115824, 115828, 115829, 115836, 115838, 115842, 115847, 115848, 115851, 115852,115855, 115859, 115860, 115862, 115865, 115866, 115870, 115872, 115876, 115879,115885, 115894, 115901, 115903, 115908, 115918, 115921, 115924, 115925, 115926,115928, 115932, 115935, 115937, 115940, 115943, 115944, 115949, 115955, 115959,115960, 115963, 115967, 115969, 115978, 115979, 115983, 115987, 115989, 115991,115992, 115995, 115996, 116003, 116007, 116011, 116012, 116017, 116025, 116027,116031, 116032, 116035, 116039, 116044, 116046, 116063, 116068, 116069, 116081,116086, 116088, 116089, 116091, 116109, 116114, 116134, 116136, 116137, 116139,116142, 116143, 116145, 116148, 116149, 116151, 116155, 116164, 116170, 116172,116173, 116174, 116178, 116179, 116180, 116181, 116182, 116184, 116185, 116194,116195, 116196, 116197, 116205, 116215, 116219, 116220, 116232, 116234, 116238,116244, 116247, 116255, 116257, 116258, 116261, 116263, 116264, 116273, 116275,116281, 116311, 116318, 116328, 116333, 116334, 116339, 116345, 116348, 116351,116353, 116358, 116360, 116363, 116367, 116369, 116374, 116384, 116385, 116387,116389, 116390, 116391, 116393, 116395, 116396, 116399, 116400, 116403, 116407,116408, 116416, 116420, 116423, 116424, 116428, 116429, 116431, 116437, 116440,116443, 116453, 116455, 116459, 116461, 116463, 116471, 116473, 116474, 116477,116484, 116496, 116509, 116510, 116517, 116521, 116528, 116529, 116530, 116535,116536, 116539, 116542, 116547, 116548, 116552, 116553, 116556, 116602, 116603,116607, 116608, 116609, 116624, 116635, 116637, 116645, 116650, 116660, 116672,116677, 150000, 150001, 150003, 150012, 150013, 150046, 150047, 150048, 150049,155358, 175000, 175001, 175002, 175003

Status: New, Active, Re-OpenedVulnerabilities: State:ActiveIncluded Operating Systems: All Operating Systems

Report Legend

Vulnerability LevelsA Vulnerability is a design flaw or mis-configuration which makes your network (or a host on your network) susceptible to malicious attacks from local or remote users.Vulnerabilities can exist in several areas of your network, such as in your firewalls, FTP servers, Web servers, operating systems or CGI bins. Depending on the level of thesecurity risk, the successful exploitation of a vulnerability can vary from the disclosure of information about the host to a complete compromise of the host.

Severity Level Description



1 Minimal Intruders can collect information about the host (open ports, services, etc.) and may beable to use this information to find other vulnerabilities.

2 Medium Intruders may be able to collect sensitive information from the host, such as theprecise version of software installed. With this information, intruders can easilyexploit known vulnerabilities specific to software versions.

3 Serious Intruders may be able to gain access to specific information stored on the host,including security settings. This could result in potential misuse of the host byintruders. For example, vulnerabilities at this level may include partial disclosure offile contents, access to certain files on the host, directory browsing, disclosure offiltering rules and security mechanisms, denial of service attacks, and unauthorized useof services, such as mail-relaying.

4 Critical Intruders can possibly gain control of the host, or there may be potential leakage ofhighly sensitive information. For example, vulnerabilities at this level may includefull read access to files, potential backdoors, or a listing of all the users on thehost.

5 Urgent Intruders can easily gain control of the host, which can lead to the compromise of yourentire network security. For example, vulnerabilities at this level may include fullread and write access to files, remote execution of commands, and the presence ofbackdoors.

Potential Vulnerability LevelsA potential vulnerability is one which we cannot confirm exists. The only way to verify the existence of such vulnerabilities on your network would be to perform anintrusive scan, which could result in a denial of service. This is strictly against our policy. Instead, we urge you to investigate these potential vulnerabilities further.


1 Minimal If this vulnerability exists on your system, intruders can collect information about thehost (open ports, services, etc.) and may be able to use this information to find othervulnerabilities.

2 Medium If this vulnerability exists on your system, intruders may be able to collect sensitiveinformation from the host, such as the precise version of software installed. With thisinformation, intruders can easily exploit known vulnerabilities specific to softwareversions.

3 Serious If this vulnerability exists on your system, intruders may be able to gain access tospecific information stored on the host, including security settings. This could resultin potential misuse of the host by intruders. For example, vulnerabilities at this levelmay include partial disclosure of file contents, access to certain files on the host,directory browsing, disclosure of filtering rules and security mechanisms, denial ofservice attacks, and unauthorized use of services, such as mail-relaying.

4 Critical If this vulnerability exists on your system, intruders can possibly gain control of thehost, or there may be potential leakage of highly sensitive information. For example,vulnerabilities at this level may include full read access to files, potentialbackdoors, or a listing of all the users on the host.

5 Urgent If this vulnerability exists on your system, intruders can easily gain control of thehost, which can lead to the compromise of your entire network security. For example,vulnerabilities at this level may include full read and write access to files, remoteexecution of commands, and the presence of backdoors.

Information GatheredInformation Gathered includes visible information about the network related to the host, such as traceroute information, Internet Service Provider (ISP), or a list ofreachable hosts. Information Gathered severity levels also include Network Mapping data, such as detected firewalls, SMTP banners, or a list of open TCP services.


1 Minimal Intruders may be able to retrieve sensitive information related to the host, such asopen UDP and TCP services lists, and detection of firewalls.

2 Medium Intruders may be able to determine the operating system running on the host, and view banner versions.

3 Serious Intruders may be able to detect highly sensitive data, such as global system user lists.


This report was generated with an evaluation version of qualysguardThis report was generated with an evaluation version of qualysguard

CONFIDENTIAL AND PROPRIETARY INFORMATION.Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete orerror-free. Copyright 2009, Qualys, Inc.

A2E-Dataway High Severity Report- IntranetScan

Documents

Transcript of A2E-Dataway High Severity Report- IntranetScan