A2F-Dataway High Severity Host Report- IntranetScan

Dataway High Severity Host Report page 1

Dataway High Severity Host ReportNovember 12, 2009

This report was generated with an evaluation version of qualysguardThis report was generated with an evaluation version of qualysguard

Report SummaryUser Name: eoghan o'neillLogin Name: ccsf_enCompany: ccsfUser Role: ManagerAddress: 180 redwood st suite 300City: san franciscoState: CaliforniaZip: 94102Country: United States of AmericaCreated: 11/12/2009 at 18:10:50 (GMT-0800)Template Title: Dataway High Severity Host ReportSort by: HostIP Restriction: -Hosts Matching Filters: 25scan/1246807525.1079: 07/05/2009 at 07:25:25 (GMT-0800)scan/1246810541.23046: 07/05/2009 at 08:15:41 (GMT-0800)

Summary of Vulnerabilities

Vulnerabilities Total 45 (+28) Average Security Risk 1.9

by StatusStatus Confirmed Potential Total New 28 - 28Active 17 - 17Re-Opened 0 - 0Total 45 - 45Fixed 0 - 0Changed 28 - 28

by SeveritySeverity Confirmed (Trend) Potential (Trend) Information Gathered Total (Trend) 5 17 (0) - - - 17 (+13)4 28 (0) - - - 28 (+15)3 0 (0) - - - 0 (0) -2 0 (0) - - - 0 (0) -1 0 (0) - - - 0 (0) -Total 45 (0) - - - 45 (+28)

5 Biggest CategoriesCategory Confirmed (Trend) Potential (Trend) Information Gathered Total (Trend) General remote services 25 (0) - - - 25 (+11)Database 8 (0) - - - 8 (+8)File Transfer Protocol 4 (0) - - - 4 (+1)

dhotchkiss

Text Box

Attachment 2F


Category Confirmed (Trend) Potential (Trend) Information Gathered Total (Trend) Web server 2 (0) - - - 2 (+2)SMB / NETBIOS 2 (0) - - - 2 (+2)Total 41 (0) - - - 41 (+24)

Vulnerabilities by Severity

Potential Vulnerabilities by Severity


Information Gathered by Severity

Operating Systems Detected


Services Detected


Services Detected (Continued)

Detailed Results

147.144.1.2 (hills.ccsf.cc.ca.us, -) HP-UX 11

Vulnerabilities (1)

4 Activeport 22/tcpSSH Protocol Version 1 Supported

QID: 38304Category: General remote servicesCVE ID: CVE-2001-1473Vendor Reference: -Bugtraq ID: -Modified: 06/10/2009Edited: No

THREAT:SSH1 protocol was deprecated due to multiple vulnerabilities and design flaws.Among multiple vulnerabilities that exist in SSH protocol Version 1 are:

a CRC32 compensation attack detector vulnerability (buffer overflow)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1473


an unauthorized session key recovery problem

Multiple vendors' implementations are vulnerable due to the fact that these are protocol design errors. Version 2 of the SSH protocol fixed these errors.

Please refer to the following URLs for more information:

http://www.ciac.org/ciac/bulletins/m-017.shtml (http://www.ciac.org/ciac/bulletins/m-017.shtml)

http://www.kb.cert.org/vuls/id/684820 (http://www.kb.cert.org/vuls/id/684820)

IMPACT:The consequences of vulnerabilities present is SSH Version 1 include:

SSH protected traffic compromiseroot shell access to the system running SSH server

SOLUTION:Disable SSH1 support. See your vendor's Web site for information on how to disable SSH protocol Version 1 support. Some references are provided below:SSH Communications Security (http://www.ssh.com)F-Secure (http://www.f-secure.com)OpenSSH (http://www.openssh.org)

Note: Do not enable SSH Version 1 Fallback since systems with upgraded versions of SSH and with Fallback Version 1 enabled are still vulnerable.

COMPLIANCE:Not Applicable

RESULTS:SSH1 supported yesSupported ciphers for SSH1 3des, blowfishSupported authentications for SSH1 RSA, keyboard_interactive, password

147.144.1.3 (fog.ccsf.cc.ca.us, -) HP-UX 11

Vulnerabilities (1)




a CRC32 compensation attack detector vulnerability (buffer overflow)an unauthorized session key recovery problem













147.144.1.18 (-, -) IBM 4400 Printer

Vulnerabilities (1)

5 Newport 631/tcpMultiple CUPS Vulnerabilities

QID: 38160Category: General remote servicesCVE ID: CVE-2002-1369, CVE-2002-1371, CVE-2002-1367, CVE-2002-1368, CVE-2002-1372, CVE-2002-1383Vendor Reference: RHSA-2002-295Bugtraq ID: 6438Modified: 06/11/2009Edited: No

THREAT:CUPS, Common Unix Printing System, is a widely used set of printing utilities for Unix-based systems. Several vulnerabilities have been reported in versions priorto 1.1.18.

1) CUPS makes it possible for attackers to execute code with root privileges. The vulnerability exists in the jobs.c source file. Some functions use the strncat()function call improperly. strncat()is used in an insecure manner to build the "options" string. When the CUPS daemon receives specially-constructed printerattributes, it will trigger a buffer overflow condition when building the "options" string, which may result in the corruption of sensitive memory withattacker-supplied values. (CVE ID: CAN-2002-1369)

2) The image handling component of CUPS is vulnerable to integer overflow conditions. Flaws may be exploited by local attackers to execute instructions withelevated privileges. Attackers may gain user "lp", group "sys" privileges. Depending on system configuration, other privileges may be gained.

3) CUPS image filters do not properly handle GIF files with a width field set to zero. As a result, if an attacker submits a properly malformed image, it may bepossible to manipulate and corrupt chunk headers with attacker-supplied data. Given the ability to corrupt memory with attacker-supplied data, it may be possiblefor an attacker to cause arbitrary code to be executed. Successful exploitation results in code execution in the security context of CUPS. (CVE ID:CAN-2002-1371)

4) Some versions of CUPS may create temporary files in an insecure manner. The vulnerability occurs when creating the "/etc/cups/certs/" file. An attacker canexploit this vulnerability to create or overwrite any file with elevated privileges. Successful exploitation is time dependent and requires the attacker to obtain the







http://rhn.redhat.com/errata/RHSA-2002-295.html

http://www.securityfocus.com/bid/6438


"lp" user privileges.

5) CUPS is prone to a vulnerability that makes it possible for attackers to add printers. It has been reported that an attacker may send a specially crafted UDP packetto the CUPS server, which will cause a printer to be temporarily added and configured to listen on a high port. Then it's reportedly possible for the attacker torequest and receive the local root certificate. This certificate may be used to authenticate to the Web administrative interface, where it is possible to create a printerwith root privileges. Technical details about the exact nature of this issue are not known at this time. This issue is believed to be caused, in part, by a design flaw inthe certificate authentication scheme employed by CUPS. (CVE ID: CAN-2002-1367)

6) A vulnerability has been reported that, if exploited, may result in a DoS or the execution of code on affected systems. An attacker can exploit this vulnerabilityby connecting to a vulnerable system on TCP port 631 and issuing malformed HTTP headers with a negative value for the "Content-Length" or"Transfer-Encoding" field. When the cupsd service receives this request, it will crash. (CVE ID: CAN-2002-1368)

7) CUPS may leak file descriptor information under some circumstances. This issue exists because CUPS does not adequately check any return values on file andsocket operations. By exploiting this vulnerability, it's possible for a remote attacker to cause a denial of service. (CVE ID: CAN-2002-1372)

8) An integer overflow vulnerability has been reported in the HTTP server component of CUPS. The condition is related to the processing of HTML variables andtheir values. It's reportedly possible for remote attackers to exploit this vulnerability to execute instructions on target systems. Successful attacks may grant localaccess to adversaries with user "lp" and group "sys" privileges. (CVE ID: CAN-2002-1383)

IMPACT:By exploiting these vulnerabilities, remote attackers can execute arbitary code under the user ID of the Daemon.

SOLUTION:Upgrade to CUPS Version 1.1.18 or later. Upgrade packages are available for all affected distributions.

Check CUP's Web site (http://www.cups.org/software.html) for more information.


RESULTS:No results available

147.144.1.43 (ocean.ccsf.cc.ca.us, -) HP-UX 11

Vulnerabilities (1)

















147.144.1.62 (ezproxy.ccsf.edu, -) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (2)

5 Activeport 443/tcp over SSLDebian OpenSSL Package Random Number Generator Weakness

QID: 42007Category: General remote servicesCVE ID: CVE-2008-0166Vendor Reference: OpenSSH Debian Patch, OpenSSL Debain PatchBugtraq ID: 29179Modified: 06/30/2008Edited: No

THREAT:OpenSSL is an open source implementation of the SSL protocol which is used by a number of other projects, including but not restricted to Apache, Sendmail andBind. It is commonly found on Linux and Unix systems.

The Debian OpenSSL package is prone to a random number generator weakness which causes the keys generated by this package to be predictable.

IMPACT:Attackers can exploit this issue to predict random data used to generate encryption keys by certain applications. An attacker can record encrypted sessions(SSL,SSH, VPN) then in an off-line mode use a library of weak keys to find out the private key values used by the communication parties and decrypt theencrypted traffic. Specifically affected keys include RSA, SSH, OpenVPN and DNSSEC keys as well as X.509 certificates and session keys used in the SSL/TLSsessions.

Attackers may exploit this issue to potentially compromise encryption keys and gain access to sensitive data. This may aid in further attacks. In the case of SSHattackers can gain full access to the target system.

This issue affects only a modified OpenSSL package for Debian prior to Version 0.9.8c-4etch3.

Please note that the keys that were generated on a vulnerable system and then moved to a different non-Debian system are still vulnerable and can cause a


http://www.debian.org/security/2008/dsa-1571




compromise of that non-Debian system.

SOLUTION:The vendor has released updates to address this issue. See the references for more information.

The Results section contains identifications for the weak keys detected on the target system. The keys are identified by calculating a hash over the public key. Thehash function as well as the information the hash function is calculated upon is different for SSH and SSL keys.

For SSL the following command can be used to calculate the hash of a key in a X.509 certificate:

openssl x509 -in [cert name.pem] -modulus -noout|openssl sha1

For an SSH key the following command can be used to obtain the hash of the public key:

ssh-keygen -f [SSH public key file name.pub] -l

All the keys listed in the Results section are weak and need to be regenerated on a non-vulnerable or patched system. In the case of certificates, they need to beregenerated and signed again.


RESULTS:Certificate #0 RSA(1024), SSL, Hash: 2E202BACC1C4CF8762B5D3F157858B0989C23998

5 Activeport 22/tcpDebian OpenSSL Package Random Number Generator Weakness

QID: 42007Category: General remote servicesCVE ID: CVE-2008-0166Vendor Reference: OpenSSH Debian Patch, OpenSSL Debain PatchBugtraq ID: 29179Modified: 06/30/2008Edited: No

THREAT:OpenSSL is an open source implementation of the SSL protocol which is used by a number of other projects, including but not restricted to Apache, Sendmail andBind. It is commonly found on Linux and Unix systems.

The Debian OpenSSL package is prone to a random number generator weakness which causes the keys generated by this package to be predictable.

IMPACT:Attackers can exploit this issue to predict random data used to generate encryption keys by certain applications. An attacker can record encrypted sessions(SSL,SSH, VPN) then in an off-line mode use a library of weak keys to find out the private key values used by the communication parties and decrypt theencrypted traffic. Specifically affected keys include RSA, SSH, OpenVPN and DNSSEC keys as well as X.509 certificates and session keys used in the SSL/TLSsessions.

Attackers may exploit this issue to potentially compromise encryption keys and gain access to sensitive data. This may aid in further attacks. In the case of SSHattackers can gain full access to the target system.

This issue affects only a modified OpenSSL package for Debian prior to Version 0.9.8c-4etch3.

Please note that the keys that were generated on a vulnerable system and then moved to a different non-Debian system are still vulnerable and can cause acompromise of that non-Debian system.

SOLUTION:The vendor has released updates to address this issue. See the references for more information.

The Results section contains identifications for the weak keys detected on the target system. The keys are identified by calculating a hash over the public key. The






hash function as well as the information the hash function is calculated upon is different for SSH and SSL keys.

For SSL the following command can be used to calculate the hash of a key in a X.509 certificate:

openssl x509 -in [cert name.pem] -modulus -noout|openssl sha1

For an SSH key the following command can be used to obtain the hash of the public key:

ssh-keygen -f [SSH public key file name.pub] -l

All the keys listed in the Results section are weak and need to be regenerated on a non-vulnerable or patched system. In the case of certificates, they need to beregenerated and signed again.


RESULTS:RSA(2048), SSH, Hash: 08FF698725A668282FC337BE4E89745B

147.144.1.69 (-, S-LIB-PC-COP01) Windows 2003 Service Pack 2

Vulnerabilities (6)

5 NewMicrosoft SQL Server 2000 Service Pack 4 Missing

QID: 19124Category: DatabaseCVE ID: -Vendor Reference: -Bugtraq ID: -Modified: 05/11/2009Edited: No

THREAT:The Microsoft SQL Server / MSDE 2000 host is missing Service Pack 4.

IMPACT:SQL Server 2000 Service Pack 4 includes all security hotfixes released after the release of Service Pack 3.

SOLUTION:Read Microsoft article KB290211 (http://support.microsoft.com/kb/290211) for details on downloading SQL Server 2000 Service Pack 4.


RESULTS:8.0.313

5 NewMicrosoft SQL Server Multiple Vulnerabilities

QID: 90086Category: DatabaseCVE ID: CVE-2003-0230, CVE-2003-0231, CVE-2003-0232Vendor Reference: MS03-031Bugtraq ID: 8275Modified: 02/23/2005Edited: No


http://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0231

http://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2003-0232

http://www.microsoft.com/technet/security/Bulletin/MS03-031.mspx



THREAT:Multiple vulnerabilities are present on the Microsoft SQL Server installed on the target, including the following: LPC port request buffer overflow vulnerability,Named Pipe denial of service vulnerability, and Named Pipe hijacking vulnerability.

Local Procedure Calls (LPC) provide a mechanism for interprocess communications on some Microsoft platforms. Each LPC utilizes a collection ofcommunication ports to allow for information exchange between the client and the server. Microsoft SQL Server is prone to a buffer overflow in the mechanismthat accepts LPC port requests. If a specifically malformed message is received by the LPC port, stack memory may be overwritten due to insufficient boundschecking.

Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a Named Pipe denial of service attack. Any local or remote user, who canauthenticate and is part of the Everyone Group, may trigger a denial of service condition in an affected SQL Server. It has been reported that if a remote attackersends an unusually large request to a named pipe, the SQL Server will become unresponsive.

Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a privilege escalation vulnerability via named pipes. A named pipe is a conduitfor interprocess communication that is identified by a specific name; it is used to pass information between a pipe server and its clients. It has been reported that anamed pipe, used to control certain connection attempts to the SQL server, is prone to a vulnerability that may provide escalation of privileges. The issue presentsitself within the checking routines for the affected pipe. Under certain circumstances, specifically during the authentication procedure, a local attacker may seizecontrol of the named pipe.

IMPACT:Successful exploitation of the LPC Port request buffer overrun vulnerability would allow an attacker to execute code with the privilege level of the SQL Serverprocess. Under most conditions, exploitation would only allow an attacker to gain full access to the SQL database. However, if the SQL Server is running asAdministrator or Local System, exploitation would allow for full system compromise. It's important to note that an attacker must be authenticated to the SQLServer in order to exploit this vulnerability.

The impact of the denial of service vulnerability may vary between service packs and versions. It has been reported that on SQL Server 2000 without Service Pack3 installed, the service will crash and must be restarted to restore normal operations. However, on SQL Server 2000 with Service Pack 3 applied, this is not thecase. The service does not appear to crash but does not process requests received post-attack. It has also been reported that it's not possible to stop the affectedservice, and the system will require a reboot to restore normal operations.

If the Named Pipe hijacking vulnerability is successfully exploited, the attacker may thereby inherit the permissions of the user who is attempting to connect to theSQL server via the compromised pipe.

SOLUTION:Microsoft has released patches to address the issue. Check Microsoft Security Bulletin MS03-031(http://www.microsoft.com/technet/security/bulletin/ms03-031.mspx) for the latest information on these vulnerabilities.


RESULTS:8.0.313

5 Newport 1433/tcpMicrosoft SQL Server 2000 SP1 Not Installed


THREAT:The host is missing SQL Server 2000 Service Pack 1.

IMPACT:


Microsoft SQL Server Service Pack 1 contains several security fixes.

SOLUTION:Refer to the SQL Server version 2000 Service Pack 1 Readme(http://support.microsoft.com/default.aspx?scid=%2fsupport%2fservicepacks%2fSQL%2f2000%2fSP1ReadMe.asp) for details.

It's recommended that you install the latest Microsoft SQL Server service pack (sp3a or later). You can download the latest service pack from Microsoft's SQLServer Download page (http://www.microsoft.com/sql/downloads/default.asp).


RESULTS:8.0.313

5 Newport 1433/tcpMicrosoft SQL Server 2000 SP2 Not Installed


THREAT:Microsoft SQL Server 2000 Service Pack 2 not installed on the host.

IMPACT:SQL Server 2000 Service Pack 2 fixes several security holes which can be exploited by malicious users.

SOLUTION:Refer to the SQL Server version 2000 Service Pack 2 Readme(http://support.microsoft.com/default.aspx?scid=%2fsupport%2fservicepacks%2fSQL%2f2000%2fSP2ReadMe.asp) for details.

It's recommended that you install the latest Microsoft SQL Server service pack (sp3a or later). You can download the latest service pack from Microsoft's SQLServer Download page (http://www.microsoft.com/sql/downloads/default.asp).


RESULTS:8.0.313

5 Newport 1433/tcpMicrosoft SQL Server 2000 Service Pack 3 Not Installed


THREAT:Microsoft SQL Server 2000 Service Pack 3 is not installed on the host.

IMPACT:


Microsoft SQL Server 2000 Service Pack 3 fixes several security holes, which may be exploited by malicious users.

SOLUTION:Refer to the Microsoft Service Packs for SQL Server Downloads page (http://www.microsoft.com/sql/downloads/servicepacks.asp) for instructions on downloadingand installing the service pack.


RESULTS:8.0.313

4 Newport 1433/tcpMicrosoft SQL Server 2000 Latest Patch Not Installed


THREAT:The latest Microsoft SQL security hotfixes are not installed. This check makes sure that Service Pack 4 is installed. The current version detected is shown in theresult section of the vulnerability report.

IMPACT:Microsoft SQL service packs and hotfixes are important because they fix a lot of security issues.

SOLUTION:Apply the latest service packs and hotfixes available for download from the Microsoft SQL Server Support Center (http://www.microsoft.com/sql/).


RESULTS:8.0.313

147.144.1.206 (webct0.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (3)

4 Activeport 443/tcp over SSLSSL Server Allows Anonymous Authentication Vulnerability

QID: 38142Category: General remote servicesCVE ID: -Vendor Reference: -Bugtraq ID: -Modified: 07/07/2008Edited: No

THREAT:The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using analgorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer,Netscape and Mozilla do not use anonymous authentication ciphers by default.


A vulnerability exists in SSL communcations when clients are allowed to connectusing no authentication algorithm. SSL client-server communication may use several different types ofauthentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, thecommunications are vulnerable to a man-in-the-middle attack."

IMPACT:An attacker can exploit this vulnerability to impersonate your server to clients.

SOLUTION:Disable support for anonymous authentication.

1) Apache:Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:SSLProtocol -ALL +SSLv3 +TLSv1SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUMFor Apache/apache_ssl include the following line in the configuration file (httpsd.conf):SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

2) IIS:For IIS please see: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services (http://support.microsoft.com/kb/187498/en-us), How toRestrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (http://support.microsoft.com/kb/245030/en-us), How to Determine the CipherSuite for the Server and Client (http://support.microsoft.com/kb/299520/en-us), , and How to restrict the use of certain ciphers in Internet Information Services 5.0(http://support.microsoft.com/kb/241447)

3) Wu-FTP:For Wu-FTP which supports TLS, the ciphers parameter in TLS configuration file should be set to -ALL +SSLv3 +TLSv1 For more details please consult thedocs/HOWTO/ssl_and_tls_ftpd.HOWTO file provided by wu-ftpd distribution.

Additional reading:http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html (http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html)

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite)

http://www.megasecurity.org/Info/ssl_servers.html (http://www.megasecurity.org/Info/ssl_servers.html)


RESULTS:CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH

)GRADE

SSLv3 SUPPORTS CIPHERS WITH NOAUTHENTICATIONADH-RC4-MD5 DH None MD5 RC4(128) MEDIUMEXP-ADH-RC4-MD5 DH(512) None MD5 RC4(40) LOWTLSv1 SUPPORTS CIPHERS WITH NOAUTHENTICATIONADH-RC4-MD5 DH None MD5 RC4(128) MEDIUMEXP-ADH-RC4-MD5 DH(512) None MD5 RC4(40) LOWADH-DES-CBC3-SHA DH None SHA1 3DES(168) HIGHADH-DES-CBC-SHA DH None SHA1 DES(56) LOWEXP-ADH-DES-CBC-SHA DH(512) None SHA1 DES(40) LOW

4 Activeport 443/tcp over SSLSSL Server Allows Cleartext Communication Vulnerability

QID: 38143Category: General remote servicesCVE ID: -Vendor Reference: -Bugtraq ID: -Modified: 08/05/2008


Edited: No

THREAT:The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.

The client-server communication is general encrypted using a symmetric cipher like RC2, RC4, DES or 3DES. However, some SSL ciphers allow communicationwithout encryption. This vulnerability allows anyone who can sniff the traffic between the client and the server to see the communication.

Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. Forexample, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort furthercommunication on the secure channel. This vulnerability may not be exploitable for such configurations.

IMPACT:An attacker can exploit this vulnerability to read apparently secure communication.

SOLUTION:Disable ciphers which support cleartext communication.

Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:SSLProtocol -ALL +SSLv3 +TLSv1SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUMFor Apache/apache_ssl include the following line in the configuration file (httpsd.conf):SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

How to Control the Ciphers for SSL and TLS on IIS (http://support.microsoft.com/kb/245030)

For Novell Netware 6.5 please refer to the following document SSL Allows the use of Weak Ciphers. -TID10100633 (http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm)


RESULTS:CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADESSLv3 SUPPORTS CIPHERS WITH NO ENCRYPTIONNULL-SHA RSA RSA SHA1 None LOWNULL-MD5 RSA RSA MD5 None LOWTLSv1 SUPPORTS CIPHERS WITH NO ENCRYPTIONNULL-SHA RSA RSA SHA1 None LOWNULL-MD5 RSA RSA MD5 None LOW
















RESULTS:SSH1 supported yesSupported ciphers for SSH1 3des, blowfishSupported authentications for SSH1 RSA, password

147.144.1.211 (sol.ccsf.cc.ca.us, -) Solaris 8

Vulnerabilities (2)

5 NewSun Solaris SAdmind Client Credentials Remote Administrative Access Vulnerability

QID: 68524Category: RPCCVE ID: CVE-2003-0722Vendor Reference: -Bugtraq ID: 8615Modified: 06/11/2009Edited: No

THREAT:Solaris is the Unix operating system variant maintained and distributed by Sun Microsystems.

A problem has been discovered in the Sun Solaris "sadmin" service. Because of this issue, it may be possible for a remote user to gain unauthorized administrativeaccess to the target.

The problem is in the handling of authentication credentials. In the default configuration, the "sadmin" service uses the AUTH_SYS or AUTH_UNIX RPCauthentication mechanism, which is vulnerable to spoofing attacks. Since the authentication credentials (uid, gid, and hostname of client) are completely in anattacker's control, an attacker can circumvent any access restrictions the service may have in place.

Note: The "sadmin" service is enabled by default.

IMPACT:This vulnerability can be exploited to run arbitrary privileged commands on the vulnerable host, and can lead to a complete system compromise.




SOLUTION:A solution is to either disable the "sadmin" service if it is not required, or restart the service with stronger authentication.

The service may be disabled by commenting the service out of the inetd.conf configuration file, and restarting inetd.

The service may be reconfigured to use stronger AUTH_DES authentication instead. To do this, append "-S 2" to the inetd.conf configuration and restart inetd.Please check Sun's Sadmind Alert (http://sunsolve.sun.com/search/document.do?assetkey=1-26-56740-1), which provides details about this configuration process.


RESULTS:/bin/sh could be executed on the target host.

















147.144.1.212 (cloud.ccsf.cc.ca.us, -) FreeBSD

Vulnerabilities (1)

4 Activeport 21/tcpDatabase Files Present on Anonymous FTP Server Vulnerability

QID: 27026Category: File Transfer ProtocolCVE ID: CVE-1999-0527Vendor Reference: -Bugtraq ID: -Modified: 04/03/2009Edited: No

THREAT:Database files with a ".db" extension were found on the FTP Server.

IMPACT:Files with the .db extension may contain sensitive information. Please verify that these documents should be on the FTP server. If the document(s) are encrypted,they can easily be cracked. And, if the user uses the same password for encrypting documents as for logging on to the server, their user accounts can becompromised.

SOLUTION:Remove all *.db files that are not required.


RESULTS:/etc/pwd.db [user anonymous]/etc/pwd.db [user ftp]

147.144.1.214 (-, -) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (1)

4 Newport 22/tcpSSH Protocol Version 1 Supported

















147.144.1.215 (webct3.ccsf.edu, -) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (1)










SSH protected traffic compromise



root shell access to the system running SSH server





147.144.1.219 (cloudy.ccsf.cc.ca.us, -) FreeBSD

Vulnerabilities (1)

4 Newport 21/tcpDatabase Files Present on Anonymous FTP Server Vulnerability

QID: 27026Category: File Transfer ProtocolCVE ID: CVE-1999-0527Vendor Reference: -Bugtraq ID: -Modified: 04/03/2009Edited: No

THREAT:Database files with a ".db" extension were found on the FTP Server.

IMPACT:Files with the .db extension may contain sensitive information. Please verify that these documents should be on the FTP server. If the document(s) are encrypted,they can easily be cracked. And, if the user uses the same password for encrypting documents as for logging on to the server, their user accounts can becompromised.

SOLUTION:Remove all *.db files that are not required.


RESULTS:/etc/pwd.db [user anonymous]



147.144.1.220 (cloudz.ccsf.cc.ca.us, -) BSDI BSD/OS 4.0.1

Vulnerabilities (1)

















147.144.1.245 (gw3.ccsf.edu, -) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (2)

5 Newport 5901/tcpNull Authentication VNC Server Access

QID: 38161Category: General remote servicesCVE ID: CVE-2002-2088Vendor Reference: -Bugtraq ID: 4581Modified: 05/13/2009Edited: No

THREAT:VNC (Virtual Network Computing) is similar to Xwindows in that it is a remote, graphical interface. It is freely available from multiple vendors (for exampleAT&T Cambridge).

To create a session with VNC server, a primitive sort of authentication is implemented. There is an option to not use authentication at all, in which case anyone isallowed to connect to the VNC server.

An example of such default configuration is ClumpOS.ClumpOS is a CD-based Linux and Mosix distribution that is maintained and distributed by the Mosix project. ClumpOS does not prompt a user to set a passwordfor VNC when installed. Instead, ClumpOS leaves the default password for VNC blank, which allows remote root access to the system.

IMPACT:By exploiting this vulnerability, an unauthenticated user can have the same privileges as the privileges of the user who launched a VNC server.

SOLUTION:As a possible workaround, manually set a VNC password or remove the VNC server (if not needed).




















RESULTS:SSH1 supported yesSupported ciphers for SSH1 3des, blowfishSupported authentications for SSH1 RSA, keyboard_interactive

147.144.1.246 (gw4.ccsf.edu, BAT-GW4) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (3)

5 Newport 5901/tcpNull Authentication VNC Server Access

QID: 38161Category: General remote servicesCVE ID: CVE-2002-2088Vendor Reference: -Bugtraq ID: 4581Modified: 05/13/2009Edited: No

THREAT:VNC (Virtual Network Computing) is similar to Xwindows in that it is a remote, graphical interface. It is freely available from multiple vendors (for exampleAT&T Cambridge).

To create a session with VNC server, a primitive sort of authentication is implemented. There is an option to not use authentication at all, in which case anyone isallowed to connect to the VNC server.

An example of such default configuration is ClumpOS.ClumpOS is a CD-based Linux and Mosix distribution that is maintained and distributed by the Mosix project. ClumpOS does not prompt a user to set a passwordfor VNC when installed. Instead, ClumpOS leaves the default password for VNC blank, which allows remote root access to the system.

IMPACT:By exploiting this vulnerability, an unauthenticated user can have the same privileges as the privileges of the user who launched a VNC server.

SOLUTION:As a possible workaround, manually set a VNC password or remove the VNC server (if not needed).

COMPLIANCE:




Not Applicable


4 NewNull Session/Password NetBIOS Access

QID: 70003Category: SMB / NETBIOSCVE ID: CVE-1999-0519Vendor Reference: -Bugtraq ID: -Modified: 10/08/2009Edited: No

THREAT:Unauthorized users can connect to this NetBIOS service without a password.

IMPACT:Unauthorized users may be able to exploit this vulnerability to obtain sensitive information about your system resources, such as a list of all accounts or sharedresources on this host. For Windows hosts, unauthorized users may also be able to access the registry, and depending on the Windows version and registrypermission settings, make modifications to the registry.

SOLUTION:Null NetBIOS sessions can be disabled using the following methods:

Windows NT:

1. Set the following registry key: HKLM\System\CurrentControlSet\Control\Lsa Name: RestrictAnonymous Type: REG_DWORD Value: 12. Restart your computer.

Windows 2000:

1. Start "Control Panel-->Administrative Tools-->Local Security Policy".2. Open "Local Policies-->Security Options".3. Make sure "Additional restrictions of anonymous connections" is set to"No access without explicit anonymous permissions". 4. Restart your computer.

Windows XP/2003:

1. Start "Control Panel-->Administrative Tools-->Local Security Policy".2. Open "Local Policies-->Security Options".3. Make sure the following two policies are enabled: * Network Access: Do not allow anonymous enumeration of SAM accounts * Network Access: Do not allow anonymous enumeration of SAM accounts and shares4. Disable Network Access: Let Everyone permissions apply to anonymous users.5. Restart your computer.

The above settings have no impact on domain controllers. If this vulnerability was discovered on a domain controller, please note that some of the recommendedsettings may not have any effect. Read the Microsoft article Description of Dcpromo Permissions Choices (http://support.microsoft.com/kb/257988/) for moreinformation regarding Pre-Windows 2000 Compatible Access. Please read the Microsoft documents called How to Use the RestrictAnonymous Registry Value(http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) and Restricting Anonymous Access(http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) for more information.

Samba: Make the following settings in smb.conf:* set "security" to "user" or "domain" or "server" as per your requirements.* set "map_to_guest" to "Never"



SECURITY = USERThis is the default security setting in Samba 2.2. With user-level security a client must first "log=on" with a valid username and password (which can be mappedusing the username map parameter). Encrypted passwords can also be used in this security mode. Parameters such as user and guest only if set are then applied andmay change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

SECURITY = SERVERIn this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user,but note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd fileto check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up.

SECURITY = DOMAINThis mode will only work correctly if smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameterto be set to true. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactlythe same way that a Windows NT Server would do.

A suggested workaround.Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment.Adding 'restrict anonymous = 2' in smb.conf can help resolve the issue.

For SAMBA 3.0 and Active DirectoryMake the following settings in smb.conf:security = ADS













SOLUTION:



Disable SSH1 support. See your vendor's Web site for information on how to disable SSH protocol Version 1 support. Some references are provided below:SSH Communications Security (http://www.ssh.com)F-Secure (http://www.f-secure.com)OpenSSH (http://www.openssh.org)




147.144.1.249 (ns9.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (1)













COMPLIANCE:



Not Applicable


147.144.1.250 (ns7.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (1)

















147.144.1.251 (ns3.ccsf.cc.ca.us, -) Linux 2.4-2.6 / SonicWALL

Vulnerabilities (1)

















147.144.1.252 (-, -) Linux 2.4-2.6 / SonicWALL

Vulnerabilities (1)

















147.144.1.254 (-, INST-DC1) Windows 2000 Service Pack 3-4

Vulnerabilities (3)

4 NewRemote User List Disclosure Using NetBIOS

QID: 45003Category: Information gatheringCVE ID: CVE-2000-1200Vendor Reference: -Bugtraq ID: 959Modified: 10/08/2009Edited: No

THREAT:A null session connection to the IPC$ share was successful. NetBIOS access can be obtained with any authenticated account on this host. Therefore unauthorizedusers can steal the remote user list. This kind of attack is commonly exploited by users with weak passwords, such as the GUEST account.

IMPACT:By exploiting this vulnerability, unauthorized users can launch brute force password attacks and other intrusive attacks based on collected information. Employee,customer, and partner information may be gathered. Spamming the user list is also possible.

SOLUTION:It is recommended that you disable null sessions. Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment.Read the Microsoft documents called How to Use the RestrictAnonymous Registry Value (http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) andRestricting Anonymous Access (http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) formore information. If this vulnerability was discovered on a domain controller, please note that some of the recommended settings may not have any effect. Readthe Microsoft article Description of Dcpromo Permissions Choices (http://support.microsoft.com/kb/257988/) for more information regarding Pre-Windows 2000Compatible Access.

For Windows NT, setting this registry value limits only certain interfaces to this data. It is not possible to completely eliminate this vulnerability through a registrysetting.

There is another interesting Microsoft document called Local Policies(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6d1cf160-25c8-4b0f-90b5-428bf5c24eae.mspx) about Windows securitypolicies settings for local policies.

Windows XP onwards Microsoft has added more granular control to the anonymous user access by adding couple of more DWORD registry values in the same keylocation as RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous. Set RestrictAnonymous = 1 to restrict share information access,RestrictAnonymousSAM = 1 to prevent enumeration of SAM accounts (User Accounts) and EveryoneIncludesAnonymous = 0 to prevent null-sessions fromhaving any rights. Setting the RestrictAnonymous value to 1 restricts null session access to unauthenticated users to all server pipes and shares except those listed inthe NullSessionPipes and NullSessionShares entries. Additionally setHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, NullSessionPipes and NullSessionShares, to a null string.

For Samba servers there is no direct way of disabling null session access. A workaround is to specify a non exisiting UNIX account in global section of Sambaconfig file. guest account = NON EXISTING USER.

Adding 'restrict anonymous = 2' in smb.conf can help resolve the issue.Note: Please be aware that changing the restrictanonymous setting to the highest security level for example restrictanonymous = 2 in windows 2000 may disableolder programs that make use of this account. It will also affect Windows NT 4.0 Domain Controllers from communicating with each other between trustrelationships.

If possible, filter out Microsoft networking ports such as TCP ports 135, 137, 138, 139, and UDP ports 135, 137, 138.


RESULTS:




bookloan 1190tboegel 1376gknapp 2083lindao 3086ccruz 3095schou 3105creyes 3154arichard 3176mhock01 3266mvipusit 3336emmorris 3341fbanh 3634mentor-student 3644monizuka 3707mfelice 3839rallyn 3880tlamb 4006plee 4471ibell 4472lbritton 4474ecastill 4475nchinn 4476jchiu 4477mchu 4478tdang 4479cdevore 4480dgong 4482khanamur 4483kharper 4484shuey 4485njulin 4486akerrar 4487klau 4488tle 4489alira 4490hma 4491smance 4492amonroe 4494jpopely 4498asalonga 4499asimpson 4500astanley 4501pstrobel 4502ltsang 4504abader 4506cchu 4507kcolom 4508bhall 4509rheiman 4510ahoward 4511lhuynh 4512vkartash 4513ukukharc 4514klam 4515lleiva 4516


tmccullo 4517emelnice 4518jmockbee 4519rmoore 4520pnabhan 4521tnarlite 4522dnichols 4523aprum 4524msong 4525avelez 4526jwang 4527dyap 4528eyussen 4529vcrooks 4530abrawley 4531knawtsah 4532ssmith 4533llim 4534pcheung 4535hweeks 4536mgrier 4537jluddeke 4562ytang 4563tyip 4564acanning 4573ddarmo 4582

4 NewNull Session/Password NetBIOS Access

QID: 70003Category: SMB / NETBIOSCVE ID: CVE-1999-0519Vendor Reference: -Bugtraq ID: -Modified: 10/08/2009Edited: No

THREAT:Unauthorized users can connect to this NetBIOS service without a password.

IMPACT:Unauthorized users may be able to exploit this vulnerability to obtain sensitive information about your system resources, such as a list of all accounts or sharedresources on this host. For Windows hosts, unauthorized users may also be able to access the registry, and depending on the Windows version and registrypermission settings, make modifications to the registry.

SOLUTION:Null NetBIOS sessions can be disabled using the following methods:

Windows NT:

1. Set the following registry key: HKLM\System\CurrentControlSet\Control\Lsa Name: RestrictAnonymous Type: REG_DWORD Value: 12. Restart your computer.



Windows 2000:

1. Start "Control Panel-->Administrative Tools-->Local Security Policy".2. Open "Local Policies-->Security Options".3. Make sure "Additional restrictions of anonymous connections" is set to"No access without explicit anonymous permissions". 4. Restart your computer.

Windows XP/2003:

1. Start "Control Panel-->Administrative Tools-->Local Security Policy".2. Open "Local Policies-->Security Options".3. Make sure the following two policies are enabled: * Network Access: Do not allow anonymous enumeration of SAM accounts * Network Access: Do not allow anonymous enumeration of SAM accounts and shares4. Disable Network Access: Let Everyone permissions apply to anonymous users.5. Restart your computer.

The above settings have no impact on domain controllers. If this vulnerability was discovered on a domain controller, please note that some of the recommendedsettings may not have any effect. Read the Microsoft article Description of Dcpromo Permissions Choices (http://support.microsoft.com/kb/257988/) for moreinformation regarding Pre-Windows 2000 Compatible Access. Please read the Microsoft documents called How to Use the RestrictAnonymous Registry Value(http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) and Restricting Anonymous Access(http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) for more information.

Samba: Make the following settings in smb.conf:* set "security" to "user" or "domain" or "server" as per your requirements.* set "map_to_guest" to "Never"

SECURITY = USERThis is the default security setting in Samba 2.2. With user-level security a client must first "log=on" with a valid username and password (which can be mappedusing the username map parameter). Encrypted passwords can also be used in this security mode. Parameters such as user and guest only if set are then applied andmay change the UNIX user to use on this connection, but only after the user has been successfully authenticated.

SECURITY = SERVERIn this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user,but note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd fileto check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up.

SECURITY = DOMAINThis mode will only work correctly if smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameterto be set to true. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactlythe same way that a Windows NT Server would do.

A suggested workaround.Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment.Adding 'restrict anonymous = 2' in smb.conf can help resolve the issue.

For SAMBA 3.0 and Active DirectoryMake the following settings in smb.conf:security = ADS




QID: 38304Category: General remote servicesCVE ID: CVE-2001-1473



Vendor Reference: -Bugtraq ID: -Modified: 06/10/2009Edited: No













147.144.4.4 (-, -) HP-UX 11

Vulnerabilities (2)

5 Newport 5050/tcpApache Chunked-Encoding Memory Corruption Vulnerability

QID: 86352Category: Web serverCVE ID: CVE-2002-0392Vendor Reference: -Bugtraq ID: 5033Modified: 10/22/2007Edited: No




THREAT:Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. Various products, such as StrongHold, Oracle 9iASand IBM Websphere, use or bundle Apache.

The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerabilityhas been discovered in the Apache implementation of 'Chunked Encoding'. When processing requests coded with the 'Chunked Encoding' mechanism, Apache failsto properly calculate required buffer sizes. This is due to improper (signed) interpretation of an unsigned integer value.

On Windows and Netware platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process to crash onthese platforms may result in a denial of service.The link http://httpd.apache.org/info/security_bulletin_20020617.txt (http://httpd.apache.org/info/security_bulletin_20020617.txt) provides additional information on thisvulnerability for Apache running on Windows.

IMPACT:This vulnerability can be exploited by an attacker to cause a Denial of Service and even execute arbitrary code on the vulnerable machine.

SOLUTION:This vulnerability has been fixed in Apache 1.3.26 and Apache 2.0.37. Please upgrade to the latest version (http://httpd.apache.org/download.cgi).

An efix (via APAR PQ62369) (http://www.ibm.com/software/webservers/httpservers/support.html) is available for IHS from the IBM HTTP Server Downloadswebpage.

A complete list of vendor status and fixes can be found in CERT advisory CA-2002-17 (http://www.cert.org/advisories/CA-2002-17.html)

To manually verify this vulnerability, one may telnet to the host/port that the HTTP service is running on, and issue the following request directly:-----[snip]-----GET / HTTP/1.1Host: iopjfdsTransfer-Encoding: Chunked

AAAAAAAA-----[/snip]-----

A vulnerable webserver should respond by immediately closing the connection, while a patched webserver should respond with a valid HTTP response code; itmay be necessary to try large integers other than AAAAAAAA (e.g. FFFFFFFF or 80000000).In order to eliminate erroneous behavior from intervening networking equipment, it is important to run the manual verification locally on the target host in question.



















147.144.17.71 (wiz.ccsf.cc.ca.us, -) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (2)

4 NewLinux Kernel Multiple Memory Leak Local Denial of Service Vulnerabilities

QID: 115292Category: LocalCVE ID: -Vendor Reference: 2.6.14rc4Bugtraq ID: 15076Modified: 09/28/2007Edited: No

THREAT:Two local denial of service vulnerabilities affect the Linux kernel. These issues are due to a design flaw that creates memory leaks.

IMPACT:These vulnerabilities may be exploited by local users to consume excessive kernel resources, likely triggering a kernel crash and denying service to legitimateusers.

SOLUTION:For more information, read Red Hat advisory RHSA-2005:808-14 (http://www.redhat.com/support/errata/RHSA-2005-808.html).

A newer update RHSA-2007-0937 (http://rhn.redhat.com/errata/RHSA-2007-0937.html) is also available which obsoletes RHSA-2005-808

COMPLIANCE:

http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.14-rc4



Not Applicable

RESULTS:Detected through OS checks.

















147.144.19.11 (peachie.ccsf.cc.ca.us, -) Linux 2.2

Vulnerabilities (3)

5 Newport 9876/tcpApache Chunked-Encoding Memory Corruption Vulnerability

QID: 86352Category: Web serverCVE ID: CVE-2002-0392Vendor Reference: -Bugtraq ID: 5033Modified: 10/22/2007Edited: No

THREAT:Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. Various products, such as StrongHold, Oracle 9iASand IBM Websphere, use or bundle Apache.

The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerabilityhas been discovered in the Apache implementation of 'Chunked Encoding'. When processing requests coded with the 'Chunked Encoding' mechanism, Apache failsto properly calculate required buffer sizes. This is due to improper (signed) interpretation of an unsigned integer value.

On Windows and Netware platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process to crash onthese platforms may result in a denial of service.The link http://httpd.apache.org/info/security_bulletin_20020617.txt (http://httpd.apache.org/info/security_bulletin_20020617.txt) provides additional information on thisvulnerability for Apache running on Windows.

IMPACT:This vulnerability can be exploited by an attacker to cause a Denial of Service and even execute arbitrary code on the vulnerable machine.

SOLUTION:This vulnerability has been fixed in Apache 1.3.26 and Apache 2.0.37. Please upgrade to the latest version (http://httpd.apache.org/download.cgi).

An efix (via APAR PQ62369) (http://www.ibm.com/software/webservers/httpservers/support.html) is available for IHS from the IBM HTTP Server Downloadswebpage.

A complete list of vendor status and fixes can be found in CERT advisory CA-2002-17 (http://www.cert.org/advisories/CA-2002-17.html)

To manually verify this vulnerability, one may telnet to the host/port that the HTTP service is running on, and issue the following request directly:-----[snip]-----GET / HTTP/1.1Host: iopjfdsTransfer-Encoding: Chunked

AAAAAAAA-----[/snip]-----

A vulnerable webserver should respond by immediately closing the connection, while a patched webserver should respond with a valid HTTP response code; itmay be necessary to try large integers other than AAAAAAAA (e.g. FFFFFFFF or 80000000).In order to eliminate erroneous behavior from intervening networking equipment, it is important to run the manual verification locally on the target host in question.






5 Activeport 21/tcpWU-FTPD Remote Root Access with 'SITE EXEC' Command

QID: 27080Category: File Transfer ProtocolCVE ID: CVE-2000-0573Vendor Reference: -Bugtraq ID: 1387Modified: 06/03/2009Edited: No

THREAT:

WU-FTPD is the most popular FTP server used on Internet.

WU-FTPD Version 2.6 (shipped with RedHat Version 6.2) contains a vulnerability in the "SITE EXEC" command. The behavior of a "vsnprintf()" function can bemodified by overwriting the return address on the stack. Therefore, unauthorized remote users can execute code on the host. Anonymous FTP access is the onlyrequirement for exploiting this vulnerability.

IMPACT:By exploiting this vulnerability, unauthorized users can execute arbitrary commands as root on your server.

SOLUTION:As a temporary patch, you can disable anonymous access on your server. However, this will not prevent legitimate users from exploiting the vulnerability. You candownload a patch directly from the WU-FTPD Web site (http://www.wuftpd.org).



5 Activeport 21/tcpWU-FTPd File Globbing Heap Corruption Vulnerability

QID: 27126Category: File Transfer ProtocolCVE ID: CVE-2001-0550Vendor Reference: RHSA-2001-157Bugtraq ID: 3581Modified: 06/17/2009Edited: No

THREAT:WU-FTPd is a popular Unix FTP server. It's based on the BSD FTPd, which is maintained by Washington University.

WU-FTPd allows clients to organize files for FTP actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation offile globbing included in WU-FTPd contains a heap corruption vulnerability that may allow a malicious remote user to execute arbitrary code on a server.

During the processing of a globbing pattern, the WU-FTPd implementation creates a list of the files that match. The memory where this data is stored is on theheap, allocated using malloc(). The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocated memory.If an error occurs processing the pattern, memory will not be allocated and a variable indicating this should be set. The calling functions must check the value ofthis variable before attempting to use the globbed filenames (and later freeing the memory).

Under certain circumstances, the globbing function does not set this variable when an error occurs. As a result of this, WU-FTPd will eventually attempt to freeuninitialized memory. If this region of memory contained user-controllable data before the free call, it may be possible to have an arbitrary word in memoryoverwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten.

If anonymous FTP is not enabled, then valid user credentials are required to exploit this vulnerability.

IMPACT:




http://rhn.redhat.com/errata/RHSA-2001-157.html



If successfully exploited, a remote malicious user may be able to execute arbitrary code with the privileges of WU-FTPd, typically root.

SOLUTION:Apply the patch supplied by your vendor. Alternatively, apply the patch provided by WU-FTPd.

Workaround:

Block or restrict access to the port used by WU-FTPd, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved accesscontrol and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPd.Disable anonymous FTP access.Disable WU-FTPd until a patch can be applied.



147.144.40.253 (rpg1.ccsf.cc.ca.us, -) Windows 2000 Service Pack 3-4

Vulnerabilities (3)

5 NewMicrosoft SQL Server 2000 Service Pack 4 Missing


THREAT:The Microsoft SQL Server / MSDE 2000 host is missing Service Pack 4.

IMPACT:SQL Server 2000 Service Pack 4 includes all security hotfixes released after the release of Service Pack 3.

SOLUTION:Read Microsoft article KB290211 (http://support.microsoft.com/kb/290211) for details on downloading SQL Server 2000 Service Pack 4.


RESULTS:8.0.820

4 Newport 1433/tcpMicrosoft SQL Server 2000 Latest Patch Not Installed



THREAT:The latest Microsoft SQL security hotfixes are not installed. This check makes sure that Service Pack 4 is installed. The current version detected is shown in theresult section of the vulnerability report.

IMPACT:Microsoft SQL service packs and hotfixes are important because they fix a lot of security issues.

SOLUTION:Apply the latest service packs and hotfixes available for download from the Microsoft SQL Server Support Center (http://www.microsoft.com/sql/).


RESULTS:8.0.820

4 Newport 1723/tcpPPTP VPN Configuration Allows Weak MS-CHAPv1 Authentication

QID: 38110Category: General remote servicesCVE ID: -Vendor Reference: -Bugtraq ID: -Modified: 02/09/2009Edited: No

THREAT:The configuration of a PPTP Virtual Private Network server on this host allows clients to authenticate using the weak MS-CHAPv1 protocol (Microsoft's variationof Challenge Handshake Authentication Protocol, version 1), which contains several weaknesses. The most significant weakness is that encryption keys negotiatedby MS-CHAPv1 are used for both directions of the link. This allows an attacker with access to the encrypted data stream to effectively decrypt all data in the datastream using a trivial XOR attack.

IMPACT:An attacker with access to the data stream between client and server may be able to decrypt the data stream, thus negating the effects of data encryption. This maylead to further attacks, such as session hijacking or password theft.

SOLUTION:Disable MS-CHAPv1 support on the VPN server, and only allow the stronger CHAP or MS-CHAPv2 protocols instead. Instructions on enabling the MS-CHAPv2protocol are available at the MS-CHAP version 2 Web page (http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_RASS_MSCHAPv2.htm)on Microsoft's site.

For machines running Windows NT 4.0, Windows 95, or Windows 98, this may require applying the latest security patch. Refer to this document(http://www.schneier.com/paper-pptp.html) for details.



147.144.49.242 (s-arx169-kcsf.ccsf.cc.ca.us, -) Windows XP Service Pack 0-1

Vulnerabilities (1)

5 NewMicrosoft Windows Server Service Could Allow Remote Code Execution (MS08-067)

QID: 90464Category: WindowsCVE ID: CVE-2008-4250



Vendor Reference: MS08-067Bugtraq ID: 31874Modified: 02/12/2009Edited: No

THREAT:The Microsoft Windows Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing oflocal resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applicationsrunning on other computers and your computer, which is used for RPC.

The Server service is vulnerable to remote code execution issue, due to the service not properly handling specially-crafted RPC requests. Any anonymous user whocan deliver a specially-crafted message to the affected system could try to exploit this vulnerability.Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s):December 2008 Updates are Available (including for XPe SP3 and Standard)(http://blogs.msdn.com/embedded/archive/2008/12/26/december-2008-updates-are-available-including-for-xpe-sp3-and-standard.aspx) (KB958644)October 2008Security Updates Include a Bonus (http://blogs.msdn.com/embedded/archive/2008/10/30/october-2008-security-updates-include-a-bonus.aspx) (KB958644)

IMPACT:An attacker who successfully exploits this vulnerability could take complete control of the affected system.

SOLUTION:Patch:Following are links for downloading patches to fix the vulnerabilities:

Microsoft Windows 2000 Service Pack 4:http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3(http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3)Windows XP Service Pack 2:http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03(http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03)Windows XP Service Pack 3:http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03(http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03)Windows XP Professional x64 Edition:http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25(http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25)Windows XP Professional x64 Edition Service Pack 2:http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25(http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25)Windows Server 2003 Service Pack 1:http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D(http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D)Windows Server 2003 Service Pack 2:http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D(http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D)Windows Server 2003 x64 Edition:http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400(http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400)Windows Server 2003 x64 Edition Service Pack 2:http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400(http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400)Windows Server 2003 with SP1 for Itanium-based Systems:http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF(http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF)Windows Server 2003 with SP2 for Itanium-based Systems:http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF(http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF)Windows Vista and Windows Vista Service Pack 1:http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD-AC5C-CAC7D8713B21(http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD-AC5C-CAC7D8713B21)For a complete list of patch download links, please refer to Micrsoft Security Bulletin MS08-067(http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx).


RESULTS:Detected through MSRPC Interface

http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx



Appendix

Selected ScansDate : 07/05/2009 at 07:25:25 (GMT-0800)Active Hosts : 59Total Hosts : 269Type : On demandStatus : FinishedReference : scan/1246807525.1079Scanner Appliance : 64.39.104.154 (Scanner 5.1.39-1,Web 6.5.117-1,Vulnsigs 1.23.19-2)Duration : 00:47:34Title : InternetScanAsset Groups : ServerGroupIPs : 147.144.1.0-147.144.1.255, 147.144.4.4, 147.144.17.71-147.144.17.72, 147.144.19.11,

147.144.20.19, 147.144.20.40, 147.144.33.130, 147.144.40.253, 147.144.49.242,147.144.51.52, 147.144.55.252, 147.144.55.254, 147.144.79.245

Options Profile : Initial OptionsDate : 07/05/2009 at 08:15:41 (GMT-0800)Active Hosts : 58Total Hosts : 269Type : On demandStatus : FinishedReference : scan/1246810541.23046Scanner Appliance : 64.39.104.177 (Scanner 5.1.39-1,Web 6.5.117-1,Vulnsigs 1.23.19-2)Duration : 00:39:30Title : full-access-scanAsset Groups : ServerGroupIPs : 147.144.1.0-147.144.1.255, 147.144.4.4, 147.144.17.71-147.144.17.72, 147.144.19.11,

147.144.20.19, 147.144.20.40, 147.144.33.130, 147.144.40.253, 147.144.49.242,147.144.51.52, 147.144.55.252, 147.144.55.254, 147.144.79.245

Options Profile : Initial Options

Options Profile

Initial Options

Scan SettingsPorts:Scanned TCP Ports: Standard ScanScanned UDP Ports: Standard ScanScan Dead Hosts: OffLoad Balancer Detection: OffPerform 3-way Handshake: OffVulnerability Detection: CompletePassword Brute Forcing:System: DisabledCustom: DisabledAuthentication:Windows: DisabledUnix: DisabledOracle: DisabledOracle Listener: DisabledSNMP: DisabledOverall Performance: NormalHosts to Scan in Parallel:


External Scanners: 15Scanner Appliances: 30Processes to Run in Parallel:Total: 10HTTP: 10Packet (Burst) Delay: MediumPort Scanning and Host Discovery:Intensity: Normal

Advanced SettingsHost Discovery: TCP Standard Scan, UDP Standard Scan, ICMP OnIgnore RST packets: OffIgnore firewall-generated SYN-ACK packets: OffDo not send ACK or SYN-ACK packets during host discovery: Off

Report FiltersVulnerability Lists: Scan Report Template: High Severity ReportQIDs: 1001, 1002, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1016, 1017,

1019, 1021, 1022, 1023, 1024, 1025, 1026, 1114, 1115, 1116, 1117, 1119, 1120, 1121,1122, 1125, 1126, 1128, 1129, 1131, 1132, 1133, 1134, 1135, 1137, 1138, 1139, 1140,1141, 1142, 1143, 1144, 1145, 1146, 1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154,1155, 1156, 1157, 1158, 1159, 1160, 1161, 1163, 1166, 1167, 1168, 1169, 1171, 1172,1173, 1175, 1176, 1177, 1178, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188,1190, 1191, 1192, 1193, 1195, 1199, 1201, 1203, 1204, 1205, 1206, 1207, 1210, 1212,1213, 1214, 1216, 1217, 1222, 1224, 1225, 1226, 1227, 1228, 1232, 1406, 2600, 5000,5005, 10000, 10001, 10003, 10004, 10006, 10007, 10008, 10009, 10010, 10012, 10013,10014, 10017, 10018, 10021, 10022, 10024, 10025, 10026, 10027, 10028, 10029, 10031,10032, 10034, 10035, 10036, 10037, 10038, 10040, 10042, 10044, 10045, 10048, 10049,10053, 10054, 10056, 10057, 10059, 10062, 10065, 10066, 10067, 10069, 10070, 10071,10072, 10073, 10074, 10079, 10082, 10087, 10090, 10094, 10096, 10098, 10103, 10107,10109, 10113, 10114, 10117, 10122, 10123, 10124, 10126, 10127, 10129, 10130, 10131,10132, 10134, 10135, 10137, 10141, 10142, 10143, 10144, 10146, 10151, 10154, 10158,10161, 10162, 10163, 10164, 10165, 10167, 10168, 10170, 10171, 10174, 10177, 10180,10181, 10184, 10188, 10191, 10192, 10194, 10195, 10197, 10200, 10204, 10206, 10208,10212, 10216, 10218, 10220, 10221, 10222, 10223, 10230, 10232, 10233, 10236, 10237,10239, 10243, 10244, 10245, 10249, 10250, 10252, 10253, 10254, 10257, 10258, 10259,10260, 10263, 10265, 10266, 10268, 10328, 10329, 10332, 10333, 10335, 10336, 10341,10342, 10346, 10349, 10353, 10355, 10356, 10357, 10359, 10361, 10364, 10365, 10367,10371, 10374, 10375, 10381, 10383, 10386, 10389, 10392, 10394, 10396, 10397, 10398,10399, 10401, 10402, 10403, 10404, 10405, 10406, 10409, 10410, 10411, 10412, 10413,10415, 10416, 10417, 10418, 10428, 10429, 10430, 10431, 10435, 10436, 10438, 10451,10454, 10467, 10486, 10490, 10493, 10521, 10524, 10525, 10534, 10536, 10537, 10540,10557, 10558, 10568, 10570, 10571, 10572, 10577, 10578, 10580, 10581, 10583, 10584,10585, 10586, 10587, 10590, 10623, 10624, 10625, 10626, 10630, 10633, 10636, 10647,10650, 10651, 10655, 10656, 10662, 10664, 10669, 10670, 10681, 10684, 10694, 10701,10702, 10703, 10704, 10710, 10711, 10712, 10715, 10719, 10720, 10723, 10730, 10732,10734, 10739, 10740, 10746, 10752, 10753, 10758, 10760, 10779, 10784, 10789, 10794,10798, 10802, 10808, 10810, 10812, 10821, 10822, 10832, 10837, 10848, 10849, 10850,10854, 10855, 10856, 10861, 10863, 10865, 10867, 10869, 10870, 10871, 10872, 10873,10874, 10875, 10876, 10877, 10879, 10885, 10886, 10888, 10890, 10893, 10897, 10900,10901, 10916, 10918, 10932, 10935, 10942, 10943, 10949, 10952, 10957, 10958, 10964,10965, 10966, 10967, 10968, 10969, 10970, 10971, 10972, 10975, 10977, 10978, 10979,10980, 10982, 10984, 10987, 10988, 10989, 10990, 10991, 10992, 10997, 11003, 11005,11008, 11009, 11013, 11024, 11027, 11039, 11040, 11041, 11048, 11050, 11054, 11057,11058, 11060, 11064, 11068, 11080, 11081, 11083, 11085, 11089, 11090, 11092, 11093,11096, 11098, 11104, 11105, 11106, 11108, 11112, 11113, 11116, 11118, 11119, 11120,11123, 11132, 11133, 11145, 11157, 11158, 11159, 11161, 11164, 11166, 11167, 11170,11177, 11180, 11182, 11184, 11186, 11187, 11188, 11194, 11195, 11196, 11198, 11200,11202, 11205, 11210, 11211, 11212, 11213, 11214, 11215, 11218, 11219, 11223, 11230,11232, 11233, 11236, 11237, 11238, 11241, 11243, 11245, 11246, 11247, 11250, 11251,11259, 11263, 11265, 11270, 11271, 11272, 11278, 11281, 11283, 11285, 11296, 11297,11300, 11304, 11305, 11307, 11309, 11310, 11312, 11318, 11326, 11327, 11329, 11337,11339, 11348, 11362, 11364, 11366, 11371, 11372, 11384, 11386, 11390, 11396, 11400,11413, 11415, 11417, 11419, 11430, 11436, 11437, 11438, 11439, 11440, 11452, 11453,11455, 11458, 11464, 11465, 11466, 11467, 11468, 11473, 11481, 11482, 11483, 11485,12001, 12002, 12003, 12005, 12010, 12017, 12018, 12020, 12023, 12025, 12026, 12027,12030, 12032, 12035, 12036, 12039, 12041, 12042, 12043, 12045, 12047, 12050, 12052,12053, 12054, 12055, 12056, 12057, 12060, 12062, 12067, 12068, 12069, 12075, 12077,12079, 12080, 12081, 12082, 12085, 12097, 12098, 12099, 12100, 12103, 12119, 12121,12128, 12133, 12135, 12138, 12139, 12141, 12142, 12151, 12153, 12157, 12165, 12168,12175, 12177, 12178, 12183, 12186, 12191, 12193, 12195, 12196, 12205, 12210, 12211,12212, 12214, 12221, 12236, 12258, 12260, 12263, 12278, 15033, 15037, 15039, 15040,15041, 15042, 15043, 15044, 15047, 19001, 19003, 19004, 19005, 19013, 19029, 19058,19059, 19060, 19061, 19064, 19065, 19066, 19067, 19068, 19069, 19070, 19071, 19078,19086, 19089, 19090, 19091, 19093, 19094, 19096, 19099, 19103, 19106, 19107, 19108,19109, 19112, 19124, 19146, 19147, 19150, 19151, 19154, 19155, 19156, 19157, 19158,


19159, 19160, 19161, 19162, 19164, 19197, 19203, 19205, 19210, 19211, 19215, 19216,19219, 19223, 19227, 19231, 19232, 19238, 19260, 19267, 19277, 19278, 19279, 19280,19281, 19282, 19283, 19284, 19285, 19286, 19287, 19288, 19289, 19290, 19291, 19292,19293, 19294, 19295, 19296, 19297, 19298, 19299, 19300, 19301, 19302, 19303, 19304,19305, 19306, 19308, 19309, 19310, 19311, 19312, 19313, 19314, 19315, 19316, 19317,19318, 19319, 19320, 19321, 19322, 19323, 19324, 19325, 19326, 19327, 19328, 19329,19330, 19331, 19332, 19333, 19334, 19336, 19337, 19338, 19339, 19340, 19341, 19342,19343, 19344, 19345, 19346, 19347, 19348, 19349, 19350, 19351, 19352, 19353, 19354,19355, 19356, 19357, 19358, 19359, 19360, 19361, 19362, 19363, 19364, 19365, 19366,19367, 19368, 19369, 19370, 19371, 19372, 19373, 19374, 19375, 19376, 19377, 19378,19379, 19380, 19381, 19382, 19383, 19384, 19385, 19386, 19387, 19388, 19389, 19390,19391, 19392, 19393, 19394, 19395, 19396, 19397, 19398, 19399, 19400, 19401, 19402,19403, 19404, 19405, 19406, 19407, 19408, 19409, 19413, 19414, 19415, 19416, 19417,19418, 19419, 19420, 19421, 19422, 19423, 19424, 19425, 19426, 19427, 19428, 19429,19430, 19431, 19432, 19433, 19434, 19435, 19436, 19437, 19438, 19439, 19440, 19441,19442, 19443, 19444, 19445, 19446, 19447, 19448, 19449, 19450, 19451, 19452, 19453,19454, 19455, 19456, 19457, 19458, 19459, 19460, 19461, 19462, 19463, 19468, 19469,19470, 19471, 19472, 19474, 19475, 19476, 19477, 19478, 19479, 19480, 19481, 19482,19483, 19484, 19485, 19486, 19487, 19488, 19489, 19490, 19491, 19494, 19495, 19496,19497, 19498, 19499, 23004, 23005, 23007, 23008, 23009, 23011, 23012, 23013, 23014,23016, 27002, 27004, 27006, 27007, 27009, 27011, 27014, 27017, 27018, 27023, 27024,27026, 27027, 27028, 27031, 27032, 27040, 27041, 27045, 27047, 27049, 27051, 27064,27068, 27069, 27071, 27075, 27076, 27078, 27080, 27081, 27086, 27089, 27092, 27094,27095, 27099, 27101, 27104, 27106, 27107, 27110, 27111, 27112, 27116, 27117, 27118,27125, 27126, 27130, 27133, 27135, 27142, 27143, 27145, 27146, 27150, 27151, 27152,27153, 27160, 27161, 27163, 27164, 27165, 27166, 27167, 27169, 27170, 27171, 27174,27179, 27181, 27185, 27191, 27192, 27193, 27197, 27203, 27204, 27205, 27206, 27207,27210, 27211, 27217, 27221, 27222, 27223, 27228, 27229, 27234, 27236, 27244, 27245,27247, 27257, 27258, 27265, 27279, 27302, 31004, 31005, 31006, 31007, 31008, 31013,31014, 34008, 34016, 34019, 34023, 34024, 34025, 34030, 34039, 38008, 38022, 38023,38024, 38026, 38027, 38028, 38031, 38036, 38037, 38043, 38048, 38053, 38054, 38064,38066, 38068, 38071, 38075, 38076, 38078, 38083, 38087, 38097, 38103, 38105, 38106,38108, 38109, 38110, 38123, 38125, 38133, 38134, 38137, 38142, 38143, 38146, 38156,38157, 38158, 38160, 38161, 38162, 38175, 38176, 38180, 38182, 38183, 38184, 38185,38187, 38188, 38189, 38197, 38207, 38212, 38215, 38216, 38222, 38224, 38225, 38227,38228, 38231, 38233, 38244, 38259, 38261, 38264, 38271, 38272, 38276, 38278, 38279,38281, 38283, 38286, 38288, 38304, 38305, 38308, 38314, 38315, 38316, 38317, 38318,38320, 38321, 38326, 38330, 38332, 38334, 38335, 38338, 38340, 38345, 38346, 38347,38350, 38355, 38356, 38357, 38358, 38360, 38361, 38362, 38363, 38364, 38365, 38367,38368, 38369, 38370, 38371, 38373, 38374, 38376, 38377, 38380, 38381, 38382, 38385,38386, 38387, 38388, 38389, 38390, 38391, 38392, 38393, 38394, 38395, 38396, 38398,38399, 38400, 38403, 38405, 38406, 38410, 38412, 38415, 38417, 38419, 38423, 38446,38455, 38461, 38469, 38473, 38475, 38482, 38483, 38484, 38486, 38490, 38504, 38506,38511, 38516, 38531, 38535, 38545, 38546, 38553, 38554, 38555, 38560, 38561, 38562,38565, 38566, 38569, 38570, 38571, 38574, 38575, 38576, 38578, 38583, 38586, 38590,38595, 42005, 42006, 42007, 42008, 42020, 43001, 43002, 43005, 43008, 43010, 43014,43016, 43017, 43018, 43021, 43023, 43057, 43061, 43064, 43065, 43066, 43067, 43068,43069, 43070, 43072, 43076, 43088, 43090, 43117, 43119, 43122, 43123, 43124, 43125,43126, 43127, 43128, 43129, 45003, 50001, 50002, 50007, 50008, 50014, 50015, 50023,50025, 50027, 50029, 50034, 50035, 50036, 50037, 50039, 50044, 50051, 50054, 50062,50066, 50067, 50068, 50071, 50073, 50074, 50076, 50077, 50080, 50081, 50083, 50085,50086, 50088, 54000, 54001, 54002, 54003, 54010, 62004, 62005, 62013, 62024, 62025,62029, 62030, 62033, 62034, 62036, 62037, 62040, 62042, 62043, 62045, 62046, 62052,62054, 62059, 66001, 66010, 66011, 66031, 66034, 66038, 66049, 68504, 68507, 68517,68518, 68520, 68522, 68524, 68528, 68530, 68531, 68532, 68533, 70002, 70003, 70005,70006, 70014, 70016, 70017, 70023, 70024, 70029, 70032, 70034, 70036, 70037, 70042,70043, 70044, 70046, 70050, 74016, 74024, 74027, 74030, 74031, 74047, 74048, 74049,74051, 74052, 74054, 74057, 74059, 74062, 74063, 74064, 74065, 74066, 74070, 74071,74072, 74074, 74075, 74080, 74081, 74086, 74106, 74111, 74112, 74121, 74129, 74131,74133, 74135, 74138, 74139, 74140, 74143, 74146, 74149, 74151, 74152, 74154, 74155,74156, 74157, 74162, 74164, 74167, 74168, 74169, 74170, 74172, 74174, 74175, 74177,74178, 74179, 74180, 74181, 74182, 74185, 74198, 74206, 74213, 74214, 74219, 74228,74232, 78029, 78031, 78035, 78039, 78041, 78043, 78044, 82043, 82051, 82060, 86011,86019, 86020, 86021, 86026, 86027, 86028, 86030, 86034, 86036, 86038, 86040, 86042,86043, 86052, 86053, 86056, 86059, 86060, 86061, 86067, 86070, 86073, 86075, 86083,86084, 86088, 86092, 86109, 86112, 86114, 86135, 86140, 86164, 86168, 86169, 86170,86182, 86183, 86185, 86187, 86188, 86195, 86211, 86212, 86213, 86215, 86217, 86218,86219, 86220, 86224, 86225, 86227, 86228, 86231, 86235, 86236, 86237, 86238, 86239,86242, 86243, 86250, 86255, 86260, 86261, 86266, 86271, 86276, 86281, 86294, 86300,86305, 86328, 86329, 86352, 86353, 86355, 86368, 86372, 86375, 86385, 86389, 86398,86401, 86403, 86411, 86418, 86426, 86427, 86430, 86440, 86441, 86443, 86446, 86447,86450, 86451, 86452, 86453, 86458, 86459, 86460, 86461, 86464, 86465, 86466, 86467,86468, 86470, 86479, 86504, 86505, 86507, 86508, 86510, 86512, 86514, 86515, 86518,86520, 86522, 86525, 86526, 86527, 86530, 86531, 86536, 86537, 86546, 86547, 86548,86551, 86553, 86555, 86560, 86561, 86566, 86568, 86571, 86574, 86582, 86588, 86596,86598, 86603, 86604, 86607, 86614, 86620, 86631, 86634, 86635, 86644, 86651, 86652,86654, 86655, 86661, 86663, 86668, 86669, 86673, 86674, 86675, 86678, 86682, 86684,86686, 86689, 86690, 86691, 86702, 86707, 86832, 86837, 90005, 90028, 90032, 90049,90050, 90051, 90054, 90056, 90064, 90070, 90071, 90072, 90073, 90075, 90078, 90079,90085, 90086, 90089, 90102, 90103, 90104, 90108, 90109, 90110, 90111, 90112, 90113,90115, 90122, 90123, 90125, 90131, 90132, 90133, 90134, 90135, 90137, 90140, 90141,90153, 90155, 90158, 90160, 90161, 90162, 90164, 90166, 90167, 90168, 90169, 90171,90172, 90176, 90178, 90180, 90182, 90183, 90184, 90185, 90186, 90187, 90188, 90189,90190, 90192, 90193, 90198, 90199, 90200, 90201, 90202, 90203, 90204, 90205, 90207,90211, 90212, 90215, 90216, 90217, 90221, 90222, 90223, 90225, 90227, 90228, 90229,90230, 90231, 90233, 90234, 90237, 90240, 90241, 90242, 90243, 90247, 90249, 90252,90253, 90256, 90261, 90262, 90267, 90268, 90270, 90271, 90273, 90274, 90275, 90276,90278, 90280, 90282, 90283, 90284, 90286, 90289, 90291, 90292, 90296, 90297, 90301,


90303, 90305, 90307, 90308, 90309, 90311, 90312, 90314, 90316, 90318, 90319, 90327,90328, 90329, 90336, 90337, 90338, 90339, 90340, 90341, 90342, 90343, 90345, 90351,90352, 90355, 90356, 90361, 90363, 90364, 90365, 90367, 90368, 90370, 90371, 90372,90377, 90378, 90379, 90380, 90381, 90382, 90383, 90385, 90388, 90389, 90390, 90392,90393, 90394, 90395, 90397, 90398, 90401, 90403, 90404, 90405, 90406, 90407, 90408,90409, 90414, 90417, 90418, 90419, 90420, 90423, 90425, 90427, 90428, 90430, 90431,90432, 90433, 90434, 90435, 90437, 90438, 90439, 90441, 90444, 90445, 90448, 90449,90450, 90452, 90453, 90455, 90457, 90458, 90459, 90460, 90461, 90462, 90463, 90464,90466, 90467, 90469, 90470, 90471, 90472, 90473, 90474, 90475, 90477, 90478, 90479,90481, 90482, 90483, 90484, 90488, 90490, 90493, 90495, 90499, 90501, 90502, 90503,90504, 90506, 90510, 90511, 90512, 90513, 90514, 90515, 90516, 90517, 90518, 90519,90521, 90522, 90523, 90524, 90525, 90526, 90527, 90528, 90529, 90530, 90531, 90535,90537, 90543, 90544, 90545, 90546, 90547, 90549, 90550, 90551, 90552, 90554, 90565,90566, 90567, 90568, 95001, 95005, 95006, 95007, 100000, 100001, 100002, 100003,100004, 100006, 100007, 100008, 100018, 100022, 100024, 100025, 100026, 100028,100029, 100030, 100031, 100032, 100033, 100034, 100035, 100036, 100037, 100038,100039, 100045, 100046, 100047, 100050, 100051, 100052, 100053, 100054, 100055,100056, 100057, 100058, 100059, 100063, 100064, 100065, 100067, 100070, 100071,100073, 105007, 105010, 105012, 105029, 105030, 105081, 105082, 105095, 105096,110001, 110002, 110003, 110004, 110006, 110007, 110008, 110009, 110010, 110011,110012, 110014, 110015, 110017, 110018, 110019, 110020, 110023, 110025, 110026,110027, 110028, 110029, 110031, 110032, 110033, 110034, 110035, 110036, 110038,110041, 110042, 110043, 110044, 110045, 110046, 110048, 110049, 110050, 110051,110052, 110053, 110054, 110055, 110056, 110057, 110059, 110060, 110062, 110063,110064, 110065, 110066, 110067, 110069, 110070, 110071, 110072, 110073, 110074,110075, 110076, 110077, 110078, 110079, 110080, 110081, 110082, 110083, 110084,110085, 110086, 110088, 110090, 110092, 110093, 110094, 110095, 110096, 110097,110098, 110099, 110100, 110101, 110111, 115000, 115001, 115002, 115003, 115005,115006, 115007, 115013, 115014, 115015, 115016, 115018, 115020, 115021, 115022,115024, 115025, 115028, 115036, 115037, 115038, 115039, 115043, 115047, 115053,115060, 115260, 115270, 115272, 115280, 115281, 115289, 115292, 115293, 115297,115299, 115301, 115302, 115304, 115306, 115312, 115341, 115345, 115346, 115354,115359, 115361, 115363, 115372, 115373, 115375, 115376, 115382, 115383, 115384,115385, 115388, 115395, 115398, 115400, 115403, 115406, 115409, 115411, 115413,115414, 115416, 115417, 115419, 115422, 115425, 115427, 115429, 115431, 115436,115437, 115440, 115441, 115445, 115446, 115447, 115448, 115449, 115454, 115461,115462, 115466, 115470, 115471, 115475, 115478, 115479, 115480, 115483, 115486,115488, 115492, 115493, 115499, 115500, 115501, 115512, 115515, 115516, 115517,115520, 115521, 115523, 115527, 115532, 115533, 115535, 115539, 115540, 115541,115544, 115545, 115550, 115551, 115557, 115560, 115564, 115568, 115571, 115574,115578, 115579, 115581, 115582, 115586, 115589, 115592, 115593, 115595, 115596,115597, 115598, 115599, 115601, 115603, 115604, 115620, 115622, 115629, 115631,115634, 115640, 115641, 115647, 115648, 115649, 115650, 115656, 115658, 115659,115661, 115665, 115666, 115668, 115670, 115673, 115674, 115675, 115676, 115678,115679, 115681, 115683, 115687, 115688, 115689, 115690, 115694, 115695, 115698,115701, 115707, 115708, 115709, 115710, 115711, 115722, 115725, 115732, 115739,115740, 115746, 115748, 115752, 115753, 115754, 115763, 115764, 115765, 115772,115775, 115778, 115779, 115781, 115785, 115790, 115793, 115796, 115802, 115803,115807, 115808, 115809, 115811, 115812, 115816, 115817, 115818, 115819, 115823,115824, 115828, 115829, 115836, 115838, 115842, 115847, 115848, 115851, 115852,115855, 115859, 115860, 115862, 115865, 115866, 115870, 115872, 115876, 115879,115885, 115894, 115901, 115903, 115908, 115918, 115921, 115924, 115925, 115926,115928, 115932, 115935, 115937, 115940, 115943, 115944, 115949, 115955, 115959,115960, 115963, 115967, 115969, 115978, 115979, 115983, 115987, 115989, 115991,115992, 115995, 115996, 116003, 116007, 116011, 116012, 116017, 116025, 116027,116031, 116032, 116035, 116039, 116044, 116046, 116063, 116068, 116069, 116081,116086, 116088, 116089, 116091, 116109, 116114, 116134, 116136, 116137, 116139,116142, 116143, 116145, 116148, 116149, 116151, 116155, 116164, 116170, 116172,116173, 116174, 116178, 116179, 116180, 116181, 116182, 116184, 116185, 116194,116195, 116196, 116197, 116205, 116215, 116219, 116220, 116232, 116234, 116238,116244, 116247, 116255, 116257, 116258, 116261, 116263, 116264, 116273, 116275,116281, 116311, 116318, 116328, 116333, 116334, 116339, 116345, 116348, 116351,116353, 116358, 116360, 116363, 116367, 116369, 116374, 116384, 116385, 116387,116389, 116390, 116391, 116393, 116395, 116396, 116399, 116400, 116403, 116407,116408, 116416, 116420, 116423, 116424, 116428, 116429, 116431, 116437, 116440,116443, 116453, 116455, 116459, 116461, 116463, 116471, 116473, 116474, 116477,116484, 116496, 116509, 116510, 116517, 116521, 116528, 116529, 116530, 116535,116536, 116539, 116542, 116547, 116548, 116552, 116553, 116556, 116602, 116603,116607, 116608, 116609, 116624, 116635, 116637, 116645, 116650, 116660, 116672,116677, 150000, 150001, 150003, 150012, 150013, 150046, 150047, 150048, 150049,155358, 175000, 175001, 175002, 175003

Status: New, Active, Re-OpenedVulnerabilities: State:ActiveIncluded Operating Systems: All Operating Systems

Report Legend

Vulnerability LevelsA Vulnerability is a design flaw or mis-configuration which makes your network (or a host on your network) susceptible to malicious attacks from local or remote users.Vulnerabilities can exist in several areas of your network, such as in your firewalls, FTP servers, Web servers, operating systems or CGI bins. Depending on the level of thesecurity risk, the successful exploitation of a vulnerability can vary from the disclosure of information about the host to a complete compromise of the host.

Severity Level Description



1 Minimal Intruders can collect information about the host (open ports, services, etc.) and may beable to use this information to find other vulnerabilities.

2 Medium Intruders may be able to collect sensitive information from the host, such as theprecise version of software installed. With this information, intruders can easilyexploit known vulnerabilities specific to software versions.

3 Serious Intruders may be able to gain access to specific information stored on the host,including security settings. This could result in potential misuse of the host byintruders. For example, vulnerabilities at this level may include partial disclosure offile contents, access to certain files on the host, directory browsing, disclosure offiltering rules and security mechanisms, denial of service attacks, and unauthorized useof services, such as mail-relaying.

4 Critical Intruders can possibly gain control of the host, or there may be potential leakage ofhighly sensitive information. For example, vulnerabilities at this level may includefull read access to files, potential backdoors, or a listing of all the users on thehost.

5 Urgent Intruders can easily gain control of the host, which can lead to the compromise of yourentire network security. For example, vulnerabilities at this level may include fullread and write access to files, remote execution of commands, and the presence ofbackdoors.

Potential Vulnerability LevelsA potential vulnerability is one which we cannot confirm exists. The only way to verify the existence of such vulnerabilities on your network would be to perform anintrusive scan, which could result in a denial of service. This is strictly against our policy. Instead, we urge you to investigate these potential vulnerabilities further.


1 Minimal If this vulnerability exists on your system, intruders can collect information about thehost (open ports, services, etc.) and may be able to use this information to find othervulnerabilities.

2 Medium If this vulnerability exists on your system, intruders may be able to collect sensitiveinformation from the host, such as the precise version of software installed. With thisinformation, intruders can easily exploit known vulnerabilities specific to softwareversions.

3 Serious If this vulnerability exists on your system, intruders may be able to gain access tospecific information stored on the host, including security settings. This could resultin potential misuse of the host by intruders. For example, vulnerabilities at this levelmay include partial disclosure of file contents, access to certain files on the host,directory browsing, disclosure of filtering rules and security mechanisms, denial ofservice attacks, and unauthorized use of services, such as mail-relaying.

4 Critical If this vulnerability exists on your system, intruders can possibly gain control of thehost, or there may be potential leakage of highly sensitive information. For example,vulnerabilities at this level may include full read access to files, potentialbackdoors, or a listing of all the users on the host.

5 Urgent If this vulnerability exists on your system, intruders can easily gain control of thehost, which can lead to the compromise of your entire network security. For example,vulnerabilities at this level may include full read and write access to files, remoteexecution of commands, and the presence of backdoors.

Information GatheredInformation Gathered includes visible information about the network related to the host, such as traceroute information, Internet Service Provider (ISP), or a list ofreachable hosts. Information Gathered severity levels also include Network Mapping data, such as detected firewalls, SMTP banners, or a list of open TCP services.


1 Minimal Intruders may be able to retrieve sensitive information related to the host, such asopen UDP and TCP services lists, and detection of firewalls.

2 Medium Intruders may be able to determine the operating system running on the host, and view banner versions.

3 Serious Intruders may be able to detect highly sensitive data, such as global system user lists.


This report was generated with an evaluation version of qualysguardThis report was generated with an evaluation version of qualysguard

CONFIDENTIAL AND PROPRIETARY INFORMATION.Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete orerror-free. Copyright 2009, Qualys, Inc.

A2F-Dataway High Severity Host Report- IntranetScan

Documents

Transcript of A2F-Dataway High Severity Host Report- IntranetScan