Subnetz_PenLab_aiebjr
Uploaded by patrik-fehren
Nessus Scan Report
08/May/2014:19:21:21
Nessus Home: Commercial use of the report is prohibited
Any time Nessus is used in a commercial environment you MUST maintain an active subscription to the Nessus Feed in order to be compliant with our license agreement: http://www.tenable.com/products/nessus
Table Of Contents
Hosts Summary (Executive).................................................................................................7
•192.168.222.58............................................................................................................................................................8
•192.168.222.59..........................................................................................................................................................10
•192.168.222.60..........................................................................................................................................................12
•192.168.222.61..........................................................................................................................................................15
•192.168.222.62..........................................................................................................................................................16
•192.168.222.63..........................................................................................................................................................17
•192.168.222.64..........................................................................................................................................................19
•192.168.222.65..........................................................................................................................................................23
•192.168.222.100........................................................................................................................................................24
•192.168.222.154........................................................................................................................................................25
Vulnerabilities By Host....................................................................................................... 26
•192.168.222.58..........................................................................................................................................................27
•192.168.222.59..........................................................................................................................................................70
•192.168.222.60..........................................................................................................................................................86
•192.168.222.61........................................................................................................................................................145
•192.168.222.62........................................................................................................................................................157
•192.168.222.63........................................................................................................................................................165
•192.168.222.64........................................................................................................................................................183
•192.168.222.65........................................................................................................................................................300
•192.168.222.100......................................................................................................................................................313
•192.168.222.154......................................................................................................................................................321
Vulnerabilities By Plugin...................................................................................................333
•33850 (3) - Unsupported Unix Operating System.................................................................................................. 334
•45004 (2) - Apache 2.2 < 2.2.15 Multiple Vulnerabilities....................................................................................... 335
•60085 (2) - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities......................................................................................... 337
•18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)................................................................................................................ 338
•22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)...................................................................................................... 339
•25216 (1) - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow............................................... 340
•32314 (1) - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness.................................. 341
•34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)...................................................................................... 342
•34970 (1) - Apache Tomcat Manager Common Administrative Credentials.......................................................... 343
•35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)................................................................................................................ 345
•53514 (1) - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)................................................................................................................ 346
•73182 (1) - Microsoft Windows XP Unsupported Installation Detection................................................................. 347
•48245 (2) - PHP 5.3 < 5.3.3 Multiple Vulnerabilities.............................................................................................. 348
•51140 (2) - PHP 5.3 < 5.3.4 Multiple Vulnerabilities.............................................................................................. 351
•52717 (2) - PHP 5.3 < 5.3.6 Multiple Vulnerabilities.............................................................................................. 354
•55925 (2) - PHP 5.3 < 5.3.7 Multiple Vulnerabilities.............................................................................................. 357
•57537 (2) - PHP < 5.3.9 Multiple Vulnerabilities.................................................................................................... 359
•58966 (2) - PHP < 5.3.11 Multiple Vulnerabilities.................................................................................................. 361
•58988 (2) - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution.....................................................................363
•59056 (2) - PHP 5.3.x < 5.3.13 CGI Query String Code Execution....................................................................... 365
•59529 (2) - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities......................................................................................... 367
•66842 (2) - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities......................................................................................... 369
•67259 (2) - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities......................................................................................... 370
•10081 (1) - FTP Privileged Port Bounce Scan.......................................................................................................371
•22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)...................................................................................................... 372
•34460 (1) - Unsupported Web Server Detection.................................................................................................... 373
•42411 (1) - Microsoft Windows SMB Shares Unprivileged Access........................................................................374
•55976 (1) - Apache HTTP Server Byte Range DoS.............................................................................................. 375
•11213 (6) - HTTP TRACE / TRACK Methods Allowed...........................................................................................377
•57792 (6) - Apache HTTP Server httpOnly Cookie Information Disclosure........................................................... 383
•57608 (4) - SMB Signing Required........................................................................................................................ 386
•20007 (3) - SSL Version 2 (v2) Protocol Detection................................................................................................387
•26928 (3) - SSL Weak Cipher Suites Supported................................................................................................... 388
•42873 (3) - SSL Medium Strength Cipher Suites Supported................................................................................. 391
•51192 (3) - SSL Certificate Cannot Be Trusted..................................................................................................... 393
•51892 (3) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue.......................................................................................................................395
•57582 (3) - SSL Self-Signed Certificate................................................................................................................. 397
•10677 (2) - Apache mod_status /server-status Information Disclosure.................................................................. 398
•10678 (2) - Apache mod_info /server-info Information Disclosure......................................................................... 399
•15901 (2) - SSL Certificate Expiry..........................................................................................................................400
•26920 (2) - Microsoft Windows SMB NULL Session Authentication...................................................................... 401
•42880 (2) - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection.................................................402
•44921 (2) - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities....................................................................................... 405
•48205 (2) - Apache 2.2 < 2.2.16 Multiple Vulnerabilities....................................................................................... 407
•50070 (2) - Apache 2.2 < 2.2.17 Multiple Vulnerabilities....................................................................................... 409
•51439 (2) - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS......................................................411
•53896 (2) - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS.......................................................................................412
•56216 (2) - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS...........................................................................................413
•57791 (2) - Apache 2.2 < 2.2.22 Multiple Vulnerabilities....................................................................................... 414
•62101 (2) - Apache 2.2 < 2.2.23 Multiple Vulnerabilities....................................................................................... 416
•64912 (2) - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities....................................................... 417
•64992 (2) - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities......................................................................................... 418
•66584 (2) - PHP 5.3.x < 5.3.23 Information Disclosure......................................................................................... 420
•68915 (2) - Apache 2.2 < 2.2.25 Multiple Vulnerabilities....................................................................................... 421
•71426 (2) - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities......................................................................... 423
•73289 (2) - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass.................................................................... 425
•73405 (2) - Apache 2.2 < 2.2.27 Multiple Vulnerabilities....................................................................................... 426
•10073 (1) - Finger Recursive Request Arbitrary Site Redirection.......................................................................... 427
•10079 (1) - Anonymous FTP Enabled....................................................................................................................428
•10882 (1) - SSH Protocol Version 1 Session Key Retrieval.................................................................................. 429
•20928 (1) - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)...................................................................................................... 430
•26919 (1) - Microsoft Windows SMB Guest Account Local User Access.............................................................. 431
•35291 (1) - SSL Certificate Signed using Weak Hashing Algorithm...................................................................... 432
•45411 (1) - SSL Certificate with Wrong Hostname................................................................................................ 433
•51893 (1) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue.......................................................................................................................... 434
•52611 (1) - SMTP Service STARTTLS Plaintext Command Injection....................................................................435
•62565 (1) - Transport Layer Security (TLS) Protocol CRIME Vulnerability............................................................ 437
•70658 (5) - SSH Server CBC Mode Ciphers Enabled........................................................................................... 438
•71049 (5) - SSH Weak MAC Algorithms Enabled..................................................................................................441
•65821 (3) - SSL RC4 Cipher Suites Supported..................................................................................................... 443
•34324 (2) - FTP Supports Clear Text Authentication............................................................................................. 446
•15855 (1) - POP3 Cleartext Logins Permitted........................................................................................................447
•31705 (1) - SSL Anonymous Cipher Suites Supported..........................................................................................448
•42263 (1) - Unencrypted Telnet Server..................................................................................................................450
•11219 (41) - Nessus SYN scanner.........................................................................................................................451
•22964 (30) - Service Detection...............................................................................................................................454
•10107 (12) - HTTP Server Type and Version........................................................................................................ 456
•24260 (12) - HyperText Transfer Protocol (HTTP) Information.............................................................................. 458
•10287 (10) - Traceroute Information.......................................................................................................................462
•10736 (10) - DCE Services Enumeration............................................................................................................... 463
•11936 (10) - OS Identification.................................................................................................................................469
•12053 (10) - Host Fully Qualified Domain Name (FQDN) Resolution.................................................................... 472
•19506 (10) - Nessus Scan Information...................................................................................................................473
•20094 (10) - VMware Virtual Machine Detection....................................................................................................478
•25220 (10) - TCP/IP Timestamps Supported......................................................................................................... 479
•35716 (10) - Ethernet Card Manufacturer Detection.............................................................................................. 480
•45590 (10) - Common Platform Enumeration (CPE)..............................................................................................482
•54615 (10) - Device Type.......................................................................................................................................484
•10114 (9) - ICMP Timestamp Request Remote Date Disclosure...........................................................................485
•11011 (8) - Microsoft Windows SMB Service Detection.........................................................................................486
•48243 (7) - PHP Version........................................................................................................................................ 487
•10267 (5) - SSH Server Type and Version Information......................................................................................... 488
•10881 (5) - SSH Protocol Versions Supported.......................................................................................................489
•39520 (5) - Backported Security Patch Detection (SSH)....................................................................................... 491
•39521 (5) - Backported Security Patch Detection (WWW).....................................................................................492
•66334 (5) - Patch Report........................................................................................................................................493
•70657 (5) - SSH Algorithms and Languages Supported........................................................................................ 495
•10394 (4) - Microsoft Windows SMB Log In Possible............................................................................................501
•10397 (4) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure....................................................... 502
•10785 (4) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure........................ 503
•11111 (4) - RPC Services Enumeration................................................................................................................. 504
•18261 (4) - Apache Banner Linux Distribution Disclosure......................................................................................505
•10150 (3) - Windows NetBIOS / SMB Remote Host Information Disclosure..........................................................506
•10863 (3) - SSL Certificate Information..................................................................................................................507
•21643 (3) - SSL Cipher Suites Supported..............................................................................................................510
•24786 (3) - Nessus Windows Scan Not Performed with Admin Privileges............................................................ 513
•43111 (3) - HTTP Methods Allowed (per directory)............................................................................................... 514
•45410 (3) - SSL Certificate commonName Mismatch............................................................................................ 515
•51891 (3) - SSL Session Resume Supported........................................................................................................ 516
•56984 (3) - SSL / TLS Versions Supported............................................................................................................517
•57041 (3) - SSL Perfect Forward Secrecy Cipher Suites Supported..................................................................... 518
•58768 (3) - SSL Resume With Different Cipher Issue........................................................................................... 521
•62563 (3) - SSL Compression Methods Supported............................................................................................... 522
•70544 (3) - SSL Cipher Block Chaining Cipher Suites Supported......................................................................... 523
•10092 (2) - FTP Server Detection.......................................................................................................................... 526
•10263 (2) - SMTP Server Detection....................................................................................................................... 527
•10395 (2) - Microsoft Windows SMB Shares Enumeration.................................................................................... 528
•10859 (2) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration............................... 529
•10860 (2) - SMB Use Host SID to Enumerate Local Users................................................................................... 530
•11002 (2) - DNS Server Detection......................................................................................................................... 532
•11154 (2) - Unknown Service Detection: Banner Retrieval....................................................................................533
•11424 (2) - WebDAV Detection.............................................................................................................................. 534
•26917 (2) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry............................ 535
•57323 (2) - OpenSSL Version Detection................................................................................................................536
•10028 (1) - DNS Server BIND version Directive Remote Version Detection..........................................................537
•10185 (1) - POP Server Detection......................................................................................................................... 538
•10223 (1) - RPC portmapper Service Detection.....................................................................................................539
•10281 (1) - Telnet Server Detection....................................................................................................................... 540
•10400 (1) - Microsoft Windows SMB Registry Remotely Accessible..................................................................... 541
•10428 (1) - Microsoft Windows SMB Registry Not Fully Accessible Detection...................................................... 542
•10719 (1) - MySQL Server Detection..................................................................................................................... 543
•10884 (1) - Network Time Protocol (NTP) Server Detection..................................................................................544
•11040 (1) - HTTP Reverse Proxy Detection.......................................................................................................... 545
•11153 (1) - Service Detection (HELP Request)..................................................................................................... 546
•11414 (1) - IMAP Service Banner Retrieval........................................................................................................... 547
•11422 (1) - Web Server Unconfigured - Default Install Page Present................................................................... 548
•13855 (1) - Microsoft Windows Installed Hotfixes.................................................................................................. 549
•14773 (1) - Service Detection: 3 ASCII Digit Code Responses............................................................................. 550
•17651 (1) - Microsoft Windows SMB : Obtains the Password Policy..................................................................... 551
•20108 (1) - Web Server / Application favicon.ico Vendor Fingerprinting................................................................552
•21186 (1) - AJP Connector Detection.................................................................................................................... 553
•21745 (1) - Authentication Failure - Local Checks Not Run...................................................................................554
•25240 (1) - Samba Server Detection......................................................................................................................555
•26024 (1) - PostgreSQL Server Detection..............................................................................................................556
•35371 (1) - DNS Server hostname.bind Map Hostname Disclosure......................................................................557
•39446 (1) - Apache Tomcat Default Error Page Version Detection....................................................................... 558
•39519 (1) - Backported Security Patch Detection (FTP)........................................................................................ 559
•42088 (1) - SMTP Service STARTTLS Command Support................................................................................... 560
•42410 (1) - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure............... 562
•45609 (1) - Internet Cache Protocol (ICP) Version 2 Detection............................................................................. 563
•50845 (1) - OpenSSL Detection............................................................................................................................. 564
•53335 (1) - RPC portmapper (TCP)....................................................................................................................... 565
•53360 (1) - SSL Server Accepts Weak Diffie-Hellman Keys..................................................................................566
•53513 (1) - Link-Local Multicast Name Resolution (LLMNR) Detection................................................................. 567
•60119 (1) - Microsoft Windows SMB Share Permissions Enumeration................................................................. 568
•72779 (1) - DNS Server Version Detection............................................................................................................ 569
Hosts Summary (Executive)
192.168.222.58 Summary
Critical  High  Medium  Low  Info  Total
       1     0      13    3    36     53
Details
Severity Plugin Id Name
Critical (10.0) 33850 Unsupported Unix Operating System
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
Medium (6.4) 57582 SSL Self-Signed Certificate
Medium (5.8) 42880 SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Medium (5.0) 15901 SSL Certificate Expiry
Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection
Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (4.3) 26928 SSL Weak Cipher Suites Supported
Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported
Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
Medium (4.3) 51893 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Medium (4.0) 10882 SSH Protocol Version 1 Session Key Retrieval
Medium (4.0) 35291 SSL Certificate Signed using Weak Hashing Algorithm
Low (2.6) 65821 SSL RC4 Cipher Suites Supported
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10223 RPC portmapper Service Detection
Info 10267 SSH Server Type and Version Information
Info 10287 Traceroute Information
Info 10863 SSL Certificate Information
Info 10881 SSH Protocol Versions Supported
Info 11111 RPC Services Enumeration
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 21643 SSL Cipher Suites Supported
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 43111 HTTP Methods Allowed (per directory)
Info 45410 SSL Certificate commonName Mismatch
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 51891 SSL Session Resume Supported
Info 53335 RPC portmapper (TCP)
Info 53360 SSL Server Accepts Weak Diffie-Hellman Keys
Info 54615 Device Type
Info 56984 SSL / TLS Versions Supported
Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported
Info 58768 SSL Resume With Different Cipher Issue
Info 62563 SSL Compression Methods Supported
Info 66334 Patch Report
Info 70544 SSL Cipher Block Chaining Cipher Suites Supported
Info 70657 SSH Algorithms and Languages Supported
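Plugin 11213 in the table above reports that the web server on this host accepts HTTP TRACE (the Apache default unless TraceEnable off is set). Confirming it by hand is worthwhile because a server can answer TRACE with a 200 and an unrelated page without actually echoing the request, which is what makes TRACE useful to an attacker (reading back headers such as cookies). The following Python is an added example, not part of the report and not Tenable's plugin code: it sends a TRACE request carrying an arbitrary marker header (the header name is my assumption) and counts the method as enabled only when the reply echoes that header back. The two local servers are constructed stand-ins for a misconfigured host and a hardened one; no host from the report is contacted.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER = "X-Trace-Probe"  # assumed, arbitrary header name; a real echo must contain it


def trace_allowed(host, port, timeout=5.0):
    """Return (allowed, status). allowed is True only when the TRACE reply is a 200
    whose body contains our marker header, i.e. the server really echoed the request."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER: "11213-check"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", "replace")
        return (resp.status == 200 and MARKER.lower() in body.lower()), resp.status
    finally:
        conn.close()


class _EchoTrace(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE enabled: echoes the request as message/http."""
    def do_TRACE(self):
        data = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


class _NoTrace(BaseHTTPRequestHandler):
    """Constructed stand-in for a hardened server: no do_TRACE, so the base class answers 501."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):
        pass


def serve(handler):
    """Bind handler to an ephemeral loopback port in a daemon thread; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_both():
    """Probe the enabled and disabled stand-ins; return {label: (allowed, status)}."""
    results = {}
    for label, handler in (("trace_enabled", _EchoTrace), ("trace_disabled", _NoTrace)):
        srv, port = serve(handler)
        try:
            results[label] = trace_allowed("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, (allowed, status) in check_both().items():
        print(f"{label}: TRACE {'ENABLED' if allowed else 'not echoed'} (HTTP {status})")
```

Against a scan target you would call trace_allowed(host, 80) directly. Requiring the marker to come back, rather than trusting the status code alone, is what separates a real finding from a server that simply returns its index page for any method.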
192.168.222.59 Summary
Critical  High  Medium  Low  Info  Total
       1     0       2    2    22     27
Details
Severity Plugin Id Name
Critical (10.0) 33850 Unsupported Unix Operating System
Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10267 SSH Server Type and Version Information
Info 10287 Traceroute Information
Info 10881 SSH Protocol Versions Supported
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 54615 Device Type
Info 66334 Patch Report
Info 70657 SSH Algorithms and Languages Supported
192.168.222.60
Summary
Critical High Medium Low Info Total
4 3 12 6 59 84
Details
Severity Plugin Id Name
Critical (10.0) 25216 Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
Critical (10.0) 32314 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Critical (10.0) 33850 Unsupported Unix Operating System
Critical (10.0) 34970 Apache Tomcat Manager Common Administrative Credentials
High (7.8) 55976 Apache HTTP Server Byte Range DoS
High (7.5) 34460 Unsupported Web Server Detection
High (7.5) 42411 Microsoft Windows SMB Shares Unprivileged Access
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
Medium (6.4) 57582 SSL Self-Signed Certificate
Medium (5.8) 42880 SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Medium (5.0) 15901 SSL Certificate Expiry
Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection
Medium (5.0) 57608 SMB Signing Required
Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (4.3) 26928 SSL Weak Cipher Suites Supported
Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported
Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Medium (4.0) 52611 SMTP Service STARTTLS Plaintext Command Injection
Low (2.6) 31705 SSL Anonymous Cipher Suites Supported
Low (2.6) 34324 FTP Supports Clear Text Authentication
Low (2.6) 42263 Unencrypted Telnet Server
Low (2.6) 65821 SSL RC4 Cipher Suites Supported
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10028 DNS Server BIND version Directive Remote Version Detection
Info 10092 FTP Server Detection
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10263 SMTP Server Detection
Info 10267 SSH Server Type and Version Information
Info 10281 Telnet Server Detection
Info 10287 Traceroute Information
Info 10394 Microsoft Windows SMB Log In Possible
Info 10395 Microsoft Windows SMB Shares Enumeration
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10719 MySQL Server Detection
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Info 10859 Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Info 10860 SMB Use Host SID to Enumerate Local Users
Info 10863 SSL Certificate Information
Info 10881 SSH Protocol Versions Supported
Info 11002 DNS Server Detection
Info 11011 Microsoft Windows SMB Service Detection
Info 11153 Service Detection (HELP Request)
Info 11219 Nessus SYN scanner
Info 11422 Web Server Unconfigured - Default Install Page Present
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 17651 Microsoft Windows SMB : Obtains the Password Policy
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 20108 Web Server / Application favicon.ico Vendor Fingerprinting
Info 21186 AJP Connector Detection
Info 21643 SSL Cipher Suites Supported
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 25240 Samba Server Detection
Info 26024 PostgreSQL Server Detection
Info 35371 DNS Server hostname.bind Map Hostname Disclosure
Info 35716 Ethernet Card Manufacturer Detection
Info 39446 Apache Tomcat Default Error Page Version Detection
Info 39519 Backported Security Patch Detection (FTP)
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 42088 SMTP Service STARTTLS Command Support
Info 42410 Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure
Info 43111 HTTP Methods Allowed (per directory)
Info 45410 SSL Certificate commonName Mismatch
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 51891 SSL Session Resume Supported
Info 54615 Device Type
Info 56984 SSL / TLS Versions Supported
Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported
Info 58768 SSL Resume With Different Cipher Issue
Info 60119 Microsoft Windows SMB Share Permissions Enumeration
Info 62563 SSL Compression Methods Supported
Info 66334 Patch Report
Info 70544 SSL Cipher Block Chaining Cipher Suites Supported
Info 70657 SSH Algorithms and Languages Supported
Info 72779 DNS Server Version Detection
192.168.222.61
Summary
Critical High Medium Low Info Total
0 0 0 2 19 21
Details
Severity Plugin Id Name
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10267 SSH Server Type and Version Information
Info 10287 Traceroute Information
Info 10881 SSH Protocol Versions Supported
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 39520 Backported Security Patch Detection (SSH)
Info 43111 HTTP Methods Allowed (per directory)
Info 45590 Common Platform Enumeration (CPE)
Info 54615 Device Type
Info 70657 SSH Algorithms and Languages Supported
192.168.222.62
Summary
Critical High Medium Low Info Total
0 0 0 0 15 15
Details
Severity Plugin Id Name
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10287 Traceroute Information
Info 11154 Unknown Service Detection: Banner Retrieval
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 45590 Common Platform Enumeration (CPE)
Info 54615 Device Type
192.168.222.63
Summary
Critical High Medium Low Info Total
5 1 4 0 26 36
Details
Severity Plugin Id Name
Critical (10.0) 18502 MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
Critical (10.0) 22194 MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
Critical (10.0) 34477 MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
Critical (10.0) 35362 MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
Critical (10.0) 73182 Microsoft Windows XP Unsupported Installation Detection
High (7.5) 22034 MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
Medium (6.5) 20928 MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)
Medium (5.0) 26919 Microsoft Windows SMB Guest Account Local User Access
Medium (5.0) 26920 Microsoft Windows SMB NULL Session Authentication
Medium (5.0) 57608 SMB Signing Required
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure
Info 10287 Traceroute Information
Info 10394 Microsoft Windows SMB Log In Possible
Info 10395 Microsoft Windows SMB Shares Enumeration
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10400 Microsoft Windows SMB Registry Remotely Accessible
Info 10428 Microsoft Windows SMB Registry Not Fully Accessible Detection
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Info 10859 Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Info 10860 SMB Use Host SID to Enumerate Local Users
Info 10884 Network Time Protocol (NTP) Server Detection
Info 11011 Microsoft Windows SMB Service Detection
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 13855 Microsoft Windows Installed Hotfixes
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 21745 Authentication Failure - Local Checks Not Run
Info 24786 Nessus Windows Scan Not Performed with Admin Privileges
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 45590 Common Platform Enumeration (CPE)
Info 54615 Device Type
Info 66334 Patch Report
192.168.222.64
Summary
Critical High Medium Low Info Total
3 12 30 3 42 90
Details
Severity Plugin Id Name
Critical (10.0) 45004 Apache 2.2 < 2.2.15 Multiple Vulnerabilities
Critical (10.0) 53514 MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)
Critical (10.0) 60085 PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
High (9.3) 67259 PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
High (8.5) 59529 PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
High (8.3) 58988 PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
High (8.3) 59056 PHP 5.3.x < 5.3.13 CGI Query String Code Execution
High (7.5) 10081 FTP Privileged Port Bounce Scan
High (7.5) 48245 PHP 5.3 < 5.3.3 Multiple Vulnerabilities
High (7.5) 51140 PHP 5.3 < 5.3.4 Multiple Vulnerabilities
High (7.5) 52717 PHP 5.3 < 5.3.6 Multiple Vulnerabilities
High (7.5) 55925 PHP 5.3 < 5.3.7 Multiple Vulnerabilities
High (7.5) 57537 PHP < 5.3.9 Multiple Vulnerabilities
High (7.5) 58966 PHP < 5.3.11 Multiple Vulnerabilities
High (7.5) 66842 PHP 5.3.x < 5.3.26 Multiple Vulnerabilities
Medium (6.9) 62101 Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Medium (6.8) 71426 PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
Medium (6.4) 44921 PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
Medium (6.4) 57582 SSL Self-Signed Certificate
Medium (5.1) 68915 Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Medium (5.0) 10073 Finger Recursive Request Arbitrary Site Redirection
Medium (5.0) 10079 Anonymous FTP Enabled
Medium (5.0) 10677 Apache mod_status /server-status Information Disclosure
Medium (5.0) 10678 Apache mod_info /server-info Information Disclosure
Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection
Medium (5.0) 45411 SSL Certificate with Wrong Hostname
Medium (5.0) 48205 Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Medium (5.0) 50070 Apache 2.2 < 2.2.17 Multiple Vulnerabilities
Medium (5.0) 51439 PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Medium (5.0) 57608 SMB Signing Required
Medium (5.0) 57791 Apache 2.2 < 2.2.22 Multiple Vulnerabilities
Medium (5.0) 73289 PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (4.3) 26928 SSL Weak Cipher Suites Supported
Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported
Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
Medium (4.3) 53896 Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Medium (4.3) 56216 Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Medium (4.3) 62565 Transport Layer Security (TLS) Protocol CRIME Vulnerability
Medium (4.3) 64912 Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Medium (4.3) 64992 PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Medium (4.3) 66584 PHP 5.3.x < 5.3.23 Information Disclosure
Medium (4.3) 73405 Apache 2.2 < 2.2.27 Multiple Vulnerabilities
Low (2.6) 15855 POP3 Cleartext Logins Permitted
Low (2.6) 34324 FTP Supports Clear Text Authentication
Low (2.6) 65821 SSL RC4 Cipher Suites Supported
Info 10092 FTP Server Detection
Info 10107 HTTP Server Type and Version
Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure
Info 10185 POP Server Detection
Info 10263 SMTP Server Detection
Info 10287 Traceroute Information
Info 10394 Microsoft Windows SMB Log In Possible
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10736 DCE Services Enumeration
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Info 10863 SSL Certificate Information
Info 11011 Microsoft Windows SMB Service Detection
Info 11154 Unknown Service Detection: Banner Retrieval
Info 11219 Nessus SYN scanner
Info 11414 IMAP Service Banner Retrieval
Info 11424 WebDAV Detection
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 14773 Service Detection: 3 ASCII Digit Code Responses
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 21643 SSL Cipher Suites Supported
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 24786 Nessus Windows Scan Not Performed with Admin Privileges
Info 25220 TCP/IP Timestamps Supported
Info 26917 Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Info 35716 Ethernet Card Manufacturer Detection
Info 45410 SSL Certificate commonName Mismatch
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 50845 OpenSSL Detection
Info 51891 SSL Session Resume Supported
Info 53513 Link-Local Multicast Name Resolution (LLMNR) Detection
Info 54615 Device Type
Info 56984 SSL / TLS Versions Supported
Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported
Info 57323 OpenSSL Version Detection
Info 58768 SSL Resume With Different Cipher Issue
Info 62563 SSL Compression Methods Supported
Info 66334 Patch Report
Info 70544 SSL Cipher Block Chaining Cipher Suites Supported
192.168.222.65
Summary
Critical High Medium Low Info Total
0 0 2 0 19 21
Details
Severity Plugin Id Name
Medium (5.0) 26920 Microsoft Windows SMB NULL Session Authentication
Medium (5.0) 57608 SMB Signing Required
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure
Info 10287 Traceroute Information
Info 10394 Microsoft Windows SMB Log In Possible
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10736 DCE Services Enumeration
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Info 11011 Microsoft Windows SMB Service Detection
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 24786 Nessus Windows Scan Not Performed with Admin Privileges
Info 25220 TCP/IP Timestamps Supported
Info 26917 Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Info 35716 Ethernet Card Manufacturer Detection
Info 45590 Common Platform Enumeration (CPE)
Info 54615 Device Type
192.168.222.100
Summary
Critical High Medium Low Info Total
0 0 0 0 16 16
Details
Severity Plugin Id Name
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10287 Traceroute Information
Info 11040 HTTP Reverse Proxy Detection
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 45590 Common Platform Enumeration (CPE)
Info 45609 Internet Cache Protocol (ICP) Version 2 Detection
Info 54615 Device Type
192.168.222.154
Summary
Critical High Medium Low Info Total
0 0 0 2 21 23
Details
Severity Plugin Id Name
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10267 SSH Server Type and Version Information
Info 10287 Traceroute Information
Info 10881 SSH Protocol Versions Supported
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 54615 Device Type
Info 70657 SSH Algorithms and Languages Supported
Vulnerabilities By Host
192.168.222.58
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:17:42 2014
Host Information
DNS Name: kioptrix2lc.penlab.lan
IP: 192.168.222.58
MAC Address: 00:50:56:9d:39:15
OS: Linux Kernel 2.6 on CentOS release 4
Results Summary
Critical High Medium Low Info Total
1 0 15 3 54 73
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -21429 seconds.
0/tcp
33850 - Unsupported Unix Operating System
Synopsis
The remote host is running an obsolete operating system.
Description
According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider. Lack of support implies that no new security patches will be released for it.
Solution
Upgrade to a newer version.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2008/08/08, Modification date: 2014/05/07
Ports
tcp/0
CentOS release 4 support ended on 2012-02-29.
Upgrade to CentOS 6 / 5.
For more information, see : http://www.nessus.org/u?b549f616
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.58 resolves as kioptrix2lc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
18261 - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Ports
tcp/0
The linux distribution detected was :
- CentOS 4
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified :
00:50:56:9d:39:15 : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Linux Kernel 2.6 on CentOS release 4
Confidence Level : 95
Method : HTTP

The remote host is running Linux Kernel 2.6 on CentOS release 4
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPE :
cpe:/o:centos:centos:4 -> CentOS-4

Following application CPE's matched on the remote system :
cpe:/a:php:php:4.3.9 -> PHP PHP 4.3.9
cpe:/a:apache:http_server:2.0.52 -> Apache Software Foundation Apache HTTP Server 2.0.52
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0
. You need to take the following 2 actions :

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).

[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 534 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.58 :
192.168.222.35
192.168.222.58
22/tcp
10882 - SSH Protocol Version 1 Session Key Retrieval
Synopsis
The remote service offers an insecure cryptographic protocol.
Description
The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used.
Solution
Disable compatibility with version 1 of the protocol.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 2344
CVE CVE-2001-0361
CVE CVE-2001-0572
CVE CVE-2001-1473
XREF OSVDB:2116
XREF CWE:310
Plugin Information:
Publication date: 2002/03/06, Modification date: 2011/11/14
Ports
tcp/22
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22
The following client-to-server Method Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receivesan HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22
SSH version : SSH-1.99-OpenSSH_3.9p1
SSH supported authentication : publickey,gssapi-with-mic,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22
Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :
ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96

The server supports the following options for mac_algorithms_server_to_client :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96

The server supports the following options for compression_algorithms_client_to_server :
none
zlib

The server supports the following options for compression_algorithms_server_to_client :
none
zlib
10881 - SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Portstcp/22
The remote SSH daemon supports the following versions of theSSH protocol : - 1.33 - 1.5 - 1.99 - 2.0 SSHv1 host key fingerprint : 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72SSHv2 host key fingerprint : 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22
Give Nessus credentials to perform local checks.
80/tcp
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/80
To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/80
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :

Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

Date: Thu, 08 May 2014 23:08:46 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Content-Length: 667
Connection: close
Content-Type: text/html; charset=UTF-8
48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80
Nessus was able to identify the following PHP version information :

Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/80
Give Nessus credentials to perform local checks.
111/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/111
Port 111/tcp was found to be open
53335 - RPC portmapper (TCP)
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/04/08, Modification date: 2011/08/29
Ports
tcp/111
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/08/24, Modification date: 2011/05/24
Ports
tcp/111
The following RPC services are available on TCP port 111 :
- program: 100000 (portmapper), version: 2
111/udp
10223 - RPC portmapper Service Detection
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
References
CVE CVE-1999-0632
Plugin Information:
Publication date: 1999/08/19, Modification date: 2014/02/19
Ports
udp/111
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/08/24, Modification date: 2011/05/24
Ports
udp/111
The following RPC services are available on UDP port 111 :
- program: 100000 (portmapper), version: 2
443/tcp
15901 - SSL Certificate Expiry
Synopsis
The remote server's SSL certificate has already expired.
Description
This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2004/12/03, Modification date: 2013/10/18
Ports
tcp/443
The SSL certificate has already expired :

Subject : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain, [email protected]
Issuer : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain, [email protected]
Not valid before : Oct 8 00:10:47 2009 GMT
Not valid after : Oct 8 00:10:47 2010 GMT
42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
The remote service allows insecure renegotiation of TLS / SSL connections.
Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Solution
Contact the vendor for specific patch information.
Risk Factor
Medium
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score
5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
References
BID 36935
CVE CVE-2009-3555
XREF OSVDB:59968
XREF OSVDB:59969
XREF OSVDB:59970
XREF OSVDB:59971
XREF OSVDB:59972
XREF OSVDB:59973
XREF OSVDB:59974
XREF OSVDB:60366
XREF OSVDB:60521
XREF OSVDB:61234
XREF OSVDB:61718
XREF OSVDB:61784
XREF OSVDB:61785
XREF OSVDB:61929
XREF OSVDB:62064
XREF OSVDB:62135
XREF OSVDB:62210
XREF OSVDB:62273
XREF OSVDB:62536
XREF OSVDB:62877
XREF OSVDB:64040
XREF OSVDB:64499
XREF OSVDB:64725
XREF OSVDB:65202
XREF OSVDB:66315
XREF OSVDB:67029
XREF OSVDB:69032
XREF OSVDB:69561
XREF OSVDB:70055
XREF OSVDB:70620
XREF OSVDB:71951
XREF OSVDB:71961
XREF OSVDB:74335
XREF OSVDB:75622
XREF OSVDB:77832
XREF OSVDB:90597
XREF OSVDB:99240
XREF OSVDB:100172
XREF OSVDB:104575
XREF OSVDB:104796
XREF CERT:120541
XREF CWE:310
Plugin Information:
Publication date: 2009/11/24, Modification date: 2014/03/25
Ports
tcp/443
TLSv1 supports insecure renegotiation.
SSLv3 supports insecure renegotiation.
35291 - SSL Certificate Signed using Weak Hashing Algorithm
Synopsis
An SSL certificate in the certificate chain has been signed using a weak hash algorithm.
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow the attacker to masquerade as the affected service. Note that certificates in the chain that are contained in the Nessus CA database have been ignored.
See Also
http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://technet.microsoft.com/en-us/security/advisory/961509
Solution
Contact the Certificate Authority to have the certificate reissued.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 11849
BID 33065
CVE CVE-2004-2761
XREF OSVDB:45106
XREF OSVDB:45108
XREF OSVDB:45127
XREF CERT:836068
XREF CWE:310
Plugin Information:
Publication date: 2009/01/05, Modification date: 2014/01/14
Ports
tcp/443
The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Signature Algorithm : MD5 With RSA Encryption
57582 - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2012/01/17, Modification date: 2012/10/25
Ports
tcp/443
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
51192 - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2010/12/15, Modification date: 2014/02/27
Ports
tcp/443
The following certificate was part of the certificate chain sent by the remote host, but has expired :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Not After : Oct 08 00:10:47 2010 GMT

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Issuer : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/443
To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/443
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
20007 - SSL Version 2 (v2) Protocol Detection
Synopsis
The remote service encrypts traffic using a protocol with known weaknesses.
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See Also
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2005-2969
Plugin Information:
Publication date: 2005/10/12, Modification date: 2013/01/25
Ports
tcp/443
26928 - SSL Weak Cipher Suites Supported
Synopsis
The remote service supports the use of weak SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application, if possible, to avoid the use of weak ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
XREF CWE:327
XREF CWE:326
XREF CWE:753
XREF CWE:803
XREF CWE:720
Plugin Information:
Publication date: 2007/10/08, Modification date: 2013/08/30
Ports
tcp/443
Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
42873 - SSL Medium Strength Cipher Suites Supported
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Ports
tcp/443
Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51893 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue
Synopsis
The remote host allows the resumption of SSL sessions with a disabled cipher.
Description
The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a session. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a disabled cipher chosen by the attacker.
Solution
Upgrade to OpenSSL 0.9.8j or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.2 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45254
CVE CVE-2008-7270
XREF OSVDB:69655
Plugin Information:
Publication date: 2011/02/07, Modification date: 2012/04/17
Ports
tcp/443
The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : e413ac52fff8366b0ae7dc1b241ed8baf75bd2a2cd4f40e600e72479c9f94cae
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_KRB5_RC4_40_SHA (0x0028)
51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
Synopsis
The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.
Description
The version of OpenSSL on the remote host has been shown to allow resuming a session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker. Note that other SSL implementations may also be affected by this vulnerability.
See Also
http://openssl.org/news/secadv_20101202.txt
Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45164
CVE CVE-2010-4180
XREF OSVDB:69565
Plugin Information:
Publication date: 2011/02/07, Modification date: 2014/01/27
Ports
tcp/443
The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
65821 - SSL RC4 Cipher Suites Supported
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 58796
CVE CVE-2013-2566
XREF OSVDB:91162
Plugin Information:
Publication date: 2013/04/05, Modification date: 2014/02/27
Ports
tcp/443
Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

High Strength Ciphers (>= 112-bit key)

SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
11219 - Nessus SYN scannerSynopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/443
Port 443/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/443
A TLSv1 server answered on this port.
tcp/443
A web server is running on this port through TLSv1.
56984 - SSL / TLS Versions Supported
Synopsis
The remote service encrypts communications.
Description
This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/01, Modification date: 2014/04/14
Ports
tcp/443
This port supports SSLv2/SSLv3/TLSv1.0.
10863 - SSL Certificate Information
Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2008/05/19, Modification date: 2012/04/02
Ports
tcp/443
Subject Name:
Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: [email protected]
Issuer Name:
Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: [email protected]
Serial Number: 00
Version: 3
Signature Algorithm: MD5 With RSA Encryption
Not Valid Before: Oct 08 00:10:47 2009 GMT
Not Valid After: Oct 08 00:10:47 2010 GMT
Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01
Signature Length: 128 bytes / 1024 bits
Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60
Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60
Serial Number: 82 01 00
Extension: Basic Constraints (2.5.29.19)
Critical: [...]
62563 - SSL Compression Methods Supported
Synopsis
The remote service supports one or more compression methods for SSL connections.
Description
This script detects which compression methods are supported by the remote service for SSL connections.
See Also
http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml
http://tools.ietf.org/html/rfc3749
http://tools.ietf.org/html/rfc3943
http://tools.ietf.org/html/rfc5246
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/10/16, Modification date: 2013/10/18
Ports
tcp/443
Nessus was able to confirm that the following compression method is supported by the target : NULL (0x00)
53360 - SSL Server Accepts Weak Diffie-Hellman Keys
Synopsis
The remote SSL/TLS server accepts a weak Diffie-Hellman public value.
Description
The remote SSL/TLS server accepts a weak Diffie-Hellman (DH) public key value. This flaw may aid an attacker in conducting a man-in-the-middle (MiTM) attack against the remote server, since it could enable a forced calculation of a fully predictable Diffie-Hellman secret. By itself, this flaw is not sufficient to set up a MiTM attack (hence a risk factor of 'none'), as it would require some SSL implementation flaws to affect one of the clients connecting to the remote host.
See Also
http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
http://polarssl.org/trac/wiki/SecurityAdvisory201101
Solution
OpenSSL is affected when compiled in FIPS mode. To resolve this issue, either upgrade to OpenSSL 1.0.0, disable FIPS mode or configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges. PolarSSL is affected. To resolve this issue, upgrade to version 0.99-pre3 / 0.14.2 or higher. If using any other SSL implementation, configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges or contact your vendor for a patch.
Risk Factor
None
References
XREF OSVDB:70945
XREF OSVDB:71845
Plugin Information:
Publication date: 2011/04/11, Modification date: 2014/01/19
Ports
tcp/443
It was possible to complete a full SSL handshake by sending a DH key with a value of 1.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/443
The remote web server type is : Apache/2.0.52 (CentOS)
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/443
Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :
Date: Thu, 08 May 2014 23:08:47 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Content-Length: 667
Connection: close
Content-Type: text/html; charset=UTF-8
48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/443
Nessus was able to identify the following PHP version information :
Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9
45410 - SSL Certificate commonName Mismatch
Synopsis
The SSL certificate commonName does not match the host name.
Description
This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/03, Modification date: 2012/09/30
Ports
tcp/443
The host name known by Nessus is : kioptrix2lc.penlab.lan
The Common Name in the certificate is : localhost.localdomain
21643 - SSL Cipher Suites Supported
Synopsis
The remote service encrypts communications using SSL.
Description
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/06/05, Modification date: 2014/01/15
Ports
tcp/443
Here is the list of SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
  EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
  DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
  RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
SSLv3
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv2
  DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC [...]
57041 - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/07, Modification date: 2012/04/02
Ports
tcp/443
Here is the list of SSL PFS ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv3
  EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
  DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
  DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
70544 - SSL Cipher Block Chaining Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones.
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://www.nessus.org/u?cc4a822a
http://www.openssl.org/~bodo/tls-cbc.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/22, Modification date: 2013/10/22
Ports
tcp/443
Here is the list of SSL CBC ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
  DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
SSLv3
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
  DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv2
  DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
  RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5
TLSv1
  EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
  DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
  DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
  DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 [...]
51891 - SSL Session Resume Supported
Synopsis
The remote host allows resuming SSL sessions.
Description
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/02/07, Modification date: 2013/10/18
Ports
tcp/443
This port supports resuming TLSv1 / SSLv3 sessions.
58768 - SSL Resume With Different Cipher Issue
Synopsis
The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.
Description
The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to manipulate the session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/04/17, Modification date: 2012/04/17
Ports
tcp/443
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
The server allowed the following session over TLSv1 to be resumed as follows :
Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/443
Give Nessus credentials to perform local checks.
631/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/631
Port 631/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/631
A web server is running on this port.
43111 - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Ports
tcp/631
Based on the response to an OPTIONS request :
- HTTP methods HEAD OPTIONS POST PUT GET are allowed on : /
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/631
The remote web server type is : CUPS/1.1
735/udp
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/08/24, Modification date: 2011/05/24
Ports
udp/735
The following RPC services are available on UDP port 735 :
- program: 100024 (status), version: 1
738/tcp
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/08/24, Modification date: 2011/05/24
Ports
tcp/738
The following RPC services are available on TCP port 738 :
- program: 100024 (status), version: 1
3306/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3306
Port 3306/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/3306
A MySQL server is running on this port.
192.168.222.59
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:14:32 2014
Host Information
DNS Name: kioptrix3lc.penlab.lan
IP: 192.168.222.59
MAC Address: 00:50:56:9d:0b:07
OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Results Summary
Critical High Medium Low Info Total
1 0 2 2 24 29
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7098 seconds.
0/tcp
33850 - Unsupported Unix Operating System
Synopsis
The remote host is running an obsolete operating system.
Description
According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider. Lack of support implies that no new security patches will be released for it.
Solution
Upgrade to a newer version.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2008/08/08, Modification date: 2014/05/07
Ports
tcp/0
Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.
For more information, see : https://wiki.ubuntu.com/Releases
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.59 resolves as kioptrix3lc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each Ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified :
00:50:56:9d:0b:07 : VMware, Inc.
18261 - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Ports
tcp/0
The linux distribution detected was :
- Ubuntu 8.04 (gutsy)
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:8.04
Following application CPE's matched on the remote system :
cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0
You need to take the following action :
[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :
Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 344 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.59 :
192.168.222.35
192.168.222.59
22/tcp
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22
The following client-to-server Message Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96
The following server-to-client Message Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22
SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
SSH supported authentication : publickey,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms :
  diffie-hellman-group-exchange-sha1
  diffie-hellman-group-exchange-sha256
  diffie-hellman-group1-sha1
  diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms :
  ssh-dss
  ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server :
  3des-cbc
  aes128-cbc
  aes128-ctr
  aes192-cbc
  aes192-ctr
  aes256-cbc
  aes256-ctr
  arcfour
  arcfour128
  arcfour256
  blowfish-cbc
  cast128-cbc
  [email protected]
The server supports the following options for encryption_algorithms_server_to_client :
  3des-cbc
  aes128-cbc
  aes128-ctr
  aes192-cbc
  aes192-ctr
  aes256-cbc
  aes256-ctr
  arcfour
  arcfour128
  arcfour256
  blowfish-cbc
  cast128-cbc
  [email protected]
The server supports the following options for mac_algorithms_client_to_server :
  hmac-md5
  hmac-md5-96
  hmac-ripemd160
  [email protected]
  hmac-sha1
  hmac-sha1-96
  [email protected]
The server supports the following options for mac_algorithms_server_to_client :
  hmac-md5
  hmac-md5-96
  hmac-ripemd160
  [email protected]
  hmac-sha1
  hmac-sha1-96
  [email protected]
The server supports the following options for compression_algorithms_client_to_server :
  none
  [email protected]
The server supports the following options for compression_algorithms_server_to_client :
  none
  [email protected]
10881 - SSH Protocol Versions Supported
Synopsis
An SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the SSH protocol :
  - 1.99
  - 2.0
SSHv2 host key fingerprint : 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22
Give Nessus credentials to perform local checks.
80/tcp
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/80
To disable these methods, add the following lines for each virtual host in your configuration file :
  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus1953681729.html HTTP/1.1
Connection: Close
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:09:57 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1953681729.html HTTP/1.1
Connection: Keep-Alive
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/80
Nessus verified this by sending a request with a long Cookie header :
GET / HTTP/1.1
Host: kioptrix3lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :
  Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
  Date: Thu, 08 May 2014 19:09:53 GMT
  Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
  X-Powered-By: PHP/5.2.4-2ubuntu5.6
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Content-Length: 1819
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html
48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80
Nessus was able to identify the following PHP version information :
  Version : 5.2.4-2ubuntu5.6
  Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/80
Give Nessus credentials to perform local checks.
192.168.222.60
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:19:36 2014
Host Information
DNS Name: metasploitable1lc.penlab.lan
Netbios Name: METASPLOITABLE
IP: 192.168.222.60
MAC Address: 00:50:56:9d:70:0f
OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Results Summary
Critical High Medium Low Info Total
4 3 12 6 78 103
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7247 seconds.
0/tcp
33850 - Unsupported Unix Operating System
Synopsis
The remote host is running an obsolete operating system.
Description
According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider.
Lack of support implies that no new security patches will be released for it.
Solution
Upgrade to a newer version.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2008/08/08, Modification date: 2014/05/07
Ports
tcp/0
Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.
For more information, see : https://wiki.ubuntu.com/Releases
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.60 resolves as metasploitable1lc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
18261 - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Ports
tcp/0
The linux distribution detected was :
  - Ubuntu 8.04 (gutsy)
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified :
  00:50:56:9d:70:0f : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH

Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to [email protected]. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names.

SinFP:
  P1:B10113:F0x12:W5840:O0204ffff:M1334:
  P2:B10113:F0x12:W5792:O0204ffff0402080affffffff4445414401030304:M1334:
  P3:B10120:F0x04:W0:O0:M0
  P4:5206_7_p=8009
SMTP:!:220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
SSLcert:!:i/CN:ubuntu804-base.localdomain
i/O:OCOSA
i/OU:Office for Complication of Otherwise Simple Affairs
s/CN:ubuntu804-base.localdomain
s/O:OCOSA
s/OU:Office for Complication of Otherwise Simple Affairs
ed093088706603bfd5dc237399b498da2d4d31c6
SSH:SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPE :
  cpe:/o:canonical:ubuntu_linux:8.04
Following application CPE's matched on the remote system :
  cpe:/a:php:php:5.2.4 -> PHP 5.2.4
  cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
  cpe:/a:samba:samba:3.0.20 -> Samba 3.0.20
  cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
  cpe:/a:isc:bind:9.4.
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0
You need to take the following 4 actions:

[ Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow (25216) ]
+ Action to take: Upgrade to Samba version 3.0.25 or later.

[ Apache Tomcat Manager Common Administrative Credentials (34970) ]
+ Action to take: Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
+ Impact: Taking this action will resolve 4 different vulnerabilities (CVEs).

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.
+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :
Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 648 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.60 :
192.168.222.35
192.168.222.60
21/tcp
34324 - FTP Supports Clear Text Authentication
Synopsis
Authentication credentials might be intercepted.
Description
The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.
Solution
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
XREF CWE:522
XREF CWE:523
Plugin Information:
Publication date: 2008/10/01, Modification date: 2013/01/25
Ports
tcp/21
This FTP server does not support 'AUTH TLS'.
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/21
Port 21/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/21
An FTP server is running on this port.
10092 - FTP Server Detection
Synopsis
An FTP server is listening on this port.
Description
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/02/24
Ports
tcp/21
The remote FTP banner is :
220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.222.60]
39519 - Backported Security Patch Detection (FTP)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote FTP server without changing its version number. Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/21
Give Nessus credentials to perform local checks.
22/tcp
32314 - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Synopsis
The remote SSH host keys are weak.
Description
The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use this to decipher the remote session or set up a man in the middle attack.
See Also
http://www.nessus.org/u?5d01bdab
http://www.nessus.org/u?f14f4224
Solution
Consider all cryptographic material generated on the remote host to be guessable. In particular, all SSH, SSL and OpenVPN key material should be re-generated.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 29179
CVE CVE-2008-0166
XREF OSVDB:45029
XREF CWE:310
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2008/05/14, Modification date: 2011/03/21
Ports
tcp/22
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22
The following client-to-server Message Authentication Code (MAC) algorithms are supported :
  hmac-md5
  hmac-md5-96
  hmac-sha1-96
The following server-to-client Message Authentication Code (MAC) algorithms are supported :
  hmac-md5
  hmac-md5-96
  hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22
SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
SSH supported authentication : publickey,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms :
  diffie-hellman-group-exchange-sha1
  diffie-hellman-group-exchange-sha256
  diffie-hellman-group1-sha1
  diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms :
  ssh-dss
  ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server :
  3des-cbc
  aes128-cbc
  aes128-ctr
  aes192-cbc
  aes192-ctr
  aes256-cbc
  aes256-ctr
  arcfour
  arcfour128
  arcfour256
  blowfish-cbc
  cast128-cbc
  [email protected]
The server supports the following options for encryption_algorithms_server_to_client :
  3des-cbc
  aes128-cbc
  aes128-ctr
  aes192-cbc
  aes192-ctr
  aes256-cbc
  aes256-ctr
  arcfour
  arcfour128
  arcfour256
  blowfish-cbc
  cast128-cbc
  [email protected]
The server supports the following options for mac_algorithms_client_to_server :
  hmac-md5
  hmac-md5-96
  hmac-ripemd160
  [email protected]
  hmac-sha1
  hmac-sha1-96
  [email protected]
The server supports the following options for mac_algorithms_server_to_client :
  hmac-md5
  hmac-md5-96
  hmac-ripemd160
  [email protected]
  hmac-sha1
  hmac-sha1-96
  [email protected]
The server supports the following options for compression_algorithms_client_to_server :
  none
  [email protected]
The server supports the following options for compression_algorithms_server_to_client :
  none
  [email protected]
10881 - SSH Protocol Versions Supported
Synopsis
An SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the SSH protocol :
  - 1.99
  - 2.0
SSHv2 host key fingerprint : 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22
Give Nessus credentials to perform local checks.
23/tcp
42263 - Unencrypted Telnet Server
Synopsis
The remote Telnet server transmits traffic in cleartext.
Description
The remote host is running a Telnet server over an unencrypted channel.
Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information.
Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session.
Solution
Disable this service and use SSH instead.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/10/27, Modification date: 2014/01/07
Ports
tcp/23
Nessus collected the following banner from the remote Telnet server :
------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/23
Port 23/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/23
A telnet server is running on this port.
10281 - Telnet Server Detection
Synopsis
A Telnet server is listening on the remote port.
Description
The remote host is running a Telnet server, a remote terminal server.
Solution
Disable this service if you do not use it.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/01/29
Ports
tcp/23
Here is the banner from the remote Telnet server :
------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------
25/tcp
52611 - SMTP Service STARTTLS Plaintext Command Injection
Synopsis
The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.
Description
The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.
Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.
See Also
http://tools.ietf.org/html/rfc2487
http://www.securityfocus.com/archive/1/516901/30/0/threaded
Solution
Contact the vendor to see if an update is available.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 46767
CVE CVE-2011-0411
CVE CVE-2011-1430
CVE CVE-2011-1431
CVE CVE-2011-1432
CVE CVE-2011-1506
CVE CVE-2011-2165
XREF OSVDB:71020
XREF OSVDB:71021
XREF OSVDB:71854
XREF OSVDB:71946
XREF OSVDB:73251
XREF OSVDB:75014
XREF OSVDB:75256
XREF CERT:555316
Plugin Information:
Publication date: 2011/03/10, Modification date: 2012/06/14
Ports
tcp/25
Nessus sent the following two commands in a single packet :
STARTTLS\r\nRSET\r\n
And the server sent the following two responses :
220 2.0.0 Ready to start TLS
250 2.0.0 Ok
15901 - SSL Certificate Expiry
Synopsis
The remote server's SSL certificate has already expired.
Description
This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2004/12/03, Modification date: 2013/10/18
Ports
tcp/25
The SSL certificate has already expired :
Subject : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA, OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain, emailAddress=root@ubuntu804-base.localdomain
Issuer : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA, OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain, emailAddress=root@ubuntu804-base.localdomain
Not valid before : Mar 17 14:07:45 2010 GMT
Not valid after : Apr 16 14:07:45 2010 GMT
42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
The remote service allows insecure renegotiation of TLS / SSL connections.
Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake.
An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Solution
Contact the vendor for specific patch information.
Risk Factor
Medium
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score
5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
References
BID 36935
CVE CVE-2009-3555
XREF OSVDB:59968
XREF OSVDB:59969
XREF OSVDB:59970
XREF OSVDB:59971
XREF OSVDB:59972
XREF OSVDB:59973
XREF OSVDB:59974
XREF OSVDB:60366
XREF OSVDB:60521
XREF OSVDB:61234
XREF OSVDB:61718
XREF OSVDB:61784
XREF OSVDB:61785
XREF OSVDB:61929
XREF OSVDB:62064
XREF OSVDB:62135
XREF OSVDB:62210
XREF OSVDB:62273
XREF OSVDB:62536
XREF OSVDB:62877
XREF OSVDB:64040
XREF OSVDB:64499
XREF OSVDB:64725
XREF OSVDB:65202
XREF OSVDB:66315
XREF OSVDB:67029
XREF OSVDB:69032
XREF OSVDB:69561
XREF OSVDB:70055
XREF OSVDB:70620
XREF OSVDB:71951
XREF OSVDB:71961
XREF OSVDB:74335
XREF OSVDB:75622
XREF OSVDB:77832
XREF OSVDB:90597
XREF OSVDB:99240
XREF OSVDB:100172
XREF OSVDB:104575
XREF OSVDB:104796
XREF CERT:120541
XREF CWE:310
Plugin Information:
Publication date: 2009/11/24, Modification date: 2014/03/25
Ports
tcp/25
TLSv1 supports insecure renegotiation.
SSLv3 supports insecure renegotiation.
57582 - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2012/01/17, Modification date: 2012/10/25
Ports
tcp/25
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :
|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/emailAddress=root@ubuntu804-base.localdomain
51192 - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.
First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2010/12/15, Modification date: 2014/02/27
Ports
tcp/25
The following certificate was part of the certificate chain sent by the remote host, but has expired :
|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/emailAddress=root@ubuntu804-base.localdomain
|-Not After : Apr 16 14:07:45 2010 GMT
The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :
|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/emailAddress=root@ubuntu804-base.localdomain
|-Issuer : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/emailAddress=root@ubuntu804-base.localdomain
20007 - SSL Version 2 (v2) Protocol Detection
Synopsis
The remote service encrypts traffic using a protocol with known weaknesses.
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See Also
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2005-2969
Plugin Information:
Publication date: 2005/10/12, Modification date: 2013/01/25
Ports
tcp/25
26928 - SSL Weak Cipher Suites Supported
Synopsis
The remote service supports the use of weak SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application, if possible to avoid the use of weak ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
XREF CWE:327
XREF CWE:326
XREF CWE:753
XREF CWE:803
XREF CWE:720
Plugin Information:
Publication date: 2007/10/08, Modification date: 2013/08/30
Ports
tcp/25
Here is the list of weak SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
42873 - SSL Medium Strength Cipher Suites Supported
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Ports
tcp/25
Here is the list of medium strength SSL ciphers supported by the remote server :
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
Synopsis
The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.
Description
The version of OpenSSL on the remote host has been shown to allow resuming a session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker.
Note that other SSL implementations may also be affected by this vulnerability.
See Also
http://openssl.org/news/secadv_20101202.txt
Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0c or later, or contact your vendor for a patch.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45164
CVE CVE-2010-4180
XREF OSVDB:69565
Plugin Information:
Publication date: 2011/02/07, Modification date: 2014/01/27
Ports
tcp/25
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
The server allowed the following session over TLSv1 to be resumed as follows :
Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
31705 - SSL Anonymous Cipher Suites Supported
Synopsis
The remote service supports the use of anonymous SSL ciphers.
Description
The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 28482
CVE CVE-2007-1858
XREF OSVDB:34882
Plugin Information:
Publication date: 2008/03/28, Modification date: 2014/01/27
Ports
tcp/25
Here is the list of SSL anonymous ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
TLSv1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv3
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
TLSv1
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES-CBC(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
65821 - SSL RC4 Cipher Suites Supported
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 58796
CVE CVE-2013-2566
XREF OSVDB:91162
Plugin Information:
Publication date: 2013/04/05, Modification date: 2014/02/27
Ports
tcp/25
Here is the list of RC4 cipher suites supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
High Strength Ciphers (>= 112-bit key)
SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/25
Port 25/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/25
An SMTP server is running on this port.
10263 - SMTP Server Detection
Synopsis
An SMTP server is listening on the remote port.
Description
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/11
Ports
tcp/25
Remote SMTP server banner :
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
42088 - SMTP Service STARTTLS Command Support
Synopsis
The remote mail service supports encrypting traffic.
Description
The remote SMTP service supports the use of the 'STARTTLS' command to switch from a plaintext to an encrypted communications channel.
See Also
http://en.wikipedia.org/wiki/STARTTLS
http://tools.ietf.org/html/rfc2487
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/10/09, Modification date: 2011/12/14
Ports
tcp/25
Here is the SMTP service's SSL certificate that Nessus was able to collect after sending a 'STARTTLS' command :
------------------------------ snip ------------------------------
Subject Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain
Issuer Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain
Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT
Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9 7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24 73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF 8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E 98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97 00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01
Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A 0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F 1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49 68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68 83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53 A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C 15 6E 8D 30 38 F6 CA 2E 75
------------------------------ snip --------- [...]
56984 - SSL / TLS Versions Supported
Synopsis
The remote service encrypts communications.
Description
This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/01, Modification date: 2014/04/14
Ports
tcp/25
This port supports SSLv2/SSLv3/TLSv1.0.
10863 - SSL Certificate Information
Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2008/05/19, Modification date: 2012/04/02
Ports
tcp/25
Subject Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain
Issuer Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain
Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT
Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9 7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24 73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF 8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E 98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97 00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01
Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A 0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F 1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49 68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68 83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53 A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C 15 6E 8D 30 38 F6 CA 2E 75
62563 - SSL Compression Methods Supported
Synopsis
The remote service supports one or more compression methods for SSL connections.
Description
This script detects which compression methods are supported by the remote service for SSL connections.
See Also
http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml
http://tools.ietf.org/html/rfc3749
http://tools.ietf.org/html/rfc3943
http://tools.ietf.org/html/rfc5246
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/10/16, Modification date: 2013/10/18
Ports
tcp/25
Nessus was able to confirm that the following compression methods are supported by the target :
NULL (0x00)
DEFLATE (0x01)
21643 - SSL Cipher Suites Supported
Synopsis
The remote service encrypts communications using SSL.
Description
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/06/05, Modification date: 2014/01/15
Ports
tcp/25
Here is the list of SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA [...]
70544 - SSL Cipher Block Chaining Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones.
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://www.nessus.org/u?cc4a822a
http://www.openssl.org/~bodo/tls-cbc.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/22, Modification date: 2013/10/22
Ports
tcp/25
Here is the list of SSL CBC ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=M [...]
57041 - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/07, Modification date: 2012/04/02
Ports
tcp/25
Here is the list of SSL PFS ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51891 - SSL Session Resume SupportedSynopsis
The remote host allows resuming SSL sessions.
Description
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/02/07, Modification date: 2013/10/18
Ports
tcp/25
This port supports resuming TLSv1 / SSLv3 sessions.
58768 - SSL Resume With Different Cipher Issue
Synopsis
The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.
Description
The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to manipulate the session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/04/17, Modification date: 2012/04/17
Ports
tcp/25
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :
Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
45410 - SSL Certificate commonName Mismatch
Synopsis
The SSL certificate commonName does not match the host name.
Description
This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/03, Modification date: 2012/09/30
Ports
tcp/25
The host names known by Nessus are :
metasploitable
metasploitable1lc.penlab.lan
The Common Name in the certificate is :
ubuntu804-base.localdomain
53/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/53
Port 53/tcp was found to be open
11002 - DNS Server Detection
Synopsis
A DNS server is listening on the remote host.
Description
The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.
See Also
http://en.wikipedia.org/wiki/Domain_Name_System
Solution
Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.
Risk Factor
None
Plugin Information:
Publication date: 2003/02/13, Modification date: 2013/05/07
Ports
tcp/53
53/udp
11002 - DNS Server Detection
Synopsis
A DNS server is listening on the remote host.
Description
The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.
See Also
http://en.wikipedia.org/wiki/Domain_Name_System
Solution
Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.
Risk Factor
None
Plugin Information:
Publication date: 2003/02/13, Modification date: 2013/05/07
Ports
udp/53
35371 - DNS Server hostname.bind Map Hostname Disclosure
Synopsis
The DNS server discloses the remote host name.
Description
It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOS domain.
Solution
It may be possible to disable this feature. Consult the vendor's documentation for more information.
Risk Factor
None
Plugin Information:
Publication date: 2009/01/15, Modification date: 2011/09/14
Ports
udp/53
The remote host name is : metasploitable
72779 - DNS Server Version Detection
Synopsis
Nessus was able to obtain version information on the remote DNS server.
Description
Nessus was able to obtain version information by sending a special TXT record query to the remote host. Note that this version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2014/03/03, Modification date: 2014/04/17
Ports
udp/53
DNS server answer for "version.bind" : 9.4.2
10028 - DNS Server BIND version Directive Remote Version Detection
Synopsis
It is possible to obtain the version number of the remote DNS server.
Description
The remote host is running BIND or another DNS server that reports its version number when it receives a special request for the text 'version.bind' in the domain 'chaos'. This version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.
Solution
It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section in named.conf.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/03/03
Ports
udp/53
Version : 9.4.2
80/tcp
55976 - Apache HTTP Server Byte Range DoS
Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.
Description
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild.
See Also
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://www.nessus.org/u?404627ec
http://httpd.apache.org/security/CVE-2011-3192.txt
http://www.nessus.org/u?1538124a
http://www-01.ibm.com/support/docview.wss?uid=swg24030863
Solution
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression. If the host is running a web server based on Apache httpd, contact the vendor for a fix.
Risk Factor
High
CVSS Base Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score
6.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
References
BID 49303
CVE CVE-2011-3192
XREF OSVDB:74721
XREF CERT:405811
XREF EDB-ID:17696
XREF EDB-ID:18221
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2011/08/25, Modification date: 2014/01/27
Ports
tcp/80
Nessus determined the server is unpatched and is not using any of the suggested workarounds by making the following requests :

-------------------- Testing for workarounds --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 827
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84a97684a4154
-------------------- Testing for workarounds --------------------

-------------------- Testing for patch --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 274
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84adb94281cdf
-------------------- Testing for patch --------------------
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/80
To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus978170901.html HTTP/1.1
Connection: Close
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:13:49 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus978170901.html HTTP/1.1
Connection: Keep-Alive
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/80
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
43111 - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Ports
tcp/80
Based on the response to an OPTIONS request :
- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :
/
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :
Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
Date: Thu, 08 May 2014 19:13:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 45
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80
Nessus was able to identify the following PHP version information :
Version : 5.2.4-2ubuntu5.10
Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/80
Give Nessus credentials to perform local checks.
139/tcp
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/139
An SMB server is running on this port.
445/tcp
25216 - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
Synopsis
It is possible to execute code on the remote host through Samba.
Description
The version of the Samba server installed on the remote host is affected by multiple heap overflow vulnerabilities, which can be exploited remotely to execute code with the privileges of the Samba daemon.
See Also
http://www.samba.org/samba/security/CVE-2007-2446.html
Solution
Upgrade to Samba version 3.0.25 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 23973
BID 24195
BID 24196
BID 24197
BID 24198
CVE CVE-2007-2446
XREF OSVDB:34699
XREF OSVDB:34731
XREF OSVDB:34732
XREF OSVDB:34733
Exploitable with
CANVAS (true)
Metasploit (true)
Plugin Information:
Publication date: 2007/05/15, Modification date: 2013/02/01
Ports
tcp/445
42411 - Microsoft Windows SMB Shares Unprivileged Access
Synopsis
It is possible to access a network share.
Description
The remote host has one or more Windows shares that can be accessed through the network with the given credentials. Depending on the share rights, it may allow an attacker to read/write confidential data.
Solution
To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions'.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 8026
CVE CVE-1999-0519
CVE CVE-1999-0520
XREF OSVDB:299
Plugin Information:
Publication date: 2009/11/06, Modification date: 2011/03/27
Ports
tcp/445
The following shares can be accessed using a NULL session :
- tmp - (readable,writable)
  + Content of this share :
    ..
    .ICE-unix
    5364.jsvc_up
    .X11-unix
57608 - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Ports
tcp/445
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/445
A CIFS server is running on this port.
25240 - Samba Server Detection
Synopsis
An SMB server is running on the remote host.
Description
The remote host is running Samba, a CIFS/SMB server for Linux and Unix.
See Also
http://www.samba.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2013/01/07
Ports
tcp/445
The remote host tries to hide its SMB server type by changing the MAC address and the LAN manager name. However, by sending several valid and invalid RPC requests it was possible to fingerprint the remote SMB server as Samba.
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/10/17, Modification date: 2014/04/09
Ports
tcp/445
The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.20-Debian
The remote SMB Domain Name is : METASPLOITABLE
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Ports
tcp/445
- NULL sessions are enabled on the remote host
10859 - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis
It is possible to obtain the host SID for the remote host.
Description
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users.
See Also
http://technet.microsoft.com/en-us/library/bb418944.aspx
Solution
You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value. Refer to the 'See also' section for guidance.
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Ports
tcp/445
The remote host SID value is :
1-5-21-1042354039-2475377354-766472396
The value of 'RestrictAnonymous' setting is : unknown
10860 - SMB Use Host SID to Enumerate Local Users
Synopsis
It is possible to enumerate local users.
Description
Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Ports
tcp/445
- Administrator (id 500, Administrator account)
- nobody (id 501, Guest account)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- bin (id 1004)
- bin (id 1005)
- sys (id 1006)
- sys (id 1007)
- sync (id 1008)
- adm (id 1009)
- games (id 1010)
- tty (id 1011)
- man (id 1012)
- disk (id 1013)
- lp (id 1014)
- lp (id 1015)
- mail (id 1016)
- mail (id 1017)
- news (id 1018)
- news (id 1019)
- uucp (id 1020)
- uucp (id 1021)
- man (id 1025)
- proxy (id 1026)
- proxy (id 1027)
- kmem (id 1031)
- dialout (id 1041)
- fax (id 1043)
- voice (id 1045)
- cdrom (id 1049)
- floppy (id 1051)
- tape (id 1053)
- sudo (id 1055)
- audio (id 1059)
- dip (id 1061)
- www-data (id 1066)
- www-data (id 1067)
- backup (id 1068)
- backup (id 1069)
- operator (id 1075)
- list (id 1076)
- list (id 1077)
- irc (id 1078)
- irc (id 1079)
- src (id 1081)
- gnats (id 1082)
- gnats (id 1083)
- shadow (id 1085)
- utmp (id 1087)
- video (id 1089)
- sasl (id 1091)
- plugdev (id 1093)
- staff (id 1101)
- games (id 1121)
- libuuid (id 1200)

Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200. To use a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for this plugin, then re-run the scan.
10395 - Microsoft Windows SMB Shares Enumeration
Synopsis
It is possible to enumerate remote network shares.
Description
By connecting to the remote host, Nessus was able to enumerate the network share names.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2012/11/29
Ports
tcp/445
Here are the SMB shares available on the remote host when logged as a NULL session:
- print$
- tmp
- opt
- IPC$
- ADMIN$
60119 - Microsoft Windows SMB Share Permissions Enumeration
Synopsis
It is possible to enumerate the permissions of remote network shares.
Description
By using the supplied credentials, Nessus was able to enumerate the permissions of network shares. User permissions are enumerated for each network share that has a list of access control entries (ACEs).
See Also
http://technet.microsoft.com/en-us/library/bb456988.aspx
http://technet.microsoft.com/en-us/library/cc783530.aspx
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/07/25, Modification date: 2012/07/25
Ports
tcp/445
Share path : \\METASPLOITABLE\print$
Local path : C:\var\lib\samba\printers
Comment : Printer Drivers

Share path : \\METASPLOITABLE\tmp
Local path : C:\tmp
Comment : oh noes!

Share path : \\METASPLOITABLE\opt
Local path : C:\tmp

Share path : \\METASPLOITABLE\IPC$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))

Share path : \\METASPLOITABLE\ADMIN$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Ports
tcp/445
Here is the browse list of the remote host :
ADMIN-PC ( os : 0.0 )
METASPLOITABLE ( os : 0.0 )
17651 - Microsoft Windows SMB : Obtains the Password Policy
Synopsis
It is possible to retrieve the remote host's password policy using the supplied credentials.
Description
Using the supplied credentials it was possible to extract the password policy for the remote Windows host. The password policy must conform to the Informational System Policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/03/30, Modification date: 2011/03/04
Ports
tcp/445
The following password policy is defined on the remote host:
Minimum password len: 5
Password history len: 0
Maximum password age (d): No limit
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0
42410 - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on tcp port 445 and replies to SMB requests. By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name of its domain.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/11/06, Modification date: 2011/03/27
Ports
tcp/445
The following 2 NetBIOS names have been gathered :
METASPLOITABLE = Computer name
METASPLOITABLE = Workgroup / Domain name
3306/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3306
Port 3306/tcp was found to be open
11153 - Service Detection (HELP Request)
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives a 'HELP' request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/11/18, Modification date: 2014/04/10
Ports
tcp/3306
A MySQL server is running on this port.
10719 - MySQL Server Detection
Synopsis
A database server is listening on the remote port.
Description
The remote host is running MySQL, an open source database server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/13, Modification date: 2013/01/07
Ports
tcp/3306
Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
  CLIENT_LONG_FLAG (Get all column flags)
  CLIENT_CONNECT_WITH_DB (One can specify db on connect)
  CLIENT_COMPRESS (Can use compression protocol)
  CLIENT_PROTOCOL_41 (New 4.1 protocol)
  CLIENT_SSL (Switch to SSL after handshake)
  CLIENT_TRANSACTIONS (Client knows about transactions)
  CLIENT_SECURE_CONNECTION (New 4.1 authentication)
3632/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3632
Port 3632/tcp was found to be open
5432/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/5432
Port 5432/tcp was found to be open
26024 - PostgreSQL Server Detection
Synopsis
A database service is listening on the remote host.
Description
The remote service is a PostgreSQL database server, or a derivative such as EnterpriseDB.
See Also
http://www.postgresql.org/
Solution
Limit incoming traffic to this port if desired.
Risk Factor
None
Plugin Information:
Publication date: 2007/09/14, Modification date: 2013/02/14
Ports
tcp/5432
8009/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/8009
Port 8009/tcp was found to be open
21186 - AJP Connector Detection
Synopsis
There is an AJP connector listening on the remote host.
Description
The remote host is running an AJP (Apache JServ Protocol) connector, a service by which a standalone web server such as Apache communicates over TCP with a Java servlet container such as Tomcat.
See Also
http://tomcat.apache.org/connectors-doc/
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/04/05, Modification date: 2011/03/11
Ports
tcp/8009
The connector listening on this port supports the ajp13 protocol.
8180/tcp
34970 - Apache Tomcat Manager Common Administrative Credentials
Synopsis
The management console for the remote web server is protected using a known set of credentials.
Description
It is possible to gain access to the Manager web application for the remote Tomcat server using a known set of credentials. A remote attacker can leverage this issue to install a malicious application on the affected server and run code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix).
Worms are known to propagate this way.
See Also
http://markmail.org/thread/wfu4nff5chvkb6xp
http://svn.apache.org/viewvc?view=revision&revision=834047
http://www.intevydis.com/blog/?p=87
http://www.zerodayinitiative.com/advisories/ZDI-10-214/
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0260.html
Solution
Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 36253
BID 36954
BID 37086
BID 38084
BID 44172
CVE CVE-2009-3099
CVE CVE-2009-3548
CVE CVE-2010-0557
CVE CVE-2010-4094
XREF OSVDB:57898
XREF OSVDB:60176
XREF OSVDB:60317
XREF OSVDB:62118
XREF OSVDB:69008
XREF EDB-ID:18619
XREF CWE:255
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2008/11/26, Modification date: 2014/02/04
Ports
tcp/8180
It is possible to log into the Tomcat Manager web app at the
following URL : http://metasploitable1lc.penlab.lan:8180/manager/html
with the following credentials :
 - Username : tomcat
 - Password : tomcat
34460 - Unsupported Web Server Detection
Synopsis
The remote web server is obsolete / unsupported.
Description
According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.
A lack of support implies that no new security patches are being released for it.
Solution
Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another server.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin Information:
Publication date: 2008/10/21, Modification date: 2014/04/25
Ports
tcp/8180
Product : Tomcat
Installed version : 5.5
Support ended : 2012-09-30
Supported versions : 7.0.x / 6.0.x
Additional information : http://tomcat.apache.org/tomcat-55-eol.html
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/8180
Port 8180/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/8180
A web server is running on this port.
11422 - Web Server Unconfigured - Default Install Page Present
Synopsis
The remote web server is not configured or is not properly configured.
Description
The remote web server uses its default welcome page. It probably means that this server is not used at all or is serving content that is meant to be hidden.
Solution
Disable this service if you do not use it.
Risk Factor
None
References
XREF OSVDB:3233
Plugin Information:
Publication date: 2003/03/20, Modification date: 2013/11/18
Ports
tcp/8180
The default welcome page is from Tomcat.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/8180
The remote web server type is : Coyote HTTP/1.1 Connector
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/8180
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :
 Server: Apache-Coyote/1.1
 Content-Type: text/html;charset=ISO-8859-1
 Date: Thu, 08 May 2014 19:13:34 GMT
 Connection: close
39446 - Apache Tomcat Default Error Page Version Detection
Synopsis
The remote web server reports its version number on error pages.
Description
Apache Tomcat appears to be running on the remote host and reporting its version number on the default error pages.
A remote attacker could use this information to mount further attacks.
See Also
http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6
http://jcp.org/en/jsr/detail?id=315
Solution
Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the Java Servlet Specification for more information.
Risk Factor
None
Plugin Information:
Publication date: 2009/06/18, Modification date: 2013/05/15
Ports
tcp/8180
Nessus found the following version information on an Apache Tomcat
404 page or in the HTTP Server header :
 Source : <title>Apache Tomcat/5.5
 Version : 5.5
20108 - Web Server / Application favicon.ico Vendor Fingerprinting
Synopsis
The remote web server contains a graphic image that is prone to information disclosure.
Description
The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may be used to fingerprint the web server.
Solution
Remove the 'favicon.ico' file or create a custom one for your site.
Risk Factor
None
References
XREF OSVDB:39272
Plugin Information:
Publication date: 2005/10/28, Modification date: 2013/12/20
Ports
tcp/8180
The MD5 fingerprint for 'favicon.ico' suggests the web server is Apache Tomcat or Alfresco Community.
192.168.222.61
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:14:31 2014
Host Information
DNS Name: wordpresslc.penlab.lan
IP: 192.168.222.61
MAC Address: 00:50:56:9d:75:81
OS: Linux Kernel 3.2 on Debian 7.0 (wheezy)
Results Summary
Critical High Medium Low Info Total
0 0 0 2 21 23
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7092 seconds.
0/tcp
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.61 resolves as wordpresslc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified :
 00:50:56:9d:75:81 : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Linux Kernel 3.2 on Debian 7.0 (wheezy)
Confidence Level : 95
Method : SSH

The remote host is running Linux Kernel 3.2 on Debian 7.0 (wheezy)
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPE :
 cpe:/o:debian:debian_linux:7.0 -> Debian Linux 7.0

Following application CPE matched on the remote system :
 cpe:/a:openbsd:openssh:6.0 -> OpenBSD OpenSSH 6.0
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 343 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.61 :
192.168.222.35
192.168.222.61
22/tcp
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22
The following client-to-server Message Authentication Code (MAC) algorithms
are supported :
 hmac-md5
 hmac-md5-96
 hmac-sha1-96
 hmac-sha2-256-96
 hmac-sha2-512-96

The following server-to-client Message Authentication Code (MAC) algorithms
are supported :
 hmac-md5
 hmac-md5-96
 hmac-sha1-96
 hmac-sha2-256-96
 hmac-sha2-512-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22
The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :
 3des-cbc
 aes128-cbc
 aes192-cbc
 aes256-cbc
 blowfish-cbc
 cast128-cbc
 rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :
 3des-cbc
 aes128-cbc
 aes192-cbc
 aes256-cbc
 blowfish-cbc
 cast128-cbc
 rijndael-cbc@lysator.liu.se
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22
SSH version : SSH-2.0-OpenSSH_6.0p1 Debian-4
SSH supported authentication : publickey,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22
Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :
 diffie-hellman-group-exchange-sha1
 diffie-hellman-group-exchange-sha256
 diffie-hellman-group1-sha1
 diffie-hellman-group14-sha1
 ecdh-sha2-nistp256
 ecdh-sha2-nistp384
 ecdh-sha2-nistp521

The server supports the following options for server_host_key_algorithms :
 ecdsa-sha2-nistp256
 ssh-dss
 ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :
 3des-cbc
 aes128-cbc
 aes128-ctr
 aes192-cbc
 aes192-ctr
 aes256-cbc
 aes256-ctr
 arcfour
 arcfour128
 arcfour256
 blowfish-cbc
 cast128-cbc
 rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :
 3des-cbc
 aes128-cbc
 aes128-ctr
 aes192-cbc
 aes192-ctr
 aes256-cbc
 aes256-ctr
 arcfour
 arcfour128
 arcfour256
 blowfish-cbc
 cast128-cbc
 rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :
 hmac-md5
 hmac-md5-96
 hmac-ripemd160
 hmac-ripemd160@openssh.com
 hmac-sha1
 hmac-sha1-96
 hmac-sha2-256
 hmac-sha2-256-96
 hmac-sha2-512
 hmac-sha2-512-96
 umac-64@openssh.com

The server supports the following options for mac_algorithms_server_to_client :
 hmac-md5
 hmac-md5-96
 hmac-ripemd160
 hmac-ripemd160@openssh.com
 hmac-sha1
 hmac-sha1-96
 hmac-sha2-256
 hmac-sha2-256-96
 hmac-sha2-512
 hmac-sha2-512-96
 umac-64@openssh.com

The server supports the following options for compression_algorithms_client_to_server :
 none
 zlib@openssh.com

The server supports the following options for compression_algorithms_server_to_client :
 none
 zlib@openssh.com
10881 - SSH Protocol Versions Supported
Synopsis
An SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the
SSH protocol :
 - 1.99
 - 2.0

SSHv2 host key fingerprint : 7f:93:59:28:51:4a:54:7a:ec:60:cd:76:29:f9:a7:9c
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22
Give Nessus credentials to perform local checks.
80/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
43111 - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Ports
tcp/80
Based on the response to an OPTIONS request :
 - HTTP methods GET HEAD POST OPTIONS are allowed on :
 /
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is : lighttpd/1.4.31
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, GET, HEAD, POST
Headers :
 Vary: Accept-Encoding
 Content-Type: text/html
 Accept-Ranges: bytes
 ETag: "1702939983"
 Last-Modified: Sun, 15 Dec 2013 19:41:52 GMT
 Content-Length: 3585
 Connection: close
 Date: Thu, 08 May 2014 19:09:42 GMT
 Server: lighttpd/1.4.31
192.168.222.62
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:17:04 2014
Host Information
DNS Name: brainpanlc.penlab.lan
IP: 192.168.222.62
MAC Address: 00:50:56:9d:70:45
OS: Linux Kernel 2.6
Results Summary
Critical High Medium Low Info Total
0 0 0 0 16 16
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7092 seconds.
0/tcp
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.62 resolves as brainpanlc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified :
 00:50:56:9d:70:45 : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Linux Kernel 2.6
Confidence Level : 65
Method : SinFP

The remote host is running Linux Kernel 2.6
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 65
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPE : cpe:/o:linux:linux_kernel:2.6
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 496 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.62 :
192.168.222.35
192.168.222.62
9999/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/9999
Port 9999/tcp was found to be open
11154 - Unknown Service Detection: Banner Retrieval
Synopsis
There is an unknown service running on the remote host.
Description
Nessus was unable to identify a service on the remote host even though it returned a banner of some type.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/11/18, Modification date: 2014/04/10
Ports
tcp/9999
If you know what this service is and think the banner could be used to identify it, please send a description of the service along with the following output to [email protected] :
Port : 9999
Type : spontaneous
Banner :
0x0000: 5F 7C 20 20 20 20 20 20 20 20 20 20 20 20 20 20 _|
0x0010: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 5F 7C _|
0x0020: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 *
0x0040: 20 20 20 20 20 20 20 20 0A 5F 7C 5F 7C 5F 7C 20 ._|_|_|
0x0050: 20 20 20 5F 7C 20 20 5F 7C 5F 7C 20 20 20 20 5F _| _|_| _
0x0060: 7C 5F 7C 5F 7C 20 20 20 20 20 20 5F 7C 5F 7C 5F |_|_| _|_|_
0x0070: 7C 20 20 20 20 5F 7C 5F 7C 5F 7C 20 20 20 20 20 | _|_|_|
0x0080: 20 5F 7C 5F 7C 5F 7C 20 20 5F 7C 5F 7C 5F 7C 20 _|_|_| _|_|_|
0x0090: 20 0A 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C 5F 7C ._| _| _|_|
0x00A0: 20 20 20 20 20 20 5F 7C 20 20 20 20 5F 7C 20 20 _| _|
0x00B0: 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C _| _| _| _|
0x00C0: 20 20 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C _| _| _|
0x00D0: 20 20 5F 7C 20 20 20 20 5F 7C 0A 5F 7C 20 20 20 _| _|._|
0x00E0: 20 5F 7C 20 20 5F 7C 20 20 20 20 20 20 20 20 5F _| _| _
0x00F0: 7C 20 20 20 20 5F 7C 20 20 5F 7C 20 20 5F 7C 20 | _| _| _|
0x0100: 20 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 _| _| _|
0x0110: 20 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C 20 20 20 _| _| _|
0x0120: 20 5F 7C 0A 5F 7C 5F 7C 5F 7C 20 20 20 20 5F 7C _|._|_|_| _|
0x0130: 20 20 20 20 20 20 20 20 20 20 5F 7C 5F 7C 5F 7C _|_|_|
0x0140: 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 20 _| _| _|
0x0150: 5F 7C 5F 7C 5F 7C 20 20 20 [...]
10000/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/10000
Port 10000/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/10000
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/10000
The remote web server type is : SimpleHTTP/0.6 Python/2.7.3
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/10000
Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Server: SimpleHTTP/0.6 Python/2.7.3
Date: Thu, 08 May 2014 19:09:46 GMT
Content-type: text/html
Content-Length: 215
Last-Modified: Mon, 04 Mar 2013 17:35:55 GMT
192.168.222.63
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:11:38 2014
Host Information
DNS Name: xpmarco.penlab.lan
Netbios Name: XPPENTEST
IP: 192.168.222.63
MAC Address: 00:50:56:9d:49:54
OS: Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3
Results Summary
Critical High Medium Low Info Total
5 1 4 0 27 37
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.
0/tcp
73182 - Microsoft Windows XP Unsupported Installation Detection
Synopsis
The remote operating system is no longer supported.
Description
The remote host is running Microsoft Windows XP.
Support for this operating system by Microsoft ended April 8th, 2014.
This means that there will be no new security patches, and Microsoft is unlikely to investigate or acknowledge reports of vulnerabilities.
See Also
http://www.nessus.org/u?33ca6af0
Solution
Upgrade to a version of Windows that is currently supported.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2014/03/25, Modification date: 2014/05/06
Ports
tcp/0
13855 - Microsoft Windows Installed Hotfixes
Synopsis
It is possible to enumerate installed hotfixes on the remote Windows host.
Description
Using the supplied credentials, Nessus was able to log into the remote Windows host, enumerate installed hotfixes, and store them in its knowledge base for other plugins to use.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/07/30, Modification date: 2014/02/12
Ports
tcp/0
The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled.
Solution : Configure the account you are using to get the ability to connect to ADMIN$
24786 - Nessus Windows Scan Not Performed with Admin Privileges
Synopsis
The Nessus scan of this host may be incomplete due to insufficient privileges provided.
Description
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however these credentials do not have administrative privileges.
Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied.
If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to perform a patch audit through the registry which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).
Solution
Reconfigure your scanner to use credentials with administrative privileges.
Risk Factor
None
Plugin Information:
Publication date: 2007/03/12, Modification date: 2013/01/07
Ports
tcp/0
It was not possible to connect to '\\XPPENTEST\ADMIN$' with the supplied credentials.
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.63 resolves as xpmarco.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified :
00:50:56:9d:49:54 : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Confidence Level : 99
Method : MSRPC
The remote host is running one of these operating systems :
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 99
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPE's :
cpe:/o:microsoft:windows_xp::sp2 -> Microsoft Windows XP Service Pack 2
cpe:/o:microsoft:windows_xp::sp3 -> Microsoft Windows XP Service Pack 3
21745 - Authentication Failure - Local Checks Not Run
Synopsis
The local security checks are disabled.
Description
Local security checks have been disabled for this host because either the credentials supplied in the scan policy did not allow Nessus to log into it or some other problem occurred.
Solution
Address the problem(s) so that local security checks are enabled.
Risk Factor
None
Plugin Information:
Publication date: 2006/06/23, Modification date: 2013/05/23
Ports
tcp/0
The local checks failed because :
the account used does not have sufficient privileges to read all the required registry entries
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0
You need to take the following 2 actions:
[ MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) (18502) ]
+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.
[ MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check) (20928) ]
+ Action to take: Microsoft has released a set of patches for Windows XP and 2003.
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :
Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 170 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.63 :
192.168.222.35
192.168.222.63
123/udp
10884 - Network Time Protocol (NTP) Server Detection
Synopsis
An NTP server is listening on the remote host.
Description
An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/13, Modification date: 2011/03/11
Ports
udp/123
135/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/135
Port 135/tcp was found to be open
137/udp
10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2013/01/16
Ports
udp/137
The following 6 NetBIOS names have been gathered :
XPPENTEST = Computer name
XPPENTEST = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections
ARBEITSGRUPPE = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter :
00:50:56:9d:49:54
139/tcp
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/139
An SMB server is running on this port.
445/tcp
22194 - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-040
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 19409
CVE CVE-2006-3439
XREF OSVDB:27845
XREF MSFT:MS06-040
Exploitable with
CANVAS (true)
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2006/08/08, Modification date: 2014/03/31
Ports
tcp/445
35362 - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
Synopsis
It is possible to crash the remote host due to a flaw in SMB.
Description
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.
See Also
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 31179
BID 33121
BID 33122
CVE CVE-2008-4834
CVE CVE-2008-4835
CVE CVE-2008-4114
XREF OSVDB:48153
XREF OSVDB:52691
XREF OSVDB:52692
XREF MSFT:MS09-001
XREF CWE:399
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2009/01/13, Modification date: 2014/03/28
Ports
tcp/445
18502 - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host.
An attacker does not need to be authenticated to exploit this flaw.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms05-027
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 13942
CVE CVE-2005-1206
XREF OSVDB:17308
XREF MSFT:MS05-027
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2005/06/16, Modification date: 2013/11/04
Ports
tcp/445
34477 - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with the 'System' privileges.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms08-067
Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
STIG Severity
I
References
BID 31874
CVE CVE-2008-4250
XREF OSVDB:49243
XREF MSFT:MS08-067
XREF IAVA:2008-A-0081
XREF CWE:94
Exploitable with
CANVAS (true)
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2008/10/23, Modification date: 2014/03/31
Ports
tcp/445
22034 - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-035
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 18863
BID 18891
CVE CVE-2006-1314
CVE CVE-2006-1315
XREF OSVDB:27154
XREF OSVDB:27155
XREF MSFT:MS06-035
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2006/07/12, Modification date: 2013/11/04
Ports
tcp/445
26919 - Microsoft Windows SMB Guest Account Local User Access
Synopsis
It is possible to log into the remote host.
Description
The remote host is running one of the Microsoft Windows operating systems or the SAMBA daemon. It was possible to log into it as a guest user using a random account.
Solution
In the group policy change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'. Disable the Guest account if applicable.
If the SAMBA daemon is running, double-check the SAMBA configuration around guest user access and disable guest access if appropriate.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0505
XREF OSVDB:3106
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2007/10/04, Modification date: 2014/03/03
Ports
tcp/445
20928 - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host.
Description
The remote version of Windows contains a flaw in the Web Client service that may allow an attacker to execute arbitrary code on the remote host.
To exploit this flaw, an attacker would need credentials to log into the remote host.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-008
Solution
Microsoft has released a set of patches for Windows XP and 2003.
Risk Factor
Medium
CVSS Base Score
6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score
4.8 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
References
BID 16636
CVE CVE-2006-0013
XREF OSVDB:23134
XREF MSFT:MS06-008
Plugin Information:
Publication date: 2006/02/15, Modification date: 2013/11/04
Ports
tcp/445
26920 - Microsoft Windows SMB NULL Session Authentication
Synopsis
It is possible to log into the remote Windows host with a NULL session.
Description
The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password).
Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.
See Also
http://support.microsoft.com/kb/q143474/
http://support.microsoft.com/kb/q246261/
http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx
Solution
Apply the following registry changes per the referenced Technet advisories :
Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1
Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes
Reboot once the registry changes are complete.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 494
CVE CVE-1999-0519
CVE CVE-1999-0520
CVE CVE-2002-1117
XREF OSVDB:299
XREF OSVDB:8230
Plugin Information:
Publication date: 2007/10/04, Modification date: 2012/02/29
Ports
tcp/445
It was possible to bind to the \browser pipe
57608 - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'.
On Samba, the setting is called 'server signing'. See the 'see also' links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Ports
tcp/445
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/445
A CIFS server is running on this port.
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/10/17, Modification date: 2014/04/09
Ports
tcp/445
The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : XPPENTEST
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Ports
tcp/445
- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'
10400 - Microsoft Windows SMB Registry Remotely Accessible
Synopsis
Access the remote Windows Registry.
Description
It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2013/01/07
Ports
tcp/445
10395 - Microsoft Windows SMB Shares Enumeration
Synopsis
It is possible to enumerate remote network shares.
Description
By connecting to the remote host, Nessus was able to enumerate the network share names.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2012/11/29
Ports
tcp/445
Here are the SMB shares available on the remote host when logged as plrsongc:
- IPC$
- ADMIN$
- C$
10428 - Microsoft Windows SMB Registry Not Fully Accessible Detection
Synopsis
Nessus had insufficient access to the remote registry.
Description
Nessus did not access the remote registry completely, because full administrative rights are required.
If you want the permissions / values of all the sensitive registry keys to be checked, we recommend that you complete the 'SMB Login' options in the 'Windows credentials' section of the policy with the administrator login name and password.
Solution
Use an administrator level account for scanning.
Risk Factor
None
Plugin Information:
Publication date: 2000/05/29, Modification date: 2014/02/27
Ports
tcp/445
10859 - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis
It is possible to obtain the host SID for the remote host.
Description
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier).
The host SID can then be used to get the list of local users.
See Also
http://technet.microsoft.com/en-us/library/bb418944.aspx
Solution
You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value.
Refer to the 'See also' section for guidance.
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Ports
tcp/445
The remote host SID value is : 1-5-21-796845957-484061587-682003330
The value of 'RestrictAnonymous' setting is : unknown
10860 - SMB Use Host SID to Enumerate Local Users
Synopsis
It is possible to enumerate local users.
Description
Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Ports
tcp/445
- Administrator (id 500, Administrator account)
- Gast (id 501, Guest account)
- Hilfeassistent (id 1000)
- Hilfedienstgruppe (id 1001)
- SUPPORT_388945a0 (id 1002)
- sysadmin (id 1003)
- ASPNET (id 1004)
Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for this plugin, then re-run the scan.
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Ports
tcp/445
Here is the browse list of the remote host :
WINDOWS2003 ( os : 5.2 ) - Windows2003
XPPENTEST ( os : 5.1 )
192.168.222.64
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:21:20 2014
Host Information
DNS Name: win7lc.penlab.lan
Netbios Name: ADMIN-PC
IP: 192.168.222.64
MAC Address: 00:50:56:9d:61:13
OS: Microsoft Windows 7 Professional
Results Summary
Critical High Medium Low Info Total
5 23 49 3 74 154
Results Details
0/tcp
24786 - Nessus Windows Scan Not Performed with Admin Privileges
Synopsis
The Nessus scan of this host may be incomplete due to insufficient privileges provided.
Description
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however these credentials do not have administrative privileges. Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied. If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to perform a patch audit through the registry, which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).
Solution
Reconfigure your scanner to use credentials with administrative privileges.
Risk Factor
None
Plugin Information:
Publication date: 2007/03/12, Modification date: 2013/01/07
Ports tcp/0
It was not possible to connect to '\\ADMIN-PC\ADMIN$' with the supplied credentials.
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports tcp/0
192.168.222.64 resolves as win7lc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports tcp/0
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports tcp/0
Remote operating system : Microsoft Windows 7 Professional
Confidence Level : 99
Method : MSRPC

Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to [email protected]. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names.

HTTP:Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
SinFP:
P1:B11113:F0x12:W16384:O0204ffff:M1334:
P2:B11113:F0x12:W16384:O0204ffff010303000402080affffffff44454144:M1334:
P3:B00000:F0x00:W0:O0:M0
P4:5206_7_p=110
SMTP:!:220 localhost ESMTP server ready.
SSLcert:!:i/CN:localhost s/CN:localhost b0238c547a905bfa119c4e8baccaeacf36491ff6

The remote host is running Microsoft Windows 7 Professional
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports tcp/0
Remote device type : general-purpose
Confidence level : 99
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each Ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUIs are registered by the IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports tcp/0
The following card manufacturers were identified : 00:50:56:9d:61:13 : VMware, Inc.
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports tcp/0
The remote operating system matched the following CPE :
cpe:/o:microsoft:windows_7:::professional

Following application CPE's matched on the remote system :
cpe:/a:php:php:5.3.1 -> PHP 5.3.1
cpe:/a:modssl:mod_ssl:2.2.14
cpe:/a:openssl:openssl:0.9.8l -> OpenSSL Project OpenSSL 0.9.8l
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
cpe:/a:apache:mod_perl:2.0.4
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports tcp/0
You need to take the following 3 actions :

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take : Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

[ PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities (71426) ]
+ Action to take : Upgrade to PHP version 5.3.28 or later.
+ Impact : Taking this action will resolve 86 different vulnerabilities (CVEs).

[ Apache 2.2 < 2.2.27 Multiple Vulnerabilities (73405) ]
+ Action to take : Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
+ Impact : Taking this action will resolve 27 different vulnerabilities (CVEs).
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 752 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.64 :
192.168.222.35
192.168.222.64
21/tcp
10081 - FTP Privileged Port Bounce Scan
Synopsis
The remote FTP server is vulnerable to an FTP server bounce attack.
Description
It is possible to force the remote FTP server to connect to third parties using the PORT command. The problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network.
See Also
http://archives.neohapsis.com/archives/bugtraq/1995_3/0047.html
Solution
See the CERT advisory in the references for solutions and workarounds.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 126
CVE CVE-1999-0017
XREF OSVDB:71
XREF CERT-CC:CA-1997-27
Plugin Information:
Publication date: 1999/06/22, Modification date: 2012/12/10
Ports tcp/21
The following command, telling the server to connect to 169.254.69.106 on port 10794 :
PORT 169,254,69,106,42,42
produced the following output :
200 Port command successful
10079 - Anonymous FTP Enabled
Synopsis
Anonymous logins are allowed on the remote FTP server.
Description
This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.
Solution
Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0497
XREF OSVDB:69
Plugin Information:
Publication date: 1999/06/22, Modification date: 2014/04/02
Ports tcp/21
The contents of the remote FTP root are :
drwxr-xr-x 1 ftp ftp 0 Apr 06 06:20 incoming
-r--r--r-- 1 ftp ftp 187 Dec 20 2009 onefile.html
34324 - FTP Supports Clear Text Authentication
Synopsis
Authentication credentials might be intercepted.
Description
The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.
Solution
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
XREF CWE:522
XREF CWE:523
Plugin Information:
Publication date: 2008/10/01, Modification date: 2013/01/25
Ports tcp/21
This FTP server does not support 'AUTH TLS'.
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports tcp/21
Port 21/tcp was found to be open
14773 - Service Detection: 3 ASCII Digit Code Responses
Synopsis
This plugin performs service detection.
Description
This plugin is a complement of find_service1.nasl. It attempts to identify services that return 3 ASCII digit codes (ie: FTP, SMTP, NNTP, ...).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/09/17, Modification date: 2011/08/16
Ports tcp/21
An FTP server is running on this port
10092 - FTP Server Detection
Synopsis
An FTP server is listening on this port.
Description
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/02/24
Ports tcp/21
The remote FTP banner is :
220 FileZilla Server version 0.9.33 beta written by Tim Kosse ([email protected]) Please visit http://sourceforge.
25/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports tcp/25
Port 25/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports tcp/25
An SMTP server is running on this port.
10263 - SMTP Server Detection
Synopsis
An SMTP server is listening on the remote port.
Description
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/11
Ports tcp/25
Remote SMTP server banner : 220 localhost ESMTP server ready.
79/tcp
10073 - Finger Recursive Request Arbitrary Site Redirection
Synopsis
It is possible to use the remote host to perform third-party host scans.
Description
The remote finger service accepts redirect requests. That is, users can perform requests like :
finger user@host@victim
This allows an attacker to use this computer as a relay to gather information on a third-party network. In addition, this type of syntax can be used to create a denial of service condition on the remote host.
Solution
Disable the remote finger daemon (comment out the 'finger' line in /etc/inetd.conf and restart the inetd process) or upgrade it to a more secure one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0105
CVE CVE-1999-0106
XREF OSVDB:64
XREF OSVDB:5769
Plugin Information:
Publication date: 1999/06/22, Modification date: 2011/12/28
Ports tcp/79
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports tcp/79
Port 79/tcp was found to be open
11154 - Unknown Service Detection: Banner Retrieval
Synopsis
There is an unknown service running on the remote host.
Description
Nessus was unable to identify a service on the remote host even though it returned a banner of some type.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/11/18, Modification date: 2014/04/10
Ports tcp/79
If you know what this service is and think the banner could be used to identify it, please send a description of the service along with the following output to [email protected] :

Port : 79
Type : get_http
Banner :
0x00: 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 20 69    GET / HTTP/1.0 i
0x10: 73 20 6E 6F 74 20 6B 6E 6F 77 6E 20 61 74 20 74    s not known at t
0x20: 68 69 73 20 73 69 74 65 2E 0D 0A                   his site...
80/tcp
60085 - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore, potentially affected by the following vulnerabilities :
- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)
See Also
http://www.php.net/ChangeLog-5.php#5.3.15
Solution
Upgrade to PHP version 5.3.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 54612
BID 54638
CVE CVE-2012-2688
CVE CVE-2012-3365
XREF OSVDB:84100
XREF OSVDB:84126
Plugin Information:
Publication date: 2012/07/20, Modification date: 2013/10/23
Ports tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15
45004 - Apache 2.2 < 2.2.15 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are potentially affected by multiple vulnerabilities :
- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://www.nessus.org/u?0bf1f184
Solution
Upgrade to Apache version 2.2.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 21865
BID 36935
BID 38491
BID 38494
BID 38580
CVE CVE-2007-6750
CVE CVE-2009-3555
CVE CVE-2010-0408
CVE CVE-2010-0425
CVE CVE-2010-0434
XREF OSVDB:59969
XREF OSVDB:62674
XREF OSVDB:62675
XREF OSVDB:62676
XREF Secunia:38776
XREF CWE:200
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/03/12
Ports tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15
58988 - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is potentially affected by a remote code execution and information disclosure vulnerability. An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'. Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-03-1
http://www.php.net/ChangeLog-5.php#5.3.12
http://www.php.net/ChangeLog-5.php#5.4.2
Solution
Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite' workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-1823
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
CANVAS (true)
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2012/05/04, Modification date: 2014/04/11
Ports tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2
51140 - PHP 5.3 < 5.3.4 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be affected by several security issues :
- A crash in the zip extract method.
- A stack buffer overflow in imagepstext() of the GD extension.
- An unspecified vulnerability related to symbolic resolution when using a DFS share.
- A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)
- Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)
- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
- Memory corruption in php_filter_validate_email(). (CVE-2010-3710)
- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
- A possible double free in the IMAP extension. (CVE-2010-4150)
- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
- An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)
- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)
- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
- A race condition exists in the PCNTL extension. (CVE-2011-0753)
- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)
- An integer overflow exists in the mt_rand function. (CVE-2011-0755)
See Also
http://www.php.net/releases/5_3_4.php
http://www.php.net/ChangeLog-5.php#5.3.4
Solution
Upgrade to PHP 5.3.4 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 40173
BID 43926
BID 44605
BID 44718
BID 44723
BID 44951
BID 44980
BID 45119
BID 45335
BID 45338
BID 45339
BID 45952
BID 45954
BID 46056
BID 46168
CVE CVE-2006-7243
CVE CVE-2010-2094
CVE CVE-2010-2950
CVE CVE-2010-3436
CVE CVE-2010-3709
CVE CVE-2010-3710
CVE CVE-2010-3870
CVE CVE-2010-4150
CVE CVE-2010-4156
CVE CVE-2010-4409
CVE CVE-2010-4697
CVE CVE-2010-4698
CVE CVE-2010-4699
CVE CVE-2010-4700
CVE CVE-2011-0753
CVE CVE-2011-0754
CVE CVE-2011-0755
XREF OSVDB:66086
XREF OSVDB:68597
XREF OSVDB:69099
XREF OSVDB:69109
XREF OSVDB:69110
XREF OSVDB:69230
XREF OSVDB:69651
XREF OSVDB:69660
XREF OSVDB:70606
XREF OSVDB:70607
XREF OSVDB:70608
XREF OSVDB:70609
XREF OSVDB:70610
XREF OSVDB:74193
XREF OSVDB:74688
XREF OSVDB:74689
XREF CERT:479900
Plugin Information:
Publication date: 2010/12/13, Modification date: 2013/10/23
Ports tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4
58966 - PHP < 5.3.11 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is potentially affected by multiple vulnerabilities :
- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated. (CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and 'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)
See Also
http://www.nessus.org/u?e81d4026
https://bugs.php.net/bug.php?id=61043
https://bugs.php.net/bug.php?id=54374
https://bugs.php.net/bug.php?id=60227
http://marc.info/?l=oss-security&m=134626481806571&w=2
http://www.php.net/archive/2012.php#id2012-04-26-1
http://www.php.net/ChangeLog-5.php#5.3.11
Solution
Upgrade to PHP version 5.3.11 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 51954
BID 53403
BID 55297
CVE CVE-2011-1398
CVE CVE-2012-0831
CVE CVE-2012-1172
XREF OSVDB:79017
XREF OSVDB:81791
XREF OSVDB:85086
Plugin Information:
Publication date: 2012/05/02, Modification date: 2013/10/23
Ports tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11
52717 - PHP 5.3 < 5.3.6 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.
- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extension, which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.
See Also
http://bugs.php.net/bug.php?id=54193
http://bugs.php.net/bug.php?id=54055
http://bugs.php.net/bug.php?id=53885
http://bugs.php.net/bug.php?id=53574
http://bugs.php.net/bug.php?id=53512
http://bugs.php.net/bug.php?id=54060
http://bugs.php.net/bug.php?id=54061
http://bugs.php.net/bug.php?id=54092
http://bugs.php.net/bug.php?id=53579
http://bugs.php.net/bug.php?id=49072
http://openwall.com/lists/oss-security/2011/02/14/1
http://www.php.net/releases/5_3_6.php
http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/
Solution
Upgrade to PHP 5.3.6 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46354
BID 46365
BID 46786
BID 46854
CVE CVE-2011-0421
CVE CVE-2011-0708
CVE CVE-2011-1092
CVE CVE-2011-1153
CVE CVE-2011-1464
CVE CVE-2011-1466
CVE CVE-2011-1467
CVE CVE-2011-1468
CVE CVE-2011-1469
CVE CVE-2011-1470
XREF OSVDB:71597
XREF OSVDB:71598
XREF OSVDB:72531
XREF OSVDB:72532
XREF OSVDB:72533
XREF OSVDB:73623
XREF OSVDB:73624
XREF OSVDB:73625
XREF OSVDB:73626
XREF OSVDB:73754
XREF OSVDB:73755
XREF EDB-ID:16261
XREF Secunia:43328
Plugin Information:
Publication date: 2011/03/18, Modification date: 2013/10/23
Ports tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
67259 - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore, potentially affected by the following vulnerabilities :
- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://bugs.php.net/64949
http://bugs.php.net/65236
http://www.php.net/ChangeLog-5.php#5.3.27
Solution
Apply the vendor patch or upgrade to PHP version 5.3.27 or later.
Risk Factor
High
CVSS Base Score
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
References
BID 61128
CVE CVE-2013-4113
XREF OSVDB:95152
Plugin Information:
Publication date: 2013/07/12, Modification date: 2013/10/23
Ports tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27
66842 - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore, potentially affected by the following vulnerabilities :
- An error exists in the function 'php_quot_print_encode' in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain strings. (Bug #64879)
- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c' that could allow denial of service attacks. (Bug #64895)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?60cbc5f0
http://www.nessus.org/u?8456482e
http://www.php.net/ChangeLog-5.php#5.3.26
Solution
Apply the vendor patch or upgrade to PHP version 5.3.26 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 60411
BID 60731
CVE CVE-2013-2110
CVE CVE-2013-4635
XREF OSVDB:93968
XREF OSVDB:94063
Plugin Information:
Publication date: 2013/06/07, Modification date: 2014/04/03
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26
55925 - PHP 5.3 < 5.3.7 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version resolves the following issues:
- A stack buffer overflow in socket_connect(). (CVE-2011-1938)
- A use-after-free vulnerability in substr_replace(). (CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob(). (CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences. (CVE-2011-3182)
- An unspecified crash in error_log(). (CVE-2011-3267)
- A buffer overflow in crypt(). (CVE-2011-3268)
See Also
http://securityreason.com/achievement_securityalert/101
http://securityreason.com/exploitalert/10738
https://bugs.php.net/bug.php?id=54238
https://bugs.php.net/bug.php?id=54681
https://bugs.php.net/bug.php?id=54939
http://www.php.net/releases/5_3_7.php
Solution
Upgrade to PHP 5.3.7 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46843
BID 47950
BID 48259
BID 49241
BID 49249
BID 49252
CVE CVE-2011-1148
CVE CVE-2011-1657
CVE CVE-2011-1938
CVE CVE-2011-2202
CVE CVE-2011-2483
CVE CVE-2011-3182
CVE CVE-2011-3267
CVE CVE-2011-3268
XREF OSVDB:72644
XREF OSVDB:73113
XREF OSVDB:73218
XREF OSVDB:74738
XREF OSVDB:74739
XREF OSVDB:74742
XREF OSVDB:74743
XREF OSVDB:75200
XREF EDB-ID:17318
XREF EDB-ID:17486
Plugin Information:
Publication date: 2011/08/22, Modification date: 2013/11/27
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7
59056 - PHP 5.3.x < 5.3.13 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is potentially affected by a remote code execution and information disclosure vulnerability. The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query parameters are still possible.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-08-1
http://www.php.net/ChangeLog-5.php#5.3.13
Solution
Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite' workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-2311
CVE CVE-2012-2335
CVE CVE-2012-2336
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/05/09, Modification date: 2013/10/30
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13
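Two things a practitioner wants from this record before calling it confirmed. First, the "PHP/5.3.1" token in the Server header is how mod_php announces itself (php-cgi does not add its version to Apache's Server header), so on this host the finding is a likely false positive unless php-cgi has separately been wired in through an Action or ScriptAlias; the httpd.conf, not the banner, settles that. Second, the CGI mechanism itself is easy to spot in access logs: RFC 3875 says a query string without '=' is an "indexed" query that the server splits on '+' and passes to the script as argv, which is how php-cgi ends up receiving its own switches. The Python below is an added example, not part of the report or of PHP, that derives that argv for a query string and runs the published mod_rewrite workaround's condition (reject a query string with no '=' that contains '-' or '%2d') over constructed access-log lines; the log lines and addresses are made up for the example.

```python
import re
from urllib.parse import unquote

# Apache combined log format, enough fields to recover the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})')

# Constructed access-log lines (not from the scanned host): three requests that smuggle
# php-cgi switches through the query string, three that are ordinary.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2014:19:21:21 +0200] "GET /index.php?-s HTTP/1.1" 200 512 "-" "curl/7.30.0"
203.0.113.5 - - [08/May/2014:19:21:22 +0200] "GET /index.php?%2ds HTTP/1.1" 200 512 "-" "curl/7.30.0"
203.0.113.5 - - [08/May/2014:19:21:23 +0200] "GET /index.php?-d+display_errors%3d1 HTTP/1.1" 200 94 "-" "curl/7.30.0"
192.0.2.10 - - [08/May/2014:19:22:01 +0200] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [08/May/2014:19:22:05 +0200] "GET /search.php?q=foo-bar HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.11 - - [08/May/2014:19:22:09 +0200] "GET /index.php?home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def split_target(target: str) -> tuple:
    """'/index.php?-s' -> ('/index.php', '-s'); the query is '' when there is none."""
    path, _, query = target.partition("?")
    return path, query


def cgi_argv(query: str) -> list:
    """What an RFC 3875 CGI server hands the script as argv: a query string without
    '=' is an 'indexed' query, split on '+' and percent-decoded, so php-cgi sees
    ['-d', 'display_errors=1'] for '?-d+display_errors%3d1'. With a literal '='
    present argv stays empty and the query reaches PHP only via QUERY_STRING."""
    if "=" in query:
        return []
    return [unquote(part) for part in query.split("+") if part]


def is_cgi_option_injection(query: str) -> bool:
    """The condition of the mod_rewrite workaround published for CVE-2012-1823/2311:
    a raw query string with no '=' that contains '-' literally or as %2d (any case).
    Note that an encoded '=' (%3d) does not count, which is why the third sample
    line is caught even though it decodes to something containing '='."""
    if "=" in query:
        return False
    return "-" in query or "%2d" in query.lower()


def scan_access_log(text: str) -> list:
    """One dict per request whose query string php-cgi would parse as options."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, query = split_target(m.group("target"))
        if is_cgi_option_injection(query):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
                         "query": query, "argv": cgi_argv(query)})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]}?{hit["query"]} -> php-cgi argv {hit["argv"]}')
```

The same condition, expressed as the rewrite rule, is what the "Solution" line above refers to; the scan function is the detection-side view of it, useful for checking whether anyone tried the query-string form against the host before the upgrade landed.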
59529 - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14 and is, therefore, potentially affected by the following vulnerabilities:
- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks. (CVE-2012-2143)
- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of sensitive information or denial of service. (CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be disclosed when input data is of length zero. (CVE-2012-6113)
See Also
http://www.nessus.org/u?6adf7abc
https://bugs.php.net/bug.php?id=61755
http://www.php.net/ChangeLog-5.php#5.3.14
http://www.nessus.org/u?99140286
http://www.nessus.org/u?a42ad63a
Solution
Upgrade to PHP version 5.3.14 or later.
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score
6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
References
BID 47545
BID 53729
BID 54777
BID 57462
CVE CVE-2012-2143
CVE CVE-2012-2386
CVE CVE-2012-3450
CVE CVE-2012-6113
XREF OSVDB:72399
XREF OSVDB:82510
XREF OSVDB:82931
XREF OSVDB:89424
XREF EDB-ID:17201
Plugin Information:
Publication date: 2012/06/15, Modification date: 2013/12/04
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14
48245 - PHP 5.3 < 5.3.3 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be affected by several security issues:
- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397)
- An error exists in the function 'shm_put_var' that is related to resource destruction.
- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)
- A memory corruption error exists related to call-time pass by reference and callbacks.
- The dechunking filter is vulnerable to buffer overflow.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- An error exists in the 'phar' extension related to string format validation.
- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.
- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.
- The following functions are not properly protected against function interruptions: addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions: ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user-defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions. (CVE-2010-2531)
See Also
http://www.php.net/releases/5_3_3.php
http://www.php.net/ChangeLog-5.php#5.3.3
Solution
Upgrade to PHP version 5.3.3 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 38708
BID 40461
BID 40948
BID 41991
CVE CVE-2007-1581
CVE CVE-2010-0397
CVE CVE-2010-1860
CVE CVE-2010-1862
CVE CVE-2010-1864
CVE CVE-2010-1917
CVE CVE-2010-2097
CVE CVE-2010-2100
CVE CVE-2010-2101
CVE CVE-2010-2190
CVE CVE-2010-2191
CVE CVE-2010-2225
CVE CVE-2010-2484
CVE CVE-2010-2531
CVE CVE-2010-3062
CVE CVE-2010-3063
CVE CVE-2010-3064
CVE CVE-2010-3065
XREF OSVDB:33942
XREF OSVDB:63078
XREF OSVDB:64322
XREF OSVDB:64544
XREF OSVDB:64546
XREF OSVDB:64607
XREF OSVDB:65755
XREF OSVDB:66087
XREF OSVDB:66093
XREF OSVDB:66094
XREF OSVDB:66095
XREF OSVDB:66096
XREF OSVDB:66097
XREF OSVDB:66098
XREF OSVDB:66099
XREF OSVDB:66100
XREF OSVDB:66101
XREF OSVDB:66102
XREF OSVDB:66103
XREF OSVDB:66104
XREF OSVDB:66105
XREF OSVDB:66106
XREF OSVDB:66798
XREF OSVDB:66804
XREF OSVDB:66805
XREF OSVDB:67418
XREF OSVDB:67419
XREF OSVDB:67420
XREF OSVDB:67421
XREF Secunia:39675
XREF Secunia:40268
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3
57537 - PHP < 5.3.9 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be affected by the following security issues:
- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files, resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consumption. (CVE-2012-0789)
See Also
http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5
http://www.php.net/archive/2012.php#id2012-01-11-1
http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
https://bugs.php.net/bug.php?id=55475
https://bugs.php.net/bug.php?id=55776
https://bugs.php.net/bug.php?id=53502
http://www.php.net/ChangeLog-5.php#5.3.9
Solution
Upgrade to PHP version 5.3.9 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 49754
BID 50907
BID 51193
BID 51806
BID 51952
BID 51992
BID 52043
CVE CVE-2011-3379
CVE CVE-2011-4566
CVE CVE-2011-4885
CVE CVE-2012-0057
CVE CVE-2012-0781
CVE CVE-2012-0788
CVE CVE-2012-0789
XREF OSVDB:75713
XREF OSVDB:77446
XREF OSVDB:78115
XREF OSVDB:78571
XREF OSVDB:78676
XREF OSVDB:79016
XREF OSVDB:79332
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2012/01/13, Modification date: 2013/11/14
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9
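The hash-collision item in the record above (CVE-2011-4885) is worth seeing concretely, because it explains why the cost is quadratic and why the PHP 5.3.9 fix was a cap on the number of request variables (max_input_vars) rather than a change to the hash. PHP 5.3 stores string keys of $_GET/$_POST in a chained hash table keyed by DJBX33A (h = h*33 + byte, starting from 5381), and the collision is in the key names: the two-byte strings "Ez" and "FY" hash identically, and because the hash depends only on the running value, any concatenation of such blocks collides as well. The Python below is an added example, not Nessus or PHP code: it reimplements the hash, builds 2^10 colliding keys, and counts the key comparisons a chained table performs while inserting them against an ordinary key set. The 32-bit mask reflects a Win32 build's unsigned long and the bucket count is an assumption for the cost model.

```python
# DJBX33A as PHP 5.3's zend_hash applies it to string keys: h = h*33 + byte from 5381,
# in the C 'unsigned long' of the build (32 bits on Win32, hence the mask).
MASK32 = 0xFFFFFFFF


def djbx33a(key: bytes, mask: int = MASK32) -> int:
    h = 5381
    for byte in key:
        h = (h * 33 + byte) & mask
    return h


# Two 2-byte blocks with the same DJBX33A value: 69*33 + 122 == 70*33 + 89.
# The hash only depends on the running value, so any sequence of such blocks collides.
BLOCKS = (b"Ez", b"FY")


def colliding_keys(n_blocks: int) -> list:
    """All 2**n_blocks distinct keys built from n_blocks colliding blocks; every one
    of them has the same DJBX33A value."""
    keys = [b""]
    for _ in range(n_blocks):
        keys = [k + blk for k in keys for blk in BLOCKS]
    return keys


def insert_cost(keys: list, n_buckets: int = 1 << 16) -> int:
    """Key comparisons a chained hash table makes while inserting `keys` in order.
    Each insert walks its bucket's chain comparing against every entry already there
    (the duplicate-key check), so one shared bucket costs 0+1+...+(n-1) = n(n-1)/2.
    n_buckets is an assumed power-of-two table size, masked like zend_hash does."""
    table = {}
    comparisons = 0
    for k in keys:
        chain = table.setdefault(djbx33a(k) & (n_buckets - 1), [])
        comparisons += len(chain)
        chain.append(k)
    return comparisons


if __name__ == "__main__":
    evil = colliding_keys(10)                     # 1024 keys, one hash value
    benign = [b"key%d" % i for i in range(len(evil))]
    print("distinct hashes, colliding set:", len({djbx33a(k) for k in evil}))
    print("comparisons, colliding set:   ", insert_cost(evil))
    print("comparisons, ordinary keys:   ", insert_cost(benign))
```

With 1024 colliding names the table does 523,776 comparisons for one request; the ordinary set needs a few dozen. Growing the name count is linear in request size and quadratic in CPU, which is the whole attack, and it is why a per-request limit on variable count (rather than a faster hash) closes it on an unpatched 5.3.x as long as the limit is enforced before the table is populated.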
10678 - Apache mod_info /server-info Information Disclosure
Synopsis
The remote web server discloses information about its configuration.
Description
It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.
See Also
http://httpd.apache.org/docs/mod/mod_info.html
Solution
If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid users / hosts.
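This one, unlike the banner-based records, is directly verifiable: request the URL and see whether mod_info's page comes back. The Python below is an added example, not part of the report, that does that and maps the answer onto the three states a remediation check cares about (still exposed, access-controlled, handler removed). The marker strings are this example's assumption about what mod_info's page contains (its title and "Server Version:" heading); the sample responses are constructed so the classification can be exercised offline.

```python
import http.client
import sys

# Strings mod_info prints on its page (title and first heading), used to confirm
# that a 200 really carried the module's output rather than some custom page.
MOD_INFO_MARKERS = (b"Apache Server Information", b"Server Version:")


def classify_response(status: int, body: bytes) -> str:
    """Map a response to the /server-info URL onto a finding state:
    'exposed'     200 with mod_info content (the plugin's condition still holds)
    'restricted'  401/403: module present but access is controlled
    'absent'      404: no handler mapped to the URL
    'unknown:<n>' anything else (redirect, 5xx, a 200 that is not mod_info output)"""
    if status == 200 and any(marker in body for marker in MOD_INFO_MARKERS):
        return "exposed"
    if status in (401, 403):
        return "restricted"
    if status == 404:
        return "absent"
    return f"unknown:{status}"


def check_server_info(host: str, port: int = 80, path: str = "/server-info",
                      timeout: float = 5.0) -> str:
    """Fetch the mod_info URL from a live host and classify it (first 64 KiB only)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host,
                                           "User-Agent": "server-info-check/1.0"})
        resp = conn.getresponse()
        return classify_response(resp.status, resp.read(65536))
    finally:
        conn.close()


# Constructed responses for an offline run: the first mimics the start of a real
# mod_info page, the others are what a restricted and an unmapped URL return.
SAMPLE_RESPONSES = {
    "exposed": (200, b"<html><head><title>Apache Server Information</title></head>"
                     b"<body><h1>Apache Server Information</h1><dl><dt><strong>"
                     b"Server Version:</strong> Apache/2.2.14 (Win32) DAV/2 "
                     b"mod_ssl/2.2.14 PHP/5.3.1</dt>"),
    "restricted": (403, b"<title>403 Forbidden</title>"),
    "absent": (404, b"<title>404 Not Found</title>"),
    "custom 200": (200, b"<html><body>welcome</body></html>"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(host, check_server_info(host, port))
    else:
        for label, (status, body) in SAMPLE_RESPONSES.items():
            print(f"{label:>11}: {classify_response(status, body)}")
```

Run it with the host (and port) as arguments against the scanned server; the expected state after remediation is "restricted" (a `<Location /server-info>` block on Apache 2.2 with `Order deny,allow`, `Deny from all` and `Allow from` the administrative hosts) or "absent" (the `LoadModule info_module` line removed). Because the page lists loaded modules and their settings, checking it is also a quick way to tell whether the mod_proxy, mod_dav and CGI components referenced by the other findings on this host are actually loaded.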
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:562
Plugin Information:
Publication date: 2001/05/28, Modification date: 2013/01/25
Ports
tcp/80
73289 - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
Synopsis
The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1 and thus is potentially affected by a security bypass vulnerability. An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close' method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.
Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?bcc428c2
https://bugs.php.net/bug.php?id=61367
Solution
Upgrade to PHP version 5.3.11 / 5.4.1 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
STIG Severity
I
References
BID 65673
CVE CVE-2012-1171
XREF OSVDB:104201
XREF IAVB:2014-B-0021
Plugin Information:
Publication date: 2014/04/01, Modification date: 2014/04/02
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1
71426 - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore, potentially affected by the following vulnerabilities:
- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. (CVE-2013-4073)
- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://seclists.org/fulldisclosure/2013/Dec/96
https://bugzilla.redhat.com/show_bug.cgi?id=1036830
http://www.nessus.org/u?b6ec9ef9
http://www.php.net/ChangeLog-5.php#5.3.28
Solution
Upgrade to PHP version 5.3.28 or later.
Risk Factor
Medium
CVSS Base Score
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
References
BID 60843
BID 64225
CVE CVE-2013-4073
CVE CVE-2013-6420
XREF OSVDB:100979
XREF OSVDB:94628
XREF EDB-ID:30395
Plugin Information:
Publication date: 2013/12/14, Modification date: 2013/12/19
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28
64992 - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore, potentially affected by the following vulnerabilities:
- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)
Note that this plugin does not attempt to exploit the vulnerabilities but, instead, relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?2dcf53bd
http://www.nessus.org/u?889595b1
http://www.php.net/ChangeLog-5.php#5.3.22
Solution
Upgrade to PHP version 5.3.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58224
BID 58766
CVE CVE-2013-1635
CVE CVE-2013-1643
XREF OSVDB:90921
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/03/04, Modification date: 2013/11/22
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22
66584 - PHP 5.3.x < 5.3.23 Information Disclosure
Synopsis
The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore, potentially affected by an information disclosure vulnerability. The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.
Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?7c770707
http://www.php.net/ChangeLog-5.php#5.3.23
Solution
Upgrade to PHP version 5.3.23 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 62373
CVE CVE-2013-1824
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/05/24, Modification date: 2013/10/23
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23
44921 - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions may be affected by several security issues:
- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir' / 'safe_mode' configuration restrictions due to an error in session extensions.
- An unspecified vulnerability affects the LCG entropy.
See Also
http://securityreason.com/achievement_securityalert/82
http://securityreason.com/securityalert/7008
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html
http://www.php.net/releases/5_3_2.php
http://www.php.net/ChangeLog-5.php#5.3.2
http://www.php.net/releases/5_2_13.php
http://www.php.net/ChangeLog-5.php#5.2.13
Solution
Upgrade to PHP version 5.3.2 / 5.2.13 or later.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
References
BID 38182
BID 38430
BID 38431
CVE CVE-2010-1128
CVE CVE-2010-1129
CVE CVE-2010-1130
XREF OSVDB:62582
XREF OSVDB:62583
XREF OSVDB:63323
XREF Secunia:38708
Plugin Information:
Publication date: 2010/02/26, Modification date: 2013/10/23
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13
51439 - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Synopsis
The remote web server uses a version of PHP that is affected by a denial of service vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5. Such versions may experience a crash while performing string to double conversion for certain numeric values. Only x86 32-bit PHP processes are known to be affected by this issue, regardless of whether the system running PHP is 32-bit or 64-bit.
See Also
http://bugs.php.net/bug.php?id=53632
http://www.php.net/distributions/test_bug53632.txt
http://www.php.net/releases/5_2_17.php
http://www.php.net/releases/5_3_5.php
Solution
Upgrade to PHP 5.2.17/5.3.5 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 45668
CVE CVE-2010-4645
XREF OSVDB:70370
Plugin Information:
Publication date: 2011/01/07, Modification date: 2013/10/23
Ports
tcp/80
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17 / 5.3.5
56216 - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It is therefore potentially affected by a denial of service vulnerability. An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.
Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?34a2f1d8
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.21 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 49616
CVE CVE-2011-3348
XREF OSVDB:75647
Plugin Information:
Publication date: 2011/09/16, Modification date: 2013/07/20
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21
57791 - Apache 2.2 < 2.2.22 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore, potentially affected by the following vulnerabilities:
- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when the mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?81e2eb5f
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 49957
BID 50494
BID 50802
BID 51407
BID 51705
BID 51706
BID 56753
CVE CVE-2011-3368
CVE CVE-2011-3607
CVE CVE-2011-4317
CVE CVE-2012-0021
CVE CVE-2012-0031
CVE CVE-2012-0053
CVE CVE-2012-4557
XREF OSVDB:76079
XREF OSVDB:76744
XREF OSVDB:77310
XREF OSVDB:78293
XREF OSVDB:78555
XREF OSVDB:78556
XREF OSVDB:89275
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/02/02, Modification date: 2013/06/03
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22
50070 - Apache 2.2 < 2.2.17 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by several issues.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions may be affected by several issues, including:
- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over-read when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
See Also
http://www.nessus.org/u?1c39fa1c
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 37203
BID 36097
BID 43673
CVE CVE-2009-3560
CVE CVE-2009-3720
CVE CVE-2010-1623
XREF OSVDB:59737
XREF OSVDB:60797
XREF OSVDB:68327
XREF Secunia:41701
XREF CWE:119
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/01/27
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17
64912 - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities:
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58165
CVE CVE-2012-3499
CVE CVE-2012-4558
XREF OSVDB:90556
XREF OSVDB:90557
Plugin Information:
Publication date: 2013/02/27, Modification date: 2013/11/27
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24
48205 - Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are potentially affected by multiple vulnerabilities:
- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=49246
https://issues.apache.org/bugzilla/show_bug.cgi?id=49417
http://www.nessus.org/u?ce8ac446
Solution
Upgrade to Apache version 2.2.16 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 40827
BID 41963
CVE CVE-2010-1452
CVE CVE-2010-2068
XREF OSVDB:65654
XREF OSVDB:66745
XREF Secunia:40206
Plugin Information:
Publication date: 2010/07/30, Modification date: 2013/07/20
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16
62101 - Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
References
BID 53046
BID 55131
CVE CVE-2012-0883
CVE CVE-2012-2687
XREF OSVDB:81359
XREF OSVDB:84818
Plugin Information:
Publication date: 2012/09/14, Modification date: 2013/11/27
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23
68915 - Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
STIG Severity
I
References
BID 59826
BID 61129
CVE CVE-2013-1862
CVE CVE-2013-1896
XREF OSVDB:93366
XREF OSVDB:95498
XREF IAVA:2013-A-0146
Plugin Information:
Publication date: 2013/07/16, Modification date: 2013/11/14
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25
53896 - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library. If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request.
Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.
See Also
http://www.nessus.org/u?5582384f
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
http://securityreason.com/achievement_securityalert/98
Solution
Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 47820
CVE CVE-2011-0419
XREF OSVDB:73388
XREF Secunia:44574
Plugin Information:
Publication date: 2011/05/13, Modification date: 2013/07/20
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18
73405 - Apache 2.2 < 2.2.27 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is a version prior to 2.2.27. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading whitespace. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438)
- A flaw exists in the 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.27
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 66303
CVE CVE-2013-6438
CVE CVE-2014-0098
XREF OSVDB:104579
XREF OSVDB:104580
Plugin Information:
Publication date: 2014/04/08, Modification date: 2014/04/08
Ports
tcp/80
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
10677 - Apache mod_status /server-status Information Disclosure
Synopsis
The remote web server discloses information about its status.
Description
It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and service requests, and CPU utilization.
Solution
If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:561
Plugin Information:
Publication date: 2001/05/28, Modification date: 2014/05/05
Ports
tcp/80
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/80
To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2044648052.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus2044648052.html HTTP/1.1
Connection: Keep-Alive
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/80
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Size of a request header field exceeds server limit.<br /><pre>Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :
Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
  Date: Thu, 08 May 2014 18:13:23 GMT
  Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
  X-Powered-By: PHP/5.3.1
  Location: http://win7lc.penlab.lan/xampp/
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html
48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80
Nessus was able to identify the following PHP version information :
Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
11424 - WebDAV Detection
Synopsis
The remote server is running with WebDAV enabled.
Description
WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server.
If you do not use this extension, you should disable it.
Solution
http://support.microsoft.com/default.aspx?kbid=241520
Risk Factor
None
Plugin Information:
Publication date: 2003/03/20, Modification date: 2011/03/14
Ports
tcp/80
57323 - OpenSSL Version Detection
Synopsis
The version of OpenSSL can be identified.
Description
The version of OpenSSL could be extracted from the web server's banner. Note that in many cases, security patches are backported and the displayed version number does not show the patch level. Using it to identify vulnerable software is likely to lead to false detections.
See Also
http://www.openssl.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/16, Modification date: 2011/12/16
Ports
tcp/80
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Version (from banner) : 0.9.8l
105/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/105
Port 105/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/105
A ph server is running on this port.
106/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/106
Port 106/tcp was found to be open
110/tcp
15855 - POP3 Cleartext Logins Permitted
Synopsis
The remote POP3 daemon allows credentials to be transmitted in clear text.
Description
The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections. An attacker can uncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication mechanism (eg, USER command, AUTH PLAIN, AUTH LOGIN) is used.
See Also
http://tools.ietf.org/html/rfc2222
http://tools.ietf.org/html/rfc2595
Solution
Contact your vendor for a fix or encrypt traffic with SSL / TLS using stunnel.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2004/11/30, Modification date: 2014/03/12
Ports
tcp/110
The following clear text methods are supported :
USER
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/110
Port 110/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/110
A POP3 server is running on this port.
10185 - POP Server Detection
Synopsis
A POP server is listening on the remote port.
Description
The remote host is running a server that understands the Post Office Protocol (POP), used by email clients to retrieve messages from a server, possibly across a network link.
See Also
http://en.wikipedia.org/wiki/Post_Office_Protocol
Solution
Disable this service if you do not use it.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/11
Ports
tcp/110
Remote POP server banner : +OK <446450135.25783@localhost>, POP3 server ready.
135/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/135
The following DCERPC services are available locally :
11219 - Nessus SYN scannerSynopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/135
Port 135/tcp was found to be open
137/udp
10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2013/01/16
Ports
udp/137
The following 6 NetBIOS names have been gathered :
ADMIN-PC = Computer name
WORKGROUP = Workgroup / Domain name
ADMIN-PC = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter : 00:50:56:9d:61:13
139/tcp
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/139
An SMB server is running on this port.
143/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/143
Port 143/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/143
An IMAP server is running on this port.
11414 - IMAP Service Banner Retrieval
Synopsis
An IMAP server is running on the remote host.
Description
An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/03/18, Modification date: 2011/03/16
Ports
tcp/143
The remote imap server banner is : * OK localhost IMAP4rev1 Mercury/32 v4.72 server ready.
443/tcp
60085 - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore, potentially affected by the following vulnerabilities :
- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)
See Also
http://www.php.net/ChangeLog-5.php#5.3.15
Solution
Upgrade to PHP version 5.3.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 54612
BID 54638
CVE CVE-2012-2688
CVE CVE-2012-3365
XREF OSVDB:84100
XREF OSVDB:84126
Plugin Information:
Publication date: 2012/07/20, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15
45004 - Apache 2.2 < 2.2.15 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are potentially affected by multiple vulnerabilities :
- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://www.nessus.org/u?0bf1f184
Solution
Upgrade to Apache version 2.2.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 21865
BID 36935
BID 38491
BID 38494
BID 38580
CVE CVE-2007-6750
CVE CVE-2009-3555
CVE CVE-2010-0408
CVE CVE-2010-0425
CVE CVE-2010-0434
XREF OSVDB:59969
XREF OSVDB:62674
XREF OSVDB:62675
XREF OSVDB:62676
XREF Secunia:38776
XREF CWE:200
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/03/12
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15
58988 - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is potentially affected by a remote code execution and information disclosure vulnerability.
An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-03-1
http://www.php.net/ChangeLog-5.php#5.3.12
http://www.php.net/ChangeLog-5.php#5.4.2
Solution
Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite' workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-1823
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
CANVAS (true)
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2012/05/04, Modification date: 2014/04/11
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2
51140 - PHP 5.3 < 5.3.4 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be affected by several security issues :
- A crash in the zip extract method.
- A stack buffer overflow in impagepstext() of the GD extension.
- An unspecified vulnerability related to symbolic resolution when using a DFS share.
- A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)
- Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)
- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
- Memory corruption in php_filter_validate_email(). (CVE-2010-3710)
- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
- A possible double free in the IMAP extension. (CVE-2010-4150)
- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
- An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)
- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)
- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
- A race condition exists in the PCNTL extension. (CVE-2011-0753)
- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)
- An integer overflow exists in the mt_rand function. (CVE-2011-0755)
See Also
http://www.php.net/releases/5_3_4.php
http://www.php.net/ChangeLog-5.php#5.3.4
Solution
Upgrade to PHP 5.3.4 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 40173
BID 43926
BID 44605
BID 44718
BID 44723
BID 44951
BID 44980
BID 45119
BID 45335
BID 45338
BID 45339
BID 45952
BID 45954
BID 46056
BID 46168
CVE CVE-2006-7243
CVE CVE-2010-2094
CVE CVE-2010-2950
CVE CVE-2010-3436
CVE CVE-2010-3709
CVE CVE-2010-3710
CVE CVE-2010-3870
CVE CVE-2010-4150
CVE CVE-2010-4156
CVE CVE-2010-4409
CVE CVE-2010-4697
CVE CVE-2010-4698
CVE CVE-2010-4699
CVE CVE-2010-4700
CVE CVE-2011-0753
CVE CVE-2011-0754
CVE CVE-2011-0755
XREF OSVDB:66086
XREF OSVDB:68597
XREF OSVDB:69099
XREF OSVDB:69109
XREF OSVDB:69110
XREF OSVDB:69230
XREF OSVDB:69651
XREF OSVDB:69660
XREF OSVDB:70606
XREF OSVDB:70607
XREF OSVDB:70608
XREF OSVDB:70609
XREF OSVDB:70610
XREF OSVDB:74193
XREF OSVDB:74688
XREF OSVDB:74689
XREF CERT:479900
Plugin Information:
Publication date: 2010/12/13, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4
58966 - PHP < 5.3.11 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is potentially affected by multiple vulnerabilities :
- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated. (CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and 'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)
See Also
http://www.nessus.org/u?e81d4026
https://bugs.php.net/bug.php?id=61043
https://bugs.php.net/bug.php?id=54374
https://bugs.php.net/bug.php?id=60227
http://marc.info/?l=oss-security&m=134626481806571&w=2
http://www.php.net/archive/2012.php#id2012-04-26-1
http://www.php.net/ChangeLog-5.php#5.3.11
Solution
Upgrade to PHP version 5.3.11 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 51954
BID 53403
BID 55297
CVE CVE-2011-1398
CVE CVE-2012-0831
CVE CVE-2012-1172
XREF OSVDB:79017
XREF OSVDB:81791
XREF OSVDB:85086
Plugin Information:
Publication date: 2012/05/02, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11
52717 - PHP 5.3 < 5.3.6 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.
- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extension, which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64-bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.
See Also
http://bugs.php.net/bug.php?id=54193
http://bugs.php.net/bug.php?id=54055
http://bugs.php.net/bug.php?id=53885
http://bugs.php.net/bug.php?id=53574
http://bugs.php.net/bug.php?id=53512
http://bugs.php.net/bug.php?id=54060
http://bugs.php.net/bug.php?id=54061
http://bugs.php.net/bug.php?id=54092
http://bugs.php.net/bug.php?id=53579
http://bugs.php.net/bug.php?id=49072
http://openwall.com/lists/oss-security/2011/02/14/1
http://www.php.net/releases/5_3_6.php
http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/
Solution
Upgrade to PHP 5.3.6 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46354
BID 46365
BID 46786
BID 46854
CVE CVE-2011-0421
CVE CVE-2011-0708
CVE CVE-2011-1092
CVE CVE-2011-1153
CVE CVE-2011-1464
CVE CVE-2011-1466
CVE CVE-2011-1467
CVE CVE-2011-1468
CVE CVE-2011-1469
CVE CVE-2011-1470
XREF OSVDB:71597
XREF OSVDB:71598
XREF OSVDB:72531
XREF OSVDB:72532
XREF OSVDB:72533
XREF OSVDB:73623
XREF OSVDB:73624
XREF OSVDB:73625
XREF OSVDB:73626
XREF OSVDB:73754
XREF OSVDB:73755
XREF EDB-ID:16261
XREF Secunia:43328
Plugin Information:
Publication date: 2011/03/18, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
67259 - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore, potentially affected by the following vulnerabilities:
- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://bugs.php.net/64949
http://bugs.php.net/65236
http://www.php.net/ChangeLog-5.php#5.3.27
Solution
Apply the vendor patch or upgrade to PHP version 5.3.27 or later.
Risk Factor
High
CVSS Base Score
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
References
BID 61128
CVE CVE-2013-4113
XREF OSVDB:95152
Plugin Information:
Publication date: 2013/07/12, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27
66842 - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore, potentially affected by the following vulnerabilities:
- An error exists in the function 'php_quot_print_encode' in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain strings. (Bug #64879)
- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c' that could allow denial of service attacks. (Bug #64895)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?60cbc5f0
http://www.nessus.org/u?8456482e
http://www.php.net/ChangeLog-5.php#5.3.26
Solution
Apply the vendor patch or upgrade to PHP version 5.3.26 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 60411
BID 60731
CVE CVE-2013-2110
CVE CVE-2013-4635
XREF OSVDB:93968
XREF OSVDB:94063
Plugin Information:
Publication date: 2013/06/07, Modification date: 2014/04/03
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26
55925 - PHP 5.3 < 5.3.7 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version resolves the following issues :
- A stack buffer overflow in socket_connect(). (CVE-2011-1938)
- A use-after-free vulnerability in substr_replace(). (CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob(). (CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences. (CVE-2011-3182)
- An unspecified crash in error_log(). (CVE-2011-3267)
- A buffer overflow in crypt(). (CVE-2011-3268)
See Also
http://securityreason.com/achievement_securityalert/101
http://securityreason.com/exploitalert/10738
https://bugs.php.net/bug.php?id=54238
https://bugs.php.net/bug.php?id=54681
https://bugs.php.net/bug.php?id=54939
http://www.php.net/releases/5_3_7.php
Solution
Upgrade to PHP 5.3.7 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46843
BID 47950
BID 48259
BID 49241
BID 49249
BID 49252
CVE CVE-2011-1148
CVE CVE-2011-1657
CVE CVE-2011-1938
CVE CVE-2011-2202
CVE CVE-2011-2483
CVE CVE-2011-3182
CVE CVE-2011-3267
CVE CVE-2011-3268
XREF OSVDB:72644
XREF OSVDB:73113
XREF OSVDB:73218
XREF OSVDB:74738
XREF OSVDB:74739
XREF OSVDB:74742
XREF OSVDB:74743
XREF OSVDB:75200
XREF EDB-ID:17318
XREF EDB-ID:17486
Plugin Information:
Publication date: 2011/08/22, Modification date: 2013/11/27
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7
59056 - PHP 5.3.x < 5.3.13 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is potentially affected by a remote code execution and information disclosure vulnerability.
The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query parameters are still possible.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-08-1
http://www.php.net/ChangeLog-5.php#5.3.13
Solution
Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite' workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-2311
CVE CVE-2012-2335
CVE CVE-2012-2336
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/05/09, Modification date: 2013/10/30
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13
59529 - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and is, therefore, potentially affected by the following vulnerabilities :
- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks. (CVE-2012-2143)
- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of sensitive information or denial of service. (CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be disclosed when input data is of length zero. (CVE-2012-6113)
See Also
http://www.nessus.org/u?6adf7abc
https://bugs.php.net/bug.php?id=61755
http://www.php.net/ChangeLog-5.php#5.3.14
http://www.nessus.org/u?99140286
http://www.nessus.org/u?a42ad63a
Solution
Upgrade to PHP version 5.3.14 or later.
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score
6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
References
BID 47545
BID 53729
BID 54777
BID 57462
CVE CVE-2012-2143
CVE CVE-2012-2386
CVE CVE-2012-3450
CVE CVE-2012-6113
XREF OSVDB:72399
XREF OSVDB:82510
XREF OSVDB:82931
XREF OSVDB:89424
XREF EDB-ID:17201
Plugin Information:
Publication date: 2012/06/15, Modification date: 2013/12/04
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14
48245 - PHP 5.3 < 5.3.3 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be affected by several security issues :
- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397)
- An error exists in the function 'shm_put_var' that is related to resource destruction.
- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)
- A memory corruption error exists related to call-time pass by reference and callbacks.
- The dechunking filter is vulnerable to buffer overflow.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- An error exists in the 'phar' extension related to string format validation.
- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.
- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.
- The following functions are not properly protected against function interruptions : addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions : ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions. (CVE-2010-2531)
See Also
http://www.php.net/releases/5_3_3.php
http://www.php.net/ChangeLog-5.php#5.3.3
Solution
Upgrade to PHP version 5.3.3 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 38708
BID 40461
BID 40948
BID 41991
CVE CVE-2007-1581
CVE CVE-2010-0397
CVE CVE-2010-1860
CVE CVE-2010-1862
CVE CVE-2010-1864
CVE CVE-2010-1917
CVE CVE-2010-2097
CVE CVE-2010-2100
CVE CVE-2010-2101
CVE CVE-2010-2190
CVE CVE-2010-2191
CVE CVE-2010-2225
CVE CVE-2010-2484
CVE CVE-2010-2531
CVE CVE-2010-3062
CVE CVE-2010-3063
CVE CVE-2010-3064
CVE CVE-2010-3065
XREF OSVDB:33942
XREF OSVDB:63078
XREF OSVDB:64322
XREF OSVDB:64544
XREF OSVDB:64546
XREF OSVDB:64607
XREF OSVDB:65755
XREF OSVDB:66087
XREF OSVDB:66093
XREF OSVDB:66094
XREF OSVDB:66095
XREF OSVDB:66096
XREF OSVDB:66097
XREF OSVDB:66098
XREF OSVDB:66099
XREF OSVDB:66100
XREF OSVDB:66101
XREF OSVDB:66102
XREF OSVDB:66103
XREF OSVDB:66104
XREF OSVDB:66105
XREF OSVDB:66106
XREF OSVDB:66798
XREF OSVDB:66804
XREF OSVDB:66805
XREF OSVDB:67418
XREF OSVDB:67419
XREF OSVDB:67420
XREF OSVDB:67421
XREF Secunia:39675
XREF Secunia:40268
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3
57537 - PHP < 5.3.9 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be affected by the following security issues :
- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files, resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consumption. (CVE-2012-0789)
See Also
http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5
http://www.php.net/archive/2012.php#id2012-01-11-1
http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
https://bugs.php.net/bug.php?id=55475
https://bugs.php.net/bug.php?id=55776
https://bugs.php.net/bug.php?id=53502
http://www.php.net/ChangeLog-5.php#5.3.9
Solution
Upgrade to PHP version 5.3.9 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 49754
BID 50907
BID 51193
BID 51806
BID 51952
BID 51992
BID 52043
CVE CVE-2011-3379
CVE CVE-2011-4566
CVE CVE-2011-4885
CVE CVE-2012-0057
CVE CVE-2012-0781
CVE CVE-2012-0788
CVE CVE-2012-0789
XREF OSVDB:75713
XREF OSVDB:77446
XREF OSVDB:78115
XREF OSVDB:78571
XREF OSVDB:78676
XREF OSVDB:79016
XREF OSVDB:79332
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2012/01/13, Modification date: 2013/11/14
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9
10678 - Apache mod_info /server-info Information Disclosure
Synopsis
The remote web server discloses information about its configuration.
Description
It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.
See Also
http://httpd.apache.org/docs/mod/mod_info.html
Solution
If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:562
Plugin Information:
Publication date: 2001/05/28, Modification date: 2013/01/25
Ports
tcp/443
73289 - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
Synopsis
The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1 and thus, is potentially affected by a security bypass vulnerability.
An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close' method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.
Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?bcc428c2
https://bugs.php.net/bug.php?id=61367
Solution
Upgrade to PHP version 5.3.11 / 5.4.1 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
STIG Severity
I
References
BID 65673
CVE CVE-2012-1171
XREF OSVDB:104201
XREF IAVB:2014-B-0021
Plugin Information:
Publication date: 2014/04/01, Modification date: 2014/04/02
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1
71426 - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. (CVE-2013-4073)
- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://seclists.org/fulldisclosure/2013/Dec/96
https://bugzilla.redhat.com/show_bug.cgi?id=1036830
http://www.nessus.org/u?b6ec9ef9
http://www.php.net/ChangeLog-5.php#5.3.28
Solution
Upgrade to PHP version 5.3.28 or later.
Risk Factor
Medium
CVSS Base Score
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
References
BID 60843
BID 64225
CVE CVE-2013-4073
CVE CVE-2013-6420
XREF OSVDB:100979
XREF OSVDB:94628
XREF EDB-ID:30395
Plugin Information:
Publication date: 2013/12/14, Modification date: 2013/12/19
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28
64992 - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore, potentially affected by the following vulnerabilities :
- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)
Note that this plugin does not attempt to exploit the vulnerabilities but, instead relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?2dcf53bd
http://www.nessus.org/u?889595b1
http://www.php.net/ChangeLog-5.php#5.3.22
Solution
Upgrade to PHP version 5.3.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58224
BID 58766
CVE CVE-2013-1635
CVE CVE-2013-1643
XREF OSVDB:90921
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/03/04, Modification date: 2013/11/22
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22
66584 - PHP 5.3.x < 5.3.23 Information Disclosure
Synopsis
The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore, potentially affected by an information disclosure vulnerability.
The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.
Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?7c770707
http://www.php.net/ChangeLog-5.php#5.3.23
Solution
Upgrade to PHP version 5.3.23 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 62373
CVE CVE-2013-1824
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/05/24, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23
44921 - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions may be affected by several security issues :
- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir' / 'safe_mode' configuration restrictions due to an error in session extensions.
- An unspecified vulnerability affects the LCG entropy.
See Also
http://securityreason.com/achievement_securityalert/82
http://securityreason.com/securityalert/7008
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html
http://www.php.net/releases/5_3_2.php
http://www.php.net/ChangeLog-5.php#5.3.2
http://www.php.net/releases/5_2_13.php
http://www.php.net/ChangeLog-5.php#5.2.13
Solution
Upgrade to PHP version 5.3.2 / 5.2.13 or later.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
References
BID 38182
BID 38430
BID 38431
CVE CVE-2010-1128
CVE CVE-2010-1129
CVE CVE-2010-1130
XREF OSVDB:62582
XREF OSVDB:62583
XREF OSVDB:63323
XREF Secunia:38708
Plugin Information:
Publication date: 2010/02/26, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13
51439 - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Synopsis
The remote web server uses a version of PHP that is affected by a denial of service vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5.
Such versions may experience a crash while performing string to double conversion for certain numeric values. Only x86 32-bit PHP processes are known to be affected by this issue regardless of whether the system running PHP is 32-bit or 64-bit.
See Also
http://bugs.php.net/bug.php?id=53632
http://www.php.net/distributions/test_bug53632.txt
http://www.php.net/releases/5_2_17.php
http://www.php.net/releases/5_3_5.php
Solution
Upgrade to PHP 5.2.17/5.3.5 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 45668
CVE CVE-2010-4645
XREF OSVDB:70370
Plugin Information:
Publication date: 2011/01/07, Modification date: 2013/10/23
Ports
tcp/443
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5
56216 - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It therefore is potentially affected by a denial of service vulnerability. An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'. Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?34a2f1d8
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.21 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 49616
CVE CVE-2011-3348
XREF OSVDB:75647
Plugin Information:
Publication date: 2011/09/16, Modification date: 2013/07/20
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21
57791 - Apache 2.2 < 2.2.22 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore, potentially affected by the following vulnerabilities:
- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when the mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?81e2eb5f
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 49957
BID 50494
BID 50802
BID 51407
BID 51705
BID 51706
BID 56753
CVE CVE-2011-3368
CVE CVE-2011-3607
CVE CVE-2011-4317
CVE CVE-2012-0021
CVE CVE-2012-0031
CVE CVE-2012-0053
CVE CVE-2012-4557
XREF OSVDB:76079
XREF OSVDB:76744
XREF OSVDB:77310
XREF OSVDB:78293
XREF OSVDB:78555
XREF OSVDB:78556
XREF OSVDB:89275
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/02/02, Modification date: 2013/06/03
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22
50070 - Apache 2.2 < 2.2.17 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by several issues.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions may be affected by several issues, including :
- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over-read when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
See Also
http://www.nessus.org/u?1c39fa1c
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 37203
BID 36097
BID 43673
CVE CVE-2009-3560
CVE CVE-2009-3720
CVE CVE-2010-1623
XREF OSVDB:59737
XREF OSVDB:60797
XREF OSVDB:68327
XREF Secunia:41701
XREF CWE:119
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/01/27
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17
64912 - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58165
CVE CVE-2012-3499
CVE CVE-2012-4558
XREF OSVDB:90556
XREF OSVDB:90557
Plugin Information:
Publication date: 2013/02/27, Modification date: 2013/11/27
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24
48205 - Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are potentially affected by multiple vulnerabilities :
- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=49246
https://issues.apache.org/bugzilla/show_bug.cgi?id=49417
http://www.nessus.org/u?ce8ac446
Solution
Upgrade to Apache version 2.2.16 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 40827
BID 41963
CVE CVE-2010-1452
CVE CVE-2010-2068
XREF OSVDB:65654
XREF OSVDB:66745
XREF Secunia:40206
Plugin Information:
Publication date: 2010/07/30, Modification date: 2013/07/20
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16
62101 - Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
References
BID 53046
BID 55131
CVE CVE-2012-0883
CVE CVE-2012-2687
XREF OSVDB:81359
XREF OSVDB:84818
Plugin Information:
Publication date: 2012/09/14, Modification date: 2013/11/27
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23
68915 - Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
STIG Severity
I
References
BID 59826
BID 61129
CVE CVE-2013-1862
CVE CVE-2013-1896
XREF OSVDB:93366
XREF OSVDB:95498
XREF IAVA:2013-A-0146
Plugin Information:
Publication date: 2013/07/16, Modification date: 2013/11/14
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25
53896 - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library.
If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request. Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.
See Also
http://www.nessus.org/u?5582384f
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
http://securityreason.com/achievement_securityalert/98
Solution
Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 47820
CVE CVE-2011-0419
XREF OSVDB:73388
XREF Secunia:44574
Plugin Information:
Publication date: 2011/05/13, Modification date: 2013/07/20
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18
73405 - Apache 2.2 < 2.2.27 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is a version prior to 2.2.27. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438)
- A flaw exists in the 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.27
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 66303
CVE CVE-2013-6438
CVE CVE-2014-0098
XREF OSVDB:104579
XREF OSVDB:104580
Plugin Information:
Publication date: 2014/04/08, Modification date: 2014/04/08
Ports
tcp/443
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
10677 - Apache mod_status /server-status Information Disclosure
Synopsis
The remote web server discloses information about its status.
Description
It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and serving requests, and CPU utilization.
Solution
If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:561
Plugin Information:
Publication date: 2001/05/28, Modification date: 2014/05/05
Ports
tcp/443
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/443
To disable these methods, add the following lines for each virtualhost in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Connection: close
Content-Type: message/http

TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
62565 - Transport Layer Security (TLS) Protocol CRIME Vulnerability
Synopsis
The remote service has a configuration that may make it vulnerable to the CRIME attack.
Description
The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
https://discussions.nessus.org/thread/5546
http://www.nessus.org/u?e8c92220
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
Solution
Disable compression and / or the SPDY service.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 55704
BID 55707
CVE CVE-2012-4929
CVE CVE-2012-4930
XREF OSVDB:85926
XREF OSVDB:85927
Plugin Information:
Publication date: 2012/10/16, Modification date: 2014/04/24
Ports
tcp/443
The following configuration indicates that the remote service may be vulnerable to the CRIME attack :
- SSL / TLS compression is enabled.
57582 - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2012/01/17, Modification date: 2012/10/25
Ports
tcp/443
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :
|-Subject : CN=localhost
51192 - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.
First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2010/12/15, Modification date: 2014/02/27
Ports
tcp/443
The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :
|-Subject : CN=localhost
|-Issuer : CN=localhost
20007 - SSL Version 2 (v2) Protocol Detection
Synopsis
The remote service encrypts traffic using a protocol with known weaknesses.
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See Also
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2005-2969
Plugin Information:
Publication date: 2005/10/12, Modification date: 2013/01/25
Ports
tcp/443
26928 - SSL Weak Cipher Suites Supported
Synopsis
The remote service supports the use of weak SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application, if possible, to avoid the use of weak ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
XREF CWE:327
XREF CWE:326
XREF CWE:753
XREF CWE:803
XREF CWE:720
Plugin Information:
Publication date: 2007/10/08, Modification date: 2013/08/30
Ports
tcp/443
Here is the list of weak SSL ciphers supported by the remote server :
  Low Strength Ciphers (< 56-bit key)
    SSLv2
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export
    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)      Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export
    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export
The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
42873 - SSL Medium Strength Cipher Suites Supported
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Ports
tcp/443
Here is the list of medium strength SSL ciphers supported by the remote server :
  Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
      DES-CBC-MD5          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=MD5
    SSLv3
      EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
      DES-CBC-SHA          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
    TLSv1
      EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
      DES-CBC-SHA          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
Synopsis
The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.
Description
The version of OpenSSL on the remote host has been shown to allow resuming a session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker. Note that other SSL implementations may also be affected by this vulnerability.
See Also
http://openssl.org/news/secadv_20101202.txt
Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45164
CVE CVE-2010-4180
XREF OSVDB:69565
Plugin Information:
Publication date: 2011/02/07, Modification date: 2014/01/27
Ports
tcp/443
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/443
Nessus verified this by sending a request with a long Cookie header :
GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
45411 - SSL Certificate with Wrong Hostname
Synopsis
The SSL certificate for this service is for a different host.
Description
The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2010/04/03, Modification date: 2014/03/11
Ports
tcp/443
The identities known by Nessus are :
192.168.222.64
win7lc.penlab.lan
The Common Name in the certificate is :
localhost
65821 - SSL RC4 Cipher Suites Supported
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 58796
CVE CVE-2013-2566
XREF OSVDB:91162
Plugin Information:
Publication date: 2013/04/05, Modification date: 2014/02/27
Ports
tcp/443
Here is the list of RC4 cipher suites supported by the remote server :
  Low Strength Ciphers (< 56-bit key)
    SSLv2
      EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export
    SSLv3
      EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export
    TLSv1
      EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export
  High Strength Ciphers (>= 112-bit key)
    SSLv2
      RC4-MD5      Kx=RSA       Au=RSA  Enc=RC4(128) Mac=MD5
    SSLv3
      RC4-MD5      Kx=RSA       Au=RSA  Enc=RC4(128) Mac=MD5
      RC4-SHA      Kx=RSA       Au=RSA  Enc=RC4(128) Mac=SHA1
    TLSv1
      RC4-MD5      Kx=RSA       Au=RSA  Enc=RC4(128) Mac=MD5
      RC4-SHA      Kx=RSA       Au=RSA  Enc=RC4(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/443
Port 443/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/443
A TLSv1 server answered on this port.
tcp/443
A web server is running on this port through TLSv1.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/443
The remote web server type is :
Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/443
Protocol version : HTTP/1.0
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Thu, 08 May 2014 18:13:23 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Location: https://win7lc.penlab.lan/xampp/
Content-Length: 0
Connection: close
Content-Type: text/html
48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/443
Nessus was able to identify the following PHP version information :
Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
11424 - WebDAV Detection
Synopsis
The remote server is running with WebDAV enabled.
Description
WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it.
Solution
http://support.microsoft.com/default.aspx?kbid=241520
Risk Factor
None
Plugin Information:
Publication date: 2003/03/20, Modification date: 2011/03/14
Ports
tcp/443
57323 - OpenSSL Version Detection
Synopsis
The version of OpenSSL can be identified.
Description
The version of OpenSSL could be extracted from the web server's banner. Note that in many cases, security patches are backported and the displayed version number does not show the patch level. Using it to identify vulnerable software is likely to lead to false detections.
See Also
http://www.openssl.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/16, Modification date: 2011/12/16
Ports
tcp/443
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Version (from banner) : 0.9.8l
56984 - SSL / TLS Versions Supported
Synopsis
The remote service encrypts communications.
Description
This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/01, Modification date: 2014/04/14
Ports
tcp/443
This port supports SSLv2/SSLv3/TLSv1.0.
10863 - SSL Certificate Information
Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2008/05/19, Modification date: 2012/04/02
Ports
tcp/443
Subject Name:
Common Name: localhost
Issuer Name:
Common Name: localhost
Serial Number: 00 B5 C7 52 C9 87 81 B5 03
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Nov 10 23:48:47 2009 GMT
Not Valid After: Nov 08 23:48:47 2019 GMT
Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 C1 25 D3 27 E3 EC AD 0D 83 6A 6D E7 5F 9A 75 10 23 E2 90 9D A0 63 95 8F 1D 41 9A 58 D5 9C 63 8C 5B 73 86 90 79 CC C3 D6 A3 89 B8 75 BC 1E 94 7C 7C 6E E3 AD E8 27 5C 0B C6 0C 6A F9 0F 32 FE B3 C4 7A 10 23 04 2B 29 28 D4 AA F9 B3 2F 66 10 F8 A7 C1 CD 60 C4 6B 28 57 E3 67 3B F7 9E CD 48 22 DC 38 EA 48 13 80 3A 40 97 57 0C 47 35 46 3D 71 62 9A EE 53 9D 63 0E 67 7A 28 C9 A4 34 FF 19 ED
Exponent: 01 00 01
Signature Length: 128 bytes / 1024 bits
Signature: 00 6A F1 F3 49 6C F9 BA 68 5F 6F F3 27 04 C6 B9 0C BD 95 37 34 BE F7 08 66 9A 9B 03 18 41 BE B9 1D 24 33 55 B6 19 02 1D 54 71 C9 4F 21 5D 68 75 F3 81 52 41 41 C5 93 C2 1A 7C E2 7B C7 4A 24 13 0C 14 9A 4F A7 10 35 0A 6F 6A 0F D3 68 40 FF 48 44 29 9B 45 6A 0C 5C 29 7C 56 2E B9 F0 4B BD 53 5B 2E 42 B1 6C AD 97 C1 4B EE D1 1C 68 2D D0 4C 0B FF 3D 1E AA D9 D2 9A 62 38 DB 90 F9 7D 8C B7 11
45410 - SSL Certificate commonName Mismatch
Synopsis
The SSL certificate commonName does not match the host name.
Description
This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/03, Modification date: 2012/09/30
Ports
tcp/443
The host names known by Nessus are :
admin-pc
win7lc.penlab.lan
The Common Name in the certificate is :
localhost
50845 - OpenSSL Detection
Synopsis
The remote service appears to use OpenSSL to encrypt traffic.
Description
Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
See Also
http://www.openssl.org
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/11/30, Modification date: 2013/10/18
Ports
tcp/443
62563 - SSL Compression Methods Supported
Synopsis
The remote service supports one or more compression methods for SSL connections.
Description
This script detects which compression methods are supported by the remote service for SSL connections.
See Also
http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml
http://tools.ietf.org/html/rfc3749
http://tools.ietf.org/html/rfc3943
http://tools.ietf.org/html/rfc5246
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/10/16, Modification date: 2013/10/18
Ports
tcp/443
Nessus was able to confirm that the following compression methods are supported by the target :
NULL (0x00)
DEFLATE (0x01)
21643 - SSL Cipher Suites Supported
Synopsis
The remote service encrypts communications using SSL.
Description
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/06/05, Modification date: 2014/01/15
Ports
tcp/443
Here is the list of SSL ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA-CBC [...]
70544 - SSL Cipher Block Chaining Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones.
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://www.nessus.org/u?cc4a822a
http://www.openssl.org/~bodo/tls-cbc.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/22, Modification date: 2013/10/22
Ports
tcp/443
Here is the list of SSL CBC ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA-CBC(128) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1 [...]
57041 - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/07, Modification date: 2012/04/02
Ports
tcp/443
Here is the list of SSL PFS ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51891 - SSL Session Resume Supported
Synopsis
The remote host allows resuming SSL sessions.
Description
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/02/07, Modification date: 2013/10/18
Ports
tcp/443
This port supports resuming SSLv3 sessions.
58768 - SSL Resume With Different Cipher Issue
Synopsis
The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.
Description
The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to manipulate the session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/04/17, Modification date: 2012/04/17
Ports
tcp/443
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
445/tcp
57608 - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Ports
tcp/445
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/445
A CIFS server is running on this port.
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/445
The following DCERPC services are available remotely :
Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC
Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\ADMIN-PC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\ADMIN-PC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\ADMIN-PC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\ADMIN-PC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC
Object UUID : 00000000-0000-0000-0000 [...]
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/10/17, Modification date: 2014/04/09
Ports
tcp/445
The remote Operating System is : Windows 7 Professional 7600
The remote native lan manager is : Windows 7 Professional 6.1
The remote SMB Domain Name is : ADMIN-PC
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Ports
tcp/445
- NULL sessions are enabled on the remote host
26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis
Nessus is not able to access the remote Windows Registry.
Description
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/10/04, Modification date: 2011/03/27
Ports
tcp/445
Could not connect to the registry because:
Could not connect to \winreg
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Ports
tcp/445
Here is the browse list of the remote host : ADMIN-PC ( os : 6.1 )
2224/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/2224
Port 2224/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/2224
A web server is running on this port.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/2224
Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Headers :
Content-type: text/html
Content-Length: 2841
3306/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3306
Port 3306/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/3306
A MySQL server is running on this port.
5355/udp
53514 - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)
Synopsis
Arbitrary code can be executed on the remote host through the installed Windows DNS client.
Description
A flaw in the way the installed Windows DNS client processes Link-local Multicast Name Resolution (LLMNR) queries can be exploited to execute arbitrary code in the context of the NetworkService account. Note that Windows XP and 2003 do not support LLMNR and successful exploitation on those platforms requires local access and the ability to run a special application. On Windows Vista, 2008, 7, and 2008 R2, however, the issue can be exploited remotely.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms11-030
Solution
Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
STIG Severity
I
References
BID 47242
CVE CVE-2011-0657
XREF OSVDB:71780
XREF IAVA:2011-A-0039
XREF MSFT:MS11-030
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2011/04/21, Modification date: 2013/11/03
Ports
udp/5355
53513 - Link-Local Multicast Name Resolution (LLMNR) Detection
Synopsis
The remote device supports LLMNR.
Description
The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions.
See Also
http://www.nessus.org/u?85beb421
http://technet.microsoft.com/en-us/library/bb878128.aspx
Solution
Make sure that use of this software conforms to your organization's acceptable use and security policies.
Risk Factor
None
Plugin Information:
Publication date: 2011/04/21, Modification date: 2012/03/05
Ports
udp/5355
According to LLMNR, the name of the remote host is 'admin-PC'.
49152/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49152
The following DCERPC services are available on TCP port 49152 :
Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 192.168.222.64
49153/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49153
The following DCERPC services are available on TCP port 49153 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64
49154/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49154
The following DCERPC services are available on TCP port 49154 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64
49155/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49155
The following DCERPC services are available on TCP port 49155 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.222.64
49156/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49156
The following DCERPC services are available on TCP port 49156 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 192.168.222.64
192.168.222.65
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:11:13 2014
Host Information
DNS Name: win03svrlc.penlab.lan
Netbios Name: WINDOWS2003
IP: 192.168.222.65
MAC Address: 00:50:56:9d:37:bc
OS: Microsoft Windows Server 2003 Service Pack 2
Results Summary
Critical High Medium Low Info Total
0 0 2 0 23 25
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Portsicmp/0
The ICMP timestamps seem to be in little endian format (not in network format)The difference between the local and remote clocks is -7092 seconds.
0/tcp
24786 - Nessus Windows Scan Not Performed with Admin Privileges
Synopsis
The Nessus scan of this host may be incomplete due to insufficient privileges provided.
Description
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however these credentials do not have administrative privileges. Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied. If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to performing a patch audit through the registry, which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).
Solution
Reconfigure your scanner to use credentials with administrative privileges.
Risk Factor
None
Plugin Information:
Publication date: 2007/03/12, Modification date: 2013/01/07
Ports
tcp/0
It was not possible to connect to '\\WINDOWS2003\ADMIN$' with the supplied credentials.
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.65 resolves as win03svrlc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUIs are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified :
00:50:56:9d:37:bc : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Microsoft Windows Server 2003 Service Pack 2
Confidence Level : 99
Method : MSRPC

The remote host is running Microsoft Windows Server 2003 Service Pack 2
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPE :
cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (e.g., a printer, router, general-purpose computer, etc.).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 99
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :
Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 145 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.65 :
192.168.222.35
192.168.222.65
135/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/135
The following DCERPC services are available locally :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLE9FA4B79F08034681B5CFA83A3A45

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1. [...]
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/135
Port 135/tcp was found to be open
137/udp
10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2013/01/16
Ports
udp/137
The following 4 NetBIOS names have been gathered :
WINDOWS2003 = Computer name
WINDOWS2003 = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections
The remote host has the following MAC address on its adapter :
00:50:56:9d:37:bc
139/tcp
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/139
An SMB server is running on this port.
445/tcp
26920 - Microsoft Windows SMB NULL Session Authentication
Synopsis
It is possible to log into the remote Windows host with a NULL session.
Description
The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password). Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.
See Also
http://support.microsoft.com/kb/q143474/
http://support.microsoft.com/kb/q246261/
http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx
Solution
Apply the following registry changes per the referenced Technet advisories :
Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1
Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes
Reboot once the registry changes are complete.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 494
CVE CVE-1999-0519
CVE CVE-1999-0520
CVE CVE-2002-1117
XREF OSVDB:299
XREF OSVDB:8230
Plugin Information:
Publication date: 2007/10/04, Modification date: 2012/02/29
Ports
tcp/445
It was possible to bind to the \browser pipe
57608 - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Ports
tcp/445
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/445
A CIFS server is running on this port.
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/445
The following DCERPC services are available remotely :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/10/17, Modification date: 2014/04/09
Ports
tcp/445
The remote Operating System is : Windows Server 2003 R2 3790 Service Pack 2
The remote native lan manager is : Windows Server 2003 R2 5.2
The remote SMB Domain Name is : WINDOWS2003
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
The remote host is running the Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Ports
tcp/445
- NULL sessions are enabled on the remote host
26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis
Nessus is not able to access the remote Windows Registry.
Description
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/10/04, Modification date: 2011/03/27
Ports
tcp/445
Could not connect to the registry because:
Could not connect to \winreg
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Ports
tcp/445
Here is the browse list of the remote host :
WINDOWS2003 ( os : 5.2 ) - Windows2003
XPPENTEST ( os : 5.1 )
1025/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/1025
The following DCERPC services are available on TCP port 1025 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/1025
Port 1025/tcp was found to be open
192.168.222.100
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:12:07 2014
Host Information
DNS Name: hackinglablivelc.penlab.lan
IP: 192.168.222.100
MAC Address: 00:50:56:9d:15:4b
OS: Linux Kernel 2.2, Linux Kernel 2.4, Linux Kernel 2.6
Results Summary
Critical High Medium Low Info Total
0 0 0 0 17 17
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7089 seconds.
0/tcp
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.100 resolves as hackinglablivelc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUIs are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified :
00:50:56:9d:15:4b : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
Confidence Level : 54
Method : SinFP

The remote host is running one of these operating systems :
Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (e.g., a printer, router, general-purpose computer, etc.).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 54
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPEs :
cpe:/o:linux:linux_kernel:2.2
cpe:/o:linux:linux_kernel:2.4
cpe:/o:linux:linux_kernel:2.6
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :
Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 199 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.100 :
192.168.222.35
192.168.222.100
3128/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3128
Port 3128/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/3128
A web server is running on this port.
tcp/3128
An HTTP proxy is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/3128
The remote web server type is : squid/2.7.STABLE9
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/3128
Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Server: squid/2.7.STABLE9
  Date: Thu, 08 May 2014 19:09:21 GMT
  Content-Type: text/html
  Content-Length: 2147
  X-Squid-Error: ERR_INVALID_REQ 0
  X-Cache: MISS from lcd800.hacking-lab.com
  X-Cache-Lookup: NONE from lcd800.hacking-lab.com:3128
  Via: 1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
  Connection: close
11040 - HTTP Reverse Proxy Detection
Synopsis
A transparent or reverse HTTP proxy is running on this port.
Description
This web server is reachable through a reverse HTTP proxy.
Solution
n/a
Risk Factor
None
STIG Severity
II
References
CVE CVE-2004-2320
CVE CVE-2005-3398
CVE CVE-2005-3498
CVE CVE-2007-3008
XREF IAVT:2005-T-0043
XREF CWE:200
XREF CWE:79
Plugin Information:
Publication date: 2002/07/02, Modification date: 2012/08/18
Ports
tcp/3128
The GET method revealed those proxies on the way to this web server :
HTTP/1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
3130/udp
45609 - Internet Cache Protocol (ICP) Version 2 Detection
Synopsis
An HTTP caching service is listening on the remote port.
Description
The remote service supports version 2 of the Internet Cache Protocol (ICP), used for communicating between web caches.
See Also
http://tools.ietf.org/html/rfc2186
Solution
Limit access to this port if desired.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/23, Modification date: 2011/03/11
Ports
udp/3130
192.168.222.154
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:14:26 2014
Host Information
DNS Name: wah_aufgabe2.penlab.lan
IP: 192.168.222.154
MAC Address: 00:50:56:9d:3d:e4
OS: Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Results Summary
Critical High Medium Low Info Total
0 0 0 2 23 25
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -3719 seconds.
0/tcp12053 - Host Fully Qualified Domain Name (FQDN) ResolutionSynopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0
192.168.222.154 resolves as wah_aufgabe2.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each Ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUIs are registered by the IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
The following card manufacturers were identified : 00:50:56:9d:3d:e4 : VMware, Inc.
18261 - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Ports
tcp/0
The linux distribution detected was : - Ubuntu 10.04 (lucid)
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0
Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0
The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:10.04
Following application CPE's matched on the remote system :
cpe:/a:php:php:5.3.2 -> PHP 5.3.2
cpe:/a:openbsd:openssh:5.3 -> OpenBSD OpenSSH 5.3
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :
Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 338 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.154 :
192.168.222.35
192.168.222.154
22/tcp
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22
The following client-to-server Message Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96
The following server-to-client Message Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22
SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
SSH supported authentication : publickey,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms :
ssh-dss
ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]
The server supports the following options for encryption_algorithms_server_to_client :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]
The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]
The server supports the following options for mac_algorithms_server_to_client :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]
The server supports the following options for compression_algorithms_client_to_server :
none
[email protected]
The server supports the following options for compression_algorithms_server_to_client :
none
[email protected]
10881 - SSH Protocol Versions Supported
Synopsis
An SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0
SSHv2 host key fingerprint : 2d:d4:d5:aa:0e:b1:b5:8f:ac:9a:6e:ed:d5:11:13:fa
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.Banner-based checks have been disabled to avoid false positives.Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22
Give Nessus credentials to perform local checks.
80/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is : Apache/2.2.14 (Ubuntu)
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
Date: Thu, 08 May 2014 18:13:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Refresh: 0; url=login.html
Vary: Accept-Encoding
Content-Length: 36
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80
Nessus was able to identify the following PHP version information :
Version : 5.3.2-1ubuntu4.24
Source : X-Powered-By: PHP/5.3.2-1ubuntu4.24
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number.Banner-based checks have been disabled to avoid false positives.Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/80
Give Nessus credentials to perform local checks.
Vulnerabilities By Plugin
33850 (3) - Unsupported Unix Operating System
Synopsis
The remote host is running an obsolete operating system.
Description
According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider.
Lack of support implies that no new security patches will be released for it.
Solution
Upgrade to a newer version.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2008/08/08, Modification date: 2014/05/07
Hosts
192.168.222.58 (tcp/0)
CentOS release 4 support ended on 2012-02-29.
Upgrade to CentOS 6 / 5.
For more information, see : http://www.nessus.org/u?b549f616
192.168.222.59 (tcp/0)
Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.
For more information, see : https://wiki.ubuntu.com/Releases
192.168.222.60 (tcp/0)
Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.
For more information, see : https://wiki.ubuntu.com/Releases
45004 (2) - Apache 2.2 < 2.2.15 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are potentially affected by multiple vulnerabilities :
- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' module attempts to unload 'ISAPI.dll' when it encounters various error states, which could leave call-backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- The 'mod_reqtimeout' module was added to mitigate Slowloris attacks. (CVE-2007-6750)
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://www.nessus.org/u?0bf1f184
Solution
Upgrade to Apache version 2.2.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 21865
BID 36935
BID 38491
BID 38494
BID 38580
CVE CVE-2007-6750
CVE CVE-2009-3555
CVE CVE-2010-0408
CVE CVE-2010-0425
CVE CVE-2010-0434
XREF OSVDB:59969
XREF OSVDB:62674
XREF OSVDB:62675
XREF OSVDB:62676
XREF Secunia:38776
XREF CWE:200
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/03/12
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15
60085 (2) - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore, potentially affected by the following vulnerabilities :
- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)
See Also
http://www.php.net/ChangeLog-5.php#5.3.15
Solution
Upgrade to PHP version 5.3.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 54612
BID 54638
CVE CVE-2012-2688
CVE CVE-2012-3365
XREF OSVDB:84100
XREF OSVDB:84126
Plugin Information:
Publication date: 2012/07/20, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15
18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host.
An attacker does not need to be authenticated to exploit this flaw.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms05-027
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 13942
CVE CVE-2005-1206
XREF OSVDB:17308
XREF MSFT:MS05-027
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2005/06/16, Modification date: 2013/11/04
Hosts
192.168.222.63 (tcp/445)
22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-040
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 19409
CVE CVE-2006-3439
XREF OSVDB:27845
XREF MSFT:MS06-040
Exploitable with
CANVAS (true)
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2006/08/08, Modification date: 2014/03/31
Hosts
192.168.222.63 (tcp/445)
25216 (1) - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
Synopsis
It is possible to execute code on the remote host through Samba.
Description
The version of the Samba server installed on the remote host is affected by multiple heap overflow vulnerabilities, which can be exploited remotely to execute code with the privileges of the Samba daemon.
See Also
http://www.samba.org/samba/security/CVE-2007-2446.html
Solution
Upgrade to Samba version 3.0.25 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 23973
BID 24195
BID 24196
BID 24197
BID 24198
CVE CVE-2007-2446
XREF OSVDB:34699
XREF OSVDB:34731
XREF OSVDB:34732
XREF OSVDB:34733
Exploitable with
CANVAS (true)
Metasploit (true)
Plugin Information:
Publication date: 2007/05/15, Modification date: 2013/02/01
Hosts
192.168.222.60 (tcp/445)
32314 (1) - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Synopsis
The remote SSH host keys are weak.
Description
The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use it to decipher the remote session or to set up a man-in-the-middle attack.
See Also
http://www.nessus.org/u?5d01bdab
http://www.nessus.org/u?f14f4224
Solution
Consider all cryptographic material generated on the remote host to be guessable. In particular, all SSH, SSL and OpenVPN key material should be re-generated.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 29179
CVE CVE-2008-0166
XREF OSVDB:45029
XREF CWE:310
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2008/05/14, Modification date: 2011/03/21
Hosts
192.168.222.60 (tcp/22)
34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms08-067
Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
STIG Severity
I
References
BID 31874
CVE CVE-2008-4250
XREF OSVDB:49243
XREF MSFT:MS08-067
XREF IAVA:2008-A-0081
XREF CWE:94
Exploitable with
CANVAS (true)
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2008/10/23, Modification date: 2014/03/31
Hosts
192.168.222.63 (tcp/445)
34970 (1) - Apache Tomcat Manager Common Administrative Credentials
Synopsis
The management console for the remote web server is protected using a known set of credentials.
Description
It is possible to gain access to the Manager web application for the remote Tomcat server using a known set of credentials. A remote attacker can leverage this issue to install a malicious application on the affected server and run code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix).
Worms are known to propagate this way.
See Also
http://markmail.org/thread/wfu4nff5chvkb6xp
http://svn.apache.org/viewvc?view=revision&revision=834047
http://www.intevydis.com/blog/?p=87
http://www.zerodayinitiative.com/advisories/ZDI-10-214/
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0260.html
Solution
Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 36253
BID 36954
BID 37086
BID 38084
BID 44172
CVE CVE-2009-3099
CVE CVE-2009-3548
CVE CVE-2010-0557
CVE CVE-2010-4094
XREF OSVDB:57898
XREF OSVDB:60176
XREF OSVDB:60317
XREF OSVDB:62118
XREF OSVDB:69008
XREF EDB-ID:18619
XREF CWE:255
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2008/11/26, Modification date: 2014/02/04
Hosts
192.168.222.60 (tcp/8180)
It is possible to log into the Tomcat Manager web app at the following URL :
http://metasploitable1lc.penlab.lan:8180/manager/html
with the following credentials :
- Username : tomcat
- Password : tomcat
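A minimal version of the check plugin 34970 performs, as an added example (not Nessus or Tomcat code): HTTP Basic authentication against the Manager URL with a short list of well-known credential pairs, stopping at the first one the server accepts. To keep it reproducible offline it runs against a constructed stand-in for /manager/html on loopback that accepts only tomcat:tomcat; the credential list and the stand-in are assumptions. Point find_default_credentials at the real URL to run it against a host you are authorised to test.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed list of pairs commonly left in tomcat-users.xml examples; the pair the
# scanner found on 192.168.222.60 is among them.
DEFAULT_CREDENTIALS = [
    ("tomcat", "tomcat"), ("admin", "admin"), ("admin", ""), ("manager", "manager"),
    ("tomcat", "s3cret"), ("role1", "tomcat"), ("both", "tomcat"),
]


def try_manager_login(url, username, password, timeout=5):
    """True if the Manager accepts the pair (HTTP 200), False on 401/403.
    Any other status or a connection failure propagates to the caller so that a
    broken target is not silently reported as 'no default credentials'."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def find_default_credentials(url, candidates=DEFAULT_CREDENTIALS):
    """First (username, password) pair the Manager accepts, or None."""
    for username, password in candidates:
        if try_manager_login(url, username, password):
            return (username, password)
    return None


class _FakeManager(BaseHTTPRequestHandler):
    """Constructed stand-in for /manager/html: Basic auth with a single valid user.
    Exists only so the check above can be exercised without a real Tomcat."""
    VALID = "Basic " + base64.b64encode(b"tomcat:tomcat").decode()

    def do_GET(self):
        if self.path.startswith("/manager/html") and self.headers.get("Authorization") == self.VALID:
            body = b"<html><body>Tomcat Web Application Manager</body></html>"
            self.send_response(200)
        else:
            body = b"401 Unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Tomcat Manager Application"')
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the stand-in quiet
        pass


def run_fake_manager():
    """Start the stand-in on an ephemeral loopback port; returns (server, manager_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeManager)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/manager/html" % server.server_address[1]


def demo():
    server, url = run_fake_manager()
    try:
        return find_default_credentials(url)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("accepted credentials:", demo())
```

Keep the candidate list short: newer Tomcat releases wrap the user realm in a LockOutRealm that locks an account after a handful of failures, so a long wordlist turns a credential check into a self-inflicted denial of service against the very account you are testing. The fix on the page (edit tomcat-users.xml) is the one to apply; the check is only there to confirm the fix took.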
35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
Synopsis
It is possible to crash the remote host due to a flaw in SMB.
Description
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.
See Also
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 31179
BID 33121
BID 33122
CVE CVE-2008-4834
CVE CVE-2008-4835
CVE CVE-2008-4114
XREF OSVDB:48153
XREF OSVDB:52691
XREF OSVDB:52692
XREF MSFT:MS09-001
XREF CWE:399
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2009/01/13, Modification date: 2014/03/28
Hosts
192.168.222.63 (tcp/445)
53514 (1) - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)
Synopsis
Arbitrary code can be executed on the remote host through the installed Windows DNS client.
Description
A flaw in the way the installed Windows DNS client processes Link-local Multicast Name Resolution (LLMNR) queries can be exploited to execute arbitrary code in the context of the NetworkService account.
Note that Windows XP and 2003 do not support LLMNR and successful exploitation on those platforms requires local access and the ability to run a special application. On Windows Vista, 2008, 7, and 2008 R2, however, the issue can be exploited remotely.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms11-030
Solution
Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
STIG Severity
I
References
BID 47242
CVE CVE-2011-0657
XREF OSVDB:71780
XREF IAVA:2011-A-0039
XREF MSFT:MS11-030
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2011/04/21, Modification date: 2013/11/03
Hosts
192.168.222.64 (udp/5355)
73182 (1) - Microsoft Windows XP Unsupported Installation Detection
Synopsis
The remote operating system is no longer supported.
Description
The remote host is running Microsoft Windows XP.
Support for this operating system by Microsoft ended April 8th, 2014.
This means that there will be no new security patches, and Microsoft is unlikely to investigate or acknowledge reports of vulnerabilities.
See Also
http://www.nessus.org/u?33ca6af0
Solution
Upgrade to a version of Windows that is currently supported.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2014/03/25, Modification date: 2014/05/06
Hosts
192.168.222.63 (tcp/0)
48245 (2) - PHP 5.3 < 5.3.3 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be affected by several security issues :
- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397)
- An error exists in the function 'shm_put_var' that is related to resource destruction.
- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)
- A memory corruption error exists related to call-time pass by reference and callbacks.
- The dechunking filter is vulnerable to buffer overflow.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- An error exists in the 'phar' extension related to string format validation.
- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.
- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.
- The following functions are not properly protected against function interruptions : addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions : ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions. (CVE-2010-2531)
See Also
http://www.php.net/releases/5_3_3.php
http://www.php.net/ChangeLog-5.php#5.3.3
Solution
Upgrade to PHP version 5.3.3 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 38708
BID 40461
BID 40948
BID 41991
CVE CVE-2007-1581
CVE CVE-2010-0397
CVE CVE-2010-1860
CVE CVE-2010-1862
CVE CVE-2010-1864
CVE CVE-2010-1917
CVE CVE-2010-2097
CVE CVE-2010-2100
CVE CVE-2010-2101
CVE CVE-2010-2190
CVE CVE-2010-2191
CVE CVE-2010-2225
CVE CVE-2010-2484
CVE CVE-2010-2531
CVE CVE-2010-3062
CVE CVE-2010-3063
CVE CVE-2010-3064
CVE CVE-2010-3065
XREF OSVDB:33942
XREF OSVDB:63078
XREF OSVDB:64322
XREF OSVDB:64544
XREF OSVDB:64546
XREF OSVDB:64607
XREF OSVDB:65755
XREF OSVDB:66087
XREF OSVDB:66093
XREF OSVDB:66094
XREF OSVDB:66095
XREF OSVDB:66096
XREF OSVDB:66097
XREF OSVDB:66098
XREF OSVDB:66099
XREF OSVDB:66100
XREF OSVDB:66101
XREF OSVDB:66102
XREF OSVDB:66103
XREF OSVDB:66104
XREF OSVDB:66105
XREF OSVDB:66106
XREF OSVDB:66798
XREF OSVDB:66804
XREF OSVDB:66805
XREF OSVDB:67418
XREF OSVDB:67419
XREF OSVDB:67420
XREF OSVDB:67421
XREF Secunia:39675
XREF Secunia:40268
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3
51140 (2) - PHP 5.3 < 5.3.4 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be affected by several security issues :

- A crash in the zip extract method.
- A stack buffer overflow in imagepstext() of the GD extension.
- An unspecified vulnerability related to symbolic resolution when using a DFS share.
- A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)
- Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)
- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
- Memory corruption in php_filter_validate_email(). (CVE-2010-3710)
- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
- A possible double free in the IMAP extension. (CVE-2010-4150)
- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
- An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)
- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)
- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
- A race condition exists in the PCNTL extension. (CVE-2011-0753)
- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)
- An integer overflow exists in the mt_rand function. (CVE-2011-0755)
See Also
http://www.php.net/releases/5_3_4.php
http://www.php.net/ChangeLog-5.php#5.3.4
Solution
Upgrade to PHP 5.3.4 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 40173
BID 43926
BID 44605
BID 44718
BID 44723
BID 44951
BID 44980
BID 45119
BID 45335
BID 45338
BID 45339
BID 45952
BID 45954
BID 46056
BID 46168
CVE CVE-2006-7243
CVE CVE-2010-2094
CVE CVE-2010-2950
CVE CVE-2010-3436
CVE CVE-2010-3709
CVE CVE-2010-3710
CVE CVE-2010-3870
CVE CVE-2010-4150
CVE CVE-2010-4156
CVE CVE-2010-4409
CVE CVE-2010-4697
CVE CVE-2010-4698
CVE CVE-2010-4699
CVE CVE-2010-4700
CVE CVE-2011-0753
CVE CVE-2011-0754
CVE CVE-2011-0755
XREF OSVDB:66086
XREF OSVDB:68597
XREF OSVDB:69099
XREF OSVDB:69109
XREF OSVDB:69110
XREF OSVDB:69230
XREF OSVDB:69651
XREF OSVDB:69660
XREF OSVDB:70606
XREF OSVDB:70607
XREF OSVDB:70608
XREF OSVDB:70609
XREF OSVDB:70610
XREF OSVDB:74193
XREF OSVDB:74688
XREF OSVDB:74689
XREF CERT:479900
Plugin Information:
Publication date: 2010/12/13, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4
52717 (2) - PHP 5.3 < 5.3.6 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6. Such versions are affected by the following issues :

- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extension, which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64-bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.
See Also
http://bugs.php.net/bug.php?id=54193
http://bugs.php.net/bug.php?id=54055
http://bugs.php.net/bug.php?id=53885
http://bugs.php.net/bug.php?id=53574
http://bugs.php.net/bug.php?id=53512
http://bugs.php.net/bug.php?id=54060
http://bugs.php.net/bug.php?id=54061
http://bugs.php.net/bug.php?id=54092
http://bugs.php.net/bug.php?id=53579
http://bugs.php.net/bug.php?id=49072
http://openwall.com/lists/oss-security/2011/02/14/1
http://www.php.net/releases/5_3_6.php
http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/
Solution
Upgrade to PHP 5.3.6 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46354
BID 46365
BID 46786
BID 46854
CVE CVE-2011-0421
CVE CVE-2011-0708
CVE CVE-2011-1092
CVE CVE-2011-1153
CVE CVE-2011-1464
CVE CVE-2011-1466
CVE CVE-2011-1467
CVE CVE-2011-1468
CVE CVE-2011-1469
CVE CVE-2011-1470
XREF OSVDB:71597
XREF OSVDB:71598
XREF OSVDB:72531
XREF OSVDB:72532
XREF OSVDB:72533
XREF OSVDB:73623
XREF OSVDB:73624
XREF OSVDB:73625
XREF OSVDB:73626
XREF OSVDB:73754
XREF OSVDB:73755
XREF EDB-ID:16261
XREF Secunia:43328
Plugin Information:
Publication date: 2011/03/18, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
55925 (2) - PHP 5.3 < 5.3.7 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version resolves the following issues :

- A stack buffer overflow in socket_connect(). (CVE-2011-1938)
- A use-after-free vulnerability in substr_replace(). (CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob(). (CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences. (CVE-2011-3182)
- An unspecified crash in error_log(). (CVE-2011-3267)
- A buffer overflow in crypt(). (CVE-2011-3268)
See Also
http://securityreason.com/achievement_securityalert/101
http://securityreason.com/exploitalert/10738
https://bugs.php.net/bug.php?id=54238
https://bugs.php.net/bug.php?id=54681
https://bugs.php.net/bug.php?id=54939
http://www.php.net/releases/5_3_7.php
Solution
Upgrade to PHP 5.3.7 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46843
BID 47950
BID 48259
BID 49241
BID 49249
BID 49252
CVE CVE-2011-1148
CVE CVE-2011-1657
CVE CVE-2011-1938
CVE CVE-2011-2202
CVE CVE-2011-2483
CVE CVE-2011-3182
CVE CVE-2011-3267
CVE CVE-2011-3268
XREF OSVDB:72644
XREF OSVDB:73113
XREF OSVDB:73218
XREF OSVDB:74738
XREF OSVDB:74739
XREF OSVDB:74742
XREF OSVDB:74743
XREF OSVDB:75200
XREF EDB-ID:17318
XREF EDB-ID:17486
Plugin Information:
Publication date: 2011/08/22, Modification date: 2013/11/27
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7
57537 (2) - PHP < 5.3.9 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be affected by the following security issues :

- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files, resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consumption. (CVE-2012-0789)
See Also
http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5
http://www.php.net/archive/2012.php#id2012-01-11-1
http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
https://bugs.php.net/bug.php?id=55475
https://bugs.php.net/bug.php?id=55776
https://bugs.php.net/bug.php?id=53502
http://www.php.net/ChangeLog-5.php#5.3.9
Solution
Upgrade to PHP version 5.3.9 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 49754
BID 50907
BID 51193
BID 51806
BID 51952
BID 51992
BID 52043
CVE CVE-2011-3379
CVE CVE-2011-4566
CVE CVE-2011-4885
CVE CVE-2012-0057
CVE CVE-2012-0781
CVE CVE-2012-0788
CVE CVE-2012-0789
XREF OSVDB:75713
XREF OSVDB:77446
XREF OSVDB:78115
XREF OSVDB:78571
XREF OSVDB:78676
XREF OSVDB:79016
XREF OSVDB:79332
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2012/01/13, Modification date: 2013/11/14
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9
58966 (2) - PHP < 5.3.11 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is potentially affected by multiple vulnerabilities :

- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated. (CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and 'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)
See Also
http://www.nessus.org/u?e81d4026
https://bugs.php.net/bug.php?id=61043
https://bugs.php.net/bug.php?id=54374
https://bugs.php.net/bug.php?id=60227
http://marc.info/?l=oss-security&m=134626481806571&w=2
http://www.php.net/archive/2012.php#id2012-04-26-1
http://www.php.net/ChangeLog-5.php#5.3.11
Solution
Upgrade to PHP version 5.3.11 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 51954
BID 53403
BID 55297
CVE CVE-2011-1398
CVE CVE-2012-0831
CVE CVE-2012-1172
XREF OSVDB:79017
XREF OSVDB:81791
XREF OSVDB:85086
Plugin Information:
Publication date: 2012/05/02, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11
58988 (2) - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is potentially affected by a remote code execution and information disclosure vulnerability.

An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-03-1
http://www.php.net/ChangeLog-5.php#5.3.12
http://www.php.net/ChangeLog-5.php#5.4.2
Solution
Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite' workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-1823
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
CANVAS (true)
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2012/05/04, Modification date: 2014/04/11
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2
59056 (2) - PHP 5.3.x < 5.3.13 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is potentially affected by a remote code execution and information disclosure vulnerability.

The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query parameters are still possible.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-08-1
http://www.php.net/ChangeLog-5.php#5.3.13
Solution
Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite' workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-2311
CVE CVE-2012-2335
CVE CVE-2012-2336
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/05/09, Modification date: 2013/10/30
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13
59529 (2) - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and is, therefore, potentially affected by the following vulnerabilities :

- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks. (CVE-2012-2143)
- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of sensitive information or denial of service. (CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be disclosed when input data is of length zero. (CVE-2012-6113)
See Also
http://www.nessus.org/u?6adf7abc
https://bugs.php.net/bug.php?id=61755
http://www.php.net/ChangeLog-5.php#5.3.14
http://www.nessus.org/u?99140286
http://www.nessus.org/u?a42ad63a
Solution
Upgrade to PHP version 5.3.14 or later.
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score
6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
References
BID 47545
BID 53729
BID 54777
BID 57462
CVE CVE-2012-2143
CVE CVE-2012-2386
CVE CVE-2012-3450
CVE CVE-2012-6113
XREF OSVDB:72399
XREF OSVDB:82510
XREF OSVDB:82931
XREF OSVDB:89424
XREF EDB-ID:17201
Plugin Information:
Publication date: 2012/06/15, Modification date: 2013/12/04
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14
66842 (2) - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore, potentially affected by the following vulnerabilities:

- An error exists in the function 'php_quot_print_encode' in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain strings. (Bug #64879)
- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c' that could allow denial of service attacks. (Bug #64895)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?60cbc5f0
http://www.nessus.org/u?8456482e
http://www.php.net/ChangeLog-5.php#5.3.26
Solution
Apply the vendor patch or upgrade to PHP version 5.3.26 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 60411
BID 60731
CVE CVE-2013-2110
CVE CVE-2013-4635
XREF OSVDB:93968
XREF OSVDB:94063
Plugin Information:
Publication date: 2013/06/07, Modification date: 2014/04/03
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26
67259 (2) - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore, potentially affected by the following vulnerabilities:

- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://bugs.php.net/64949
http://bugs.php.net/65236
http://www.php.net/ChangeLog-5.php#5.3.27
Solution
Apply the vendor patch or upgrade to PHP version 5.3.27 or later.
Risk Factor
High
CVSS Base Score
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
References
BID 61128
CVE CVE-2013-4113
XREF OSVDB:95152
Plugin Information:
Publication date: 2013/07/12, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27
10081 (1) - FTP Privileged Port Bounce Scan
Synopsis
The remote FTP server is vulnerable to an FTP server bounce attack.
Description
It is possible to force the remote FTP server to connect to third parties using the PORT command.

The problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network.
See Also
http://archives.neohapsis.com/archives/bugtraq/1995_3/0047.html
Solution
See the CERT advisory in the references for solutions and workarounds.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 126
CVE CVE-1999-0017
XREF OSVDB:71
XREF CERT-CC:CA-1997-27
Plugin Information:
Publication date: 1999/06/22, Modification date: 2012/12/10
Hosts
192.168.222.64 (tcp/21)
The following command, telling the server to connect to 169.254.69.106 on port 10794:

PORT 169,254,69,106,42,42

produced the following output:

200 Port command successful
22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-035
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 18863
BID 18891
CVE CVE-2006-1314
CVE CVE-2006-1315
XREF OSVDB:27154
XREF OSVDB:27155
XREF MSFT:MS06-035
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2006/07/12, Modification date: 2013/11/04
Hosts
192.168.222.63 (tcp/445)
34460 (1) - Unsupported Web Server Detection
Synopsis
The remote web server is obsolete / unsupported.
Description
According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.

A lack of support implies that no new security patches are being released for it.
Solution
Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another server.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin Information:
Publication date: 2008/10/21, Modification date: 2014/04/25
Hosts
192.168.222.60 (tcp/8180)
Product : Tomcat
Installed version : 5.5
Support ended : 2012-09-30
Supported versions : 7.0.x / 6.0.x
Additional information : http://tomcat.apache.org/tomcat-55-eol.html
42411 (1) - Microsoft Windows SMB Shares Unprivileged Access
Synopsis
It is possible to access a network share.
Description
The remote host has one or more Windows shares that can be accessed through the network with the given credentials. Depending on the share rights, it may allow an attacker to read/write confidential data.
Solution
To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions'.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 8026
CVE CVE-1999-0519
CVE CVE-1999-0520
XREF OSVDB:299
Plugin Information:
Publication date: 2009/11/06, Modification date: 2011/03/27
Hosts
192.168.222.60 (tcp/445)
The following shares can be accessed using a NULL session :

- tmp - (readable,writable)
  + Content of this share :
..
.ICE-unix
5364.jsvc_up
.X11-unix
55976 (1) - Apache HTTP Server Byte Range DoS
Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.
Description
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive.

Exploit code is publicly available and attacks have reportedly been observed in the wild.
See Also
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://www.nessus.org/u?404627ec
http://httpd.apache.org/security/CVE-2011-3192.txt
http://www.nessus.org/u?1538124a
http://www-01.ibm.com/support/docview.wss?uid=swg24030863
Solution
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression.

If the host is running a web server based on Apache httpd, contact the vendor for a fix.
Risk Factor
High
CVSS Base Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score
6.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
References
BID 49303
CVE CVE-2011-3192
XREF OSVDB:74721
XREF CERT:405811
XREF EDB-ID:17696
XREF EDB-ID:18221
Exploitable with
Core Impact (true)
Metasploit (true)
Plugin Information:
Publication date: 2011/08/25, Modification date: 2014/01/27
Hosts192.168.222.60 (tcp/80)
Nessus determined the server is unpatched and is not using anyof the suggested workarounds by making the following requests : -------------------- Testing for workarounds --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 827
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84a97684a4154
-------------------- Testing for workarounds --------------------

-------------------- Testing for patch --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 274
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84adb94281cdf
-------------------- Testing for patch --------------------
11213 (6) - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Hosts
192.168.222.58 (tcp/80)
To disable these methods, add the following lines for each virtual host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
192.168.222.58 (tcp/443)
To disable these methods, add the following lines for each virtual host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
192.168.222.59 (tcp/80)
To disable these methods, add the following lines for each virtual host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1953681729.html HTTP/1.1
Connection: Close
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:09:57 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1953681729.html HTTP/1.1
Connection: Keep-Alive
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
192.168.222.60 (tcp/80)
To disable these methods, add the following lines for each virtual host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus978170901.html HTTP/1.1
Connection: Close
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:13:49 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus978170901.html HTTP/1.1
Connection: Keep-Alive
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
192.168.222.64 (tcp/80)
To disable these methods, add the following lines for each virtual host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2044648052.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus2044648052.html HTTP/1.1
Connection: Keep-Alive
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
192.168.222.64 (tcp/443)
To disable these methods, add the following lines for each virtual host in your configuration file :

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Connection: close
Content-Type: message/http

TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
57792 (6) - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Hosts
192.168.222.58 (tcp/80)
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
192.168.222.58 (tcp/443)
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
192.168.222.59 (tcp/80)
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix3lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
192.168.222.60 (tcp/80)
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
192.168.222.64 (tcp/80)
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
192.168.222.64 (tcp/443)
Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
57608 (4) - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Hosts
192.168.222.60 (tcp/445)
192.168.222.63 (tcp/445)
192.168.222.64 (tcp/445)
192.168.222.65 (tcp/445)
20007 (3) - SSL Version 2 (v2) Protocol Detection
Synopsis
The remote service encrypts traffic using a protocol with known weaknesses.
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See Also
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2005-2969
Plugin Information:
Publication date: 2005/10/12, Modification date: 2013/01/25
Hosts
192.168.222.58 (tcp/443)
192.168.222.60 (tcp/25)
192.168.222.64 (tcp/443)
26928 (3) - SSL Weak Cipher Suites Supported
Synopsis
The remote service supports the use of weak SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application, if possible, to avoid the use of weak ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
XREF CWE:327
XREF CWE:326
XREF CWE:753
XREF CWE:803
XREF CWE:720
Plugin Information:
Publication date: 2007/10/08, Modification date: 2013/08/30
Hosts
192.168.222.58 (tcp/443)
Here is the list of weak SSL ciphers supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA   Enc=RC2-CBC(40)   Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA   Enc=RC4(40)       Mac=MD5    export

    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA   Kx=DH(512)    Au=RSA   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-DES-CBC-SHA           Kx=RSA(512)   Au=RSA   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA   Enc=RC2(40)       Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA   Enc=RC4(40)       Mac=MD5    export

    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA   Kx=DH(512)    Au=RSA   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-DES-CBC-SHA           Kx=RSA(512)   Au=RSA   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA   Enc=RC2-CBC(40)   Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA   Enc=RC4(40)       Mac=MD5    export
The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
192.168.222.60 (tcp/25)
Here is the list of weak SSL ciphers supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA    Enc=RC2-CBC(40)   Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA    Enc=RC4(40)       Mac=MD5    export

    SSLv3
      EXP-ADH-DES-CBC-SHA       Kx=DH(512)    Au=None   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-ADH-RC4-MD5           Kx=DH(512)    Au=None   Enc=RC4(40)       Mac=MD5    export
      EXP-EDH-RSA-DES-CBC-SHA   Kx=DH(512)    Au=RSA    Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-DES-CBC-SHA           Kx=RSA(512)   Au=RSA    Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA    Enc=RC2(40)       Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA    Enc=RC4(40)       Mac=MD5    export

    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA   Kx=DH(512)    Au=RSA    Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-ADH-DES-CBC-SHA       Kx=DH(512)    Au=None   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-ADH-RC4-MD5           Kx=DH(512)    Au=None   Enc=RC4(40)       Mac=MD5    export
      EXP-DES-CBC-SHA           Kx=RSA(512)   Au=RSA    Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA    Enc=RC2-CBC(40)   Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA    Enc=RC4(40)       Mac=MD5    export

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
192.168.222.64 (tcp/443)
Here is the list of weak SSL ciphers supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA   Enc=RC2-CBC(40)   Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA   Enc=RC4(40)       Mac=MD5    export

    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA   Kx=DH(512)    Au=RSA   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-DES-CBC-SHA           Kx=RSA(512)   Au=RSA   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA   Enc=RC2(40)       Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA   Enc=RC4(40)       Mac=MD5    export

    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA   Kx=DH(512)    Au=RSA   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-DES-CBC-SHA           Kx=RSA(512)   Au=RSA   Enc=DES-CBC(40)   Mac=SHA1   export
      EXP-RC2-CBC-MD5           Kx=RSA(512)   Au=RSA   Enc=RC2-CBC(40)   Mac=MD5    export
      EXP-RC4-MD5               Kx=RSA(512)   Au=RSA   Enc=RC4(40)       Mac=MD5    export

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
42873 (3) - SSL Medium Strength Cipher Suites Supported
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Hosts
192.168.222.58 (tcp/443)
Here is the list of medium strength SSL ciphers supported by the remote server :

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv2
      DES-CBC-MD5           Kx=RSA   Au=RSA   Enc=DES-CBC(56)   Mac=MD5
      RC4-64-MD5            Kx=RSA   Au=RSA   Enc=RC4(64)       Mac=MD5

    SSLv3
      EDH-RSA-DES-CBC-SHA   Kx=DH    Au=RSA   Enc=DES-CBC(56)   Mac=SHA1
      DES-CBC-SHA           Kx=RSA   Au=RSA   Enc=DES-CBC(56)   Mac=SHA1

    TLSv1
      EDH-RSA-DES-CBC-SHA   Kx=DH    Au=RSA   Enc=DES-CBC(56)   Mac=SHA1
      DES-CBC-SHA           Kx=RSA   Au=RSA   Enc=DES-CBC(56)   Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
192.168.222.60 (tcp/25)
Here is the list of medium strength SSL ciphers supported by the remote server :

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv2
      DES-CBC-MD5           Kx=RSA   Au=RSA    Enc=DES-CBC(56)   Mac=MD5

    SSLv3
      ADH-DES-CBC-SHA       Kx=DH    Au=None   Enc=DES-CBC(56)   Mac=SHA1
      EDH-RSA-DES-CBC-SHA   Kx=DH    Au=RSA    Enc=DES-CBC(56)   Mac=SHA1
      DES-CBC-SHA           Kx=RSA   Au=RSA    Enc=DES-CBC(56)   Mac=SHA1

    TLSv1
      EDH-RSA-DES-CBC-SHA   Kx=DH    Au=RSA    Enc=DES-CBC(56)   Mac=SHA1
      ADH-DES-CBC-SHA       Kx=DH    Au=None   Enc=DES-CBC(56)   Mac=SHA1
      DES-CBC-SHA           Kx=RSA   Au=RSA    Enc=DES-CBC(56)   Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
192.168.222.64 (tcp/443)
Here is the list of medium strength SSL ciphers supported by the remote server :

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv2
      DES-CBC-MD5           Kx=RSA   Au=RSA   Enc=DES-CBC(56)   Mac=MD5

    SSLv3
      EDH-RSA-DES-CBC-SHA   Kx=DH    Au=RSA   Enc=DES-CBC(56)   Mac=SHA1
      DES-CBC-SHA           Kx=RSA   Au=RSA   Enc=DES-CBC(56)   Mac=SHA1

    TLSv1
      EDH-RSA-DES-CBC-SHA   Kx=DH    Au=RSA   Enc=DES-CBC(56)   Mac=SHA1
      DES-CBC-SHA           Kx=RSA   Au=RSA   Enc=DES-CBC(56)   Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
51192 (3) - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2010/12/15, Modification date: 2014/02/27
Hosts
192.168.222.58 (tcp/443)
The following certificate was part of the certificate chain sent by the remote host, but has expired :

|-Subject   : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Not After : Oct 08 00:10:47 2010 GMT

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Issuer  : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
192.168.222.60 (tcp/25)
The following certificate was part of the certificate chain sent by the remote host, but has expired :

|-Subject   : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]
|-Not After : Apr 16 14:07:45 2010 GMT

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]
|-Issuer  : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]
192.168.222.64 (tcp/443)
The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : CN=localhost
|-Issuer  : CN=localhost
51892 (3) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
Synopsis
The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.
Description
The version of OpenSSL on the remote host has been shown to allow resuming a session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker.

Note that other SSL implementations may also be affected by this vulnerability.
See Also
http://openssl.org/news/secadv_20101202.txt
Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45164
CVE CVE-2010-4180
XREF OSVDB:69565
Plugin Information:
Publication date: 2011/02/07, Modification date: 2014/01/27
Hosts
192.168.222.58 (tcp/443)
The server allowed the following session over SSLv3 to be resumed as follows :

  Session ID     : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

  Session ID     : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
192.168.222.60 (tcp/25)
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
The server allowed the following session over TLSv1 to be resumed as follows :
Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
192.168.222.64 (tcp/443)
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
57582 (3) - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2012/01/17, Modification date: 2012/10/25
Hosts
192.168.222.58 (tcp/443)
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :
|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
192.168.222.60 (tcp/25)
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :
|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]
192.168.222.64 (tcp/443)
The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :
|-Subject : CN=localhost
10677 (2) - Apache mod_status /server-status Information Disclosure
Synopsis
The remote web server discloses information about its status.
Description
It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and service requests, and CPU utilization.
Solution
If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:561
Plugin Information:
Publication date: 2001/05/28, Modification date: 2014/05/05
Hosts
192.168.222.64 (tcp/80)
192.168.222.64 (tcp/443)
10678 (2) - Apache mod_info /server-info Information Disclosure
Synopsis
The remote web server discloses information about its configuration.
Description
It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.
See Also
http://httpd.apache.org/docs/mod/mod_info.html
Solution
If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:562
Plugin Information:
Publication date: 2001/05/28, Modification date: 2013/01/25
Hosts
192.168.222.64 (tcp/80)
192.168.222.64 (tcp/443)
15901 (2) - SSL Certificate Expiry
Synopsis
The remote server's SSL certificate has already expired.
Description
This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2004/12/03, Modification date: 2013/10/18
Hosts
192.168.222.58 (tcp/443)
The SSL certificate has already expired :
Subject : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain, [email protected]
Issuer : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain, [email protected]
Not valid before : Oct 8 00:10:47 2009 GMT
Not valid after : Oct 8 00:10:47 2010 GMT
192.168.222.60 (tcp/25)
The SSL certificate has already expired :
Subject : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA, OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain, [email protected]
Issuer : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA, OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain, [email protected]
Not valid before : Mar 17 14:07:45 2010 GMT
Not valid after : Apr 16 14:07:45 2010 GMT
26920 (2) - Microsoft Windows SMB NULL Session Authentication
Synopsis
It is possible to log into the remote Windows host with a NULL session.
Description
The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password).
Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.
See Also
http://support.microsoft.com/kb/q143474/
http://support.microsoft.com/kb/q246261/
http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx
Solution
Apply the following registry changes per the referenced Technet advisories :
Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1
Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes
Reboot once the registry changes are complete.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 494
CVE CVE-1999-0519
CVE CVE-1999-0520
CVE CVE-2002-1117
XREF OSVDB:299
XREF OSVDB:8230
Plugin Information:
Publication date: 2007/10/04, Modification date: 2012/02/29
Hosts
192.168.222.63 (tcp/445)
It was possible to bind to the \browser pipe
192.168.222.65 (tcp/445)
It was possible to bind to the \browser pipe
42880 (2) - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
The remote service allows insecure renegotiation of TLS / SSL connections.
Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake.
An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Solution
Contact the vendor for specific patch information.
Risk Factor
Medium
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score
5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
References
BID 36935
CVE CVE-2009-3555
XREF OSVDB:59968
XREF OSVDB:59969
XREF OSVDB:59970
XREF OSVDB:59971
XREF OSVDB:59972
XREF OSVDB:59973
XREF OSVDB:59974
XREF OSVDB:60366
XREF OSVDB:60521
XREF OSVDB:61234
XREF OSVDB:61718
XREF OSVDB:61784
XREF OSVDB:61785
XREF OSVDB:61929
XREF OSVDB:62064
XREF OSVDB:62135
XREF OSVDB:62210
XREF OSVDB:62273
XREF OSVDB:62536
XREF OSVDB:62877
XREF OSVDB:64040
XREF OSVDB:64499
XREF OSVDB:64725
XREF OSVDB:65202
XREF OSVDB:66315
XREF OSVDB:67029
XREF OSVDB:69032
XREF OSVDB:69561
XREF OSVDB:70055
XREF OSVDB:70620
XREF OSVDB:71951
XREF OSVDB:71961
XREF OSVDB:74335
XREF OSVDB:75622
XREF OSVDB:77832
XREF OSVDB:90597
XREF OSVDB:99240
XREF OSVDB:100172
XREF OSVDB:104575
XREF OSVDB:104796
XREF CERT:120541
XREF CWE:310
Plugin Information:
Publication date: 2009/11/24, Modification date: 2014/03/25
Hosts
192.168.222.58 (tcp/443)
TLSv1 supports insecure renegotiation. SSLv3 supports insecure renegotiation.
192.168.222.60 (tcp/25)
TLSv1 supports insecure renegotiation. SSLv3 supports insecure renegotiation.
44921 (2) - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions may be affected by several security issues :
- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir' / 'safe_mode' configuration restrictions due to an error in session extensions.
- An unspecified vulnerability affects the LCG entropy.
See Also
http://securityreason.com/achievement_securityalert/82
http://securityreason.com/securityalert/7008
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html
http://www.php.net/releases/5_3_2.php
http://www.php.net/ChangeLog-5.php#5.3.2
http://www.php.net/releases/5_2_13.php
http://www.php.net/ChangeLog-5.php#5.2.13
Solution
Upgrade to PHP version 5.3.2 / 5.2.13 or later.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
References
BID 38182
BID 38430
BID 38431
CVE CVE-2010-1128
CVE CVE-2010-1129
CVE CVE-2010-1130
XREF OSVDB:62582
XREF OSVDB:62583
XREF OSVDB:63323
XREF Secunia:38708
Plugin Information:
Publication date: 2010/02/26, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13
48205 (2) - Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are potentially affected by multiple vulnerabilities :
- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=49246
https://issues.apache.org/bugzilla/show_bug.cgi?id=49417
http://www.nessus.org/u?ce8ac446
Solution
Upgrade to Apache version 2.2.16 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 40827
BID 41963
CVE CVE-2010-1452
CVE CVE-2010-2068
XREF OSVDB:65654
XREF OSVDB:66745
XREF Secunia:40206
Plugin Information:
Publication date: 2010/07/30, Modification date: 2013/07/20
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16
50070 (2) - Apache 2.2 < 2.2.17 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by several issues.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions may be affected by several issues, including :
- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over-read when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.
See Also
http://www.nessus.org/u?1c39fa1c
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 37203
BID 36097
BID 43673
CVE CVE-2009-3560
CVE CVE-2009-3720
CVE CVE-2010-1623
XREF OSVDB:59737
XREF OSVDB:60797
XREF OSVDB:68327
XREF Secunia:41701
XREF CWE:119
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/01/27
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17
51439 (2) - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Synopsis
The remote web server uses a version of PHP that is affected by a denial of service vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5.
Such versions may experience a crash while performing string to double conversion for certain numeric values. Only x86 32-bit PHP processes are known to be affected by this issue regardless of whether the system running PHP is 32-bit or 64-bit.
See Also
http://bugs.php.net/bug.php?id=53632
http://www.php.net/distributions/test_bug53632.txt
http://www.php.net/releases/5_2_17.php
http://www.php.net/releases/5_3_5.php
Solution
Upgrade to PHP 5.2.17/5.3.5 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 45668
CVE CVE-2010-4645
XREF OSVDB:70370
Plugin Information:
Publication date: 2011/01/07, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5
53896 (2) - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library. If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request.
Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.
See Also
http://www.nessus.org/u?5582384f
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
http://securityreason.com/achievement_securityalert/98
Solution
Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 47820
CVE CVE-2011-0419
XREF OSVDB:73388
XREF Secunia:44574
Plugin Information:
Publication date: 2011/05/13, Modification date: 2013/07/20
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18
56216 (2) - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It therefore is potentially affected by a denial of service vulnerability.
An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.
Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?34a2f1d8
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.21 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 49616
CVE CVE-2011-3348
XREF OSVDB:75647
Plugin Information:
Publication date: 2011/09/16, Modification date: 2013/07/20
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21
57791 (2) - Apache 2.2 < 2.2.22 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore, potentially affected by the following vulnerabilities:
- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?81e2eb5f
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 49957
BID 50494
BID 50802
BID 51407
BID 51705
BID 51706
BID 56753
CVE CVE-2011-3368
CVE CVE-2011-3607
CVE CVE-2011-4317
CVE CVE-2012-0021
CVE CVE-2012-0031
CVE CVE-2012-0053
CVE CVE-2012-4557
XREF OSVDB:76079
XREF OSVDB:76744
XREF OSVDB:77310
XREF OSVDB:78293
XREF OSVDB:78555
XREF OSVDB:78556
XREF OSVDB:89275
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/02/02, Modification date: 2013/06/03
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22
62101 (2) - Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
References
BID 53046
BID 55131
CVE CVE-2012-0883
CVE CVE-2012-2687
XREF OSVDB:81359
XREF OSVDB:84818
Plugin Information:
Publication date: 2012/09/14, Modification date: 2013/11/27
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23
64912 (2) - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58165
CVE CVE-2012-3499
CVE CVE-2012-4558
XREF OSVDB:90556
XREF OSVDB:90557
Plugin Information:
Publication date: 2013/02/27, Modification date: 2013/11/27
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24
64992 (2) - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore, potentially affected by the following vulnerabilities :
- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)
Note that this plugin does not attempt to exploit the vulnerabilities but instead relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?2dcf53bd
http://www.nessus.org/u?889595b1
http://www.php.net/ChangeLog-5.php#5.3.22
Solution
Upgrade to PHP version 5.3.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58224
BID 58766
CVE CVE-2013-1635
CVE CVE-2013-1643
XREF OSVDB:90921
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/03/04, Modification date: 2013/11/22
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22
66584 (2) - PHP 5.3.x < 5.3.23 Information Disclosure
Synopsis
The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore, potentially affected by an information disclosure vulnerability.
The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.
Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?7c770707
http://www.php.net/ChangeLog-5.php#5.3.23
Solution
Upgrade to PHP version 5.3.23 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 62373
CVE CVE-2013-1824
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/05/24, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23
68915 (2) - Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
STIG Severity
I
References
BID 59826
BID 61129
CVE CVE-2013-1862
CVE CVE-2013-1896
XREF OSVDB:93366
XREF OSVDB:95498
XREF IAVA:2013-A-0146
Plugin Information:
Publication date: 2013/07/16, Modification date: 2013/11/14
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25
71426 (2) - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. (CVE-2013-4073)
- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.
See Also
http://seclists.org/fulldisclosure/2013/Dec/96
https://bugzilla.redhat.com/show_bug.cgi?id=1036830
http://www.nessus.org/u?b6ec9ef9
http://www.php.net/ChangeLog-5.php#5.3.28
Solution
Upgrade to PHP version 5.3.28 or later.
Risk Factor
Medium
CVSS Base Score
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
References
BID 60843
BID 64225
CVE CVE-2013-4073
CVE CVE-2013-6420
XREF OSVDB:100979
XREF OSVDB:94628
XREF EDB-ID:30395
Plugin Information:
Publication date: 2013/12/14, Modification date: 2013/12/19
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28
73289 (2) - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
Synopsis
The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1 and thus, is potentially affected by a security bypass vulnerability.
An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close' method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.
Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version number.
See Also
http://www.nessus.org/u?bcc428c2
https://bugs.php.net/bug.php?id=61367
Solution
Upgrade to PHP version 5.3.11 / 5.4.1 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
STIG Severity
I
References
BID 65673
CVE CVE-2012-1171
XREF OSVDB:104201
XREF IAVB:2014-B-0021
Plugin Information:
Publication date: 2014/04/01, Modification date: 2014/04/02
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1
73405 (2) - Apache 2.2 < 2.2.27 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is a version prior to 2.2.27. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438)
- A flaw exists in 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.27
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 66303
CVE CVE-2013-6438
CVE CVE-2014-0098
XREF OSVDB:104579
XREF OSVDB:104580
Plugin Information:
Publication date: 2014/04/08, Modification date: 2014/04/08
Hosts
192.168.222.64 (tcp/80)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
192.168.222.64 (tcp/443)
Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
10073 (1) - Finger Recursive Request Arbitrary Site Redirection
Synopsis
It is possible to use the remote host to perform third-party host scans.
Description
The remote finger service accepts redirect requests. That is, users can perform requests like :
finger user@host@victim
This allows an attacker to use this computer as a relay to gather information on a third-party network. In addition, this type of syntax can be used to create a denial of service condition on the remote host.
Solution
Disable the remote finger daemon (comment out the 'finger' line in /etc/inetd.conf and restart the inetd process) or upgrade it to a more secure one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0105
CVE CVE-1999-0106
XREF OSVDB:64
XREF OSVDB:5769
Plugin Information:
Publication date: 1999/06/22, Modification date: 2011/12/28
Hosts
192.168.222.64 (tcp/79)
10079 (1) - Anonymous FTP Enabled
Synopsis
Anonymous logins are allowed on the remote FTP server.
Description
This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials.
This allows a user to access any files made available on the FTP server.
Solution
Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0497
XREF OSVDB:69
Plugin Information:
Publication date: 1999/06/22, Modification date: 2014/04/02
Hosts
192.168.222.64 (tcp/21)
The contents of the remote FTP root are :
drwxr-xr-x 1 ftp ftp 0 Apr 06 06:20 incoming
-r--r--r-- 1 ftp ftp 187 Dec 20 2009 onefile.html
10882 (1) - SSH Protocol Version 1 Session Key Retrieval
Synopsis
The remote service offers an insecure cryptographic protocol.
Description
The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically safe so they should not be used.
Solution
Disable compatibility with version 1 of the protocol.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 2344
CVE CVE-2001-0361
CVE CVE-2001-0572
CVE CVE-2001-1473
XREF OSVDB:2116
XREF CWE:310
Plugin Information:
Publication date: 2002/03/06, Modification date: 2011/11/14
Hosts
192.168.222.58 (tcp/22)
20928 (1) - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host.
Description
The remote version of Windows contains a flaw in the Web Client service that may allow an attacker to execute arbitrary code on the remote host.
To exploit this flaw, an attacker would need credentials to log into the remote host.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-008
Solution
Microsoft has released a set of patches for Windows XP and 2003.
Risk Factor
Medium
CVSS Base Score
6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score
4.8 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
References
BID 16636
CVE CVE-2006-0013
XREF OSVDB:23134
XREF MSFT:MS06-008
Plugin Information:
Publication date: 2006/02/15, Modification date: 2013/11/04
Hosts
192.168.222.63 (tcp/445)
26919 (1) - Microsoft Windows SMB Guest Account Local User Access
Synopsis
It is possible to log into the remote host.
Description
The remote host is running one of the Microsoft Windows operating systems or the SAMBA daemon. It was possible to log into it as a guest user using a random account.
Solution
In the group policy change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'. Disable the Guest account if applicable.
If the SAMBA daemon is running, double-check the SAMBA configuration around guest user access and disable guest access if appropriate.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0505
XREF OSVDB:3106
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2007/10/04, Modification date: 2014/03/03
Hosts
192.168.222.63 (tcp/445)
35291 (1) - SSL Certificate Signed using Weak Hashing Algorithm
Synopsis
An SSL certificate in the certificate chain has been signed using a weak hash algorithm.
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5.
These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow the attacker to masquerade as the affected service.
Note that certificates in the chain that are contained in the Nessus CA database have been ignored.
See Also
http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://technet.microsoft.com/en-us/security/advisory/961509
Solution
Contact the Certificate Authority to have the certificate reissued.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 11849
BID 33065
CVE CVE-2004-2761
XREF OSVDB:45106
XREF OSVDB:45108
XREF OSVDB:45127
XREF CERT:836068
XREF CWE:310
Plugin Information:
Publication date: 2009/01/05, Modification date: 2014/01/14
Hosts
192.168.222.58 (tcp/443)
The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.
|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Signature Algorithm : MD5 With RSA Encryption
45411 (1) - SSL Certificate with Wrong Hostname
Synopsis
The SSL certificate for this service is for a different host.
Description
The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2010/04/03, Modification date: 2014/03/11
Hosts
192.168.222.64 (tcp/443)
The identities known by Nessus are :
192.168.222.64
win7lc.penlab.lan
The Common Name in the certificate is :
localhost
51893 (1) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue
Synopsis
The remote host allows the resumption of SSL sessions with a disabled cipher.
Description
The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a session. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a disabled cipher chosen by the attacker.
Solution
Upgrade to OpenSSL 0.9.8j or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.2 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45254
CVE CVE-2008-7270
XREF OSVDB:69655
Plugin Information:
Publication date: 2011/02/07, Modification date: 2012/04/17
Hosts
192.168.222.58 (tcp/443)
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : e413ac52fff8366b0ae7dc1b241ed8baf75bd2a2cd4f40e600e72479c9f94cae
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_KRB5_RC4_40_SHA (0x0028)
52611 (1) - SMTP Service STARTTLS Plaintext Command Injection
Synopsis
The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.
Description
The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.
Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.
See Also
http://tools.ietf.org/html/rfc2487
http://www.securityfocus.com/archive/1/516901/30/0/threaded
Solution
Contact the vendor to see if an update is available.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 46767
CVE CVE-2011-0411
CVE CVE-2011-1430
CVE CVE-2011-1431
CVE CVE-2011-1432
CVE CVE-2011-1506
CVE CVE-2011-2165
XREF OSVDB:71020
XREF OSVDB:71021
XREF OSVDB:71854
XREF OSVDB:71946
XREF OSVDB:73251
XREF OSVDB:75014
XREF OSVDB:75256
XREF CERT:555316
Plugin Information:
Publication date: 2011/03/10, Modification date: 2012/06/14
Hosts
192.168.222.60 (tcp/25)
Nessus sent the following two commands in a single packet :
STARTTLS\r\nRSET\r\n
And the server sent the following two responses :
220 2.0.0 Ready to start TLS
250 2.0.0 Ok
62565 (1) - Transport Layer Security (TLS) Protocol CRIME Vulnerability
Synopsis
The remote service has a configuration that may make it vulnerable to the CRIME attack.
Description
The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
https://discussions.nessus.org/thread/5546
http://www.nessus.org/u?e8c92220
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
Solution
Disable compression and / or the SPDY service.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 55704
BID 55707
CVE CVE-2012-4929
CVE CVE-2012-4930
XREF OSVDB:85926
XREF OSVDB:85927
Plugin Information:
Publication date: 2012/10/16, Modification date: 2014/04/24
Hosts
192.168.222.64 (tcp/443)
The following configuration indicates that the remote service may be vulnerable to the CRIME attack :
- SSL / TLS compression is enabled.
70658 (5) - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Hosts
192.168.222.58 (tcp/22)
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
192.168.222.59 (tcp/22)
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
192.168.222.60 (tcp/22)
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
192.168.222.61 (tcp/22)
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
192.168.222.154 (tcp/22)
The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc [email protected]
71049 (5) - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Hosts
192.168.222.58 (tcp/22)
The following client-to-server Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96
The following server-to-client Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96
192.168.222.59 (tcp/22)
The following client-to-server Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96
The following server-to-client Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96
192.168.222.60 (tcp/22)
The following client-to-server Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96
The following server-to-client Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96
192.168.222.61 (tcp/22)
The following client-to-server Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-sha2-256-96 hmac-sha2-512-96
The following server-to-client Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-sha2-256-96 hmac-sha2-512-96
192.168.222.154 (tcp/22)
The following client-to-server Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96
The following server-to-client Method Authentication Code (MAC) algorithms are supported :
hmac-md5 hmac-md5-96 hmac-sha1-96
65821 (3) - SSL RC4 Cipher Suites Supported
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 58796
CVE CVE-2013-2566
XREF OSVDB:91162
Plugin Information:
Publication date: 2013/04/05, Modification date: 2014/02/27
Hosts
192.168.222.58 (tcp/443)
Here is the list of RC4 cipher suites supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv2
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
High Strength Ciphers (>= 112-bit key)
SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.60 (tcp/25)
Here is the list of RC4 cipher suites supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
High Strength Ciphers (>= 112-bit key)
SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.64 (tcp/443)
Here is the list of RC4 cipher suites supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
High Strength Ciphers (>= 112-bit key)
SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
34324 (2) - FTP Supports Clear Text Authentication
Synopsis
Authentication credentials might be intercepted.
Description
The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.
Solution
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
XREF CWE:522
XREF CWE:523
Plugin Information:
Publication date: 2008/10/01, Modification date: 2013/01/25
Hosts
192.168.222.60 (tcp/21)
This FTP server does not support 'AUTH TLS'.
192.168.222.64 (tcp/21)
This FTP server does not support 'AUTH TLS'.
15855 (1) - POP3 Cleartext Logins Permitted
Synopsis
The remote POP3 daemon allows credentials to be transmitted in clear text.
Description
The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections. An attacker can uncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication mechanism (e.g., USER command, AUTH PLAIN, AUTH LOGIN) is used.
See Also
http://tools.ietf.org/html/rfc2222
http://tools.ietf.org/html/rfc2595
Solution
Contact your vendor for a fix or encrypt traffic with SSL / TLS using stunnel.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2004/11/30, Modification date: 2014/03/12
Hosts
192.168.222.64 (tcp/110)
The following clear text methods are supported :
USER
31705 (1) - SSL Anonymous Cipher Suites Supported
Synopsis
The remote service supports the use of anonymous SSL ciphers.
Description
The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 28482
CVE CVE-2007-1858
XREF OSVDB:34882
Plugin Information:
Publication date: 2008/03/28, Modification date: 2014/01/27
Hosts
192.168.222.60 (tcp/25)
Here is the list of SSL anonymous ciphers supported by the remote server :
Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
TLSv1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
High Strength Ciphers (>= 112-bit key)
SSLv3
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
TLSv1
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES-CBC(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
42263 (1) - Unencrypted Telnet Server
Synopsis
The remote Telnet server transmits traffic in cleartext.
Description
The remote host is running a Telnet server over an unencrypted channel.
Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information.
Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session.
Solution
Disable this service and use SSH instead.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/10/27, Modification date: 2014/01/07
Hosts
192.168.222.60 (tcp/23)
Nessus collected the following banner from the remote Telnet server :
------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------
11219 (41) - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Hosts
192.168.222.58 (tcp/22)
Port 22/tcp was found to be open
192.168.222.58 (tcp/80)
Port 80/tcp was found to be open
192.168.222.58 (tcp/111)
Port 111/tcp was found to be open
192.168.222.58 (tcp/443)
Port 443/tcp was found to be open
192.168.222.58 (tcp/631)
Port 631/tcp was found to be open
192.168.222.58 (tcp/3306)
Port 3306/tcp was found to be open
192.168.222.59 (tcp/22)
Port 22/tcp was found to be open
192.168.222.59 (tcp/80)
Port 80/tcp was found to be open
192.168.222.60 (tcp/21)
Port 21/tcp was found to be open
192.168.222.60 (tcp/22)
Port 22/tcp was found to be open
192.168.222.60 (tcp/23)
Port 23/tcp was found to be open
192.168.222.60 (tcp/25)
Port 25/tcp was found to be open
192.168.222.60 (tcp/53)
Port 53/tcp was found to be open
192.168.222.60 (tcp/80)
Port 80/tcp was found to be open
192.168.222.60 (tcp/3306)
Port 3306/tcp was found to be open
192.168.222.60 (tcp/3632)
Port 3632/tcp was found to be open
192.168.222.60 (tcp/5432)
Port 5432/tcp was found to be open
192.168.222.60 (tcp/8009)
Port 8009/tcp was found to be open
192.168.222.60 (tcp/8180)
Port 8180/tcp was found to be open
192.168.222.61 (tcp/22)
Port 22/tcp was found to be open
192.168.222.61 (tcp/80)
Port 80/tcp was found to be open
192.168.222.62 (tcp/9999)
Port 9999/tcp was found to be open
192.168.222.62 (tcp/10000)
Port 10000/tcp was found to be open
192.168.222.63 (tcp/135)
Port 135/tcp was found to be open
192.168.222.64 (tcp/21)
Port 21/tcp was found to be open
192.168.222.64 (tcp/25)
Port 25/tcp was found to be open
192.168.222.64 (tcp/79)
Port 79/tcp was found to be open
192.168.222.64 (tcp/80)
Port 80/tcp was found to be open
192.168.222.64 (tcp/105)
Port 105/tcp was found to be open
192.168.222.64 (tcp/106)
Port 106/tcp was found to be open
192.168.222.64 (tcp/110)
Port 110/tcp was found to be open
192.168.222.64 (tcp/135)
Port 135/tcp was found to be open
192.168.222.64 (tcp/143)
Port 143/tcp was found to be open
192.168.222.64 (tcp/443)
Port 443/tcp was found to be open
192.168.222.64 (tcp/2224)
Port 2224/tcp was found to be open
192.168.222.64 (tcp/3306)
Port 3306/tcp was found to be open
192.168.222.65 (tcp/135)
Port 135/tcp was found to be open
192.168.222.65 (tcp/1025)
Port 1025/tcp was found to be open
192.168.222.100 (tcp/3128)
Port 3128/tcp was found to be open
192.168.222.154 (tcp/22)
Port 22/tcp was found to be open
192.168.222.154 (tcp/80)
Port 80/tcp was found to be open
22964 (30) - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Hosts
192.168.222.58 (tcp/22)
An SSH server is running on this port.
192.168.222.58 (tcp/80)
A web server is running on this port.
192.168.222.58 (tcp/443)
A TLSv1 server answered on this port.
192.168.222.58 (tcp/443)
A web server is running on this port through TLSv1.
192.168.222.58 (tcp/631)
A web server is running on this port.
192.168.222.58 (tcp/3306)
A MySQL server is running on this port.
192.168.222.59 (tcp/22)
An SSH server is running on this port.
192.168.222.59 (tcp/80)
A web server is running on this port.
192.168.222.60 (tcp/21)
An FTP server is running on this port.
192.168.222.60 (tcp/22)
An SSH server is running on this port.
192.168.222.60 (tcp/23)
A telnet server is running on this port.
192.168.222.60 (tcp/25)
An SMTP server is running on this port.
192.168.222.60 (tcp/80)
A web server is running on this port.
192.168.222.60 (tcp/8180)
A web server is running on this port.
192.168.222.61 (tcp/22)
An SSH server is running on this port.
192.168.222.61 (tcp/80)
A web server is running on this port.
192.168.222.62 (tcp/10000)
A web server is running on this port.
192.168.222.64 (tcp/25)
An SMTP server is running on this port.
192.168.222.64 (tcp/80)
A web server is running on this port.
192.168.222.64 (tcp/105)
A ph server is running on this port.
192.168.222.64 (tcp/110)
A POP3 server is running on this port.
192.168.222.64 (tcp/143)
An IMAP server is running on this port.
192.168.222.64 (tcp/443)
A TLSv1 server answered on this port.
192.168.222.64 (tcp/443)
A web server is running on this port through TLSv1.
192.168.222.64 (tcp/2224)
A web server is running on this port.
192.168.222.64 (tcp/3306)
A MySQL server is running on this port.
192.168.222.100 (tcp/3128)
A web server is running on this port.
192.168.222.100 (tcp/3128)
An HTTP proxy is running on this port.
192.168.222.154 (tcp/22)
An SSH server is running on this port.
192.168.222.154 (tcp/80)
A web server is running on this port.
10107 (12) - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Hosts
192.168.222.58 (tcp/80)
The remote web server type is : Apache/2.0.52 (CentOS)
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
192.168.222.58 (tcp/443)
The remote web server type is : Apache/2.0.52 (CentOS)
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
192.168.222.58 (tcp/631)
The remote web server type is : CUPS/1.1
192.168.222.59 (tcp/80)
The remote web server type is : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
192.168.222.60 (tcp/80)
The remote web server type is : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
192.168.222.60 (tcp/8180)
The remote web server type is : Coyote HTTP/1.1 Connector
192.168.222.61 (tcp/80)
The remote web server type is : lighttpd/1.4.31
192.168.222.62 (tcp/10000)
The remote web server type is : SimpleHTTP/0.6 Python/2.7.3
192.168.222.64 (tcp/80)
The remote web server type is : Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
192.168.222.64 (tcp/443)
The remote web server type is : Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
192.168.222.100 (tcp/3128)
The remote web server type is : squid/2.7.STABLE9
192.168.222.154 (tcp/80)
The remote web server type is : Apache/2.2.14 (Ubuntu)
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
24260 (12) - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Hosts
192.168.222.58 (tcp/80)
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :
  Date: Thu, 08 May 2014 23:08:46 GMT
  Server: Apache/2.0.52 (CentOS)
  X-Powered-By: PHP/4.3.9
  Content-Length: 667
  Connection: close
  Content-Type: text/html; charset=UTF-8
192.168.222.58 (tcp/443)
Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :
  Date: Thu, 08 May 2014 23:08:47 GMT
  Server: Apache/2.0.52 (CentOS)
  X-Powered-By: PHP/4.3.9
  Content-Length: 667
  Connection: close
  Content-Type: text/html; charset=UTF-8
192.168.222.59 (tcp/80)
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
  Date: Thu, 08 May 2014 19:09:53 GMT
  Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
  X-Powered-By: PHP/5.2.4-2ubuntu5.6
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Content-Length: 1819
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html
192.168.222.60 (tcp/80)
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
  Date: Thu, 08 May 2014 19:13:34 GMT
  Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
  Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
  ETag: "107f7-2d-481ffa5ca8840"
  Accept-Ranges: bytes
  Content-Length: 45
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html
192.168.222.60 (tcp/8180)
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :
  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=ISO-8859-1
  Date: Thu, 08 May 2014 19:13:34 GMT
  Connection: close
192.168.222.61 (tcp/80)
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, GET, HEAD, POST
Headers :
  Vary: Accept-Encoding
  Content-Type: text/html
  Accept-Ranges: bytes
  ETag: "1702939983"
  Last-Modified: Sun, 15 Dec 2013 19:41:52 GMT
  Content-Length: 3585
  Connection: close
  Date: Thu, 08 May 2014 19:09:42 GMT
  Server: lighttpd/1.4.31
192.168.222.62 (tcp/10000)
Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Server: SimpleHTTP/0.6 Python/2.7.3
  Date: Thu, 08 May 2014 19:09:46 GMT
  Content-type: text/html
  Content-Length: 215
  Last-Modified: Mon, 04 Mar 2013 17:35:55 GMT
192.168.222.64 (tcp/80)
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
  Date: Thu, 08 May 2014 18:13:23 GMT
  Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
  X-Powered-By: PHP/5.3.1
  Location: http://win7lc.penlab.lan/xampp/
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html
192.168.222.64 (tcp/443)
Protocol version : HTTP/1.0
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Date: Thu, 08 May 2014 18:13:23 GMT
  Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
  X-Powered-By: PHP/5.3.1
  Location: https://win7lc.penlab.lan/xampp/
  Content-Length: 0
  Connection: close
  Content-Type: text/html
192.168.222.64 (tcp/2224)
Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Headers :
  Content-type: text/html
  Content-Length: 2841
192.168.222.100 (tcp/3128)
Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Server: squid/2.7.STABLE9
  Date: Thu, 08 May 2014 19:09:21 GMT
  Content-Type: text/html
  Content-Length: 2147
  X-Squid-Error: ERR_INVALID_REQ 0
  X-Cache: MISS from lcd800.hacking-lab.com
  X-Cache-Lookup: NONE from lcd800.hacking-lab.com:3128
  Via: 1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
  Connection: close
192.168.222.154 (tcp/80)
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
  Date: Thu, 08 May 2014 18:13:25 GMT
  Server: Apache/2.2.14 (Ubuntu)
  X-Powered-By: PHP/5.3.2-1ubuntu4.24
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Refresh: 0; url=login.html
  Vary: Accept-Encoding
  Content-Length: 36
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html
10287 (10) - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Hosts
192.168.222.58 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.58 :
192.168.222.35
192.168.222.58
192.168.222.59 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.59 :
192.168.222.35
192.168.222.59
192.168.222.60 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.60 :
192.168.222.35
192.168.222.60
192.168.222.61 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.61 :
192.168.222.35
192.168.222.61
192.168.222.62 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.62 :
192.168.222.35
192.168.222.62
192.168.222.63 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.63 :
192.168.222.35
192.168.222.63
192.168.222.64 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.64 :
192.168.222.35
192.168.222.64
192.168.222.65 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.65 :
192.168.222.35
192.168.222.65
192.168.222.100 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.100 :
192.168.222.35
192.168.222.100
192.168.222.154 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.154 :
192.168.222.35
192.168.222.154
10736 (10) - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Hosts
192.168.222.64 (tcp/135)
The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc081CE0

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc081CE0

Object UUID : 6d726574-7273-0076-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : LRPC-a997ddd16485b696f3

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc084D81

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : OLEDC9938FF971E470581001AC8A203

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
Description : Unknown RPC service
Annotation : PcaSvc
Type : Local RPC service
Named pipe : OLE1D9360DA586C435B925639FB5E4E

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
Description : Unknown RPC service
Annotation : PcaSvc
Type : Local RPC service
Named pipe : LRPC-53d3f4cc0e9b29f92a

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e [...]
192.168.222.64 (tcp/445)
The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000 [...]
192.168.222.64 (tcp/49152)
The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 192.168.222.64
192.168.222.64 (tcp/49153)
The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64
192.168.222.64 (tcp/49154)
The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64
192.168.222.64 (tcp/49155)
The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.222.64
192.168.222.64 (tcp/49156)
The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 192.168.222.64
192.168.222.65 (tcp/135)
The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLE9FA4B79F08034681B5CFA83A3A45

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1. [...]
192.168.222.65 (tcp/445)
The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003
192.168.222.65 (tcp/1025)
The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65
11936 (10) - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Hosts
192.168.222.58 (tcp/0)
Remote operating system : Linux Kernel 2.6 on CentOS release 4
Confidence Level : 95
Method : HTTP
The remote host is running Linux Kernel 2.6 on CentOS release 4
192.168.222.59 (tcp/0)
Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
192.168.222.60 (tcp/0)
Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH
Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to [email protected]. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names.
SinFP:
  P1:B10113:F0x12:W5840:O0204ffff:M1334:
  P2:B10113:F0x12:W5792:O0204ffff0402080affffffff4445414401030304:M1334:
  P3:B10120:F0x04:W0:O0:M0
  P4:5206_7_p=8009
SMTP:!:220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
SSLcert:!:i/CN:ubuntu804-base.localdomain
i/O:OCOSA
i/OU:Office for Complication of Otherwise Simple Affairs
s/CN:ubuntu804-base.localdomain
s/O:OCOSA
s/OU:Office for Complication of Otherwise Simple Affairs
ed093088706603bfd5dc237399b498da2d4d31c6
SSH:SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
192.168.222.61 (tcp/0)
Remote operating system : Linux Kernel 3.2 on Debian 7.0 (wheezy)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 3.2 on Debian 7.0 (wheezy)
192.168.222.62 (tcp/0)
Remote operating system : Linux Kernel 2.6
Confidence Level : 65
Method : SinFP
The remote host is running Linux Kernel 2.6
192.168.222.63 (tcp/0)
Remote operating system : Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Confidence Level : 99
Method : MSRPC
The remote host is running one of these operating systems :
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
192.168.222.64 (tcp/0)
Remote operating system : Microsoft Windows 7 Professional
Confidence Level : 99
Method : MSRPC
Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to [email protected]. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names.
HTTP:Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
SinFP:
  P1:B11113:F0x12:W16384:O0204ffff:M1334:
  P2:B11113:F0x12:W16384:O0204ffff010303000402080affffffff44454144:M1334:
  P3:B00000:F0x00:W0:O0:M0
  P4:5206_7_p=110
SMTP:!:220 localhost ESMTP server ready.
SSLcert:!:i/CN:localhost
s/CN:localhost
b0238c547a905bfa119c4e8baccaeacf36491ff6
The remote host is running Microsoft Windows 7 Professional
192.168.222.65 (tcp/0)
Remote operating system : Microsoft Windows Server 2003 Service Pack 2
Confidence Level : 99
Method : MSRPC
The remote host is running Microsoft Windows Server 2003 Service Pack 2
192.168.222.100 (tcp/0)
Remote operating system : Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
Confidence Level : 54
Method : SinFP
The remote host is running one of these operating systems :
Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
192.168.222.154 (tcp/0)
Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
12053 (10) - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Hosts
192.168.222.58 (tcp/0)
192.168.222.58 resolves as kioptrix2lc.penlab.lan.
192.168.222.59 (tcp/0)
192.168.222.59 resolves as kioptrix3lc.penlab.lan.
192.168.222.60 (tcp/0)
192.168.222.60 resolves as metasploitable1lc.penlab.lan.
192.168.222.61 (tcp/0)
192.168.222.61 resolves as wordpresslc.penlab.lan.
192.168.222.62 (tcp/0)
192.168.222.62 resolves as brainpanlc.penlab.lan.
192.168.222.63 (tcp/0)
192.168.222.63 resolves as xpmarco.penlab.lan.
192.168.222.64 (tcp/0)
192.168.222.64 resolves as win7lc.penlab.lan.
192.168.222.65 (tcp/0)
192.168.222.65 resolves as win03svrlc.penlab.lan.
192.168.222.100 (tcp/0)
192.168.222.100 resolves as hackinglablivelc.penlab.lan.
192.168.222.154 (tcp/0)
192.168.222.154 resolves as wah_aufgabe2.penlab.lan.
19506 (10) - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Hosts192.168.222.58 (tcp/0)
Information about this scan : Nessus version : 5.2.6Plugin feed version : 201405081015Scanner edition used : Nessus HomeScan policy used : PrivScanner IP : 192.168.222.35Port scanner(s) : nessus_syn_scanner Port range : defaultThorough tests : noExperimental tests : noParanoia level : 1Report Verbosity : 1Safe checks : yesOptimize the test : yesCredentialed checks : noPatch management checks : NoneCGI scanning : disabledWeb application tests : disabledMax hosts : 100Max checks : 5Recv timeout : 5Backports : DetectedAllow post-scan editing: YesScan Start Date : 2014/5/8 19:08Scan duration : 534 sec
192.168.222.59 (tcp/0)
Information about this scan : Nessus version : 5.2.6Plugin feed version : 201405081015Scanner edition used : Nessus HomeScan policy used : PrivScanner IP : 192.168.222.35Port scanner(s) : nessus_syn_scanner Port range : defaultThorough tests : noExperimental tests : noParanoia level : 1
474
Report Verbosity : 1Safe checks : yesOptimize the test : yesCredentialed checks : noPatch management checks : NoneCGI scanning : disabledWeb application tests : disabledMax hosts : 100Max checks : 5Recv timeout : 5Backports : DetectedAllow post-scan editing: YesScan Start Date : 2014/5/8 19:08Scan duration : 344 sec
192.168.222.60 (tcp/0)
Information about this scan : Nessus version : 5.2.6Plugin feed version : 201405081015Scanner edition used : Nessus HomeScan policy used : PrivScanner IP : 192.168.222.35Port scanner(s) : nessus_syn_scanner Port range : defaultThorough tests : noExperimental tests : noParanoia level : 1Report Verbosity : 1Safe checks : yesOptimize the test : yesCredentialed checks : noPatch management checks : NoneCGI scanning : disabledWeb application tests : disabledMax hosts : 100Max checks : 5Recv timeout : 5Backports : DetectedAllow post-scan editing: YesScan Start Date : 2014/5/8 19:08Scan duration : 648 sec
192.168.222.61 (tcp/0)
Information about this scan : Nessus version : 5.2.6Plugin feed version : 201405081015Scanner edition used : Nessus HomeScan policy used : PrivScanner IP : 192.168.222.35Port scanner(s) : nessus_syn_scanner Port range : defaultThorough tests : noExperimental tests : noParanoia level : 1Report Verbosity : 1Safe checks : yesOptimize the test : yesCredentialed checks : noPatch management checks : NoneCGI scanning : disabledWeb application tests : disabledMax hosts : 100Max checks : 5Recv timeout : 5Backports : DetectedAllow post-scan editing: YesScan Start Date : 2014/5/8 19:08Scan duration : 343 sec
192.168.222.62 (tcp/0)
Information about this scan : Nessus version : 5.2.6
475
Plugin feed version : 201405081015Scanner edition used : Nessus HomeScan policy used : PrivScanner IP : 192.168.222.35Port scanner(s) : nessus_syn_scanner Port range : defaultThorough tests : noExperimental tests : noParanoia level : 1Report Verbosity : 1Safe checks : yesOptimize the test : yesCredentialed checks : noPatch management checks : NoneCGI scanning : disabledWeb application tests : disabledMax hosts : 100Max checks : 5Recv timeout : 5Backports : NoneAllow post-scan editing: YesScan Start Date : 2014/5/8 19:08Scan duration : 496 sec
192.168.222.63 (tcp/0)
Information about this scan : Nessus version : 5.2.6Plugin feed version : 201405081015Scanner edition used : Nessus HomeScan policy used : PrivScanner IP : 192.168.222.35Port scanner(s) : nessus_syn_scanner Port range : defaultThorough tests : noExperimental tests : noParanoia level : 1Report Verbosity : 1Safe checks : yesOptimize the test : yesCredentialed checks : noPatch management checks : NoneCGI scanning : disabledWeb application tests : disabledMax hosts : 100Max checks : 5Recv timeout : 5Backports : NoneAllow post-scan editing: YesScan Start Date : 2014/5/8 19:08Scan duration : 170 sec
192.168.222.64 (tcp/0)
Information about this scan : Nessus version : 5.2.6Plugin feed version : 201405081015Scanner edition used : Nessus HomeScan policy used : PrivScanner IP : 192.168.222.35Port scanner(s) : nessus_syn_scanner Port range : defaultThorough tests : noExperimental tests : noParanoia level : 1Report Verbosity : 1Safe checks : yesOptimize the test : yesCredentialed checks : noPatch management checks : NoneCGI scanning : disabledWeb application tests : disabledMax hosts : 100Max checks : 5Recv timeout : 5
476
Backports : NoneAllow post-scan editing: YesScan Start Date : 2014/5/8 19:08Scan duration : 752 sec
192.168.222.65 (tcp/0)
Information about this scan : Nessus version : 5.2.6Plugin feed version : 201405081015Scanner edition used : Nessus HomeScan policy used : PrivScanner IP : 192.168.222.35Port scanner(s) : nessus_syn_scanner Port range : defaultThorough tests : noExperimental tests : noParanoia level : 1Report Verbosity : 1Safe checks : yesOptimize the test : yesCredentialed checks : noPatch management checks : NoneCGI scanning : disabledWeb application tests : disabledMax hosts : 100Max checks : 5Recv timeout : 5Backports : NoneAllow post-scan editing: YesScan Start Date : 2014/5/8 19:08Scan duration : 145 sec
192.168.222.100 (tcp/0)
Information about this scan :
Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 199 sec
192.168.222.154 (tcp/0)
Information about this scan :
Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 338 sec
20094 (10) - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Hosts
192.168.222.58 (tcp/0)
192.168.222.59 (tcp/0)
192.168.222.60 (tcp/0)
192.168.222.61 (tcp/0)
192.168.222.62 (tcp/0)
192.168.222.63 (tcp/0)
192.168.222.64 (tcp/0)
192.168.222.65 (tcp/0)
192.168.222.100 (tcp/0)
192.168.222.154 (tcp/0)
25220 (10) - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Hosts
192.168.222.58 (tcp/0)
192.168.222.59 (tcp/0)
192.168.222.60 (tcp/0)
192.168.222.61 (tcp/0)
192.168.222.62 (tcp/0)
192.168.222.63 (tcp/0)
192.168.222.64 (tcp/0)
192.168.222.65 (tcp/0)
192.168.222.100 (tcp/0)
192.168.222.154 (tcp/0)
35716 (10) - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each Ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUIs are registered by the IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Hosts
192.168.222.58 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:39:15 : VMware, Inc.
192.168.222.59 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:0b:07 : VMware, Inc.
192.168.222.60 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:70:0f : VMware, Inc.
192.168.222.61 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:75:81 : VMware, Inc.
192.168.222.62 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:70:45 : VMware, Inc.
192.168.222.63 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:49:54 : VMware, Inc.
192.168.222.64 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:61:13 : VMware, Inc.
192.168.222.65 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:37:bc : VMware, Inc.
192.168.222.100 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:15:4b : VMware, Inc.
192.168.222.154 (tcp/0)
The following card manufacturers were identified : 00:50:56:9d:3d:e4 : VMware, Inc.
45590 (10) - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Hosts
192.168.222.58 (tcp/0)
The remote operating system matched the following CPE :
  cpe:/o:centos:centos:4 -> CentOS-4
Following application CPE's matched on the remote system :
  cpe:/a:php:php:4.3.9 -> PHP PHP 4.3.9
  cpe:/a:apache:http_server:2.0.52 -> Apache Software Foundation Apache HTTP Server 2.0.52
192.168.222.59 (tcp/0)
The remote operating system matched the following CPE :
  cpe:/o:canonical:ubuntu_linux:8.04
Following application CPE's matched on the remote system :
  cpe:/a:php:php:5.2.4 -> PHP 5.2.4
  cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
  cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
192.168.222.60 (tcp/0)
The remote operating system matched the following CPE :
  cpe:/o:canonical:ubuntu_linux:8.04
Following application CPE's matched on the remote system :
  cpe:/a:php:php:5.2.4 -> PHP 5.2.4
  cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
  cpe:/a:samba:samba:3.0.20 -> Samba 3.0.20
  cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
  cpe:/a:isc:bind:9.4.
192.168.222.61 (tcp/0)
The remote operating system matched the following CPE :
  cpe:/o:debian:debian_linux:7.0 -> Debian Linux 7.0
Following application CPE matched on the remote system :
  cpe:/a:openbsd:openssh:6.0 -> OpenBSD OpenSSH 6.0
192.168.222.62 (tcp/0)
The remote operating system matched the following CPE :
  cpe:/o:linux:linux_kernel:2.6
192.168.222.63 (tcp/0)
The remote operating system matched the following CPE's :
  cpe:/o:microsoft:windows_xp::sp2 -> Microsoft Windows XP Service Pack 2
  cpe:/o:microsoft:windows_xp::sp3 -> Microsoft Windows XP Service Pack 3
192.168.222.64 (tcp/0)
The remote operating system matched the following CPE :
  cpe:/o:microsoft:windows_7:::professional
Following application CPE's matched on the remote system :
  cpe:/a:php:php:5.3.1 -> PHP 5.3.1
  cpe:/a:modssl:mod_ssl:2.2.14
  cpe:/a:openssl:openssl:0.9.8l -> OpenSSL Project OpenSSL 0.9.8l
  cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
  cpe:/a:apache:mod_perl:2.0.4
192.168.222.65 (tcp/0)
The remote operating system matched the following CPE :
  cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2
192.168.222.100 (tcp/0)
The remote operating system matched the following CPE's :
  cpe:/o:linux:linux_kernel:2.2
  cpe:/o:linux:linux_kernel:2.4
  cpe:/o:linux:linux_kernel:2.6
192.168.222.154 (tcp/0)
The remote operating system matched the following CPE :
  cpe:/o:canonical:ubuntu_linux:10.04
Following application CPE's matched on the remote system :
  cpe:/a:php:php:5.3.2 -> PHP 5.3.2
  cpe:/a:openbsd:openssh:5.3 -> OpenBSD OpenSSH 5.3
  cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
54615 (10) - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc.).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Hosts
192.168.222.58 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
192.168.222.59 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
192.168.222.60 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
192.168.222.61 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
192.168.222.62 (tcp/0)
Remote device type : general-purpose
Confidence level : 65
192.168.222.63 (tcp/0)
Remote device type : general-purpose
Confidence level : 99
192.168.222.64 (tcp/0)
Remote device type : general-purpose
Confidence level : 99
192.168.222.65 (tcp/0)
Remote device type : general-purpose
Confidence level : 99
192.168.222.100 (tcp/0)
Remote device type : general-purpose
Confidence level : 54
192.168.222.154 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
10114 (9) - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Hosts
192.168.222.58 (icmp/0)
The difference between the local and remote clocks is -21429 seconds.
192.168.222.59 (icmp/0)
The difference between the local and remote clocks is -7098 seconds.
192.168.222.60 (icmp/0)
The difference between the local and remote clocks is -7247 seconds.
192.168.222.61 (icmp/0)
The difference between the local and remote clocks is -7092 seconds.
192.168.222.62 (icmp/0)
The difference between the local and remote clocks is -7092 seconds.
192.168.222.63 (icmp/0)
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.
192.168.222.65 (icmp/0)
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.
192.168.222.100 (icmp/0)
The difference between the local and remote clocks is -7089 seconds.
192.168.222.154 (icmp/0)
The difference between the local and remote clocks is -3719 seconds.
11011 (8) - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Hosts
192.168.222.60 (tcp/139)
An SMB server is running on this port.
192.168.222.60 (tcp/445)
A CIFS server is running on this port.
192.168.222.63 (tcp/139)
An SMB server is running on this port.
192.168.222.63 (tcp/445)
A CIFS server is running on this port.
192.168.222.64 (tcp/139)
An SMB server is running on this port.
192.168.222.64 (tcp/445)
A CIFS server is running on this port.
192.168.222.65 (tcp/139)
An SMB server is running on this port.
192.168.222.65 (tcp/445)
A CIFS server is running on this port.
48243 (7) - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Hosts
192.168.222.58 (tcp/80)
Nessus was able to identify the following PHP version information :
  Version : 4.3.9
  Source : X-Powered-By: PHP/4.3.9
192.168.222.58 (tcp/443)
Nessus was able to identify the following PHP version information :
  Version : 4.3.9
  Source : X-Powered-By: PHP/4.3.9
192.168.222.59 (tcp/80)
Nessus was able to identify the following PHP version information :
  Version : 5.2.4-2ubuntu5.6
  Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
192.168.222.60 (tcp/80)
Nessus was able to identify the following PHP version information :
  Version : 5.2.4-2ubuntu5.10
  Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
192.168.222.64 (tcp/80)
Nessus was able to identify the following PHP version information :
  Version : 5.3.1
  Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
192.168.222.64 (tcp/443)
Nessus was able to identify the following PHP version information :
  Version : 5.3.1
  Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
192.168.222.154 (tcp/80)
Nessus was able to identify the following PHP version information :
  Version : 5.3.2-1ubuntu4.24
  Source : X-Powered-By: PHP/5.3.2-1ubuntu4.24
10267 (5) - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Hosts
192.168.222.58 (tcp/22)
SSH version : SSH-1.99-OpenSSH_3.9p1
SSH supported authentication : publickey,gssapi-with-mic,password
192.168.222.59 (tcp/22)
SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
SSH supported authentication : publickey,password
192.168.222.60 (tcp/22)
SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
SSH supported authentication : publickey,password
192.168.222.61 (tcp/22)
SSH version : SSH-2.0-OpenSSH_6.0p1 Debian-4
SSH supported authentication : publickey,password
192.168.222.154 (tcp/22)
SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
SSH supported authentication : publickey,password
10881 (5) - SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Hosts
192.168.222.58 (tcp/22)
The remote SSH daemon supports the following versions of the SSH protocol :
  - 1.33
  - 1.5
  - 1.99
  - 2.0
SSHv1 host key fingerprint : 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72
SSHv2 host key fingerprint : 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61
192.168.222.59 (tcp/22)
The remote SSH daemon supports the following versions of the SSH protocol :
  - 1.99
  - 2.0
SSHv2 host key fingerprint : 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd
192.168.222.60 (tcp/22)
The remote SSH daemon supports the following versions of the SSH protocol :
  - 1.99
  - 2.0
SSHv2 host key fingerprint : 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3
192.168.222.61 (tcp/22)
The remote SSH daemon supports the following versions of the SSH protocol :
  - 1.99
  - 2.0
SSHv2 host key fingerprint : 7f:93:59:28:51:4a:54:7a:ec:60:cd:76:29:f9:a7:9c
192.168.222.154 (tcp/22)
The remote SSH daemon supports the following versions of the SSH protocol :
  - 1.99
  - 2.0
SSHv2 host key fingerprint : 2d:d4:d5:aa:0e:b1:b5:8f:ac:9a:6e:ed:d5:11:13:fa
39520 (5) - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Hosts
192.168.222.58 (tcp/22)
Give Nessus credentials to perform local checks.
192.168.222.59 (tcp/22)
Give Nessus credentials to perform local checks.
192.168.222.60 (tcp/22)
Give Nessus credentials to perform local checks.
192.168.222.61 (tcp/22)
Give Nessus credentials to perform local checks.
192.168.222.154 (tcp/22)
Give Nessus credentials to perform local checks.
39521 (5) - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Hosts
192.168.222.58 (tcp/80)
Give Nessus credentials to perform local checks.
192.168.222.58 (tcp/443)
Give Nessus credentials to perform local checks.
192.168.222.59 (tcp/80)
Give Nessus credentials to perform local checks.
192.168.222.60 (tcp/80)
Give Nessus credentials to perform local checks.
192.168.222.154 (tcp/80)
Give Nessus credentials to perform local checks.
66334 (5) - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Hosts
192.168.222.58 (tcp/0)
. You need to take the following 2 actions :
[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
  + Action to take : Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
  + Impact : Taking this action will resolve 2 different vulnerabilities (CVEs).
[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
  + Action to take : Upgrade to Apache version 2.0.65 / 2.2.22 or later.
192.168.222.59 (tcp/0)
. You need to take the following action :
[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
  + Action to take : Upgrade to Apache version 2.0.65 / 2.2.22 or later.
192.168.222.60 (tcp/0)
. You need to take the following 4 actions :
[ Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow (25216) ]
  + Action to take : Upgrade to Samba version 3.0.25 or later.
[ Apache Tomcat Manager Common Administrative Credentials (34970) ]
  + Action to take : Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
  + Impact : Taking this action will resolve 4 different vulnerabilities (CVEs).
[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
  + Action to take : Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
  + Action to take : Upgrade to Apache version 2.0.65 / 2.2.22 or later.
  + Impact : Taking this action will resolve 2 different vulnerabilities (CVEs).
192.168.222.63 (tcp/0)
. You need to take the following 2 actions :
[ MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) (18502) ]
  + Action to take : Microsoft has released a set of patches for Windows 2000, XP and 2003.
[ MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check) (20928) ]
  + Action to take : Microsoft has released a set of patches for Windows XP and 2003.
192.168.222.64 (tcp/0)
. You need to take the following 3 actions :
[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
  + Action to take : Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
[ PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities (71426) ]
  + Action to take : Upgrade to PHP version 5.3.28 or later.
  + Impact : Taking this action will resolve 86 different vulnerabilities (CVEs).
[ Apache 2.2 < 2.2.27 Multiple Vulnerabilities (73405) ]
  + Action to take : Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
  + Impact : Taking this action will resolve 27 different vulnerabilities (CVEs).
70657 (5) - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Hosts
192.168.222.58 (tcp/22)
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms : diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms : ssh-dss ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour blowfish-cbc cast128-cbc [email protected]
The server supports the following options for encryption_algorithms_server_to_client : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour blowfish-cbc cast128-cbc [email protected]
The server supports the following options for mac_algorithms_client_to_server : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96
The server supports the following options for mac_algorithms_server_to_client : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96
The server supports the following options for compression_algorithms_client_to_server : none zlib
The server supports the following options for compression_algorithms_server_to_client : none zlib
192.168.222.59 (tcp/22)
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms : diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms : ssh-dss ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]
The server supports the following options for encryption_algorithms_server_to_client : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]
The server supports the following options for mac_algorithms_client_to_server : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 [email protected]
The server supports the following options for mac_algorithms_server_to_client : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 [email protected]
The server supports the following options for compression_algorithms_client_to_server : none [email protected]
The server supports the following options for compression_algorithms_server_to_client : none [email protected]
192.168.222.60 (tcp/22)
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms : diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms : ssh-dss ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]
The server supports the following options for encryption_algorithms_server_to_client : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]
The server supports the following options for mac_algorithms_client_to_server : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 [email protected]
The server supports the following options for mac_algorithms_server_to_client : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 [email protected]
The server supports the following options for compression_algorithms_client_to_server : none [email protected]
The server supports the following options for compression_algorithms_server_to_client : none [email protected]
192.168.222.61 (tcp/22)
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms : diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
The server supports the following options for server_host_key_algorithms : ecdsa-sha2-nistp256 ssh-dss ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]
The server supports the following options for encryption_algorithms_server_to_client : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]
The server supports the following options for mac_algorithms_client_to_server : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 [email protected]
The server supports the following options for mac_algorithms_server_to_client : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 [email protected]
The server supports the following options for compression_algorithms_client_to_server : none [email protected]
The server supports the following options for compression_algorithms_server_to_client : none [email protected]
192.168.222.154 (tcp/22)
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms : diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms : ssh-dss ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]
The server supports the following options for encryption_algorithms_server_to_client : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc [email protected]
The server supports the following options for mac_algorithms_client_to_server : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 [email protected]
The server supports the following options for mac_algorithms_server_to_client : hmac-md5 hmac-md5-96 hmac-ripemd160 [email protected] hmac-sha1 hmac-sha1-96 [email protected]
The server supports the following options for compression_algorithms_client_to_server : none [email protected]
The server supports the following options for compression_algorithms_server_to_client : none [email protected]
10394 (4) - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
The remote host is running the Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Hosts
192.168.222.60 (tcp/445)
- NULL sessions are enabled on the remote host
192.168.222.63 (tcp/445)
- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'
192.168.222.64 (tcp/445)
- NULL sessions are enabled on the remote host
192.168.222.65 (tcp/445)
- NULL sessions are enabled on the remote host
10397 (4) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Hosts
192.168.222.60 (tcp/445)
Here is the browse list of the remote host :
  ADMIN-PC ( os : 0.0 )
  METASPLOITABLE ( os : 0.0 )
192.168.222.63 (tcp/445)
Here is the browse list of the remote host :
  WINDOWS2003 ( os : 5.2 ) - Windows2003
  XPPENTEST ( os : 5.1 )
192.168.222.64 (tcp/445)
Here is the browse list of the remote host :
  ADMIN-PC ( os : 6.1 )
192.168.222.65 (tcp/445)
Here is the browse list of the remote host :
  WINDOWS2003 ( os : 5.2 ) - Windows2003
  XPPENTEST ( os : 5.1 )
10785 (4) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/10/17, Modification date: 2014/04/09
Hosts
192.168.222.60 (tcp/445)
The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.20-Debian
The remote SMB Domain Name is : METASPLOITABLE
192.168.222.63 (tcp/445)
The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : XPPENTEST
192.168.222.64 (tcp/445)
The remote Operating System is : Windows 7 Professional 7600
The remote native lan manager is : Windows 7 Professional 6.1
The remote SMB Domain Name is : ADMIN-PC
192.168.222.65 (tcp/445)
The remote Operating System is : Windows Server 2003 R2 3790 Service Pack 2
The remote native lan manager is : Windows Server 2003 R2 5.2
The remote SMB Domain Name is : WINDOWS2003
11111 (4) - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/08/24, Modification date: 2011/05/24
Hosts
192.168.222.58 (tcp/111)
The following RPC services are available on TCP port 111 : - program: 100000 (portmapper), version: 2
192.168.222.58 (udp/111)
The following RPC services are available on UDP port 111 : - program: 100000 (portmapper), version: 2
192.168.222.58 (udp/735)
The following RPC services are available on UDP port 735 : - program: 100024 (status), version: 1
192.168.222.58 (tcp/738)
The following RPC services are available on TCP port 738 : - program: 100024 (status), version: 1
18261 (4) - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Hosts
192.168.222.58 (tcp/0)
The linux distribution detected was : - CentOS 4
192.168.222.59 (tcp/0)
The linux distribution detected was : - Ubuntu 8.04 (gutsy)
192.168.222.60 (tcp/0)
The linux distribution detected was : - Ubuntu 8.04 (gutsy)
192.168.222.154 (tcp/0)
The linux distribution detected was : - Ubuntu 10.04 (lucid)
10150 (3) - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2013/01/16
Hosts
192.168.222.63 (udp/137)
The following 6 NetBIOS names have been gathered :
XPPENTEST = Computer name
XPPENTEST = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections
ARBEITSGRUPPE = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter : 00:50:56:9d:49:54
192.168.222.64 (udp/137)
The following 6 NetBIOS names have been gathered :
ADMIN-PC = Computer name
WORKGROUP = Workgroup / Domain name
ADMIN-PC = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter : 00:50:56:9d:61:13
192.168.222.65 (udp/137)
The following 4 NetBIOS names have been gathered :
WINDOWS2003 = Computer name
WINDOWS2003 = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections
The remote host has the following MAC address on its adapter : 00:50:56:9d:37:bc
10863 (3) - SSL Certificate Information
Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2008/05/19, Modification date: 2012/04/02
Hosts
192.168.222.58 (tcp/443)
Subject Name:
Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: [email protected]

Issuer Name:
Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: [email protected]

Serial Number: 00
Version: 3
Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Oct 08 00:10:47 2009 GMT
Not Valid After: Oct 08 00:10:47 2010 GMT

Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 DE 1D B8 D5 44 AF 86 8B 4D 47 EC 8D A7 17 29 C0 9A 46 CD 68 4F 1B 1D 35 32 31 92 9E D2 57 63 C3 0F E9 81 63 9B 21 B1 7B 7F 14 C1 BB 52 97 F8 83 AD 39 F9 6E 99 12 17 C1 5A 92 D7 A2 70 C5 69 12 31 C6 7E 00 19 23 8B 83 CA B6 D2 45 2D F6 9D 87 66 E7 DA 48 B4 B0 7D 2C 09 F8 24 CC C1 8B 4D F0 05 34 8E 17 F7 AF 4C BC 8E BF A3 8C 45 34 1D 3E 0E E1 85 DC 9C 34 6F 6C 85 1E 1C A7 9D 3C FB 13
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 1E FA BB 28 F7 94 4E 7D FA 4B 3F C0 BB DE 53 98 2E DA 4A 48 48 90 65 47 31 11 A1 59 EE CA 4C 47 E5 A9 07 DF 61 3A 89 39 2E 31 B2 EF C5 C4 34 72 F4 81 8E 6A 9B 32 20 B1 84 C7 9E DA A6 E0 98 25 6D ED A7 03 14 AE 95 17 BB FC 7D 83 72 CC F9 58 21 88 7D 17 C4 C3 9F 6E E7 95 86 A5 99 FB 23 FC 2E 2B 11 3A BE 6E F8 57 86 38 10 48 20 D0 26 A5 65 17 DB 11 1D 07 8A 7D ED 66 33 3F 4D EB 11 05

Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60

Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60
Serial Number: 82 01 00

Extension: Basic Constraints (2.5.29.19)
Critical: [...]
192.168.222.60 (tcp/25)
Subject Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: [email protected]

Issuer Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: [email protected]

Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT

Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9 7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24 73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF 8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E 98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97 00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A 0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F 1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49 68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68 83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53 A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C 15 6E 8D 30 38 F6 CA 2E 75
192.168.222.64 (tcp/443)
Subject Name:
Common Name: localhost

Issuer Name:
Common Name: localhost

Serial Number: 00 B5 C7 52 C9 87 81 B5 03
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Nov 10 23:48:47 2009 GMT
Not Valid After: Nov 08 23:48:47 2019 GMT

Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 C1 25 D3 27 E3 EC AD 0D 83 6A 6D E7 5F 9A 75 10 23 E2 90 9D A0 63 95 8F 1D 41 9A 58 D5 9C 63 8C 5B 73 86 90 79 CC C3 D6 A3 89 B8 75 BC 1E 94 7C 7C 6E E3 AD E8 27 5C 0B C6 0C 6A F9 0F 32 FE B3 C4 7A 10 23 04 2B 29 28 D4 AA F9 B3 2F 66 10 F8 A7 C1 CD 60 C4 6B 28 57 E3 67 3B F7 9E CD 48 22 DC 38 EA 48 13 80 3A 40 97 57 0C 47 35 46 3D 71 62 9A EE 53 9D 63 0E 67 7A 28 C9 A4 34 FF 19 ED
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 6A F1 F3 49 6C F9 BA 68 5F 6F F3 27 04 C6 B9 0C BD 95 37 34 BE F7 08 66 9A 9B 03 18 41 BE B9 1D 24 33 55 B6 19 02 1D 54 71 C9 4F 21 5D 68 75 F3 81 52 41 41 C5 93 C2 1A 7C E2 7B C7 4A 24 13 0C 14 9A 4F A7 10 35 0A 6F 6A 0F D3 68 40 FF 48 44 29 9B 45 6A 0C 5C 29 7C 56 2E B9 F0 4B BD 53 5B 2E 42 B1 6C AD 97 C1 4B EE D1 1C 68 2D D0 4C 0B FF 3D 1E AA D9 D2 9A 62 38 DB 90 F9 7D 8C B7 11
21643 (3) - SSL Cipher Suites Supported
Synopsis
The remote service encrypts communications using SSL.
Description
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/06/05, Modification date: 2014/01/15
Hosts
192.168.222.58 (tcp/443)
Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC [...]
192.168.222.60 (tcp/25)
Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA [...]
192.168.222.64 (tcp/443)
Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA-CBC [...]
24786 (3) - Nessus Windows Scan Not Performed with Admin Privileges
Synopsis
The Nessus scan of this host may be incomplete due to insufficient privileges provided.
Description
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however these credentials do not have administrative privileges.
Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied.
If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to perform a patch audit through the registry which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).
Solution
Reconfigure your scanner to use credentials with administrative privileges.
Risk Factor
None
Plugin Information:
Publication date: 2007/03/12, Modification date: 2013/01/07
Hosts
192.168.222.63 (tcp/0)
It was not possible to connect to '\\XPPENTEST\ADMIN$' with the supplied credentials.
192.168.222.64 (tcp/0)
It was not possible to connect to '\\ADMIN-PC\ADMIN$' with the supplied credentials.
192.168.222.65 (tcp/0)
It was not possible to connect to '\\WINDOWS2003\ADMIN$' with the supplied credentials.
43111 (3) - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Hosts
192.168.222.58 (tcp/631)
Based on the response to an OPTIONS request :
- HTTP methods HEAD OPTIONS POST PUT GET are allowed on : /
192.168.222.60 (tcp/80)
Based on the response to an OPTIONS request :
- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on : /
192.168.222.61 (tcp/80)
Based on the response to an OPTIONS request :
- HTTP methods GET HEAD POST OPTIONS are allowed on : /
45410 (3) - SSL Certificate commonName Mismatch
Synopsis
The SSL certificate commonName does not match the host name.
Description
This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/03, Modification date: 2012/09/30
Hosts
192.168.222.58 (tcp/443)
The host name known by Nessus is : kioptrix2lc.penlab.lan
The Common Name in the certificate is : localhost.localdomain
192.168.222.60 (tcp/25)
The host names known by Nessus are : metasploitable metasploitable1lc.penlab.lan
The Common Name in the certificate is : ubuntu804-base.localdomain
192.168.222.64 (tcp/443)
The host names known by Nessus are : admin-pc win7lc.penlab.lan
The Common Name in the certificate is : localhost
51891 (3) - SSL Session Resume Supported
Synopsis
The remote host allows resuming SSL sessions.
Description
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/02/07, Modification date: 2013/10/18
Hosts
192.168.222.58 (tcp/443)
This port supports resuming TLSv1 / SSLv3 sessions.
192.168.222.60 (tcp/25)
This port supports resuming TLSv1 / SSLv3 sessions.
192.168.222.64 (tcp/443)
This port supports resuming SSLv3 sessions.
56984 (3) - SSL / TLS Versions Supported
Synopsis
The remote service encrypts communications.
Description
This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/01, Modification date: 2014/04/14
Hosts
192.168.222.58 (tcp/443)
This port supports SSLv2/SSLv3/TLSv1.0.
192.168.222.60 (tcp/25)
This port supports SSLv2/SSLv3/TLSv1.0.
192.168.222.64 (tcp/443)
This port supports SSLv2/SSLv3/TLSv1.0.
57041 (3) - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/07, Modification date: 2012/04/02
Hosts
192.168.222.58 (tcp/443)
Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.60 (tcp/25)
Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.64 (tcp/443)
Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
58768 (3) - SSL Resume With Different Cipher Issue
Synopsis
The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.
Description
The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to manipulate session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/04/17, Modification date: 2012/04/17
Hosts
192.168.222.58 (tcp/443)
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :
Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
192.168.222.60 (tcp/25)
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :
Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
192.168.222.64 (tcp/443)
The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
62563 (3) - SSL Compression Methods Supported
Synopsis
The remote service supports one or more compression methods for SSL connections.
Description
This script detects which compression methods are supported by the remote service for SSL connections.
See Also
http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml
http://tools.ietf.org/html/rfc3749
http://tools.ietf.org/html/rfc3943
http://tools.ietf.org/html/rfc5246
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/10/16, Modification date: 2013/10/18
Hosts
192.168.222.58 (tcp/443)
Nessus was able to confirm that the following compression method is supported by the target : NULL (0x00)
192.168.222.60 (tcp/25)
Nessus was able to confirm that the following compression methods are supported by the target : NULL (0x00) DEFLATE (0x01)
192.168.222.64 (tcp/443)
Nessus was able to confirm that the following compression methods are supported by the target : NULL (0x00) DEFLATE (0x01)
70544 (3) - SSL Cipher Block Chaining Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones.
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://www.nessus.org/u?cc4a822a
http://www.openssl.org/~bodo/tls-cbc.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/22, Modification date: 2013/10/22
Hosts
192.168.222.58 (tcp/443)
Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 [...]
192.168.222.60 (tcp/25)
Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=M [...]
192.168.222.64 (tcp/443)
Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA-CBC(128) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1 [...]
10092 (2) - FTP Server Detection
Synopsis
An FTP server is listening on this port.
Description
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/02/24
Hosts
192.168.222.60 (tcp/21)
The remote FTP banner is : 220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.222.60]
192.168.222.64 (tcp/21)
The remote FTP banner is : 220 FileZilla Server version 0.9.33 beta written by Tim Kosse ([email protected]) Please visit http://sourceforge.
10263 (2) - SMTP Server Detection
Synopsis
An SMTP server is listening on the remote port.
Description
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/11
Hosts
192.168.222.60 (tcp/25)
Remote SMTP server banner : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
192.168.222.64 (tcp/25)
Remote SMTP server banner : 220 localhost ESMTP server ready.
10395 (2) - Microsoft Windows SMB Shares Enumeration
Synopsis
It is possible to enumerate remote network shares.
Description
By connecting to the remote host, Nessus was able to enumerate the network share names.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2012/11/29
Hosts
192.168.222.60 (tcp/445)
Here are the SMB shares available on the remote host when logged as a NULL session:
- print$
- tmp
- opt
- IPC$
- ADMIN$
192.168.222.63 (tcp/445)
Here are the SMB shares available on the remote host when logged as plrsongc:
- IPC$
- ADMIN$
- C$
10859 (2) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis
It is possible to obtain the host SID for the remote host.
Description
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier).
The host SID can then be used to get the list of local users.
See Also
http://technet.microsoft.com/en-us/library/bb418944.aspx
Solution
You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value.
Refer to the 'See also' section for guidance.
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Hosts
192.168.222.60 (tcp/445)
The remote host SID value is : 1-5-21-1042354039-2475377354-766472396
The value of 'RestrictAnonymous' setting is : unknown
192.168.222.63 (tcp/445)
The remote host SID value is : 1-5-21-796845957-484061587-682003330
The value of 'RestrictAnonymous' setting is : unknown
10860 (2) - SMB Use Host SID to Enumerate Local Users
Synopsis
It is possible to enumerate local users.
Description
Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Hosts
192.168.222.60 (tcp/445)
- Administrator (id 500, Administrator account)
- nobody (id 501, Guest account)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- bin (id 1004)
- bin (id 1005)
- sys (id 1006)
- sys (id 1007)
- sync (id 1008)
- adm (id 1009)
- games (id 1010)
- tty (id 1011)
- man (id 1012)
- disk (id 1013)
- lp (id 1014)
- lp (id 1015)
- mail (id 1016)
- mail (id 1017)
- news (id 1018)
- news (id 1019)
- uucp (id 1020)
- uucp (id 1021)
- man (id 1025)
- proxy (id 1026)
- proxy (id 1027)
- kmem (id 1031)
- dialout (id 1041)
- fax (id 1043)
- voice (id 1045)
- cdrom (id 1049)
- floppy (id 1051)
- tape (id 1053)
- sudo (id 1055)
- audio (id 1059)
- dip (id 1061)
- www-data (id 1066)
- www-data (id 1067)
- backup (id 1068)
- backup (id 1069)
- operator (id 1075)
- list (id 1076)
- list (id 1077)
- irc (id 1078)
- irc (id 1079)
- src (id 1081)
- gnats (id 1082)
- gnats (id 1083)
- shadow (id 1085)
- utmp (id 1087)
- video (id 1089)
- sasl (id 1091)
- plugdev (id 1093)
- staff (id 1101)
- games (id 1121)
- libuuid (id 1200)

Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for this plugin, then re-run the scan.
192.168.222.63 (tcp/445)
- Administrator (id 500, Administrator account) - Gast (id 501, Guest account) - Hilfeassistent (id 1000) - Hilfedienstgruppe (id 1001) - SUPPORT_388945a0 (id 1002) - sysadmin (id 1003) - ASPNET (id 1004) Note that, in addition to the Administrator and Guest accounts, Nessushas enumerated only those local users with IDs between 1000 and 1200.To use a different range, edit the scan policy and change the 'StartUID' and/or 'End UID' preferences for this plugin, then re-run thescan.
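How the SID-based enumeration above works, as an added example (this is not code from the Nessus report or from any Nessus plugin): the host SID reported by plugin 10859 is extended with a relative identifier (RID), and the resulting SIDs are handed back to the host for name resolution over the same null session (the LsarLookupSids RPC). RID 500 and 501 are the built-in Administrator and Guest accounts; 1000 to 1200 is the plugin's default window. The binary SID layout and the RID walk are standard; the decoding helper rests on Samba 3's documented algorithmic mapping (RID = 2*uid + 1000 for users, 2*gid + 1001 for groups), which is an assumption about the target rather than something the report states, but it explains why the 192.168.222.60 listing shows names in pairs (root 1000/1001, www-data 1066/1067, sudo 1055): every odd RID above the base is a Unix group, not a user. The host SIDs are taken from the report; nothing is sent on the network.

```python
import struct

# Host SIDs as printed by plugin 10859 above (report data, not assumptions).
HOST_SIDS = {
    "192.168.222.60": "1-5-21-1042354039-2475377354-766472396",
    "192.168.222.63": "1-5-21-796845957-484061587-682003330",
}


def normalize_sid(text):
    """Nessus prints the SID without the leading 'S-'; put it back."""
    text = text.strip()
    return text if text.upper().startswith("S-") else "S-" + text


def sid_to_bytes(sid):
    """Encode a textual SID (S-R-A-S1-...-Sn) as the binary SID structure an
    LsarLookupSids request carries: revision (1 byte), sub-authority count
    (1 byte), 48-bit identifier authority big-endian, then each sub-authority
    as a 32-bit little-endian integer."""
    parts = normalize_sid(sid).split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 < len(subs) <= 15:
        raise ValueError("sub-authority count out of range")
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    """Decode the binary SID structure back to its textual form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def candidate_sids(host_sid, start_uid=1000, end_uid=1200, well_known=(500, 501)):
    """The SIDs plugin 10860 asks the host to resolve: the built-in Administrator
    (RID 500) and Guest (RID 501), then the configurable Start UID..End UID window."""
    base = normalize_sid(host_sid)
    for rid in list(well_known) + list(range(start_uid, end_uid + 1)):
        yield "%s-%d" % (base, rid)


def samba_rid_to_unix(rid, base=1000):
    """Invert Samba 3's algorithmic RID mapping (assumed from Samba's documented
    behaviour, not stated in the report): rid = 2*uid + base for users and
    2*gid + base + 1 for groups. Returns ('uid', n), ('gid', n), or None for
    well-known RIDs below the base."""
    if rid < base:
        return None
    offset = rid - base
    return ("gid", offset // 2) if offset % 2 else ("uid", offset // 2)


def split_samba_listing(entries, base=1000):
    """Separate a plugin 10860 listing (iterable of (name, rid)) into the real
    user accounts and the Unix groups that the mapping above exposes as 'users'."""
    users, groups = {}, {}
    for name, rid in entries:
        kind = samba_rid_to_unix(rid, base)
        if kind is None or kind[0] == "uid":
            users[name] = rid
        else:
            groups[name] = rid
    return users, groups
```

With the mapping applied to the 192.168.222.60 listing, the real accounts are Administrator, nobody and the even RIDs (root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, libuuid); everything else is a group and is not a login target.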
11002 (2) - DNS Server Detection
Synopsis
A DNS server is listening on the remote host.
Description
The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.
See Also
http://en.wikipedia.org/wiki/Domain_Name_System
Solution
Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.
Risk Factor
None
Plugin Information:
Publication date: 2003/02/13, Modification date: 2013/05/07
Hosts
192.168.222.60 (tcp/53)
192.168.222.60 (udp/53)
11154 (2) - Unknown Service Detection: Banner Retrieval
Synopsis
There is an unknown service running on the remote host.
Description
Nessus was unable to identify a service on the remote host even though it returned a banner of some type.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/11/18, Modification date: 2014/04/10
Hosts
192.168.222.62 (tcp/9999)
If you know what this service is and think the banner could be used to identify it, please send a description of the service along with the following output to [email protected] :
Port : 9999
Type : spontaneous
Banner :
0x0000: 5F 7C 20 20 20 20 20 20 20 20 20 20 20 20 20 20 _|
0x0010: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 5F 7C _|
0x0020: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
*
0x0040: 20 20 20 20 20 20 20 20 0A 5F 7C 5F 7C 5F 7C 20 ._|_|_|
0x0050: 20 20 20 5F 7C 20 20 5F 7C 5F 7C 20 20 20 20 5F _| _|_| _
0x0060: 7C 5F 7C 5F 7C 20 20 20 20 20 20 5F 7C 5F 7C 5F |_|_| _|_|_
0x0070: 7C 20 20 20 20 5F 7C 5F 7C 5F 7C 20 20 20 20 20 | _|_|_|
0x0080: 20 5F 7C 5F 7C 5F 7C 20 20 5F 7C 5F 7C 5F 7C 20 _|_|_| _|_|_|
0x0090: 20 0A 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C 5F 7C ._| _| _|_|
0x00A0: 20 20 20 20 20 20 5F 7C 20 20 20 20 5F 7C 20 20 _| _|
0x00B0: 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C _| _| _| _|
0x00C0: 20 20 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C _| _| _|
0x00D0: 20 20 5F 7C 20 20 20 20 5F 7C 0A 5F 7C 20 20 20 _| _|._|
0x00E0: 20 5F 7C 20 20 5F 7C 20 20 20 20 20 20 20 20 5F _| _| _
0x00F0: 7C 20 20 20 20 5F 7C 20 20 5F 7C 20 20 5F 7C 20 | _| _| _|
0x0100: 20 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 _| _| _|
0x0110: 20 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C 20 20 20 _| _| _|
0x0120: 20 5F 7C 0A 5F 7C 5F 7C 5F 7C 20 20 20 20 5F 7C _|._|_|_| _|
0x0130: 20 20 20 20 20 20 20 20 20 20 5F 7C 5F 7C 5F 7C _|_|_|
0x0140: 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 20 _| _| _|
0x0150: 5F 7C 5F 7C 5F 7C 20 20 20 [...]
192.168.222.64 (tcp/79)
If you know what this service is and think the banner could be used to identify it, please send a description of the service along with the following output to [email protected] :
Port : 79
Type : get_http
Banner :
0x00: 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 20 69 GET / HTTP/1.0 i
0x10: 73 20 6E 6F 74 20 6B 6E 6F 77 6E 20 61 74 20 74 s not known at t
0x20: 68 69 73 20 73 69 74 65 2E 0D 0A his site...
11424 (2) - WebDAV Detection
Synopsis
The remote server is running with WebDAV enabled.
Description
WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it.
Solution
http://support.microsoft.com/default.aspx?kbid=241520
Risk Factor
None
Plugin Information:
Publication date: 2003/03/20, Modification date: 2011/03/14
Hosts
192.168.222.64 (tcp/80)
192.168.222.64 (tcp/443)
26917 (2) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis
Nessus is not able to access the remote Windows Registry.
Description
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/10/04, Modification date: 2011/03/27
Hosts
192.168.222.64 (tcp/445)
Could not connect to the registry because: Could not connect to \winreg
192.168.222.65 (tcp/445)
Could not connect to the registry because: Could not connect to \winreg
57323 (2) - OpenSSL Version Detection
Synopsis
The version of OpenSSL can be identified.
Description
The version of OpenSSL could be extracted from the web server's banner. Note that in many cases, security patches are backported and the displayed version number does not show the patch level. Using it to identify vulnerable software is likely to lead to false detections.
See Also
http://www.openssl.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/16, Modification date: 2011/12/16
Hosts
192.168.222.64 (tcp/80)
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Version (from banner) : 0.9.8l
192.168.222.64 (tcp/443)
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Version (from banner) : 0.9.8l
10028 (1) - DNS Server BIND version Directive Remote Version Detection
Synopsis
It is possible to obtain the version number of the remote DNS server.
Description
The remote host is running BIND or another DNS server that reports its version number when it receives a special request for the text 'version.bind' in the domain 'chaos'. This version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.
Solution
It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section in named.conf.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/03/03
Hosts
192.168.222.60 (udp/53)
Version : 9.4.2
10185 (1) - POP Server Detection
Synopsis
A POP server is listening on the remote port.
Description
The remote host is running a server that understands the Post Office Protocol (POP), used by email clients to retrieve messages from a server, possibly across a network link.
See Also
http://en.wikipedia.org/wiki/Post_Office_Protocol
Solution
Disable this service if you do not use it.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/11
Hosts
192.168.222.64 (tcp/110)
Remote POP server banner : +OK <446450135.25783@localhost>, POP3 server ready.
10223 (1) - RPC portmapper Service Detection
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
References
CVE CVE-1999-0632
Plugin Information:
Publication date: 1999/08/19, Modification date: 2014/02/19
Hosts
192.168.222.58 (udp/111)
10281 (1) - Telnet Server Detection
Synopsis
A Telnet server is listening on the remote port.
Description
The remote host is running a Telnet server, a remote terminal server.
Solution
Disable this service if you do not use it.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/01/29
Hosts
192.168.222.60 (tcp/23)
Here is the banner from the remote Telnet server :
------------------------------ snip ------------------------------
Ubuntu 8.04 metasploitable login:
------------------------------ snip ------------------------------
10400 (1) - Microsoft Windows SMB Registry Remotely Accessible
Synopsis
Access the remote Windows Registry.
Description
It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2013/01/07
Hosts
192.168.222.63 (tcp/445)
10428 (1) - Microsoft Windows SMB Registry Not Fully Accessible Detection
Synopsis
Nessus had insufficient access to the remote registry.
Description
Nessus did not access the remote registry completely, because full administrative rights are required. If you want the permissions / values of all the sensitive registry keys to be checked, we recommend that you complete the 'SMB Login' options in the 'Windows credentials' section of the policy with the administrator login name and password.
Solution
Use an administrator level account for scanning.
Risk Factor
None
Plugin Information:
Publication date: 2000/05/29, Modification date: 2014/02/27
Hosts
192.168.222.63 (tcp/445)
10719 (1) - MySQL Server Detection
Synopsis
A database server is listening on the remote port.
Description
The remote host is running MySQL, an open source database server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/13, Modification date: 2013/01/07
Hosts
192.168.222.60 (tcp/3306)
Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
CLIENT_LONG_FLAG (Get all column flags)
CLIENT_CONNECT_WITH_DB (One can specify db on connect)
CLIENT_COMPRESS (Can use compression protocol)
CLIENT_PROTOCOL_41 (New 4.1 protocol)
CLIENT_SSL (Switch to SSL after handshake)
CLIENT_TRANSACTIONS (Client knows about transactions)
CLIENT_SECURE_CONNECTION (New 4.1 authentication)
10884 (1) - Network Time Protocol (NTP) Server Detection
Synopsis
An NTP server is listening on the remote host.
Description
An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/13, Modification date: 2011/03/11
Hosts
192.168.222.63 (udp/123)
11040 (1) - HTTP Reverse Proxy Detection
Synopsis
A transparent or reverse HTTP proxy is running on this port.
Description
This web server is reachable through a reverse HTTP proxy.
Solution
n/a
Risk Factor
None
STIG Severity
II
References
CVE CVE-2004-2320
CVE CVE-2005-3398
CVE CVE-2005-3498
CVE CVE-2007-3008
XREF IAVT:2005-T-0043
XREF CWE:200
XREF CWE:79
Plugin Information:
Publication date: 2002/07/02, Modification date: 2012/08/18
Hosts
192.168.222.100 (tcp/3128)
The GET method revealed those proxies on the way to this web server :
HTTP/1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
11153 (1) - Service Detection (HELP Request)
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives a 'HELP' request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/11/18, Modification date: 2014/04/10
Hosts
192.168.222.60 (tcp/3306)
A MySQL server is running on this port.
11414 (1) - IMAP Service Banner Retrieval
Synopsis
An IMAP server is running on the remote host.
Description
An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/03/18, Modification date: 2011/03/16
Hosts
192.168.222.64 (tcp/143)
The remote IMAP server banner is :
* OK localhost IMAP4rev1 Mercury/32 v4.72 server ready.
11422 (1) - Web Server Unconfigured - Default Install Page Present
Synopsis
The remote web server is not configured or is not properly configured.
Description
The remote web server uses its default welcome page. It probably means that this server is not used at all or is serving content that is meant to be hidden.
Solution
Disable this service if you do not use it.
Risk Factor
None
References
XREF OSVDB:3233
Plugin Information:
Publication date: 2003/03/20, Modification date: 2013/11/18
Hosts
192.168.222.60 (tcp/8180)
The default welcome page is from Tomcat.
13855 (1) - Microsoft Windows Installed Hotfixes
Synopsis
It is possible to enumerate installed hotfixes on the remote Windows host.
Description
Using the supplied credentials, Nessus was able to log into the remote Windows host, enumerate installed hotfixes, and store them in its knowledge base for other plugins to use.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/07/30, Modification date: 2014/02/12
Hosts
192.168.222.63 (tcp/0)
The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled.
Solution : Configure the account you are using to get the ability to connect to ADMIN$
14773 (1) - Service Detection: 3 ASCII Digit Code Responses
Synopsis
This plugin performs service detection.
Description
This plugin is a complement of find_service1.nasl. It attempts to identify services that return 3 ASCII digit codes (i.e. FTP, SMTP, NNTP, ...).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/09/17, Modification date: 2011/08/16
Hosts
192.168.222.64 (tcp/21)
An FTP server is running on this port
17651 (1) - Microsoft Windows SMB : Obtains the Password Policy
Synopsis
It is possible to retrieve the remote host's password policy using the supplied credentials.
Description
Using the supplied credentials it was possible to extract the password policy for the remote Windows host. The password policy must conform to the Informational System Policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/03/30, Modification date: 2011/03/04
Hosts
192.168.222.60 (tcp/445)
The following password policy is defined on the remote host:
Minimum password len: 5
Password history len: 0
Maximum password age (d): No limit
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0
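What these values mean for an attacker, as an added example that is not part of the report: a parser for the plugin 17651 output above and a check of each setting against a baseline. The baseline numbers (12 characters, 24 remembered passwords, 90-day maximum age) are assumptions for illustration, not requirements the report states. The setting that changes the picture most is the lockout threshold: 0 means failed logons never lock the account, so the 1800-second lockout duration listed above is never applied and online password guessing against this host is unthrottled.

```python
# Policy lines as printed by plugin 17651 for 192.168.222.60 (transcribed from the report).
SAMPLE_POLICY = """\
Minimum password len: 5
Password history len: 0
Maximum password age (d): No limit
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0
"""


def parse_policy(text):
    """Turn the plugin's 'Key: value' lines into a dict. Values stay strings
    because Nessus prints words such as 'No limit' and 'Not set'."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            policy[key.strip()] = value.strip()
    return policy


def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None          # missing key or a non-numeric word


# Baseline values are illustrative assumptions, not requirements stated in the report.
def assess_policy(policy, min_length=12, history=24, max_age_days=90):
    """Return short finding tags for settings weaker than the baseline.
    A lockout threshold of 0 (or absent) means failed logons never lock the
    account, so the lockout duration is irrelevant and online guessing is free."""
    findings = []
    n = _as_int(policy.get("Minimum password len"))
    if n is None or n < min_length:
        findings.append("min-length-below-%d" % min_length)
    if policy.get("Password must meet complexity requirements", "").lower() != "enabled":
        findings.append("complexity-disabled")
    n = _as_int(policy.get("Password history len"))
    if n is None or n < history:
        findings.append("history-below-%d" % history)
    n = _as_int(policy.get("Maximum password age (d)"))
    if n is None or n > max_age_days:
        findings.append("no-expiry")
    n = _as_int(policy.get("Number of invalid logon before locked out (s)"))
    if n is None or n == 0:
        findings.append("no-lockout")
    return findings
```

For this host every check fires; the same function returns an empty list for a policy that sets a minimum length, complexity, history, expiry and a non-zero lockout threshold.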
20108 (1) - Web Server / Application favicon.ico Vendor Fingerprinting
Synopsis
The remote web server contains a graphic image that is prone to information disclosure.
Description
The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may be used to fingerprint the web server.
Solution
Remove the 'favicon.ico' file or create a custom one for your site.
Risk Factor
None
References
XREF OSVDB:39272
Plugin Information:
Publication date: 2005/10/28, Modification date: 2013/12/20
Hosts
192.168.222.60 (tcp/8180)
The MD5 fingerprint for 'favicon.ico' suggests the web server is Apache Tomcat or Alfresco Community.
21186 (1) - AJP Connector Detection
Synopsis
There is an AJP connector listening on the remote host.
Description
The remote host is running an AJP (Apache JServ Protocol) connector, a service by which a standalone web server such as Apache communicates over TCP with a Java servlet container such as Tomcat.
See Also
http://tomcat.apache.org/connectors-doc/
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/04/05, Modification date: 2011/03/11
Hosts
192.168.222.60 (tcp/8009)
The connector listening on this port supports the ajp13 protocol.
21745 (1) - Authentication Failure - Local Checks Not Run
Synopsis
The local security checks are disabled.
Description
Local security checks have been disabled for this host because either the credentials supplied in the scan policy did not allow Nessus to log into it or some other problem occurred.
Solution
Address the problem(s) so that local security checks are enabled.
Risk Factor
None
Plugin Information:
Publication date: 2006/06/23, Modification date: 2013/05/23
Hosts
192.168.222.63 (tcp/0)
The local checks failed because :
the account used does not have sufficient privileges to read all the required registry entries
25240 (1) - Samba Server Detection
Synopsis
An SMB server is running on the remote host.
Description
The remote host is running Samba, a CIFS/SMB server for Linux and Unix.
See Also
http://www.samba.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2013/01/07
Hosts
192.168.222.60 (tcp/445)
The remote host tries to hide its SMB server type by changing the MAC address and the LAN manager name. However by sending several valid and invalid RPC requests it was possible to fingerprint the remote SMB server as Samba.
26024 (1) - PostgreSQL Server Detection
Synopsis
A database service is listening on the remote host.
Description
The remote service is a PostgreSQL database server, or a derivative such as EnterpriseDB.
See Also
http://www.postgresql.org/
Solution
Limit incoming traffic to this port if desired.
Risk Factor
None
Plugin Information:
Publication date: 2007/09/14, Modification date: 2013/02/14
Hosts
192.168.222.60 (tcp/5432)
35371 (1) - DNS Server hostname.bind Map Hostname Disclosure
Synopsis
The DNS server discloses the remote host name.
Description
It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOS domain.
Solution
It may be possible to disable this feature. Consult the vendor's documentation for more information.
Risk Factor
None
Plugin Information:
Publication date: 2009/01/15, Modification date: 2011/09/14
Hosts
192.168.222.60 (udp/53)
The remote host name is : metasploitable
39446 (1) - Apache Tomcat Default Error Page Version Detection
Synopsis
The remote web server reports its version number on error pages.
Description
Apache Tomcat appears to be running on the remote host and reporting its version number on the default error pages. A remote attacker could use this information to mount further attacks.
See Also
http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6
http://jcp.org/en/jsr/detail?id=315
Solution
Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the Java Servlet Specification for more information.
Risk Factor
None
Plugin Information:
Publication date: 2009/06/18, Modification date: 2013/05/15
Hosts
192.168.222.60 (tcp/8180)
Nessus found the following version information on an Apache Tomcat 404 page or in the HTTP Server header :
Source : <title>Apache Tomcat/5.5
Version : 5.5
39519 (1) - Backported Security Patch Detection (FTP)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote FTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Hosts
192.168.222.60 (tcp/21)
Give Nessus credentials to perform local checks.
42088 (1) - SMTP Service STARTTLS Command Support
Synopsis
The remote mail service supports encrypting traffic.
Description
The remote SMTP service supports the use of the 'STARTTLS' command to switch from a plaintext to an encrypted communications channel.
See Also
http://en.wikipedia.org/wiki/STARTTLS
http://tools.ietf.org/html/rfc2487
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/10/09, Modification date: 2011/12/14
Hosts
192.168.222.60 (tcp/25)
Here is the SMTP service's SSL certificate that Nessus was able to collect after sending a 'STARTTLS' command :
------------------------------ snip ------------------------------
Subject Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: [email protected]
Issuer Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: [email protected]
Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT
Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9 7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24 73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF 8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E 98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97 00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01
Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A 0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F 1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49 68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68 83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53 A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C 15 6E 8D 30 38 F6 CA 2E 75
------------------------------ snip --------- [...]
42410 (1) - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on tcp port 445 and replies to SMB requests. By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name of its domain.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/11/06, Modification date: 2011/03/27
Hosts
192.168.222.60 (tcp/445)
The following 2 NetBIOS names have been gathered :
METASPLOITABLE = Computer name
METASPLOITABLE = Workgroup / Domain name
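The NTLMSSP exchange this plugin relies on, as an added example (not code from the report or from Nessus): a server that receives an NTLM NEGOTIATE_MESSAGE answers with a CHALLENGE_MESSAGE (Type 2) whose TargetName field and TargetInfo AV_PAIR list carry the NetBIOS computer and domain names, before any credential has been presented. The layout below follows MS-NLMP. The sample message is constructed here to mirror the two names the plugin reported for 192.168.222.60; it was not captured from the host, and the code does not speak SMB itself (obtaining the real message means sending the NEGOTIATE inside an SMB Session Setup request).

```python
import struct

# AV_PAIR identifiers from MS-NLMP (TargetInfo).
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN, AV_DNS_COMPUTER, AV_DNS_DOMAIN, AV_DNS_TREE = 0, 1, 2, 3, 4, 5
AV_NAMES = {
    AV_NB_COMPUTER: "NetBIOS computer name",
    AV_NB_DOMAIN: "NetBIOS domain name",
    AV_DNS_COMPUTER: "DNS computer name",
    AV_DNS_DOMAIN: "DNS domain name",
    AV_DNS_TREE: "DNS tree name",
}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000
FIXED_LEN = 48   # CHALLENGE_MESSAGE without the optional Version field


def _fields(length, offset):
    """Len / MaxLen / BufferOffset triple used for variable-length fields."""
    return struct.pack("<HHI", length, length, offset)


def build_challenge(target, av_pairs, challenge=b"\x11" * 8):
    """Assemble a CHALLENGE_MESSAGE the way a server would (used here only to
    produce a sample; the names are constructed, not captured)."""
    target_u = target.encode("utf-16-le")
    info = b"".join(struct.pack("<HH", av_id, len(v.encode("utf-16-le"))) + v.encode("utf-16-le")
                    for av_id, v in av_pairs)
    info += struct.pack("<HH", AV_EOL, 0)
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_TARGET_INFO
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += _fields(len(target_u), FIXED_LEN)
    msg += struct.pack("<I", flags)
    msg += challenge + b"\x00" * 8                      # ServerChallenge, Reserved
    msg += _fields(len(info), FIXED_LEN + len(target_u))
    return msg + target_u + info


def parse_challenge(msg):
    """Extract TargetName, flags, the 8-byte challenge and the TargetInfo names."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    t_len, _, t_off = struct.unpack_from("<HHI", msg, 12)
    flags = struct.unpack_from("<I", msg, 20)[0]
    challenge = msg[24:32]
    i_len, _, i_off = struct.unpack_from("<HHI", msg, 40)
    charset = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"  # OEM fallback
    result = {
        "target_name": msg[t_off:t_off + t_len].decode(charset),
        "flags": flags,
        "challenge": challenge.hex(),
        "target_info": {},
    }
    pos, end = i_off, i_off + i_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:                    # names are always UTF-16LE
            result["target_info"][AV_NAMES[av_id]] = value.decode("utf-16-le")
    return result


# Constructed to mirror the plugin 42410 result for 192.168.222.60.
SAMPLE_CHALLENGE = build_challenge(
    "METASPLOITABLE",
    [(AV_NB_DOMAIN, "METASPLOITABLE"), (AV_NB_COMPUTER, "METASPLOITABLE")],
)
```

The names arrive in the clear even when the subsequent authentication fails, which is why the finding needs no credentials; the same parser applies to the NTLM challenge inside an HTTP `WWW-Authenticate: NTLM` header once the base64 is decoded.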
45609 (1) - Internet Cache Protocol (ICP) Version 2 Detection
Synopsis
An HTTP caching service is listening on the remote port.
Description
The remote service supports version 2 of the Internet Cache Protocol (ICP), used for communicating between web caches.
See Also
http://tools.ietf.org/html/rfc2186
Solution
Limit access to this port if desired.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/23, Modification date: 2011/03/11
Hosts
192.168.222.100 (udp/3130)
50845 (1) - OpenSSL Detection
Synopsis
The remote service appears to use OpenSSL to encrypt traffic.
Description
Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
See Also
http://www.openssl.org
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/11/30, Modification date: 2013/10/18
Hosts
192.168.222.64 (tcp/443)
53335 (1) - RPC portmapper (TCP)
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/04/08, Modification date: 2011/08/29
Hosts
192.168.222.58 (tcp/111)
53360 (1) - SSL Server Accepts Weak Diffie-Hellman Keys
Synopsis
The remote SSL/TLS server accepts a weak Diffie-Hellman public value.
Description
The remote SSL/TLS server accepts a weak Diffie-Hellman (DH) public key value. This flaw may aid an attacker in conducting a man-in-the-middle (MiTM) attack against the remote server since it could enable a forced calculation of a fully predictable Diffie-Hellman secret. By itself, this flaw is not sufficient to set up a MiTM attack (hence a risk factor of 'none'), as it would require some SSL implementation flaws to affect one of the clients connecting to the remote host.
See Also
http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
http://polarssl.org/trac/wiki/SecurityAdvisory201101
Solution
OpenSSL is affected when compiled in FIPS mode. To resolve this issue, either upgrade to OpenSSL 1.0.0, disable FIPS mode or configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges. PolarSSL is affected. To resolve this issue, upgrade to version 0.99-pre3 / 0.14.2 or higher. If using any other SSL implementation, configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges or contact your vendor for a patch.
Risk Factor
None
References
XREF OSVDB:70945
XREF OSVDB:71845
Plugin Information:
Publication date: 2011/04/11, Modification date: 2014/01/19
Hosts
192.168.222.58 (tcp/443)
It was possible to complete a full SSL handshake by sending a DH key with a value of 1.
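Why a Diffie-Hellman public value of 1 matters, as an added example (not part of the report): the shared secret is y^x mod p, so a peer that accepts y = 1 computes 1 whatever its private exponent x is, and y = p - 1 gives +1 or -1. A conforming implementation rejects those values before exponentiating and, when the subgroup order q is known, also checks y^q = 1 mod p so that values outside the intended subgroup (small-subgroup confinement) are refused, which is the validation RFC 2631 describes. The group below (p = 23, q = 11, g = 4) is a toy safe-prime group chosen so the arithmetic stays readable; it is an illustration, not a group used by any server in the report, and the same functions work unchanged with a real 2048-bit group.

```python
import secrets

# Toy safe-prime group for illustration only (assumption, not a group from the
# report): p = 2q + 1 with p = 23, q = 11, and g = 4 generating the order-q subgroup.
P, Q, G = 23, 11, 4


def validate_dh_public(y, p, q=None):
    """Reject public values that force a predictable secret: 1 < y < p - 1
    excludes 0, 1 and p - 1 (secrets 0, 1 or +-1 for every exponent); when q is
    known, y**q mod p == 1 excludes values outside the order-q subgroup."""
    if not 1 < y < p - 1:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def dh_shared_secret(peer_public, private, p, q=None):
    """Hardened derivation: refuse an invalid peer value instead of using it."""
    if not validate_dh_public(peer_public, p, q):
        raise ValueError("invalid Diffie-Hellman public value: %d" % peer_public)
    return pow(peer_public, private, p)


def unchecked_shared_secret(peer_public, private, p):
    """What the reported server does: exponentiate whatever the client sent."""
    return pow(peer_public, private, p)


def generate_keypair(p=P, q=Q, g=G):
    """Private exponent in [1, q-1] and the matching public value g**x mod p."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def forced_secret_demo(p=P):
    """The set of secrets an unchecked server derives from y = 1 across every
    possible private exponent; it collapses to {1}, so the attacker knows it."""
    return {unchecked_shared_secret(1, x, p) for x in range(1, p - 1)}
```

In the handshake Nessus describes, the server played the role of `unchecked_shared_secret`; `dh_shared_secret` is the behaviour the plugin's solution (a fixed library or a ciphersuite list without DH) restores.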
53513 (1) - Link-Local Multicast Name Resolution (LLMNR) Detection
Synopsis
The remote device supports LLMNR.
Description
The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions.
See Also
http://www.nessus.org/u?85beb421
http://technet.microsoft.com/en-us/library/bb878128.aspx
Solution
Make sure that use of this software conforms to your organization's acceptable use and security policies.
Risk Factor
None
Plugin Information:
Publication date: 2011/04/21, Modification date: 2012/03/05
Hosts
192.168.222.64 (udp/5355)
According to LLMNR, the name of the remote host is 'admin-PC'.
60119 (1) - Microsoft Windows SMB Share Permissions Enumeration
Synopsis
It is possible to enumerate the permissions of remote network shares.
Description
By using the supplied credentials, Nessus was able to enumerate the permissions of network shares. User permissions are enumerated for each network share that has a list of access control entries (ACEs).
See Also
http://technet.microsoft.com/en-us/library/bb456988.aspx
http://technet.microsoft.com/en-us/library/cc783530.aspx
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/07/25, Modification date: 2012/07/25
Hosts
192.168.222.60 (tcp/445)
Share path : \\METASPLOITABLE\print$
Local path : C:\var\lib\samba\printers
Comment : Printer Drivers
Share path : \\METASPLOITABLE\tmp
Local path : C:\tmp
Comment : oh noes!
Share path : \\METASPLOITABLE\opt
Local path : C:\tmp
Share path : \\METASPLOITABLE\IPC$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))
Share path : \\METASPLOITABLE\ADMIN$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))
72779 (1) - DNS Server Version Detection
Synopsis
Nessus was able to obtain version information on the remote DNS server.
Description
Nessus was able to obtain version information by sending a special TXT record query to the remote host. Note that this version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2014/03/03, Modification date: 2014/04/17
Hosts
192.168.222.60 (udp/53)
DNS server answer for "version.bind" : 9.4.2
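The CHAOS-class query behind plugins 10028, 35371 and 72779 above and the LLMNR lookup of plugin 53513 share one wire format, so one added example covers both (this is not code from the report or from Nessus): a builder for `version.bind` / `hostname.bind` TXT queries in class CH and for an LLMNR A query, plus a parser that pulls the TXT strings out of a reply. The reply bytes are constructed to mirror the 9.4.2 answer reported for 192.168.222.60, not captured from the host; sending is left to the caller (a UDP datagram to port 53, or to the multicast group 224.0.0.252 on port 5355 for LLMNR).

```python
import secrets
import struct

QTYPE_A, QTYPE_TXT = 1, 16
QCLASS_IN, QCLASS_CH = 1, 3
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355


def encode_name(name):
    """DNS label encoding: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, qclass, txid=None, rd=True):
    """12-byte header plus one question. LLMNR (RFC 4795) reuses this format
    with RD clear; only the transport differs."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, qclass)


def chaos_query(name="version.bind", txid=None):
    """The probe plugins 10028/72779 send; use 'hostname.bind' for plugin 35371."""
    return build_query(name, QTYPE_TXT, QCLASS_CH, txid)


def llmnr_query(hostname, txid=None):
    """A single-label A query as a Windows host would answer over LLMNR."""
    return build_query(hostname, QTYPE_A, QCLASS_IN, txid, rd=False)


def _read_name(msg, pos):
    """Read a possibly compressed name; returns (name, position after it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # compression pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = pos + 2
            pos = struct.unpack_from(">H", msg, pos)[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), (pos if end is None else end)


def parse_txt_answers(msg):
    """Return (owner, class, [strings]) for each TXT record in the answer
    section. A non-zero RCODE (REFUSED is what BIND returns once the version
    is hidden) yields an empty list."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", msg, 0)
    if flags & 0x000F:
        return []
    pos = 12
    for _ in range(qdcount):
        _, pos = _read_name(msg, pos)
        pos += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, pos = _read_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, pos)
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if rtype == QTYPE_TXT:
            strings, i = [], 0
            while i < len(rdata):                  # <len><chars> repeated
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            answers.append((owner, rclass, strings))
    return answers


def _txt_rdata(*strings):
    return b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)


# Constructed reply mirroring "version.bind -> 9.4.2"; not captured from the host.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)      # QR|AA, 1 question, 1 answer
    + encode_name("version.bind") + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)
    + b"\xc0\x0c"                                           # owner: pointer to offset 12
    + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, 6)
    + _txt_rdata("9.4.2")
)
```

To send, hand `chaos_query()` to a UDP socket aimed at 192.168.222.60:53 and feed the datagram that comes back to `parse_txt_answers`. On the server side, the plugin 10028 solution corresponds to `version "none";` in the `options` block of named.conf; BIND 9 has a matching `hostname "none";` for the hostname.bind lookup of plugin 35371, and with either set the server answers REFUSED, which this parser reports as an empty list.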