Scan Ubuntu With OSSEC + Postfix Prepare For PCI-DSS 0unmp9
Table Of Contents
Hosts Summary (Executive) (page 3)
  10.42.14.159 (page 4)
Vulnerabilities By Host (page 5)
  10.42.14.159 (page 6)
Vulnerabilities By Plugin (page 20)
  11229 (1) - Web Server info.php / phpinfo.php Detection (page 21)
  12213 (1) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS (page 22)
  62101 (1) - Apache 2.2 < 2.2.23 Multiple Vulnerabilities (page 24)
  64912 (1) - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities (page 25)
  67140 (1) - OpenSSH LoginGraceTime / MaxStartups DoS (page 26)
  68915 (1) - Apache 2.2 < 2.2.25 Multiple Vulnerabilities (page 27)
  11219 (2) - Nessus SYN scanner (page 28)
  22964 (2) - Service Detection (page 29)
  10107 (1) - HTTP Server Type and Version (page 30)
  10114 (1) - ICMP Timestamp Request Remote Date Disclosure (page 31)
  10267 (1) - SSH Server Type and Version Information (page 32)
  10287 (1) - Traceroute Information (page 33)
  10662 (1) - Web mirroring (page 34)
  10881 (1) - SSH Protocol Versions Supported (page 35)
  11032 (1) - Web Server Directory Enumeration (page 36)
  11936 (1) - OS Identification (page 37)
  18261 (1) - Apache Banner Linux Distribution Disclosure (page 38)
  19506 (1) - Nessus Scan Information (page 39)
  24260 (1) - HyperText Transfer Protocol (HTTP) Information (page 40)
  25220 (1) - TCP/IP Timestamps Supported (page 41)
  43111 (1) - HTTP Methods Allowed (per directory) (page 42)
  45590 (1) - Common Platform Enumeration (CPE) (page 43)
  54615 (1) - Device Type (page 44)
  66334 (1) - Patch Report (page 45)
10.42.14.159 Summary
Critical  High  Medium  Low  Info  Total
0         0     6       0    18    24
Details
Severity      Plugin Id  Name
Medium (6.9)  62101      Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Medium (5.1)  68915      Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Medium (5.0)  11229      Web Server info.php / phpinfo.php Detection
Medium (5.0)  12213      TCP/IP Sequence Prediction Blind Reset Spoofing DoS
Medium (5.0)  67140      OpenSSH LoginGraceTime / MaxStartups DoS
Medium (4.3)  64912      Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Info          10107      HTTP Server Type and Version
Info          10114      ICMP Timestamp Request Remote Date Disclosure
Info          10267      SSH Server Type and Version Information
Info          10287      Traceroute Information
Info          10662      Web mirroring
Info          10881      SSH Protocol Versions Supported
Info          11032      Web Server Directory Enumeration
Info          11219      Nessus SYN scanner
Info          11936      OS Identification
Info          18261      Apache Banner Linux Distribution Disclosure
Info          19506      Nessus Scan Information
Info          22964      Service Detection
Info          24260      HyperText Transfer Protocol (HTTP) Information
Info          25220      TCP/IP Timestamps Supported
Info          43111      HTTP Methods Allowed (per directory)
Info          45590      Common Platform Enumeration (CPE)
Info          54615      Device Type
Info          66334      Patch Report
Vulnerabilities By Host
Host Information
IP: 10.42.14.159
OS: Linux Kernel 3.5 on Ubuntu 12.10 (quantal)
Results Summary
Critical  High  Medium  Low  Info  Total
0         0     6       0    20    26
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE: CVE-1999-0524
XREF: OSVDB:94
XREF: CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports icmp/0
The difference between the local and remote clocks is 1 second.
0/tcp
12213 - TCP/IP Sequence Prediction Blind Reset Spoofing DoS
Synopsis
It may be possible to send spoofed RST packets to the remote system.
Description
The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc).
See Also
https://downloads.avaya.com/elmodocs2/security/ASA-2006-217.htm
http://www.kb.cert.org/vuls/id/JARL-5ZQR4D
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55950
http://www-01.ibm.com/support/docview.wss?uid=isg1IY62006
http://www.juniper.net/support/security/alerts/niscc-236929.txt
http://technet.microsoft.com/en-us/security/bulletin/ms05-019
http://technet.microsoft.com/en-us/security/bulletin/ms06-064
http://www.kb.cert.org/vuls/id/JARL-5YGQ9G
http://www.kb.cert.org/vuls/id/JARL-5ZQR7H
http://www.kb.cert.org/vuls/id/JARL-5YGQAJ
http://www.nessus.org/u?9a548ae4
http://isc.sans.edu/diary.html?date=2004-04-20
Solution
Contact the vendor for a patch or mitigation advice.
Risk Factor
Medium
References
BID: 10183
CVE: CVE-2004-0230
XREF: OSVDB:4030
XREF: CERT:415294
XREF: EDB-ID:276
XREF: EDB-ID:291
Plugin Information:
Publication date: 2004/04/25, Modification date: 2012/12/28
25220 - TCP/IP Timestamps Supported
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
18261 - Apache Banner Linux Distribution Disclosure
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2013/08/10
Ports tcp/0
The linux - Ubuntu - Ubuntu - Ubuntu distribution detected was : 12.04 (precise) 12.10 (quantal) 13.04 (raring)
11936 - OS Identification
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2013/09/03
Ports tcp/0
Remote operating system : Linux Kernel 3.5 on Ubuntu 12.10 (quantal)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 3.5 on Ubuntu 12.10 (quantal)
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports tcp/0
Remote device type : general-purpose
Confidence level : 95
45590 - Common Platform Enumeration (CPE)
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2013/09/18
Ports tcp/0
The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:12.10 -> Canonical Ubuntu Linux 12.10
Following application CPE's matched on the remote system :
cpe:/a:openbsd:openssh:6.0 -> OpenBSD OpenSSH 6.0
cpe:/a:apache:http_server:2.2.22 -> Apache Software Foundation Apache HTTP Server 2.2.22
66334 - Patch Report
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
Solution
Install the patches listed below
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2013/09/13
Ports tcp/0
You need to take the following 2 actions:
[ OpenSSH LoginGraceTime / MaxStartups DoS (67140) ]
+ Action to take: Upgrade to OpenSSH 6.2 and review the associated server configuration settings.
[ Apache 2.2 < 2.2.25 Multiple Vulnerabilities (68915) ]
+ Action to take: Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
+ Impact: Taking this action will resolve 6 different vulnerabilities (CVEs).
19506 - Nessus Scan Information
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2013/09/17
Ports tcp/0
Information about this scan :
Nessus version : 5.2.2
Plugin feed version : 201309251115
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 10.42.12.28
Port scanner(s) : nessus_syn_scanner
Port range : 1-65535
Thorough tests : no
Experimental tests : no
Paranoia level : 2
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Try all HTTP methods : yes
Web app tests - Maximum run time : 10 minutes.
Web app tests - Stop at first flaw : param
Max hosts : 20
Max checks : 4
Recv timeout : 15
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2013/9/26 4:38
Scan duration : 142 sec
10287 - Traceroute Information
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports udp/0
For your information, here is the traceroute from 10.42.12.28 to 10.42.14.159 :
10.42.12.28
10.42.12.1
10.42.14.159
67140 - OpenSSH LoginGraceTime / MaxStartups DoS
Description
According to its banner, a version of OpenSSH earlier than version 6.2 is listening on this port. The default configuration of OpenSSH installs before 6.2 could allow a remote attacker to bypass the LoginGraceTime and MaxStartups thresholds by periodically making a large number of new TCP connections and thereby prevent legitimate users from gaining access to the service. Note that this plugin has not tried to exploit the issue or detect whether the remote service uses a vulnerable configuration. Instead, it has simply checked the version of OpenSSH running on the remote host.
See Also
http://www.openwall.com/lists/oss-security/2013/02/06/5
http://openssh.org/txt/release-6.2
http://tools.cisco.com/security/center/viewAlert.x?alertId=28883
Solution
Upgrade to OpenSSH 6.2 and review the associated server configuration settings.
Risk Factor
Medium
3.7 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID: 58162
CVE: CVE-2010-5107
XREF: OSVDB:90007
Plugin Information:
Publication date: 2013/07/03, Modification date: 2013/07/03
Ports tcp/22
Version source : SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
Installed version : 6.0p1
Fixed version : 6.2
11219 - Nessus SYN scanner
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2013/08/07
Ports tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2013/09/19
Ports tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports tcp/22
SSH version : SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
SSH supported authentication : publickey,password
10881 - SSH Protocol Versions Supported
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2012/04/04
Ports tcp/22
The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0
11229 - Web Server info.php / phpinfo.php Detection
Description
Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including :
- The username of the user who installed php and if they are a SUDO user.
- The IP address of the host.
- The version of the operating system.
- The web server version.
- The root directory of the web server.
- Configuration information about the remote PHP installation.
Solution
Remove the affected file(s).
Risk Factor
Medium
Plugin Information:
Publication date: 2003/02/12, Modification date: 2013/01/25
Ports tcp/80
Nessus discovered the following URL that calls phpinfo() :
- http://10.42.14.159/info.php
62101 - Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
References
BID: 53046
BID: 55131
CVE: CVE-2012-0883
CVE: CVE-2012-2687
XREF: OSVDB:81359
XREF: OSVDB:84818
Plugin Information:
Publication date: 2012/09/14, Modification date: 2013/07/20
Ports tcp/80
Version source : Server: Apache/2.2.22
Installed version : 2.2.22
Fixed version : 2.2.23
64912 - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.
Risk Factor
Medium
References
BID: 58165
CVE: CVE-2012-3499
CVE: CVE-2012-4558
XREF: OSVDB:90556
XREF: OSVDB:90557
Plugin Information:
Publication date: 2013/02/27, Modification date: 2013/09/15
Ports tcp/80
Version source : Server: Apache/2.2.22
Installed version : 2.2.22
Fixed version : 2.2.24
68915 - Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
Risk Factor
Medium
STIG Severity
I
References
BID: 59826
BID: 61129
CVE: CVE-2013-1862
CVE: CVE-2013-1896
XREF: OSVDB:93366
XREF: OSVDB:95498
XREF: IAVA:2013-A-0146
Plugin Information:
Publication date: 2013/07/16, Modification date: 2013/09/15
Ports tcp/80
Version source : Server: Apache/2.2.22
Installed version : 2.2.22
Fixed version : 2.2.25
11219 - Nessus SYN scanner
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2013/08/07
Ports tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2013/09/19
Ports tcp/80
A web server is running on this port.
11032 - Web Server Directory Enumeration
Description
This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.
See Also
http://projects.webappsec.org/Predictable-Resource-Location
Solution
n/a
Risk Factor
None
References
XREF OWASP:OWASP-CM-006
Plugin Information:
Publication date: 2002/06/26, Modification date: 2013/04/02
Ports tcp/80
The following directories were discovered:
/cgi-bin, /icons
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.
10662 - Web mirroring
Description
This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host. It is suggested that you change the number of pages to mirror in the 'Options' section of the client.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/05/04, Modification date: 2013/04/11
Ports tcp/80
Webmirror performed 9 queries in 1s (9.000 queries per second)
10107 - HTTP Server Type and Version
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2013/06/03
Ports tcp/80
The remote web server type is : Apache/2.2.22 (Ubuntu)
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
43111 - HTTP Methods Allowed (per directory)
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Ports tcp/80
Based on the response to an OPTIONS request :
- HTTP methods GET HEAD OPTIONS POST are allowed on :
  /
  /icons
  /manager
  /recipe
Based on tests of each method :
- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :
  /cgi-bin
- HTTP methods GET HEAD OPTIONS POST are allowed on :
  /
  /icons
  /manager
  /recipe
- Invalid/unknown HTTP methods are allowed on :
  /cgi-bin
24260 - HyperText Transfer Protocol (HTTP) Information
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports tcp/80
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
Date: Wed, 25 Sep 2013 21:40:20 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Thu, 05 Sep 2013 16:38:50 GMT
ETag: "2c14-b1-4e5a58e89f052"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Vulnerabilities By Plugin
11229 (1) - Web Server info.php / phpinfo.php Detection
Description
Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including :
- The username of the user who installed php and if they are a SUDO user.
- The IP address of the host.
- The version of the operating system.
- The web server version.
- The root directory of the web server.
- Configuration information about the remote PHP installation.
Solution
Remove the affected file(s).
Risk Factor
Medium
Plugin Information:
Publication date: 2003/02/12, Modification date: 2013/01/25
12213 (1) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS
Synopsis
It may be possible to send spoofed RST packets to the remote system.
Description
The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc).
See Also
https://downloads.avaya.com/elmodocs2/security/ASA-2006-217.htm
http://www.kb.cert.org/vuls/id/JARL-5ZQR4D
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55950
http://www-01.ibm.com/support/docview.wss?uid=isg1IY62006
http://www.juniper.net/support/security/alerts/niscc-236929.txt
http://technet.microsoft.com/en-us/security/bulletin/ms05-019
http://technet.microsoft.com/en-us/security/bulletin/ms06-064
http://www.kb.cert.org/vuls/id/JARL-5YGQ9G
http://www.kb.cert.org/vuls/id/JARL-5ZQR7H
http://www.kb.cert.org/vuls/id/JARL-5YGQAJ
http://www.nessus.org/u?9a548ae4
http://isc.sans.edu/diary.html?date=2004-04-20
Solution
Contact the vendor for a patch or mitigation advice.
Risk Factor
Medium
References
BID: 10183
CVE: CVE-2004-0230
XREF: OSVDB:4030
XREF: CERT:415294
XREF: EDB-ID:276
XREF: EDB-ID:291
Plugin Information:
Publication date: 2004/04/25, Modification date: 2012/12/28
62101 (1) - Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
References
BID: 53046
BID: 55131
CVE: CVE-2012-0883
CVE: CVE-2012-2687
XREF: OSVDB:81359
XREF: OSVDB:84818
Plugin Information:
Publication date: 2012/09/14, Modification date: 2013/07/20
64912 (1) - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.
Risk Factor
Medium
References
BID: 58165
CVE: CVE-2012-3499
CVE: CVE-2012-4558
XREF: OSVDB:90556
XREF: OSVDB:90557
Plugin Information:
Publication date: 2013/02/27, Modification date: 2013/09/15
67140 (1) - OpenSSH LoginGraceTime / MaxStartups DoS
Description
According to its banner, a version of OpenSSH earlier than version 6.2 is listening on this port. The default configuration of OpenSSH installs before 6.2 could allow a remote attacker to bypass the LoginGraceTime and MaxStartups thresholds by periodically making a large number of new TCP connections and thereby prevent legitimate users from gaining access to the service. Note that this plugin has not tried to exploit the issue or detect whether the remote service uses a vulnerable configuration. Instead, it has simply checked the version of OpenSSH running on the remote host.
See Also
http://www.openwall.com/lists/oss-security/2013/02/06/5
http://openssh.org/txt/release-6.2
http://tools.cisco.com/security/center/viewAlert.x?alertId=28883
Solution
Upgrade to OpenSSH 6.2 and review the associated server configuration settings.
Risk Factor
Medium
References
BID: 58162
CVE: CVE-2010-5107
XREF: OSVDB:90007
Plugin Information:
Publication date: 2013/07/03, Modification date: 2013/07/03
68915 (1) - Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
Risk Factor
Medium
STIG Severity
I
References
BID: 59826
BID: 61129
CVE: CVE-2013-1862
CVE: CVE-2013-1896
XREF: OSVDB:93366
XREF: OSVDB:95498
XREF: IAVA:2013-A-0146
Plugin Information:
Publication date: 2013/07/16, Modification date: 2013/09/15
11219 (2) - Nessus SYN scanner
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2013/08/07
10.42.14.159 (tcp/80)
Port 80/tcp was found to be open
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2013/09/19
10.42.14.159 (tcp/80)
A web server is running on this port.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2013/06/03
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE: CVE-1999-0524
XREF: OSVDB:94, CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Description
This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host. It is suggested that you change the number of pages to mirror in the 'Options' section of the client.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/05/04, Modification date: 2013/04/11
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2012/04/04
Description
This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.
See Also
http://projects.webappsec.org/Predictable-Resource-Location
Solution
n/a
Risk Factor
None
References
XREF: OWASP:OWASP-CM-006
Plugin Information:
Publication date: 2002/06/26, Modification date: 2013/04/02
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2013/09/03
The remote host is running Linux Kernel 3.5 on Ubuntu 12.10 (quantal)
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2013/08/10
Description
This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2013/09/17
Description
This test gives some information about the remote HTTP protocol: the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests (if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy) various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Based on tests of each method:
- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on: /cgi-bin
- HTTP methods GET HEAD OPTIONS POST are allowed on: / /icons /manager /recipe
- Invalid/unknown HTTP methods are allowed on: /cgi-bin
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2013/09/18
Description
Based on the remote operating system, it is possible to determine what the remote system type is (e.g., a printer, router, general-purpose computer, etc.).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
Solution
Install the patches listed below
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2013/09/13
You need to take the following 2 actions:
[ OpenSSH LoginGraceTime / MaxStartups DoS (67140) ]
+ Action to take: Upgrade to OpenSSH 6.2 and review the associated server configuration settings.
[ Apache 2.2 < 2.2.25 Multiple Vulnerabilities (68915) ]
+ Action to take: Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
+ Impact: Taking this action will resolve 6 different vulnerabilities (CVEs).