Pentestreport Romio
Version-V1.0
PRESENTED TO:
ASHTON MOZANO
USD
Penetration Test Report – Jessica Romio
Table of Contents
Disclaimer
Executive Summary
Scope
Summary of Findings
  Vsftpd Backdoor
  Telnet into Root
  Rexec Passwordless / Unencrypted Cleartext Login
  Rogue shell backdoor – telnet port 1524
  UnrealIRCD Backdoor
  VNC Brute Force Login
  Java-RMI
  DOS Attack
Conclusion
Appendix A: OpenVAS Scan Result
Disclaimer
Jessica Romio was engaged by Ashton Mozano of the USD Cyber Security Operations and Leadership program,
Foundations of Cyber Security course, to perform a penetration test on the target, Metasploitable 2, to
determine its possible exposure. Jessica Romio is not liable for any damages resulting from the use of
this information, and the report is provided as is. The assessment is a snapshot in time of the posture
of the environment; the environment and the results could have changed since this report was produced.
This report provides guidance and is in no way a full representation of all the risks that threaten the
system.
Executive Summary
All activities and tests on the system were conducted to simulate a malicious attacker performing a
targeted attack on the Metasploitable 2 system. The work was carried out with the goal of gaining root
access to the system, on the assumption that further attacks could be carried out once root access is
reached. The assessment was conducted with generally accepted cyber security practices and tools. The
initial scan was run on February 23rd, 2019 and the exploitation testing took place on February 24th,
2019. The detailed scan report can be found in Appendix A.
Scope
The scope of this test is limited to one test environment, Metasploitable 2. Metasploitable 2 is an
intentionally vulnerable virtual machine that was designed for training and testing. The machine was
downloaded to a local machine and assigned the IP address of 192.168.87.129. Testing was conducted
through a Kali Linux VM on the same network.
TABLE 1
Target Machine      IP Address
Metasploitable 2    192.168.87.129
Summary of Findings
When performing the penetration test, an OpenVAS scan was run on the target system to identify
possible vulnerabilities. Overall there were 20 high findings, 36 medium findings and 3 low findings.
Among the highlighted vulnerabilities were the Rexec Passwordless / Unencrypted Cleartext Login, the
UnrealIRCd backdoor, the port 1524 backdoor and the Java RMI Server Insecure Default Configuration
Remote Code Execution Vulnerability. The figures below summarize some of the top findings in OpenVAS.
TABLE 2
HOST              HIGH    MEDIUM    LOW
192.168.87.129    20      36        3
Total: 1 host     20      36        3
FIGURE 1
Along with the OpenVAS scan used to search for possible attack vectors, an nmap port scan was also
performed to see which ports were open. The following figure summarizes the port findings from the
scan.
FIGURE 2
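As an added example (it is not part of the original report, and it is not Metasploit or OpenVAS code), the Python script below parses nmap's grepable output (`-oG`) and flags the services this report goes on to exploit. The scan line embedded in it is constructed to resemble the Metasploitable 2 result shown in Figure 2, not copied from it, and the triage rules are deliberately limited to the findings the report names.

```python
"""Triage nmap -oG output for the services this report exploits.

Added example; the SAMPLE_OG scan below is constructed, not the report's real
Figure 2, and the triage rules are limited to the findings the report names.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `nmap -sV -oG - 192.168.87.129` output.
# nmap writes one "Host:" line with a tab-separated "Ports:" field whose entries
# are port/state/proto/owner/service/rpcinfo/version/ (nmap rewrites '/' inside
# version strings as '|', so splitting on '/' is safe).
SAMPLE_OG = (
    "# Nmap 7.70 scan initiated as: nmap -sV -oG - 192.168.87.129\n"
    "Host: 192.168.87.129 ()\tStatus: Up\n"
    "Host: 192.168.87.129 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "512/open/tcp//exec//netkit-rsh rexecd/, "
    "513/open/tcp//login///, "
    "1099/open/tcp//java-rmi//Java RMI Registry/, "
    "1524/open/tcp//bindshell//Metasploitable root shell/, "
    "5900/open/tcp//vnc//VNC (protocol 3.3)/, "
    "6667/open/tcp//irc//UnrealIRCd/"
    "\tIgnored State: closed (977)\n"
)


@dataclass
class Service:
    port: int
    state: str
    proto: str
    name: str
    version: str


def parse_og(text: str) -> List[Service]:
    """Extract Service records from the Ports: field of every Host: line."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ports_fields = [f for f in line.split("\t") if f.startswith("Ports:")]
        if not ports_fields:
            continue  # e.g. the "Status: Up" line
        for entry in ports_fields[0][len("Ports:"):].strip().split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # not a well-formed port entry
            services.append(Service(int(fields[0]), fields[1], fields[2],
                                    fields[4], fields[6]))
    return services


def triage(svc: Service) -> List[str]:
    """Reasons an open service needs immediate attention (empty if none)."""
    reasons: List[str] = []
    if svc.state != "open":
        return reasons
    name, ver = svc.name, svc.version.lower()
    if name == "ftp" and "vsftpd 2.3.4" in ver:
        reasons.append("vsftpd 2.3.4 is the backdoored release (BID 48539)")
    if name == "irc" and "unrealircd" in ver:
        reasons.append("UnrealIRCd: test for the 3.2.8.1 backdoor (CVE-2010-2075)")
    if svc.port == 1524 or name == "bindshell":
        reasons.append("bind shell on 1524: unauthenticated root shell")
    if svc.port == 1099 or name == "java-rmi":
        reasons.append("Java RMI registry: insecure default configuration")
    if name in ("exec", "login", "shell") or svc.port in (512, 513, 514):
        reasons.append("BSD r-service (rexec/rlogin/rsh): cleartext or passwordless login")
    if name == "telnet":
        reasons.append("telnet: credentials cross the wire in cleartext")
    if name == "vnc":
        reasons.append("VNC: test for a weak or default password")
    return reasons


def flag_services(text: str) -> Dict[int, List[str]]:
    """Map port -> reasons for every service in the scan that triage() flags."""
    return {s.port: triage(s) for s in parse_og(text) if triage(s)}


if __name__ == "__main__":
    for port, reasons in sorted(flag_services(SAMPLE_OG).items()):
        print(f"{port:>5}/tcp  " + "; ".join(reasons))
```

Run it against a real scan with `nmap -sV -oG scan.gnmap 192.168.87.129` and feed the file contents to `flag_services`; SSH on port 22 is intentionally not flagged because the report treats it as a default-credential problem rather than a service-version problem.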
Using a Kali Linux virtual machine along with the Metasploit Framework (MSF), I was able to take
advantage of many of these vulnerabilities and gain root access to the Metasploitable 2 machine. I
chose the top seven exploited vulnerabilities to highlight in this report. Many of the other
vulnerabilities found by OpenVAS, as well as others not covered here, are likely exploitable as well
and should be mitigated.
Vsftpd Backdoor
The nmap port scan showed that FTP port 21 was open and running vsftpd 2.3.4, which OpenVAS also
reported as a backdoor vulnerability. A search in the MSF console showed an exploit module for the
vsftpd backdoor. Setting RHOST to the IP address of Metasploitable 2 and running the exploit dropped
us straight into a shell on the machine. A simple whoami command
FIGURE 3
FIGURE 4
FIGURE 5
FIGURE 6
FIGURE 7
FIGURE 8
UnrealIRCD Backdoor
The OpenVAS scan showed another vulnerability titled "Check for backdoor in UnrealIRCD". Opening this
finding and reading its details gave more information about the attack, including its identifier,
CVE-2010-2075.
FIGURE 9
Using the "search" command in msfconsole with this CVE number yielded an exploit module. Setting
RHOST once again to the IP of the target machine allowed us to use this exploit. The exploit was run
and a "whoami" revealed the user to be root.
FIGURE 10
FIGURE 11
FIGURE 12
Using the Remmina VNC client to connect to 192.168.87.129, we were able to reach the server's desktop
session with root privileges.
FIGURE 13
Java-RMI
The final attack vector used was the Java RMI registry. Another search through the OpenVAS results
shows a vulnerability titled "Java RMI Server Insecure Default Configuration Remote Code Execution
Vulnerability". Nmap also shows this service running on port 1099. A quick search through Metasploit
for a Java RMI related exploit turned up one titled "Java RMI Server Insecure Default Configuration
Java Code Execution (Metasploit)". Using the info command on this exploit and setting RHOST to the
target IP allowed us to configure the exploit. We also had to set the session number to one and then
run the attack. This once again got us into Metasploitable 2 as the root user.
FIGURE 14
DOS Attack
A denial of service attack is one in which a machine's resources become unavailable to its intended
users because a service is disrupted, typically by flooding. One could flood the machine with ICMP
echo requests. ICMP is used to confirm connectivity, and if the requests never end the system is
flooded with packets, loses its ability to respond to genuine ones, and a denial of service results.
SYN flooding could also be used: the attacker sends a stream of TCP SYN packets but never completes
the handshake, so each connection is left half-open while the target waits for a final
acknowledgement that never arrives. If this happens enough, the target will not have enough
resources to respond and another denial of service will have occurred. Both of these are possible
attack vectors, and there are many open TCP ports on which to test a SYN flood. Because I can get
into the system as root, I decided to go straight to
the system. I found a command which asks the operating system to keep spawning processes
indefinitely. The command was ":(){ :|:& };:".
FIGURE 15
The figure above shows Metasploitable 2 opening and killing processes; this continued until I
manually shut off the system. This was only one way to perform a DoS attack, and mitigations should
be put in place to prevent this type of attack from occurring.
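As an added example, not from the report and not from any tool it used, the Python audit below checks the two host-side mitigations that apply to the attacks described in this section: a per-user process limit in /etc/security/limits.conf against the fork bomb, and the SYN cookie and ICMP broadcast sysctls against the flood attacks. The configuration fragments are constructed (a weak one beside a hardened one), not taken from Metasploitable 2.

```python
"""Audit host settings against the fork bomb and flood attacks above.

Added example; the limits.conf bodies and sysctl values are constructed.
"""
from typing import Dict, List

# Constructed: an untouched limits.conf (no nproc limit at all).
WEAK_LIMITS_CONF = """
# /etc/security/limits.conf
#<domain>  <type>  <item>  <value>
"""

# Constructed: hard cap on processes for every user except root.
HARDENED_LIMITS_CONF = """
# /etc/security/limits.conf
*      soft  nproc  1024
*      hard  nproc  2048
root   hard  nproc  unlimited
"""

# Constructed sysctl snapshots (what `sysctl -a` would report).
WEAK_SYSCTL = {"net.ipv4.tcp_syncookies": "0",
               "net.ipv4.icmp_echo_ignore_broadcasts": "0"}
HARDENED_SYSCTL = {"net.ipv4.tcp_syncookies": "1",
                   "net.ipv4.tcp_max_syn_backlog": "4096",
                   "net.ipv4.icmp_echo_ignore_broadcasts": "1"}


def parse_limits(text: str) -> Dict[tuple, Dict[str, str]]:
    """Return {(domain, item): {type: value}} for the 4-column limits.conf format."""
    rules: Dict[tuple, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) != 4:
            continue  # blank, comment, or malformed line
        domain, ltype, item, value = parts
        rules.setdefault((domain, item), {})[ltype] = value
    return rules


def audit_dos_hardening(limits_conf: str, sysctl: Dict[str, str]) -> List[str]:
    """Return one finding per missing mitigation; an empty list means all present."""
    findings = []
    nproc = parse_limits(limits_conf).get(("*", "nproc"), {})
    hard = nproc.get("hard", nproc.get("-"))  # "-" sets soft and hard at once
    if hard is None or hard == "unlimited":
        findings.append("no hard nproc limit for '*': an unprivileged fork bomb "
                        "':(){ :|:& };:' can exhaust the process table")
    if sysctl.get("net.ipv4.tcp_syncookies") != "1":
        findings.append("net.ipv4.tcp_syncookies != 1: half-open connections from a "
                        "SYN flood fill the listen backlog")
    if sysctl.get("net.ipv4.icmp_echo_ignore_broadcasts") != "1":
        findings.append("net.ipv4.icmp_echo_ignore_broadcasts != 1: host answers "
                        "broadcast pings and can be used to amplify an ICMP flood")
    return findings


def live_sysctl(keys) -> Dict[str, str]:
    """Read the named sysctls from /proc/sys on the local Linux host (best effort)."""
    values = {}
    for key in keys:
        try:
            with open("/proc/sys/" + key.replace(".", "/")) as fh:
                values[key] = fh.read().strip()
        except OSError:
            pass  # not Linux, or the key does not exist on this kernel
    return values


if __name__ == "__main__":
    for label, conf, sysctl in (("weak", WEAK_LIMITS_CONF, WEAK_SYSCTL),
                                ("hardened", HARDENED_LIMITS_CONF, HARDENED_SYSCTL)):
        print(f"[{label}] {audit_dos_hardening(conf, sysctl) or ['no findings']}")
```

One caveat worth keeping in mind when reading the fork bomb result above: Linux does not enforce the nproc limit for root, and the report ran the command as root. The limit bounds the damage from an unprivileged foothold; the real fix for the DoS shown in Figure 15 is closing the paths to a root shell described in the earlier sections.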
Conclusion
Metasploitable 2 had many different vulnerabilities that could be exploited to get into the system.
Any of these attack vectors could be used by an adversary to gain access. Although some security was
implemented on the system, there were also obvious weaknesses. The use of default passwords and a
number of open, insecure ports make the system susceptible to brute force attacks. Had a malicious
party intended to get into the system, these would have been simple attacks to take advantage of.
The overall goal of the penetration test was met by showing some possible vulnerabilities to
mitigate in the system. Serious consideration and appropriate effort to mitigate the vulnerabilities
should be applied.
Appendix A: OpenVAS Scan Result
Scan Report
Summary
This document reports on the results of an automatic security scan. All dates are displayed
using the timezone Coordinated Universal Time, which is abbreviated UTC. The task was Scan
Metasploitable 2. The scan started at Sat Feb 23 19:39:58 2019 UTC and ended at Sat Feb 23
20:00:35 2019 UTC. The report first summarises the results found. Then, for each host, the report
describes every issue found. Please consider the advice given in each description, in order to
rectify the issue.
Contents
1 Result Overview
1.1 Host Authentications
1 Result Overview
This report contains all 59 results selected by the filtering described above. Before filtering
there were 385 results.
. . . (continued) . . .
Service (Port) Threat Level
5900/tcp High
513/tcp High
3632/tcp High
5432/tcp High
8787/tcp High
general/tcp High
6667/tcp Medium
80/tcp Medium
23/tcp Medium
22/tcp Medium
21/tcp Medium
5900/tcp Medium
5432/tcp Medium
25/tcp Medium
445/tcp Medium
2121/tcp Medium
80/tcp Low
22/tcp Low
general/tcp Low
Summary
A backdoor is installed on the remote host
Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected system.
Solution
Solution type: Workaround
2 Results Per Host
Summary
Detection of backdoor in UnrealIRCd.
Solution
Solution type: VendorFix
Install latest version of unrealircd and check signatures of software you're installing.
Vulnerability Insight
Remote attackers can exploit this issue to execute arbitrary system commands within the context
of the affected application.
The issue affects Unreal 3.2.8.1 for Linux. Reportedly package Unreal3.2.8.1.tar.gz downloaded
in November 2009 and later is affected. The MD5 sum of the affected file is
752e46f2d873c1679fa99de3f52a274d. Files with MD5 sum of 7b741e94e867c0a7370553fd01506c66
are not affected.
References
CVE: CVE-2010-2075
BID:40820
Other:
URL:http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
URL:http://seclists.org/fulldisclosure/2010/Jun/277
URL:http://www.securityfocus.com/bid/40820
Summary
It was possible to login into the remote MySQL as root using weak credentials.
Solution
Solution type: Mitigation
Change the password as soon as possible.
Summary
vsftpd is prone to a backdoor vulnerability.
Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected application.
Solution
Solution type: VendorFix
The repaired package can be downloaded from the referenced link. Please validate the package
with its signature.
Affected Software/OS
The vsftpd 2.3.4 source package is affected.
References
BID:48539
Other:
URL:http://www.securityfocus.com/bid/48539
URL:http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
URL:https://security.appspot.com/vsftpd.html
Summary
This remote host is running a rsh service.
Solution
Solution type: Mitigation
Disable the rsh service and use alternatives like SSH instead.
Vulnerability Insight
rsh (remote shell) is a command line computer program which can execute shell commands as
another user, and on another computer across a computer network.
References
Other:
URL:https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0651
Summary
The host is running TWiki and is prone to Cross-Site Scripting (XSS) and Command Execution
Vulnerabilities.
Impact
Successful exploitation could allow execution of arbitrary script code or commands. This could
let attackers steal cookie-based authentication credentials or compromise the affected application.
Solution
Solution type: VendorFix
Upgrade to version 4.2.4 or later.
Aected Software/OS
TWiki, TWiki version prior to 4.2.4.
Vulnerability Insight
The flaws are due to:
- the %URLPARAM{}% variable is not properly sanitized, which lets attackers conduct cross-site
scripting attacks.
- the %SEARCH{}% variable is not properly sanitised before being used in an eval() call, which lets
attackers execute Perl code through an eval injection attack.
References
Summary
Many PHP installation tutorials instruct the user to create a file called phpinfo.php or similar
containing the phpinfo() statement. Such a file is often left behind in the webserver directory.
Impact
Some of the information that can be gathered from this file includes:
The username of the user running the PHP process, if it is a sudo user, the IP address of the host,
the web server version, the system version (Unix, Linux, Windows, ...), and the root directory
of the web server.
Solution
Solution type: Workaround
Delete the listed files or restrict access to them.
Summary
Tiki Wiki CMS Groupware is prone to multiple unspecified vulnerabilities, including:
Impact
Exploiting these issues could allow an attacker to compromise the application, access or modify
data, exploit latent vulnerabilities in the underlying database, and gain unauthorized access to
the affected application. Other attacks are also possible.
Solution
Solution type: VendorFix
The vendor has released an advisory and fixes. Please see the references for details.
Aected Software/OS
Versions prior to Tiki Wiki CMS Groupware 4.2 are vulnerable.
References
CVE: CVE-2010-1135, CVE-2010-1134, CVE-2010-1133, CVE-2010-1136
BID:38608
Other:
URL:http://www.securityfocus.com/bid/38608
URL:http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=24734
URL:http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=25046
URL:http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=25424
URL:http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=25435
URL:http://info.tikiwiki.org/article86-Tiki-Announces-3-5-and-4-2-Releases
URL:http://info.tikiwiki.org/tiki-index.php?page=homepage
Summary
Misconfigured web servers allow remote clients to perform dangerous HTTP methods such as
PUT and DELETE. This script checks if they are enabled and can be misused to upload or
delete files.
Impact
- Enabled PUT method: This might allow an attacker to upload and run arbitrary code on this
web server.
- Enabled DELETE method: This might allow an attacker to delete additional files on this web
server.
Solution
Solution type: Mitigation
Use access restrictions to these dangerous HTTP methods or disable them completely.
References
BID:12141
Other:
OWASP:OWASP-CM-001
Summary
PHP is prone to an information-disclosure vulnerability.
Impact
Exploiting this issue allows remote attackers to view the source code of les in the context of the
server process. This may allow the attacker to obtain sensitive information and to run arbitrary
PHP code on the affected computer. Other attacks are also possible.
Solution
Solution type: VendorFix
PHP has released version 5.4.3 and 5.3.13 to address this vulnerability. PHP is recommending
that users upgrade to the latest version of PHP.
Vulnerability Insight
When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives
a processed query string parameter as command line arguments which allows command-line
switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to
disclose source code and obtain arbitrary code execution.
An example of the -s command, allowing an attacker to view the source code of index.php is
below:
http://example.com/index.php?-s
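To make the query-string rule concrete, here is an added Python example (it is not part of the scan report, nor PHP's or Apache's own code) that reproduces the CGI convention behind CVE-2012-1823 and uses it to pick attack requests out of constructed Apache access log lines: when the query string contains no unencoded "=", the CGI interface splits it on "+", URL-decodes each piece and passes the pieces as command-line arguments, which is how `?-s` becomes php-cgi's `-s` switch. The log lines and addresses in it are constructed.

```python
"""Detect php-cgi argument injection (CVE-2012-1823) in web server logs.

Added example; the log lines are constructed. The argv rule follows RFC 3875
section 4.4, which php-cgi honoured before 5.3.13 / 5.4.3.
"""
import re
from typing import List
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format access log lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Feb/2019:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.7 - - [24/Feb/2019:10:01:09 +0000] "GET /index.php?-s HTTP/1.1" 200 3044',
    '10.0.0.7 - - [24/Feb/2019:10:01:15 +0000] "POST /cgi-bin/php?%2dd+allow_url_include%3d1'
    '+%2dd+auto_prepend_file%3dphp://input HTTP/1.1" 200 118',
    '10.0.0.9 - - [24/Feb/2019:10:02:00 +0000] "GET /search.php?q=-s+foo HTTP/1.1" 200 77',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def cgi_argv_from_query(query: str) -> List[str]:
    """argv a CGI server derives from a query string that has no unencoded '='.

    An encoded '=' (%3d) does not count, which is exactly what the public
    exploits relied on to smuggle -d directive=value pairs past the rule.
    """
    if not query or "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+")]


def php_cgi_switches(uri: str) -> List[str]:
    """php-cgi command-line switches a request URI would inject (empty if none)."""
    argv = cgi_argv_from_query(urlsplit(uri).query)
    return [arg for arg in argv if arg.startswith("-")]


def scan_access_log(lines) -> List[str]:
    """Return the request URIs in `lines` that inject php-cgi switches."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and php_cgi_switches(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for uri in scan_access_log(SAMPLE_LOG):
        print("php-cgi switch injection:", uri, php_cgi_switches(uri))
```

The fourth sample line is the important negative case: `q=-s+foo` contains a real "=", so the server treats it as an ordinary query string and no argv is built, which is why a naive substring search for "-s" would produce false positives.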
References
CVE: CVE-2012-1823, CVE-2012-2311, CVE-2012-2336, CVE-2012-2335
BID:53388
Other:
URL:http://www.h-online.com/open/news/item/Critical-open-hole-in-PHP-creates-risks-Update-1567532.html
URL:http://www.kb.cert.org/vuls/id/520827
URL:http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
URL:https://bugs.php.net/bug.php?id=61910
URL:http://www.php.net/manual/en/security.cgi-bin.php
URL:http://www.securityfocus.com/bid/53388
Summary
Multiple Java products that implement the RMI Server contain a vulnerability that could allow
an unauthenticated, remote attacker to execute arbitrary code on a targeted system with elevated
privileges.
Solution
Solution type: Workaround
Disable class-loading.
Vulnerability Insight
The vulnerability exists because of an incorrect default configuration of the Remote Method
Invocation (RMI) Server in the affected software. An unauthenticated, remote attacker could
exploit the vulnerability by transmitting crafted packets to the affected software. When the
packets are processed, the attacker could execute arbitrary code on the system with elevated
privileges.
References
Other:
URL:https://tools.cisco.com/security/center/viewAlert.x?alertId=23665
Summary
It was possible to login into the remote SSH server using default credentials.
As the NVT 'SSH Brute Force Logins with default Credentials' (OID:
1.3.6.1.4.1.25623.1.0.108013) might run into a timeout, the actual reporting of this
vulnerability takes place in this NVT instead. The script preference 'Report timeout' allows you
to configure whether such a timeout is reported.
Solution
Solution type: Mitigation
Change the password as soon as possible.
Summary
vsftpd is prone to a backdoor vulnerability.
Impact
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Successful attacks will compromise the affected application.
Solution
Solution type: VendorFix
The repaired package can be downloaded from the referenced link. Please validate the package
with its signature.
Affected Software/OS
The vsftpd 2.3.4 source package is affected.
References
BID:48539
Other:
URL:http://www.securityfocus.com/bid/48539
URL:http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
URL:https://security.appspot.com/vsftpd.html
Summary
This remote host is running a rexec service.
Solution
Solution type: Mitigation
Disable the rexec service and use alternatives like SSH instead.
Vulnerability Insight
rexec (Remote Process Execution) has the same kind of functionality that rsh has: you can
execute shell commands on a remote computer.
The main difference is that rexec authenticates by reading the username and password
*unencrypted* from the socket.
References
Other:
URL:https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0618
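As an added example (not part of the scan report or of any rexec implementation), the Python below decodes the request a rexec client sends to TCP port 512, which is why a passive observer on the path can recover the credentials: the client writes four NUL-terminated strings, the stderr port, the username, the password and the command, with no encryption at all. The captured payloads, usernames and passwords are constructed for the example.

```python
"""Recover credentials from a rexec (port 512) request, as a sniffer would.

Added example; the TCP payloads below are constructed, not a real capture.
The wire format is that of BSD rexecd: "<stderr-port>\\0<user>\\0<password>\\0<command>\\0",
where the first field is empty or "0" when the client wants no separate stderr channel.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REXEC_PORT = 512

# Constructed (dst_port, payload) pairs as a capture tool might hand them over.
SAMPLE_SEGMENTS: List[Tuple[int, bytes]] = [
    (80, b"GET / HTTP/1.0\r\n\r\n"),
    (512, b"0\x00alice\x00hunter2\x00id\x00"),
    (512, b"\x00backup\x00Tr0ub4dor&3\x00tar -cf - /etc\x00"),
]


@dataclass
class RexecRequest:
    stderr_port: Optional[int]   # None when no separate stderr connection is requested
    user: str
    password: str
    command: str


def parse_rexec_request(payload: bytes) -> RexecRequest:
    """Split the four NUL-terminated fields; raises ValueError if any is missing."""
    parts = payload.split(b"\x00", 4)
    if len(parts) < 5:
        raise ValueError("malformed rexec request: fewer than four NUL-terminated fields")
    port_field, user, password, command, _rest = parts
    stderr_port = int(port_field) if port_field not in (b"", b"0") else None
    return RexecRequest(stderr_port,
                        user.decode("ascii", "replace"),
                        password.decode("ascii", "replace"),
                        command.decode("ascii", "replace"))


def harvest_rexec_logins(segments) -> List[RexecRequest]:
    """Pull every parsable rexec login out of (dst_port, payload) segments."""
    found = []
    for dst_port, payload in segments:
        if dst_port != REXEC_PORT:
            continue
        try:
            found.append(parse_rexec_request(payload))
        except ValueError:
            continue  # partial segment; a real tool would reassemble the TCP stream first
    return found


if __name__ == "__main__":
    for req in harvest_rexec_logins(SAMPLE_SEGMENTS):
        print(f"user={req.user!r} password={req.password!r} command={req.command!r}")
```

The same parser doubles as a detection rule for the blue team: any payload to port 512 that parses cleanly is a cleartext login crossing the network, regardless of whether the password was right.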
Summary
Try to log in with given passwords via VNC protocol.
Solution
Solution type: Mitigation
Change the password to something hard to guess or enable password protection at all.
Vulnerability Insight
This script tries to authenticate to a VNC server with the passwords set in the password prefer-
ence. It will also test and report if no authentication / password is required at all.
Note: Some VNC servers have a blacklisting scheme that blocks IP addresses after five
unsuccessful connection attempts for a period of time. The script will abort the brute force
attack if it detects that it is being blocked.
Note as well that passwords can be at most 8 characters long.
Summary
This remote host is running a rlogin service.
Solution
Solution type: Mitigation
Disable the rlogin service and use alternatives like SSH instead.
Vulnerability Insight
rlogin has several serious security problems,
- all information, including passwords, is transmitted unencrypted.
- the .rlogin (or .rhosts) file is easy to misuse (potentially allowing anyone to login without a password)
References
Other:
URL:https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0651
URL:http://en.wikipedia.org/wiki/Rlogin
URL:http://www.ietf.org/rfc/rfc1282.txt
Summary
DistCC 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server
port, allows remote attackers to execute arbitrary commands via compilation jobs, which are
executed by the server without authorization checks.
Impact
DistCC by default trusts its clients completely that in turn could allow a malicious client to
execute arbitrary commands on the server.
Solution
Solution type: VendorFix
Vendor updates are available. Please see the references for more information.
For more information about DistCC's security see the references.
References
CVE: CVE-2004-2687
Other:
URL:https://distcc.github.io/security.html
URL:https://web.archive.org/web/20150511045306/http://archives.neohapsis.com:80/archives/bugtraq/2005-03/0183.html
Summary
It was possible to login into the remote PostgreSQL as user postgres using weak credentials.
Solution
Solution type: Mitigation
Change the password as soon as possible.
Summary
Systems using Distributed Ruby (dRuby/DRb), which is available in Ruby versions 1.6 and later,
may permit unauthorized systems to execute distributed commands.
Impact
By default, Distributed Ruby does not impose restrictions on allowed hosts or set the $SAFE
environment variable to prevent privileged activities. If other controls are not in place, especially
if the Distributed Ruby process runs with elevated privileges, an attacker could execute arbitrary
system commands or Ruby scripts on the Distributed Ruby server. An attacker may need to
know only the URI of the listening Distributed Ruby server to submit Ruby commands.
Solution
Solution type: Mitigation
Administrators of environments that rely on Distributed Ruby should ensure that appropriate
controls are in place. Code-level controls may include:
- Implementing taint on untrusted input
- Setting $SAFE levels appropriately (>=2 is recommended if untrusted hosts are allowed to
submit Ruby commands, and >=3 may be appropriate)
- Including drb/acl.rb to set ACLEntry to restrict access to trusted hosts
References
BID:47071
Other:
URL:https://tools.cisco.com/security/center/viewAlert.x?alertId=22750
URL:http://www.securityfocus.com/bid/47071
URL:http://blog.recurity-labs.com/archives/2011/05/12/druby_for_penetration_testers/
URL:http://www.ruby-doc.org/stdlib-1.9.3/libdoc/drb/rdoc/DRb.html
Summary
OS End Of Life Detection
The Operating System on the remote host has reached the end of life and should not be used
anymore.
Solution
Solution type: Mitigation
Summary
This host is installed with UnrealIRCd and is prone to an authentication spoofing vulnerability.
Impact
Successful exploitation of this vulnerability will allow remote attackers to spoof certificate
fingerprints and consequently log in as another user.
Solution
Solution type: VendorFix
Upgrade to UnrealIRCd 3.2.10.7, or 4.0.6, or later.
Affected Software/OS
UnrealIRCd before 3.2.10.7 and 4.x before 4.0.6.
Vulnerability Insight
The flaw exists due to an error in the 'm_authenticate' function in the 'modules/m_sasl.c' script.
References
CVE: CVE-2016-7144
BID:92763
Other:
URL:http://seclists.org/oss-sec/2016/q3/420
URL:http://www.openwall.com/lists/oss-security/2016/09/05/8
URL:https://github.com/unrealircd/unrealircd/commit/f473e355e1dc422c4f019dbf86bc50ba1a34a766
URL:https://bugs.unrealircd.org/main_page.php
Summary
The host is running TWiki and is prone to Cross-Site Request Forgery vulnerability.
Impact
Successful exploitation will allow an attacker to gain administrative privileges on the target
application through a CSRF attack.
Solution
Solution type: VendorFix
Upgrade to TWiki version 4.3.2 or later.
Affected Software/OS
TWiki version prior to 4.3.2
Vulnerability Insight
Attack can be done by tricking an authenticated TWiki user into visiting a static HTML page on
another side, where a Javascript enabled browser will send an HTTP POST request to TWiki,
which in turn will process the request as the TWiki user.
References
CVE: CVE-2009-4898
Other:
URL:http://www.openwall.com/lists/oss-security/2010/08/03/8
URL:http://www.openwall.com/lists/oss-security/2010/08/02/17
URL:http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix
URL:http://twiki.org/cgi-bin/view/Codev/DownloadTWiki
Summary
In Tiki the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php
show_history parameter.
Solution
Solution type: VendorFix
Upgrade to version 17.2 or later.
Affected Software/OS
Tiki Wiki CMS Groupware prior to version 17.2.
References
CVE: CVE-2018-20719
Other:
URL:https://blog.ripstech.com/2018/scan-verify-patch-security-issues-in-minutes/
Summary
The host is running TWiki and is prone to Cross-Site Request Forgery Vulnerability.
Impact
Successful exploitation will allow an attacker to gain administrative privileges on the target
application through a CSRF attack.
Solution
Solution type: VendorFix
Upgrade to version 4.3.1 or later.
Affected Software/OS
TWiki version prior to 4.3.1
Vulnerability Insight
Remote authenticated user can create a specially crafted image tag that, when viewed by the
target user, will update pages on the target system with the privileges of the target user via
HTTP requests.
References
CVE: CVE-2009-1339
Other:
URL:http://secunia.com/advisories/34880
URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526258
URL:http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-diff-cve-2009-1339.txt
Summary
Debugging functions are enabled on the remote web server.
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
Impact
An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
Solution
Solution type: Mitigation
Disable the TRACE and TRACK methods in your web server configuration.
Please see the manual of your web server or the references for more information.
Affected Software/OS
Web servers with enabled TRACE and/or TRACK methods.
Vulnerability Insight
It has been shown that web servers supporting these methods are subject to cross-site-scripting
attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses
in browsers.
References
CVE: CVE-2003-1567, CVE-2004-2320, CVE-2004-2763, CVE-2005-3398, CVE-2006-4683,
CVE-2007-3008, CVE-2008-7253, CVE-2009-2823, CVE-2010-0386, CVE-2012-2223, CVE-2014-7883
BID:9506, 9561, 11604, 15222, 19915, 24456, 33374, 36956, 36990, 37995
Other:
URL:http://www.kb.cert.org/vuls/id/288308
URL:http://www.kb.cert.org/vuls/id/867593
URL:http://httpd.apache.org/docs/current/de/mod/core.html#traceenable
URL:https://www.owasp.org/index.php/Cross_Site_Tracing
Summary
Solution
Solution type: Mitigation
Use access restrictions for the /doc directory. If you use Apache you might use this in your
access.conf:
<Directory /usr/doc>
    AllowOverride None
    order deny,allow
    deny from all
    allow from localhost
</Directory>
References
CVE: CVE-1999-0678
BID:318
Summary
The host is installed with Tiki Wiki CMS Groupware and is prone to a local file inclusion
vulnerability.
Impact
Successful exploitation will allow a user having access to the admin backend to gain access to
arbitrary files and to compromise the application.
Solution
Solution type: VendorFix
Upgrade to Tiki Wiki CMS Groupware version 12.11 LTS, 15.4 or later.
Affected Software/OS
Tiki Wiki CMS Groupware versions:
- below 12.11 LTS
- 13.x, 14.x and 15.x below 15.4
Vulnerability Insight
The flaw is due to improper sanitization of input passed to the 'fixedURLData' parameter of
the 'display_banner.php' script.
References
CVE: CVE-2016-10143
Other:
URL:http://tiki.org/article445-Security-updates-Tiki-16-2-15-4-and-Tiki-12-11-
,→released
URL:https://sourceforge.net/p/tikiwiki/code/60308/
URL:https://tiki.org
Summary
bin/statistics in TWiki 6.0.2 allows XSS via the webs parameter.
Solution
Solution type: VendorFix
Affected Software/OS
TWiki version 6.0.2 and probably prior.
References
CVE: CVE-2018-20212
Other:
URL:https://seclists.org/fulldisclosure/2019/Jan/7
URL:http://twiki.org/cgi-bin/view/Codev/DownloadTWiki
Summary
The host is installed with Tiki Wiki CMS Groupware and is prone to input sanitation weakness
vulnerability.
Impact
Successful exploitation could allow arbitrary code execution in the context of an affected site.
Impact Level: Application
Solution
Solution type: VendorFix
Affected Software/OS
Tiki Wiki CMS Groupware versions prior to 2.2 on all platforms
Vulnerability Insight
The vulnerability is due to input validation error in tiki-error.php which fails to sanitise before
being returned to the user.
References
CVE: CVE-2008-5318, CVE-2008-5319
Other:
URL:http://secunia.com/advisories/32341
URL:http://info.tikiwiki.org/tiki-read_article.php?articleId=41
Summary
awiki is prone to multiple local file-include vulnerabilities because it fails to properly sanitize
user-supplied input.
Impact
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute
arbitrary local scripts in the context of the webserver process. This may allow the attacker to
compromise the application and the host. Other attacks are also possible.
Solution
Solution type: WillNotFix
No known solution was made available for at least one year since the disclosure of this
vulnerability, and likely none will be provided anymore. General solution options are to upgrade
to a newer release, disable the respective features, or remove the product or replace it with
another one.
Affected Software/OS
awiki 20100125 is vulnerable. Other versions may also be affected.
References
BID:49187
Other:
URL:https://www.exploit-db.com/exploits/36047/
URL:http://www.securityfocus.com/bid/49187
URL:http://www.kobaonline.com/awiki/
Summary
The host / application transmits sensitive information (username, passwords) in cleartext via
HTTP.
Impact
An attacker positioned as a man-in-the-middle could eavesdrop on or tamper with the HTTP
communication between client and server and obtain sensitive data such as usernames or
passwords.
Solution
Solution type: Workaround
Enforce the transmission of sensitive data over an encrypted SSL/TLS connection. Additionally,
make sure the host / application redirects all users to the SSL/TLS-secured connection before
they can enter sensitive data into the affected functions.
Aected Software/OS
Hosts / applications which do not enforce the transmission of sensitive data over an encrypted
SSL/TLS connection.
References
Other:
URL:https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management
URL:https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
URL:https://cwe.mitre.org/data/definitions/319.html
Summary
The host is running phpMyAdmin and is prone to Cross-Site Scripting Vulnerability.
Impact
Successful exploitation will allow attackers to inject arbitrary HTML code within the error page
and conduct phishing attacks.
Solution
Solution type: WillNotFix
No known solution was made available for at least one year since the disclosure of this
vulnerability, and likely none will be provided anymore. General solution options are to upgrade
to a newer release, disable the respective features, or remove the product or replace it with
another one.
Affected Software/OS
phpMyAdmin version 3.3.8.1 and prior.
Vulnerability Insight
References
CVE: CVE-2010-4480
Other:
URL:http://www.exploit-db.com/exploits/15699/
URL:http://www.vupen.com/english/advisories/2010/3133
Summary
This host is running Apache HTTP Server and is prone to a cookie information disclosure
vulnerability.
Impact
Successful exploitation will allow attackers to obtain sensitive information that may aid in further
attacks.
Solution
Solution type: VendorFix
Upgrade to Apache HTTP Server version 2.2.22 or later.
Affected Software/OS
Apache HTTP Server versions 2.2.0 through 2.2.21
Vulnerability Insight
The flaw is due to an error within the default error response for status code 400 when no custom
ErrorDocument is configured, which can be exploited to expose 'httpOnly' cookies.
References
CVE: CVE-2012-0053
BID:51706
Other:
URL:http://secunia.com/advisories/47779
URL:http://www.exploit-db.com/exploits/18442
URL:http://rhn.redhat.com/errata/RHSA-2012-0128.html
URL:http://httpd.apache.org/security/vulnerabilities_22.html
URL:http://svn.apache.org/viewvc?view=revision&revision=1235454
URL:http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00026.html
[ return to 192.168.87.129 ]
Summary
The remote host is running a Telnet service that allows cleartext logins over unencrypted
connections.
Impact
An attacker can uncover login names and passwords by sniffing traffic to the Telnet service.
Solution
Solution type: Mitigation
Replace Telnet with a protocol like SSH which supports encrypted connections.
Summary
The remote SSH server is configured to allow weak encryption algorithms.
Solution
Solution type: Mitigation
Disable the weak encryption algorithms.
Vulnerability Insight
The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed
to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak
keys and should not be used anymore.
The `none` algorithm specifies that no encryption is to be done. Note that this method provides
no confidentiality protection, and it is NOT RECOMMENDED to use it.
A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to
recover plaintext from a block of ciphertext.
References
Other:
URL:https://tools.ietf.org/html/rfc4253#section-6.3
URL:https://www.kb.cert.org/vuls/id/958563
Summary
Reports if the remote FTP Server allows anonymous logins.
Impact
Based on the files accessible via this anonymous FTP login and the permissions of this account
an attacker might be able to:
- gain access to sensitive files
- upload or delete files.
Solution
Solution type: Mitigation
If you do not want to share les, you should disable anonymous logins.
Vulnerability Insight
A host that provides an FTP service may additionally provide Anonymous FTP access as well.
Under this arrangement, users do not strictly need an account on the host. Instead the user
typically enters 'anonymous' or 'ftp' when prompted for username. Although users are commonly
asked to send their email address as their password, little to no verification is actually performed
on the supplied data.
References
Other:
URL:https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0497
Summary
The remote host is running an FTP service that allows cleartext logins over unencrypted
connections.
Impact
An attacker can uncover login names and passwords by sniffing traffic to the FTP service.
Solution
Solution type: Mitigation
Enable FTPS or enforce the connection via the 'AUTH TLS' command. Please see the manual
of the FTP service for more information.
Summary
The remote host is running a VNC server providing one or more insecure or cryptographically
weak Security Type(s) not intended for use on untrusted networks.
Impact
An attacker can uncover sensitive data by sniffing traffic to the VNC server.
Solution
Solution type: Mitigation
Run the session over an encrypted channel provided by IPsec [RFC4301] or SSH [RFC4254].
Some VNC server vendors are also providing more secure Security Types within their products.
References
Other:
URL:https://tools.ietf.org/html/rfc6143#page-10
Summary
OpenSSL is prone to a security-bypass vulnerability.
Impact
Successfully exploiting this issue may allow attackers to obtain sensitive information by
conducting a man-in-the-middle attack. This may lead to other attacks.
Solution
Solution type: VendorFix
Updates are available. Please see the references for more information.
Affected Software/OS
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m and 1.0.1 before 1.0.1h.
Vulnerability Insight
OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows
man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-
OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via
a crafted TLS handshake, aka the 'CCS Injection' vulnerability.
References
CVE: CVE-2014-0224
BID:67899
Other:
URL:https://www.openssl.org/news/secadv/20140605.txt
URL:http://www.securityfocus.com/bid/67899
URL:http://openssl.org/
Summary
The remote server's SSL/TLS certificate has already expired.
Solution
Solution type: Mitigation
Replace the SSL/TLS certificate by a new one.
Vulnerability Insight
This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the
target and reports whether any have already expired.
Summary
This host is prone to an information disclosure vulnerability.
Impact
Successful exploitation will allow a man-in-the-middle attacker to gain access to the plaintext
data stream.
Solution
Solution type: Mitigation
Possible Mitigations are:
- Disable SSLv3
- Disable cipher suites supporting CBC cipher modes
- Enable TLS_FALLBACK_SCSV if the service is providing TLSv1.0+
Vulnerability Insight
The flaw is due to the block cipher padding not being deterministic and not being covered by the
Message Authentication Code.
Summary
It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this
system.
Impact
An attacker might be able to use the known cryptographic flaws to eavesdrop on the connection
between clients and the service and gain access to sensitive data transferred within the secured
connection.
Solution
Solution type: Mitigation
It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the
TLSv1+ protocols. Please see the references for more information.
Affected Software/OS
All services providing an encrypted communication using the SSLv2 and/or SSLv3 protocols.
Vulnerability Insight
The SSLv2 and SSLv3 protocols contain known cryptographic flaws such as:
- Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566)
- Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)
References
CVE: CVE-2016-0800, CVE-2014-3566
Other:
URL:https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
URL:https://bettercrypto.org/
URL:https://mozilla.github.io/server-side-tls/ssl-config-generator/
URL:https://drownattack.com/
URL:https://www.imperialviolet.org/2014/10/14/poodle.html
Summary
This routine reports all weak SSL/TLS cipher suites accepted by a service.
NOTE: No severity is reported for SMTP services offering 'Opportunistic TLS' with weak cipher
suites on port 25/tcp: if only strong cipher suites were configured, a peer that does not support
them would fall back to cleartext communication, which is even less secure.
Solution
Solution type: Mitigation
The configuration of this service should be changed so that it no longer accepts the listed weak
cipher suites.
Please see the references for more resources supporting you with this task.
Vulnerability Insight
These rules are applied when evaluating the cryptographic strength:
- RC4 is considered weak (CVE-2013-2566, CVE-2015-2808).
- Ciphers using keys of 64 bits or less are considered vulnerable to brute-force attacks and
therefore weak (CVE-2015-4000).
- 1024-bit RSA authentication is considered insecure and therefore weak.
- Any cipher considered secure for only the next 10 years is considered medium.
- Any other cipher is considered strong.
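The rules above can be applied mechanically to the output of `openssl ciphers -v` on the target's cipher list. The following Python is an added example written for this page, not the scanner's own evaluation code. The cipher lines in it are constructed; the RSA key size must be supplied by the caller, because it comes from the server certificate rather than the suite name; and grading 3DES as 'medium' (112-bit effective strength) is this example's own assumption rather than a rule stated in the finding.

```python
"""Grade TLS cipher suites with the weak/medium/strong rules quoted above.

Added example for this page, not the scanner's own code. Input lines use the
`openssl ciphers -v` format. The sample lines and the RSA key size passed to
audit() are constructed; 3DES -> 'medium' is an assumption of this example.
"""
import re

# One `openssl ciphers -v` line, e.g.
#   ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
# Enc= may lack a bit count ("Enc=None") and export suites end with " export".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

# Constructed sample: the kind of list a legacy server might be seen accepting.
SAMPLE_CIPHERS = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
"""


def classify(line, rsa_auth_bits=None):
    """Return (grade, reasons) for one cipher line.

    rsa_auth_bits is the size of the server's RSA certificate key. It is not
    part of the cipher name, so pass it when the suite authenticates with RSA.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an `openssl ciphers -v` line: {line!r}")
    enc = m["enc"].upper()
    bits = int(m["bits"] or 0)
    reasons = []
    if enc == "NONE":
        reasons.append("no encryption")
    if enc.startswith("RC4"):
        reasons.append("RC4 (CVE-2013-2566, CVE-2015-2808)")
    if bits <= 64:
        reasons.append(f"{bits}-bit key, brute-forceable")
    if m["name"].startswith("EXP") or line.rstrip().endswith(" export"):
        reasons.append("export-grade suite")
    if m["au"] == "RSA" and rsa_auth_bits is not None and rsa_auth_bits <= 1024:
        reasons.append(f"{rsa_auth_bits}-bit RSA authentication")
    if reasons:
        return "weak", reasons
    if enc == "3DES":
        # Assumption of this example: 112-bit effective strength, i.e. "secure
        # for only the next 10 years" in the scanner's wording.
        return "medium", ["3DES"]
    return "strong", []


def audit(cipher_list, rsa_auth_bits=None):
    """Grade every non-empty line; returns {suite name: (grade, reasons)}."""
    report = {}
    for line in cipher_list.splitlines():
        if line.strip():
            name = line.split()[0]
            report[name] = classify(line, rsa_auth_bits)
    return report


if __name__ == "__main__":
    for name, (grade, why) in audit(SAMPLE_CIPHERS, rsa_auth_bits=2048).items():
        print(f"{grade:6} {name:28} {'; '.join(why)}")
```

Feed it `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` filtered to the suites the target actually negotiated, and the RSA key size read from the server certificate, to reproduce the scanner's grading offline.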
References
Summary
The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).
Impact
An attacker might be able to decrypt the SSL/TLS communication offline.
Solution
Solution type: Workaround
Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger
Diffie-Hellman group (see the references).
For Apache Web Servers: Beginning with version 2.4.7, mod_ssl will use DH parameters which
include primes with lengths of more than 1024 bits.
Vulnerability Insight
The Diffie-Hellman group is a set of large numbers used as the base for the DH computations.
They can be, and often are, fixed. The security of the final secret depends on the size of these
parameters. 512- and 768-bit groups have been found to be weak, and 1024-bit groups to be
breakable by very powerful attackers such as governments.
References
Other:
URL:https://weakdh.org/
URL:https://weakdh.org/sysadmin.html
Summary
The remote service is using an SSL/TLS certificate in the certificate chain that has been signed
using a cryptographically weak hashing algorithm.
Solution
Solution type: Mitigation
Servers that use SSL/TLS certificates signed with a weak SHA-1, MD5, MD4 or MD2 hashing
algorithm will need to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser
SSL/TLS certificate warnings.
Vulnerability Insight
The following hashing algorithms used for signing SSL/TLS certificates are considered
cryptographically weak and not secure enough for ongoing use:
- Secure Hash Algorithm 1 (SHA-1)
- Message Digest 5 (MD5)
- Message Digest 4 (MD4)
- Message Digest 2 (MD2)
Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft
and Google will begin warning users when visiting web sites that use SHA-1 signed Secure Socket
Layer (SSL) certificates.
NOTE: The script preference allows one or more custom SHA-1 fingerprints of CA certificates
trusted by this routine to be set. The fingerprints need to be passed comma-separated and are
matched case-insensitively:
Fingerprint1
or
fingerprint1,Fingerprint2
References
Other:
URL:https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with
Summary
Multiple vendors' implementations of 'STARTTLS' are prone to a vulnerability that lets attackers
inject arbitrary commands.
Impact
An attacker can exploit this issue to execute arbitrary commands in the context of the user
running the application. Successful exploits can allow attackers to obtain email usernames and
passwords.
Solution
Solution type: VendorFix
Updates are available. Please see the references for more information.
Affected Software/OS
The following vendors are affected:
Ipswitch
Kerio
Postfix
Qmail-TLS
Oracle
SCO Group
spamdyke
ISC
References
CVE: CVE-2011-0411, CVE-2011-1430, CVE-2011-1431, CVE-2011-1432, CVE-2011-1506,
Summary
The remote server's SSL/TLS certificate has already expired.
Solution
Solution type: Mitigation
Replace the SSL/TLS certificate by a new one.
Vulnerability Insight
This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the
target and reports whether any have already expired.
Summary
The Mailserver on this host answers to VRFY and/or EXPN requests.
Solution
Solution type: Workaround
Disable VRFY and/or EXPN on your Mailserver.
For Postfix add 'disable_vrfy_command=yes' to 'main.cf'.
For Sendmail add the option 'O PrivacyOptions=goaway'.
It is suggested that, if you really want to publish this type of information, you use a mechanism
that legitimate users actually know about, such as Finger or HTTP.
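The exchange behind this finding is short enough to reproduce by hand, and the reply code tells you whether the server actually discloses anything: a 250/251 returns a mailbox, a 252 says "cannot verify, will try to deliver" (no disclosure), and a 500/502 means the command is refused, which is what Postfix answers once 'disable_vrfy_command=yes' is set. The following Python is an added example for this page, not the scanner's code. The SMTP server in it is a constructed in-process stand-in that answers VRFY with a disclosing 250 and EXPN with a 502, so the exchange runs offline; point probe_vrfy_expn() at a real host only inside the engagement's scope.

```python
"""Probe an SMTP service for VRFY/EXPN and show the exchange behind the finding.

Added example for this page, not the scanner's code. The server below is a
constructed in-process stand-in (VRFY -> 250, EXPN -> 502) so the exchange
runs offline.
"""
import socket
import threading

# 250/251 return a mailbox (information disclosure); 252 means "cannot verify,
# will try to deliver" (no disclosure); 500/502 mean the command is refused.
DISCLOSING_CODES = {"250", "251"}


def _send(sock, line):
    sock.sendall((line + "\r\n").encode("ascii"))


def _recv_line(reader):
    return reader.readline().decode("ascii", errors="replace").rstrip("\r\n")


def probe_vrfy_expn(host, port, user="root", timeout=5.0):
    """Send VRFY and EXPN for `user`; return each reply and whether it discloses."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("rb")
        banner = _recv_line(reader)
        _send(s, "EHLO probe.example")
        while True:  # EHLO replies may span several "250-" continuation lines
            line = _recv_line(reader)
            if len(line) < 4 or line[3] != "-":
                break
        results = {"banner": banner}
        for cmd in ("VRFY", "EXPN"):
            _send(s, f"{cmd} {user}")
            reply = _recv_line(reader)
            results[cmd] = {"reply": reply, "disclosing": reply[:3] in DISCLOSING_CODES}
        _send(s, "QUIT")
        return results


# --- constructed stand-in server, not a real MTA ---------------------------
FAKE_REPLIES = {
    "VRFY": "250 2.1.5 root <root@mail.example>",   # discloses a mailbox
    "EXPN": "502 5.5.1 EXPN command is disabled",     # what a hardened MTA says
}


def start_fake_smtp_server():
    """Serve one client on 127.0.0.1 in a background thread; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            reader = conn.makefile("rb")
            _send(conn, "220 mail.example ESMTP (constructed sample)")
            while True:
                line = _recv_line(reader)
                if not line:  # client went away
                    break
                verb = line.split(" ", 1)[0].upper()
                if verb == "EHLO":
                    _send(conn, "250-mail.example")
                    _send(conn, "250 VRFY")
                elif verb in FAKE_REPLIES:
                    _send(conn, FAKE_REPLIES[verb])
                elif verb == "QUIT":
                    _send(conn, "221 2.0.0 Bye")
                    break
                else:
                    _send(conn, "500 5.5.2 Command not recognized")

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Run the probe against the constructed server."""
    port = start_fake_smtp_server()
    return probe_vrfy_expn("127.0.0.1", port)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

After applying the Postfix or Sendmail setting above, rerun the probe: both commands should come back with a 5xx (or at most a non-disclosing 252), and the "disclosing" flag should be False for each.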
Vulnerability Insight
VRFY and EXPN ask the server for information about an address. They are inherently unusable
through firewalls, gateways, mail exchangers for part-time hosts, etc.
References
Other:
URL:http://cr.yp.to/smtp/vrfy.html
Summary
This host is prone to an information disclosure vulnerability.
Impact
Successful exploitation will allow a man-in-the-middle attacker to gain access to the plaintext
data stream.
Solution
Solution type: Mitigation
Possible Mitigations are:
- Disable SSLv3
- Disable cipher suites supporting CBC cipher modes
- Enable TLS_FALLBACK_SCSV if the service is providing TLSv1.0+
Vulnerability Insight
The flaw is due to the block cipher padding not being deterministic and not being covered by the
Message Authentication Code.
References
CVE: CVE-2014-3566
BID:70574
Other:
URL:https://www.openssl.org/~bodo/ssl-poodle.pdf
URL:https://www.imperialviolet.org/2014/10/14/poodle.html
URL:https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
URL:http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploiting-ssl-30.html
Summary
This host is accepting 'RSA_EXPORT' cipher suites and is prone to man in the middle attack.
Impact
Successful exploitation will allow a remote attacker to downgrade the security of a session to use
'RSA_EXPORT' cipher suites, which are significantly weaker than non-export cipher suites.
This may allow a man-in-the-middle attacker to more easily break the encryption and monitor
or tamper with the encrypted stream.
Solution
Solution type: VendorFix
- Remove support for 'RSA_EXPORT' cipher suites from the service.
- If running OpenSSL update to version 0.9.8zd or 1.0.0p or 1.0.1k or later.
Aected Software/OS
- Hosts accepting 'RSA_EXPORT' cipher suites
- OpenSSL version before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k.
Vulnerability Insight
The flaw is due to improper handling of RSA temporary keys in a non-export RSA key exchange
cipher suite.
References
CVE: CVE-2015-0204
BID:71936
Other:
URL:https://freakattack.com
URL:http://secpod.org/blog/?p=3818
URL:http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
URL:https://www.openssl.org
Summary
This host is accepting 'DHE_EXPORT' cipher suites and is prone to man in the middle attack.
Impact
Successful exploitation will allow a man-in-the-middle attacker to downgrade the security of a
TLS session to 512-bit export-grade cryptography, which is significantly weaker, allowing the
attacker to more easily break the encryption and monitor or tamper with the encrypted stream.
Solution
Solution type: VendorFix
- Remove support for 'DHE_EXPORT' cipher suites from the service
- If running OpenSSL update to version 1.0.2b or 1.0.1n or later.
Affected Software/OS
- Hosts accepting 'DHE_EXPORT' cipher suites
- OpenSSL version before 1.0.2b and 1.0.1n
Vulnerability Insight
The flaw is triggered when handling Diffie-Hellman key exchanges defined in the 'DHE_EXPORT'
cipher suites.
References
CVE: CVE-2015-4000
BID:74733
Other:
URL:https://weakdh.org
URL:https://weakdh.org/imperfect-forward-secrecy.pdf
URL:http://openwall.com/lists/oss-security/2015/05/20/8
URL:https://blog.cloudflare.com/logjam-the-latest-tls-vulnerability-explained
Summary
It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this
system.
Impact
An attacker might be able to use the known cryptographic flaws to eavesdrop on the connection
between clients and the service and gain access to sensitive data transferred within the secured
connection.
Solution
Solution type: Mitigation
It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the
TLSv1+ protocols. Please see the references for more information.
Affected Software/OS
All services providing an encrypted communication using the SSLv2 and/or SSLv3 protocols.
Vulnerability Insight
The SSLv2 and SSLv3 protocols contain known cryptographic flaws such as:
- Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566)
- Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)
References
CVE: CVE-2016-0800, CVE-2014-3566
Other:
URL:https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report
URL:https://bettercrypto.org/
Summary
The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).
Impact
An attacker might be able to decrypt the SSL/TLS communication offline.
Solution
Solution type: Workaround
Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger
Diffie-Hellman group (see the references).
For Apache Web Servers: Beginning with version 2.4.7, mod_ssl will use DH parameters which
include primes with lengths of more than 1024 bits.
Vulnerability Insight
The Diffie-Hellman group is a set of large numbers used as the base for the DH computations.
They can be, and often are, fixed. The security of the final secret depends on the size of these
parameters. 512- and 768-bit groups have been found to be weak, and 1024-bit groups to be
breakable by very powerful attackers such as governments.
References
Other:
URL:https://weakdh.org/
URL:https://weakdh.org/sysadmin.html
Summary
Solution
Solution type: Mitigation
Servers that use SSL/TLS certificates signed with a weak SHA-1, MD5, MD4 or MD2 hashing
algorithm will need to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser
SSL/TLS certificate warnings.
Vulnerability Insight
The following hashing algorithms used for signing SSL/TLS certificates are considered
cryptographically weak and not secure enough for ongoing use:
- Secure Hash Algorithm 1 (SHA-1)
- Message Digest 5 (MD5)
- Message Digest 4 (MD4)
- Message Digest 2 (MD2)
Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft
and Google will begin warning users when visiting web sites that use SHA-1 signed Secure Socket
Layer (SSL) certificates.
NOTE: The script preference allows one or more custom SHA-1 fingerprints of CA certificates
trusted by this routine to be set. The fingerprints need to be passed comma-separated and are
matched case-insensitively:
Fingerprint1
or
fingerprint1,Fingerprint2
References
Other:
URL:https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
Summary
Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands
because the software fails to sanitize user-supplied input.
Impact
An attacker may leverage this issue to execute arbitrary shell commands on an affected system
with the privileges of the application.
Solution
Solution type: VendorFix
Updates are available. Please see the referenced vendor advisory.
Affected Software/OS
This issue affects Samba 3.0.0 to 3.0.25rc3.
References
CVE: CVE-2007-2447
BID:23972
Other:
URL:http://www.securityfocus.com/bid/23972
URL:https://www.samba.org/samba/security/CVE-2007-2447.html
Summary
The remote host is running an FTP service that allows cleartext logins over unencrypted
connections.
Impact
An attacker can uncover login names and passwords by sniffing traffic to the FTP service.
Solution
Solution type: Mitigation
Enable FTPS or enforce the connection via the 'AUTH TLS' command. Please see the manual
of the FTP service for more information.
Summary
Solution
Solution type: VendorFix
Upgrade to version 18.0 or later.
Affected Software/OS
Tiki Wiki CMS Groupware prior to version 18.0.
References
CVE: CVE-2018-7188
Other:
URL:http://openwall.com/lists/oss-security/2018/02/16/1
Summary
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.
Solution
Solution type: Mitigation
Disable the weak MAC algorithms.
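The two SSH findings on this host (weak encryption algorithms: arcfour, none and CBC-mode ciphers; weak MACs: MD5-based and 96-bit) are both fixed in sshd_config, and it is worth checking the file rather than trusting the scanner's view of a single port. The following Python is an added example for this page, not OpenSSH's or the scanner's code. The sample config and the replacement algorithm lists are constructed; confirm what the target's OpenSSH build supports with `ssh -Q cipher` and `ssh -Q mac` before deploying the hardened lines.

```python
"""Find the weak SSH algorithms named in the two SSH findings above in an
sshd_config and emit replacement Ciphers/MACs lines.

Added example for this page, not OpenSSH's or the scanner's code. The sample
config and the hardened lists are constructed.
"""
import re

# Constructed sshd_config fragment with a permissive algorithm selection.
SAMPLE_SSHD_CONFIG = """\
Port 22
Ciphers aes128-ctr,aes256-ctr,arcfour,arcfour128,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96,hmac-md5-96
"""

# Replacement lists (assumption of this example): AEAD and CTR ciphers,
# SHA-2 MACs with the encrypt-then-MAC variants listed first.
HARDENED = {
    "Ciphers": [
        "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr",
    ],
    "MACs": [
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512", "hmac-sha2-256",
    ],
}


def is_weak_cipher(name):
    """arcfour/RC4, the `none` cipher and any CBC-mode cipher (the CBC finding)."""
    n = name.lower()
    return n == "none" or n.startswith("arcfour") or n.endswith("-cbc")


def is_weak_mac(name):
    """MD5-based MACs and 96-bit truncated tags; '-96' may be followed by
    '-etm' or '@openssh.com'."""
    n = name.lower()
    return "md5" in n or re.search(r"-96(?=-|@|$)", n) is not None


def parse_algorithms(config_text):
    """Return {'Ciphers': [...], 'MACs': [...]} from the first directive of each
    kind; sshd honours the first occurrence and ignores later ones. A missing
    directive means the build's compiled-in default list applies."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = {"ciphers": "Ciphers", "macs": "MACs"}.get(parts[0].lower())
        if key and key not in found:
            found[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return found


def audit(config_text):
    """Weak algorithms offered by the config, per directive."""
    algos = parse_algorithms(config_text)
    return {
        "Ciphers": [c for c in algos.get("Ciphers", []) if is_weak_cipher(c)],
        "MACs": [m for m in algos.get("MACs", []) if is_weak_mac(m)],
    }


def hardened_lines():
    """Directive lines to replace the existing Ciphers/MACs entries."""
    return [f"{key} {','.join(values)}" for key, values in HARDENED.items()]


if __name__ == "__main__":
    print("weak:", audit(SAMPLE_SSHD_CONFIG))
    print("\n".join(hardened_lines()))
```

Run `sshd -t` after editing and keep an existing session open while restarting the service, so a typo in the algorithm list cannot lock you out.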
Summary
The remote host implements TCP timestamps and therefore allows its uptime to be computed.
Impact
A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Solution
Solution type: Mitigation
To disable TCP timestamps on Linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf and execute 'sysctl -p' to apply the setting at runtime.
To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'.
Starting with Windows Server 2008 and Vista, the timestamp cannot be completely disabled.
The default behaviour of the TCP/IP stack on these systems is not to use the timestamp option
when initiating TCP connections, but to use it if the TCP peer that initiates communication
includes it in its synchronize (SYN) segment.
See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152
Affected Software/OS
TCP/IPv4 implementations that implement RFC1323.
Vulnerability Insight
The remote host implements TCP timestamps, as dened by RFC1323.
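The uptime computation the finding refers to works because the TSval field in each reply is a counter that, on classic Linux kernels, starts near zero at boot and ticks at a fixed rate: two samples give the tick rate, and the last TSval divided by that rate gives the uptime (useful to an attacker for judging whether a host was rebooted after patching). The following Python is an added example for this page, not the scanner's code. The samples are constructed (seconds since the first probe, TSval seen in the reply), the list of common tick rates is an assumption, and the method does not apply to stacks that randomise the TSval offset per connection.

```python
"""Estimate a host's uptime from TCP timestamp (TSval) samples, the side
effect described in the finding above.

Added example for this page, not the scanner's code. Samples are constructed
(seconds since first probe, TSval in reply); the HZ list is an assumption.
"""

# Tick rates commonly seen in practice (assumption of this example).
COMMON_HZ = (100, 250, 300, 1000)

# Constructed samples: about 1000 ticks per second, host booted about a day ago.
SAMPLE_TSVALS = [(0.0, 86_400_500), (5.0, 86_405_500), (10.0, 86_410_500)]


def estimate_tick_rate(samples):
    """Ticks per second between first and last sample, snapped to a common HZ."""
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must span a positive interval")
    # TSval is a 32-bit counter; unwrap a single wrap-around between samples.
    delta_ts = (ts1 - ts0) % (1 << 32)
    rate = delta_ts / (t1 - t0)
    return min(COMMON_HZ, key=lambda hz: abs(hz - rate))


def estimate_uptime_seconds(samples):
    """Uptime at the time of the last sample, assuming TSval started at boot."""
    hz = estimate_tick_rate(samples)
    _, ts_last = samples[-1]
    return ts_last / hz


def format_uptime(seconds):
    days, rem = divmod(int(seconds), 86_400)
    hours, rem = divmod(rem, 3_600)
    return f"{days}d {hours}h {rem // 60}m"


if __name__ == "__main__":
    up = estimate_uptime_seconds(SAMPLE_TSVALS)
    print(f"tick rate {estimate_tick_rate(SAMPLE_TSVALS)} Hz, uptime ~{format_uptime(up)}")
```

After setting 'net.ipv4.tcp_timestamps = 0' the replies carry no TSval at all, so there is nothing to sample; on Windows the option is only echoed when the probing side sends it first, which is why the finding notes it cannot be fully disabled there.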
References
Other:
URL:http://www.ietf.org/rfc/rfc1323.txt