ASIX/M17/UF2/PT1

De Lordwektabyte Wiki
< ASIX/M17/UF2
La revisió el 11:34, 15 abr 2020 per Guillem (discussió | contribucions) (Guillem ha mogut M17/UF2/PT1 a ASIX/M17/UF2/PT1 sense deixar una redirecció: Crear subnivell ASIX)
(dif) ← Versió més antiga | Versió actual (dif) | Versió més nova → (dif)
Salta a la navegació Salta a la cerca
I Summary
=========

This document reports on the results of an automatic security scan.
The report first summarises the results found.
Then, for each host, the report describes every issue found.
Please consider the advice given in each description, in order to rectify
the issue.

All dates are displayed using the timezone "Coordinated Universal Time",
which is abbreviated "UTC".

Vendor security updates are not trusted.

Overrides are on.  When a result has an override, this report uses the
threat of the override.

Notes are included in the report.Information on overrides is included in the report.

This report might not show details of all issues that were found.
It only lists hosts that produced issues.
Issues with the threat level "Log" are not shown.
Issues with the threat level "Debug" are not shown.
Issues with the threat level "False Positive" are not shown.
Only results with a minimum QoD of 70 are shown.

This report contains all 5 results selected by the
filtering described above.  Before filtering there were 155 results.

Scan started: Fri Mar 1 14:54:15 2019 UTC
Scan ended:   Fri Mar 1 15:41:58 2019 UTC
Task:         Nose OVA

Host Summary
************

Host            High  Medium  Low  Log  False Positive
10.17.3.6          0       3    2    0               0
Total: 1           0       3    2    0               0


II Results per Host
===================

Host 10.17.3.6
**************

Scanning of this host started at: Fri Mar 1 15:21:42 2019 UTC
Number of results: 5

Port Summary for Host 10.17.3.6
-------------------------------

Service (Port)          Threat Level
22/tcp                  Medium
general/tcp             Low
80/tcp                  Medium

Security Issues for Host 10.17.3.6
----------------------------------

Issue
-----
NVT:    HTTP Debugging Methods (TRACE/TRACK) Enabled
OID:    1.3.6.1.4.1.25623.1.0.11213
Threat: Medium (CVSS: 5.8)
Port:   80/tcp

Summary:
Debugging functions are enabled on the remote web server.
  The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK
  are HTTP methods which are used to debug web server connections.

Vulnerability Detection Result:
The web server has the following HTTP methods enabled: TRACE

Impact:
An attacker may use this flaw to trick your legitimate web users to give
  him their credentials.

Solution:
Solution type: Mitigation
Disable the TRACE and TRACK methods in your web server configuration.
  Please see the manual of your web server or the references for more informatio!
n.

Affected Software/OS:
Web servers with enabled TRACE and/or TRACK methods.

Vulnerability Insight:
It has been shown that web servers supporting this methods are
  subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, wh!
en used in
  conjunction with various weaknesses in browsers.

Vulnerability Detection Method:
Details:
HTTP Debugging Methods (TRACE/TRACK) Enabled
(OID: 1.3.6.1.4.1.25623.1.0.11213)
Version used: $Revision: 10828 $

References:
CVE: CVE-2003-1567, CVE-2004-2320, CVE-2004-2763, CVE-2005-3398, CVE-2006-4683, CVE-2007-3008, CVE-2008-7253, CVE-2009-2823, CVE-2010-0386, CVE-2012-2223, CVE-2014-7883
BID: 9506,  9561,  11604,  15222,  19915,  24456,  33374,  36956,  36990,  37995
CERT: CB-K14/0981
, DFN-CERT-2014-1018
, DFN-CERT-2010-0020

Other:
    http://www.kb.cert.org/vuls/id/288308
    http://www.kb.cert.org/vuls/id/867593
    http://httpd.apache.org/docs/current/de/mod/core.html#traceenable
    https://www.owasp.org/index.php/Cross_Site_Tracing


Issue
-----
NVT:    Linux Home Folder Accessible
OID:    1.3.6.1.4.1.25623.1.0.111108
Threat: Medium (CVSS: 5.0)
Port:   80/tcp

Summary:
The script attempts to identify files of a linux home folder accessible
  at the webserver.

Vulnerability Detection Result:
The following files were identified:
http://10.17.3.6/.bash_history

Impact:
Based on the information provided in this files an attacker might
  be able to gather additional info.

Solution:
Solution type: Mitigation
A users home folder shouldn't be accessible via a webserver. Restrict access to !
it or remove it completely.

Vulnerability Insight:
Currently the script is checking for the following files:
  - /.ssh/authorized_keys
  - /.ssh/known_hosts
  - /.ssh/identity
  - /.ssh/id_rsa
  - /.ssh/id_rsa.pub
  - /.ssh/id_dsa
  - /.ssh/id_dsa.pub
  - /.ssh/id_dss
  - /.ssh/id_dss.pub
  - /.ssh/id_ecdsa
  - /.ssh/id_ecdsa.pub
  - /.ssh/id_ed25519
  - /.ssh/id_ed25519.pub
  - /.mysql_history
  - /.sqlite_history
  - /.psql_history
  - /.sh_history
  - /.bash_history
  - /.profile
  - /.bashrc

Vulnerability Detection Method:
Check the response if files from a home folder are accessible.
Details:
Linux Home Folder Accessible
(OID: 1.3.6.1.4.1.25623.1.0.111108)
Version used: $Revision: 10157 $


Issue
-----
NVT:    SSH Weak Encryption Algorithms Supported
OID:    1.3.6.1.4.1.25623.1.0.105611
Threat: Medium (CVSS: 4.3)
Port:   22/tcp

Summary:
The remote SSH server is configured to allow weak encryption algorithms.

Vulnerability Detection Result:
The following weak client-to-server encryption algorithms are supported by the r!
emote service:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
The following weak server-to-client encryption algorithms are supported by the r!
emote service:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

Solution:
Solution type: Mitigation
Disable the weak encryption algorithms.

Vulnerability Insight:
The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys.
  The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]!
. Arcfour (and RC4) has problems
  with weak keys, and should not be used anymore.
  The `none` algorithm specifies that no encryption is to be done.
  Note that this method provides no confidentiality protection, and it
  is NOT RECOMMENDED to use it.
  A vulnerability exists in SSH messages that employ CBC mode that may allow an !
attacker to recover plaintext from a block of ciphertext.

Vulnerability Detection Method:
Check if remote ssh service supports Arcfour, none or CBC ciphers.
Details:
SSH Weak Encryption Algorithms Supported
(OID: 1.3.6.1.4.1.25623.1.0.105611)
Version used: $Revision: 13581 $

References:
Other:
    https://tools.ietf.org/html/rfc4253#section-6.3
    https://www.kb.cert.org/vuls/id/958563


Issue
-----
NVT:    SSH Weak MAC Algorithms Supported
OID:    1.3.6.1.4.1.25623.1.0.105610
Threat: Low (CVSS: 2.6)
Port:   22/tcp

Summary:
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorith!
ms.

Vulnerability Detection Result:
The following weak client-to-server MAC algorithms are supported by the remote s!
ervice:
hmac-md5
hmac-md5-96
hmac-sha1-96
The following weak server-to-client MAC algorithms are supported by the remote s!
ervice:
hmac-md5
hmac-md5-96
hmac-sha1-96

Solution:
Solution type: Mitigation
Disable the weak MAC algorithms.

Vulnerability Detection Method:
Details:
SSH Weak MAC Algorithms Supported
(OID: 1.3.6.1.4.1.25623.1.0.105610)
Version used: $Revision: 13581 $


Issue
-----
NVT:    TCP timestamps
OID:    1.3.6.1.4.1.25623.1.0.80091
Threat: Low (CVSS: 2.6)
Port:   general/tcp

Summary:
The remote host implements TCP timestamps and therefore allows to compute
  the uptime.

Vulnerability Detection Result:
It was detected that the host implements RFC1323.
The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 3183497
Packet 2: 3185039

Impact:
A side effect of this feature is that the uptime of the remote
  host can sometimes be computed.

Solution:
Solution type: Mitigation
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
  /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
  To disable TCP timestamps on Windows execute 'netsh int tcp set global timesta!
mps=disabled'
  Starting with Windows Server 2008 and Vista, the timestamp can not be complete!
ly disabled.
  The default behavior of the TCP/IP stack on this Systems is to not use the
  Timestamp options when initiating TCP connections, but use them if the TCP pee!
r
  that is initiating communication includes them in their synchronize (SYN) segm!
ent.
  See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

Affected Software/OS:
TCP/IPv4 implementations that implement RFC1323.

Vulnerability Insight:
The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method:
Special IP packets are forged and sent with a little delay in between to the
  target IP. The responses are searched for a timestamps. If found, the timestam!
ps are reported.
Details:
TCP timestamps
(OID: 1.3.6.1.4.1.25623.1.0.80091)
Version used: $Revision: 10411 $

References:
Other:
    http://www.ietf.org/rfc/rfc1323.txt