Nessus Report

Nessus Scan Report

02/Dec/2013:14:07:21

Table Of Contents
Remediations
Suggested Remediations
Vulnerabilities By Plugin
10357 (1) - Microsoft IIS MDAC RDS (msadcs.dll) Arbitrary Remote Command Execution
11808 (1) - MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)
11835 (1) - MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)
11890 (1) - MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)
12054 (1) - MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) (NTLM)
12209 (1) - MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)
13852 (1) - MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) (uncredentialed check)
18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
19407 (1) - MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)
19408 (1) - MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)
21193 (1) - MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)
21334 (1) - MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)
22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
58662 (1) - Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows
11161 (1) - Microsoft Data Access Components RDS Data Stub Remote Overflow
22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
47036 (1) - Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption
12213 (18) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS
56283 (14) - Linux Kernel TCP Sequence Number Generation Security Weakness
35291 (4) - SSL Certificate Signed using Weak Hashing Algorithm
18405 (3) - Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
70545 (3) - Dropbear SSH Server < 2013.59 Multiple Vulnerabilities
10815 (2) - Web Server Generic XSS
64588 (2) - Microsoft ASP.NET MS-DOS Device Name DoS
10595 (1) - DNS Server Zone Transfer Information Disclosure (AXFR)
11213 (1) - HTTP TRACE / TRACK Methods Allowed
26919 (1) - Microsoft Windows SMB Guest Account Local User Access
45517 (1) - MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)
50600 (1) - Apache Shiro URI Path Security Traversal Information Disclosure
55733 (1) - Samba 3.x < 3.3.16 / 3.4.14 / 3.5.10 Multiple Vulnerabilities
56210 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials
56211 (1) - SMB Use Host SID to Enumerate Local Users Without Credentials
64459 (1) - Samba < 3.5.21 / 3.6.12 / 4.0.2 SWAT Multiple Vulnerabilities
69276 (1) - Samba 3.x < 3.5.22 / 3.6.x < 3.6.17 / 4.0.x < 4.0.8 read_nttrans_ea_lis DoS
42880 (3) - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
10394 (7) - Microsoft Windows SMB Log In Possible

Remediations


Suggested Remediations

Taking the following actions across 10 hosts would resolve 20% of the vulnerabilities on the network:
Action to take | Vulns | Hosts
OpenSSH LoginGraceTime / MaxStartups DoS: Upgrade to OpenSSH 6.2 and review the associated server configuration settings. | 12 | 3
Samba 3.x < 3.5.22 / 3.6.x < 3.6.17 / 4.0.x < 4.0.8 read_nttrans_ea_lis DoS: Either install the patch referenced in the project's advisory, or upgrade to version 3.5.22 / 3.6.17 / 4.0.8 or later. | 9 | 1
Dropbear SSH Server < 2013.59 Multiple Vulnerabilities: Upgrade to Dropbear SSH 2013.59 or later. | 6 | 3
MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 4 | 1
Firewall UDP Packet Source Port 53 Ruleset Bypass: Either contact the vendor for an update or review the firewall rules settings. | 4 | 2
Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure: Apply the patch referenced above. | 1 | 1
MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 1 | 1
MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 1 | 1
Microsoft ASP.NET MS-DOS Device Name DoS: Use an ISAPI filter to block requests for URLs with MS-DOS device names. | 1 | 1

Vulnerabilities By Plugin


10357 (1) - Microsoft IIS MDAC RDS (msadcs.dll) Arbitrary Remote Command Execution

Synopsis

The remote web server is affected by a remote command execution vulnerability.

Description

The web server is probably susceptible to a common IIS vulnerability discovered by 'Rain Forest Puppy'. This vulnerability enables an attacker to execute arbitrary commands on the server with Administrator Privileges.

*** Nessus solely relied on the presence of the file /msadc/msadcs.dll
*** so this might be a false positive

See Also

http://support.microsoft.com/default.aspx?scid=kb;[LN];184375
http://technet.microsoft.com/en-us/security/bulletin/ms98-004
http://technet.microsoft.com/en-us/security/bulletin/ms99-025

Solution

Upgrade to MDAC version 2.1 SP2 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Delete the /msadc virtual directory in IIS.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

9.5 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 529
CVE CVE-1999-1011
XREF OSVDB:272
XREF CWE:264
XREF MSFT:MS98-004
XREF MSFT:MS99-025

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2000/04/01, Modification date: 2012/06/07

Hosts

192.168.1.146 (tcp/80)

11808 (1) - MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote version of Windows contains a flaw in the RemoteActivation() function of its RPC interface that could allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.

A series of worms (Blaster) is known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-026

Solution

Microsoft has released patches for Windows NT, 2000, XP, and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8205
CVE CVE-2003-0352
XREF OSVDB:2100
XREF MSFT:MS03-026

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2003/07/28, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

11835 (1) - MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.

An attacker or a worm could use it to gain control of this host.

Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-039

Solution

Microsoft has released patches for Windows NT, 2000, XP, and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8458
BID 8460
CVE CVE-2003-0715
CVE CVE-2003-0528
CVE CVE-2003-0605
XREF OSVDB:11460
XREF OSVDB:11797
XREF OSVDB:2535
XREF MSFT:MS03-039

Plugin Information:

Publication date: 2003/09/10, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

11890 (1) - MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected system or could cause the Messenger Service to fail. Disabling the Messenger Service will prevent the possibility of attack.

This plugin actually tests for the presence of this flaw.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-043

Solution

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8826
CVE CVE-2003-0717
XREF OSVDB:10936
XREF MSFT:MS03-043

Exploitable with

CANVAS (true)

Plugin Information:

Publication date: 2003/10/16, Modification date: 2013/11/04

Hosts

192.168.1.146 (udp/135)

12054 (1) - MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) (NTLM)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host.

To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths.

This particular check sent a malformed NTLM packet and determined that the remote host is not patched.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms04-007

Solution

Microsoft has released patches for Windows NT, 2000, XP, and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 9633
BID 9635
BID 9743
BID 13300
CVE CVE-2003-0818
XREF OSVDB:3902
XREF MSFT:MS04-007

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2004/02/13, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

12209 (1) - MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the LSASS service.

Description

The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.

A series of worms (Sasser) is known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms04-011

Solution

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 10108
CVE CVE-2003-0533
XREF OSVDB:5248
XREF MSFT:MS04-011

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2004/04/15, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

13852 (1) - MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

There is a flaw in the Task Scheduler application that could allow a remote attacker to execute code. There are many attack vectors for this flaw. An attacker exploiting it would need to either have the ability to connect to the target machine or be able to coerce a local user into installing a .job file or browsing to a malicious website.

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003:

http://technet.microsoft.com/en-us/security/bulletin/ms04-022

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 10708
CVE CVE-2004-0212
XREF OSVDB:7798
XREF MSFT:MS04-022

Plugin Information:

Publication date: 2004/07/29, Modification date: 2012/06/14

Hosts

192.168.1.146 (tcp/1025)

18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description

The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host.

An attacker does not need to be authenticated to exploit this flaw.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-027

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 13942
CVE CVE-2005-1206
XREF OSVDB:17308
XREF MSFT:MS05-027

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2005/06/16, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

19407 (1) - MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the Spooler service.

Description

The remote host contains a version of the Print Spooler service that may allow an attacker to execute code on the remote host or crash the spooler service.

An attacker can execute code on the remote host with a NULL session against:

- Windows 2000

An attacker can crash the remote service with a NULL session against:

- Windows 2000
- Windows XP SP1

An attacker needs valid credentials to crash the service against:

- Windows 2003
- Windows XP SP2

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-043

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 14514
CVE CVE-2005-1984
XREF OSVDB:18607
XREF MSFT:MS05-043

Exploitable with

CANVAS (true), Core Impact (true)

Plugin Information:

Publication date: 2005/08/09, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

19408 (1) - MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the Plug-And-Play service.

Description

The remote version of Windows contains a flaw in the function 'PNP_QueryResConfList()' in the Plug and Play service that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.

A series of worms (Zotob) is known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-039

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 14513
CVE CVE-2005-1983
XREF OSVDB:18605
XREF MSFT:MS05-039

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2005/08/09, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

21193 (1) - MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)

Synopsis

A flaw in the Plug and Play service may allow an authenticated attacker to execute arbitrary code on the remote host and, therefore, elevate his privileges.

Description

The remote host contains a version of the Plug and Play service that has a vulnerability in the way it handles user-supplied data.

An authenticated attacker may exploit this flaw by sending a malformed RPC request to the remote service to execute code with SYSTEM privileges.

Note that authentication is not required against Windows 2000 if the MS05-039 patch is missing.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-047

Solution

Microsoft has released a set of patches for Windows 2000 and XP.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 15065
CVE CVE-2005-2120
XREF OSVDB:18830
XREF MSFT:MS05-047

Exploitable with

Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

21334 (1) - MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)

Synopsis

A vulnerability in MSDTC could allow remote code execution.

Description

The remote version of Windows contains a version of the MSDTC (Microsoft Distributed Transaction Coordinator) service that is affected by several remote code execution and denial of service vulnerabilities.

An attacker may exploit these flaws to obtain complete control of the remote host (2000, NT4) or to crash the remote service (XP, 2003).

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-018

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 17905
BID 17906
CVE CVE-2006-0034
CVE CVE-2006-1184
XREF OSVDB:25335
XREF OSVDB:25336
XREF MSFT:MS06-018

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2006/05/10, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/1086)

22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-040

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 19409
CVE CVE-2006-3439
XREF OSVDB:27845
XREF MSFT:MS06-040

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2006/08/08, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms08-067

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

STIG Severity

I

References

BID 31874
CVE CVE-2008-4250
XREF OSVDB:49243
XREF MSFT:MS08-067
XREF IAVA:2008-A-0081
XREF CWE:94

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2008/10/23, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)

Synopsis

It is possible to crash the remote host due to a flaw in SMB.

Description

The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008:

http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 31179
BID 33121
BID 33122
CVE CVE-2008-4834
CVE CVE-2008-4835
CVE CVE-2008-4114
XREF OSVDB:48153
XREF OSVDB:52691
XREF OSVDB:52692
XREF MSFT:MS09-001
XREF CWE:399

Exploitable with

Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2009/01/13, Modification date: 2012/10/19

Hosts

192.168.1.146 (tcp/445)

58662 (1) - Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows

Synopsis

The remote Samba server is affected by multiple buffer overflow vulnerabilities.

Description

According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It is, therefore, affected by multiple heap-based buffer overflow vulnerabilities.

An error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling code it generates to contain multiple heap-based buffer overflow vulnerabilities. This generated code can allow a remote, unauthenticated attacker to use malicious RPC calls to crash the application and possibly execute arbitrary code as the root user.

Note that Nessus has not actually tried to exploit this issue or otherwise determine if one of the associated patches has been applied.

See Also

http://www.zerodayinitiative.com/advisories/ZDI-12-061/
http://www.zerodayinitiative.com/advisories/ZDI-12-062/
http://www.zerodayinitiative.com/advisories/ZDI-12-063/
http://www.zerodayinitiative.com/advisories/ZDI-12-064/
http://www.zerodayinitiative.com/advisories/ZDI-12-068/
http://www.zerodayinitiative.com/advisories/ZDI-12-069/
http://www.zerodayinitiative.com/advisories/ZDI-12-070/
http://www.zerodayinitiative.com/advisories/ZDI-12-071/
http://www.zerodayinitiative.com/advisories/ZDI-12-072/
https://www.samba.org/samba/security/CVE-2012-1182
http://www.samba.org/samba/history/samba-3.6.4.html
http://www.samba.org/samba/history/samba-3.5.14.html
http://www.samba.org/samba/history/samba-3.4.16.html
http://www.samba.org/samba/history/security.html

Solution

Either install the appropriate patch referenced in the project's advisory or upgrade to 3.6.4 / 3.5.14 / 3.4.16 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 52973
CVE CVE-2012-1182
XREF OSVDB:81303

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2012/04/11, Modification date: 2012/10/10

Hosts

192.168.1.212 (tcp/445)
Installed version : 3.0.37
Fixed version : 3.6.4 / 3.5.14 / 3.4.16

11161 (1) - Microsoft Data Access Components RDS Data Stub Remote Overflow

Synopsis

The remote host is affected by a remote buffer overflow vulnerability.

Description

The remote DLL /msadc/msadcs.dll is accessible by anyone. Several flaws have been found in it in the past. We recommend that you restrict access to MSADC only to trusted hosts.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms02-065
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0082.html

Solution

- Launch the Internet Services Manager
- Select your web server
- Right-click on MSADC and select 'Properties'
- Select the tab 'Directory Security'
- Click on the 'IP address and domain name restrictions' option
- Make sure that by default, all computers are DENIED access to this resource
- List the computers that should be allowed to use it

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 6214
CVE CVE-2002-1142
XREF OSVDB:14502
XREF MSFT:MS02-065

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2002/11/22, Modification date: 2012/06/14

Hosts

192.168.1.146 (tcp/80)


*** Nessus did not test for any security vulnerability but solely relied
*** on the presence of this resource to issue this warning, so this
*** might be a false positive.

22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-035

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 18863
BID 18891
CVE CVE-2006-1314
CVE CVE-2006-1315
XREF OSVDB:27154
XREF OSVDB:27155
XREF MSFT:MS06-035

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2006/07/12, Modification date: 2013/11/04

Hosts

192.168.1.146 (tcp/445)

47036 (1) - Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption

Synopsis

The remote service is affected by a memory corruption vulnerability.

Description

According to its banner, the version of Samba running on the remote host is a 3.x release earlier than 3.3.13. Such versions are affected by a memory corruption vulnerability when handling specially crafted SMB1 packets.

By exploiting this flaw, a remote, unauthenticated attacker could crash the affected service or potentially execute arbitrary code subject to the privileges of the user running the affected application.

See Also

http://www.samba.org/samba/security/CVE-2010-2063.html
http://www.samba.org/samba/history/security.html

Solution

Upgrade to Samba 3.3.13 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.9 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 40884
CVE CVE-2010-2063
XREF OSVDB:65518
XREF Secunia:40145

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2010/06/17, Modification date: 2013/02/01

Hosts

192.168.1.212 (tcp/445)

The remote Samba server appears to be:

Samba 3.0.37

12213 (18) - TCP/IP Sequence Prediction Blind Reset Spoofing DoS

Synopsis

It may be possible to send spoofed RST packets to the remote system.

Description

The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc.).

See Also

https://downloads.avaya.com/elmodocs2/security/ASA-2006-217.htm
http://www.kb.cert.org/vuls/id/JARL-5ZQR4D
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55950
http://www-01.ibm.com/support/docview.wss?uid=isg1IY62006
http://www.juniper.net/support/security/alerts/niscc-236929.txt
http://technet.microsoft.com/en-us/security/bulletin/ms05-019
http://technet.microsoft.com/en-us/security/bulletin/ms06-064
http://www.kb.cert.org/vuls/id/JARL-5YGQ9G
http://www.kb.cert.org/vuls/id/JARL-5ZQR7H
http://www.kb.cert.org/vuls/id/JARL-5YGQAJ
http://www.nessus.org/u?9a548ae4
http://isc.sans.edu/diary.html?date=2004-04-20

Solution

Contact the vendor for a patch or mitigation advice.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 10183
CVE CVE-2004-0230
XREF OSVDB:4030
XREF CERT:415294
XREF EDB-ID:276
XREF EDB-ID:291

Plugin Information:

Publication date: 2004/04/25, Modification date: 2012/12/28

Hosts

192.168.1.1 (tcp/0)
192.168.1.10 (tcp/0)
192.168.1.20 (tcp/0)
192.168.1.21 (tcp/0)
192.168.1.22 (tcp/0)
192.168.1.25 (tcp/0)
192.168.1.81 (tcp/0)
192.168.1.98 (tcp/0)
192.168.1.146 (tcp/0)
192.168.1.207 (tcp/0)
192.168.1.212 (tcp/0)
192.168.1.216 (tcp/0)
192.168.1.219 (tcp/0)
192.168.1.226 (tcp/0)
192.168.1.240 (tcp/0)
192.168.1.248 (tcp/0)
192.168.1.249 (tcp/0)
192.168.1.250 (tcp/0)

56283 (14) - Linux Kernel TCP Sequence Number Generation Security Weakness

Synopsis

It may be possible to predict TCP/IP Initial Sequence Numbers for the remote host.

Description

The Linux kernel is prone to a security weakness related to TCP sequence number generation. Attackers can exploit this issue to inject arbitrary packets into TCP sessions using a brute force attack.

An attacker may use this vulnerability to create a denial of service condition or a man-in-the-middle attack.

Note that this plugin may fire as a result of a network device (such as a load balancer, VPN, IPS, transparent proxy, etc.) that is vulnerable and that rewrites TCP sequence numbers, rather than the host itself being vulnerable.

See Also

http://lwn.net/Articles/455135/
http://www.nessus.org/u?9881d9af

Solution

Contact the OS vendor for a Linux kernel update / patch.

Risk Factor

Medium

CVSS Base Score

6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

References

BID 49289
CVE CVE-2011-3188
XREF OSVDB:75716

Plugin Information:

Publication date: 2011/09/23, Modification date: 2012/01/30

Hosts

192.168.1.1 (tcp/0)
192.168.1.10 (tcp/0)
192.168.1.20 (tcp/0)
192.168.1.21 (tcp/0)
192.168.1.22 (tcp/0)
192.168.1.25 (tcp/0)
192.168.1.81 (tcp/0)
192.168.1.207 (tcp/0)
192.168.1.212 (tcp/0)
192.168.1.219 (tcp/0)
192.168.1.226 (tcp/0)
192.168.1.248 (tcp/0)
192.168.1.249 (tcp/0)
192.168.1.250 (tcp/0)

35291 (4) - SSL Certificate Signed using Weak Hashing Algorithm

Synopsis

The SSL certificate has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm (MD2, MD4, or MD5). These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow them to masquerade as the affected service.

See Also

http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://technet.microsoft.com/en-us/security/advisory/961509

Solution

Contact the Certificate Authority to have the certificate reissued.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

References

BID 11849
BID 33065
CVE CVE-2004-2761
XREF OSVDB:45106
XREF OSVDB:45108
XREF OSVDB:45127
XREF CERT:836068
XREF CWE:310

Plugin Information:

Publication date: 2009/01/05, Modification date: 2012/12/10

Hosts

192.168.1.1 (tcp/443)


Here is the service's SSL certificate :

Subject Name:

Country: US
Common Name: ORname_Jungo: OpenRG Products Group

Issuer Name:

Country: US
Common Name: ORname_Jungo: OpenRG Products Group

Serial Number: 00

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Jun 03 11:11:43 2004 GMT
Not Valid After: May 29 11:11:43 2024 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits

Extension: Basic Constraints (2.5.29.19)
Critical: 0
CA: TRUE
Path Length: 5


Extension: Key Usage (2.5.29.15)
Critical: 0
Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Cert Signature


Extension: Extended Key Usage (2.5.29.37)
Critical: 0
Purpose#1: Web Client Authentication (1.3.6.1.5.5.7.3.2)
Purpose#2: Code Signing (1.3.6.1.5.5.7.3.3)
Purpose#3: E-Mail Protection (1.3.6.1.5.5.7.3.4)
Purpose#4: Web Server Authentication (1.3.6.1.5.5.7.3.1)


Extension: Comment (2.16.840.1.113730.1.13)
Critical: 0
Comment: Jungo OpenRG Products Group standard certificate


Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 02 C4

192.168.1.1 (tcp/992)


Here is the service's SSL certificate :

Subject Name:

Country: US
Common Name: ORname_Jungo: OpenRG Products Group

Issuer Name:

Country: US
Common Name: ORname_Jungo: OpenRG Products Group

Serial Number: 00

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Jun 03 11:11:43 2004 GMT
Not Valid After: May 29 11:11:43 2024 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits

Extension: Basic Constraints (2.5.29.19)
Critical: 0
CA: TRUE
Path Length: 5


Extension: Key Usage (2.5.29.15)
Critical: 0
Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Cert Signature


Extension: Extended Key Usage (2.5.29.37)
Critical: 0
Purpose#1: Web Client Authentication (1.3.6.1.5.5.7.3.2)
Purpose#2: Code Signing (1.3.6.1.5.5.7.3.3)
Purpose#3: E-Mail Protection (1.3.6.1.5.5.7.3.4)
Purpose#4: Web Server Authentication (1.3.6.1.5.5.7.3.1)


Extension: Comment (2.16.840.1.113730.1.13)
Critical: 0
Comment: Jungo OpenRG Products Group standard certificate


Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 02 C4

192.168.1.1 (tcp/8443)


Here is the service's SSL certificate :

Subject Name:

Country: US
Common Name: ORname_Jungo: OpenRG Products Group

Issuer Name:

Country: US
Common Name: ORname_Jungo: OpenRG Products Group

Serial Number: 00

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Jun 03 11:11:43 2004 GMT
Not Valid After: May 29 11:11:43 2024 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits

Extension: Basic Constraints (2.5.29.19)
Critical: 0
CA: TRUE
Path Length: 5


Extension: Key Usage (2.5.29.15)
Critical: 0
Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Cert Signature


Extension: Extended Key Usage (2.5.29.37)
Critical: 0
Purpose#1: Web Client Authentication (1.3.6.1.5.5.7.3.2)
Purpose#2: Code Signing (1.3.6.1.5.5.7.3.3)
Purpose#3: E-Mail Protection (1.3.6.1.5.5.7.3.4)
Purpose#4: Web Server Authentication (1.3.6.1.5.5.7.3.1)


Extension: Comment (2.16.840.1.113730.1.13)
Critical: 0
Comment: Jungo OpenRG Products Group standard certificate


Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 02 C4

192.168.1.81 (tcp/1413)


Here is the service's SSL certificate :

Subject Name:

Common Name: 746-0001-9022-E613
Organization: TiVo Inc.
Organization Unit: IT
Locality: Alviso
State/Province: California
Country: US

Issuer Name:

Country: US
State/Province: California
Locality: Alviso
Organization: TiVo Inc.
Organization Unit: IT
Common Name: TiVo Device Sub CA
Email Address: cert@tivo.com

Serial Number: 46 2C 95

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Jan 25 20:11:47 2010 GMT
Not Valid After: Jan 23 20:11:47 2020 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits

Extension: Key Usage (2.5.29.15)
Critical: 0
Key Usage: Digital Signature


Extension: Extended Key Usage (2.5.29.37)
Critical: 0
Purpose#1: Web Client Authentication (1.3.6.1.5.5.7.3.2)


Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 07 80

18405 (3) - Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness

Synopsis

It may be possible to get access to the remote host.

Description

The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials.

This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.

See Also

http://www.oxid.it/downloads/rdp-gbu.pdf
http://www.nessus.org/u?e2628096
http://technet.microsoft.com/en-us/library/cc782610.aspx

Solution

- Force the use of SSL as a transport layer for this service if supported, and/or
- Select the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting if it is available.

Risk Factor

Medium

CVSS Base Score

5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

4.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

References

BID 13818
CVE CVE-2005-1794
XREF OSVDB:17131

Plugin Information:

Publication date: 2005/06/01, Modification date: 2013/08/05

Hosts

192.168.1.16 (tcp/3389)

192.168.1.17 (tcp/3389)

192.168.1.200 (tcp/3389)

70545 (3) - Dropbear SSH Server < 2013.59 Multiple Vulnerabilities

Synopsis

The remote SSH service is affected by multiple vulnerabilities.

Description

According to its self-reported banner, the version of Dropbear SSH running on this port is earlier than 2013.59. As such, it is potentially affected by multiple vulnerabilities :

- A denial of service vulnerability caused by the way the 'buf_decompress()' function handles compressed files. (CVE-2013-4421)

- User-enumeration is possible due to a timing error when authenticating users. (CVE-2013-4434)

See Also

https://matt.ucc.asn.au/dropbear/CHANGES
https://secure.ucc.asn.au/hg/dropbear/rev/0bf76f54de6f
https://secure.ucc.asn.au/hg/dropbear/rev/a625f9e135a4

Solution

Upgrade to Dropbear SSH 2013.59 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 62958
BID 62993
CVE CVE-2013-4421
CVE CVE-2013-4434
XREF OSVDB:98303
XREF OSVDB:98365

Plugin Information:

Publication date: 2013/10/22, Modification date: 2013/10/22

Hosts

192.168.1.20 (tcp/22)


Version source : SSH-2.0-dropbear_0.51
Installed version : 0.51
Fixed version : 2013.59

192.168.1.21 (tcp/22)


Version source : SSH-2.0-dropbear_0.51
Installed version : 0.51
Fixed version : 2013.59

192.168.1.22 (tcp/22)


Version source : SSH-2.0-dropbear_0.51
Installed version : 0.51
Fixed version : 2013.59

10815 (2) - Web Server Generic XSS

Synopsis

The remote web server is prone to cross-site scripting attacks.

Description

The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

See Also

http://en.wikipedia.org/wiki/Cross-site_scripting

Solution

Contact the vendor for a patch or upgrade.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 5011
BID 5305
BID 7344
BID 7353
BID 8037
BID 14473
BID 17408
BID 54344
CVE CVE-2002-1700
CVE CVE-2003-1543
CVE CVE-2005-2453
CVE CVE-2006-1681
CVE CVE-2012-3382
XREF OSVDB:4989
XREF OSVDB:18525
XREF OSVDB:24469
XREF OSVDB:42314
XREF OSVDB:58976
XREF OSVDB:83683
XREF CWE:79
XREF CWE:80
XREF CWE:81
XREF CWE:83
XREF CWE:20
XREF CWE:74
XREF CWE:442
XREF CWE:712
XREF CWE:722
XREF CWE:725
XREF CWE:811
XREF CWE:751
XREF CWE:801
XREF CWE:116

Plugin Information:

Publication date: 2001/11/30, Modification date: 2013/09/04

Hosts

192.168.1.25 (tcp/80)


The request string used to detect this flaw was :

/img/?<script>cross_site_scripting.nasl</script>

The output was :

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 Dec 2013 14:12:09 GMT
Last-Modified: Tue, 11 Aug 2009 10:10:20 GMT
Accept-Ranges: bytes
Connection: close


<HTML>
<HEAD><TITLE>Index of /img/?<script>cross_site_scripting.nasl</script></
TITLE></HEAD>
<BODY BGCOLOR="#99cc99" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>Index of /img/?<script>cross_site_scripting.nasl</script></H2>

192.168.1.248 (tcp/80)


The request string used to detect this flaw was :

/customer_setting/?<script>cross_site_scripting.nasl</script>

The output was :

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset="UTF-8"
Date: Tue, 13 Jan 1970 17:36:13 GMT
Last-Modified: Fri, 14 Jan 2011 08:31:19 GMT
Accept-Ranges: bytes
Connection: close


<HTML>
<HEAD><TITLE>Index of /customer_setting/?<script>cross_site_scripting.na
sl</script></TITLE></HEAD>
<BODY BGCOLOR="#99cc99" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>Index of /customer_setting/?<script>cross_site_scripting.nasl< [...]

64588 (2) - Microsoft ASP.NET MS-DOS Device Name DoS

Synopsis

A framework used by the remote web server has a denial of service vulnerability.

Description

The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web server to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service.

Additionally, there is speculation that this vulnerability could result in code execution if an attacker with physical access to the machine connects to a serial port.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0377.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0419.html
http://www.nessus.org/u?d32fbf50

Solution

Use an ISAPI filter to block requests for URLs with MS-DOS device names.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 51527
CVE CVE-2007-2897
XREF OSVDB:41057
XREF EDB-ID:3965

Plugin Information:

Publication date: 2013/02/13, Modification date: 2013/02/13

Hosts

192.168.1.1 (tcp/2555)


Nessus received an HTTP 500 or related error message by requesting the following URL :

http://Wireless_Broadband_Router.home:2555/AUX/.aspx

192.168.1.1 (tcp/2556)


Nessus received an HTTP 500 or related error message by requesting the following URL :

http://Wireless_Broadband_Router.home:2556/AUX/.aspx

10595 (1) - DNS Server Zone Transfer Information Disclosure (AXFR)

Synopsis

The remote name server allows zone transfers.

Description

The remote name server allows DNS zone transfers to be performed.

A zone transfer lets a remote attacker instantly populate a list of potential targets. In addition, companies often use a naming convention that can give hints as to a server's primary application (for instance, proxy.example.com, payroll.example.com, b2b.example.com, etc.).

As such, this information is of great use to an attacker, who may use it to gain information about the topology of the network and spot new targets.

See Also

http://en.wikipedia.org/wiki/AXFR

Solution

Limit DNS zone transfers to only the servers that need the information.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0532
XREF OSVDB:492

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2001/01/16, Modification date: 2012/08/15

Hosts

192.168.1.10 (tcp/53)

11213 (1) - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Hosts

192.168.1.146 (tcp/80)


Use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus809062341.html HTTP/1.1
Connection: Close
Host: 192.168.1.146
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 02 Dec 2013 18:14:49 GMT
Content-Type: message/http
Content-Length: 314


TRACE /Nessus809062341.html HTTP/1.1
Connection: Keep-Alive
Host: 192.168.1.146
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

26919 (1) - Microsoft Windows SMB Guest Account Local User Access

Synopsis

It is possible to log into the remote host.

Description

The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it as a guest user using a random account.

Solution

In the group policy, change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'.

Disable the Guest account if applicable.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0505
XREF OSVDB:3106

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2007/10/04, Modification date: 2013/11/21

Hosts

192.168.1.212 (tcp/445)

45517 (1) - MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)

Synopsis

The remote mail server may be affected by multiple vulnerabilities.

Description

The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability :

- Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)

- Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025)

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, and 2008 as well as Exchange Server 2000, 2003, 2007, and 2010 :

http://technet.microsoft.com/en-us/security/bulletin/MS10-024

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

STIG Severity

II

References

BID 39381
CVE CVE-2010-0024
CVE CVE-2010-0025
XREF OSVDB:63738
XREF OSVDB:63739
XREF MSFT:MS10-024
XREF IAVB:2010-B-0029

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2010/04/13, Modification date: 2013/02/01

Hosts

192.168.1.146 (tcp/25)


The remote version of the smtpsvc.dll is 5.0.2195.6713 versus 5.0.2195.7381.

50600 (1) - Apache Shiro URI Path Security Traversal Information Disclosure

Synopsis

The remote web server appears to use a security framework that is affected by an information disclosure vulnerability.

Description

The remote web server appears to be using a version of the Shiro open source security framework that does not properly normalize URI paths before comparing them to entries in the framework's 'shiro.ini' file.

A remote attacker can leverage this issue to bypass authentication, authorization, or other types of security restrictions via specially crafted requests.

See Also

http://archives.neohapsis.com/archives/bugtraq/2010-11/0046.html

Solution

Upgrade to Shiro 1.1.0 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 44616
CVE CVE-2010-3863
XREF OSVDB:69067

Plugin Information:

Publication date: 2010/11/15, Modification date: 2011/10/24

Hosts

192.168.1.248 (tcp/80)


Nessus was able to exploit this issue to bypass authentication and gain access to a page using the following URL :

http://192.168.1.248/./images/./

Note that Nessus has not actually verified that a vulnerable version of Shiro is in use but only inferred that one is based on the use of a published exploit to bypass authentication.

55733 (1) - Samba 3.x < 3.3.16 / 3.4.14 / 3.5.10 Multiple Vulnerabilities

Synopsis

The remote Samba server is affected by multiple vulnerabilities.

Description

According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.3.16 / 3.4.14 / 3.5.10. As such, it is potentially affected by several vulnerabilities in the Samba Web Administration Tool (SWAT) :

- A cross-site scripting vulnerability exists because of a failure to sanitize input to the username parameter of the 'passwd' program. (Issue #8289)

- A cross-site request forgery (CSRF) vulnerability can allow SWAT to be manipulated when a user who is logged in as root is tricked into clicking specially crafted URLs sent by an attacker. (Issue #8290)

Note that these issues are only exploitable when SWAT is enabled, and it is not enabled by default.

Also note that Nessus has relied only on the self-reported version number and has not actually determined whether SWAT is enabled, tried to exploit these issues, or determined whether the associated patches have been applied.

See Also

https://bugzilla.samba.org/show_bug.cgi?id=8289
https://bugzilla.samba.org/show_bug.cgi?id=8290
http://samba.org/samba/security/CVE-2011-2522
http://samba.org/samba/security/CVE-2011-2694
http://www.samba.org/samba/history/samba-3.3.16.html
http://www.samba.org/samba/history/samba-3.4.14.html
http://www.samba.org/samba/history/samba-3.5.10.html

Solution

Either apply one of the patches referenced in the project's advisory or upgrade to 3.3.16 / 3.4.14 / 3.5.10 or later.

Risk Factor

Medium

CVSS Base Score

6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

References

BID 48899
BID 48901
CVE CVE-2011-2522
CVE CVE-2011-2694
XREF OSVDB:74071
XREF OSVDB:74072
XREF EDB-ID:17577
XREF Secunia:45393

Plugin Information:

Publication date: 2011/07/29, Modification date: 2011/10/24

Hosts

192.168.1.212 (tcp/445)


Installed version : 3.0.37
Fixed version : 3.3.16 / 3.4.14 / 3.5.10

56210 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials

Synopsis

It is possible to obtain the host SID for the remote host, without credentials.

Description

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier), without credentials.

The host SID can then be used to get the list of local users.

See Also

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution

You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value.

Refer to the 'See also' section for guidance.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 959
CVE CVE-2000-1200
XREF OSVDB:715

Plugin Information:

Publication date: 2011/09/15, Modification date: 2011/11/07

Hosts

192.168.1.146 (tcp/445)


The remote host SID value is :

1-5-21-1123561945-1085031214-839522115

56211 (1) - SMB Use Host SID to Enumerate Local Users Without Credentials

Synopsis

It is possible to enumerate local users, without credentials.

Description

Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system without credentials.

Solution

n/a

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 959
CVE CVE-2000-1200
XREF OSVDB:714

Plugin Information:

Publication date: 2011/09/15, Modification date: 2011/09/16

Hosts

192.168.1.146 (tcp/445)


- Administrator (id 500, Administrator account)
- Guest (id 501, Guest account)
- IUSR_WINDOWS2000 (id 1000)
- IWAM_WINDOWS2000 (id 1001)
- paul (id 1002)
- kevin (id 1003)
- josh (id 1004)
- mike (id 1005)
- nessus (id 1006)
- bgates (id 1007)

64459 (1) - Samba < 3.5.21 / 3.6.12 / 4.0.2 SWAT Multiple Vulnerabilities

Synopsis

The remote Samba server is affected by multiple vulnerabilities.

Description

According to its banner, the version of Samba running on the remote host is 3.x earlier than 3.5.21 or 3.6.12 or is 4.x earlier than 4.0.1, and is, therefore, potentially affected by the following vulnerabilities :

- An error exists in the SWAT interface that could allow 'clickjacking' attacks. (CVE-2013-0213, Issue #9576)

- An error exists in the SWAT interface that could allow cross-site request forgery (XSRF) attacks. (CVE-2013-0214, Issue #9577)

Note that these issues are only exploitable when SWAT is enabled and it is not enabled by default.

Also note that Nessus has relied only on the self-reported version number and has not actually determined whether SWAT is enabled, tried to exploit these issues, or determined whether the associated patches have been applied.

See Also

http://www.samba.org/samba/security/CVE-2013-0213
http://www.samba.org/samba/security/CVE-2013-0214
http://www.samba.org/samba/history/samba-4.0.2.html

Solution

Either install the patch referenced in the project's advisory or upgrade to 3.5.21 / 3.6.12 / 4.0.2 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 57631
CVE CVE-2013-0213
CVE CVE-2013-0214
XREF OSVDB:89626
XREF OSVDB:89627

Plugin Information:

Publication date: 2013/02/04, Modification date: 2013/10/02

Hosts

192.168.1.212 (tcp/445)


Installed version : 3.0.37
Fixed version : 3.5.21 / 3.6.12 / 4.0.2

69276 (1) - Samba 3.x < 3.5.22 / 3.6.x < 3.6.17 / 4.0.x < 4.0.8 read_nttrans_ea_lis DoS

Synopsis

The remote Samba server is affected by a denial of service vulnerability.

Description

According to its banner, the version of Samba running on the remote host is 3.x prior to 3.5.22, 3.6.x prior to 3.6.17 or 4.0.x prior to 4.0.8. It is, therefore, potentially affected by a denial of service vulnerability.

An integer overflow error exists in the function 'read_nttrans_ea_lis' in the file 'nttrans.c' that could allow denial of service attacks to be carried out via specially crafted network traffic.

Note that if 'guest' connections are allowed, this issue can be exploited by a remote, unauthenticated attacker.

Further note that Nessus has relied only on the self-reported version number and has not actually tried to exploit this issue or determine if the associated patch has been applied.

See Also

http://www.samba.org/samba/security/CVE-2013-4124
http://www.samba.org/samba/history/samba-3.5.22.html
http://www.samba.org/samba/history/samba-3.6.17.html
http://www.samba.org/samba/history/samba-4.0.8.html
http://www.nessus.org/u?402dfe4d

Solution

Either install the patch referenced in the project's advisory, or upgrade to version 3.5.22 / 3.6.17 / 4.0.8 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 61597
CVE CVE-2013-4124
XREF OSVDB:95969
XREF EDB-ID:27778

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2013/08/08, Modification date: 2013/11/17

Hosts

192.168.1.212 (tcp/445)


Installed version : 3.0.37
Fixed version : 3.5.22 / 3.6.17 / 4.0.8

42880 (3) - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Synopsis

The remote service allows insecure renegotiation of TLS / SSL connections.

Description

The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.

See Also

http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746

Solution

Contact the vendor for specific patch information.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

2.1 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)

References

BID 36935
CVE CVE-2009-3555
XREF OSVDB:59968
XREF OSVDB:59969
XREF OSVDB:59970
XREF OSVDB:59971
XREF OSVDB:59972
XREF OSVDB:59973
XREF OSVDB:59974
XREF OSVDB:60366
XREF OSVDB:60521
XREF OSVDB:61234
XREF OSVDB:61718
XREF OSVDB:61784
XREF OSVDB:61785
XREF OSVDB:61929
XREF OSVDB:62064
XREF OSVDB:62135
XREF OSVDB:62210
XREF OSVDB:62273
XREF OSVDB:62536
XREF OSVDB:62877
XREF OSVDB:64040
XREF OSVDB:64499
XREF OSVDB:64725
XREF OSVDB:65202
XREF OSVDB:66315
XREF OSVDB:67029
XREF OSVDB:69032
XREF OSVDB:69561
XREF OSVDB:70055
XREF OSVDB:70620
XREF OSVDB:71951
XREF OSVDB:71961
XREF OSVDB:74335
XREF OSVDB:75622
XREF OSVDB:77832
XREF OSVDB:90597
XREF OSVDB:99240
XREF CERT:120541
XREF CWE:310

Plugin Information:

Publication date: 2009/11/24, Modification date: 2013/11/14

Hosts

192.168.1.1 (tcp/443)


TLSv1 supports insecure renegotiation.

SSLv3 supports insecure renegotiation.

192.168.1.1 (tcp/992)


TLSv1 supports insecure renegotiation.

SSLv3 supports insecure renegotiation.

192.168.1.1 (tcp/8443)


TLSv1 supports insecure renegotiation.

SSLv3 supports insecure renegotiation.

10394 (7) - Microsoft Windows SMB Log In Possible

Synopsis

It is possible to log into the remote host.

Description

The remote host is running a Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :

- NULL session
- Guest account
- Given Credentials

See Also

http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261

Solution

n/a

Risk Factor

None

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2000/05/09, Modification date: 2013/04/23

Hosts

192.168.1.16 (tcp/445)

- NULL sessions are enabled on the remote host

192.168.1.17 (tcp/445)

- NULL sessions are enabled on the remote host

192.168.1.146 (tcp/445)

- NULL sessions are enabled on the remote host

192.168.1.200 (tcp/445)

- NULL sessions are enabled on the remote host

192.168.1.204 (tcp/445)

- NULL sessions are enabled on the remote host

192.168.1.212 (tcp/445)

- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'

192.168.1.228 (tcp/445)

- NULL sessions are enabled on the remote host