My FreeScan Vulnerabilities Report

Transcription

1 Page 1 of 6 My FreeScan Vulnerabilities Report Print Help For on Feb 07, 008 Thank you for trying FreeScan. Below you'll find the complete results of your scan, including whether or not the IP you provided is exposed to any vulnerabilities. For detected vulnerabilities, a complete description of the issue, possible consequences if exploited, and an assigned severity level are provided. Follow links to verified remedies to fix these issues before they can be exploited. FreeScan is just one component of QualysGuard. To experience all of QualysGuard's vulnerability management capabilities (both perimeter and internal) sign up for a free 7-day trial of QualysGuard. With your trial, you will receive customized network mapping with access to an unlimited number of scans and get comprehensive reports that include vulnerability trending, business risk assessment, risk matrixes, policy & compliance reporting and much more. Sign up now for your Free 7-day Trial this Free Network Security Scan to a colleague. Summary for Vulnerabilities 1 Severity 5 (Urgent) 0 Severity 4 (Critical) 1 Severity 3 (Serious) 4 Severity (Medium) Severity 1 (Minimum) 8 Total List of Vulnerabilities for Severity Analysis 5 Writeable Root Directory on Anonymous FTP Server 3 Mail Server Accepts Plaintext Credentials Anonymous Access to FTP with a Blank Password Allowed Multiple Vendor ftpd PASV Mode Data Channel Hijacking Vulnerability Accessible Anonymous FTP Server Account Brute Force Possible Through IIS NTLM Authentication Scheme 1 Microsoft IIS Authentication Method Disclosure Vulnerability 1 ICMP Timestamp Request Detailed Vulnerabilities for Severity Analysis

2 Page of 6 5 Consequences: Writeable Root Directory on Anonymous FTP Server Qualys ID : 700 CVE ID : CVE The Anonymous FTP server has a world writeable root directory. The root directory of your anonymous FTP server can therefore be written-to by any anonymous user. Writeable anonymous FTP servers are commonly abused by unauthorized users to upload movies, pornography, pirated software and other "warez". Sometimes the secondary storage is completely filled up resulting in performance degradation or even complete failure. For some FTP servers, the FTP root directory contains configuration files. Allowing write permissions may allow an anonymous user to overwrite these configuration files. In addition for UNIX, unauthorized users could place a ".forward" or an ".rhosts" file in this directory. ".forward" files may contain commands to be executed each time the anonymous user receives an message. ".rhosts" files contain hostnames from which any user will be able to connect to this host without a password. Thus, the unauthorized user can add the.rhosts file using their own hostname. They can then log in with rsh, rlogin or rexec service. These two files are commonly used to compromise servers. Disable write access for unauthorized users in the root directory of the FTP server. For UNIX: $ chmod o-w path/to/ftp/root/directory For Microsoft IIS 6: 1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS).. In IIS Manager, expand the local computer, expand the FTP Sites folder, right-click the FTP site in question, and click Properties. 3. Click the Home Directory tab and deselect the Write checkbox; click OK. 4. For advanced permissions, refer to step and click Permissions instead of Properties; then click Advanced Permissions. For other versions of IIS, please refer to the Microsoft website. 3 Mail Server Accepts Plaintext Credentials Qualys ID : Port : 5 Your Mail Server responds to the EHLO command which implies that it uses the ESMTP protocol. ESMTP uses the AUTH command which indicates an authentication mechanism to the server. If the server supports the requested authentication mechanism, it performs an authentication protocol exchange to authenticate and identify the user. Optionally, it also negotiates a security layer for subsequent protocol interactions. Your server accepts PLAIN or LOGIN as one of the AUTH parameters. The authentication credentials are transmitted in plaintext over the network and no encryption is performed. Consequences: Malicious users could obtain mail server credentials by sniffing the traffic. This can allow unauthorized users to use the mail server as an open mail relay. It may also lead to compromise of account credentials that can be used to access other mail services like POP3 and IMAP. Disable the plaintext authentication methods on your SMTP server for unencrypted (non-ssl/tls) sessions. You may consider using more advanced challenge-based authentication methods like CRAM-MD5 or DIGEST-MD5. Please contact your vendor for configuration information. Also check RFC 554 and RFC 487 for more details.

3 Page 3 of 6 Anonymous Access to FTP with a Blank Password Allowed Qualys ID : 7001 CVE ID : CVE Users can access the FTP server using the "anonymous" or "ftp"account with a blank password. Some FTP server software is installed with Anonymous access enabled by default. Vulnerable systems include RedHat Linux installations and Microsoft IIS (Internet Information Server) installations. Consequences: The FTP server may contain sensitive files because anonymous FTP servers are often used to exchange files between different users. These files can be downloaded by anybody who visits this FTP server. Anonymous FTP is often used for "bounce attacks". Bounce attacks enable unauthorized users to scan networks, hosts and ports behind a firewall. This can result in internal networks, VPN and Intranets being compromised. You should first decide if you really require the FTP service on this host. If you use it to exchange files between users, you should either use a dedicated password-protected account, or, by default, an unreadable but writeable directory. The security of this last option depends on the secrecy of the filenames you upload and download from this directory. Therefore, avoid guessable filenames like "backup", "accounting" or "project". Multiple Vendor ftpd PASV Mode Data Channel Hijacking Vulnerability Qualys ID : 7177 CVE ID : CVE Some FTP servers are vulnerable to hijacking of data connections when PASV mode is in use. In particular, these FTP servers are vulnerable: the ftpd included with Caldera Open UNIX and Unixware, and versions of RedHat prior to Version 6.0. (This is not a complete list.) The FTP server is transferred to FTP PASV mode, when the client issues PASV command through the control connection made to the server (usually 1/tcp). The server starts listening on a TCP port and responds to the client, letting it know that it is ready for the data connection establishment. The port number that the client is expected to connect to is included in the response to the PASV command. An attacker can connect to the FTP server's listening port before the client connects and thereby receive data intended for the client. To exploit this vulnerability, the attacker must intercept or guess the listening port number that the server will use, then try to connect before the client. If the server uses some predicatble port numbers, this vulnerability is trivial to exploit. Caldera reported that the Open UNIX/Unixware ftpd selects predictable PASV mode port numbers. Note: In order to detect this vulnerability, authentication of the FTP server is required. Consequences: By exploiting this vulnerability, remote attackers can hijack data connections and successfully retrieve data before the client. This is a generic FTP server vulnerablility, affecting all FTP servers. Apply a patch from your vendor. For more details, see this Cert Advisory. Contact your vendor to obtain either a patch or a not vulnerable version of the software.

4 Page 4 of 6 Note: This vulnerability has not been completely eliminated. Preventing IP addresses other than that of the client from connecting to data ports breaks RFC compliance, and does not prevent attacks from the client address (perhaps other internal hosts if NAT is in use). Data ports are now randomly selected by the server, making them more difficult to guess before the client connects. Accessible Anonymous FTP Server Qualys ID : 7000 CVE ID : CVE Users can access the FTP server using the "anonymous" account with any password. Some FTP server software is installed with Anonymous access enabled by default. Vulnerable systems include RedHat Linux installations and Microsoft IIS (Internet Information Server) installations. Consequences: The FTP server may contain sensitive files because anonymous FTP servers are often used to exchange files between different users. These files can be downloaded by anybody who visits this FTP server. Anonymous FTP is often used for "bounce attacks". Bounce attacks enable unauthorized users to scan networks, hosts and ports behind a firewall. This can result in internal networks, VPN and Intranets being compromised. You should first decide if you really require the FTP service on this host. If you use it to exchange files between users, you should either use a dedicated password-protected account, or, by default, an unreadable but writeable directory. The security of this last option depends on the secrecy of the filenames you upload and download from this directory. Therefore, avoid guessable filenames like "backup", "accounting" or "project". Consequences: Account Brute Force Possible Through IIS NTLM Authentication Scheme Qualys ID : CVE ID : CVE Port : 80 NTLM authentication is enabled on the Microsoft IIS Web server. This allows a remote user to perform account brute force by requesting a non-existing HTTP resource or an existing HTTP resource that does not actually require authentication. Requests would include the "Authorization: NTLM" field. If the host has an account lockout policy in place, a remote user may exploit this vulnerability to lockout a local user, provided that the name of the local user is known. If the host does not have an account lockout policy in place, a remote user may exploit this vulnerability to brute force user passwords. Note that the Windows user list may sometimes be obtained by exploiting other vulnerabilities. Windows also has a few easy-to-guess default names for built-in accounts: "Administrator" for administering the computer/domain, "Guest" for guest access, "IUSR_<MachineName>" for anonymous access to IIS, and "IWAM_<Machinename>" for IIS to start out of process applications. Here the machine name <Machinename> may be obtained via Windows UDP Netbios NS (port 137). Among the above built-in accounts, the account lockout policy, even if it is in place, does not apply to the administrator account. So if the host uses a default name of "Administrator" for the administrator account, the password brute force of this account is possible through the IIS authentication interface. In addition, if the request has the NTLMSSP_REQUEST_TARGET flag on, the Web server may respond to the request with an NTLM challenge that contains sensitive host information, such as the Windows server and domain in which the authentication will be checked. Currently there are no vendor supplied patches available for this issue.

5 Page 5 of 6 As a workaround, disable NTLM authentication for your Web server. This can be done by unchecking "Integrated Windows Authentication" within "Authentication Method" under "Directory Security" in "Default Web Site Properties". Microsoft IIS Authentication Method Disclosure Vulnerability Qualys ID : CVE ID : CVE Port : 80 Microsoft IIS supports Basic and NTLM authentication. It has been reported that the authentication methods supported by a given IIS server can be revealed to an attacker through the inspection of returned error messages, even when anonymous access is also granted. 1 When a valid authentication request is submitted (for either method) with an invalid username and password, an error message is returned. This happens even if anonymous access to the requested resource is allowed. Consequences: If this vulnerability is successfully exploited, a malicious user can learn what authentication method is used. This information can then be used in further intelligent attacks against the server, or in a brute force password attack against a known user name. Currently there are no vendor supplied patches available. ICMP Timestamp Request Qualys ID : 8003 CVE ID : CVE Port : N/A ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. It's principal purpose is to provide a protocol layer able to inform gateways of the inter-connectivity and accessibility of other gateways or hosts. "ping" is a well-known program for determining if a host is up or down. It uses ICMP echo packets. ICMP timestamp packets are used to synchronize clocks between hosts. Consequences: Unauthorized users can obtain information about your network by sending ICMP timestamp packets. For example, the internal systems clock should not be disclosed since some internal daemons use this value to calculate ID or sequence numbers (i.e., on SunOS servers). 1 You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at the firewall level. Some system administrators choose to filter most types of ICMP messages for various reasons. For example, they may want to protect their internal hosts from ICMP-based Denial Of Service attacks, such as the Ping of Death or Smurf attacks. However, you should never filter ALL ICMP messages, as some of them ("Don't Fragment", "Destination Unreachable", "Source Quench", etc) are necessary for proper behavior of Operating System TCP/IP stacks. It may be wiser to contact your network consultants for advice, since this issue impacts your overall network reliability and security.

6 Page 6 of 6 Copyright 008 Qualys, Inc. Privacy Policy