ASV Scan Report Vulnerability Details PRESTO BIZ

Transcription

1 ASV Scan Report Vulnerability Details PRESTO BIZ

2 Scan Results Executive Summary PCI Compliance: Passing Scan Target: secure.prestomart.com Scan ID: Start: :00:01 Finish: :41:10 Maximum score: 2.6 Scan Length: 0:41:09 Scan Expiration: TCP/IP Fingerprint OS Estimate: Linux SecurityMetrics has determined that PRESTO BIZ is COMPLIANT with the PCI scan validation requirement for this computer. Congratulations, the computer passes because no failing vulnerability was found. If SecurityMetrics scanned your website, you may choose to use our certified logo. This logo cannot be used if we have only scanned your network, and is only valid for use on websites scanned and passing by SecurityMetrics. Your Site Certification ID is: Please keep this number. How To Add Certified Logo. Attackers typically use footprinting, port scanning and security vulnerability scanning to find security weaknesses on computers. This report provides information on each of these categories. Footprinting Find public information regarding this IP, which an attacker could use to gain access: IP Information Port Scan Attackers use a port scan to find out what programs are running on your computer. Most programs have known security weaknesses. Disable any unnecessary programs listed below. Port Scan Protocol Port Program Status Summary ICMP Ping Accepting Your computer is answering ping requests. TCP 22 TCP 25 TCP 80 OpenSSH 4.3 Sendmail / Apache httpd Open Open Open Port 22 is typically used by Secure Shell (SSH) software. Properly configured SSH encrypts all data sent by a remote user who must be authorized to access this computer. Using SSH is a good security practice. Your computer is running SMTP (Simple Mail Transport Protocol). This can be a security risk since a hacker can verify user names when this service is running. If you do not need to run SMTP then turn it off. If you must run SMTP then be sure to run the latest version. Your computer appears to be running http software that allows others to view its web pages. If you don't intend this computer to allow others to view its web pages then turn this service off. There are many potential security vulnerabilities in http software.

3 TCP 443 Apache httpd Open Your computer appears to be running HTTP Secure Socket Layer (SSL) software. This software improves the security of HTTP communication with this server. Security Vulnerabilities Solution Plan The following section lists all security vulnerabilities detected on your system. Vulnerabilities which cause you to fail PCI compliance have a score listed in red. PCI Risk Table Security Vulnerabilities Protocol Port Program Score Summary Description: SSL RC4 Cipher Suites Supported Synopsis: The remote service supports the use of the RC4 cipher. Impact: The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext. See also : TCP 443 https Data Received: Here is the list of RC4 cipher suites supported by the remote server : High Strength Ciphers (>= 112-bit key) TLSv1 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc= {symmetric encryption method} Mac={message authentication code} {export flag} Resolution: Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support. Risk Factor: Low/ CVSS2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N) CVE: CVE

4 Description: Common Platform Enumeration (CPE) Synopsis: It is possible to enumerate CPE names that matched on the remote system. Impact: By using information obtained from a SecurityMetrics scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. TCP None general 1.0 See also : Data Received: The remote operating system matched the following CPE : cpe:/o:redhat:enterprise_linux:::es Following application CPE's matched on the remote system : cpe:/a:openbsd:openssh:4.3 -> OpenBSD OpenSSH 4.3 cpe:/a:apache:http_server: > Apache Software Foundation Apache HTTP Server cpe:/a:sendmail:sendmail: > Sendmail Sendmail Description: TCP/IP Timestamps Supported Synopsis: The remote service implements TCP timestamps. TCP None general 1.0 Impact: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. See also :

5 Description: OS Identification Synopsis: It is possible to guess the remote operating system. Impact: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system. Data Received: Remote operating system : Linux Kernel 2.6 on Red Hat Enterprise Linux 5 Confidence Level : 95 Method : HTTP TCP None general 1.0 Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please them to ossignatures@securitymetrics.com. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names. SinFP: P1:B10113:F0x12:W5840:O0204ffff:M1380: P2:B10113:F0x12:W5792:O0204ffff affffffff :M1380: P3:B00000:F0x00:W0:O0:M0 P4:5206_7_p=443R SMTP:!: www1.prestobiz.com ESMTP Sendmail /8.13.8; Sat, 14 Mar :18: SSLcert:!:i/CN:GeoTrust DV SSL CAi/O:GeoTrust Inc.i/OU:Domain Validated SSLs/CN:secure.prestomart.coms/OU:Domain Control Validated - QuickSSL(R) 08de91699a82b3b9959b57e57b260513afb523ad SSH:!:SSH-2.0- OpenSSH_4.3 The remote host is running Linux Kernel 2.6 on Red Hat Enterprise Linux 5

6 Description: Web Server robots.txt Information Disclosure Synopsis: The remote web server contains a 'robots.txt' file. Impact: The remote host contains a file named 'robots.txt' that is intended to prevent web 'robots' from visiting certain directories in a website for maintenance or indexing purposes. A malicious user may also be able to use the contents of this file to learn of sensitive documents or directories on the affected site and either retrieve them directly or target them for other attacks. See also : Data Received: Contents of robots.txt : user-agent: sistrix disallow: / user-agent: Goodzer disallow: / user-agent: AhrefsBot disallow: / User-agent: MJ12bot Disallow: / User-agent: BLEXBot Disallow: / TCP 80 http 1.0 User-agent: Baiduspider Disallow: / User-agent: FatBot Disallow: / User-agent: TweetmemeBot Disallow: / User-agent: ShowyouBot Disallow: / User- agent: spbot Disallow: / User-agent: Twitterbot Crawl-delay: 10 User- agent: NING Disallow: / User-agent: YandexBot Disallow: / User-agent: msnbot Crawl-delay: 10 User-agent: bingbot Crawl-delay: 10 Other references : OSVDB:238 Resolution: Review the contents of the site's robots.txt file, use Robots META tags instead of entries in the robots.txt file, and/or adjust the web server's access controls to limit access to sensitive material.

7 Description: HTTP Server Type and Version Synopsis: A web server is running on the remote host. Impact: This plugin attempts to determine the type and the version of the remote web server. TCP 80 http 1.0 Data Received: The remote web server type is : Apache/2.2.3 (Red Hat) You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. Description: Backported Security Patch Detection (WWW) Synopsis: Security patches are backported. Impact: Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. See also : Data Received: Give SecurityMetrics credentials to perform local checks. Description: SSL Session Resume Supported Synopsis: The remote host allows resuming SSL sessions. Impact: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed. Data Received: This port supports resuming SSLv3 / TLSv1 sessions.

8 Description: SSL / TLS Versions Supported Synopsis: The remote service encrypts communications. Impact: This script detects which SSL and TLS versions are supported by the remote service for encrypting communications. Data Received: This port supports SSLv3/TLSv1.0. Description: SSH Server Type and Version Information Synopsis: An SSH server is listening on this port. TCP 22 ssh 1.0 Impact: It is possible to obtain information about the remote SSH server by sending an empty authentication request. Data Received: SSH version : SSH-2.0-OpenSSH_4.3 SSH supported authentication : publickey,password Description: HyperText Transfer Protocol (HTTP) Information Synopsis: Some information about the remote HTTP configuration can be extracted. Impact: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. TCP 80 http 1.0 Data Received: Protocol version : HTTP/1.1 SSL : no Keep-Alive : no Options allowed : GET,HEAD,POST,OPTIONS,TRACE Headers : Date: Sat, 14 Mar :35:58 GMT Server: Apache/2.2.3 (Red Hat) Last- Modified: Sun, 09 Oct :06:23 GMT Accept-Ranges: bytes Content- Length: 22 Cache- Control: max-age=7200, must-revalidate Connection: close Content- Type: text/html

9 Description: Web Server robots.txt Information Disclosure Synopsis: The remote web server contains a 'robots.txt' file. Impact: The remote host contains a file named 'robots.txt' that is intended to prevent web 'robots' from visiting certain directories in a website for maintenance or indexing purposes. A malicious user may also be able to use the contents of this file to learn of sensitive documents or directories on the affected site and either retrieve them directly or target them for other attacks. See also : Data Received: Contents of robots.txt : user-agent: sistrix disallow: / user-agent: Goodzer disallow: / user-agent: AhrefsBot disallow: / User-agent: MJ12bot Disallow: / User-agent: BLEXBot Disallow: / User-agent: Baiduspider Disallow: / User-agent: FatBot Disallow: / User-agent: TweetmemeBot Disallow: / User-agent: ShowyouBot Disallow: / User- agent: spbot Disallow: / User-agent: Twitterbot Crawl-delay: 10 User- agent: NING Disallow: / User-agent: YandexBot Disallow: / User-agent: msnbot Crawl-delay: 10 User-agent: bingbot Crawl-delay: 10 Other references : OSVDB:238 Resolution: Review the contents of the site's robots.txt file, use Robots META tags instead of entries in the robots.txt file, and/or adjust the web server's access controls to limit access to sensitive material.

10 Description: Device Type Synopsis: It is possible to guess the remote device type. TCP None general 1.0 Impact: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Data Received: Remote device type : general-purpose Confidence level : 95 Description: Apache Banner Linux Distribution Disclosure Synopsis: The name of the Linux distribution running on the remote host was found in the banner of the web server. Impact: This plugin extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running. TCP None general 1.0 Data Received: The Linux distribution detected was : - Red Hat Enterprise Linux 5 Resolution: If you do not wish to display this information, edit 'httpd.conf' and set the directive 'ServerTokens Prod' and restart Apache. Description: SSL Certificate Information Synopsis: This plugin displays the SSL certificate. Impact: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Data Received: Subject Name: : 958qFRDk3l-gFBlLexojXliwLukx/pr5 Organization Unit: GT Organization Unit: See (c)14 Organization Unit: Domain Control Validated - QuickSSL(R) Common Name: secure.prestomart.com Issuer Name: Country: US Organization: GeoTrust Inc. Organization Unit: Domain Validated SSL Common Name: GeoTrust DV SSL CA Serial Number: 08 3F 66 Version: 3 Signature Algorithm: SHA-1 With RSA Encryption

11 Not Valid Before: Jan 02 04:57: GMT Not Valid After: Feb 04 11:24: GMT Public Key Info: Algorithm: RSA Encryption Key Length: 2048 bits Public Key: 00 9F E7 0C A9 25 2C EA D9 CB E6 C6 77 7E B8 31 5D CB 8B F A D7 BA A7 3E EE AF 4E A F5 E9 EA B C2 3B D C AE 29 8E D0 E1 19 F D8 D4 E0 C7 DB 12 0E 8A 2F 0F 80 C4 11 C5 2C 4A 14 6A E E E4 99 9C 26 F9 18 C F F1 FA D9 55 F6 D4 73 9D 7B 30 AA F A 58 6A CD 8B 2D 74 0D 32 F0 3C AC D2 28 7E 1C C0 0F 8C A2 C0 68 4C FE 58 1B DC 4C 39 6F AD 1B 43 C3 8B F A FD 5D 66 CF 8A BA 66 EA 37 D0 C6 4D CF AA 45 AA A2 D1 EE 5C F1 AE CF CE 5F 77 9D E1 6B 4A 06 C E A C3 A E3 D9 22 7A D C5 BF 47 7D FB FF 59 3F B3 A3 98 4A FC C2 73 AC 54 F2 4A Exponent: Signature Length: 256 bytes / 2048 bits Signature: 00 6F B8 23 B1 55 D1 66 1E CD 9E BD E DC 15 FA 09 4D 19 F E9 E4 B4 ED E C3 AB 72 EF EA BB 3F DF 76 1C C 75 FC 7B E8 9D E9 AE 6E 38 5E 7F C2 7F D E4 6B D E1 17 4F DE FF 60 9B ED AE B B B1 2E FD CD FC C0 3A B9 1D C6 2C A1 C5 1D E0 E8 BA F E1 19 D8 7B EB E1 BA FF CE 76 C4 DF 80 D4 C4 0F A1 5E A5 D D 04 DB A5 95 5E 37 8E C 65 A2 CF 9E DF EA 8D F2 9A 50 F8 F8 A5 79 DD D A B BE D7 5F A4 A4 E3 AC 1F B3 30 A2 8F B1 19 1E 3E B5 AB F CD AB 44 B1 60 EC 2B DC C AC 88 AB ED 6D A Extension: Authority Key Identifier ( ) Critical: 0 Key Identifier: 8C F4 D9 93 0A 47 BC 00 A0 4A CE 4B 75 6E A0 B6 B0 B2 7E FC Extension: Key Usage ( ) Critical: 1 Key Usage: Digital Signature, Key Encipherment Extension: Extended Key Usage ( ) Critical: 0 Purpose#1: Web Server Authentication ( ) Purpose#2: Web Client Authentication ( ) Extension: Subject Alternative Name ( ) Critical: 0 DNS: secure.prestomart.com Extension: CRL Distribution Points ( ) Critical: 0 URI: Extension: Subject Key Identifier ( ) Critical: 0 Subject Key Identifier: 8F D 7A B FE E2 27 4F E9 6A B 91 9A Extension: Basic Constraints ( ) Critical: 1 Extension: Authority Information Access ( ) Critical: 0 Method#1: Online Certificate Status Protocol URI: Method#2: Certificate Authority Issuers URI: Extension: Policies ( ) Critical: 0 Policy ID #1: Qualifier ID #1: Certification Practice Statement ( ) CPS URI:

12 Description: SMTP Server Detection Synopsis: An SMTP server is listening on the remote port. Impact: The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it. TCP 25 smtp 1.0 Data Received: Remote SMTP server banner : www1.prestobiz.com ESMTP Sendmail /8.13.8; Sat, 14 Mar :18: Resolution: Disable this service if you do not use it, or filter incoming traffic to this port. Description: Backported Security Patch Detection (WWW) Synopsis: Security patches are backported. Impact: Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. TCP 80 http 1.0 Note that this test is informational only and does not denote any security problem. See also : Data Received: Give SecurityMetrics credentials to perform local checks. Description: smtpscan SMTP Fingerprinting Synopsis: It is possible to fingerprint the remote mail server. Impact: smtpscan is a SMTP fingerprinting tool written by Julien Bordet. It identifies the remote mail server even if the banners were changed. TCP 25 smtp 1.0 Data Received: This server could be fingerprinted as : Sendmail Sendmail / Sendmail /8.14.9

13 Description: SSL Cipher Suites Supported Synopsis: The remote service encrypts communications using SSL. Impact: This script detects which SSL ciphers are supported by the remote service for encrypting communications. See also : Data Received: Here is the list of SSL ciphers supported by the remote server : Each group is reported per SSL Version. SSL Version : TLSv1 High Strength Ciphers (>= 112-bit key) RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SSL Version : SSLv3 High Strength Ciphers (>= 112-bit key) RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc= {symmetric encryption method} Mac={message authentication code} {export flag} Description: Traceroute Information Synopsis: It was possible to obtain traceroute information. Impact: Makes a traceroute to the remote host. UDP None general 1.0 Data Received: For your information, here is the traceroute from to : ? Description: Host Fully Qualified Domain Name (FQDN) Resolution Synopsis: It was possible to resolve the name of the remote host. TCP None general 1.0 Impact: SecurityMetrics was able to resolve the FQDN of the remote host. Data Received: resolves as secure.prestomart.com.

14 Description: HyperText Transfer Protocol (HTTP) Information Synopsis: Some information about the remote HTTP configuration can be extracted. Impact: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Data Received: Protocol version : HTTP/1.1 SSL : yes Keep-Alive : no Options allowed : GET,HEAD,POST,OPTIONS,TRACE Headers : Date: Sat, 14 Mar :35:59 GMT Server: Apache/2.2.3 (Red Hat) Last- Modified: Sun, 09 Oct :06:23 GMT Accept-Ranges: bytes Content- Length: 22 Cache- Control: max-age=7200, must-revalidate Connection: close Content- Type: text/html Description: HTTP Server Type and Version Synopsis: A web server is running on the remote host. Impact: This plugin attempts to determine the type and the version of the remote web server. Data Received: The remote web server type is : Apache/2.2.3 (Red Hat) You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

15 Description: SSL Compression Methods Supported Synopsis: The remote service supports one or more compression methods for SSL connections. Impact: This script detects which compression methods are supported by the remote service for SSL connections. See also : Data Received: SecurityMetrics was able to confirm that the following compression method is supported by the target : NULL (0x00) Description: ICMP Timestamp Request Remote Date Disclosure Synopsis: It is possible to determine the exact time set on the remote host. Impact: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. ICMP None general 0.0 Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time. Data Received: The remote clock is synchronized with the local clock. Resolution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk Factor: Low/ CVSS2 Base Score: 0.0 (AV:L/AC:L/Au:N/C:N/I:N/A:N) CVE: CVE CONFIDENTIAL AND PROPRIETARY INFORMATION SECURITYMETRICS PROVIDES THIS INFORMATION "AS IS" WITHOUT ANY WARRANTY OF ANY KIND. SECURITYMETRICS MAKES NO WARRANTY THAT THESE SERVICES WILL DETECT EVERY VULNERABILITY ON YOUR COMPUTER, OR THAT THE SUGGESTED SOLUTIONS AND ADVICE PROVIDED IN THIS REPORT, TOGETHER WITH THE RESULTS OF THE VULNERABILITY ASSESSMENT, WILL BE ERROR-FREE OR COMPLETE. SECURITYMETRICS SHALL NOT BE RESPONSIBLE OR LIABLE FOR THE ACCURACY, USEFULNESS, OR AVAILABILITY OF ANY INFORMATION TRANSMITTED VIA THE SECURITYMETRICS SERVICE, AND SHALL NOT BE RESPONSIBLE OR LIABLE FOR ANY USE OR APPLICATION OF THE INFORMATION CONTAINED IN THIS REPORT. DISSEMINATION, DISTRIBUTION, COPYING OR USE OF THIS DOCUMENT IN WHOLE OR IN PART BY A SECURITYMETRICS COMPETITOR OR THEIR AGENTS IS STRICTLY PROHIBITED. This report was generated by a PCI Approved Scanning Vendor, SecurityMetrics, Inc., under certificate number , within the guidelines of the PCI data security initiative.