ncircle PCI Compliance Report for Techno Kitchen Detail Report

Transcription

1 ncircle PCI Compliance Report for Techno Kitchen Detail Report Report Summary Scan Start Date :25:42 UTC Scan End Date :22:39 UTC Report Date :22:55 UTC ASPL Version 345 Target IPs This report was generated by a PCI approved scanning vendor, ncircle Network Security, under certificate number , within the guidelines of the PCI data security initiative. ncircle has determined that Techno Kitchen is NOT COMPLIANT with the PCI scan validation requirements. Hosts Hosts Found Compliant Hosts Non-compliant Hosts Status IP Address CVSS >= 4 CVSS < 4 Amendments Status Page 1

2 ( ) DNS Name IP360 Score 1776 NetBIOS Name Vulnerabilities 57 Domain/Workgroup Applications 34 Operating System Unix Variant ncircle has determined that is Not Compliant with the PCI scan requirements. NetBIOS Shares: None Applications: Port Service Applications 26 Unknown 1157 Unknown 2077 Unknown 2078 Unknown 2086 Unknown 2087 Unknown 2095 Unknown 2096 Unknown 21 FTP ProFTP SMTP Exim SMTP 53 DNS TCP Bind 9 tcp DNS 2082 HTTP HTTP Server 2083 HTTP HTTP Server 2082 HTTP HTTP-Based Application 2083 HTTP HTTP-Based Application 80 HTTP PHP 5.x 80 HTTP Apache 2.1.x x HTTP 80 HTTP Spidered Web Pages 143 IMAP Unknown 53 DNS UDP Bind 9 udp DNS 995 POP3 SSLv2 995 POP3 SSLv3 995 POP3 TLSv1 110 POP3 Dovecot POP3 465 SMTPS Exim SMTP 465 SMTPS SSLv2 Page 2

3 465 SMTPS SSLv3 465 SMTPS TLSv1 993 IMAPS SSLv2 993 IMAPS SSLv3 993 IMAPS TLSv1 443 HTTPS Apache 2.1.x x HTTP 443 HTTPS Spidered Web Pages IPv4 Layer 4 Unknown Vulnerabilities: BIND out-of-bailiwick Data Vulnerability ncircle ID: Port: 53 CVSS Score: 7.6 Not Compliant The following versions of BIND are vulnerable because they handle out-of-bailiwick data during a secure response without re-fetching from the data from the original source. This makes it possible for a remote attacker to perform unspecified actions through a crafted response. This vulnerability is part of a fix for an insufficient fix in CVE Vulnerable Versions: 9.0.x to 9.3.x 9.4 BEFORE P5 9.5 BEFORE P2 9.6 BEFORE P3 ISC recommends that users of BIND upgrade to the latest versions of BIND that address this vulnerability P P P3 CVE: CVE , CVSS Base Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C), CVSS Base Score: 7.6, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 6.3 GD Graphics Library '_gdgetcolors' Remote Buffer Overflow Vulnerability ncircle ID: Port: 80 CVSS Score: 7.5 Not Compliant A vulnerability allowing buffer overflow or buffer over-read attacks has been discovered in PHP and 5.3.x before Upgrade to the latest version of PHP, available at CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P), CVSS Base Score: 7.5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 5.5 PHP 'session.save_path()' Arbitrary Code Execution Vulnerability ncircle ID: Port: 80 CVSS Score: 7.5 Not Compliant A vulnerability has been discovered in session.save_path in PHP that allows for corruption of the _SESSION superglobal array, and the session.save_path directive. This affects all versions prior to Upgrade to the latest version of PHP, available at CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P), CVSS Base Score: 7.5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 5.5 PHP ext/posix/posix.c File Creation Vulnerability ncircle ID: Port: 80 CVSS Score: 6.8 Not Compliant A vulnerability has been discovered in PHP before and 5.3.x before which allows for unauthenticated creation of files, bypassing open_basdir restrictions, also potentially causing denial of service. Upgrade to the latest version of PHP, available at CVE: CVE , CVSS Base Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P), CVSS Base Score: 6.8, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 5.0 Page 3

4 OpenSSL Network Security Services (NSS) Library Support for MD2 with X.509 Certificates Vulnerability ncircle ID: Port: 80 CVSS Score: 6.4 Not Compliant OpenSSL versions that support MD2 with X.509 certificates are prone to a vulnerability which can be exploited by remote attackers to spoof certificates. A large amount of computational power is required to exploit flaws in MD2 in order to achieve a spoofed certificate, but the flaw could allow a certificate to be spoofed in less time than it would take to spoof the certificate via brute-force methods. Versions through 0.9.8k are vulnerable. CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P), CVSS Base Score: 6.4, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 4.7 OpenSSL Network Security Services (NSS) Library Support for MD2 with X.509 Certificates Vulnerability ncircle ID: Port: 443 CVSS Score: 6.4 Not Compliant OpenSSL versions that support MD2 with X.509 certificates are prone to a vulnerability which can be exploited by remote attackers to spoof certificates. A large amount of computational power is required to exploit flaws in MD2 in order to achieve a spoofed certificate, but the flaw could allow a certificate to be spoofed in less time than it would take to spoof the certificate via brute-force methods. Versions through 0.9.8k are vulnerable. CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P), CVSS Base Score: 6.4, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 4.7 OpenSSL TLS Protocol Session Renegotiation Vulnerability ncircle ID: Port: 80 CVSS Score: 6.4 Not Compliant OpenSSL is prone to a vulnerability in its' TLS and SSLv3 (and possibly earlier) protocols, which could allow a man-in-the-middle attacker to inject data into sessions protected by TLS or SSL, such as HTTPS sessions. The problem arises due to the failure of OpenSSL to associate renegotiated handshakes with existing connections. Versions before 0.9.8l are vulnerable. CVE: CVE , BugTraq: 36935, CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P), CVSS Base Score: 6.4, ncircle CVSS Temporal Vector: (E:POC/RL:OF/RC:C), ncircle CVSS Temporal Score: 5.0 OpenSSL TLS Protocol Session Renegotiation Vulnerability ncircle ID: Port: 443 CVSS Score: 6.4 Not Compliant OpenSSL is prone to a vulnerability in its' TLS and SSLv3 (and possibly earlier) protocols, which could allow a man-in-the-middle attacker to inject data into sessions protected by TLS or SSL, such as HTTPS sessions. The problem arises due to the failure of OpenSSL to associate renegotiated handshakes with existing connections. Versions before 0.9.8l are vulnerable. CVE: CVE , BugTraq: 36935, CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P), CVSS Base Score: 6.4, ncircle CVSS Temporal Vector: (E:POC/RL:OF/RC:C), ncircle CVSS Temporal Score: 5.0 Web Server HTTP TRACE Method Supported ncircle ID: 5041 Port: 80 CVSS Score: 5.8 Not Compliant The TRACE method is an HTTP command used for debugging purposes. A client sending the TRACE command to a web server will receive an echo of the entire request, including HTTP headers. It is possible for a malicious user to obtain sensitive information from the headers, such as cookies or authentication data. Many web servers released prior to January 2003 had the TRACE method enabled by default. These include Apache, Microsoft IIS, Sun ONE/iPlanet Web Server, and WebLogic Server and Express. Unless it is specifically needed, the TRACE method should be disabled. Under Apache, this can be done using the mod_rewrite module, with the following syntax: RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule.* - [F] For Microsoft IIS, the URLScan tool should be used to deny HTTP TRACE requests. URLScan is available at The procedure for the Sun ONE/iPlanet Web Server can be found at For WebLogic Server and Express, the following products are vulnerable: * WebLogic Server and Express 8.1, released through Service Pack 2, all platforms * WebLogic Server and Express 7.0, released through Service Pack 4, all platforms * WebLogic Server and Express 6.1, released through Service Pack 6, all platforms * WebLogic Server and Express 5.1, released through Service Pack 13, all platforms The vendor has released an advisory and patches pertaining to the vulnerability. These are available at Page 4

5 CVE: CVE , BugTraq: 9506, BugTraq: 9561, CVSS Base Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N), CVSS Base Score: 5.8, ncircle CVSS Temporal Vector: (E:H/RL:W/RC:C), ncircle CVSS Temporal Score: 5.5 Web Server HTTP TRACE Method Supported ncircle ID: 5041 Port: 443 CVSS Score: 5.8 Not Compliant The TRACE method is an HTTP command used for debugging purposes. A client sending the TRACE command to a web server will receive an echo of the entire request, including HTTP headers. It is possible for a malicious user to obtain sensitive information from the headers, such as cookies or authentication data. Many web servers released prior to January 2003 had the TRACE method enabled by default. These include Apache, Microsoft IIS, Sun ONE/iPlanet Web Server, and WebLogic Server and Express. Unless it is specifically needed, the TRACE method should be disabled. Under Apache, this can be done using the mod_rewrite module, with the following syntax: RewriteEngine On RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule.* - [F] For Microsoft IIS, the URLScan tool should be used to deny HTTP TRACE requests. URLScan is available at The procedure for the Sun ONE/iPlanet Web Server can be found at For WebLogic Server and Express, the following products are vulnerable: * WebLogic Server and Express 8.1, released through Service Pack 2, all platforms * WebLogic Server and Express 7.0, released through Service Pack 4, all platforms * WebLogic Server and Express 6.1, released through Service Pack 6, all platforms * WebLogic Server and Express 5.1, released through Service Pack 13, all platforms The vendor has released an advisory and patches pertaining to the vulnerability. These are available at CVE: CVE , BugTraq: 9506, BugTraq: 9561, CVSS Base Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N), CVSS Base Score: 5.8, ncircle CVSS Temporal Vector: (E:H/RL:W/RC:C), ncircle CVSS Temporal Score: 5.5 Apache Remote Username Enumeration Vulnerability ncircle ID: 1854 Port: 80 CVSS Score: 5.0 Not Compliant Versions of the Apache web server install with a default misconfiguration that allows remote users to determine whether a given username exists on the vulnerable system. When a remote user submits an HTTP request for a possible user's default home page, the server has one of three responses. In a case where the tested username is valid, and that account has been configured with a homepage, the server replies with HTTP result code 200, and the user's homepage. Alternatively, when the tested username does exist on the system, but does not have a homepage, the server responds with HTTP result code 403, and the server message "You don't have permission to access /~username on this server." However, if the tested username does not exist as an account on the system, the Apache server's response is HTTP result code 404 and the message "The requested URL /~username was not found on this server." Because the server responds differently in the latter two cases, a remote user can test and enumerate possible usernames. Properly exploited, this information could be used in further attacks on the vulnerable host. Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: support@ncircle.com MITIGATION Workaround 1 - Disable the default-enabled UserDir directive: % echo 'UserDir Disabled' >> /var/www/conf/httpd.conf Workaround 2 - Substitute URL for pathname in httpd.conf: % echo 'ErrorDocument >> /var/www/conf/httpd.conf % echo 'ErrorDocument >> /var/www/conf/httpd.conf % sudo apachectl restart Ensure users select hard to guess passwords (passwords that are not based on 'dictionary' words, names or other guessable strings). Disallow remote untrusted network traffic. CVE: CVE , BugTraq: 3335, CVSS Base Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:H/RL:W/RC:C), ncircle CVSS Temporal Score: 4.8 PHP ext/standard/file.c Context Dependent Safe Mode Bypass Vulnerability ncircle ID: Port: 80 CVSS Score: 5.0 Not Compliant A vulnerability in ext/standard/file.c has been discovered that allows for bypassing safe_mode, allowing for file creation in group or world writable directories. This affects all versions prior to , and before in the 5.3.x branch. Upgrade to the latest version of PHP, available at CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.7 BIND DNSSEC NSEC/NSEC3 Validation Code Vulnerability ncircle ID: Port: 53 CVSS Score: 4.3 Not Compliant The following versions of ISC BIND fail to properly validate DNSSEC, NSEC, or NSEC3 records. This vulnerability permits an attacker to add the authenticated data flag to a spoofed NXDOMAIN response for a given domain. The expected results are bogus NXDOMAIN responses. Vulnerable Versions: 9.0.x to 9.3.x 9.4 BEFORE P5 9.5 BEFORE P2 9.6 BEFORE P3 ISC recommends that users of BIND upgrade to the latest versions of BIND that address this vulnerability P P P3 CVE: CVE , BugTraq: 37865, CVSS Base Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N), CVSS Base Score: 4.3, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.6 Page 5

6 PHP overlong UTF-8 sequences remote cross-site scripting ncircle ID: Port: 80 CVSS Score: 4.3 Not Compliant A vulnerability has been discovered in PHP involving UTF-8, EUC-JP, and Shift_JIS handling, which allows for cross-site scripting (XSS) to occur in versions prior to Upgrade to the latest version of PHP, available at CVE: CVE , CVSS Base Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N), CVSS Base Score: 4.3, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.6 BIND DNSSEC Validation and DNS cache poisoning Vulnerability ncircle ID: Port: 53 CVSS Score: 4.0 Not Compliant An unspecified vulnerability exists in the following versions of ISC BIND. This vulnerability exists when DNSSEC validation is enabled but checking is disabled. This makes it possible for a remote attacker to perform DNS cache poisoning attacks. This occurs via interception of a client query for CNAME or DNAME records and returning attacker specified data. This takes place before caching. This vulnerability corrects an incomplete fix of CVE Vulnerable Versions: 9.0.x to 9.3.x 9.4 BEFORE P5 9.5 BEFORE P2 9.6 BEFORE P3 ISC recommends that users of BIND upgrade to the latest versions of BIND that address this vulnerability P P P3 CVE: CVE , CVSS Base Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:P), CVSS Base Score: 4, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.3 BIND DNSSEC Validation Enabled Vulnerability ncircle ID: Port: 53 CVSS Score: 4.0 Not Compliant The following BIND versions are vulnerable to an unspecified vulnerability. It is known that when DNSSEC validation is enabled and checking is disabled a remote attacker can perform a DNS cache poisoning attack. Vulnerable Versions: 9.0.x to 9.3.x 9.4 BEFORE P5 9.5 BEFORE P2 9.6 BEFORE P3 ISC recommends that users of BIND upgrade to the latest versions of BIND that address this vulnerability P P P3 CVE: CVE , BugTraq: 37118, CVSS Base Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:P), CVSS Base Score: 4, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.3 OpenSSL DTLS Record Buffer Limitation Vulnerability ncircle ID: Port: 80 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in the dtls1_buffer_record function in ssl/d1_pkt.c, which can be exploited by a remote attacker to cause a denial-of-service. The DTLS buffer has a size limitation that can be exploited by sending a large number of "future epoch" DTLS records to the server. Versions to 0.9.8k are vulnerable. CVE: CVE , BugTraq: 35001, CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.7 OpenSSL DTLS Record Buffer Limitation Vulnerability ncircle ID: Port: 443 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in the dtls1_buffer_record function in ssl/d1_pkt.c, which can be exploited by a remote attacker to cause a denial-of-service. The DTLS buffer has a size limitation that can be exploited by sending a large number of "future epoch" DTLS records to the server. Versions to 0.9.8k are vulnerable. CVE: CVE , BugTraq: 35001, CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.7 OpenSSL DTLS Fragment Handling Memory Leak Vulnerability ncircle ID: Port: 80 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in the dtls1_process_out_of_seq_message function in ssl/d1_both.c, which can be exploited by a remote attacker to cause a denial-of-service. The problem arises due to memory leaks that occur in OpenSSL when handling duplicate DTLS records or when handling DTLS records that have sequence numbers set which are much higher than current DTLS record sequence numbers. Versions to 0.9.8k are vulnerable. Page 6

7 CVE: CVE , BugTraq: 35001, CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.7 OpenSSL DTLS Fragment Handling Memory Leak Vulnerability ncircle ID: Port: 443 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in the dtls1_process_out_of_seq_message function in ssl/d1_both.c, which can be exploited by a remote attacker to cause a denial-of-service. The problem arises due to memory leaks that occur in OpenSSL when handling duplicate DTLS records or when handling DTLS records that have sequence numbers set which are much higher than current DTLS record sequence numbers. Versions to 0.9.8k are vulnerable. CVE: CVE , BugTraq: 35001, CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.7 OpenSSL 'ChangeCipherSpec' DTLS Packet Denial of Service Vulnerability ncircle ID: Port: 80 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in ssl/s3_pkt.c, which can be exploited by a remote attacker to cause a denial-of-service. An exploit is available for this vulnerability which causes a NULL-pointer dereference by sending a ChangeCipherSpec packet before ClientHello, ultimately causing the application to crash. Versions before 0.9.8i are vulnerable. CVE: CVE , BugTraq: 35174, CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 4.1 OpenSSL 'ChangeCipherSpec' DTLS Packet Denial of Service Vulnerability ncircle ID: Port: 443 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in ssl/s3_pkt.c, which can be exploited by a remote attacker to cause a denial-of-service. An exploit is available for this vulnerability which causes a NULL-pointer dereference by sending a ChangeCipherSpec packet before ClientHello, ultimately causing the application to crash. Versions before 0.9.8i are vulnerable. CVE: CVE , BugTraq: 35174, CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 4.1 OpenSSL 'dtls1_retrieve_buffered_fragment()' Out of Sequence DTLS Handshake Messages Denial of Service Vulnerability ncircle ID: Port: 80 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in dtls1_retrieve_buffered_fragment, which can be exploited by a remote attacker to cause a denial-of-service. This vulnerability occurs because OpenSSL cannot properly handle DTLS handshake messages that are sent out of sequence. Versions before Beta 2 are vulnerable. CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.7 OpenSSL 'dtls1_retrieve_buffered_fragment()' Out of Sequence DTLS Handshake Messages Denial of Service Vulnerability ncircle ID: Port: 443 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in dtls1_retrieve_buffered_fragment, which can be exploited by a remote attacker to cause a denial-of-service. This vulnerability occurs because OpenSSL cannot properly handle DTLS handshake messages that are sent out of sequence. Versions before Beta 2 are vulnerable. CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:U/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.7 Page 7

8 OpenSSL 'zlib_stateful_finish()' Denial of Service Vulnerability ncircle ID: Port: 80 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in zlib_stateful_finish, which can be exploited by a remote attacker to cause excessive memory consumption leading to a denial-of-service. A demonstration for this exploit is currently available which makes use of SSLv3, PHP, and Apache. Versions 0.9.8l and earlier, and Beta through Beta 4 are vulnerable. CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 4.1 OpenSSL 'zlib_stateful_finish()' Denial of Service Vulnerability ncircle ID: Port: 443 CVSS Score: 5.0 OpenSSL is prone to a vulnerability in zlib_stateful_finish, which can be exploited by a remote attacker to cause excessive memory consumption leading to a denial-of-service. A demonstration for this exploit is currently available which makes use of SSLv3, PHP, and Apache. Versions 0.9.8l and earlier, and Beta through Beta 4 are vulnerable. CVE: CVE , CVSS Base Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P), CVSS Base Score: 5, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 4.1 BIND 9 dns_db_findrdataset Function Denial of Service Vulnerability ncircle ID: Port: 53 CVSS Score: 4.3 ISC BIND 9.4 before P3, 9.5 before P3, and 9.6 before P1 are vulnerable to a Denial of Service attack caused by a specially crafted dynamic update message. This only applies when configured as a master server. Upgrade BIND version to P3, P3 or P1. CVE: CVE , CVSS Base Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P), CVSS Base Score: 4.3, ncircle CVSS Temporal Vector: (E:F/RL:OF/RC:C), ncircle CVSS Temporal Score: 3.6 PHP Python Extension 'safe_mode' Restriction Bypass Vulnerability ncircle ID: Port: 80 CVSS Score: 3.0 PHP is prone to a 'safe_mode' restriction-bypass vulnerability when the Python extension in enabled. Successful exploits could allow an attacker to execute arbitrary code. Specifically, this is caused by 'safe_mode' failing to properly restrict Python code embedded within PHP code. This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' restriction is expected to isolate users from each other. Versions prior to PHP 6 are vulnerable. NOTE: The severity of this issue can vary depending on the specific configuration of the server. Upgrade to the latest version of PHP, available at BugTraq: 32902, ncircle CVSS Base Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:N), ncircle CVSS Base Score: 3.0, ncircle CVSS Temporal Vector: (E:POC/RL:OF/RC:C), ncircle CVSS Temporal Score: 2.3 EXPIRED SSL/TLS CERTIFICATE ncircle ID: 5465 Port: 465 CVSS Score: 2.6 A SSL/TLS certificate on this host has expired. The certificate should be renewed at the earliest opportunity. ncircle CVSS Base Vector: (AV:N/AC:H/Au:N/C:N/I:N/A:P), ncircle CVSS Base Score: 2.6, ncircle CVSS Temporal Vector: (E:U/RL:W/RC:C), ncircle CVSS Temporal Score: 2.1 BIND Version ncircle ID: 63 Port: 53 CVSS Score: 0.0 BIND (Berkeley Internet Name Domain) software is an implementation of the DNS (Domain Name System) protocol. By default, BIND displays a version number when queried. This information can be useful for an attacker attempting to identify vulnerabilities in the BIND software running on a network. For this reason, it is strongly recommended that system administrators have the banner disabled. To prevent the version from being displayed under BIND 8, a zone must be created in the configuration file to prevent such information from being displayed: zone "bind" chaos { allow-query {localhost;} type master; file "bind.chaos"; }; Within the bind.chaos file one can either change the version.bind entry by adding a TXT record or not add any entires. Regardless, a standard zone file must be created to resemble the following 1D CHAOS SOA localhost. hostmaster.localhost. ( 1 ; serial 3H ; refresh 1H ; retry 1W ; expiry 1D ) ; minimum CHAOS NS localhost. Page 8

9 FTP Banner Available ncircle ID: 71 Port: 21 CVSS Score: 0.0 An intruder can retrieve extended banner information. Banners provide information that can help an intruder guess the operating system of the server or discover other system vulnerabilities. Intruders routinely attempt to retrieve banner information from available services as a means of pre-attack reconnaissance. As with all services, disable this service if it is non-essential to the server's operations. Additionally, we recommend you use IP filtering software to restrict access to a limited set of trusted hosts. Various IP filtering packages can be used to control access to services by IP address or hostname, and provides an enhanced logging facility for services it protects. Be advised, services protected in this manner will still be vulnerable to IP spoofing attacks, however, the program does provide a much needed additional layer of security. HTTP Server Header Information Leakage ncircle ID: 534 Port: 80 CVSS Score: 0.0 The HTTP "Server" header contains information that can be useful to remote users planning an attack on the server. Most headers display information about the HTTP version being used and the OS of the webserver or device on which the HTTP server is running. The "Server" header is designed to advertise the type of server that the remote host is running. This header can be useful to attackers who wish to learn about the remote host for purposes of attacking it. Follow accepted methods for changing or disabling the "Server" header sent by your web server. SMTP VRFY Available ncircle ID: 538 Port: 25 CVSS Score: 0.0 The SMTP server running on this host allows the VRFY command. The VRFY command allows an anonymous user to confirm that an argument properly identifies a user. If the argument is a valid user's name, Sendmail will reply with the user's full name and mailbox. This information is useful to remote intruders both for purposes of social engineering and guessing account passwords. Disable the VRFY command. SMTP VRFY Available ncircle ID: 538 Port: 465 CVSS Score: 0.0 The SMTP server running on this host allows the VRFY command. The VRFY command allows an anonymous user to confirm that an argument properly identifies a user. If the argument is a valid user's name, Sendmail will reply with the user's full name and mailbox. This information is useful to remote intruders both for purposes of social engineering and guessing account passwords. Disable the VRFY command. POP3 Available ncircle ID: 929 Port: 110 CVSS Score: 0.0 POP3 (Post Office Protocol) is a remote mail access protocol. POP was designed to support "offline" mail processing. In the offline paradigm, mail is delivered to a (usually shared) server, and a personal computer user periodically invokes a mail "client" program that connects to the server and downloads all of the pending mail to the user's own machine. This service should be disabled if it is not needed. Page 9

10 POP3 Available ncircle ID: 929 Port: 995 CVSS Score: 0.0 POP3 (Post Office Protocol) is a remote mail access protocol. POP was designed to support "offline" mail processing. In the offline paradigm, mail is delivered to a (usually shared) server, and a personal computer user periodically invokes a mail "client" program that connects to the server and downloads all of the pending mail to the user's own machine. This service should be disabled if it is not needed. FTP Available ncircle ID: 1059 Port: 21 CVSS Score: 0.0 The FTP service was detected on the system. The file transfer protocol (FTP) uses a TCP connection to transfer files between remote hosts. FTP sessions involve two separate connections: the control connection and the data connection. The server listens for FTP control connections on TCP port 21. During the control connection the user may specify the port that will be available for data connection, though it is standard to use port 20 for FTP data transfer. Most FTP sessions require user authorization to transfer files. FTP is linked to several vulnerabilities and is a serious security risk. The protocol for this service is defined in RFC-959 and RFC Disable the FTP service if it is not required for business reasons. If the FTP service is needed internally, configure packet filters on firewalls and border routers to block external access to port 21 on your internal network. Additionally, we recommend you use TCP_wrappers to restrict access to this service to a limited set of trusted hosts. TCP_ wrappers is used to control access to services by IP address or hostname, and provides an enhanced logging facility for services it protects. Be advised, services protected in this manner will still be vulnerable to IP spoofing attacks, however, the program does provide a much needed additional layer of security. SMTP Available ncircle ID: 1064 Port: 25 CVSS Score: 0.0 SMTP provides a way to send mail across transport service environments. The TCP connection between the sender process and the receiver process provides a transmission channel with a default port of 25. Since SMTP is independent of the transmission subsystem, it requires only a reliable ordered data stream channel. The protocol for this service is defined in RFC-821. Disable your SMTP daemon if it is non-essential to the server's operations. Eliminating unnecessary services mitigates risk to the network by eliminating potential points of attack. If SMTP is needed, we recommend that it be encrypted. SMTP Available ncircle ID: 1064 Port: 465 CVSS Score: 0.0 SMTP provides a way to send mail across transport service environments. The TCP connection between the sender process and the receiver process provides a transmission channel with a default port of 25. Since SMTP is independent of the transmission subsystem, it requires only a reliable ordered data stream channel. The protocol for this service is defined in RFC-821. Disable your SMTP daemon if it is non-essential to the server's operations. Eliminating unnecessary services mitigates risk to the network by eliminating potential points of attack. If SMTP is needed, we recommend that it be encrypted. FTP SYST ncircle ID: 1224 Port: 21 CVSS Score: 0.0 FTP SYST vulnerability has been found on the device. The FTP SYST command provides information on the type of operating system being run by the server. This information can prove invaluable in developing attack strategies. Using the FTP SYST command, attackers can discover operating system version information. Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please us at support@ncircle.com Vector: (E:H/RL:U/RC:C), ncircle CVSS Temporal Score: 0.0 Page 10

11 DNS Available ncircle ID: 1282 Port: 53 CVSS Score: 0.0 The Domain Name System or DNS is an information system designed to provide a mechanism for naming resources in such a way that the names are usable in different hosts, networks, protocol families, Internets, and administrative organizations. It uses ports 53/TCP and 53/UDP respectively. A DNS server can be mined for information pertaining to your network. It can reveal host names and internal IP address if misconfigured. If DNS is not necessary on this host it should be disabled. To disable, remove DNS entries from the appropriate rc file or rc runlevel file. (Alternately, to disable DNS running on Windows, use the "services" control panel.) DNS Available ncircle ID: 1282 Port: 53 CVSS Score: 0.0 The Domain Name System or DNS is an information system designed to provide a mechanism for naming resources in such a way that the names are usable in different hosts, networks, protocol families, Internets, and administrative organizations. It uses ports 53/TCP and 53/UDP respectively. A DNS server can be mined for information pertaining to your network. It can reveal host names and internal IP address if misconfigured. If DNS is not necessary on this host it should be disabled. To disable, remove DNS entries from the appropriate rc file or rc runlevel file. (Alternately, to disable DNS running on Windows, use the "services" control panel.) HTTP Available ncircle ID: 1343 Port: 80 CVSS Score: 0.0 The Hyper Text Transfer Protocol (HTTP) is the application level protocol used by Web servers for transferring information over the Internet. HTTP includes several methods for web-enabled applications to interact, and is associated with specific security concerns. It is recommended that this service be enabled only on systems acting as dedicated web servers. HTTP should be disabled if it is not necessary for the planned operations of the server. IMAP Available ncircle ID: 1347 Port: 143 CVSS Score: 0.0 The INTERACTIVE MAIL ACCESS PROTOCOL - VERSION 2 is a service designed to allow workstations to access mail dynamically from a mailbox server. IMAP is a protocol to facilitate mail access, unlike SMTP, which is used to deliver mail over the Internet. IMAP defaults to clear-text transmission of data between the client and server, and is therefore vulnerable to standard sniffing attacks. If this service is needed it should default to SSL encrypted transfers to better ensure confidentiality. IMAP should be disabled if it is running but not in use by the server. Services Available ncircle ID: 1750 Port: 25 CVSS Score: 0.0 services such as SMTP, POP3 and IMAP allow users to send and receive messages. As a side effect, these same services can also be used to propagate viruses, and can be used to gather information about the users on the host running the mail server. Ensure that all services are properly updated and secured. Required updates will depend on the application in question. Services Available ncircle ID: 1750 Port: 110 CVSS Score: 0.0 services such as SMTP, POP3 and IMAP allow users to send and receive messages. As a side effect, these same services can also be used to propagate viruses, and can be used to gather information about the users on the host running the mail server. Page 11

12 Ensure that all services are properly updated and secured. Required updates will depend on the application in question. Services Available ncircle ID: 1750 Port: 143 CVSS Score: 0.0 services such as SMTP, POP3 and IMAP allow users to send and receive messages. As a side effect, these same services can also be used to propagate viruses, and can be used to gather information about the users on the host running the mail server. Ensure that all services are properly updated and secured. Required updates will depend on the application in question. Services Available ncircle ID: 1750 Port: 465 CVSS Score: 0.0 services such as SMTP, POP3 and IMAP allow users to send and receive messages. As a side effect, these same services can also be used to propagate viruses, and can be used to gather information about the users on the host running the mail server. Ensure that all services are properly updated and secured. Required updates will depend on the application in question. Services Available ncircle ID: 1750 Port: 995 CVSS Score: 0.0 services such as SMTP, POP3 and IMAP allow users to send and receive messages. As a side effect, these same services can also be used to propagate viruses, and can be used to gather information about the users on the host running the mail server. Ensure that all services are properly updated and secured. Required updates will depend on the application in question. Self-Signed SSL/TLS Certificate Present ncircle ID: 6211 Port: 465 CVSS Score: 0.0 An SSL certificate on this host has been self-signed; it has not been signed by a trusted certificate authority. If a connection is made via web browser, the user will be informed that the certificate is not signed by a trusted authority. If a malicious user has created the certificate, the security of the certificate cannot be guaranteed. Use a trusted third-party certificate authority to sign SSL certificates. MITIGATION Browsers can be configured to trust particular self-signed certificates. Self-Signed SSL/TLS Certificate Present ncircle ID: 6211 Port: 993 CVSS Score: 0.0 An SSL certificate on this host has been self-signed; it has not been signed by a trusted certificate authority. If a connection is made via web browser, the user will be informed that the certificate is not signed by a trusted authority. If a malicious user has created the certificate, the security of the certificate cannot be guaranteed. Use a trusted third-party certificate authority to sign SSL certificates. MITIGATION Browsers can be configured to trust particular self-signed certificates. Page 12

13 Self-Signed SSL/TLS Certificate Present ncircle ID: 6211 Port: 995 CVSS Score: 0.0 An SSL certificate on this host has been self-signed; it has not been signed by a trusted certificate authority. If a connection is made via web browser, the user will be informed that the certificate is not signed by a trusted authority. If a malicious user has created the certificate, the security of the certificate cannot be guaranteed. Use a trusted third-party certificate authority to sign SSL certificates. MITIGATION Browsers can be configured to trust particular self-signed certificates. SSL/TLS Certificate Domain Name Mismatch ncircle ID: 6214 Port: 465 CVSS Score: 0.0 The fully-qualified domain name (FQDN) of the server does not match the FQDN that was used when creating the certificate. Users who connect to this server cannot be certain that they have connected to the correct server. Obtain a new certificate, created using the correct FQDN. MITIGATION Most web browsers will alert the user to the domain name mismatch. Change the hostname of the affected server. NOTE: If you believe this vulnerability to be a False Positive, ensure your Device Profiler is configured to use the correct DNS server. SSL/TLS Certificate Domain Name Mismatch ncircle ID: 6214 Port: 993 CVSS Score: 0.0 The fully-qualified domain name (FQDN) of the server does not match the FQDN that was used when creating the certificate. Users who connect to this server cannot be certain that they have connected to the correct server. Obtain a new certificate, created using the correct FQDN. MITIGATION Most web browsers will alert the user to the domain name mismatch. Change the hostname of the affected server. NOTE: If you believe this vulnerability to be a False Positive, ensure your Device Profiler is configured to use the correct DNS server. SSL/TLS Certificate Domain Name Mismatch ncircle ID: 6214 Port: 995 CVSS Score: 0.0 The fully-qualified domain name (FQDN) of the server does not match the FQDN that was used when creating the certificate. Users who connect to this server cannot be certain that they have connected to the correct server. Obtain a new certificate, created using the correct FQDN. MITIGATION Most web browsers will alert the user to the domain name mismatch. Change the hostname of the affected server. NOTE: If you believe this vulnerability to be a False Positive, ensure your Device Profiler is configured to use the correct DNS server. SMTP Server Allows Plaintext Authentication ncircle ID: 6811 Port: 25 CVSS Score: 0.0 The SMTP Server supports one of the following authentication types: LOGIN, PLAIN, or PLAINTEXT. This means that credentials passed to this server could be sniffed and viewed by a third party. N/A SMTP Server Allows Plaintext Authentication ncircle ID: 6811 Port: 465 CVSS Score: 0.0 The SMTP Server supports one of the following authentication types: LOGIN, PLAIN, or PLAINTEXT. This means that credentials passed to this server could be sniffed and viewed by a third party. N/A Page 13

14 Host Configuration & Information: ID Check Value 41 IMAP Server Banner 40 POP3 Server Banner +OK Dovecot ready. * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready., * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. 20 FTP Server Banners 220 ProFTPD 1.3.2d Server (ProFTPD) [::ffff: ] 22 SMTP Server Banner 220-techserver1.techwyse.com ESMTP Exim 4.69 #1 Fri\\, 30 Apr :54: We do not authorize the use of this system to transport unsolicited\\, 220 and/or bulk ., 220-techserver1.techwyse.com ESMTP Exim 4.69 #1 Fri\\, 30 Apr :54: We do not authorize the use of this system to transport unsolicited\\, 220 and/or bulk BIND Server Banner P1-RedHat P1.el5_ HTTP Server Banners Apache/ (Unix) mod_ssl/ OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ PHP/5.2.11, Apache/ (Unix) mod_ssl/ OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ PHP/5.2.11, cpsrvd/ Spidered Pages Port 80: 1 page(s) spidered, Port 443: 1 page(s) spidered 165 Meta Redirects Port 80: , Port 443: SSL Certificate Key Usage TCP(993):, TCP(995):, TCP(465): SSL Certificate Extended Key Usage SSL Certificate Serial Number SSL Certificate Public Key Size SSL Certificate SHA1 Thumbprint SSL Certificate MD5 Thumbprint 156 SSL Certificate Valid To 155 SSL Certificate Valid From TCP(993):, TCP(995):, TCP(465): TCP(993): 01:AC:1E:C2:0F, TCP(995): 01:AC:1E:C2:0F, TCP(465): 00:BD:41:CD:9F TCP(993): 1024 bits, TCP(995): 1024 bits, TCP(465): 1024 bits TCP(993): 48:E3:53:88:E8:AC:26:4C:3F:4D:C8:39:E8:06:B6:F4:2C:0D:E7:14, TCP(995): 48:E3:53:88:E8:AC:26:4C:3F:4D:C8:39:E8:06:B6:F4:2C:0D:E7:14, TCP(465): 06:4E:3F:D6:17:38:C8:10:C3:6E:42:51:DC:20:AD:17:79:32:AC:63 TCP(993): 95:C6:3D:3C:E3:25:FD:25:24:6F:31:83:76:51:42:70, TCP(995): 95:C6:3D:3C:E3:25:FD:25:24:6F:31:83:76:51:42:70, TCP(465): DC:A6:26:C1:99:07:9A:70:BF:B1:9F:62:A9:05:43:D6 TCP(993): Thu Jan 13 05:29: UTC, TCP(995): Thu Jan 13 05:29: UTC, TCP(465): Thu Apr 29 13:01: UTC TCP(993): Wed Jan 13 05:29: UTC, TCP(995): Wed Jan 13 05:29: UTC, TCP(465): Wed Apr 29 13:01: UTC Page 14

15 154 SSL Certificate Issuer 157 SSL Certificate Subject 153 SSL Certificate Signature Algorithm TCP(993): organizationalunitname=unknown\\, organizationname=unknown\\, statename=unknown\\, commonname=techserver1.techwyse.com\\, countryname=us\\, localityname=unknown\\, TCP(995): organizationalunitname=unknown\\, organizationname=unknown\\, statename=unknown\\, commonname=techserver1.techwyse.com\\, countryname=us\\, localityname=unknown\\, TCP(465): organizationalunitname=unknown\\, organizationname=unknown\\, statename=unknown\\, commonname=techserver1.techwyse.com\\, countryname=us\\, localityname=unknown\\, TCP(993): organizationalunitname=unknown\\, organizationname=unknown\\, statename=unknown\\, commonname=techserver1.techwyse.com\\, countryname=us\\, localityname=unknown\\, TCP(995): organizationalunitname=unknown\\, organizationname=unknown\\, statename=unknown\\, commonname=techserver1.techwyse.com\\, countryname=us\\, localityname=unknown\\, TCP(465): organizationalunitname=unknown\\, organizationname=unknown\\, statename=unknown\\, commonname=techserver1.techwyse.com\\, countryname=us\\, localityname=unknown\\, TCP(993): shawithrsaencryption, TCP(995): shawithrsaencryption, TCP(465): shawithrsaencryption Page 15