SNI Vulnerability Assessment Report

Transcription

1 SI Vulnerability Assessment Report Generated sample report Automated Infrastructure Discovery and Analysis Scan period : :27 umber of scanned hosts 12 umber of hosts requiring attention 6 Summary of findings 1 host having findings rated high 3 hosts having findings rated medium 3 hosts having findings rated low Description of vulnerability ratings [Rating >= 70] An attacker might be able to use a low risk vulnerability to gain potential sensitive information about a server, for instance the running applications and the logged in users H [Rating >= 85] An attacker might be able to use a medium risk vulnerability to get control over certain applications, to read or change sensitive information, and to try further attacks [Rating >= 100] An attacker might be able to use a high risk vulnerability to gain administrator access to a server, exploit and change sensitive information or to try to gain access to more servers Page 1 of 6

2 Server server1 ( X) Recorded on :53 Vulnerability rating 0 Scan period : :53 one Server server2 ( X) Recorded on :55 Vulnerability rating 0 Scan period : :55 one Server server3 ( X) Unresponsive Recorded on :47 False Scan period : :47 Server server4 ( X) Recorded on :49 Unresponsive Page 2 of 6

3 False Scan period : :49 Server server5 ( X) Recorded on :51 Vulnerability rating 70 Scan period : :51 ow An identd response on port 113 was detected. Identd is a daemon that looks up specific TCP/IP connections and returns the username (and optionally other information) of the process owning the connection. Some vulnerable applications, such as some versions of sendmail and Telnet, transmit a response back to port 113 of the originating computer to determine the identity of the originator. This behavior may help an attacker identify a vulnerable operating system or application. For Sendmail: grade to the lastest version of Sendmail (8.7.6 or later), as listed in CERT Advisory CA See References. For other applications that generate identd responses, contact your vendor for patch or upgrade information. Additional information: Server server6 ( X) edium Recorded on :05 Scan period : :05 URScan could allow a remote attacker to determine if URScan is running on a server, caused by improper handling of HTTP HEAD requests. A remote attacker could send a specially-crafted HTTP HEAD request, which would be converted into a GET request and sent to IIS, which would return a response indicating the presence of URScan on the system. o remedy available as of ovember 8, Additional information: Page 3 of 6

4 Server server7 ( X) Recorded on :10 Scan period : :10 one Server server8 ( X) Recorded on :13 Scan period : :13 ow The Check Point FireWall-1/VP-1 SecuRemote client does not encrypt or authenticate connections to the SecuRemote Server, which could expose possibly sensitive network topology information to remote attackers. The client and server of SecuRemote support string authentication and encryption of this data, but by default permit weaker, less secure connections for backward compatibility. An attacker could take advantage of these weaker connections to obtain sensitive network topology information. Disable the FireWall-1 option 'Respond to Unauthenticated Cleartext Topology Requests'. To disable this option from the FireWall-1 Policy Editor: 1. Open the FireWall-1 Policy Editor. 2. Select Policy -- Properties. 2. Click the Desktop Security tab. 3. Clear the 'Respond to Unauthenticated Cleartext Topology Requests' check box. Additional information: Server server9 ( X) Recorded on :15 Scan period : :15 High Page 4 of 6

5 IS-ITCS104Prod-07July08 H Transparent etwork Substrate (TS) istener handles all remote client connection requests for Oracle services. By default, the TS istener has an empty password. This could allow an unauthorized remote user to gain access and shut down the TS istener, which would result in a denial of service. Refer to the Oracle Database istener Security Guide PDF for information on properly securing the Oracle TS istener. See References. Additional information: An identd response on port 113 was detected. Identd is a daemon that looks up specific TCP/IP connections and returns the username (and optionally other information) of the process owning the connection. Some vulnerable applications, such as some versions of sendmail and Telnet, transmit a response back to port 113 of the originating computer to determine the identity of the originator. This behavior may help an attacker identify a vulnerable operating system or application. For Sendmail: grade to the lastest version of Sendmail (8.7.6 or later), as listed in CERT Advisory CA See References. For other applications that generate identd responses, contact your vendor for patch or upgrade information. Additional information: Server server10 ( X) Recorded on :21 Scan period : :21 one Server server11 ( X) edium Recorded on :27 Scan period : :27 IS-ITCS104Prod-07July08 The mountd daemon is running over a non-reserved port. This daemon is probably vulnerable to port hijacking and should be moved to a reserved port. port=32781 Page 5 of 6

6 If possible, only allow this service to run on a privileged port. Users are recommended to contact their vendor on patch or workaround information. Additional information: Server server12 ( X) edium Recorded on :25 Scan period : :25 A normal FTP session occurs by establishing a connection to the FTP control port (TCP port 21). Once this control channel is established, any files to be sent are transferred using a separate connection (the data connection). This is done by the FTP client sending a PORT command containing the IP address and port that it will listen for a TCP connection on. The FTP server then connects back to that port and transfers the file. (There is also a mechanism called Passive FTP whereby the client connects to the server instead, but this method is not involved in this form of attack.) By specifying a different IP address than its own, an FTP client can trick some FTP servers into making a connection and sending data to another host on the network; that host will look like it is being probed or attacked by the FTP server when it fact it is the FTP client that is indirectly attacking it. This can mask an attacker's identity in attacking a network. It is also possible that an attacker could use this vulnerability to bypass some poorly configured packet filters or firewalls. For example, if the mail server allows telnet connections from an internal FTP server but not from external hosts on the Internet, an attacker may be able to connect to the Telnet port on the STP server by 'bouncing' through the FTP server. grade to the latest version of your FTP server, which should include fixes for this problem. For SGI IRIX: grade to the latest version of IRIX ( or later), or apply the appropriate patch for your system, as listed in SGI Security Advisory P. See References. Additional information: Page 6 of 6