Scan Customer Information
  Company:          Example Name
  Contact:          Mr. Example
  Telephone:        0000-123456
  E-Mail:           customer@example.com
  Business Address: Example Street
  City:
  State:            Example Location
  ZIP:              00000
  URL:              www.example.com

Scan Company Information
  Company:          SRC Security Research & Consulting GmbH
  Contact:          Holger von Rhein, Senior Consultant
  Telephone:        +49 (0) 228 2806 166
  E-Mail:           sdpais@src-gmbh.de
  Business Address: Graurheindorfer Strasse 149a
  City:             Bonn
  State:            NRW
  ZIP:              53117
  URL:              www.src-gmbh.de

Scan Status
  Status: FAIL
  Number of unique components scanned: 1
  Number of Hosts not alive during scan: 0
  Number of identified failing vulnerabilities: 3
  Number of components found by Scanner but not scanned because scan customer confirmed components were out of scope: 0
  Date scan completed: 2015-08-25
  Scan expiration date (90 days from date scan completed): 2015-11-23

Scan Attestation
This scan and report was prepared and conducted by SRC Security Research & Consulting GmbH. SRC Security Research & Consulting GmbH attests that the Cyber Security scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, and 3) active scan interference. This report and any exceptions were reviewed by Holger von Rhein and Konstantin Pedan.

2015, SRC Security Research & Consulting GmbH
2015-08-25 Cyber Security Example Scan Page 2

Cyber Security Scan Report
Executive Summary

Part 1. Scan Information
  Scan Customer Company:   Example Name
  Scan Company:            SRC Security Research & Consulting GmbH
  Date scan was completed: 2015-08-25
  Scan expiration date:    2015-11-23

Part 2. Component Summary
  IP Address:   FAIL

Part 3a. Vulnerabilities Noted for each IP Address

IP Address:

Port  Vulnerabilities Noted per IP Address                                     Severity Level  CVSS Score  Status  Exceptions, False Positives, or Compensating Controls (Noted by the Scanner for this Vulnerability)
80    Slow HTTP POST vulnerability                                             MEDIUM          6.8         PASS    Vulnerability is not Cyber Security relevant.
80    Server accepts unnecessarily large POST request body                     MEDIUM          5           PASS    Vulnerability is not Cyber Security relevant.
      OpenSSH LoginGraceTime Denial of Service Vulnerability (CVE-2010-5107)   MEDIUM          5           PASS    Vulnerability is not Cyber Security relevant.
443   Cookie Does Not Contain The "secure" Attribute                           MEDIUM          4.3         FAIL    Automatic Failure: Session tokens have to be flagged as secure.
443   OpenSSL Use-After-Free Memory Corruption Vulnerability (CVE-2010-5298)   MEDIUM          4           FAIL
      Remote Access or Management Service Detected                             LOW             2.3         PASS
Part 3a. Vulnerabilities Noted for each IP Address

IP Address:

Port  Vulnerabilities Noted per IP Address                        Severity Level  CVSS Score  Status  Exceptions, False Positives, or Compensating Controls (Noted by the Scanner for this Vulnerability)
80    Links Discovered During User-Agent and Mobile Site Checks   LOW             2.3         PASS
80    List of Web Directories                                     LOW             0           FAIL    Automatic Failure: Direct access to database detected.
      Host Names Found                                            LOW             0           PASS
      ICMP Replies Received                                       LOW             0           PASS
      Open TCP Services List                                      LOW             0           PASS
      Open UDP Services List                                      LOW             0           PASS
22    SSH Banner                                                  LOW             0           PASS
80    Web Server Version                                          LOW             0           PASS

Consolidated Solution/Correction Plan for above IP Address:
  - Upgrade OpenSSH to a still supported major version and update/patch OpenSSH to the latest minor version of the chosen major version.
  - Restrict access to remote access or remote management services only to the system administrators or intended users of the system.
  - Audit the Open TCP services list and disable, remove or restrict any service which is not intended or not allowed to be available from the Internet. This should especially include database services or unencrypted remote console services.
  - Audit the Open UDP services list and disable, remove or restrict any service which is not intended or not allowed to be available from the Internet.

Details for all failing vulnerabilities can be found on the following pages.
Part 3b. Special Notes by IP Address

IP Address:

Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the Scanner and 2) confirm it is either implemented securely per Appendix C or disabled/removed. Please consult your Contact if you have questions about this Special Note.
  Item Noted (remote access software, POS software, etc.): SSH
  Scan customer's declaration that software is implemented securely (see next column if not implemented securely):
  Scan customer's description of actions taken to either: 1) remove the software or 2) implement security controls to secure the software:

Note to scan customer: Untypical service accessible to the internet. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the Scanner, or 2) confirm that it is disabled. Please consult your Contact if you have questions about this Special Note.
  Item Noted (remote access software, POS software, etc.): SSH, NTP
  Scan customer's declaration that software is implemented securely (see next column if not implemented securely):
  Scan customer's description of actions taken to either: 1) remove the software or 2) implement security controls to secure the software:
Systems not scanned, but found during Discovery [1]
Scan Report Vulnerability Details

Scan Information
  Scan Customer Company:   Example Name
  Scan Company:            SRC Security Research & Consulting GmbH
  Date scan was completed: 2015-08-25
  Scan expiration date:    2015-11-23

System: This system is running with 3 disadvantages.

Slow HTTP POST vulnerability
  Severity: MEDIUM        Status: PASS
  IP:                     Port: 80                Protocol: tcp
  Category: Potential     Subcategory: Web Application
  Internal ID: 150085     CVSS Base Score: 6.8    CVSS Temporal Score: 6.1
  Comment: This is a potential vulnerability. Please contact SRC in order to determine whether your system is affected by this vulnerability.

The web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server resources by maintaining open connections for an extended period of time by slowly sending traffic to the server. If the server keeps too many connections open at once, it may not be able to respond to new, legitimate connections. Unlike bandwidth-consumption DoS attacks, the "slow" attack does not require a large amount of traffic to be sent to the server, only that the client is able to maintain open connections for several minutes at a time.

The attack holds server connections open by sending properly crafted HTTP POST headers that contain a Content-Length header with a large value to inform the web server how much data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up server resources. By waiting for the complete request body, the server is helping clients with slow or intermittent connections to complete requests, but is also exposing itself to abuse. More information can be found in this presentation [2].

All other services remain intact but the web server itself becomes inaccessible.
would be server-specific, but general recommendations are:
  - limit the size of the acceptable request to each form's requirements
  - establish a minimal acceptable speed rate
  - establish an absolute request timeout for connections with POST requests

Server-specific details can be found here [3]. A tool that demonstrates this vulnerability in a more intrusive manner is available here [4].

[2] https://media.blackhat.com/bh-dc-11/brennan/blackhat_dc_2011_brennan_denial_service-slides.pdf
[3] https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
[4] http://code.google.com/p/slowhttptest/
url: http://www.example.com/
matched: Vulnerable to slow HTTP POST attack
Connection with partial POST body remained open for: 305162 milliseconds
Server accepts unnecessarily large POST request body
  Severity: MEDIUM          Status: PASS
  IP:                       Port: 80                Protocol: tcp
  Category: Informational   Subcategory: Web Application
  Internal ID: 150086       CVSS Base Score: 5

The web application scanner successfully sent a POST request with content type application/x-www-form-urlencoded and a 65536-byte body of random text data. Accepting request bodies of unnecessarily large size could help an attacker use fewer connections to achieve a Layer 7 DDoS of the web server. More information can be found here [5].

Could result in a successful application-level (Layer 7) DDoS attack.

Limit the size of the request body to each form's requirements. For example, a search form with a 256-char search field should not accept more than a 1KB value. Server-specific details can be found here [6].

Server responded 200 to an unnecessarily large random request body (over 64 KB) for URL http://www.example.com/, significantly increasing an attacker's chances to prolong a slow HTTP POST attack.

[5] https://media.blackhat.com/bh-dc-11/brennan/blackhat_dc_2011_brennan_denial_service-slides.pdf
[6] https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
OpenSSH LoginGraceTime Denial of Service Vulnerability
  Severity: MEDIUM        Status: PASS
  IP:                     Port:                   Protocol:
  Category: Potential     Subcategory: General remote services
  Internal ID: 42413      CVSS Base Score: 5      CVSS Temporal Score: 3.9
  CVE ID: CVE-2010-5107 [7]
  Comment: This is a potential vulnerability. Please contact SRC in order to determine whether your system is affected by this vulnerability.

OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. Default OpenSSH installations have an overly long LoginGraceTime and a lack of early connection release for MaxStartups settings. Remote unauthenticated attackers could bypass the LoginGraceTime and MaxStartups thresholds by intermittently transmitting a large number of new TCP connections to the targeted server. This could lead to connection slot exhaustion.

Affected Software: OpenSSH 6.1 and prior.

Successful exploitation could allow an unauthenticated remote attacker to cause the targeted server to stop responding to legitimate user queries, leading to a denial of service on the targeted server.

Customers are advised to upgrade to OpenSSH 6.2 [8] and apply the associated server configuration settings to remediate this vulnerability.

Patch: The following are links for downloading patches to fix the vulnerabilities: OpenSSH 6.2 [9]

ID: 42413 detected on port 22 over TCP - SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1

[7] http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-5107
[8] http://www.openssh.org/
[9] http://www.openssh.org/
Cookie Does Not Contain The "secure" Attribute
  Severity: MEDIUM          Status: FAIL
  IP:                       Port: 443               Protocol: tcp
  Category: Vulnerability   Subcategory: Web Application
  Internal ID: 150122       CVSS Base Score: 4.3

The cookie does not contain the "secure" attribute. Cookies with the "secure" attribute are only permitted to be sent via HTTPS. Session cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.

Flag the session cookie as secure. If the affected software is not self-developed, please contact SRC.

url: https://www.example.com/
matched: x5492c=5u8sh5cb8dq5g20ctiagss25l0; path=/; domain=www.example.com
OpenSSL Use-After-Free Memory Corruption Vulnerability
  Severity: MEDIUM        Status: FAIL
  IP:                     Port: 443               Protocol: tcp
  Category: Potential     Subcategory: General remote services
  Internal ID: 42431      CVSS Base Score: 4      CVSS Temporal Score: 3.4
  CVE ID: CVE-2010-5298 [10]
  Comment: This is a potential vulnerability. Please contact SRC in order to determine whether your system is affected by this vulnerability.

OpenSSL is an open source implementation of the SSL protocol that is used by a number of other projects. It is available for various platforms. OpenSSL is exposed to a remote memory corruption vulnerability which exists in the "ssl3_release_read_buffer" function of the "s3_pkt.c" source file.

Affected Versions: OpenSSL 1.0.0 up to 1.0.0l and OpenSSL 1.0.1 up to 1.0.1g.

If this vulnerability is successfully exploited, attackers can inject data from one connection into another.

There are no OpenSSL official patches available at this time. OpenSSL fixed this issue in the git source repository. Contact the vendor of your operating system for a patch.

ID: 42431 detected on port 443 over TCP - Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e

[10] http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-5298
Remote Access or Management Service Detected
  Severity: LOW             Status: PASS
  IP:                       Port:                   Protocol:
  Category: Informational   Subcategory: General remote services
  Internal ID: 42017        CVSS Base Score: 2.3

A remote access or remote management service was detected. If such a service is accessible to malicious users it can be used to carry out different types of attacks. Malicious users could try to brute force credentials or collect additional information on the service which could enable them in crafting further attacks. The Results section includes information on the remote access service that was found on the target. Services like Telnet, Rlogin, SSH, Windows Remote Desktop, pcAnywhere, Citrix Management Console, Remote Admin (RAdmin), VNC, OpenVPN and ISAKMP are checked.

s vary by the type of attack.

Expose the remote access or remote management services only to the system administrators or intended users of the system.

Service name: SSH on TCP port 22.
Links Discovered During User-Agent and Mobile Site Checks
  Severity: LOW             Status: PASS
  IP:                       Port: 80                Protocol: tcp
  Category: Informational   Subcategory: Web Application
  Internal ID: 150067       CVSS Base Score: 2.3

Links were discovered via requests using an alternate User-Agent or guessed based on common mobile device URI patterns. The scanner attempts to determine if the Web application changes its behavior when accessed by mobile devices. These checks are based on modifying the User-Agent, changing the domain name, and appending common directories. The extra links discovered by the Web application scanner during User-Agent manipulation are provided in the Results section.

The Web application should apply consistent security measures irrespective of the browser platform, type or version used to access the application. If the Web application fails to apply security controls to alternate representations of the site, then it may be exposed to vulnerabilities like cross-site scripting, SQL injection, or authorization-based attacks.

No specific vulnerability has been discovered that requires action to be taken. These links are provided to ensure that a review of the web application includes all possible access points.

Unique content discovered during user-agent and common mobile device specific subdomains and paths manipulation:
  User-Agent: Mozilla/5.0 (iphone; U; CPU iphone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5
    http://www.example.com/
  User-Agent: Opera/9.80 (IPhone; Opera Mini/5.0.019802/886; U; en) Presto/2.4.15
    http://www.example.com/
  User-Agent: BlackBerry9700/5.0.0.405 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/102
    http://www.example.com/
List of Web Directories
  Severity: LOW             Status: FAIL
  IP:                       Port: 80                Protocol: tcp
  Category: Informational   Subcategory: Web server
  Internal ID: 86672        CVSS Base Score: 0

Based largely on the HTTP reply code, the following directories are most likely present on the host.

Directory                      Source
/cgi-bin/                      brute force
/images/                       brute force
/login/                        brute force
/phpmyadmin/                   brute force
/cart/                         brute force
/search/                       brute force
/Cart/                         brute force
/content/                      brute force
/conf/                         brute force
/Content/                      brute force
/www/                          brute force
/installer/                    brute force
/content                       brute force
/Content                       brute force
/plugins/                      brute force
/cache/                        web page
/www/                          web page
/www/themes/                   web page
/www/themes/original/          web page
/www/themes/original/img/      web page
Host Names Found
  Severity: LOW             Status: PASS
  IP:                       Port:                   Protocol:
  Category: Informational   Subcategory: Information gathering
  Internal ID: 45039        CVSS Base Score: 0

The following host names were discovered for this computer using various methods such as DNS look up, NetBIOS query, and SQL server name query.

Host Name            Source
www.example.com      FQDN
ICMP Replies Received
  Severity: LOW             Status: PASS
  IP:                       Port:                   Protocol:
  Category: Informational   Subcategory: TCP/IP
  Internal ID: 82040        CVSS Base Score: 0

ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts. We have sent the following types of packets to trigger the host to send us ICMP replies:
  - Echo Request (to trigger Echo Reply)
  - Timestamp Request (to trigger Timestamp Reply)
  - Address Mask Request (to trigger Address Mask Reply)
  - UDP Packet (to trigger Port Unreachable Reply)
  - IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)

Listed in the Results section are the ICMP replies that we have received.
ICMP Reply Type                  Triggered By             Additional Information
Echo (type=0 code=0)             Echo Request             Echo Reply
Unreachable (type=3 code=3)      UDP Port 1027            Port Unreachable
Unreachable (type=3 code=3)      UDP Port 4781            Port Unreachable
Unreachable (type=3 code=3)      UDP Port 1               Port Unreachable
Unreachable (type=3 code=3)      UDP Port 51413           Port Unreachable
Unreachable (type=3 code=3)      UDP Port 20001           Port Unreachable
Unreachable (type=3 code=3)      UDP Port 7301            Port Unreachable
Unreachable (type=3 code=3)      UDP Port 31335           Port Unreachable
Time Stamp (type=14 code=0)      Time Stamp Request       08:08:58 GMT
Unreachable (type=3 code=3)      UDP Port 1031            Port Unreachable
Unreachable (type=3 code=3)      UDP Port 53001           Port Unreachable
Unreachable (type=3 code=3)      UDP Port 1028            Port Unreachable
Unreachable (type=3 code=2)      IP with High Protocol    Protocol Unreachable
Open TCP Services List
  Severity: LOW             Status: PASS
  IP:                       Port:                   Protocol:
  Category: Service         Subcategory: TCP/IP
  Internal ID: 82023        CVSS Base Score: 0

The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections. The Results section displays the port number (Port), the default service listening on the port (IANA Assigned Ports/Services), the description of the service (Description) and the service that the scanner detected using service discovery (Service Detected).

Unauthorized users can exploit this information to test vulnerabilities in each of the open services.

Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site [11].

Port   IANA Assigned Ports/Services   Description                     Service Detected   OS On Redirected Port
21     ftp                            File Transfer [Control]         unknown
22     ssh                            SSH Remote Login Protocol       ssh
80     www                            World Wide Web HTTP             http
443    https                          http protocol over TLS/SSL      http over ssl

[11] http://www.cert.org
Open UDP Services List
  Severity: LOW             Status: PASS
  IP:                       Port:                   Protocol:
  Category: Service         Subcategory: TCP/IP
  Internal ID: 82004        CVSS Base Score: 0

A port scanner was used to draw a map of all the UDP services on this host that can be accessed from the Internet. Note that if the host is behind a firewall, there is a small chance that the list includes a few ports that are filtered or blocked by the firewall but are not actually open on the target host. This (false positive on UDP open ports) may happen when the firewall is configured to reject UDP packets for most (but not all) ports with an ICMP Port Unreachable packet. This may also happen when the firewall is configured to allow UDP packets for most (but not all) ports through and filter/block/drop UDP packets for only a few ports. Both cases are uncommon.

Unauthorized users can exploit this information to test vulnerabilities in each of the open services.

Shut down any unknown or unused service on the list. If you have difficulty working out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site [12].

Port   IANA Assigned Ports/Services   Description               Service Detected
123    ntp                            Network Time Protocol     ntp

[12] http://www.cert.org
SSH Banner
  Severity: LOW             Status: PASS
  IP:                       Port: 22                Protocol: tcp
  Category: Service         Subcategory: General remote services
  Internal ID: 38050        CVSS Base Score: 0

SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1
Web Server Version
  Severity: LOW             Status: PASS
  IP:                       Port: 80                Protocol: tcp
  Category: Service         Subcategory: Web server
  Internal ID: 86000        CVSS Base Score: 0

Server Version                                        Server Banner
Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e    Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e