Nessus Scan Report
------------------

SUMMARY

 - Number of hosts which were alive during the test : 2
 - Number of security holes found : 29
 - Number of security warnings found : 27
 - Number of security notes found : 33

TESTED HOSTS

 192.168.2.4 (Security holes found)
 192.168.5.12 (Security holes found)

DETAILS

+ 192.168.2.4 :
 . List of open ports :
   o telnet (23/tcp) (Security warnings found)
   o loc-srv (135/tcp) (Security hole found)
   o netbios-ssn (139/tcp) (Security notes found)
   o microsoft-ds (445/tcp) (Security hole found)
   o listen (1025/tcp) (Security notes found)
   o general/tcp (Security warnings found)
   o netbios-ns (137/udp) (Security warnings found)
   o unknown (1026/udp) (Security notes found)
   o general/udp (Security notes found)
   o general/icmp (Security warnings found)

 . Warning found on port telnet (23/tcp)

    The Telnet service is running.
    This service is dangerous in the sense that it is not encrypted - that is,
    everyone can sniff the data that passes between the telnet client and the
    telnet server. This includes logins and passwords.

    You should disable this service and use OpenSSH instead. (www.openssh.com)

    Solution : Comment out the 'telnet' line in /etc/inetd.conf.
    Note that the banner below identifies a Windows telnet server (NTLM
    authentication only), so on this host the inetd.conf advice does not
    apply: stop and disable the Telnet service in the Services console instead.
    Risk factor : Low
    CVE : CAN-1999-0619

 . Information found on port telnet (23/tcp)

    A telnet server seems to be running on this port

 . Information found on port telnet (23/tcp)

    Remote telnet banner :
    Server allows NTLM authentication only
    Server has closed connection

 . Vulnerability found on port loc-srv (135/tcp) :

    The remote host is running a version of Windows which has a flaw in
    its RPC interface, which may allow an attacker to execute arbitrary code
    and gain SYSTEM privileges.

    An attacker or a worm could use it to gain control of this host.

    Note that this is NOT the same bug as the one described in MS03-026,
    which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

    Solution : see http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
    Risk factor : High
    CVE : CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
    BID : 8458

 . Vulnerability found on port loc-srv (135/tcp) :

    The remote host is running a version of Windows which has a flaw in
    its RPC interface, which may allow an attacker to execute arbitrary code
    and gain SYSTEM privileges.

    Solution : see http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
    Risk factor : Serious
    CVE : CAN-2003-0352
    BID : 8205

 . Warning found on port loc-srv (135/tcp)

    DCE services running on the remote host can be enumerated by connecting
    on port 135 and doing the appropriate queries.

    An attacker may use this fact to gain more knowledge about the remote host.

    Solution : filter incoming traffic to this port.
    Risk factor : Low

 . Information found on port netbios-ssn (139/tcp)

    An SMB server is running on this port

 . Vulnerability found on port microsoft-ds (445/tcp) :

    It was possible to log into the remote host using a NULL session.
    The concept of a NULL session is to provide a null username and
    a null password, which grants the user 'guest' access.

    To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
    Q246261 (Windows 2000).
    Note that this won't completely disable null sessions, but will
    prevent them from connecting to IPC$
    Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

    All the smb tests will be done as ''/'' in domain ARBEITSGRUPPE

    CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222

 . Warning found on port microsoft-ds (445/tcp)

    The host SID can be obtained remotely. Its value is :

    WIN2KSERVERIII : 5-21-606747145-813497703-839522115

    An attacker can use it to obtain the list of the local users of this host

    Solution : filter the ports 137 to 139 and 445
    Risk factor : Low
    CVE : CVE-2000-1200
    BID : 959

 . Warning found on port microsoft-ds (445/tcp)

    The host SID could be used to enumerate the names of the local users
    of this host.
    (we only enumerated user names whose ID is between 1000 and 1200
    for performance reasons)

    This gives extra knowledge to an attacker, which is not a good thing :
    - Administrator account name : Administrator (id 500)
    - Guest account name : Gast (id 501)

    Risk factor : Medium
    Solution : filter incoming connections to this port
    CVE : CVE-2000-1200
    BID : 959

 . Warning found on port microsoft-ds (445/tcp)

    The following local accounts have never logged in :

    Gast

    Unused accounts are very helpful to an attacker

    Solution : suppress these accounts
    Risk factor : Medium

 . Warning found on port microsoft-ds (445/tcp)

    The following local accounts have passwords which never expire :

    Administrator
    Gast

    Passwords should have a limited lifetime

    Solution : disable password non-expiry
    Risk factor : Medium

 . Information found on port microsoft-ds (445/tcp)

    A CIFS server is running on this port

 . Information found on port microsoft-ds (445/tcp)

    The following local accounts are disabled :

    Gast

    To minimize the risk of break-in, permanently disabled accounts
    should be deleted
    Risk factor : Low

 . Information found on port listen (1025/tcp)

    Here is the list of DCE services running on this port:

    UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
    Endpoint: ncacn_ip_tcp:192.168.2.4[1025]

    UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
    Endpoint: ncacn_ip_tcp:192.168.2.4[1025]

 . Warning found on port general/tcp

    The remote host does not discard TCP SYN packets which
    have the FIN flag set.

    Depending on the kind of firewall you are using, an
    attacker may use this flaw to bypass its rules.

    See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
               http://www.kb.cert.org/vuls/id/464113

    Solution : Contact your vendor for a patch
    Risk factor : Medium
    BID : 7487

 . Warning found on port general/tcp

    The remote host uses non-random IP IDs, that is, it is
    possible to predict the next value of the ip_id field of
    the ip packets sent by this host.

    An attacker may use this feature to determine if the remote
    host sent a packet in reply to another request. This may be
    used for portscanning and other things.

    Solution : Contact your vendor for a patch
    Risk factor : Low

 . Information found on port general/tcp

    Remote OS guess : Windows Millennium Edition (Me), Win 2000, or WinXP

    CVE : CAN-1999-0454

 . Warning found on port netbios-ns (137/udp)

    The following 6 NetBIOS names have been gathered :

    WIN2KSERVERIII
    ARBEITSGRUPPE = Workgroup / Domain name
    WIN2KSERVERIII
    ARBEITSGRUPPE = Workgroup / Domain name (part of the Browser elections)
    ARBEITSGRUPPE
    __MSBROWSE__

    The remote host has the following MAC address on its adapter :
    0x00 0x50 0x56 0x40 0x00 0x5e
    (the 00:50:56 prefix is a VMware OUI, so this is very likely a
    virtual machine)

    If you do not want to allow everyone to find the NetBios name
    of your computer, you should filter incoming traffic to this port.

    Risk factor : Medium
    CVE : CAN-1999-0621

 . Warning found on port netbios-ns (137/udp)

    The remote host is running a version of the NetBT name
    service which suffers from a memory disclosure problem.

    An attacker may send a special packet to the remote NetBT name
    service, and the reply will contain random arbitrary data from
    the remote host memory. This arbitrary data may be a fragment from
    the web page the remote user is viewing, or something more serious
    like a POP password or anything else.

    An attacker may use this flaw to continuously 'poll' the content
    of the memory of the remote host and might be able to obtain
    sensitive information.

    Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-034.asp
    Risk Factor : Medium
    CVE : CAN-2003-0661
    BID : 8532

 . Information found on port unknown (1026/udp)

    Here is the list of DCE services running on this port:

    UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
    Endpoint: ncadg_ip_udp:192.168.2.4[1026]
    Annotation: Messenger Service

 . Information found on port general/udp

    For your information, here is the traceroute to 192.168.2.4 :
    10.0.0.1
    10.0.0.100
    192.168.2.4
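The netbios-ns (137/udp) warning above is the result of a NetBIOS node status (NBSTAT) query: the same packet nbtstat -A sends. The following Python is an added illustration, not part of the Nessus report or of Nessus itself; it builds that query, parses a node status reply into the name/suffix/group triples and adapter MAC that the report prints, and feeds itself a constructed reply that mirrors the six names and MAC address listed above (the suffixes <00>/<20>/<1E>/<1D>/<01> and the exact flag values in the sample are assumptions, not something the report states).

```python
import struct

NBNS_PORT = 137
NBSTAT_TYPE = 0x0021          # NODE STATUS resource record type (RFC 1002)
GROUP_FLAG = 0x8000           # NAME_FLAGS bit 15: group name (else unique)
ACTIVE_FLAG = 0x0400          # NAME_FLAGS: name is active
# Well-known suffix/role pairs, mirroring the annotations the report prints.
ROLES = {
    (0x00, False): "Workstation",
    (0x00, True):  "Workgroup / Domain name",
    (0x20, False): "File server",
    (0x1E, True):  "Workgroup / Domain name (part of the Browser elections)",
    (0x1D, False): "Master browser",
    (0x01, True):  "Master browser (__MSBROWSE__)",
}

def first_level_encode(raw16: bytes) -> bytes:
    """RFC 1001 first-level encoding: each of the 16 name bytes becomes two
    ASCII letters ('A' + high nibble, 'A' + low nibble) in one 32-byte label."""
    assert len(raw16) == 16
    label = bytes(0x41 + n for b in raw16 for n in (b >> 4, b & 0x0F))
    return bytes([len(label)]) + label + b"\x00"

def build_node_status_request(txid: int = 0x1234) -> bytes:
    """NBSTAT query for the wildcard name '*' (NUL-padded), one question, no flags."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = first_level_encode(b"*" + b"\x00" * 15)
    return header + qname + struct.pack(">HH", NBSTAT_TYPE, 0x0001)

def build_node_status_response(txid: int, names, mac: bytes) -> bytes:
    """Constructed sample reply (not a capture). names = [(name, suffix, is_group)]."""
    entries = b"".join(
        name.encode("latin-1").ljust(15, b" ") + bytes([suffix])
        + struct.pack(">H", (GROUP_FLAG if group else 0) | ACTIVE_FLAG)
        for name, suffix, group in names)
    stats = mac + b"\x00" * 40                    # unit id (MAC) + zeroed statistics
    rdata = bytes([len(names)]) + entries + stats
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)   # response, AA, 1 answer
    rr = first_level_encode(b"*" + b"\x00" * 15) + struct.pack(">HHIH", NBSTAT_TYPE, 1, 0, len(rdata))
    return header + rr + rdata

def parse_node_status_response(data: bytes) -> dict:
    """Return the registered names and adapter MAC from a NODE STATUS reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response")
    off = 12
    while data[off]:                              # skip the encoded answer name labels
        off += 1 + data[off]
    off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError(f"unexpected RR type 0x{rtype:04x}")
    rdata = data[off:off + rdlen]
    count, pos, names = rdata[0], 1, []
    for _ in range(count):                        # 18-byte entries: 15 name + suffix + flags
        raw, suffix = rdata[pos:pos + 15], rdata[pos + 15]
        nflags = struct.unpack_from(">H", rdata, pos + 16)[0]
        group = bool(nflags & GROUP_FLAG)
        shown = "".join(c for c in raw.decode("latin-1") if c.isprintable()).rstrip()
        names.append({"name": shown, "suffix": suffix, "group": group,
                      "role": ROLES.get((suffix, group), "unknown")})
        pos += 18
    mac = rdata[pos:pos + 6]                      # first field of the statistics block
    return {"txid": txid, "names": names, "mac": ":".join(f"{b:02x}" for b in mac)}

# Constructed sample mirroring the six names and the MAC address in the report.
SAMPLE_NAMES = [
    ("WIN2KSERVERIII", 0x00, False), ("ARBEITSGRUPPE", 0x00, True),
    ("WIN2KSERVERIII", 0x20, False), ("ARBEITSGRUPPE", 0x1E, True),
    ("ARBEITSGRUPPE", 0x1D, False), ("\x01\x02__MSBROWSE__\x02", 0x01, True),
]
SAMPLE_MAC = bytes.fromhex("00505640005e")

def demo() -> dict:
    """Parse the constructed sample reply (offline)."""
    return parse_node_status_response(build_node_status_response(0x1234, SAMPLE_NAMES, SAMPLE_MAC))

if __name__ == "__main__":
    import socket, sys
    if len(sys.argv) > 1:                         # live query: python nbstat.py 192.168.2.4
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(2)
        s.sendto(build_node_status_request(), (sys.argv[1], NBNS_PORT))
        info = parse_node_status_response(s.recv(1024))
    else:
        info = demo()
    for n in info["names"]:
        print(f"{n['name']:<16} <{n['suffix']:02X}> {'GROUP ' if n['group'] else 'UNIQUE'} {n['role']}")
    print("MAC", info["mac"])
```

Run without arguments it decodes the constructed sample; with a host argument it sends the real query to 137/udp. A host that answers this query without authentication is exactly what the warning describes, and the MAC in the statistics block is returned whether or not the names are filtered elsewhere.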
 . Warning found on port general/icmp

    The remote host answers to an ICMP timestamp request. This allows an attacker
    to know the date which is set on your machine.

    This may help him to defeat all your time based authentication protocols.

    Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
    timestamp replies (14).

    Risk factor : Low
    CVE : CAN-1999-0524

+ 192.168.5.12 :
 . List of open ports :
   o telnet (23/tcp) (Security warnings found)
   o ssh (22/tcp) (Security hole found)
   o ftp (21/tcp) (Security hole found)
   o smtp (25/tcp) (Security hole found)
   o finger (79/tcp) (Security warnings found)
   o sunrpc (111/tcp) (Security notes found)
   o shell (514/tcp) (Security warnings found)
   o login (513/tcp) (Security warnings found)
   o submission (587/tcp) (Security hole found)
   o kdm (1024/tcp) (Security notes found)
   o sunrpc (111/udp) (Security notes found)
   o unknown (1024/udp) (Security warnings found)
   o blackjack (1025/udp) (Security hole found)
   o general/tcp (Security warnings found)
   o general/icmp (Security hole found)
   o general/udp (Security notes found)

 . Warning found on port telnet (23/tcp)

    The Telnet service is running.
    This service is dangerous in the sense that it is not encrypted - that is,
    everyone can sniff the data that passes between the telnet client and the
    telnet server. This includes logins and passwords.

    You should disable this service and use OpenSSH instead. (www.openssh.com)

    Solution : Comment out the 'telnet' line in /etc/inetd.conf.
    (The banner below identifies Red Hat Linux 7.0, which manages this
    service through xinetd: set "disable = yes" in /etc/xinetd.d/telnet
    and restart xinetd instead.)
    Risk factor : Low
    CVE : CAN-1999-0619

 . Information found on port telnet (23/tcp)

    A telnet server seems to be running on this port

 . Information found on port telnet (23/tcp)

    Remote telnet banner :
    Red Hat Linux release 7.0 (Guinness)
    Kernel 2.2.16-22 on an i686
    login:

    Note that the banner itself discloses the distribution release and
    kernel version to anyone who connects.

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of OpenSSH which is older than 3.0.1.

    Versions older than 3.0.1 are vulnerable to a flaw in which
    an attacker may authenticate, provided that Kerberos V support
    has been enabled (which is not the case by default).

    It is also vulnerable to an excessive memory clearing bug,
    believed to be unexploitable.

    *** You may ignore this warning if this host is not using
    *** Kerberos V

    Solution : Upgrade to OpenSSH 3.0.1
    Risk factor : Low (if you are not using Kerberos) or High (if kerberos is enabled)
    CVE : CVE-2002-0083
    BID : 3560, 4560, 4241

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of OpenSSH which is older than 2.1.1.

    If the UseLogin option is enabled, then sshd does not switch to the
    uid of the user logging in. Instead, sshd relies on login(1) to do
    the job. However, if the user specifies a command for remote
    execution, login(1) cannot be used and sshd fails to set the
    correct user id, so the command is run with the same privilege
    as sshd (usually root privileges).

    *** Note that Nessus did not determine whether the UseLogin
    *** option was activated or not, so this message may
    *** be a false alarm

    Solution : Upgrade to OpenSSH 2.1.1 or make sure that the option
    UseLogin is set to no in sshd_config
    Risk factor : High
    CVE : CVE-2000-0525
    BID : 1334

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of OpenSSH which is older than 3.4

    There is a flaw in this version that can be exploited remotely to
    give an attacker a shell on this host.

    Note that several distributions patched this hole without changing
    the version number of OpenSSH. Since Nessus solely relied on the
    banner of the remote SSH server to perform this check, this might
    be a false positive.

    If you are running a RedHat host, make sure that the command :
          rpm -q openssh-server
    Returns :
          openssh-server-3.1p1-6

    Solution : Upgrade to OpenSSH 3.4 or contact your vendor for a patch
    Risk factor : High
    CVE : CVE-2002-0639, CVE-2002-0640
    BID : 5093

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of OpenSSH which is older than 3.0.2.

    Versions prior to 3.0.2 are vulnerable to an environment
    variables export that can allow a local user to execute
    commands with root privileges.

    This problem affects only versions prior to 3.0.2, and only
    when the UseLogin feature is enabled (usually disabled by default)

    Solution : Upgrade to OpenSSH 3.0.2 or apply the patch for
    prior versions. (Available at: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH)
    Risk factor : High (If UseLogin is enabled, and locally)
    CVE : CVE-2001-0872
    BID : 3614

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of OpenSSH which is older than 3.7.1

    Versions older than 3.7.1 are vulnerable to a flaw in the buffer
    management functions which might allow an attacker to execute
    arbitrary commands on this host.

    An exploit for this issue is rumored to exist.

    Note that several distributions patched this hole without changing
    the version number of OpenSSH. Since Nessus solely relied on the
    banner of the remote SSH server to perform this check, this might
    be a false positive.

    If you are running a RedHat host, make sure that the command :
          rpm -q openssh-server
    Returns :
          openssh-server-3.1p1-13 (RedHat 7.x)
          openssh-server-3.4p1-7  (RedHat 8.0)
          openssh-server-3.5p1-11 (RedHat 9)

    Solution : Upgrade to OpenSSH 3.7.1
    See also : http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
               http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
    Risk factor : High
    CVE : CAN-2003-0693, CAN-2003-0695
    BID : 8628

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of OpenSSH which is older than 3.1.

    Versions prior to 3.1 are vulnerable to an off-by-one error that
    allows local users to gain root access, and it may be possible for
    remote users to similarly compromise the daemon for remote access.

    In addition, a vulnerable SSH client may be compromised by connecting
    to a malicious SSH daemon that exploits this vulnerability in the
    client code, thus compromising the client system.

    Solution : Upgrade to OpenSSH 3.1 or apply the patch for prior
    versions. (See: http://www.openssh.org)
    Risk factor : High
    CVE : CVE-2002-0083
    BID : 4241

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of SSH which is older than version 1.2.32,
    or a version of OpenSSH which is older than 2.3.0.

    This version is vulnerable to a flaw which allows an attacker to
    gain a root shell on this host.

    Solution : Upgrade to version 1.2.32 of SSH which solves this problem,
    or to version 2.3.0 of OpenSSH
    More information: http://www.core-sdi.com/advisories/ssh1_deattack.htm
    Risk factor : High
    CVE : CVE-2001-0144
    BID : 2347

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of OpenSSH older than OpenSSH 3.2.1

    A buffer overflow exists in the daemon if AFS is enabled on
    your system, or if the options KerberosTgtPassing or
    AFSTokenPassing are enabled. Even in this scenario, the
    vulnerability may be avoided by enabling UsePrivilegeSeparation.

    Versions prior to 2.9.9 are vulnerable to a remote root exploit.
    Versions prior to 3.2.1 are vulnerable to a local root exploit.

    Solution : Upgrade to the latest version of OpenSSH
    Risk factor : High
    CVE : CVE-2002-0575
    BID : 4560

 . Warning found on port ssh (22/tcp)

    You are running OpenSSH-portable 3.6.1 or older.

    There is a flaw in this version which may allow an attacker to
    bypass the access controls set by the administrator of this server.

    OpenSSH features a mechanism which can restrict the list of
    hosts a given user can log in from by specifying a pattern
    in the user key file (ie: *.mynetwork.com would let a user
    connect only from the local network).

    However there is a flaw in the way OpenSSH does reverse DNS lookups.
    If an attacker configures his DNS server to send a numeric IP address
    when a reverse lookup is performed, he may be able to circumvent
    this mechanism.

    Solution : Upgrade to OpenSSH 3.6.2 when it comes out
    Risk Factor : Low
    CVE : CAN-2003-0386
    BID : 7831

 . Warning found on port ssh (22/tcp)

    You are running SSH protocol version 1.5.

    This version allows a remote attacker to decrypt and/or alter
    traffic via an attack on PKCS#1 version 1.5 known as a
    Bleichenbacher attack.

    OpenSSH up to version 2.3.0, AppGate, and SSH Communications
    Security ssh-1 up to version 1.2.31 have the vulnerability present,
    although it may not be exploitable due to configurations.

    Solution : Patches and new versions are available from SSH/OpenSSH.
    Risk factor : Low
    CVE : CVE-2001-0361
    BID : 2344

 . Warning found on port ssh (22/tcp)

    The remote SSH daemon supports connections made
    using the version 1.33 and/or 1.5 of the SSH protocol.

    These protocols are not completely cryptographically
    safe so they should not be used.

    Solution :
    If you use OpenSSH, set the option 'Protocol' to '2'
    If you use SSH.com's, set the option 'Ssh1Compatibility' to 'no'

    Risk factor : Low

 . Warning found on port ssh (22/tcp)

    You are running OpenSSH SSH client before 2.3.0.

    This version does not properly disable X11 or agent forwarding,
    which could allow a malicious SSH server to gain access to the
    X11 display and sniff X11 events, or gain access to the ssh-agent.

    Solution : Patches and new versions are available from OpenSSH.
    Risk factor : Medium
    CVE : CVE-2000-1169
    BID : 1949

 . Information found on port ssh (22/tcp)

    An ssh server is running on this port

 . Information found on port ssh (22/tcp)

    Remote SSH version : SSH-1.99-OpenSSH_2.1.1

    Every "older than" OpenSSH finding above was derived from this one
    banner string; confirm the installed package version before treating
    them as confirmed.

 . Information found on port ssh (22/tcp)

    The remote SSH daemon supports the following versions of the
    SSH protocol :

      . 1.33
      . 1.5
      . 1.99
      . 2.0

 . Vulnerability found on port ftp (21/tcp) :

    The remote Wu-FTPd server seems to be vulnerable to an off-by-one
    overflow when dealing with huge directory structures.

    An attacker may exploit this flaw to obtain a shell on this host.

    *** Nessus solely relied on the banner of the remote server
    *** to issue this warning, so it may be a false positive.
    *** Since Wu-FTPd 2.6.3 has not been released yet and only
    *** patches are available to fix this issue, this might be
    *** a false positive.

    Solution : Upgrade to Wu-FTPd 2.6.3 when available or apply the
    patches available at http://www.wu-ftpd.org
    Risk Factor : High
    CVE : CAN-2003-0466
    BID : 8315

 . Vulnerability found on port ftp (21/tcp) :

    You seem to be running an FTP server which is vulnerable to the
    'glob heap corruption' flaw.

    An attacker may use this problem to execute arbitrary commands
    on this host.

    *** Nessus relied solely on the banner of the server to issue this warning,
    *** so this alert might be a false positive
    *** NOTE: must have a valid username/password to fully check this vulnerability

    Solution : Upgrade your ftp server software to the latest version.
    Risk factor : High
    CVE : CAN-2001-0249, CVE-2001-0550
    BID : 2550, 3581

 . Warning found on port ftp (21/tcp)

    This FTP service allows anonymous logins. If you do not want to share
    data with anyone you do not know, then you should deactivate the
    anonymous account, since it may only cause trouble.

    The content of the remote FTP root is :
    total 16
    d--x--x--x   2 root     root         4096 Oct  5  2002 bin
    d--x--x--x   2 root     root         4096 Oct  5  2002 etc
    drwxr-xr-x   2 root     root         4096 Oct  5  2002 lib
    drwxr-sr-x   2 root     ftp          4096 Aug 17  2000 pub

    Risk factor : Low
    CVE : CAN-1999-0497

 . Information found on port ftp (21/tcp)

    An FTP server is running on this port.
    Here is its banner :
    220 sauron.evil.com FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.

 . Information found on port ftp (21/tcp)

    Remote FTP server banner :
    220 sauron.evil.com FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.

 . Vulnerability found on port smtp (25/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a remote buffer overflow allowing remote
    users to gain root privileges.

    Sendmail versions from 5.79 to 8.12.7 are vulnerable.

    Solution : Upgrade to Sendmail ver 8.12.8 or greater or
    if you cannot upgrade, apply patches for 8.10-12 here:
    http://www.sendmail.org/patchcr.html

    NOTE: manual patches do not change the version numbers.
    Vendors who have released patched versions of sendmail
    may still falsely show vulnerability.

    *** Nessus reports this vulnerability using only
    *** the banner of the remote SMTP server. Therefore,
    *** this might be a false positive.

    see http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
        http://www.cert.org/advisories/CA-2003-07.html
        http://www.kb.cert.org/vuls/id/398025

    Risk factor : High
    CVE : CAN-2002-1337
    BID : 6991

 . Vulnerability found on port smtp (25/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a buffer overflow in its DNS handling code.

    The owner of a malicious name server could use this flaw to
    execute arbitrary code on this host.

    Solution : Upgrade to Sendmail 8.12.5
    Risk factor : High
    CVE : CVE-2002-0906
    BID : 5122

 . Vulnerability found on port smtp (25/tcp) :

    smrsh (supplied by Sendmail) is designed to prevent the execution of
    commands outside of the restricted environment. However, when commands
    are entered using either double pipes (||) or a mixture of dot and
    slash characters, a user may be able to bypass the checks performed
    by smrsh. This can lead to the execution of commands outside of the
    restricted environment.

    Solution : upgrade to the latest version of Sendmail (or at least 8.12.8).
    Risk factor : Medium
    CVE : CAN-2002-1165
    BID : 5845

 . Vulnerability found on port smtp (25/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a local buffer overflow allowing local
    users to gain root privileges.

    Solution : Upgrade to Sendmail 8.12beta19 or 8.11.6
    Risk factor : High (Local) / None (remote with no account)
    CVE : CVE-2001-0653
    BID : 3163

 . Vulnerability found on port smtp (25/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to the -bt overflow attack which allows any
    local user to execute arbitrary commands as root.

    Solution : upgrade to the latest version of Sendmail
    Risk factor : High
    Note : This vulnerability is _local_ only

 . Vulnerability found on port smtp (25/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a remote buffer overflow allowing remote
    users to gain root privileges.

    Sendmail versions from 5.79 to 8.12.8 are vulnerable.

    Solution : Upgrade to Sendmail ver 8.12.9 or greater or
    if you cannot upgrade, apply patches for 8.10-12 here:
    http://www.sendmail.org/patchps.html

    NOTE: manual patches do not change the version numbers.
    Vendors who have released patched versions of sendmail
    may still falsely show vulnerability.

    *** Nessus reports this vulnerability using only
    *** the banner of the remote SMTP server. Therefore,
    *** this might be a false positive.

    Risk factor : High
    CVE : CAN-2003-0161
    BID : 7230

 . Vulnerability found on port smtp (25/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a remote buffer overflow allowing remote
    users to gain root privileges.

    Sendmail versions from 5.79 to 8.12.9 are vulnerable.

    Solution : Upgrade to Sendmail ver 8.12.10.
    See also : http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html

    NOTE: manual patches do not change the version numbers.
    Vendors who have released patched versions of sendmail
    may still falsely show vulnerability.

    *** Nessus reports this vulnerability using only
    *** the banner of the remote SMTP server. Therefore,
    *** this might be a false positive.

    Risk factor : High
    CVE : CAN-2003-0694
    BID : 8641

 . Warning found on port smtp (25/tcp)

    The remote SMTP server answers to the EXPN and/or VRFY commands.

    The EXPN command can be used to find the delivery address of mail
    aliases, or even the full name of the recipients, and the VRFY
    command may be used to check the validity of an account.

    Your mailer should not allow remote users to use any of these
    commands, because it gives them too much information.

    Solution : if you are using Sendmail, add the option :
          O PrivacyOptions=goaway
    in /etc/sendmail.cf.

    Risk factor : Low
    CVE : CAN-1999-0531

 . Warning found on port smtp (25/tcp)

    According to the version number of the remote mail server,
    a local user may be able to obtain the complete mail configuration
    and other interesting information about the mail queue even if
    he is not allowed to access that information directly, by
    running
          sendmail -q -d0-nnnn.xxx
    where nnnn & xxx are debugging levels.

    If users are not allowed to process the queue (which is the default)
    then you are not vulnerable.

    Solution : upgrade to the latest version of Sendmail or
    do not allow users to process the queue (RestrictQRun option)
    Risk factor : Very low / none
    Note : This vulnerability is _local_ only
    CVE : CAN-2001-0715
    BID : 3898

 . Information found on port smtp (25/tcp)

    An SMTP server is running on this port
    Here is its banner :
    220 sauron.evil.com ESMTP Sendmail 8.11.0/8.11.0; Wed, 12 Nov 2003 03:45:01 +0100

 . Information found on port smtp (25/tcp)

    Remote SMTP server banner :
    220 sauron.evil.com ESMTP Sendmail 8.11.0/8.11.0; Wed, 12 Nov 2003 03:45:08 +0100

    This is probably: Sendmail version 8.11.0

 . Information found on port smtp (25/tcp)

    This server could be fingerprinted as being Sendmail 8.10.1
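The OpenSSH (22/tcp), Wu-FTPd (21/tcp) and Sendmail (25/tcp) findings above share one weakness, which the report itself flags repeatedly: they compare a version string scraped from the service banner against a list of "older than X" thresholds, and distributions that backport fixes leave the banner unchanged. The Python below is an added example, not code from Nessus or from this report; it reproduces that banner comparison for the three banners the report captured, using the thresholds quoted in the findings, and pairs it with the follow-up check the report recommends: comparing the output of `rpm -q openssh-server` against the patched package release it names. The `rpm_vercmp` here is a simplified rpmvercmp (numeric segments compared numerically, alphabetic ones lexically), sufficient for the version strings on this page.

```python
import re

# Thresholds copied from this report's banner-based findings: a banner version
# strictly below the first element fires the finding labelled by the second.
OPENSSH_THRESHOLDS = [
    ("2.1.1", "CVE-2000-0525 UseLogin uid handling"),
    ("2.3.0", "CVE-2001-0144 deattack / CVE-2000-1169 / CVE-2001-0361"),
    ("3.0.1", "CVE-2002-0083 Kerberos V authentication"),
    ("3.0.2", "CVE-2001-0872 UseLogin environment export"),
    ("3.1",   "CVE-2002-0083 off-by-one"),
    ("3.2.1", "CVE-2002-0575 AFS/Kerberos token passing"),
    ("3.4",   "CVE-2002-0639, CVE-2002-0640 remote shell"),
    ("3.6.2", "CAN-2003-0386 reverse DNS access control bypass"),
    ("3.7.1", "CAN-2003-0693, CAN-2003-0695 buffer management"),
]
SENDMAIL_THRESHOLDS = [
    ("8.11.6",  "CVE-2001-0653 local buffer overflow"),
    ("8.12.5",  "CVE-2002-0906 DNS handling overflow"),
    ("8.12.8",  "CAN-2002-1337 header parsing / CAN-2002-1165 smrsh bypass"),
    ("8.12.9",  "CAN-2003-0161 remote overflow"),
    ("8.12.10", "CAN-2003-0694 remote overflow"),
]
WUFTPD_THRESHOLDS = [("2.6.3", "CAN-2003-0466 off-by-one (fixed only by patches at scan time)")]

BANNER_PATTERNS = [
    (re.compile(r"OpenSSH[_-](\d[\w.]*)"), "openssh", OPENSSH_THRESHOLDS),
    (re.compile(r"Sendmail (\d[\w.]*)"),   "sendmail", SENDMAIL_THRESHOLDS),
    (re.compile(r"wu-(\d[\w.]*)"),         "wu-ftpd", WUFTPD_THRESHOLDS),
]

def version_key(v: str) -> tuple:
    """Numeric dotted prefix only: '3.1p1' -> (3, 1), '8.12beta19' -> (8, 12)."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

def version_lt(a: str, b: str) -> bool:
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))

def banner_findings(banner: str):
    """(product, version, [triggered thresholds]) for a captured banner line."""
    for pat, product, thresholds in BANNER_PATTERNS:
        m = pat.search(banner)
        if m:
            ver = m.group(1)
            return product, ver, [f"older than {t}: {label}"
                                  for t, label in thresholds if version_lt(ver, t)]
    return None, None, []

def rpm_segments(s: str):
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1/0/1 comparing segments left to right."""
    sa, sb = rpm_segments(a), rpm_segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():      # numeric segment outranks alphabetic
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def rpm_is_patched(installed_nvr: str, patched_nvr: str) -> bool:
    """True when `rpm -q <pkg>` output is at or above the NVR the report names."""
    n1, v1, r1 = installed_nvr.rsplit("-", 2)
    n2, v2, r2 = patched_nvr.rsplit("-", 2)
    if n1 != n2:
        raise ValueError("different packages")
    c = rpm_vercmp(v1, v2)
    return c > 0 or (c == 0 and rpm_vercmp(r1, r2) >= 0)

# Banners captured in this report (the OpenSSH_3.7.1p2 line is a constructed contrast).
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_2.1.1",
    "220 sauron.evil.com FTP server (Version wu-2.6.1(1) Wed Aug 9 05:54:50 EDT 2000) ready.",
    "220 sauron.evil.com ESMTP Sendmail 8.11.0/8.11.0; Wed, 12 Nov 2003 03:45:01 +0100",
    "SSH-2.0-OpenSSH_3.7.1p2",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        product, ver, hits = banner_findings(b)
        print(f"{product} {ver}: {len(hits)} banner-based finding(s)")
        for h in hits:
            print("   ", h)
    # The report's own follow-up for Red Hat 7.x: is the installed rpm at the patched release?
    print(rpm_is_patched("openssh-server-3.1p1-6", "openssh-server-3.1p1-13"))   # False
```

The rpm check is the one that matters on a host like this one: a Red Hat 7.x system at openssh-server-3.1p1-13 still announces OpenSSH_3.1p1 and would trip four of the thresholds above while being patched for the buffer-management bug, which is precisely the false positive the findings warn about.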
 . Information found on port smtp (25/tcp)

    For some reason, we could not send the EICAR test string to this MTA

 . Warning found on port finger (79/tcp)

    The 'finger' service provides useful information to attackers, since it
    allows them to gain usernames, check if a machine is being used, and so on...

    Here is the output we obtained for 'root' :

    Login: root                             Name: root
    Directory: /root                        Shell: /bin/bash
    Last login Sat Nov  1 08:09 (CET) on tty1
    No mail.
    No Plan.

    Solution : comment out the 'finger' line in /etc/inetd.conf
    Risk factor : Low
    CVE : CVE-1999-0612

 . Information found on port finger (79/tcp)

    A finger server seems to be running on this port

 . Information found on port sunrpc (111/tcp)

    The RPC portmapper is running on this port.

    An attacker may use it to enumerate your list
    of RPC services. We recommend you filter traffic
    going to this port.

    Risk factor : Low
    CVE : CAN-1999-0632, CVE-1999-0189
    BID : 205

 . Information found on port sunrpc (111/tcp)

    RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

 . Warning found on port shell (514/tcp)

    The rsh service is running.
    This service is dangerous in the sense that it is not encrypted - that is,
    everyone can sniff the data that passes between the rsh client and the
    rsh server. This includes logins and passwords.

    You should disable this service and use ssh instead.

    Solution : Comment out the 'rsh' line in /etc/inetd.conf.
    Risk factor : Low
    CVE : CAN-1999-0651

 . Warning found on port login (513/tcp)

    The remote host is running the 'rlogin' service, a remote login
    daemon which allows people to log in to this host and obtain an
    interactive shell.

    This service is dangerous in the sense that it is not encrypted - that is,
    everyone can sniff the data that passes between the rlogin client and the
    rlogin server, which includes logins and passwords as well as the commands
    executed by the remote host.

    You should disable this service and use openssh instead (www.openssh.com)

    Solution : Comment out the 'login' line in /etc/inetd.conf and restart
    the inetd process.
    Risk factor : Low
    CVE : CAN-1999-0651

 . Vulnerability found on port submission (587/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a remote buffer overflow allowing remote
    users to gain root privileges.

    Sendmail versions from 5.79 to 8.12.7 are vulnerable.

    Solution : Upgrade to Sendmail ver 8.12.8 or greater or
    if you cannot upgrade, apply patches for 8.10-12 here:
    http://www.sendmail.org/patchcr.html

    NOTE: manual patches do not change the version numbers.
    Vendors who have released patched versions of sendmail
    may still falsely show vulnerability.

    *** Nessus reports this vulnerability using only
    *** the banner of the remote SMTP server. Therefore,
    *** this might be a false positive.

    see http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
        http://www.cert.org/advisories/CA-2003-07.html
        http://www.kb.cert.org/vuls/id/398025

    Risk factor : High
    CVE : CAN-2002-1337
    BID : 6991

 . Vulnerability found on port submission (587/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a buffer overflow in its DNS handling code.

    The owner of a malicious name server could use this flaw to
    execute arbitrary code on this host.

    Solution : Upgrade to Sendmail 8.12.5
    Risk factor : High
    CVE : CVE-2002-0906
    BID : 5122

 . Vulnerability found on port submission (587/tcp) :

    smrsh (supplied by Sendmail) is designed to prevent the execution of
    commands outside of the restricted environment. However, when commands
    are entered using either double pipes (||) or a mixture of dot and
    slash characters, a user may be able to bypass the checks performed
    by smrsh. This can lead to the execution of commands outside of the
    restricted environment.

    Solution : upgrade to the latest version of Sendmail (or at least 8.12.8).
    Risk factor : Medium
    CVE : CAN-2002-1165
    BID : 5845

 . Vulnerability found on port submission (587/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a local buffer overflow allowing local
    users to gain root privileges.

    Solution : Upgrade to Sendmail 8.12beta19 or 8.11.6
    Risk factor : High (Local) / None (remote with no account)
    CVE : CVE-2001-0653
    BID : 3163

 . Vulnerability found on port submission (587/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to the -bt overflow attack which allows any
    local user to execute arbitrary commands as root.

    Solution : upgrade to the latest version of Sendmail
    Risk factor : High
    Note : This vulnerability is _local_ only

 . Vulnerability found on port submission (587/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a remote buffer overflow allowing remote
    users to gain root privileges.

    Sendmail versions from 5.79 to 8.12.8 are vulnerable.

    Solution : Upgrade to Sendmail ver 8.12.9 or greater or
    if you cannot upgrade, apply patches for 8.10-12 here:
    http://www.sendmail.org/patchps.html

    NOTE: manual patches do not change the version numbers.
    Vendors who have released patched versions of sendmail
    may still falsely show vulnerability.

    *** Nessus reports this vulnerability using only
    *** the banner of the remote SMTP server. Therefore,
    *** this might be a false positive.

    Risk factor : High
    CVE : CAN-2003-0161
    BID : 7230

 . Vulnerability found on port submission (587/tcp) :

    The remote sendmail server, according to its version number,
    may be vulnerable to a remote buffer overflow allowing remote
    users to gain root privileges.

    Sendmail versions from 5.79 to 8.12.9 are vulnerable.

    Solution : Upgrade to Sendmail ver 8.12.10.
    See also : http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html

    NOTE: manual patches do not change the version numbers.
    Vendors who have released patched versions of sendmail
    may still falsely show vulnerability.

    *** Nessus reports this vulnerability using only
    *** the banner of the remote SMTP server. Therefore,
    *** this might be a false positive.

    Risk factor : High
    CVE : CAN-2003-0694
    BID : 8641

 . Warning found on port submission (587/tcp)

    According to the version number of the remote mail server,
    a local user may be able to obtain the complete mail configuration
    and other interesting information about the mail queue even if
    he is not allowed to access that information directly, by
    running
          sendmail -q -d0-nnnn.xxx
    where nnnn & xxx are debugging levels.

    If users are not allowed to process the queue (which is the default)
    then you are not vulnerable.

    Solution : upgrade to the latest version of Sendmail or
    do not allow users to process the queue (RestrictQRun option)
    Risk factor : Very low / none
    Note : This vulnerability is _local_ only
    CVE : CAN-2001-0715
    BID : 3898

 . Information found on port submission (587/tcp)

    An SMTP server is running on this port
    Here is its banner :
    220 sauron.evil.com ESMTP Sendmail 8.11.0/8.11.0; Wed, 12 Nov 2003 03:44:56 +0100

 . Information found on port submission (587/tcp)

    Remote SMTP server banner :
    220 sauron.evil.com ESMTP Sendmail 8.11.0/8.11.0; Wed, 12 Nov 2003 03:45:07 +0100

    This is probably: Sendmail version 8.11.0

 . Information found on port submission (587/tcp)

    This server could be fingerprinted as being Sendmail 8.10.1

 . Information found on port submission (587/tcp)

    For some reason, we could not send the EICAR test string to this MTA

 . Information found on port kdm (1024/tcp)

    RPC program #100024 version 1 'status' is running on this port

 . Information found on port sunrpc (111/udp)

    RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

 . Warning found on port unknown (1024/udp)

    The nlockmgr RPC service is running.
    If you do not use this service, then disable it as it may become
    a security threat in the future, if a vulnerability is discovered.

    Risk factor : Low
    CVE : CVE-2000-0508
    BID : 1372

 . Information found on port unknown (1024/udp)

    RPC program #100021 version 1 'nlockmgr' is running on this port
    RPC program #100021 version 3 'nlockmgr' is running on this port

 . Vulnerability found on port blackjack (1025/udp) :

    The remote statd service may be vulnerable to a format string attack.

    This means that an attacker may execute arbitrary code thanks to a bug in
    this daemon.

    *** Nessus reports this vulnerability using only information that was gathered.
    *** Use caution when testing without safe checks enabled.

    Solution : upgrade to the latest version of rpc.statd
    Risk factor : High
    CVE : CVE-2000-0666
    BID : 1480

 . Warning found on port blackjack (1025/udp)

    The statd RPC service is running. This service has a long history of
    security holes, so you should really know what you are doing if you
    decide to let it run.

    *** No security hole regarding this program has been tested, so
    *** this might be a false positive.

    Solution : We suggest that you disable this service.
    Risk factor : High
    CVE : CVE-1999-0018, CVE-1999-0019, CVE-1999-0493
    BID : 127, 450

 . Information found on port blackjack (1025/udp)

    RPC program #100024 version 1 'status' is running on this port

 . Warning found on port general/tcp

    The remote host does not discard TCP SYN packets which
    have the FIN flag set.

    Depending on the kind of firewall you are using, an
    attacker may use this flaw to bypass its rules.

    See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
               http://www.kb.cert.org/vuls/id/464113

    Solution : Contact your vendor for a patch
    Risk factor : Medium
    BID : 7487

 . Information found on port general/tcp

    Remote OS guess : Linux 2.1.19 - 2.2.20

    CVE : CAN-1999-0454

 . Vulnerability found on port general/icmp :

    The remote host is vulnerable to an 'icmp leak' - when it receives a
    packet that raises an ICMP error packet (except ICMP destination
    unreachable), the ICMP packet is supposed to contain the original
    message. Due to a bug in the remote TCP/IP stack, it will also contain
    fragments of the content of the remote kernel memory.

    An attacker may use this flaw to remotely sniff what is going on in the
    host's memory, especially network packets that it sees, and obtain useful
    information such as POP passwords, HTTP authentication fields, and so on.

    Solution : Contact your vendor for a fix. If the remote host is running
    Linux 2.0, upgrade to Linux 2.0.40.
    See also : http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak
               http://www.kb.cert.org/vuls/id/471084
    Risk factor : High

 . Warning found on port general/icmp

    The remote host answers to an ICMP timestamp request. This allows an attacker
    to know the date which is set on your machine.

    This may help him to defeat all your time based authentication protocols.

    Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
    timestamp replies (14).

    Risk factor : Low
    CVE : CAN-1999-0524

 . Information found on port general/udp

    For your information, here is the traceroute to 192.168.5.12 :
    192.168.5.12

------------------------------------------------------
This file was generated by the Nessus Security Scanner
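Both hosts carry the general/icmp timestamp warning (CAN-1999-0524). The exchange behind it is a 20-byte ICMP type 13 request answered by a type 14 reply whose receive and transmit fields hold the remote clock as milliseconds since midnight UTC. The Python below is an added example, not part of the Nessus report or of Nessus; it builds the request with a correct checksum, parses a reply, and derives the remote clock offset from it, against a constructed reply (the 5 s offset and 100 ms round trip in the sample are invented). `REPORT_BANNER_TIME` is the timestamp from this host's SMTP banner, used to show the millisecond conversion that the reply field carries; the live-query branch needs a raw socket and therefore root.

```python
import datetime
import struct

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
NONSTANDARD_BIT = 0x80000000       # set by hosts that cannot give ms since midnight UTC
HEADER_FMT = "!BBHHHIII"           # type, code, checksum, id, seq, originate, receive, transmit

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a packet with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ms_since_midnight_utc(when: datetime.datetime) -> int:
    """The value a standards-following host puts in the timestamp fields."""
    utc = when.astimezone(datetime.timezone.utc)
    midnight = utc.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((utc - midnight).total_seconds() * 1000)

def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    body = struct.pack(HEADER_FMT, ICMP_TIMESTAMP_REQUEST, 0, 0, ident, seq, originate_ms, 0, 0)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def build_timestamp_reply(ident: int, seq: int, originate_ms: int, receive_ms: int, transmit_ms: int) -> bytes:
    """Constructed reply for offline testing: what a responding host sends back."""
    body = struct.pack(HEADER_FMT, ICMP_TIMESTAMP_REPLY, 0, 0, ident, seq, originate_ms, receive_ms, transmit_ms)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]

def parse_timestamp_reply(pkt: bytes) -> dict:
    """Validate type and checksum, then unpack the three timestamp fields."""
    if len(pkt) < 20:
        raise ValueError("short ICMP message")
    typ, code, _csum, ident, seq, orig, recv, xmit = struct.unpack(HEADER_FMT, pkt[:20])
    if typ != ICMP_TIMESTAMP_REPLY:
        raise ValueError(f"not a timestamp reply (type {typ})")
    if icmp_checksum(pkt[:20]) != 0:
        raise ValueError("bad ICMP checksum")
    return {"ident": ident, "seq": seq, "originate": orig,
            "receive": recv & ~NONSTANDARD_BIT, "transmit": xmit & ~NONSTANDARD_BIT,
            "nonstandard": bool(recv & NONSTANDARD_BIT)}

def clock_offset_ms(reply: dict, originate_ms: int, received_back_ms: int) -> float:
    """Remote minus local clock, symmetric-path estimate: ((t2 - t1) + (t3 - t4)) / 2."""
    return ((reply["receive"] - originate_ms) + (reply["transmit"] - received_back_ms)) / 2

# Time from this host's SMTP banner: Wed, 12 Nov 2003 03:45:01 +0100 (= 02:45:01 UTC).
REPORT_BANNER_TIME = datetime.datetime(2003, 11, 12, 3, 45, 1,
                                       tzinfo=datetime.timezone(datetime.timedelta(hours=1)))

def demo() -> float:
    """Constructed exchange: local sends at 10:00:00.000 UTC, gets the reply back 100 ms later;
    the remote clock stamps receive/transmit 5 s ahead of ours."""
    t1, t4 = 36_000_000, 36_000_100
    reply = parse_timestamp_reply(build_timestamp_reply(0xBEEF, 1, t1, 36_005_040, 36_005_060))
    return clock_offset_ms(reply, t1, t4)

if __name__ == "__main__":
    import socket, sys
    print("banner time as ICMP timestamp:", ms_since_midnight_utc(REPORT_BANNER_TIME), "ms")
    if len(sys.argv) > 1:                                  # live: sudo python icmp_ts.py 192.168.5.12
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
        s.settimeout(2)
        t1 = ms_since_midnight_utc(datetime.datetime.now(datetime.timezone.utc))
        s.sendto(build_timestamp_request(0xBEEF, 1, t1), (sys.argv[1], 0))
        raw = s.recv(1024)
        t4 = ms_since_midnight_utc(datetime.datetime.now(datetime.timezone.utc))
        ihl = (raw[0] & 0x0F) * 4                           # strip the IP header the raw socket returns
        reply = parse_timestamp_reply(raw[ihl:])
        print("remote clock offset:", clock_offset_ms(reply, t1, t4), "ms")
    else:
        print("constructed offset:", demo(), "ms")
```

A host that answers is leaking its wall-clock setting to anyone who can reach it with ICMP; the fix the report gives (drop inbound type 13 and outbound type 14) removes the reply, and the parser above then simply times out.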