A2F-Dataway High Severity Host Report- IntranetScan by The Guardsman

Attachment 2F

Dataway High Severity Host Report November 12, 2009

This report was generated with an evaluation version of qualysguard This report was generated with an evaluation version of qualysguard

Report Summary User Name:

eoghan o'neill

ccsf_en

Company:

ccsf

User Role:

Manager

Address:

180 redwood st suite 300

City:

san francisco

State:

California

Zip:

94102

Country:

United States of America

Created:

11/12/2009 at 18:10:50 (GMT-0800)

Template Title:

Dataway High Severity Host Report

Sort by:

Host

IP Restriction:

Hosts Matching Filters:

scan/1246807525.1079:

07/05/2009 at 07:25:25 (GMT-0800)

scan/1246810541.23046: 07/05/2009 at 08:15:41 (GMT-0800)

Summary of Vulnerabilities Vulnerabilities Total

45 (+28)

Average Security Risk

1.9

by Status Status

Confirmed

Potential

Total

New

Active

Re-Opened Total

Fixed Changed by Severity Severity

Information Gathered

Total

(0) -

(+13)

(0) -

(+15)

(0) -

(+28)

Total

Confirmed

(Trend)

Potential

(Trend)

5 Biggest Categories Category General remote services

Confirmed 25

(Trend)

Information Gathered

Total

(0) -

Potential -

(+11)

(+8)

(+1)

Database

(0) -

File Transfer Protocol

(0) -

Dataway High Severity Host Report

(Trend)

page 1

Category

Information Gathered

Total

Web server

Confirmed 2

(0) -

(+2)

SMB / NETBIOS

(0) -

(+2)

(0) -

(+24)

Total

(Trend)

Potential

(Trend)

Vulnerabilities by Severity

Potential Vulnerabilities by Severity

Dataway High Severity Host Report

page 2

Information Gathered by Severity

Operating Systems Detected

Dataway High Severity Host Report

page 3

Services Detected

Dataway High Severity Host Report

page 4

Services Detected (Continued)

Detailed Results 147.144.1.2 (hills.ccsf.cc.ca.us, -)

HP-UX 11

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

Dataway High Severity Host Report

page 5

an unauthorized session key recovery problem Multiple vendors' implementations are vulnerable due to the fact that these are protocol design errors. Version 2 of the SSH protocol fixed these errors. Please refer to the following URLs for more information: http://www.ciac.org/ciac/bulletins/m-017.shtml (http://www.ciac.org/ciac/bulletins/m-017.shtml) http://www.kb.cert.org/vuls/id/684820 (http://www.kb.cert.org/vuls/id/684820) IMPACT: The consequences of vulnerabilities present is SSH Version 1 include: SSH protected traffic compromise root shell access to the system running SSH server

SOLUTION: Disable SSH1 support. See your vendor's Web site for information on how to disable SSH protocol Version 1 support. Some references are provided below: SSH Communications Security (http://www.ssh.com) F-Secure (http://www.f-secure.com) OpenSSH (http://www.openssh.org) Note: Do not enable SSH Version 1 Fallback since systems with upgraded versions of SSH and with Fallback Version 1 enabled are still vulnerable. COMPLIANCE: Not Applicable RESULTS: SSH1 supported

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

147.144.1.3 (fog.ccsf.cc.ca.us, -)

HP-UX 11

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

THREAT: SSH1 protocol was deprecated due to multiple vulnerabilities and design flaws. Among multiple vulnerabilities that exist in SSH protocol Version 1 are: a CRC32 compensation attack detector vulnerability (buffer overflow) an unauthorized session key recovery problem Multiple vendors' implementations are vulnerable due to the fact that these are protocol design errors. Version 2 of the SSH protocol fixed these errors. Please refer to the following URLs for more information: http://www.ciac.org/ciac/bulletins/m-017.shtml (http://www.ciac.org/ciac/bulletins/m-017.shtml)

Dataway High Severity Host Report

page 6

http://www.kb.cert.org/vuls/id/684820 (http://www.kb.cert.org/vuls/id/684820) IMPACT: The consequences of vulnerabilities present is SSH Version 1 include: SSH protected traffic compromise root shell access to the system running SSH server

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

147.144.1.18 (-, -)

IBM 4400 Printer

Vulnerabilities (1) 5

Multiple CUPS Vulnerabilities

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 631/tcp New

38160 General remote services CVE-2002-1369, CVE-2002-1371, CVE-2002-1367, CVE-2002-1368, CVE-2002-1372, CVE-2002-1383 RHSA-2002-295 6438 06/11/2009 No

THREAT: CUPS, Common Unix Printing System, is a widely used set of printing utilities for Unix-based systems. Several vulnerabilities have been reported in versions prior to 1.1.18. 1) CUPS makes it possible for attackers to execute code with root privileges. The vulnerability exists in the jobs.c source file. Some functions use the strncat() function call improperly. strncat()is used in an insecure manner to build the "options" string. When the CUPS daemon receives specially-constructed printer attributes, it will trigger a buffer overflow condition when building the "options" string, which may result in the corruption of sensitive memory with attacker-supplied values. (CVE ID: CAN-2002-1369) 2) The image handling component of CUPS is vulnerable to integer overflow conditions. Flaws may be exploited by local attackers to execute instructions with elevated privileges. Attackers may gain user "lp", group "sys" privileges. Depending on system configuration, other privileges may be gained. 3) CUPS image filters do not properly handle GIF files with a width field set to zero. As a result, if an attacker submits a properly malformed image, it may be possible to manipulate and corrupt chunk headers with attacker-supplied data. Given the ability to corrupt memory with attacker-supplied data, it may be possible for an attacker to cause arbitrary code to be executed. Successful exploitation results in code execution in the security context of CUPS. (CVE ID: CAN-2002-1371) 4) Some versions of CUPS may create temporary files in an insecure manner. The vulnerability occurs when creating the "/etc/cups/certs/" file. An attacker can exploit this vulnerability to create or overwrite any file with elevated privileges. Successful exploitation is time dependent and requires the attacker to obtain the

Dataway High Severity Host Report

page 7

"lp" user privileges. 5) CUPS is prone to a vulnerability that makes it possible for attackers to add printers. It has been reported that an attacker may send a specially crafted UDP packet to the CUPS server, which will cause a printer to be temporarily added and configured to listen on a high port. Then it's reportedly possible for the attacker to request and receive the local root certificate. This certificate may be used to authenticate to the Web administrative interface, where it is possible to create a printer with root privileges. Technical details about the exact nature of this issue are not known at this time. This issue is believed to be caused, in part, by a design flaw in the certificate authentication scheme employed by CUPS. (CVE ID: CAN-2002-1367) 6) A vulnerability has been reported that, if exploited, may result in a DoS or the execution of code on affected systems. An attacker can exploit this vulnerability by connecting to a vulnerable system on TCP port 631 and issuing malformed HTTP headers with a negative value for the "Content-Length" or "Transfer-Encoding" field. When the cupsd service receives this request, it will crash. (CVE ID: CAN-2002-1368) 7) CUPS may leak file descriptor information under some circumstances. This issue exists because CUPS does not adequately check any return values on file and socket operations. By exploiting this vulnerability, it's possible for a remote attacker to cause a denial of service. (CVE ID: CAN-2002-1372) 8) An integer overflow vulnerability has been reported in the HTTP server component of CUPS. The condition is related to the processing of HTML variables and their values. It's reportedly possible for remote attackers to exploit this vulnerability to execute instructions on target systems. Successful attacks may grant local access to adversaries with user "lp" and group "sys" privileges. (CVE ID: CAN-2002-1383) IMPACT: By exploiting these vulnerabilities, remote attackers can execute arbitary code under the user ID of the Daemon. SOLUTION: Upgrade to CUPS Version 1.1.18 or later. Upgrade packages are available for all affected distributions. Check CUP's Web site (http://www.cups.org/software.html) for more information.

COMPLIANCE: Not Applicable RESULTS: No results available

147.144.1.43 (ocean.ccsf.cc.ca.us, -)

HP-UX 11

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

Dataway High Severity Host Report

page 8

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

147.144.1.62 (ezproxy.ccsf.edu, -)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (2) 5

Debian OpenSSL Package Random Number Generator Weakness

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 443/tcp over SSL Active

42007 General remote services CVE-2008-0166 OpenSSH Debian Patch, OpenSSL Debain Patch 29179 06/30/2008 No

THREAT: OpenSSL is an open source implementation of the SSL protocol which is used by a number of other projects, including but not restricted to Apache, Sendmail and Bind. It is commonly found on Linux and Unix systems. The Debian OpenSSL package is prone to a random number generator weakness which causes the keys generated by this package to be predictable. IMPACT: Attackers can exploit this issue to predict random data used to generate encryption keys by certain applications. An attacker can record encrypted sessions (SSL,SSH, VPN) then in an off-line mode use a library of weak keys to find out the private key values used by the communication parties and decrypt the encrypted traffic. Specifically affected keys include RSA, SSH, OpenVPN and DNSSEC keys as well as X.509 certificates and session keys used in the SSL/TLS sessions. Attackers may exploit this issue to potentially compromise encryption keys and gain access to sensitive data. This may aid in further attacks. In the case of SSH attackers can gain full access to the target system. This issue affects only a modified OpenSSL package for Debian prior to Version 0.9.8c-4etch3. Please note that the keys that were generated on a vulnerable system and then moved to a different non-Debian system are still vulnerable and can cause a

Dataway High Severity Host Report

page 9

compromise of that non-Debian system. SOLUTION: The vendor has released updates to address this issue. See the references for more information. The Results section contains identifications for the weak keys detected on the target system. The keys are identified by calculating a hash over the public key. The hash function as well as the information the hash function is calculated upon is different for SSH and SSL keys. For SSL the following command can be used to calculate the hash of a key in a X.509 certificate: openssl x509 -in [cert name.pem] -modulus -noout|openssl sha1 For an SSH key the following command can be used to obtain the hash of the public key: ssh-keygen -f [SSH public key file name.pub] -l All the keys listed in the Results section are weak and need to be regenerated on a non-vulnerable or patched system. In the case of certificates, they need to be regenerated and signed again. COMPLIANCE: Not Applicable RESULTS: Certificate #0 RSA(1024), SSL, Hash: 2E202BACC1C4CF8762B5D3F157858B0989C23998

Debian OpenSSL Package Random Number Generator Weakness

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

42007 General remote services CVE-2008-0166 OpenSSH Debian Patch, OpenSSL Debain Patch 29179 06/30/2008 No

Dataway High Severity Host Report

page 10

hash function as well as the information the hash function is calculated upon is different for SSH and SSL keys. For SSL the following command can be used to calculate the hash of a key in a X.509 certificate: openssl x509 -in [cert name.pem] -modulus -noout|openssl sha1 For an SSH key the following command can be used to obtain the hash of the public key: ssh-keygen -f [SSH public key file name.pub] -l All the keys listed in the Results section are weak and need to be regenerated on a non-vulnerable or patched system. In the case of certificates, they need to be regenerated and signed again. COMPLIANCE: Not Applicable RESULTS: RSA(2048), SSH, Hash: 08FF698725A668282FC337BE4E89745B

147.144.1.69 (-, S-LIB-PC-COP01)

Windows 2003 Service Pack 2

Vulnerabilities (6) 5

Microsoft SQL Server 2000 Service Pack 4 Missing

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

New

19124 Database 05/11/2009 No

THREAT: The Microsoft SQL Server / MSDE 2000 host is missing Service Pack 4. IMPACT: SQL Server 2000 Service Pack 4 includes all security hotfixes released after the release of Service Pack 3. SOLUTION: Read Microsoft article KB290211 (http://support.microsoft.com/kb/290211) for details on downloading SQL Server 2000 Service Pack 4. COMPLIANCE: Not Applicable RESULTS: 8.0.313

Microsoft SQL Server Multiple Vulnerabilities

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

Dataway High Severity Host Report

New

90086 Database CVE-2003-0230, CVE-2003-0231, CVE-2003-0232 MS03-031 8275 02/23/2005 No

page 11

THREAT: Multiple vulnerabilities are present on the Microsoft SQL Server installed on the target, including the following: LPC port request buffer overflow vulnerability, Named Pipe denial of service vulnerability, and Named Pipe hijacking vulnerability. Local Procedure Calls (LPC) provide a mechanism for interprocess communications on some Microsoft platforms. Each LPC utilizes a collection of communication ports to allow for information exchange between the client and the server. Microsoft SQL Server is prone to a buffer overflow in the mechanism that accepts LPC port requests. If a specifically malformed message is received by the LPC port, stack memory may be overwritten due to insufficient bounds checking. Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a Named Pipe denial of service attack. Any local or remote user, who can authenticate and is part of the Everyone Group, may trigger a denial of service condition in an affected SQL Server. It has been reported that if a remote attacker sends an unusually large request to a named pipe, the SQL Server will become unresponsive. Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a privilege escalation vulnerability via named pipes. A named pipe is a conduit for interprocess communication that is identified by a specific name; it is used to pass information between a pipe server and its clients. It has been reported that a named pipe, used to control certain connection attempts to the SQL server, is prone to a vulnerability that may provide escalation of privileges. The issue presents itself within the checking routines for the affected pipe. Under certain circumstances, specifically during the authentication procedure, a local attacker may seize control of the named pipe. IMPACT: Successful exploitation of the LPC Port request buffer overrun vulnerability would allow an attacker to execute code with the privilege level of the SQL Server process. Under most conditions, exploitation would only allow an attacker to gain full access to the SQL database. However, if the SQL Server is running as Administrator or Local System, exploitation would allow for full system compromise. It's important to note that an attacker must be authenticated to the SQL Server in order to exploit this vulnerability. The impact of the denial of service vulnerability may vary between service packs and versions. It has been reported that on SQL Server 2000 without Service Pack 3 installed, the service will crash and must be restarted to restore normal operations. However, on SQL Server 2000 with Service Pack 3 applied, this is not the case. The service does not appear to crash but does not process requests received post-attack. It has also been reported that it's not possible to stop the affected service, and the system will require a reboot to restore normal operations. If the Named Pipe hijacking vulnerability is successfully exploited, the attacker may thereby inherit the permissions of the user who is attempting to connect to the SQL server via the compromised pipe. SOLUTION: Microsoft has released patches to address the issue. Check Microsoft Security Bulletin MS03-031 (http://www.microsoft.com/technet/security/bulletin/ms03-031.mspx) for the latest information on these vulnerabilities. COMPLIANCE: Not Applicable RESULTS: 8.0.313

Microsoft SQL Server 2000 SP1 Not Installed

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 1433/tcp New

19094 Database 05/21/2009 No

THREAT: The host is missing SQL Server 2000 Service Pack 1. IMPACT:

Dataway High Severity Host Report

page 12

Microsoft SQL Server Service Pack 1 contains several security fixes. SOLUTION: Refer to the SQL Server version 2000 Service Pack 1 Readme (http://support.microsoft.com/default.aspx?scid=%2fsupport%2fservicepacks%2fSQL%2f2000%2fSP1ReadMe.asp) for details. It's recommended that you install the latest Microsoft SQL Server service pack (sp3a or later). You can download the latest service pack from Microsoft's SQL Server Download page (http://www.microsoft.com/sql/downloads/default.asp). COMPLIANCE: Not Applicable RESULTS: 8.0.313

Microsoft SQL Server 2000 SP2 Not Installed

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 1433/tcp New

19096 Database 05/18/2009 No

THREAT: Microsoft SQL Server 2000 Service Pack 2 not installed on the host. IMPACT: SQL Server 2000 Service Pack 2 fixes several security holes which can be exploited by malicious users. SOLUTION: Refer to the SQL Server version 2000 Service Pack 2 Readme (http://support.microsoft.com/default.aspx?scid=%2fsupport%2fservicepacks%2fSQL%2f2000%2fSP2ReadMe.asp) for details. It's recommended that you install the latest Microsoft SQL Server service pack (sp3a or later). You can download the latest service pack from Microsoft's SQL Server Download page (http://www.microsoft.com/sql/downloads/default.asp). COMPLIANCE: Not Applicable RESULTS: 8.0.313

Microsoft SQL Server 2000 Service Pack 3 Not Installed

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 1433/tcp New

19099 Database 05/14/2009 No

THREAT: Microsoft SQL Server 2000 Service Pack 3 is not installed on the host. IMPACT: Dataway High Severity Host Report

page 13

Microsoft SQL Server 2000 Service Pack 3 fixes several security holes, which may be exploited by malicious users. SOLUTION: Refer to the Microsoft Service Packs for SQL Server Downloads page (http://www.microsoft.com/sql/downloads/servicepacks.asp) for instructions on downloading and installing the service pack. COMPLIANCE: Not Applicable RESULTS: 8.0.313

Microsoft SQL Server 2000 Latest Patch Not Installed

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 1433/tcp New

19090 Database 05/14/2009 No

THREAT: The latest Microsoft SQL security hotfixes are not installed. This check makes sure that Service Pack 4 is installed. The current version detected is shown in the result section of the vulnerability report. IMPACT: Microsoft SQL service packs and hotfixes are important because they fix a lot of security issues. SOLUTION: Apply the latest service packs and hotfixes available for download from the Microsoft SQL Server Support Center (http://www.microsoft.com/sql/). COMPLIANCE: Not Applicable RESULTS: 8.0.313

147.144.1.206 (webct0.ccsf.cc.ca.us, -)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (3) 4

SSL Server Allows Anonymous Authentication Vulnerability

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 443/tcp over SSL Active

38142 General remote services 07/07/2008 No

THREAT: The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default.

Dataway High Severity Host Report

page 14

A vulnerability exists in SSL communcations when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack." IMPACT: An attacker can exploit this vulnerability to impersonate your server to clients. SOLUTION: Disable support for anonymous authentication. 1) Apache: Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM For Apache/apache_ssl include the following line in the configuration file (httpsd.conf): SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM 2) IIS: For IIS please see: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services (http://support.microsoft.com/kb/187498/en-us), How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (http://support.microsoft.com/kb/245030/en-us), How to Determine the Cipher Suite for the Server and Client (http://support.microsoft.com/kb/299520/en-us), , and How to restrict the use of certain ciphers in Internet Information Services 5.0 (http://support.microsoft.com/kb/241447) 3) Wu-FTP: For Wu-FTP which supports TLS, the ciphers parameter in TLS configuration file should be set to -ALL +SSLv3 +TLSv1 For more details please consult the docs/HOWTO/ssl_and_tls_ftpd.HOWTO file provided by wu-ftpd distribution. Additional reading: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html (http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html) http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite) http://www.megasecurity.org/Info/ssl_servers.html (http://www.megasecurity.org/Info/ssl_servers.html)

COMPLIANCE: Not Applicable RESULTS: CIPHER

KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH GRADE )

SSLv3 SUPPORTS CIPHERS WITH NO AUTHENTICATION ADH-RC4-MD5

None

MD5 RC4(128)

MEDIUM

EXP-ADH-RC4-MD5

DH(512)

None

MD5 RC4(40)

LOW

ADH-RC4-MD5

None

MD5 RC4(128)

MEDIUM

EXP-ADH-RC4-MD5

DH(512)

None

MD5 RC4(40)

LOW

ADH-DES-CBC3-SHA

None

SHA1 3DES(168)

HIGH

ADH-DES-CBC-SHA

None

SHA1 DES(56)

LOW

EXP-ADH-DES-CBC-SHA

DH(512)

None

SHA1 DES(40)

LOW

TLSv1 SUPPORTS CIPHERS WITH NO AUTHENTICATION

SSL Server Allows Cleartext Communication Vulnerability

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Dataway High Severity Host Report

port 443/tcp over SSL Active

38143 General remote services 08/05/2008 page 15

Edited:

THREAT: The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client-server communication is general encrypted using a symmetric cipher like RC2, RC4, DES or 3DES. However, some SSL ciphers allow communication without encryption. This vulnerability allows anyone who can sniff the traffic between the client and the server to see the communication. Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations. IMPACT: An attacker can exploit this vulnerability to read apparently secure communication. SOLUTION: Disable ciphers which support cleartext communication. Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM For Apache/apache_ssl include the following line in the configuration file (httpsd.conf): SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM How to Control the Ciphers for SSL and TLS on IIS (http://support.microsoft.com/kb/245030) For Novell Netware 6.5 please refer to the following document SSL Allows the use of Weak Ciphers. -TID10100633 (http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm) COMPLIANCE: Not Applicable RESULTS: CIPHER

KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE

SSLv3 SUPPORTS CIPHERS WITH NO ENCRYPTION NULL-SHA

RSA

SHA1 None

LOW

NULL-MD5

RSA

MD5 None

LOW

NULL-SHA

RSA

SHA1 None

LOW

NULL-MD5

RSA

MD5 None

LOW

TLSv1 SUPPORTS CIPHERS WITH NO ENCRYPTION

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

Dataway High Severity Host Report

page 16

Please refer to the following URLs for more information: http://www.ciac.org/ciac/bulletins/m-017.shtml (http://www.ciac.org/ciac/bulletins/m-017.shtml) http://www.kb.cert.org/vuls/id/684820 (http://www.kb.cert.org/vuls/id/684820) IMPACT: The consequences of vulnerabilities present is SSH Version 1 include: SSH protected traffic compromise root shell access to the system running SSH server

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, password

147.144.1.211 (sol.ccsf.cc.ca.us, -)

Solaris 8

Vulnerabilities (2) 5

Sun Solaris SAdmind Client Credentials Remote Administrative Access Vulnerability

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

New

68524 RPC CVE-2003-0722 8615 06/11/2009 No

THREAT: Solaris is the Unix operating system variant maintained and distributed by Sun Microsystems. A problem has been discovered in the Sun Solaris "sadmin" service. Because of this issue, it may be possible for a remote user to gain unauthorized administrative access to the target. The problem is in the handling of authentication credentials. In the default configuration, the "sadmin" service uses the AUTH_SYS or AUTH_UNIX RPC authentication mechanism, which is vulnerable to spoofing attacks. Since the authentication credentials (uid, gid, and hostname of client) are completely in an attacker's control, an attacker can circumvent any access restrictions the service may have in place. Note: The "sadmin" service is enabled by default. IMPACT: This vulnerability can be exploited to run arbitrary privileged commands on the vulnerable host, and can lead to a complete system compromise.

Dataway High Severity Host Report

page 17

SOLUTION: A solution is to either disable the "sadmin" service if it is not required, or restart the service with stronger authentication. The service may be disabled by commenting the service out of the inetd.conf configuration file, and restarting inetd. The service may be reconfigured to use stronger AUTH_DES authentication instead. To do this, append "-S 2" to the inetd.conf configuration and restart inetd. Please check Sun's Sadmind Alert (http://sunsolve.sun.com/search/document.do?assetkey=1-26-56740-1), which provides details about this configuration process. COMPLIANCE: Not Applicable RESULTS: /bin/sh could be executed on the target host.

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

Dataway High Severity Host Report

page 18

147.144.1.212 (cloud.ccsf.cc.ca.us, -)

FreeBSD

Vulnerabilities (1) 4

Database Files Present on Anonymous FTP Server Vulnerability

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 21/tcp Active

27026 File Transfer Protocol CVE-1999-0527 04/03/2009 No

THREAT: Database files with a ".db" extension were found on the FTP Server. IMPACT: Files with the .db extension may contain sensitive information. Please verify that these documents should be on the FTP server. If the document(s) are encrypted, they can easily be cracked. And, if the user uses the same password for encrypting documents as for logging on to the server, their user accounts can be compromised. SOLUTION: Remove all *.db files that are not required. COMPLIANCE: Not Applicable RESULTS: /etc/pwd.db [user anonymous] /etc/pwd.db [user ftp]

147.144.1.214 (-, -)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp New

38304 General remote services CVE-2001-1473 06/10/2009 No

Dataway High Severity Host Report

page 19

http://www.ciac.org/ciac/bulletins/m-017.shtml (http://www.ciac.org/ciac/bulletins/m-017.shtml) http://www.kb.cert.org/vuls/id/684820 (http://www.kb.cert.org/vuls/id/684820) IMPACT: The consequences of vulnerabilities present is SSH Version 1 include: SSH protected traffic compromise root shell access to the system running SSH server

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, password

147.144.1.215 (webct3.ccsf.edu, -)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

Dataway High Severity Host Report

page 20

root shell access to the system running SSH server

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

147.144.1.219 (cloudy.ccsf.cc.ca.us, -)

FreeBSD

Vulnerabilities (1) 4

Database Files Present on Anonymous FTP Server Vulnerability

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 21/tcp New

27026 File Transfer Protocol CVE-1999-0527 04/03/2009 No

Dataway High Severity Host Report

page 21

147.144.1.220 (cloudz.ccsf.cc.ca.us, -)

BSDI BSD/OS 4.0.1

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

Dataway High Severity Host Report

page 22

147.144.1.245 (gw3.ccsf.edu, -)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (2) 5

Null Authentication VNC Server Access

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 5901/tcp New

38161 General remote services CVE-2002-2088 4581 05/13/2009 No

THREAT: VNC (Virtual Network Computing) is similar to Xwindows in that it is a remote, graphical interface. It is freely available from multiple vendors (for example AT&T Cambridge). To create a session with VNC server, a primitive sort of authentication is implemented. There is an option to not use authentication at all, in which case anyone is allowed to connect to the VNC server. An example of such default configuration is ClumpOS. ClumpOS is a CD-based Linux and Mosix distribution that is maintained and distributed by the Mosix project. ClumpOS does not prompt a user to set a password for VNC when installed. Instead, ClumpOS leaves the default password for VNC blank, which allows remote root access to the system. IMPACT: By exploiting this vulnerability, an unauthenticated user can have the same privileges as the privileges of the user who launched a VNC server. SOLUTION: As a possible workaround, manually set a VNC password or remove the VNC server (if not needed). COMPLIANCE: Not Applicable RESULTS: No results available

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

Dataway High Severity Host Report

page 23

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive

147.144.1.246 (gw4.ccsf.edu, BAT-GW4)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (3) 5

Null Authentication VNC Server Access

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 5901/tcp New

38161 General remote services CVE-2002-2088 4581 05/13/2009 No

Dataway High Severity Host Report

page 24

Not Applicable RESULTS: No results available

Null Session/Password NetBIOS Access

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

New

70003 SMB / NETBIOS CVE-1999-0519 10/08/2009 No

THREAT: Unauthorized users can connect to this NetBIOS service without a password. IMPACT: Unauthorized users may be able to exploit this vulnerability to obtain sensitive information about your system resources, such as a list of all accounts or shared resources on this host. For Windows hosts, unauthorized users may also be able to access the registry, and depending on the Windows version and registry permission settings, make modifications to the registry. SOLUTION: Null NetBIOS sessions can be disabled using the following methods: Windows NT: 1. Set the following registry key: HKLM\System\CurrentControlSet\Control\Lsa Name: RestrictAnonymous Type: REG_DWORD Value: 1 2. Restart your computer.

Windows 2000: 1. Start "Control Panel-->Administrative Tools-->Local Security Policy". 2. Open "Local Policies-->Security Options". 3. Make sure "Additional restrictions of anonymous connections" is set to "No access without explicit anonymous permissions". 4. Restart your computer.

Windows XP/2003: 1. Start "Control Panel-->Administrative Tools-->Local Security Policy". 2. Open "Local Policies-->Security Options". 3. Make sure the following two policies are enabled: * Network Access: Do not allow anonymous enumeration of SAM accounts * Network Access: Do not allow anonymous enumeration of SAM accounts and shares 4. Disable Network Access: Let Everyone permissions apply to anonymous users. 5. Restart your computer. The above settings have no impact on domain controllers. If this vulnerability was discovered on a domain controller, please note that some of the recommended settings may not have any effect. Read the Microsoft article Description of Dcpromo Permissions Choices (http://support.microsoft.com/kb/257988/) for more information regarding Pre-Windows 2000 Compatible Access. Please read the Microsoft documents called How to Use the RestrictAnonymous Registry Value (http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) and Restricting Anonymous Access (http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) for more information.

Samba: Make the following settings in smb.conf: * set "security" to "user" or "domain" or "server" as per your requirements. * set "map_to_guest" to "Never"

Dataway High Severity Host Report

page 25

SECURITY = USER This is the default security setting in Samba 2.2. With user-level security a client must first "log=on" with a valid username and password (which can be mapped using the username map parameter). Encrypted passwords can also be used in this security mode. Parameters such as user and guest only if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated. SECURITY = SERVER In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user, but note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up. SECURITY = DOMAIN This mode will only work correctly if smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to true. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do. A suggested workaround. Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment. Adding 'restrict anonymous = 2' in smb.conf can help resolve the issue. For SAMBA 3.0 and Active Directory Make the following settings in smb.conf: security = ADS COMPLIANCE: Not Applicable RESULTS: No results available

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

SOLUTION: Dataway High Severity Host Report

page 26

Disable SSH1 support. See your vendor's Web site for information on how to disable SSH protocol Version 1 support. Some references are provided below: SSH Communications Security (http://www.ssh.com) F-Secure (http://www.f-secure.com) OpenSSH (http://www.openssh.org) Note: Do not enable SSH Version 1 Fallback since systems with upgraded versions of SSH and with Fallback Version 1 enabled are still vulnerable. COMPLIANCE: Not Applicable RESULTS: SSH1 supported

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive

147.144.1.249 (ns9.ccsf.cc.ca.us, -)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp New

38304 General remote services CVE-2001-1473 06/10/2009 No

Dataway High Severity Host Report

page 27

Not Applicable RESULTS: SSH1 supported

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, password

147.144.1.250 (ns7.ccsf.cc.ca.us, -)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp New

38304 General remote services CVE-2001-1473 06/10/2009 No

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, password

Dataway High Severity Host Report

page 28

147.144.1.251 (ns3.ccsf.cc.ca.us, -)

Linux 2.4-2.6 / SonicWALL

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp New

38304 General remote services CVE-2001-1473 06/10/2009 No

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

Dataway High Severity Host Report

page 29

147.144.1.252 (-, -)

Linux 2.4-2.6 / SonicWALL

Vulnerabilities (1) 4

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp New

38304 General remote services CVE-2001-1473 06/10/2009 No

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

Dataway High Severity Host Report

page 30

147.144.1.254 (-, INST-DC1)

Windows 2000 Service Pack 3-4

Vulnerabilities (3) 4

Remote User List Disclosure Using NetBIOS

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

New

45003 Information gathering CVE-2000-1200 959 10/08/2009 No

THREAT: A null session connection to the IPC$ share was successful. NetBIOS access can be obtained with any authenticated account on this host. Therefore unauthorized users can steal the remote user list. This kind of attack is commonly exploited by users with weak passwords, such as the GUEST account. IMPACT: By exploiting this vulnerability, unauthorized users can launch brute force password attacks and other intrusive attacks based on collected information. Employee, customer, and partner information may be gathered. Spamming the user list is also possible. SOLUTION: It is recommended that you disable null sessions. Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment. Read the Microsoft documents called How to Use the RestrictAnonymous Registry Value (http://support.microsoft.com/default.aspx?scid=kb;en-us;246261) and Restricting Anonymous Access (http://technet2.microsoft.com/WindowsServer/en/library/2c82586e-bd58-42b7-9976-228a23721e351033.mspx?mfr=true) for more information. If this vulnerability was discovered on a domain controller, please note that some of the recommended settings may not have any effect. Read the Microsoft article Description of Dcpromo Permissions Choices (http://support.microsoft.com/kb/257988/) for more information regarding Pre-Windows 2000 Compatible Access. For Windows NT, setting this registry value limits only certain interfaces to this data. It is not possible to completely eliminate this vulnerability through a registry setting. There is another interesting Microsoft document called Local Policies (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/6d1cf160-25c8-4b0f-90b5-428bf5c24eae.mspx) about Windows security policies settings for local policies. Windows XP onwards Microsoft has added more granular control to the anonymous user access by adding couple of more DWORD registry values in the same key location as RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous. Set RestrictAnonymous = 1 to restrict share information access, RestrictAnonymousSAM = 1 to prevent enumeration of SAM accounts (User Accounts) and EveryoneIncludesAnonymous = 0 to prevent null-sessions from having any rights. Setting the RestrictAnonymous value to 1 restricts null session access to unauthenticated users to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares entries. Additionally set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, NullSessionPipes and NullSessionShares, to a null string. For Samba servers there is no direct way of disabling null session access. A workaround is to specify a non exisiting UNIX account in global section of Samba config file. guest account = NON EXISTING USER. Adding 'restrict anonymous = 2' in smb.conf can help resolve the issue. Note: Please be aware that changing the restrictanonymous setting to the highest security level for example restrictanonymous = 2 in windows 2000 may disable older programs that make use of this account. It will also affect Windows NT 4.0 Domain Controllers from communicating with each other between trust relationships.

If possible, filter out Microsoft networking ports such as TCP ports 135, 137, 138, 139, and UDP ports 135, 137, 138.

COMPLIANCE: Not Applicable RESULTS:

Dataway High Severity Host Report

page 31

bookloan

1190

tboegel

1376

gknapp

2083

lindao

3086

ccruz

3095

schou

3105

creyes

3154

arichard

3176

mhock01

3266

mvipusit

3336

emmorris

3341

fbanh

3634

mentor-student

3644

monizuka

3707

mfelice

3839

rallyn

3880

tlamb

4006

plee

4471

ibell

4472

lbritton

4474

ecastill

4475

nchinn

4476

jchiu

4477

mchu

4478

tdang

4479

cdevore

4480

dgong

4482

khanamur

4483

kharper

4484

shuey

4485

njulin

4486

akerrar

4487

klau

4488

tle

4489

alira

4490

hma

4491

smance

4492

amonroe

4494

jpopely

4498

asalonga

4499

asimpson

4500

astanley

4501

pstrobel

4502

ltsang

4504

abader

4506

cchu

4507

kcolom

4508

bhall

4509

rheiman

4510

ahoward

4511

lhuynh

4512

vkartash

4513

ukukharc

4514

klam

4515

lleiva

4516

Dataway High Severity Host Report

page 32

tmccullo

4517

emelnice

4518

jmockbee

4519

rmoore

4520

pnabhan

4521

tnarlite

4522

dnichols

4523

aprum

4524

msong

4525

avelez

4526

jwang

4527

dyap

4528

eyussen

4529

vcrooks

4530

abrawley

4531

knawtsah

4532

ssmith

4533

llim

4534

pcheung

4535

hweeks

4536

mgrier

4537

jluddeke

4562

ytang

4563

tyip

4564

acanning

4573

ddarmo

4582

Null Session/Password NetBIOS Access

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

New

70003 SMB / NETBIOS CVE-1999-0519 10/08/2009 No

Dataway High Severity Host Report

page 33

Samba: Make the following settings in smb.conf: * set "security" to "user" or "domain" or "server" as per your requirements. * set "map_to_guest" to "Never"

SSH Protocol Version 1 Supported

QID: Category: CVE ID:

Dataway High Severity Host Report

port 22/tcp New

38304 General remote services CVE-2001-1473

page 34

Vendor Reference: Bugtraq ID: Modified: Edited:

06/10/2009 No

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive, password

147.144.4.4 (-, -)

HP-UX 11

Vulnerabilities (2) 5

Apache Chunked-Encoding Memory Corruption Vulnerability

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

Dataway High Severity Host Report

port 5050/tcp New

86352 Web server CVE-2002-0392 5033 10/22/2007 No

page 35

THREAT: Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. Various products, such as StrongHold, Oracle 9iAS and IBM Websphere, use or bundle Apache. The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerability has been discovered in the Apache implementation of 'Chunked Encoding'. When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is due to improper (signed) interpretation of an unsigned integer value. On Windows and Netware platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process to crash on these platforms may result in a denial of service. The link http://httpd.apache.org/info/security_bulletin_20020617.txt (http://httpd.apache.org/info/security_bulletin_20020617.txt) provides additional information on this vulnerability for Apache running on Windows. IMPACT: This vulnerability can be exploited by an attacker to cause a Denial of Service and even execute arbitrary code on the vulnerable machine. SOLUTION: This vulnerability has been fixed in Apache 1.3.26 and Apache 2.0.37. Please upgrade to the latest version (http://httpd.apache.org/download.cgi). An efix (via APAR PQ62369) (http://www.ibm.com/software/webservers/httpservers/support.html) is available for IHS from the IBM HTTP Server Downloads webpage. A complete list of vendor status and fixes can be found in CERT advisory CA-2002-17 (http://www.cert.org/advisories/CA-2002-17.html)

To manually verify this vulnerability, one may telnet to the host/port that the HTTP service is running on, and issue the following request directly: -----[snip]----GET / HTTP/1.1 Host: iopjfds Transfer-Encoding: Chunked AAAAAAAA -----[/snip]----A vulnerable webserver should respond by immediately closing the connection, while a patched webserver should respond with a valid HTTP response code; it may be necessary to try large integers other than AAAAAAAA (e.g. FFFFFFFF or 80000000). In order to eliminate erroneous behavior from intervening networking equipment, it is important to run the manual verification locally on the target host in question.

COMPLIANCE: Not Applicable RESULTS: No results available

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp New

38304 General remote services CVE-2001-1473 06/10/2009 No

THREAT: SSH1 protocol was deprecated due to multiple vulnerabilities and design flaws. Among multiple vulnerabilities that exist in SSH protocol Version 1 are:

Dataway High Severity Host Report

page 36

a CRC32 compensation attack detector vulnerability (buffer overflow) an unauthorized session key recovery problem Multiple vendors' implementations are vulnerable due to the fact that these are protocol design errors. Version 2 of the SSH protocol fixed these errors. Please refer to the following URLs for more information: http://www.ciac.org/ciac/bulletins/m-017.shtml (http://www.ciac.org/ciac/bulletins/m-017.shtml) http://www.kb.cert.org/vuls/id/684820 (http://www.kb.cert.org/vuls/id/684820) IMPACT: The consequences of vulnerabilities present is SSH Version 1 include: SSH protected traffic compromise root shell access to the system running SSH server

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, password

147.144.17.71 (wiz.ccsf.cc.ca.us, -)

Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Vulnerabilities (2) 4

Linux Kernel Multiple Memory Leak Local Denial of Service Vulnerabilities

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

New

115292 Local 2.6.14rc4 15076 09/28/2007 No

THREAT: Two local denial of service vulnerabilities affect the Linux kernel. These issues are due to a design flaw that creates memory leaks. IMPACT: These vulnerabilities may be exploited by local users to consume excessive kernel resources, likely triggering a kernel crash and denying service to legitimate users. SOLUTION: For more information, read Red Hat advisory RHSA-2005:808-14 (http://www.redhat.com/support/errata/RHSA-2005-808.html). A newer update RHSA-2007-0937 (http://rhn.redhat.com/errata/RHSA-2007-0937.html) is also available which obsoletes RHSA-2005-808 COMPLIANCE: Dataway High Severity Host Report

page 37

Not Applicable RESULTS: Detected through OS checks.

SSH Protocol Version 1 Supported

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 22/tcp Active

38304 General remote services CVE-2001-1473 06/10/2009 No

yes

Supported ciphers for SSH1

3des, blowfish

Supported authentications for SSH1

RSA, keyboard_interactive

Dataway High Severity Host Report

page 38

147.144.19.11 (peachie.ccsf.cc.ca.us, -)

Linux 2.2

Vulnerabilities (3) 5

Apache Chunked-Encoding Memory Corruption Vulnerability

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 9876/tcp New

86352 Web server CVE-2002-0392 5033 10/22/2007 No

COMPLIANCE: Not Applicable RESULTS: No results available

Dataway High Severity Host Report

page 39

WU-FTPD Remote Root Access with 'SITE EXEC' Command

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 21/tcp Active

27080 File Transfer Protocol CVE-2000-0573 1387 06/03/2009 No

THREAT: WU-FTPD is the most popular FTP server used on Internet. WU-FTPD Version 2.6 (shipped with RedHat Version 6.2) contains a vulnerability in the "SITE EXEC" command. The behavior of a "vsnprintf()" function can be modified by overwriting the return address on the stack. Therefore, unauthorized remote users can execute code on the host. Anonymous FTP access is the only requirement for exploiting this vulnerability. IMPACT: By exploiting this vulnerability, unauthorized users can execute arbitrary commands as root on your server. SOLUTION: As a temporary patch, you can disable anonymous access on your server. However, this will not prevent legitimate users from exploiting the vulnerability. You can download a patch directly from the WU-FTPD Web site (http://www.wuftpd.org). COMPLIANCE: Not Applicable RESULTS: No results available

WU-FTPd File Globbing Heap Corruption Vulnerability

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 21/tcp Active

27126 File Transfer Protocol CVE-2001-0550 RHSA-2001-157 3581 06/17/2009 No

THREAT: WU-FTPd is a popular Unix FTP server. It's based on the BSD FTPd, which is maintained by Washington University. WU-FTPd allows clients to organize files for FTP actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in WU-FTPd contains a heap corruption vulnerability that may allow a malicious remote user to execute arbitrary code on a server. During the processing of a globbing pattern, the WU-FTPd implementation creates a list of the files that match. The memory where this data is stored is on the heap, allocated using malloc(). The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocated memory. If an error occurs processing the pattern, memory will not be allocated and a variable indicating this should be set. The calling functions must check the value of this variable before attempting to use the globbed filenames (and later freeing the memory). Under certain circumstances, the globbing function does not set this variable when an error occurs. As a result of this, WU-FTPd will eventually attempt to free uninitialized memory. If this region of memory contained user-controllable data before the free call, it may be possible to have an arbitrary word in memory overwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten. If anonymous FTP is not enabled, then valid user credentials are required to exploit this vulnerability. IMPACT:

Dataway High Severity Host Report

page 40

If successfully exploited, a remote malicious user may be able to execute arbitrary code with the privileges of WU-FTPd, typically root. SOLUTION: Apply the patch supplied by your vendor. Alternatively, apply the patch provided by WU-FTPd. Workaround: Block or restrict access to the port used by WU-FTPd, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPd. Disable anonymous FTP access. Disable WU-FTPd until a patch can be applied.

COMPLIANCE: Not Applicable RESULTS: No results available

147.144.40.253 (rpg1.ccsf.cc.ca.us, -)

Windows 2000 Service Pack 3-4

Vulnerabilities (3) 5

Microsoft SQL Server 2000 Service Pack 4 Missing

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

New

19124 Database 05/11/2009 No

Microsoft SQL Server 2000 Latest Patch Not Installed

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

Dataway High Severity Host Report

port 1433/tcp New

19090 Database 05/14/2009 No

page 41

PPTP VPN Configuration Allows Weak MS-CHAPv1 Authentication

QID: Category: CVE ID: Vendor Reference: Bugtraq ID: Modified: Edited:

port 1723/tcp New

38110 General remote services 02/09/2009 No

THREAT: The configuration of a PPTP Virtual Private Network server on this host allows clients to authenticate using the weak MS-CHAPv1 protocol (Microsoft's variation of Challenge Handshake Authentication Protocol, version 1), which contains several weaknesses. The most significant weakness is that encryption keys negotiated by MS-CHAPv1 are used for both directions of the link. This allows an attacker with access to the encrypted data stream to effectively decrypt all data in the data stream using a trivial XOR attack. IMPACT: An attacker with access to the data stream between client and server may be able to decrypt the data stream, thus negating the effects of data encryption. This may lead to further attacks, such as session hijacking or password theft. SOLUTION: Disable MS-CHAPv1 support on the VPN server, and only allow the stronger CHAP or MS-CHAPv2 protocols instead. Instructions on enabling the MS-CHAPv2 protocol are available at the MS-CHAP version 2 Web page (http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_RASS_MSCHAPv2.htm) on Microsoft's site. For machines running Windows NT 4.0, Windows 95, or Windows 98, this may require applying the latest security patch. Refer to this document (http://www.schneier.com/paper-pptp.html) for details. COMPLIANCE: Not Applicable RESULTS: No results available

147.144.49.242 (s-arx169-kcsf.ccsf.cc.ca.us, -)

Windows XP Service Pack 0-1

Vulnerabilities (1) 5

Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067)

QID: Category: CVE ID:

Dataway High Severity Host Report

New

90464 Windows CVE-2008-4250

page 42

Vendor Reference: Bugtraq ID: Modified: Edited:

MS08-067 31874 02/12/2009 No

THREAT: The Microsoft Windows Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC. The Server service is vulnerable to remote code execution issue, due to the service not properly handling specially-crafted RPC requests. Any anonymous user who can deliver a specially-crafted message to the affected system could try to exploit this vulnerability. Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): December 2008 Updates are Available (including for XPe SP3 and Standard) (http://blogs.msdn.com/embedded/archive/2008/12/26/december-2008-updates-are-available-including-for-xpe-sp3-and-standard.aspx) (KB958644)October 2008 Security Updates Include a Bonus (http://blogs.msdn.com/embedded/archive/2008/10/30/october-2008-security-updates-include-a-bonus.aspx) (KB958644) IMPACT: An attacker who successfully exploits this vulnerability could take complete control of the affected system. SOLUTION: Patch: Following are links for downloading patches to fix the vulnerabilities: Microsoft Windows 2000 Service Pack 4: http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3 (http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3) Windows XP Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03 (http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03) Windows XP Service Pack 3: http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03 (http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03) Windows XP Professional x64 Edition: http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25 (http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25) Windows XP Professional x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25 (http://www.microsoft.com/downloads/details.aspx?familyid=4C16A372-7BF8-4571-B982-DAC6B2992B25) Windows Server 2003 Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D (http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D) Windows Server 2003 Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D (http://www.microsoft.com/downloads/details.aspx?familyid=F26D395D-2459-4E40-8C92-3DE1C52C390D) Windows Server 2003 x64 Edition: http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400 (http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400) Windows Server 2003 x64 Edition Service Pack 2: http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400 (http://www.microsoft.com/downloads/details.aspx?familyid=C04D2AFB-F9D0-4E42-9E1F-4B944A2DE400) Windows Server 2003 with SP1 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF (http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF) Windows Server 2003 with SP2 for Itanium-based Systems: http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF (http://www.microsoft.com/downloads/details.aspx?familyid=AB590756-F11F-43C9-9DCC-A85A43077ACF) Windows Vista and Windows Vista Service Pack 1: http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD-AC5C-CAC7D8713B21 (http://www.microsoft.com/downloads/details.aspx?familyid=18FDFF67-C723-42BD-AC5C-CAC7D8713B21) For a complete list of patch download links, please refer to Micrsoft Security Bulletin MS08-067 (http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx). COMPLIANCE: Not Applicable RESULTS: Detected through MSRPC Interface

Dataway High Severity Host Report

page 43

Appendix Selected Scans Date :

07/05/2009 at 07:25:25 (GMT-0800)

Active Hosts :

Total Hosts :

269

Type :

On demand

Status :

Finished

Reference :

scan/1246807525.1079

Scanner Appliance : 64.39.104.154 (Scanner 5.1.39-1,Web 6.5.117-1,Vulnsigs 1.23.19-2) Duration :

00:47:34

Title :

InternetScan

Asset Groups :

ServerGroup

IPs :

147.144.1.0-147.144.1.255, 147.144.4.4, 147.144.17.71-147.144.17.72, 147.144.19.11, 147.144.20.19, 147.144.20.40, 147.144.33.130, 147.144.40.253, 147.144.49.242, 147.144.51.52, 147.144.55.252, 147.144.55.254, 147.144.79.245

Options Profile :

Initial Options

Date :

07/05/2009 at 08:15:41 (GMT-0800)

Active Hosts :

Total Hosts :

269

Type :

On demand

Status :

Finished

Reference :

scan/1246810541.23046

Scanner Appliance : 64.39.104.177 (Scanner 5.1.39-1,Web 6.5.117-1,Vulnsigs 1.23.19-2) Duration :

00:39:30

Title :

full-access-scan

Asset Groups :

ServerGroup

IPs :

Options Profile :

Initial Options

Options Profile Initial Options Scan Settings Ports: Scanned TCP Ports:

Standard Scan

Scanned UDP Ports:

Standard Scan

Scan Dead Hosts:

Off

Load Balancer Detection:

Off

Perform 3-way Handshake:

Off

Vulnerability Detection:

Complete

Password Brute Forcing: System:

Disabled

Custom:

Disabled

Authentication: Windows:

Disabled

Unix:

Disabled

Oracle:

Disabled

Oracle Listener:

Disabled

SNMP:

Disabled

Overall Performance:

Normal

Hosts to Scan in Parallel:

Dataway High Severity Host Report

page 44

External Scanners:

Scanner Appliances:

Processes to Run in Parallel: Total:

HTTP:

Packet (Burst) Delay:

Medium

Port Scanning and Host Discovery: Intensity:

Normal

Advanced Settings Host Discovery:

TCP Standard Scan, UDP Standard Scan, ICMP On

Ignore RST packets:

Off

Ignore firewall-generated SYN-ACK packets:

Off

Do not send ACK or SYN-ACK packets during host discovery: Off

Report Filters Vulnerability Lists:

Scan Report Template: High Severity Report

QIDs:

1001, 1002, 1005, 1006, 1007, 1008, 1009, 1010, 1011, 1012, 1013, 1014, 1016, 1017, 1019, 1021, 1022, 1023, 1024, 1025, 1026, 1114, 1115, 1116, 1117, 1119, 1120, 1121, 1122, 1125, 1126, 1128, 1129, 1131, 1132, 1133, 1134, 1135, 1137, 1138, 1139, 1140, 1141, 1142, 1143, 1144, 1145, 1146, 1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154, 1155, 1156, 1157, 1158, 1159, 1160, 1161, 1163, 1166, 1167, 1168, 1169, 1171, 1172, 1173, 1175, 1176, 1177, 1178, 1180, 1181, 1182, 1183, 1184, 1185, 1186, 1187, 1188, 1190, 1191, 1192, 1193, 1195, 1199, 1201, 1203, 1204, 1205, 1206, 1207, 1210, 1212, 1213, 1214, 1216, 1217, 1222, 1224, 1225, 1226, 1227, 1228, 1232, 1406, 2600, 5000, 5005, 10000, 10001, 10003, 10004, 10006, 10007, 10008, 10009, 10010, 10012, 10013, 10014, 10017, 10018, 10021, 10022, 10024, 10025, 10026, 10027, 10028, 10029, 10031, 10032, 10034, 10035, 10036, 10037, 10038, 10040, 10042, 10044, 10045, 10048, 10049, 10053, 10054, 10056, 10057, 10059, 10062, 10065, 10066, 10067, 10069, 10070, 10071, 10072, 10073, 10074, 10079, 10082, 10087, 10090, 10094, 10096, 10098, 10103, 10107, 10109, 10113, 10114, 10117, 10122, 10123, 10124, 10126, 10127, 10129, 10130, 10131, 10132, 10134, 10135, 10137, 10141, 10142, 10143, 10144, 10146, 10151, 10154, 10158, 10161, 10162, 10163, 10164, 10165, 10167, 10168, 10170, 10171, 10174, 10177, 10180, 10181, 10184, 10188, 10191, 10192, 10194, 10195, 10197, 10200, 10204, 10206, 10208, 10212, 10216, 10218, 10220, 10221, 10222, 10223, 10230, 10232, 10233, 10236, 10237, 10239, 10243, 10244, 10245, 10249, 10250, 10252, 10253, 10254, 10257, 10258, 10259, 10260, 10263, 10265, 10266, 10268, 10328, 10329, 10332, 10333, 10335, 10336, 10341, 10342, 10346, 10349, 10353, 10355, 10356, 10357, 10359, 10361, 10364, 10365, 10367, 10371, 10374, 10375, 10381, 10383, 10386, 10389, 10392, 10394, 10396, 10397, 10398, 10399, 10401, 10402, 10403, 10404, 10405, 10406, 10409, 10410, 10411, 10412, 10413, 10415, 10416, 10417, 10418, 10428, 10429, 10430, 10431, 10435, 10436, 10438, 10451, 10454, 10467, 10486, 10490, 10493, 10521, 10524, 10525, 10534, 10536, 10537, 10540, 10557, 10558, 10568, 10570, 10571, 10572, 10577, 10578, 10580, 10581, 10583, 10584, 10585, 10586, 10587, 10590, 10623, 10624, 10625, 10626, 10630, 10633, 10636, 10647, 10650, 10651, 10655, 10656, 10662, 10664, 10669, 10670, 10681, 10684, 10694, 10701, 10702, 10703, 10704, 10710, 10711, 10712, 10715, 10719, 10720, 10723, 10730, 10732, 10734, 10739, 10740, 10746, 10752, 10753, 10758, 10760, 10779, 10784, 10789, 10794, 10798, 10802, 10808, 10810, 10812, 10821, 10822, 10832, 10837, 10848, 10849, 10850, 10854, 10855, 10856, 10861, 10863, 10865, 10867, 10869, 10870, 10871, 10872, 10873, 10874, 10875, 10876, 10877, 10879, 10885, 10886, 10888, 10890, 10893, 10897, 10900, 10901, 10916, 10918, 10932, 10935, 10942, 10943, 10949, 10952, 10957, 10958, 10964, 10965, 10966, 10967, 10968, 10969, 10970, 10971, 10972, 10975, 10977, 10978, 10979, 10980, 10982, 10984, 10987, 10988, 10989, 10990, 10991, 10992, 10997, 11003, 11005, 11008, 11009, 11013, 11024, 11027, 11039, 11040, 11041, 11048, 11050, 11054, 11057, 11058, 11060, 11064, 11068, 11080, 11081, 11083, 11085, 11089, 11090, 11092, 11093, 11096, 11098, 11104, 11105, 11106, 11108, 11112, 11113, 11116, 11118, 11119, 11120, 11123, 11132, 11133, 11145, 11157, 11158, 11159, 11161, 11164, 11166, 11167, 11170, 11177, 11180, 11182, 11184, 11186, 11187, 11188, 11194, 11195, 11196, 11198, 11200, 11202, 11205, 11210, 11211, 11212, 11213, 11214, 11215, 11218, 11219, 11223, 11230, 11232, 11233, 11236, 11237, 11238, 11241, 11243, 11245, 11246, 11247, 11250, 11251, 11259, 11263, 11265, 11270, 11271, 11272, 11278, 11281, 11283, 11285, 11296, 11297, 11300, 11304, 11305, 11307, 11309, 11310, 11312, 11318, 11326, 11327, 11329, 11337, 11339, 11348, 11362, 11364, 11366, 11371, 11372, 11384, 11386, 11390, 11396, 11400, 11413, 11415, 11417, 11419, 11430, 11436, 11437, 11438, 11439, 11440, 11452, 11453, 11455, 11458, 11464, 11465, 11466, 11467, 11468, 11473, 11481, 11482, 11483, 11485, 12001, 12002, 12003, 12005, 12010, 12017, 12018, 12020, 12023, 12025, 12026, 12027, 12030, 12032, 12035, 12036, 12039, 12041, 12042, 12043, 12045, 12047, 12050, 12052, 12053, 12054, 12055, 12056, 12057, 12060, 12062, 12067, 12068, 12069, 12075, 12077, 12079, 12080, 12081, 12082, 12085, 12097, 12098, 12099, 12100, 12103, 12119, 12121, 12128, 12133, 12135, 12138, 12139, 12141, 12142, 12151, 12153, 12157, 12165, 12168, 12175, 12177, 12178, 12183, 12186, 12191, 12193, 12195, 12196, 12205, 12210, 12211, 12212, 12214, 12221, 12236, 12258, 12260, 12263, 12278, 15033, 15037, 15039, 15040, 15041, 15042, 15043, 15044, 15047, 19001, 19003, 19004, 19005, 19013, 19029, 19058, 19059, 19060, 19061, 19064, 19065, 19066, 19067, 19068, 19069, 19070, 19071, 19078, 19086, 19089, 19090, 19091, 19093, 19094, 19096, 19099, 19103, 19106, 19107, 19108, 19109, 19112, 19124, 19146, 19147, 19150, 19151, 19154, 19155, 19156, 19157, 19158,

Dataway High Severity Host Report

page 45

19159, 19160, 19161, 19162, 19164, 19197, 19203, 19205, 19210, 19211, 19215, 19216, 19219, 19223, 19227, 19231, 19232, 19238, 19260, 19267, 19277, 19278, 19279, 19280, 19281, 19282, 19283, 19284, 19285, 19286, 19287, 19288, 19289, 19290, 19291, 19292, 19293, 19294, 19295, 19296, 19297, 19298, 19299, 19300, 19301, 19302, 19303, 19304, 19305, 19306, 19308, 19309, 19310, 19311, 19312, 19313, 19314, 19315, 19316, 19317, 19318, 19319, 19320, 19321, 19322, 19323, 19324, 19325, 19326, 19327, 19328, 19329, 19330, 19331, 19332, 19333, 19334, 19336, 19337, 19338, 19339, 19340, 19341, 19342, 19343, 19344, 19345, 19346, 19347, 19348, 19349, 19350, 19351, 19352, 19353, 19354, 19355, 19356, 19357, 19358, 19359, 19360, 19361, 19362, 19363, 19364, 19365, 19366, 19367, 19368, 19369, 19370, 19371, 19372, 19373, 19374, 19375, 19376, 19377, 19378, 19379, 19380, 19381, 19382, 19383, 19384, 19385, 19386, 19387, 19388, 19389, 19390, 19391, 19392, 19393, 19394, 19395, 19396, 19397, 19398, 19399, 19400, 19401, 19402, 19403, 19404, 19405, 19406, 19407, 19408, 19409, 19413, 19414, 19415, 19416, 19417, 19418, 19419, 19420, 19421, 19422, 19423, 19424, 19425, 19426, 19427, 19428, 19429, 19430, 19431, 19432, 19433, 19434, 19435, 19436, 19437, 19438, 19439, 19440, 19441, 19442, 19443, 19444, 19445, 19446, 19447, 19448, 19449, 19450, 19451, 19452, 19453, 19454, 19455, 19456, 19457, 19458, 19459, 19460, 19461, 19462, 19463, 19468, 19469, 19470, 19471, 19472, 19474, 19475, 19476, 19477, 19478, 19479, 19480, 19481, 19482, 19483, 19484, 19485, 19486, 19487, 19488, 19489, 19490, 19491, 19494, 19495, 19496, 19497, 19498, 19499, 23004, 23005, 23007, 23008, 23009, 23011, 23012, 23013, 23014, 23016, 27002, 27004, 27006, 27007, 27009, 27011, 27014, 27017, 27018, 27023, 27024, 27026, 27027, 27028, 27031, 27032, 27040, 27041, 27045, 27047, 27049, 27051, 27064, 27068, 27069, 27071, 27075, 27076, 27078, 27080, 27081, 27086, 27089, 27092, 27094, 27095, 27099, 27101, 27104, 27106, 27107, 27110, 27111, 27112, 27116, 27117, 27118, 27125, 27126, 27130, 27133, 27135, 27142, 27143, 27145, 27146, 27150, 27151, 27152, 27153, 27160, 27161, 27163, 27164, 27165, 27166, 27167, 27169, 27170, 27171, 27174, 27179, 27181, 27185, 27191, 27192, 27193, 27197, 27203, 27204, 27205, 27206, 27207, 27210, 27211, 27217, 27221, 27222, 27223, 27228, 27229, 27234, 27236, 27244, 27245, 27247, 27257, 27258, 27265, 27279, 27302, 31004, 31005, 31006, 31007, 31008, 31013, 31014, 34008, 34016, 34019, 34023, 34024, 34025, 34030, 34039, 38008, 38022, 38023, 38024, 38026, 38027, 38028, 38031, 38036, 38037, 38043, 38048, 38053, 38054, 38064, 38066, 38068, 38071, 38075, 38076, 38078, 38083, 38087, 38097, 38103, 38105, 38106, 38108, 38109, 38110, 38123, 38125, 38133, 38134, 38137, 38142, 38143, 38146, 38156, 38157, 38158, 38160, 38161, 38162, 38175, 38176, 38180, 38182, 38183, 38184, 38185, 38187, 38188, 38189, 38197, 38207, 38212, 38215, 38216, 38222, 38224, 38225, 38227, 38228, 38231, 38233, 38244, 38259, 38261, 38264, 38271, 38272, 38276, 38278, 38279, 38281, 38283, 38286, 38288, 38304, 38305, 38308, 38314, 38315, 38316, 38317, 38318, 38320, 38321, 38326, 38330, 38332, 38334, 38335, 38338, 38340, 38345, 38346, 38347, 38350, 38355, 38356, 38357, 38358, 38360, 38361, 38362, 38363, 38364, 38365, 38367, 38368, 38369, 38370, 38371, 38373, 38374, 38376, 38377, 38380, 38381, 38382, 38385, 38386, 38387, 38388, 38389, 38390, 38391, 38392, 38393, 38394, 38395, 38396, 38398, 38399, 38400, 38403, 38405, 38406, 38410, 38412, 38415, 38417, 38419, 38423, 38446, 38455, 38461, 38469, 38473, 38475, 38482, 38483, 38484, 38486, 38490, 38504, 38506, 38511, 38516, 38531, 38535, 38545, 38546, 38553, 38554, 38555, 38560, 38561, 38562, 38565, 38566, 38569, 38570, 38571, 38574, 38575, 38576, 38578, 38583, 38586, 38590, 38595, 42005, 42006, 42007, 42008, 42020, 43001, 43002, 43005, 43008, 43010, 43014, 43016, 43017, 43018, 43021, 43023, 43057, 43061, 43064, 43065, 43066, 43067, 43068, 43069, 43070, 43072, 43076, 43088, 43090, 43117, 43119, 43122, 43123, 43124, 43125, 43126, 43127, 43128, 43129, 45003, 50001, 50002, 50007, 50008, 50014, 50015, 50023, 50025, 50027, 50029, 50034, 50035, 50036, 50037, 50039, 50044, 50051, 50054, 50062, 50066, 50067, 50068, 50071, 50073, 50074, 50076, 50077, 50080, 50081, 50083, 50085, 50086, 50088, 54000, 54001, 54002, 54003, 54010, 62004, 62005, 62013, 62024, 62025, 62029, 62030, 62033, 62034, 62036, 62037, 62040, 62042, 62043, 62045, 62046, 62052, 62054, 62059, 66001, 66010, 66011, 66031, 66034, 66038, 66049, 68504, 68507, 68517, 68518, 68520, 68522, 68524, 68528, 68530, 68531, 68532, 68533, 70002, 70003, 70005, 70006, 70014, 70016, 70017, 70023, 70024, 70029, 70032, 70034, 70036, 70037, 70042, 70043, 70044, 70046, 70050, 74016, 74024, 74027, 74030, 74031, 74047, 74048, 74049, 74051, 74052, 74054, 74057, 74059, 74062, 74063, 74064, 74065, 74066, 74070, 74071, 74072, 74074, 74075, 74080, 74081, 74086, 74106, 74111, 74112, 74121, 74129, 74131, 74133, 74135, 74138, 74139, 74140, 74143, 74146, 74149, 74151, 74152, 74154, 74155, 74156, 74157, 74162, 74164, 74167, 74168, 74169, 74170, 74172, 74174, 74175, 74177, 74178, 74179, 74180, 74181, 74182, 74185, 74198, 74206, 74213, 74214, 74219, 74228, 74232, 78029, 78031, 78035, 78039, 78041, 78043, 78044, 82043, 82051, 82060, 86011, 86019, 86020, 86021, 86026, 86027, 86028, 86030, 86034, 86036, 86038, 86040, 86042, 86043, 86052, 86053, 86056, 86059, 86060, 86061, 86067, 86070, 86073, 86075, 86083, 86084, 86088, 86092, 86109, 86112, 86114, 86135, 86140, 86164, 86168, 86169, 86170, 86182, 86183, 86185, 86187, 86188, 86195, 86211, 86212, 86213, 86215, 86217, 86218, 86219, 86220, 86224, 86225, 86227, 86228, 86231, 86235, 86236, 86237, 86238, 86239, 86242, 86243, 86250, 86255, 86260, 86261, 86266, 86271, 86276, 86281, 86294, 86300, 86305, 86328, 86329, 86352, 86353, 86355, 86368, 86372, 86375, 86385, 86389, 86398, 86401, 86403, 86411, 86418, 86426, 86427, 86430, 86440, 86441, 86443, 86446, 86447, 86450, 86451, 86452, 86453, 86458, 86459, 86460, 86461, 86464, 86465, 86466, 86467, 86468, 86470, 86479, 86504, 86505, 86507, 86508, 86510, 86512, 86514, 86515, 86518, 86520, 86522, 86525, 86526, 86527, 86530, 86531, 86536, 86537, 86546, 86547, 86548, 86551, 86553, 86555, 86560, 86561, 86566, 86568, 86571, 86574, 86582, 86588, 86596, 86598, 86603, 86604, 86607, 86614, 86620, 86631, 86634, 86635, 86644, 86651, 86652, 86654, 86655, 86661, 86663, 86668, 86669, 86673, 86674, 86675, 86678, 86682, 86684, 86686, 86689, 86690, 86691, 86702, 86707, 86832, 86837, 90005, 90028, 90032, 90049, 90050, 90051, 90054, 90056, 90064, 90070, 90071, 90072, 90073, 90075, 90078, 90079, 90085, 90086, 90089, 90102, 90103, 90104, 90108, 90109, 90110, 90111, 90112, 90113, 90115, 90122, 90123, 90125, 90131, 90132, 90133, 90134, 90135, 90137, 90140, 90141, 90153, 90155, 90158, 90160, 90161, 90162, 90164, 90166, 90167, 90168, 90169, 90171, 90172, 90176, 90178, 90180, 90182, 90183, 90184, 90185, 90186, 90187, 90188, 90189, 90190, 90192, 90193, 90198, 90199, 90200, 90201, 90202, 90203, 90204, 90205, 90207, 90211, 90212, 90215, 90216, 90217, 90221, 90222, 90223, 90225, 90227, 90228, 90229, 90230, 90231, 90233, 90234, 90237, 90240, 90241, 90242, 90243, 90247, 90249, 90252, 90253, 90256, 90261, 90262, 90267, 90268, 90270, 90271, 90273, 90274, 90275, 90276, 90278, 90280, 90282, 90283, 90284, 90286, 90289, 90291, 90292, 90296, 90297, 90301, Dataway High Severity Host Report

page 46

90303, 90305, 90307, 90308, 90309, 90311, 90312, 90314, 90316, 90318, 90319, 90327, 90328, 90329, 90336, 90337, 90338, 90339, 90340, 90341, 90342, 90343, 90345, 90351, 90352, 90355, 90356, 90361, 90363, 90364, 90365, 90367, 90368, 90370, 90371, 90372, 90377, 90378, 90379, 90380, 90381, 90382, 90383, 90385, 90388, 90389, 90390, 90392, 90393, 90394, 90395, 90397, 90398, 90401, 90403, 90404, 90405, 90406, 90407, 90408, 90409, 90414, 90417, 90418, 90419, 90420, 90423, 90425, 90427, 90428, 90430, 90431, 90432, 90433, 90434, 90435, 90437, 90438, 90439, 90441, 90444, 90445, 90448, 90449, 90450, 90452, 90453, 90455, 90457, 90458, 90459, 90460, 90461, 90462, 90463, 90464, 90466, 90467, 90469, 90470, 90471, 90472, 90473, 90474, 90475, 90477, 90478, 90479, 90481, 90482, 90483, 90484, 90488, 90490, 90493, 90495, 90499, 90501, 90502, 90503, 90504, 90506, 90510, 90511, 90512, 90513, 90514, 90515, 90516, 90517, 90518, 90519, 90521, 90522, 90523, 90524, 90525, 90526, 90527, 90528, 90529, 90530, 90531, 90535, 90537, 90543, 90544, 90545, 90546, 90547, 90549, 90550, 90551, 90552, 90554, 90565, 90566, 90567, 90568, 95001, 95005, 95006, 95007, 100000, 100001, 100002, 100003, 100004, 100006, 100007, 100008, 100018, 100022, 100024, 100025, 100026, 100028, 100029, 100030, 100031, 100032, 100033, 100034, 100035, 100036, 100037, 100038, 100039, 100045, 100046, 100047, 100050, 100051, 100052, 100053, 100054, 100055, 100056, 100057, 100058, 100059, 100063, 100064, 100065, 100067, 100070, 100071, 100073, 105007, 105010, 105012, 105029, 105030, 105081, 105082, 105095, 105096, 110001, 110002, 110003, 110004, 110006, 110007, 110008, 110009, 110010, 110011, 110012, 110014, 110015, 110017, 110018, 110019, 110020, 110023, 110025, 110026, 110027, 110028, 110029, 110031, 110032, 110033, 110034, 110035, 110036, 110038, 110041, 110042, 110043, 110044, 110045, 110046, 110048, 110049, 110050, 110051, 110052, 110053, 110054, 110055, 110056, 110057, 110059, 110060, 110062, 110063, 110064, 110065, 110066, 110067, 110069, 110070, 110071, 110072, 110073, 110074, 110075, 110076, 110077, 110078, 110079, 110080, 110081, 110082, 110083, 110084, 110085, 110086, 110088, 110090, 110092, 110093, 110094, 110095, 110096, 110097, 110098, 110099, 110100, 110101, 110111, 115000, 115001, 115002, 115003, 115005, 115006, 115007, 115013, 115014, 115015, 115016, 115018, 115020, 115021, 115022, 115024, 115025, 115028, 115036, 115037, 115038, 115039, 115043, 115047, 115053, 115060, 115260, 115270, 115272, 115280, 115281, 115289, 115292, 115293, 115297, 115299, 115301, 115302, 115304, 115306, 115312, 115341, 115345, 115346, 115354, 115359, 115361, 115363, 115372, 115373, 115375, 115376, 115382, 115383, 115384, 115385, 115388, 115395, 115398, 115400, 115403, 115406, 115409, 115411, 115413, 115414, 115416, 115417, 115419, 115422, 115425, 115427, 115429, 115431, 115436, 115437, 115440, 115441, 115445, 115446, 115447, 115448, 115449, 115454, 115461, 115462, 115466, 115470, 115471, 115475, 115478, 115479, 115480, 115483, 115486, 115488, 115492, 115493, 115499, 115500, 115501, 115512, 115515, 115516, 115517, 115520, 115521, 115523, 115527, 115532, 115533, 115535, 115539, 115540, 115541, 115544, 115545, 115550, 115551, 115557, 115560, 115564, 115568, 115571, 115574, 115578, 115579, 115581, 115582, 115586, 115589, 115592, 115593, 115595, 115596, 115597, 115598, 115599, 115601, 115603, 115604, 115620, 115622, 115629, 115631, 115634, 115640, 115641, 115647, 115648, 115649, 115650, 115656, 115658, 115659, 115661, 115665, 115666, 115668, 115670, 115673, 115674, 115675, 115676, 115678, 115679, 115681, 115683, 115687, 115688, 115689, 115690, 115694, 115695, 115698, 115701, 115707, 115708, 115709, 115710, 115711, 115722, 115725, 115732, 115739, 115740, 115746, 115748, 115752, 115753, 115754, 115763, 115764, 115765, 115772, 115775, 115778, 115779, 115781, 115785, 115790, 115793, 115796, 115802, 115803, 115807, 115808, 115809, 115811, 115812, 115816, 115817, 115818, 115819, 115823, 115824, 115828, 115829, 115836, 115838, 115842, 115847, 115848, 115851, 115852, 115855, 115859, 115860, 115862, 115865, 115866, 115870, 115872, 115876, 115879, 115885, 115894, 115901, 115903, 115908, 115918, 115921, 115924, 115925, 115926, 115928, 115932, 115935, 115937, 115940, 115943, 115944, 115949, 115955, 115959, 115960, 115963, 115967, 115969, 115978, 115979, 115983, 115987, 115989, 115991, 115992, 115995, 115996, 116003, 116007, 116011, 116012, 116017, 116025, 116027, 116031, 116032, 116035, 116039, 116044, 116046, 116063, 116068, 116069, 116081, 116086, 116088, 116089, 116091, 116109, 116114, 116134, 116136, 116137, 116139, 116142, 116143, 116145, 116148, 116149, 116151, 116155, 116164, 116170, 116172, 116173, 116174, 116178, 116179, 116180, 116181, 116182, 116184, 116185, 116194, 116195, 116196, 116197, 116205, 116215, 116219, 116220, 116232, 116234, 116238, 116244, 116247, 116255, 116257, 116258, 116261, 116263, 116264, 116273, 116275, 116281, 116311, 116318, 116328, 116333, 116334, 116339, 116345, 116348, 116351, 116353, 116358, 116360, 116363, 116367, 116369, 116374, 116384, 116385, 116387, 116389, 116390, 116391, 116393, 116395, 116396, 116399, 116400, 116403, 116407, 116408, 116416, 116420, 116423, 116424, 116428, 116429, 116431, 116437, 116440, 116443, 116453, 116455, 116459, 116461, 116463, 116471, 116473, 116474, 116477, 116484, 116496, 116509, 116510, 116517, 116521, 116528, 116529, 116530, 116535, 116536, 116539, 116542, 116547, 116548, 116552, 116553, 116556, 116602, 116603, 116607, 116608, 116609, 116624, 116635, 116637, 116645, 116650, 116660, 116672, 116677, 150000, 150001, 150003, 150012, 150013, 150046, 150047, 150048, 150049, 155358, 175000, 175001, 175002, 175003 Status:

New, Active, Re-Opened

Vulnerabilities:

State:Active

Included Operating Systems: All Operating Systems

Report Legend Vulnerability Levels A Vulnerability is a design flaw or mis-configuration which makes your network (or a host on your network) susceptible to malicious attacks from local or remote users. Vulnerabilities can exist in several areas of your network, such as in your firewalls, FTP servers, Web servers, operating systems or CGI bins. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information about the host to a complete compromise of the host. Severity Dataway High Severity Host ReportLevel

Description

page 47

Severity

Level

Description

Minimal

Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.

Medium

Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.

Serious

Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.

Critical

Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.

Urgent

Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.

Potential Vulnerability Levels A potential vulnerability is one which we cannot confirm exists. The only way to verify the existence of such vulnerabilities on your network would be to perform an intrusive scan, which could result in a denial of service. This is strictly against our policy. Instead, we urge you to investigate these potential vulnerabilities further. Severity

Level

Description

Minimal

If this vulnerability exists on your system, intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.

Medium

If this vulnerability exists on your system, intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.

Serious

If this vulnerability exists on your system, intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.

Critical

If this vulnerability exists on your system, intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.

Urgent

If this vulnerability exists on your system, intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.

Information Gathered Information Gathered includes visible information about the network related to the host, such as traceroute information, Internet Service Provider (ISP), or a list of reachable hosts. Information Gathered severity levels also include Network Mapping data, such as detected firewalls, SMTP banners, or a list of open TCP services. Severity

Level

Description

Minimal

Intruders may be able to retrieve sensitive information related to the host, such as open UDP and TCP services lists, and detection of firewalls.

Medium

Intruders may be able to determine the operating system running on the host, and view banner versions.

Serious

Intruders may be able to detect highly sensitive data, such as global system user lists.

Dataway High Severity Host Report

page 48

This report was generated with an evaluation version of qualysguard This report was generated with an evaluation version of qualysguard

CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2009, Qualys, Inc.

Dataway High Severity Host Report

page 49