Attachment 3
IT Discovery Audit Report Prepared for:
This report is the result of a high-level discovery audit of City College of San Francisco’s (CCSF) Information Technology organization.
______________________________________________________________________
San Francisco • Orange County • Chicago • Atlanta Corporate Address: 35 Topaz Way San Francisco, CA 94131 http://www.usdn.net • info@usdn.net
Legal Notice COPYRIGHTS © 2010, USDN Inc. This document contains proprietary and confidential material of USDN. Any unauthorized reproduction, use or disclosure of this material, or any part thereof, is strictly prohibited. This document is solely for the use by City College of San Francisco employees. This is an unpublished work protected under the copyright laws. All rights reserved.
Document Details
Document Type: Audit Report
Project Name: City College of San Francisco Discovery Audit
Document Version: 2.00
Created by: USDN Inc.
Revision History
Version | Date | Author | Change Description
1.00 | 10/14/10 | CYC | Document Created
2.00 | 11/08/10 | CYC | Risk ratings, recommendation summary, paths forward added
USDN Contact Information
Anthony Castillo, CCIE, CISA, CISSP – Chief Scientist and Chief Executive Officer
702.858.4681 tony@usdn.net
Gabriel Straight – Senior Partner
Christine Castillo – Senior Partner
510.409.0409 christine@usdn.net
USDN Inc.
Proprietary and Confidential
Page 2 of 74
Table of Contents
IT Discovery Audit Report ..... 1
  Prepared for: ..... 1
  COPYRIGHTS © 2010, USDN Inc. ..... 2
How to Use This Report ..... 1
Executive Summary ..... 2
  Background ..... 2
  Audit Objective ..... 2
  Audit Scope ..... 2
  Method ..... 2
  Assessment of Findings ..... 3
  Conclusion and Paths Forward ..... 3
    Conclusion ..... 3
    Paths Forward ..... 4
Audit Findings Detail ..... 7
  IT Asset Inventory ..... 7
    Risk Assessment ..... 7
    Observation Details ..... 7
    Recommendations ..... 8
  IT Security Policies & Procedures ..... 9
    Risk Assessment ..... 9
    Observation Details ..... 9
    Recommendations ..... 10
  Critical Applications ..... 11
    Risk Assessment ..... 11
    Observation Details ..... 11
    Recommendations ..... 11
  User Access Controls ..... 12
    Risk Assessment ..... 12
    Observation Details ..... 12
    Recommendations ..... 12
  Security Architecture and Design ..... 13
    Risk Assessment ..... 13
    Observation Details ..... 13
    Recommendations ..... 13
  Network Security ..... 14
    Risk Assessment ..... 14
    Observation Details ..... 14
    Recommendations ..... 14
  Network Monitoring ..... 15
    Risk Assessment ..... 15
    Observation Details ..... 15
    Recommendations ..... 15
Changes of Opportunity ..... 16
  Background ..... 16
  Vulnerability Issue Found and Fixed ..... 17
  Recommendations ..... 17
Recommendations Summary ..... 18
Appendix A – USDN Key Audit Member Biographies ..... 19
  Anthony P. Castillo, CCIE, CISA, CISSP ..... 19
    Biography ..... 19
    Summary of Qualifications ..... 19
    Relevant Experience ..... 19
    Awards & Recognition ..... 19
  Gabriel Straight ..... 20
    Biography ..... 20
    Summary of Qualifications ..... 20
    Relevant Experience ..... 20
    Other Skills ..... 20
  Christine Castillo ..... 21
    Biography ..... 21
    Summary of Qualifications ..... 21
    Relevant Experience ..... 21
Appendix B – CCSF IT Organization Chart ..... 22
  CCSF IT Organization – Overview ..... 22
Appendix C – Security Issues and Recommended Fixes for 147.144.1.3 ..... 23
How to Use This Report
This report is organized into the following sections:
Executive Summary – Includes a synopsis of the audit scope, objectives, audit method, assessment of findings and conclusion. It provides audit highlights, problem areas and offers strategic recommendations for paths forward.
Audit Findings Detail – Provides an assessment, description of risk and recommendations for each IT audit area covered.
Changes of Opportunity – Describes findings that, although not part of the planned audit scope, were determined to be significant and impactful to CCSF’s IT organization.
Recommendations Summary – Provides a centralized collection of the recommendations made within the audit report.
Appendix A – Biographies of Key USDN Audit Members
Appendix B – CCSF IT Organization Chart
Appendix C – Security Issues and Recommended Fixes for 147.144.1.3. Provides findings associated with external penetration testing.
Executive Summary
Background
The City College of San Francisco IT Department supports systems, applications and web sites utilized by CCSF faculty, administrative staff and students. In order to gain an understanding of current conditions, Dr. Hotchkiss engaged USDN to perform a Discovery Audit of the CCSF IT organization.
Audit Objective
The purpose of the Discovery Audit was to provide an initial high-level assessment of the CCSF IT department’s general security position, risks, security practices and relevant policies and procedures. The ensuing evaluation findings were to provide CCSF management with an understanding of its strengths and weaknesses as well as a roadmap from which it could embark on proactive measures and improvements.
Audit Scope
The designated audit target was the CCSF IT organization and the assessment focused upon the following areas:
Server operating system and application vulnerabilities
Protocol and network infrastructure vulnerabilities
Excessive or inappropriate user privileges
Internal access controls and procedures
Internal firewalls separating sub-networks and the internet
Effectiveness in monitoring to identify security events and anomalies
Ability to identify and contain attacks and exploits
Method
The USDN audit team conducted interviews with key CCSF personnel and reviewed evidence materials provided which were relevant to the audit areas covered. Members of the USDN audit team who participated in the CCSF Discovery Audit included the individuals listed in the table below. Refer to Appendix A, “USDN Audit Team Biographies” for additional information.
Name | USDN Functional Title | Audit Responsibility
Anthony P. Castillo | CEO and Chief Scientist | Audit Lead
Christine Castillo | Senior Partner | Project management, documentation
Gabriel Straight | Senior Partner | Technical audit
CCSF key contact personnel who participated in audit interviews with USDN included the individuals listed in the table below.
Name | Functional Title | Area of Responsibility
David A. Hotchkiss, PhD | Chief Technology Officer | CCSF IT Organization
Tim Ryan | Networking Lead | Networking
Doug Re | Systems Lead | Systems
Frank Morales | Administrative Applications Lead | Administrative Applications
Glen Van Lehn | Systems Administrator | Systems
Shirley Barger | Systems Administrator | Systems
Mia Rusali | Associate Dean | Human Resources
Assessment of Findings
Based upon the findings of the Discovery Audit performed, USDN has determined that IT security is non-existent within the CCSF IT Organization. The current computing environment has been structured to address usability but not security. In its current condition it would be impossible to build a security framework upon the existing architecture because there is a fundamental lack of the basic foundation blocks needed to maintain a secure and available IT infrastructure.
Conclusion and Paths Forward
Conclusion
The CCSF IT organization is acting in a mostly reactionary state as it relates to information technology. The status quo within the organization is for circumstance and events to act as the main drivers for needs fulfillment. This leads to a running treadmill effect where everyone is moving very fast but essentially staying in exactly the same place. One example of this mode of operation is the recent network intrusion incident that took place on August 6, 2010. The response to this incident was handled in a linear, flat hierarchical manner with little opportunity for formal governance or oversight by upper management. The manner in which the intrusion incident was handled clearly demonstrates the need for segregation of duties. In this example, the staff that carried out the remediation tasks also developed the project plan for handling this specific incident. This procedural failure resulted in the presentation of unverified data to upper management as if it were factual data, which in turn skewed every decision that was based upon it, including the decision to declare that the hostile takeover incident of a critical server was now over and remediation complete.
After examining the completed response procedure carried out by CCSF IT, it was determined by USDN that since the hostile intruder had obtained administrative ("root") access rights on the compromised server which gave them the ability to falsify all of the log files and audit trails in use, nothing obtained from the server as evidence could be declared factual or complete. Comparison metrics relating the CCSF IT organization to other organizations cannot be derived at this time since the CCSF IT control environment which is the basis of a comparative framework is incomplete.
Paths Forward
Path Forward Recommendation #1: Implement Formalized Configuration Change Control
Configuration change control is a set of processes and approval stages required to change a configuration item's attributes and to re-baseline them. The concepts have been widely adopted by numerous technical management models, including systems engineering, integrated logistics support, Capability Maturity Model Integration (CMMI), ISO 9000, the PRINCE2 project management methodology, COBIT, the Information Technology Infrastructure Library (ITIL), product lifecycle management, and application lifecycle management. The purpose of configuration change control is to minimize the risks associated with any and all changes to the operating IT environment.
Remediation Details: Install configuration change control software and institute a framework of policies and procedures to support the initiative. The ISO 10007 standard, Quality management – Guidelines for configuration management, is a good place to start. Some software that can be used for this process is listed below:
Cfengine is a policy-based configuration management system written by Mark Burgess at Oslo University College. Its primary function is to provide automated configuration and maintenance of computers and networks, from a policy specification. The cfengine project was started in 1993 as a reaction to the complexity and non-portability of shell scripting for Unix configuration management, and continues today. The aim was to absorb frequently used coding paradigms into a declarative, domain-specific language that would offer self-documenting configuration.
Bcfg2 is a configuration management tool developed in the Mathematics and Computer Science Division of Argonne National Laboratory. The tool is written in Python and enables system administrators to manage the configuration of a large number of computers using a central configuration model.
There are also many commercially available software packages for configuration change control that can be deployed as well.
Path Forward Recommendation #2: Develop internal facing IT employee policies and procedures
Following on the previously discussed configuration change control needs, policies and procedures have to be put into place, specifically describing what constitutes an IT employee violation of a policy or procedure as well as the consequences for each violation. An example of one such consequence is that in most companies that are following any kind of best practice standard, should an employee make an unauthorized change to the live corporate infrastructure without approval of senior management (with or without resulting damage), that employee would be written up, then terminated. If damage did occur it would be common for the employee to be immediately terminated. Without such policies in place, minimizing the risk to the CCSF network infrastructure due to employee negligence is not possible.
Recommendation Details: Author formalized IT controls and implement procedures to ensure the controls are meeting the needs of the CCSF infrastructure. ISO 27002 (formerly ISO 17799) and the COBIT framework are great references to help with this task.
Path Forward Recommendation #3: Start the Business Continuity Planning process
Business Continuity Planning is an interdisciplinary concept used to create and validate a practiced logistical plan for how an organization will recover and restore partially or completely interrupted critical function(s) within a predetermined time after a disaster or extended disruption. In plain language, business continuity planning is how an organization prepares for future incidents that could jeopardize the organization's core mission and its long term health. Incidents include local incidents like building fires or hardware outages, regional incidents like earthquakes or electrical blackouts, or national incidents like pandemic illnesses. During the audit process it was discovered that no business continuity planning exists.
Recommendation Details: Develop a business continuity plan and set up a cycle of paper testing, walk-through testing, and once a year full testing of the plan to keep it relevant and useful. Some resources that will help with this are:
ISO/IEC 27001:2005 (formerly BS 7799-2:2002) by the International Organization for Standardization
ISO/IEC 17799:2005 by the International Organization for Standardization
"Purpose of Standard Checklist Criteria For Business Recovery" (no date), Federal Emergency Management Agency. Retrieved July 26, 2006
"A Guide to Business Continuity Planning" by James C. Barnes
Path Forward Recommendation #4: Develop a Disaster Recovery Plan
Disaster Recovery is the process, policies and procedures of restoring operations critical to the resumption of business, including regaining access to data (records, hardware, software, etc.), communications (incoming, outgoing, toll-free, fax, etc.), workspace, and other business processes after a natural or human-induced disaster.
To increase the opportunity for a successful recovery of critical data, a well-established and thoroughly tested disaster recovery plan must be developed. This task requires the cooperation of a well-organized committee led by an experienced chairperson. A disaster recovery plan (DRP) should also include plans for coping with the unexpected or sudden loss of communications and/or key personnel. There is no formal Disaster Recovery Plan in use at CCSF.
Recommendation Details: This will be developed during the business continuity planning process, of which this is a part. An excellent reference on the topic can be found here: "Emergency preparedness." from Paul Banks and Roberta Pilette. Preservation Issues and Planning. Chicago: American Library Association, 2000. 159-165. ISBN 978-0-8389-0776-4
Path Forward Recommendation #5: Retrain Staff on Common IT Procedures
During the course of the audit and by observing the events surrounding the network intrusion incident, USDN has determined that some serious risks to the organization could have been avoided by following common IT procedures. The first common procedure not followed by an IT staff member involved the redeployment of a compromised server into the enterprise environment without making any effort to verify the integrity of the operating system software. This redeployment method into the actual "live" network meant the effect it would have on network stability was totally unknown, leaving the impact to the organization unquantifiable. The proper procedure that should have been followed is called "sandboxing", where all test deployments are made in an environment which does not touch the live enterprise network. This lack of basic knowledge of common IT procedures seen throughout most organizations calls into question the level of experience and training held by members of the CCSF IT staff.
Recommendation Details: Re-evaluate the current skill sets of the CCSF IT staff and determine on a case by case basis if additional training is a suitable solution or if the knowledge deficiencies need to be mitigated by additional staff.
Path Forward Recommendation #6: Leverage Infrastructure Monitoring
Infrastructure monitoring is not only the gathering of real time data for alerting purposes; it also preserves the historical data upon which IT decisions are based. Without proper monitoring and analysis of historical data, these decisions become a guessing game.
Recommendation Details: Deploy complete network monitoring tools to alert the CCSF IT organization of potential problems before they become service affecting issues and gather historical data to help make data driven decisions concerning IT expenditures.
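The integrity verification that Recommendation #5 says was skipped, and that the Conclusion notes cannot be done from evidence on a root-compromised host, can be illustrated with the following script. It is an added example and not part of USDN's report or of any CCSF tooling; it assumes the baseline manifest comes from trusted media (a clean install image or a copy held off the compromised host), and the file trees it compares are constructed in temporary directories so it runs offline.

```python
"""Compare a server's files against a trusted baseline manifest.

Added illustration, not part of the audit report. The baseline manifest must
come from trusted media (clean install or an off-host copy taken before the
compromise): a manifest generated on the compromised host proves nothing,
because an intruder with root can rewrite the manifest along with the logs.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (as a relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are skipped here; a fuller check would record their targets
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, candidate):
    """Classify differences between the trusted baseline and the host under review.

    Returns sorted lists of files whose content changed, files present only on
    the candidate (unexpected additions in system paths), and files missing
    from the candidate. Any non-empty list means the host must not be redeployed.
    """
    modified = sorted(p for p in baseline if p in candidate and baseline[p] != candidate[p])
    added = sorted(p for p in candidate if p not in baseline)
    missing = sorted(p for p in baseline if p not in candidate)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, data):
    """Create a file at root/rel with the given bytes (helper for the constructed demo)."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: a clean image versus a host proposed for redeployment."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as host:
        # Constructed trusted image contents.
        for rel, data in [("bin/ls", b"ls v1"), ("bin/ps", b"ps v1"),
                          ("etc/ssh/sshd_config", b"PermitRootLogin no\n")]:
            _write(clean, rel, data)
        # Constructed host contents: ps replaced, an extra library appeared,
        # and the sshd configuration is gone.
        _write(host, "bin/ls", b"ls v1")
        _write(host, "bin/ps", b"ps v1 with extra bytes")
        _write(host, "usr/lib/.hidden.so", b"unexpected")
        baseline = build_manifest(clean)
        return compare_manifests(baseline, build_manifest(host))


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        print(f"{kind}: {paths or '-'}")
    if any(result.values()):
        print("Integrity check FAILED: do not redeploy; rebuild from trusted media.")
```

In practice the baseline would be generated once from installation media and stored off-host, and the candidate manifest taken by booting the suspect machine from known-good media rather than from its own operating system.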
Audit Findings Detail
This section provides a Risk Assessment, Observation Details and Recommendations for each of the areas included in USDN’s Discovery Audit. The Risk Assessment describes the overall risk evaluation for a given area based upon standard baseline measures and the relative importance of the evaluation area to the CCSF IT organization. The Observation Details section provides background information on interviews conducted and finding information which support USDN’s risk assessment of the area. The Recommendations section provides USDN’s remediation recommendations for the risks identified.
IT Asset Inventory
Risk Assessment
An organization’s network asset inventory is the starting point and basis of the Discovery Audit. The CCSF IT Department was not able to produce current network topology or IT asset documentation. Since no current network diagrams, topology information or asset inventory could be provided, it was not possible for USDN to conduct a standard assessment of CCSF’s network environment. The lack of current network topology information is a high risk to the organization and a fundamental deficiency. Without current data it is not possible for CCSF to have an understanding of the IT organization’s vulnerabilities, exposures and risks.
Observation Details
On 9/20/10, Mr. Gabriel Straight, USDN, interviewed Mr. Tim Ryan, Networking Lead, to discuss the current network topology. Mr. Ryan provided Visio diagrams which were not current and indicated the network directory where the department maintained network diagrams and topology data. Mr. Straight examined the documents within this directory, but did not find information that was current. Mr. Anthony Castillo interviewed Glen Van Lehn, UNIX/LINUX System Administrator, for information regarding network diagrams and topology. Mr. Van Lehn indicated the Visio directory that Tim Ryan directed USDN to. USDN indicated the outdated nature of the documentation and Mr. Van Lehn indicated the diagrams represented what was available. Mr. Van Lehn provided a diagram of the firewall legs that was from 2006 but had been updated with handwritten notes. Mr. Castillo spoke with Dr. David Hotchkiss, Chief Technology Officer, indicating that obtaining current network topology information was critical to the audit. Dr. Hotchkiss asked Mr. Van Lehn to shift his priorities and fulfill the audit request. That afternoon, USDN provided a request list of items required to Mr. Van Lehn which included:
Performance Logs
Security Logs
Log Monitoring
Network Topology Maps
Security Perimeter Devices
Running Services
Access Control Lists
Mr. Van Lehn indicated that he would produce the information by the following day. On the morning of 9/22/10 Mr. Straight checked in with Mr. Van Lehn for a status update, to find out whether Mr. Van Lehn had been able to gather the items on the list that had been provided the previous day. Mr. Van Lehn said that he had not been able to gather the information as he had DNS issues to deal with. Mr. Straight asked if there was anything that Mr. Van Lehn could provide, and Mr. Van Lehn stated that he didn’t have any time to give him. Mr. Van Lehn then said that he might be able to get Mr. Straight something by 1:30p. Mr. Straight then said that the audit would be over so it would be too late, and asked whether he should just indicate on the record that nothing was available. Mr. Van Lehn then said to Mr. Straight that he could write whatever he wanted in the report.
Recommendations
USDN recommends that the CCSF IT department update network topology and IT asset inventory information to reflect the current computing environment. If the current IT department cannot update this information, USDN recommends contracting a qualified vendor to perform this task as it is critical to the success of the CCSF IT department.
IT Security Policies & Procedures
Risk Assessment
The CCSF IT department could not produce a comprehensive set of current IT security policies and procedures at the time of audit. The one document that was provided to USDN addressing acceptable computer usage was the “Classified Handbook” F04-SP05, dated Fall 2004-Spring 2005, written by the City College of San Francisco Human Resources Department. The other piece of information consisted of the Wi-Fi usage policy which appears on the default start page when a user accesses the wireless network from their workstation. Additionally, IT department personnel were not aware of change control, delivery mechanisms or enforcement controls related to IT security policies and procedures. Auditable evidence of policy and procedure dissemination to the user community and enforcement was not provided to USDN. It is also noted that on an organizational level there was a general lack of awareness regarding IT security policies and procedures. The existence of these policies was not readily recognized, and the USDN Human Resources contact, the Associate Dean of CCSF’s Human Resources department, initially indicated she was not familiar with the existence of IT security policies or termination procedures. Upon research the Associate Dean was able to provide a URL to IT policies, but her response indicated that security policies and procedures are not a part of the everyday vernacular. The lack of IT security policies and procedures, lack of effective information dissemination and policy enforcement mechanisms constitute a high risk to the IT organization and a fundamental deficiency. IT security policies and procedures provide the foundation from which security is architected, and define the procedures, guidelines and practices for managing security in an IT organization. Without policies and procedures there is no basis for security.
Both dissemination of current information and the ability to enforce policies and procedures are of critical importance, as without these, policies and procedures are meaningless.
Observation Details
On 9/20/10 Mr. Straight interviewed Mr. Ryan about the existence of IT policies in place at CCSF. Mr. Ryan provided a handbook, “Classified Handbook” F04-SP05, dated Fall 2004-Spring 2005, written by the City College of San Francisco Human Resources Department. Mr. Ryan also provided the Wi-Fi usage policy which automatically comes up on the default start page when a user accesses the wireless network. Mr. Ryan indicated that the above referenced documents were all the IT policies he was aware of. Subsequent to Mr. Straight’s interview with Mr. Ryan, Ms. Christine Castillo, USDN, interviewed Dr. Hotchkiss to inquire if he could provide information on the person or area responsible for the creation and maintenance of IT policies and procedures. Dr. Hotchkiss indicated that he had not seen IT security policies and that if anyone would have knowledge of these it would be Mr. Ryan. Dr. Hotchkiss also said that internal audit had brought up the lack of IT security policies as a finding. USDN notes that the internal audit took place before Dr. Hotchkiss arrived at CCSF.
On 9/21/10 Ms. Castillo spoke with Mia Rusali, Associate Dean – HR, and asked for computer usage and employee termination policies. Ms. Rusali was not familiar with computer usage policies but indicated she would obtain the current version of the employee handbook and the termination checklist which employees who are leaving CCSF employment complete. On 9/22/10 Ms. Castillo received a voice message from Ms. Rusali indicating that the employee handbook, which includes a section addressing acceptable use, is provided to all new employees at the time of hire. Updates are also distributed to all employees and added to the IT policy found at Ccsf.edu/vcfa-policies. However, given that the IT department personnel were not aware of the existence of current IT policies, the implication is that the on-line policies are most likely out of date. It should also be noted that USDN could not reach the IT policies from the URL provided.
Recommendations
USDN strongly recommends that CCSF establish and document standard IT security policies and procedures. This is of paramount necessity and importance for establishing a framework for the overall IT security of the organization. It should be clear that the security policies and written documentation of the organization are without a doubt the single most important components of any organization’s overall security strategy. An Acceptable Use Policy is a document that describes the responsibilities of the organization and each individual user in maintaining the security of the computers and the computer network or system. It not only educates and teaches employees to be responsible users of an organization’s computer facilities and resources, but it also empowers system staff to create and maintain a safe, stable, and usable computing environment. In order for a security policy to be effective, it is imperative that it (or the concepts and ideas contained within it) be disseminated to everyone in the organization. In addition, the policy should have sufficient backing from upper management to ensure that people adhere to it and that the consequences of transgressions from the policy be both clearly worded and fairly meted out to offenders. USDN recommends the creation of the following IT security policy documents:
Acceptable Use Policy (Root Policy)
User Rights & Privacy Policy
Remote Access & VPN Policy
Email and Communications Activities
System and Network Activities
Enforcement
Critical Applications
Risk Assessment
USDN obtained a list of critical applications which included the ERP system Banner, a key system on which financial, personnel and benefits information is captured, maintained and reported upon. On 9/21/10, USDN was made aware that a direct tunnel to Banner from at least one other location, namely the Fog server, existed. This vulnerability constitutes a high risk to CCSF’s network. It is important to note that not only had the Fog server been compromised in August 2010 (refer to the section, “Changes of Opportunity” for details), but USDN’s external network penetration testing had revealed that several pathways that could be used to compromise Banner still exist (refer to the section, “Network Security” for details).
Observation Details
On 9/21/10, USDN obtained a list of critical applications from Dr. Hotchkiss and corroborated criticality with Frank Morales, Administrative Applications Lead. The list of critical applications is indicated in the table below.
Importance | Application
First Tier | Banner (ERP); Telephone System; Web Site; Email; Medicat (student health, HIPAA)
Second Tier | AccuTrac (accountability of SF Unified School District K-12 students enrolled in classes at CCSF); SARS Group (Student Appointment & Reservation System)
Recommendations
Given the severance of the tunnel between the Fog and Gold servers (refer to the section, “Changes of Opportunity” for details), USDN considers it imperative that CCSF IT research and implement an acceptable remote VPN access tunnel which does not create an inherent risk to the Banner (ERP) application.
User Access Controls
Risk Assessment
USDN could not evaluate user access controls as current network topology information was not provided during the audit.
Observation Details
There are no observation details for this audit area since the client was not able to provide the necessary network asset and topology information.
Recommendations
USDN cannot provide a specific recommendation for this area as the audit could not be performed.
Security Architecture and Design
Risk Assessment
USDN could not evaluate CCSF’s security architecture and design as current network topology information was not provided during the audit.
Observation Details
There are no observation details for this audit area since the client was not able to provide the necessary network asset and topology information.
Recommendations
USDN cannot provide a specific recommendation for this area as the audit could not be performed.
Network Security
Risk Assessment
USDN examined the entire CCSF external network. On October 11, 2010 USDN held a meeting with CCSF IT staff to verify the validity of the external audit findings. The IT department members present, who included Mr. Ryan, Mr. Re, Mr. Morales and Dr. Hotchkiss, indicated their agreement with USDN’s findings. Through the course of the penetration test, USDN found the CCSF network to be exploitable in 22 separate ways. (Refer to “Appendix C – Security Issues and Recommended Fixes for 147.144.1.3” for details.) USDN estimates the time to traverse from the Internet to behind the CCSF firewall by utilizing these vulnerabilities to be under five (5) minutes. USDN asserts that the existence of the 22 vulnerabilities found is what made the August 2010 network intrusion possible. Furthermore, it is USDN’s opinion that no steps have been taken by CCSF to ensure that the intrusion that occurred in August 2010 is even over, as no steps have been taken to verify the integrity of the systems after “root” access had been obtained.
Observation Details
Refer to “Appendix C – Security Issues and Recommended Fixes for 147.144.1.3” for details regarding issues and fixes associated with the Fog server (IP 147.144.1.3). Findings on the Fog server are indicative of serious vulnerability findings inherent within the CCSF network and may be extrapolated to other hosts on the network of similar configuration.
Recommendations
It is USDN’s opinion that if vulnerable services are determined to be required by the CCSF IT organization, then the recommendations applicable to those services as noted in Appendix C need to be followed. Otherwise, USDN advocates terminating any of the vulnerable services noted that are not needed to fulfill the CCSF IT organization’s objectives. USDN also recommends that a full security audit of the deployed IT assets and infrastructure be conducted immediately, not only to ascertain the level of risk, but also to verify the integrity of the user access controls currently in place.
Network Monitoring
Risk Assessment
USDN could not perform a comprehensive evaluation of monitoring mechanisms utilized by CCSF’s IT department as the client could not produce network topology information or IT asset data. However, USDN understands that manual monitoring is conducted on the Fog server. USDN became aware of this when discussing the detection of an intrusion event which took place in early August 2010. (Refer to the section, “Changes of Opportunity”.)
Observation Details
Based on interviews conducted during the 9/20/10 to 9/22/10 audit period, it is USDN’s understanding that no automated network monitoring or IDS mechanisms are in place. Manual log monitoring does take place on the Fog server as a part of the Systems Administrators’ daily process, but formal monitoring procedures do not exist.
Recommendations
USDN strongly recommends that CCSF install an IDS solution such as AlienVault to conduct monitoring on a 24 x 7 basis. AlienVault (http://www.alienvault.com/community.php?section=Home) is an OSSIM (Open Source Security Information Management) solution that is configurable and consists of a comprehensive set of tools that work in concert to provide detailed views of the network and network devices, low-, medium- and high-level visualization interfaces, and incident management reporting. Furthermore, AlienVault is free and open source, so if implementation exceeds the skill set of current IT personnel, assistance is easily attainable.
Changes of Opportunity
Background
On 9/20/10 Dr. Hotchkiss indicated to Mr. Castillo that an intrusion had occurred on or around 8/6/10 on the Fog server, which is utilized by CCSF faculty and staff. Shirley Barger, a UNIX administrator within the Systems group reporting to Doug Re, Systems Lead, discovered the intrusion by manually reviewing access logs. The level of penetration was the installation of Enlightenment (LL3), which the intruders were able to install as root. The permissions used were those of Human Resources and ESL. The immediate resolution performed was to disable the compromised accounts and change the root passwords. Although Ms. Barger was not available to be interviewed, as she was ill and out of the office, USDN was able to interview Mr. Ryan and Mr. Re about the incident. Although Mr. Ryan indicated to USDN that he did not know of any event that affected an HR or ESL account, Mr. Re was able to provide his understanding. Christine Castillo interviewed Mr. Re and asked him questions focused primarily on the discovery of the intrusion event. During the discussion, Mr. Re corroborated that root control had been obtained on a UNIX server with the host name “Fog” and that two accounts had been compromised. According to Mr. Re, the Fog server was used to store web pages and class preparation documents used by teaching faculty and staff and did not contain CCSF information. He also said that grades may be stored on the server. When Ms. Castillo asked for information on the compromised accounts, Mr. Re indicated that the Fog account of a Human Resources employee had been compromised but did not have information about the other account. While Ms. Castillo was in his office, Mr. Re placed a call to Mr. Van Lehn, who responded that he did not know the specific domain the other hacked account belonged to. Ms. Castillo asked if the account belonging to the HR employee was the only account held by the employee and Mr. Re said he did not know.
When asked if the account of the HR employee could be a conduit to ERP, Mr. Re indicated that it would be possible to SSH to the ERP system but that there was no indication that such a bridge had occurred. Ms. Castillo asked how Mr. Re became aware of the incident, and he corroborated that Ms. Barger found the presence of extra processes while she was manually reviewing the monitoring logs for Fog as part of her morning process. She then traced the accounts associated with the addition of the new directories by looking at history files and discovered that one of the accounts resolved to Siskiyou County. When asked what remediation actions were taken after the incident, Mr. Re said that the following had occurred:
- Root passwords were changed
- Non-authorized directories were removed
- Compromised accounts were shut down
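The intrusion above was caught by one administrator noticing extra processes and new directories during a manual morning log review, and the Network Monitoring section recommends replacing that with automated monitoring. The following script, added here as an example and not part of the USDN report or of any CCSF tooling, automates the three comparisons that surfaced this incident: a process list and a directory listing diffed against a recorded baseline, and login records checked against the networks users are expected to come from. Every input is constructed sample data; the 147.144.0.0/16 "campus" range is an assumption based only on the Fog address quoted in the report, and 10.0.0.0/8 stands in for a VPN address pool.

```python
"""Automating the baseline checks that caught the Fog intrusion by hand.

Added example; not part of the USDN report or of CCSF's tooling. A current
host snapshot is compared with a recorded baseline and the differences a
reviewer would otherwise hunt for in logs and history files are returned
as alerts: processes that appeared or vanished, directories that appeared,
and logins from outside the expected networks. All data is constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed baseline, recorded on a known-good day.
BASELINE_PROCESSES = {"inetd", "sendmail", "httpd", "sshd", "imapd", "syslogd"}
BASELINE_DIRS = {"/home/hr_user", "/home/esl_user", "/home/faculty1"}
TRUSTED_NETWORKS = [
    ipaddress.ip_network("147.144.0.0/16"),  # assumed campus range
    ipaddress.ip_network("10.0.0.0/8"),      # assumed VPN address pool
]

# Constructed "today" snapshot: one extra daemon, one missing logger,
# one new hidden directory under a user's home.
CURRENT_PROCESSES = {"inetd", "sendmail", "httpd", "sshd", "imapd", "unknown_daemon"}
CURRENT_DIRS = {"/home/hr_user", "/home/esl_user", "/home/faculty1", "/home/hr_user/.x"}

# Constructed login records as (account, source address). The public
# addresses are RFC 5737 documentation ranges standing in for off-campus sources.
LOGINS = [
    ("faculty1", "147.144.20.7"),
    ("hr_user", "10.8.0.12"),
    ("hr_user", "198.51.100.23"),
    ("esl_user", "203.0.113.9"),
]


@dataclass
class Alerts:
    new_processes: set = field(default_factory=set)
    missing_processes: set = field(default_factory=set)
    new_dirs: set = field(default_factory=set)
    foreign_logins: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.new_processes or self.missing_processes
                    or self.new_dirs or self.foreign_logins)


def is_trusted(addr: str) -> bool:
    """True when the address lies inside one of the expected networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETWORKS)


def compare(processes, dirs, logins,
            baseline_processes=BASELINE_PROCESSES,
            baseline_dirs=BASELINE_DIRS) -> Alerts:
    """Diff a snapshot against the baseline and collect alerts."""
    alerts = Alerts()
    alerts.new_processes = set(processes) - set(baseline_processes)
    # A vanished logger or daemon is as interesting as a new one.
    alerts.missing_processes = set(baseline_processes) - set(processes)
    alerts.new_dirs = set(dirs) - set(baseline_dirs)
    alerts.foreign_logins = [(user, src) for user, src in logins if not is_trusted(src)]
    return alerts


def report(alerts: Alerts) -> list:
    """Render alerts one per line, suitable for mail or a SIEM feed."""
    lines = []
    lines += [f"NEW PROCESS: {p}" for p in sorted(alerts.new_processes)]
    lines += [f"MISSING PROCESS: {p}" for p in sorted(alerts.missing_processes)]
    lines += [f"NEW DIRECTORY: {d}" for d in sorted(alerts.new_dirs)]
    lines += [f"LOGIN FROM UNTRUSTED NETWORK: {u} from {s}" for u, s in alerts.foreign_logins]
    return lines


if __name__ == "__main__":
    for line in report(compare(CURRENT_PROCESSES, CURRENT_DIRS, LOGINS)):
        print(line)
```

On a real host the three inputs would come from the process table, a directory walk of the home tree and the login accounting records, and the baseline would be re-recorded after every approved change; the comparison itself does not change. It is deliberately a diff rather than a signature match, because what stood out on Fog was not a known bad name but the appearance of something that was not there the day before.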
Vulnerability Issue Found and Fixed
Besides the intrusion itself, USDN discovered that the Fog server can serve as a direct conduit to the Gold server, which runs CCSF’s ERP Banner system. On 9/21/10 Mr. Castillo spoke with Shirley Barger, Systems Administrator, to obtain details regarding her discovery of the intrusion incident in August. Ms. Barger was the individual who had discovered the intrusion and provided notes on the chronology of her findings. Ms. Barger confirmed that there are SSH and Telnet tunnels from Fog to the Gold (Banner) server. Based on the information above, Mr. Castillo advised Dr. Hotchkiss that firewall configurations should be changed to close the SSH and Telnet tunnels, because the Gold server was at risk: no security controls were in place to prevent intrusion over them. Dr. Hotchkiss agreed with the proposed action. Mr. Castillo found and severed the SSH and Telnet tunnels, because there was no confidence that the intrusion event on the Fog server was over, thereby protecting Banner on the Gold server.
Recommendations Refer to the recommendations provided in the section, “Network Security”.
Recommendations Summary
The recommendations included within this report are summarized in the table below.

Audit Area | Recommendation
Paths Forward | Implement Formalized Configuration Change Control; Develop internal facing IT employee policies and procedures; Start the Business Continuity Planning process; Develop a Disaster Recovery Plan; Retrain Staff on Common IT Procedures; Leverage Infrastructure Monitoring
IT Asset Inventory | Update network topology and IT asset inventory information to reflect the current computing environment
IT Security Policies & Procedures | Establish and document standard IT security policies and procedures
Critical Applications | Research and implement an acceptable remote VPN access tunnel which does not create an inherent risk to the Banner (ERP) application
User Access Controls | Cannot render an opinion
Security Architecture & Design | Cannot render an opinion
Network Security | Follow Appendix C – Security Issues and Recommended Fixes for 147.144.1.3; conduct a full security audit of the deployed IT assets and infrastructure
Network Monitoring | Install an IDS solution such as AlienVault to conduct monitoring on a 24 x 7 basis
Appendix A – USDN Key Audit Member Biographies
Anthony P. Castillo, CCIE, CISA, CISSP
Biography
Anthony P. Castillo currently holds the position of Chief Executive Officer and Chief Scientist of USDN Inc., a premier information technology infrastructure security solutions provider, which he founded in 1987. The company is industry-independent with clients ranging from mid-size businesses to national defense contractors, large financial institutions and major utility companies. Mr. Castillo regularly advises domestic and international government entities. Notably, he has trained the FBI in identity theft protection and digital fraud detection techniques and has been the recipient of multiple commendations from the FBI for his contributions. Mr. Castillo is frequently invited by Fortune 500 companies and prominent international organizations to speak on topics of technological financial fraud and network security.
Summary of Qualifications
Cisco Certified Internetwork Expert (CCIE)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
Expert Witness in Information Technology & Digital Forensics – U.S. District Court, California Superior Court
Relevant Experience
Twenty years of professional experience in application vulnerability research and carrier-class infrastructure engineering.
Author & Instructor of highly technical training programs for financial institutions, Department of Defense, Department of Homeland Security (National Early Warning System) and the medical industry.
Trainer and Author to the Federal Bureau of Investigation in Technological Computer Crime and Identity Theft Techniques
Regular Speaker on Forensics, Computer Crime and Technological Identity Theft at conferences held by the FBI, Comerica Bank, InfraGard, VISA, American Express and The Department of Defense.
Awards & Recognition Mr. Castillo has received two awards from the Director of the Federal Bureau of Investigation for Outstanding Service in the Public Interest. These awards were received in March 2007 and August 2009.
Gabriel Straight
Biography
Gabriel Straight currently holds the position of Chief Operations Officer of USDN Inc., a premier IT infrastructure auditing and security solutions provider with an in-house exploit creation and network defense laboratory. USDN is industry-independent with clients ranging from mid-size businesses to national defense, large financial institutions and major utility companies. Clients include Cisco Systems, Federal Bureau Of Investigation, Southern Union Company, Oracle, Honda Motor Company, Sprint, Xerox, and GE Capital.
Summary of Qualifications
Certified Information Forensics Instructor (CIFI)
GIAC Certified Forensic Analyst (GCFA)
Expert Witness in Information Technology & Digital Forensics – U.S. District Court
Relevant Experience
Sixteen years of professional experience in IT audit program management, application vulnerability research, digital forensics, disaster recovery, network penetration testing, and technical/business process development and re-engineering.
Assists the Federal Bureau of Investigation CART Team in evidence collection and data preservation techniques.
Develops training programs to assist the FBI, Infragard, and DHS to obtain consistent results by standardizing collection techniques.
Board Member & Technology Advisor of the FBI’s InfraGard program.
Other Skills
Languages: PERL
Operating Systems: All Windows workstation and server versions, Linux, Unix, FreeBSD, NetBSD, OpenBSD, OS400, OSX, ComOS, Cisco IOS
Applications: FTK (Forensics Tool Kit), EnCase
Christine Castillo
Biography
Christine Castillo currently holds the position of Vice President, Business Development of USDN Inc., a premier IT infrastructure auditing and security solutions provider with an in-house exploit creation and network defense laboratory. USDN is industry-independent with clients ranging from mid-size businesses to national defense, large financial institutions and major utility companies. Clients include Cisco Systems, Federal Bureau Of Investigation, Southern Union Company, Oracle, Honda Motor Company, Sprint, Xerox, and GE Capital. Christine possesses over 20 years of experience in the technology, financial services and energy industries. She has dedicated the past 11 years to developing solutions in the areas of risk analysis, corporate governance, IT audit, process development and technical knowledge communication. Christine’s breadth of knowledge in both technical and functional business areas within a variety of industries enables her to provide her clients with a unique service offering, drawing from vast sources of experience and perspective.
Summary of Qualifications
Over 17 years of project management and corporate leadership experience applied across multiple industries and discipline areas
Over 6 years of IT, financial and regulatory audit experience within the energy, transportation, wine, biotechnology and financial services industries
Over 3 years experience in project management and implementation program development related to NERC Critical Infrastructure Protection standards compliance
Relevant Experience
Audit program management and implementation (Sarbanes Oxley, NERC CIP, SAS 109), including program design, performance of risk assessments and testing.
International consulting experience in China to include compliance program management and training
Engineered/re-engineered processes and methodologies for IT management, software development and energy service areas.
Developed and designed technical, business and training documentation for utility, technology and financial services clientele
Appendix B – CCSF IT Organization Chart
The CCSF IT organization consists of the Office of the CTO and four technology areas: Networking, Systems, Administrative Applications and End User Support. As of the date of this report the department’s headcount of 76 individuals was distributed as follows:
Networking: 9
Systems: 17
Administrative Applications: 20
End User Support: 30
CCSF IT Organization – Overview (organization chart): CTO; Administrative Staff; Networking; Systems; Administrative Apps; End User Support
Appendix C – Security Issues and Recommended Fixes for 147.144.1.3
Type | Port | Issue and Fix
Security Note | echo (7/tcp)
An echo server is running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330

Security Note | echo (7/tcp)
Overview: Echo Service is running at this Host. The echo service is an Internet protocol defined in RFC 862. It was originally proposed for testing and measurement of round-trip times in IP networks. While still available on most UNIX-like operating systems, testing and measurement is now performed with the Internet Control Message Protocol (ICMP), using the applications ping and traceroute.
Solution: Disable echo Service.
Risk factor : Low
OID : 1.3.6.1.4.1.25623.1.0.100075

Warning | http (80/tcp)
Overview: This host is running Apache Web Server and is prone to Information Disclosure Vulnerability.
Vulnerability Insight: This flaw is caused due to an error in 'mod_proxy_ajp' when handling improperly malformed POST requests.
Impact: Successful exploitation will let the attacker craft a special HTTP POST request and gain sensitive information about the web server.
Impact level: Application
Affected Software/OS: Apache HTTP Version 2.2.11
Workaround: Update mod_proxy_ajp.c through SVN Repository (Revision 767089) http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff
Fix: No solution or patch is available as on 29th April, 2009. Information regarding this issue will be updated once the solution details are available. For further updates refer, http://httpd.apache.org/download.cgi
References: http://secunia.com/advisories/34827 http://xforce.iss.net/xforce/xfdb/50059 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=766938&r2=767089
CVSS Score: CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N) CVSS Temporal Score : 4.0
Risk factor: Medium
CVE : CVE-2009-1191
BID : 34663
OID : 1.3.6.1.4.1.25623.1.0.900499
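The scores in this appendix are CVSS version 2 base scores. As an added example, not part of the report or of the scanner that produced these rows, the following implements the published CVSS v2 base equation and reproduces the 5.0 above from its vector, as well as the 10.0 and 9.0 listed further down for the PHP findings. The scanner writes the authentication metric as Au:NR; the standard abbreviation is Au:N, and the parser accepts both. The severity bands in risk_factor are the NVD ranges for CVSS v2, which agree with the Risk factor column for these three findings. The vectors are keyed by the first CVE each row lists.

```python
"""CVSS v2 base-score arithmetic for the vectors quoted in this appendix.

Added example; not from the report or the scanner. It implements the
CVSS v2 base equation so the listed scores can be reproduced from their
vectors. 'Au:NR' is the scanner's spelling of 'Au:N' (no authentication
required) and is accepted alongside the standard abbreviation.
"""
import math

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704, "NR": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # shared by the C, I and A metrics


def parse_vector(vector: str) -> dict:
    """Map 'AV:N/AC:L/Au:N/C:P/I:N/A:N' (parentheses optional) to weights."""
    fields = dict(part.split(":") for part in vector.strip("() ").split("/"))
    return {
        "AV": ACCESS_VECTOR[fields["AV"]],
        "AC": ACCESS_COMPLEXITY[fields["AC"]],
        "Au": AUTHENTICATION[fields["Au"]],
        "C": IMPACT[fields["C"]],
        "I": IMPACT[fields["I"]],
        "A": IMPACT[fields["A"]],
    }


def round_to_1_decimal(x: float) -> float:
    """CVSS rounds half up to one decimal; floor(x*10+0.5) avoids Python's
    round-half-to-even behaviour."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    """CVSS v2 base equation: impact and exploitability sub-scores combined."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176  # a vector with no impact scores 0
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def risk_factor(score: float) -> str:
    """NVD severity bands for CVSS v2 scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Vectors exactly as printed in this appendix, keyed by the first CVE of each row.
APPENDIX_VECTORS = {
    "CVE-2009-1191": "(AV:N/AC:L/Au:NR/C:P/I:N/A:N)",   # Apache mod_proxy_ajp, 5.0
    "CVE-2008-5557": "(AV:N/AC:L/Au:NR/C:C/I:C/A:C)",   # PHP mbstring, 10.0
    "CVE-2008-2050": "(AV:N/AC:L/Au:NR/C:P/I:P/A:C)",   # PHP multiple issues, 9.0
}

if __name__ == "__main__":
    for cve, vec in APPENDIX_VECTORS.items():
        s = base_score(vec)
        print(f"{cve}: {vec} -> {s} ({risk_factor(s)})")
```

Recomputing a score from its vector is a quick sanity check when findings are re-rated for a remediation plan. The temporal scores in this appendix (4.0 here) depend on exploitability, remediation-level and report-confidence metrics that the scanner does not print, so only the base score is computed.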
Security Note | http (80/tcp)
A web server is running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330

Security Note | http (80/tcp)
The remote web server type is : Apache/1.3.41 (Unix)
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
OID : 1.3.6.1.4.1.25623.1.0.10107

Security Note | http (80/tcp)
The following directories were discovered: /cgi-bin, /sysadmin, /docs, /icons, /mail, /mysql
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
Other references : OWASP:OWASP-CM-006
OID : 1.3.6.1.4.1.25623.1.0.11032
Security Note | http (80/tcp)
An information leak occurs on Apache based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.
Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'. Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1 Or
3) Add into httpd.conf: ErrorDocument 404 http://localhost/sample.html ErrorDocument 403 http://localhost/sample.html (NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Risk factor : Low
CVE : CAN-2001-1013
BID : 3335
OID : 1.3.6.1.4.1.25623.1.0.10766

Security Note | pop3 (110/tcp)
A pop3 server is running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330
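The two Apache configuration findings above (the ServerTokens banner and the UserDir account-enumeration leak) are both settled by a handful of httpd.conf directives. The following checker, added here as an example and neither the report's nor the scanner's code, reads httpd.conf text, reports the directives that leak the server version or let ~user URLs confirm which accounts exist, and returns a corrected copy. The configuration text is constructed sample input. Only the three directives named in the findings are checked; an absent ServerTokens is reported because Apache then defaults to Full.

```python
"""Audit an Apache httpd.conf for the ServerTokens / ServerSignature /
UserDir settings behind the information-disclosure findings on this host.

Added example; not from the report or the scanner. The sample
configuration below is constructed input showing the weak settings.
"""
import re

DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$")

# directive (lower case) -> (is this value weak?, hardened value)
RULES = {
    "servertokens": (lambda v: v.lower() != "prod", "Prod"),
    "serversignature": (lambda v: v.lower() != "off", "Off"),
    # 'UserDir disabled' may be followed by 'UserDir enabled alice';
    # only the global setting is judged here.
    "userdir": (lambda v: v.split()[0].lower() != "disabled", "disabled"),
}


def _directive(line: str):
    """Return the regex match for a directive line, or None for
    comments, blank lines and <Section> tags."""
    if line.lstrip().startswith(("#", "<")):
        return None
    return DIRECTIVE.match(line)


def audit(conf_text: str) -> list:
    """Human-readable findings; an empty list means nothing weak was found."""
    findings, seen = [], set()
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = _directive(line)
        if not m or m.group(1).lower() not in RULES:
            continue
        name, value = m.group(1).lower(), m.group(2)
        seen.add(name)
        is_weak, good = RULES[name]
        if is_weak(value):
            findings.append(f"line {no}: {m.group(1)} {value!r} should be {good!r}")
    if "servertokens" not in seen:
        findings.append("ServerTokens not set: default is Full, set it to Prod")
    return findings


def harden(conf_text: str) -> str:
    """Rewrite weak directives in place; append ServerTokens Prod if absent."""
    out, seen = [], set()
    for line in conf_text.splitlines():
        m = _directive(line)
        if m and m.group(1).lower() in RULES:
            name = m.group(1).lower()
            seen.add(name)
            is_weak, good = RULES[name]
            if is_weak(m.group(2)):
                indent = line[: len(line) - len(line.lstrip())]
                line = f"{indent}{m.group(1)} {good}"
        out.append(line)
    if "servertokens" not in seen:
        out.append("ServerTokens Prod")
    return "\n".join(out) + "\n"


# Constructed sample configuration with the weak settings the scan describes.
SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
# per-user web pages, reachable as http://host/~user/
UserDir public_html
<Directory /home/*/public_html>
    Options Indexes
</Directory>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
    print(harden(SAMPLE_CONF))
```

Running audit on the output of harden is the regression check: a configuration that has been corrected once should yield no findings, and a later edit that re-enables UserDir will show up again on the next run.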
Security Note | pop3 (110/tcp)
identd reveals that this service is running as user root
OID : 1.3.6.1.4.1.25623.1.0.14674
Security Note | pop3 (110/tcp)
The remote POP3 server leaks information about the software it is running, through the login banner. This may assist an attacker in choosing an attack strategy. Versions and types should be omitted where possible.
The version of the remote POP3 server is : +OK fog.ccsf.cc.ca.us 2006h.96 server ready
Solution : Change the login banner to something generic.
Risk factor : Low
OID : 1.3.6.1.4.1.25623.1.0.10185

Security Note | sunrpc (111/tcp)
RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port
RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
OID : 1.3.6.1.4.1.25623.1.0.11111
Security Note | ident (113/tcp)
An identd server is running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note | daytime (13/tcp)
Daytime is running on this port
OID : 1.3.6.1.4.1.25623.1.0.11153
Warning | ssh (22/tcp)
Overview: The host is installed with OpenSSH and is prone to information disclosure vulnerability.
Vulnerability Insight: The flaw is caused due to the improper handling of errors within an SSH session encrypted with a block cipher algorithm in the Cipher-Block Chaining 'CBC' mode.
Impact: Successful exploits will allow attackers to obtain four bytes of plaintext from an encrypted session.
Impact Level: Application
Affected Software/OS: Versions prior to OpenSSH 5.2 are vulnerable. Various versions of SSH Tectia are also affected.
Fix: Upgrade to higher version http://www.openssh.com/portable.html
References: http://www.securityfocus.com/bid/32319
Risk factor: Medium
BID : 32319
OID : 1.3.6.1.4.1.25623.1.0.100153
Security Note | ssh (22/tcp)
An ssh server is running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note | ssh (22/tcp)
Remote SSH version : SSH-1.99-OpenSSH_4.4p1-hpn12v11
Remote SSH supported authentication : publickey,password,keyboard-interactive
OID : 1.3.6.1.4.1.25623.1.0.10267

Security Note | ssh (22/tcp)
identd reveals that this service is running as user root
OID : 1.3.6.1.4.1.25623.1.0.14674
Security Note | ftp (21/tcp)
An FTP server is running on this port. Here is its banner : 220 fog.ccsf.cc.ca.us FTP server (Revision 1.1 Version wuftpd2.6.1(PHNE_38578) Fri Jun 26 09:21:37 GMT 2009) ready.
OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note | ftp (21/tcp)
Remote FTP server banner : 220 fog.ccsf.cc.ca.us FTP server (Revision 1.1 Version wuftpd2.6.1(PHNE_38578) Fri Jun 26 09:21:37 GMT 2009) ready.
OID : 1.3.6.1.4.1.25623.1.0.10092
Security Note | ftp (21/tcp)
identd reveals that this service is running as user root
OID : 1.3.6.1.4.1.25623.1.0.14674
Security Note | telnet (23/tcp)
A telnet server seems to be running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note | telnet (23/tcp)
Overview: A telnet Server is running at this host. Experts in computer security, such as SANS Institute, and the members of the comp.os.linux.security newsgroup recommend that the use of Telnet for remote logins should be discontinued under all normal circumstances, for the following reasons:
* Telnet, by default, does not encrypt any data sent over the connection (including passwords), and so it is often practical to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access to a router, switch, hub or gateway located on the network between the two hosts where Telnet is being used can intercept the packets passing by and obtain login and password information (and whatever else is typed) with any of several common utilities like tcpdump and Wireshark.
* Most implementations of Telnet have no authentication that would ensure communication is carried out between the two desired hosts and not intercepted in the middle.
* Commonly used Telnet daemons have several vulnerabilities discovered over the years.
Risk factor : Medium
OID : 1.3.6.1.4.1.25623.1.0.100074

Security Note | telnet (23/tcp)
Remote telnet banner : HP-UX fog B.11.23 U ia64 (ta) login:
OID : 1.3.6.1.4.1.25623.1.0.10281
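The telnet banner identifies the host as HP-UX, where telnet, ftp, ident and the echo, daytime and time diagnostic services listed earlier in this appendix are all started by inetd from /etc/inetd.conf. As an added example, not from the report or the scanner, the following reads an inetd.conf, reports the active entries on a deny-list of clear-text and diagnostic services, and returns a copy with those lines commented out, after which inetd re-reads the file (inetd -c on HP-UX, a SIGHUP on most other UNIX systems). The inetd.conf text and its program paths are constructed sample input; the deny-list is an assumption about which services the earlier findings make dispensable.

```python
"""Find and disable legacy inetd services of the kind reported for this host.

Added example; not from the report or the scanner. The configuration
below is a constructed /etc/inetd.conf, not the host's real file.
"""

# Services with no confidentiality or authentication worth keeping on an
# Internet-reachable host: the diagnostic "small servers" and the
# clear-text remote-login family. Assumed list, not from the report.
DENY = {"echo", "discard", "daytime", "chargen", "time",
        "telnet", "ftp", "ident", "auth", "finger", "login", "shell", "exec"}

SAMPLE_INETD_CONF = """\
# constructed /etc/inetd.conf (HP-UX style)
echo    stream tcp nowait root internal
daytime stream tcp nowait root internal
time    stream tcp nowait root internal
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
ident   stream tcp wait   bin  /usr/lbin/identd  identd
pop3    stream tcp nowait root /usr/local/sbin/ipop3d ipop3d
imap    stream tcp nowait root /usr/local/sbin/imapd  imapd
"""


def parse(conf_text: str):
    """Yield (line_no, service, line) for every active (uncommented) entry.
    The service name is the first field of an inetd.conf line."""
    for no, line in enumerate(conf_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        yield no, stripped.split()[0], line


def audit(conf_text: str) -> list:
    """Names of active services that are on the deny-list, in file order."""
    return [svc for _, svc, _ in parse(conf_text) if svc in DENY]


def active_services(conf_text: str) -> list:
    """Every service inetd would still start from this configuration."""
    return [svc for _, svc, _ in parse(conf_text)]


def harden(conf_text: str) -> str:
    """Comment out deny-listed entries; everything else is left untouched,
    so a later diff of the file shows exactly what was disabled."""
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped.split()[0] in DENY:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("to disable:", audit(SAMPLE_INETD_CONF))
    print(harden(SAMPLE_INETD_CONF))
```

pop3 and imap are deliberately left active in the sample: they carry real mail traffic, and the IMAP banner further down advertises STARTTLS, so the decision there is to require TLS rather than to remove the service. Whether ftp can go depends on whether the faculty web-page workflow on this host still relies on it; the script only makes the choice explicit.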
Security Note | smtp (25/tcp)
An SMTP server is running on this port. Here is its banner : 220 fog.ccsf.cc.ca.us ESMTP Sendmail 8.14.2/8.14.2; Mon, 4 Oct 2010 23:35:17 -0700 (PDT)
OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note | smtp (25/tcp)
Remote SMTP server banner : 220 fog.ccsf.cc.ca.us ESMTP Sendmail 8.14.2/8.14.2; Mon, 4 Oct 2010 23:38:49 -0700 (PDT)
This is probably: Sendmail version 8.14.2
OID : 1.3.6.1.4.1.25623.1.0.10263

Security Note | time (37/tcp)
A time server seems to be running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note | imap (143/tcp)
An IMAP server is running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note | imap (143/tcp)
The remote imap server banner is : * OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS] fog.ccsf.cc.ca.us IMAP4rev1 2006h.380 at Mon, 4 Oct 2010 23:35:20 -0700 (PDT)
Versions and types should be omitted where possible. Change the imap banner to something generic.
OID : 1.3.6.1.4.1.25623.1.0.11414
Security Note | hp-alarmmgr (383/tcp)

Security Note | diagmond (1508/tcp)
A web server is running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330
identd reveals that this service is running as user root
OID : 1.3.6.1.4.1.25623.1.0.14674
Warning | distinct32 (9998/tcp)
Overview: This host is running Apache Web Server and is prone to Information Disclosure Vulnerability.
Vulnerability Insight: This flaw is caused due to an error in 'mod_proxy_ajp' when handling improperly malformed POST requests.
Impact: Successful exploitation will let the attacker craft a special HTTP POST request and gain sensitive information about the web server.
Impact level: Application
Affected Software/OS: Apache HTTP Version 2.2.11
Workaround: Update mod_proxy_ajp.c through SVN Repository (Revision 767089) http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff
Fix: No solution or patch is available as on 29th April, 2009. Information regarding this issue will be updated once the solution details are available. For further updates refer, http://httpd.apache.org/download.cgi
References: http://secunia.com/advisories/34827 http://xforce.iss.net/xforce/xfdb/50059 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=766938&r2=767089
CVSS Score: CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N) CVSS Temporal Score : 4.0
Risk factor: Medium
CVE : CVE-2009-1191
BID : 34663
OID : 1.3.6.1.4.1.25623.1.0.900499

Security Note | distinct32 (9998/tcp)
A web server is running on this port
OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note | distinct32 (9998/tcp)
The remote web server type is : Apache/1.3.41 (Unix)
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
OID : 1.3.6.1.4.1.25623.1.0.10107

Security Note | distinct32 (9998/tcp)
The following directories were discovered: /cgi-bin, /sysadmin, /docs, /icons, /mail, /mysql
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
Other references : OWASP:OWASP-CM-006
OID : 1.3.6.1.4.1.25623.1.0.11032
Security Note | distinct32 (9998/tcp)
An information leak occurs on Apache based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.
Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'. Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1 Or
3) Add into httpd.conf: ErrorDocument 404 http://localhost/sample.html ErrorDocument 403 http://localhost/sample.html (NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Risk factor : Low
CVE : CAN-2001-1013
BID : 3335
OID : 1.3.6.1.4.1.25623.1.0.10766

Vulnerability | distinct (9999/tcp)
Overview: PHP is prone to a vulnerability that an attacker could exploit to execute arbitrary code with the privileges of the user running the affected application. Successful exploits will compromise the application and possibly the computer.
References: https://www.securityfocus.com/bid/40948 https://bugzilla.redhat.com/show_bug.cgi?id=605641 http://www.php.net
CVE : CVE-2010-2225
BID : 40948
OID : 1.3.6.1.4.1.25623.1.0.100684
Vulnerability | distinct (9999/tcp)
Overview: PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer-overflow and corrupt process memory. Exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition. This issue affects versions prior to PHP 4.4.5 and 5.2.1.
Solution: The vendor released PHP 4.4.5 and 5.2.1 to address this issue. Please see the references for more information.
References: http://www.securityfocus.com/bid/23233 http://www8.itrc.hp.com/service/cki/docDisplay.do?docId=c01056506 http://www.php-security.org/MOPB/MOPB-39-2007.html http://www.php.net/releases/4_4_5.php http://www.php.net/releases/5_2_1.php http://www.php.net/
CVE : CVE-2007-1885, CVE-2007-1886
BID : 23233
OID : 1.3.6.1.4.1.25623.1.0.100594
Vulnerability | distinct (9999/tcp)
Overview: The host is running PHP and is prone to Buffer Overflow vulnerability.
Vulnerability Insight: The flaw is caused due to error in mbfilter_htmlent.c file in the mbstring extension. These can be exploited via mb_convert_encoding, mb_check_encoding, mb_convert_variables, and mb_parse_str functions.
Impact: Successful exploitation could allow attackers to execute arbitrary code via a crafted string containing an HTML entity.
Impact Level: Application
Affected Software/OS: PHP version 4.3.0 to 5.2.6 on all running platform.
Fix: Upgrade to version 5.2.7 or later, http://www.php.net/downloads.php
References: http://bugs.php.net/bug.php?id=45722 http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0477.html
CVSS Score: CVSS Base Score : 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C) CVSS Temporal Score : 7.4
Risk factor: High
CVE : CVE-2008-5557
BID : 32948
OID : 1.3.6.1.4.1.25623.1.0.900185
Vulnerability | distinct (9999/tcp)
Overview: PHP is prone to multiple vulnerabilities that may allow attackers to execute arbitrary code. Attackers can exploit these issues to run arbitrary code within the context of the PHP process. This may allow them to bypass intended security restrictions or gain elevated privileges.
References: http://www.securityfocus.com/bid/40013 http://php-security.org/2010/05/07/mops-2010-012-php-sqlite_single_queryuninitialized-memory-usage-vulnerability/index.html http://php-security.org/2010/05/07/mops-2010-013-php-sqlite_array_queryuninitialized-memory-usage-vulnerability/index.html http://www.php.net http://php-security.org/2010/05/07/mops-submission-03-sqlite_single_querysqlite_array_query-uninitialized-memory-usage/index.html
BID : 40013
OID : 1.3.6.1.4.1.25623.1.0.100631
Type: Vulnerability
Port: distinct (9999/tcp)
Overview: The host has PHP installed, which is prone to multiple vulnerabilities.
Vulnerability Insight: The flaws are caused by:
- an unspecified stack overflow error in the FastCGI SAPI (fastcgi.c).
- an error during path translation in cgi_main.c.
- an error with an unknown impact/attack vectors.
- an unspecified error within the processing of incomplete multibyte characters in the escapeshellcmd() API function.
- an error in curl/interface.c in the cURL library (libcurl), which could be exploited by attackers to bypass safe_mode security restrictions.
- an error in PCRE, i.e. a buffer overflow when handling a character class containing a very large number of characters with codepoints greater than 255 (UTF-8 mode).
Impact: Successful exploitation could result in remote arbitrary code execution, security restrictions bypass, access to restricted files, and denial of service.
Impact Level: System
Affected Software/OS: PHP versions prior to 5.2.6
Fix: Upgrade to PHP version 5.2.6 or above, http://www.php.net/downloads.php
References:
http://pcre.org/changelog.txt
http://www.php.net/ChangeLog-5.php
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0178
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0086
CVSS Score:
CVSS Base Score : 9.0 (AV:N/AC:L/Au:NR/C:P/I:P/A:C)
CVSS Temporal Score : 7.0
Risk factor : High
CVE : CVE-2008-2050, CVE-2008-2051, CVE-2007-4850, CVE-2008-0599, CVE-2008-0674
BID : 29009, 27413, 27786
Other references : CB-A:08-0118
OID : 1.3.6.1.4.1.25623.1.0.800110

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP is prone to a buffer-overflow vulnerability because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users. This issue affects PHP versions prior to 4.4.5 and 5.2.1.
References:
http://www.securityfocus.com/bid/23234
http://www.php-security.org/MOPB/MOPB-40-2007.html
http://www.php.net/
CVE : CVE-2007-1825
BID : 23234
OID : 1.3.6.1.4.1.25623.1.0.100600

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP is prone to multiple format-string vulnerabilities due to a design error when casting 64-bit variables to 32 bits. Attackers may be able to exploit these issues to execute arbitrary code in the context of the webserver process or to cause denial-of-service conditions. These issues affect PHP versions prior to 4.4.5 and 5.2.1 running on 64-bit computers.
Solution: The vendor released versions 5.2.1 and 4.4.5 to address these issues. Please see the references for more information.
References:
http://www.securityfocus.com/bid/23219
http://www8.itrc.hp.com/service/cki/docDisplay.do?docId=c01056506
http://www.php-security.org/MOPB/MOPB-38-2007.html
http://www.php.net/releases/4_4_5.php
http://www.php.net/releases/5_2_1.php
http://www.php.net
CVE : CVE-2007-1884
BID : 23219
OID : 1.3.6.1.4.1.25623.1.0.100595

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP4 is prone to a code-execution vulnerability due to a design error in a vulnerable extension. For this vulnerability to occur, the non-maintained 'Ovrimos SQL Server Extension' must have been compiled into the targeted PHP implementation. Successful exploits may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploits would likely crash PHP. PHP versions prior to 4.4.5 with a compiled 'Ovrimos SQL Server Extension' are vulnerable to this issue.
References:
http://www.securityfocus.com/bid/22833
http://www.php.net
http://www.php-security.org/MOPB/MOPB-13-2007.html
CVE : CVE-2007-1379, CVE-2007-1378
BID : 22833
OID : 1.3.6.1.4.1.25623.1.0.100604

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: phpMyAdmin is prone to a vulnerability that lets attackers execute arbitrary code in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Versions prior to phpMyAdmin 3.0.0 or 2.11.10 are vulnerable.
Solution: Updates are available. Please see the references for more information.
References:
http://www.securityfocus.com/bid/37861
http://www.phpmyadmin.net/
http://www.phpmyadmin.net/home_page/security/PMASA-2010-3.php
CVE : CVE-2009-4605
BID : 37861
OID : 1.3.6.1.4.1.25623.1.0.100589

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory. Exploiting this issue may allow attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in a denial-of-service condition. This issue affects PHP versions prior to 4.4.5 and 5.2.1.
Solution: Reports indicate that the vendor released versions 4.4.5 and 5.2.1 to address this issue. Symantec has not confirmed this. Please contact the vendor for information on obtaining and applying fixes.
References:
http://www.securityfocus.com/bid/23236
http://www.php-security.org/MOPB/MOPB-43-2007.html
http://www.php.net/
http://lists.suse.com/archive/suse-security-announce/2007-May/0007.html
CVE : CVE-2007-1889
BID : 23236
OID : 1.3.6.1.4.1.25623.1.0.100592

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: This host is running PHP and is prone to multiple vulnerabilities.
Vulnerability Insight: Multiple flaws are due to:
- An error in the 'proc_open()' function in 'ext/standard/proc_open.c', which does not enforce the 'safe_mode_allowed_env_vars' and 'safe_mode_protected_env_vars' directives; this allows attackers to execute programs with an arbitrary environment via the env parameter.
- An error in the 'zend_restore_ini_entry_cb()' function in 'zend_ini.c', which allows attackers to obtain sensitive information.
Impact: Successful exploitation could allow local attackers to bypass certain security restrictions and cause denial of service.
Impact Level: Network
Affected Software/OS: PHP version 5.2.10 and prior. PHP version 5.3.x before 5.3.1
Fix: Upgrade to PHP version 5.3.1, http://www.php.net/downloads.php
References:
http://secunia.com/advisories/37482
http://bugs.php.net/bug.php?id=49026
http://securityreason.com/achievement_securityalert/65
http://www.openwall.com/lists/oss-security/2009/11/23/15
CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
Risk factor : High
CVE : CVE-2009-4018, CVE-2009-2626
BID : 37138, 36009
OID : 1.3.6.1.4.1.25623.1.0.801060

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP is prone to a buffer-overflow vulnerability because the application fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users. This issue affects PHP versions prior to 4.4.5 and 5.2.1.
Solution: Reports indicate that the vendor released versions 4.4.5 and 5.2.1 to address this issue. Please contact the vendor for information on obtaining and applying fixes. The reporter of this issue indicates that if you are using a shared copy of an external Sqlite library, you will remain vulnerable to this issue, even after upgrading to non-vulnerable versions.
References:
http://www.securityfocus.com/bid/23235
http://www.php.net/ChangeLog-5.php#5.2.3
http://www.php-security.org/MOPB/MOPB-41-2007.html
http://www.php.net/
http://www.securityfocus.com/archive/1/481830
CVE : CVE-2007-1888, CVE-2007-1887
BID : 23235
OID : 1.3.6.1.4.1.25623.1.0.100593

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: The host is running PHP and is prone to security bypass and file writing vulnerabilities.
Vulnerability Insight: The flaws are caused by:
- An error in the initialization of the 'page_uid' and 'page_gid' global variables for use by the SAPI 'php_getuid' function, which bypasses the safe_mode restrictions.
- When 'safe_mode' is enabled through a 'php_admin_flag' setting in the 'httpd.conf' file, the 'error_log' and 'safe_mode' restrictions are not enforced.
- An error in the 'ZipArchive::extractTo' function which allows an attacker to write files via a ZIP file.
Impact: Successful exploitation could allow remote attackers to write arbitrary files, bypass security restrictions and conduct directory traversal attacks.
Impact Level: System/Application
Affected Software/OS: PHP versions prior to 5.2.7.
Fix: Upgrade to version 5.2.7 or later, http://www.php.net/downloads.php
References:
http://www.php.net/ChangeLog-5.php#5.2.7
http://www.php.net/archive/2008.php#id2008-12-07-1
http://www.securityfocus.com/archive/1/archive/1/498985/100/0/threaded
CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
Risk factor: High
CVE : CVE-2008-5624, CVE-2008-5625, CVE-2008-5658
BID : 32383, 32625, 32688
OID : 1.3.6.1.4.1.25623.1.0.900184

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP shared memory functions (shmop) are prone to an arbitrary-code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code within the context of the affected webserver. The attacker may also gain access to RSA keys of the SSL certificate. This issue affects PHP 4 versions prior to 4.4.5 and PHP 5 versions prior to 5.2.1.
Solution: The vendor released versions 4.4.5 and 5.2.1 to address this issue. Please see the references for more information.
References:
http://www.securityfocus.com/bid/22862
http://www.php-security.org/MOPB/MOPB-15-2007.html
http://www.php.net
http://lists.suse.com/archive/suse-security-announce/2007-May/0007.html
CVE : CVE-2007-1376
BID : 22862
OID : 1.3.6.1.4.1.25623.1.0.100605

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: SquirrelMail is prone to a remote denial-of-service vulnerability because it fails to properly handle certain user requests. An attacker can exploit this issue to cause the application to consume excessive disk space, resulting in denial-of-service conditions. SquirrelMail versions up to and including 1.4.20 are vulnerable; others may also be affected.
Solution: Updates are available. Please see the references for more information.
References:
https://www.securityfocus.com/bid/42399
http://www.squirrelmail.org/
http://www.squirrelmail.org/security/issue/2010-07-23
https://bugzilla.redhat.com/show_bug.cgi?id=618096
CVE : CVE-2010-2813
BID : 42399
OID : 1.3.6.1.4.1.25623.1.0.100759

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: The host is running PHP and is prone to a buffer overflow vulnerability.
Vulnerability Insight: The flaw is due to an error in the '_gdGetColors' function in gd_gd.c, which fails to check a certain colorsTotal structure member; this can be exploited to cause buffer overflow or buffer over-read attacks via a crafted GD file.
Impact: Successful exploitation could allow attackers to potentially compromise a vulnerable system.
Impact Level: System
Affected Software/OS: PHP version 5.2.x to 5.2.11 and 5.3.0 on Linux.
Fix: Apply patches from the SVN repository, http://svn.php.net/viewvc?view=revision&revision=289557
***** NOTE: Ignore this warning if the patch is already applied. *****
References:
http://secunia.com/advisories/37080/
http://www.vupen.com/english/advisories/2009/2930
http://marc.info/?l=oss-security&m=125562113503923&w=2
CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
Risk factor: High
CVE : CVE-2009-3546
BID : 36712
OID : 1.3.6.1.4.1.25623.1.0.801123

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP is prone to an arbitrary-code-execution vulnerability. An attacker may exploit this issue to execute arbitrary code within the context of the affected webserver. This issue affects PHP 4 versions prior to 4.4.5 and PHP 5 versions prior to 5.2.1.
Solution: Please see the references for more information.
References:
http://www.securityfocus.com/bid/23120
http://www.securityfocus.com/bid/23119
http://www8.itrc.hp.com/service/cki/docDisplay.do?docId=c01056506
http://www.php-security.org/MOPB/MOPB-31-2007.html
http://www.php.net
CVE : CVE-2007-1701, CVE-2007-1700
BID : 23120, 23119
OID : 1.3.6.1.4.1.25623.1.0.100602

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP 5.2.0 and prior versions are prone to multiple security vulnerabilities. Successful exploits could allow an attacker to write files in unauthorized locations, cause a denial-of-service condition, and potentially execute code. These issues are reported to affect PHP 4.4.4 and prior versions in the 4 branch, and 5.2.0 and prior versions in the 5 branch; other versions may also be vulnerable.
Solution: The vendor has released updates to address these issues. Contact the vendor for details on obtaining and applying the appropriate updates. Please see the advisories for more information.
References:
http://www.securityfocus.com/bid/22496
http://support.avaya.com/elmodocs2/security/ASA-2007-136.htm
http://www.php.net/ChangeLog-5.php#5.2.1
http://www.php.net/releases/5_2_1.php
http://support.avaya.com/elmodocs2/security/ASA-2007-101.htm
http://rhn.redhat.com/errata/RHSA-2007-0076.html
http://rhn.redhat.com/errata/RHSA-20070081.html#Red%20Hat%20Linux%20Advanced%20Workstation%202.1%20for%20the%20Itanium%20Processor
http://rhn.redhat.com/errata/RHSA-2007-0082.html
http://rhn.redhat.com/errata/RHSA-2007-0089.html
http://www.novell.com/linux/security/advisories/2007_44_php.html
CVE : CVE-2007-0905, CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910
BID : 22496
OID : 1.3.6.1.4.1.25623.1.0.100606

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: This host is running phpMyAdmin and is prone to multiple vulnerabilities.
Vulnerability Insight: Multiple flaws are due to:
- The BLOB streaming feature in 'bs_disp_as_mime_type.php' allows CRLF injection, which lets an attacker inject arbitrary data into the HTTP headers through the 'c_type' and 'file_type' parameters.
- An XSS vulnerability in 'display_export.lib.php', which does not sanitize the 'pma_db_filename_template' parameter.
- A static code injection vulnerability in 'setup.php' which can be used to inject PHP code.
- 'bs_disp_as_mime_type.php' does not sanitize user-supplied input in the filename variable, which allows directory traversal attacks.
Impact: Successful exploitation will let the attacker conduct XSS or directory traversal attacks, or inject malicious PHP code to gain sensitive information about the remote host.
Affected Software/OS: phpMyAdmin versions 2.11.x to 2.11.9.4 and 3.0.x to 3.1.3
Fix: Upgrade to version 2.11.9.5 or 3.1.3.1, http://www.phpmyadmin.net/home_page/downloads.php
Workaround: Update the existing PHP files from the SVN revisions below.
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12301
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12302
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12303
***** Note: Ignore this warning if the files have already been replaced according to the fixed SVN revision numbers. *****
References:
http://secunia.com/advisories/34430
http://www.phpmyadmin.net/home_page/security/PMASA-2009-1.php
http://www.phpmyadmin.net/home_page/security/PMASA-2009-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
CVSS Score:
CVSS Base Score : 7.5 (AV:N/AC:L/Au:NR/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
Risk factor: High
CVE : CVE-2009-1148, CVE-2009-1149, CVE-2009-1150, CVE-2009-1151
BID : 34251, 34253, 34236
OID : 1.3.6.1.4.1.25623.1.0.800381

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: PHP is prone to multiple security vulnerabilities. An attacker can exploit these issues to execute arbitrary code, crash the affected application, gain access to sensitive information and bypass security restrictions. Other attacks are also possible. These issues affect the following:
PHP 5.3 (prior to 5.3.3)
PHP 5.2 (prior to 5.2.14)
Solution: Updates are available. Please see the references for more information.
References:
https://www.securityfocus.com/bid/41991
http://www.php.net/ChangeLog-5.php#5.3.3
http://www.php.net/
CVE : CVE-2010-2531, CVE-2010-2484
BID : 41991
OID : 1.3.6.1.4.1.25623.1.0.100726

Type: Vulnerability
Port: distinct (9999/tcp)
Overview: phpMyAdmin is prone to a remote PHP code-injection vulnerability. An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying computer; other attacks are also possible. Versions prior to phpMyAdmin 2.11.10.1 are affected.
Solution: Vendor updates are available. Please see the references for more information.
References:
https://www.securityfocus.com/bid/42591
http://www.phpmyadmin.net/
http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php
The installed version (2.11.9.1) of phpMyAdmin under /phpMyAdmin is affected, but the vulnerability could not be exploited at this time because the webserver has no permission to write the configuration to the 'config' directory.
CVE : CVE-2010-3055
BID : 42591
OID : 1.3.6.1.4.1.25623.1.0.100760

Type: Warning
Port: distinct (9999/tcp)
Overview: phpMyAdmin is prone to a remote PHP code-injection vulnerability and to a cross-site scripting vulnerability. An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.
Solution: Vendor updates are available. Please see http://www.phpmyadmin.net for more information.
See also:
http://www.securityfocus.com/bid/34236
http://www.securityfocus.com/bid/34251
Risk factor : Medium
BID : 34236, 34251
OID : 1.3.6.1.4.1.25623.1.0.100077

Type: Warning
Port: distinct (9999/tcp)
Overview: SquirrelMail is prone to multiple vulnerabilities, including multiple session-fixation issues, a code-injection issue, and multiple cross-site scripting issues. Attackers may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user, to hijack the session of a valid user, or to inject and execute arbitrary PHP code in the context of the webserver process. This may facilitate a compromise of the application and the computer; other attacks are also possible. Versions prior to SquirrelMail 1.4.18 are vulnerable.
See also: http://www.securityfocus.com/bid/34916
Risk factor : Medium
CVE : CVE-2009-1578, CVE-2009-1579, CVE-2009-1580, CVE-2009-1581
BID : 34916
OID : 1.3.6.1.4.1.25623.1.0.100203

Type: Warning
Port: distinct (9999/tcp)
Overview: PHP is prone to a denial-of-service vulnerability because the application fails to handle certain file requests. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. PHP 4.4 prior to 4.4.9 and PHP 5.2 through 5.2.6 are vulnerable.
Solution: Updates are available. Please see the references for more information.
References:
http://www.securityfocus.com/bid/31612
http://www.openwall.com/lists/oss-security/2008/08/08/2
http://www.php.net/ChangeLog-5.php#5.2.8
http://www.php.net
http://support.avaya.com/elmodocs2/security/ASA-2009-161.htm
CVE : CVE-2008-3660
BID : 31612
OID : 1.3.6.1.4.1.25623.1.0.100582

Type: Warning
Port: distinct (9999/tcp)
Overview: This host is running Apache Web Server and is prone to an information disclosure vulnerability.
Vulnerability Insight: This flaw is caused by an error in 'mod_proxy_ajp' when handling malformed POST requests.
Impact: Successful exploitation will let the attacker craft a special HTTP POST request and gain sensitive information about the web server.
Impact level: Application
Affected Software/OS: Apache HTTP Version 2.2.11
Workaround: Update mod_proxy_ajp.c through the SVN repository (Revision 767089), http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/PR46949.diff
Fix: No solution or patch is available as of 29th April, 2009. Information regarding this issue will be updated once the solution details are available. For further updates, refer to http://httpd.apache.org/download.cgi
References:
http://secunia.com/advisories/34827
http://xforce.iss.net/xforce/xfdb/50059
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=766938&r2=767089
CVSS Score:
CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
CVSS Temporal Score : 4.0
Risk factor: Medium
CVE : CVE-2009-1191
BID : 34663
OID : 1.3.6.1.4.1.25623.1.0.900499

Type: Warning
Port: distinct (9999/tcp)
Overview: phpMyAdmin is prone to multiple input-validation vulnerabilities, including an HTTP response-splitting vulnerability and a local file-include vulnerability. These issues can be leveraged to view or execute arbitrary local scripts, or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into a false sense of trust. Other attacks are also possible. Versions prior to phpMyAdmin 3.1.3.1 are vulnerable.
Solution: Vendor updates are available. Please see http://www.phpmyadmin.net for more information.
See also: http://www.securityfocus.com/bid/34253
Risk factor : Medium
BID : 34253
OID : 1.3.6.1.4.1.25623.1.0.100078

Type: Warning
Port: distinct (9999/tcp)
Overview: phpMyAdmin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. The following versions are vulnerable:
phpMyAdmin 2.11.x prior to 2.11.10.1
phpMyAdmin 3.x prior to 3.3.5.1
Solution: Updates are available. Please see the references for details.
References:
https://www.securityfocus.com/bid/42584
http://www.phpmyadmin.net/
http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php
CVE : CVE-2010-3056
BID : 42584
OID : 1.3.6.1.4.1.25623.1.0.100761

Type: Warning
Port: distinct (9999/tcp)
Overview: PHP is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
References:
https://www.securityfocus.com/bid/41265
http://permalink.gmane.org/gmane.comp.security.oss.general/3109
http://www.php.net/
BID : 41265
OID : 1.3.6.1.4.1.25623.1.0.100695

Type: Warning
Port: distinct (9999/tcp)
Overview: The PHP 'php_binary' serialization handler is prone to a heap-information leak. The vulnerability arises because of a missing boundary check in the extraction of variable names. A local attacker can exploit this issue to obtain sensitive information (such as heap offsets and canaries) that may aid in other attacks. These versions are affected:
PHP4 versions prior to 4.4.5
PHP5 versions prior to 5.2.1
Updates are available.
Solution: This issue was previously disclosed to the PHP development team. It has been fixed in the latest releases.
References:
http://www.securityfocus.com/bid/22805
http://www8.itrc.hp.com/service/cki/docDisplay.do?docId=c01056506
http://www.php.net
http://lists.suse.com/archive/suse-security-announce/2007-May/0007.html
CVE : CVE-2007-1380
BID : 22805
OID : 1.3.6.1.4.1.25623.1.0.100603

Type: Warning
Port: distinct (9999/tcp)
Overview: SquirrelMail is prone to a remote information-disclosure vulnerability. Attackers can exploit this issue to obtain potentially sensitive information that may lead to further attacks. This issue affects SquirrelMail 1.4.x versions.
Solution: Updates are available. Please see the references for more information.
References:
https://www.securityfocus.com/bid/40291
http://permalink.gmane.org/gmane.comp.security.oss.general/2935
http://permalink.gmane.org/gmane.comp.security.oss.general/3064
http://permalink.gmane.org/gmane.comp.security.oss.general/2936
http://conference.hitb.org/hitbsecconf2010dxb/materials/D1%20%20Laurent%20Oudot%20%20Improving%20the%20Stealthiness%20of%20Web%20Hacking.pdf#page=69
http://www.squirrelmail.org
CVE : CVE-2010-1637
BID : 40291
OID : 1.3.6.1.4.1.25623.1.0.100688

Type: Warning
Port: distinct (9999/tcp)
Overview: The host is running PHP and is prone to a memory information disclosure vulnerability.
Vulnerability Insight: The flaw is caused by improper validation of the bgd_color or clrBack argument in the imageRotate function.
Impact: Successful exploitation could let the attacker read the contents of arbitrary memory locations through a crafted value for an indexed image.
Impact Level: Application
Affected Software/OS: PHP version 5.x to 5.2.8 on all platforms.
Fix: No solution or patch is available as of 31st December, 2008. Information regarding this issue will be updated once the solution details are available. For updates, refer to http://www.php.net/
References:
http://securitytracker.com/alerts/2008/Dec/1021494.html
http://downloads.securityfocus.com/vulnerabilities/exploits/33002.php
http://downloads.securityfocus.com/vulnerabilities/exploits/33002-2.php
CVSS Score:
CVSS Base Score : 5.0 (AV:N/AC:L/Au:NR/C:P/I:N/A:N)
CVSS Temporal Score : 2.9
Risk factor: Low
CVE : CVE-2008-5498
BID : 33002
OID : 1.3.6.1.4.1.25623.1.0.900186

Type: Warning
Port: distinct (9999/tcp)
Overview: This host is running phpMyAdmin and is prone to a cross-site scripting vulnerability.
Vulnerability Insight: Input passed to the 'db' parameter in the pmd_pdf.php file is not properly sanitised before being returned to the user.
Impact: Allows execution of arbitrary HTML and script code, and theft of cookie-based authentication credentials.
Impact Level: System
Affected Software/OS: phpMyAdmin versions 3.0.1 and prior on all platforms.
Fix: Upgrade to phpMyAdmin 3.0.1.1 or later
References:
http://secunia.com/advisories/32449/
http://seclists.org/bugtraq/2008/Oct/0199.html
CVSS Score:
CVSS Base Score : 4.0 (AV:N/AC:H/Au:NR/C:P/I:P/A:N)
CVSS Temporal Score : 3.2
Risk factor: Medium
CVE : CVE-2008-4775
BID : 31928
OID : 1.3.6.1.4.1.25623.1.0.800301

Type: Warning
Port: distinct (9999/tcp)
Overview: PHP is prone to a denial-of-service vulnerability in its 'exif_read_data()' function. Successful exploits may allow remote attackers to cause denial-of-service conditions in applications that use the vulnerable function. Versions prior to PHP 5.2.10 are affected.
Solution: Updates are available. Please see the references for more information.
References:
http://www.securityfocus.com/bid/35440
http://www.php.net/releases/5_2_10.php
http://www.php.net/
http://lists.debian.org/debian-security-announce/2009/msg00263.html
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0339.html
http://support.avaya.com/css/P8/documents/100072880
CVE : CVE-2009-2687
BID : 35440
OID : 1.3.6.1.4.1.25623.1.0.100581

Type: Warning
Port: distinct (9999/tcp)
Overview: The host is running PHP and is prone to a cross-site scripting vulnerability.
Vulnerability Insight: The flaw is caused by improper handling of certain inputs when the display_errors setting is enabled.
Impact: Successful exploitation could allow attackers to inject arbitrary web script or HTML via unspecified vectors and conduct cross-site scripting attacks.
Impact Level: Application
Affected Software/OS: PHP version 5.2.7 and prior on all platforms.
Fix: Upgrade to version 5.2.8 or later, http://www.php.net/downloads.php
References:
http://jvn.jp/en/jp/JVN50327700/index.html
http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000084.html
CVSS Score:
CVSS Base Score : 2.6 (AV:N/AC:H/Au:NR/C:N/I:P/A:N)
CVSS Temporal Score : 1.9
Risk factor : Low
CVE : CVE-2008-5814
OID : 1.3.6.1.4.1.25623.1.0.800334

Type: Warning
Port: distinct (9999/tcp)
Overview: PHP is prone to multiple security vulnerabilities. Successful exploits could allow an attacker to cause a denial-of-service condition. An unspecified issue with an unknown impact was also reported. These issues affect PHP 5.2.8 and prior versions.
Solution: The vendor has released PHP 5.2.9 to address these issues. Please see http://www.php.net/ for more information.
See also: http://www.securityfocus.com/bid/33927
Risk factor : Medium
CVE : CVE-2009-1271
BID : 33927
OID : 1.3.6.1.4.1.25623.1.0.100146

Type: Warning
Port: distinct (9999/tcp)
Overview: This host is running PHP and is prone to multiple information disclosure vulnerabilities.
Vulnerability Insight: Multiple flaws are due to:
- An error in the 'trim()', 'ltrim()', 'rtrim()' and 'substr_replace()' functions, which causes a userspace interruption of an internal function within the call-time pass-by-reference feature.
- An error in the 'parse_str()', 'preg_match()', 'unpack()' and 'pack()' functions, the 'ZEND_FETCH_RW()', 'ZEND_CONCAT()' and 'ZEND_ASSIGN_CONCAT()' opcodes, and the 'ArrayObject::uasort' method, which triggers memory corruption by causing a userspace interruption of an internal function or handler.
Impact: Successful exploitation could allow local attackers to bypass certain security restrictions and to obtain sensitive information.
Impact Level: Network
Affected Software/OS: PHP version 5.2 through 5.2.13 and 5.3 through 5.3.2
Fix: No solution or patch is available as of 11th June, 2010. Information regarding this issue will be updated once the solution details are available. For updates, refer to http://www.php.net/downloads.php
References:
http://www.php-security.org/2010/05/30/mops-2010-048-php-substr_replaceinterruption-information-leak-vulnerability/index.html
http://www.php-security.org/2010/05/30/mops-2010-047-php-trimltrimrtriminterruption-information-leak-vulnerability/index.html
CVE : CVE-2010-2190, CVE-2010-2191
OID : 1.3.6.1.4.1.25623.1.0.801359

Type: Warning
Port: distinct (9999/tcp)
Overview: PHP is prone to multiple buffer-overflow vulnerabilities. Successful exploits may allow attackers to execute arbitrary code in the context of applications using the vulnerable PHP functions. This may result in a compromise of the underlying system. Failed attempts may lead to a denial-of-service condition. Versions prior to PHP 4.4.9 and PHP 5.2.8 are vulnerable.
Solution: Updates are available. Please see the references for more information.
References:
http://www.securityfocus.com/bid/30649
http://www.php.net/ChangeLog-5.php#5.2.8
http://www.php.net/archive/2008.php#id2008-08-07-1
http://www.php.net/
http://support.avaya.com/elmodocs2/security/ASA-2009-161.htm
CVE : CVE-2008-3659, CVE-2008-3658
BID : 30649
OID : 1.3.6.1.4.1.25623.1.0.100583

Type: Warning
distinct (9999/tcp)
Overview : The host is running Apache, which is prone to a cross-site scripting vulnerability. Vulnerability Insight : Input passed to the module mod_proxy_ftp containing a wildcard character is not properly sanitized before being returned to the user. Impact : Remote attackers can execute arbitrary script code. Impact Level : Application Affected Software/OS : Apache 2.0.0 to 2.0.63 and Apache 2.2.0 to 2.2.9 on all platforms. *** Note: The script might report a false positive because it only checks the Apache version. The vulnerability applies only when mod_proxy and mod_proxy_ftp are loaded and configured in the installed Apache; the Apache/2.0.58 banner reported on this port is inside the affected range, so check the loaded modules and the proxy configuration before treating it as real. *** Fix : A fix is available in the SVN repository, http://svn.apache.org/viewvc?view=rev&revision=682871 http://svn.apache.org/viewvc?view=rev&revision=682868 References : http://httpd.apache.org/ http://www.securityfocus.com/archive/1/495180 http://httpd.apache.org/docs/2.0/mod/mod_proxy_ftp.html
CVSS Score : CVSS Base Score : 5.8 (AV:N/AC:M/Au:NR/C:P/I:P/A:N) CVSS Temporal Score : 4.5 Risk factor : Medium CVE : CVE-2008-2939 BID : 30560 OID : 1.3.6.1.4.1.25623.1.0.900107
Warning
distinct (9999/tcp)
The /doc directory is browsable. /doc maps to /usr/doc and therefore reveals which programs are installed and, importantly, their versions.
Solution : Restrict access to the /doc directory. With Apache you can add this to access.conf (or httpd.conf); the Order/Deny/Allow syntax shown is the one understood by the Apache 1.3, 2.0 and 2.2 releases, which covers the 1.3.41 and 2.0.58 builds detected on this host:
<Directory /usr/doc>
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>
Directory indexing should be turned off for the path as well, and the /doc mapping removed entirely if nothing depends on it.
Risk factor : High CVE : CVE-1999-0678 BID : 318 OID : 1.3.6.1.4.1.25623.1.0.10056
Security Note
distinct (9999/tcp)
A web server is running on this port OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note
distinct (9999/tcp)
The remote web server type is : Apache/2.0.58 HP-UX_Apache-based_Web_Server (Unix) DAV/2 PHP/5.2.0
Solution : Set the directive 'ServerTokens Prod' (and 'ServerSignature Off') to limit the information the server emits in response headers and error pages. The banner above discloses the operating system (HP-UX), the PHP version (5.2.0) and the DAV module, which is exactly what the version-based checks in this report key on. OID : 1.3.6.1.4.1.25623.1.0.10107
Security Note
distinct (9999/tcp)
phpMyAdmin is running on this host. phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. Risk factor : None phpMyAdmin was detected on the remote host in the following directory(s): phpMyAdmin (Ver. 2.11.9.1) under /phpMyAdmin (not protected by username/password). OID : 1.3.6.1.4.1.25623.1.0.900129
Note that the directory-discovery check on this same port (OID 1.3.6.1.4.1.25623.1.0.11032, below) lists /phpMyAdmin as requiring authentication. The two results conflict and must be settled by hand: an unauthenticated phpMyAdmin gives direct access to the MySQL 5.0.45 instance reported on 3306/tcp, which would outrank most of the other findings on this host rather than being a 'None' risk.
Security Note
distinct (9999/tcp)
Synopsis : The remote web server contains a webmail application. Description : The remote host is running SquirrelMail, a PHP-based webmail package that provides access to mail accounts via POP3 or IMAP. See also : http://www.squirrelmail.org/ Risk factor : None Plugin output : SquirrelMail 1.4.11 was detected on the remote host under the path '/mail'. OID : 1.3.6.1.4.1.25623.1.0.12647
Security Note
distinct (9999/tcp)
Synopsis : Debugging functions are enabled on the remote HTTP server.
Description : The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods used to debug web server connections. Servers supporting these methods have been shown to be subject to cross-site tracing (XST), a cross-site-scripting variant which, combined with various browser weaknesses, lets an attacker read back the request headers (including cookies and Basic-auth credentials) that a legitimate user's browser sent to the server.
Solution : Disable these methods. See also : http://www.kb.cert.org/vuls/id/867593
Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Plugin output :
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
The rewrite rule only takes effect where mod_rewrite is loaded and must be repeated in every virtual host. Apache 1.3.34 / 2.0.55 and later, which includes the 1.3.41 and 2.0.58 builds detected on this host, also accept the server-wide directive 'TraceEnable off', which makes the server answer TRACE with 405 Method Not Allowed. Either way, confirm the fix by sending a TRACE request and checking that the request is no longer echoed in the response body.
CVE : CVE-2004-2320 BID : 9506, 9561, 11604 OID : 1.3.6.1.4.1.25623.1.0.11213
Security Note
distinct (9999/tcp)
An information leak occurs on Apache based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.
Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'. Or
2) Use a RedirectMatch rewrite rule under Apache -- this works even if there is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).
Options 2 and 3 work because the leak is a status-code oracle: with UserDir enabled, a request for /~realuser/ gets 403 (or 200 if a public_html directory exists) while /~nosuchuser/ gets 404, so an attacker only has to compare the responses for a list of candidate names. A redirect or a shared error document makes both cases look identical; option 1 removes the feature altogether and is preferable unless per-user web pages are actually in use.
Additional Information: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Risk factor : Low CVE : CVE-2001-1013 (listed by the scanner under its old CAN- prefix) BID : 3335 OID : 1.3.6.1.4.1.25623.1.0.10766
Security Note
distinct (9999/tcp)
The following directories were discovered: /cgi-bin, /doc, /icons, /manual. While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards. The following directories require authentication: /phpMyAdmin (this contradicts the phpMyAdmin detection above on the same port, which reported the directory as not password-protected; settle the question by requesting /phpMyAdmin/ and checking for a 401 challenge or a login page). Other references : OWASP:OWASP-CM-006 OID : 1.3.6.1.4.1.25623.1.0.11032
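The three checks that settle the TRACE/XST, UserDir and /phpMyAdmin questions raised in the findings above, as an added example that is not part of the USDN report or of OpenVAS. It speaks raw HTTP over a socket so that the TRACE echo and the exact status codes are visible. The host and port are the ones from this report; the candidate usernames, the X-Probe header value and the constructed responses used when it runs offline are assumptions.

```python
"""Verification probes for the Apache findings on 9999/tcp: TRACE/XST,
UserDir account enumeration and HTTP authentication on /phpMyAdmin.
Added example, not part of the USDN report or of OpenVAS."""
import re
import socket

HOST = "fog.ccsf.cc.ca.us"   # from the report
PORT = 9999                  # Apache/2.0.58 per the report
MARKER = "xst-check-4711"    # arbitrary token we expect TRACE to echo back


def build_request(method, path, host=HOST, extra_headers=()):
    """Raw HTTP/1.1 request; Connection: close makes the server end the exchange."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    lines.extend(extra_headers)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def send_raw(request, host=HOST, port=PORT, timeout=5.0):
    """Send the request over TCP and return the complete response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def status_code(response):
    """Status code from the status line, or None if the reply is not HTTP."""
    match = re.match(rb"HTTP/\d\.\d (\d{3})", response)
    return int(match.group(1)) if match else None


def trace_reflected(response, marker=MARKER):
    """TRACE is usable for XST only if the server answers 200 and echoes the
    request (so our marker header) in the body.  403 from the RewriteRule in
    the finding, 405 from TraceEnable off, or a 200 that does not echo the
    request all count as not exploitable."""
    if status_code(response) != 200:
        return False
    _head, sep, body = response.partition(b"\r\n\r\n")
    return bool(sep) and marker.encode() in body


def leaked_accounts(statuses, control):
    """statuses maps username -> status code of GET /~username/.  'control' is
    a name that must not exist.  With UserDir enabled Apache answers 403 (or
    200) for a real account and 404 for an unknown one, so every name whose
    code differs from the control's is confirmed to exist.  An empty result
    means the RedirectMatch/ErrorDocument fix has removed the oracle."""
    baseline = statuses[control]
    return sorted(n for n, code in statuses.items() if n != control and code != baseline)


def requires_auth(response):
    """True if the resource is behind HTTP authentication (401 + challenge)."""
    return status_code(response) == 401 and b"\r\nWWW-Authenticate:" in response


def probe_trace(host=HOST, port=PORT):
    """Live check: send TRACE carrying the marker header and classify the reply."""
    req = build_request("TRACE", "/", host, [f"X-Probe: {MARKER}"])
    return trace_reflected(send_raw(req, host, port))


def probe_userdir(names, control="zz-no-such-user-4711", host=HOST, port=PORT):
    """Live check: request /~name/ for each candidate plus the control name."""
    statuses = {}
    for name in list(names) + [control]:
        resp = send_raw(build_request("GET", f"/~{name}/", host), host, port)
        statuses[name] = status_code(resp)
    return leaked_accounts(statuses, control)


# Constructed responses (not captured from the host) so the logic runs offline.
TRACE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              b"TRACE / HTTP/1.1\r\nHost: " + HOST.encode() +
              b"\r\nConnection: close\r\nX-Probe: " + MARKER.encode() + b"\r\n\r\n")
TRACE_FORBIDDEN = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\n\r\n"
AUTH_CHALLENGE = (b"HTTP/1.1 401 Authorization Required\r\n"
                  b'WWW-Authenticate: Basic realm="phpMyAdmin"\r\n\r\n')
USERDIR_BEFORE = {"root": 403, "www": 403, "nobody": 404, "zz-no-such-user": 404}
USERDIR_AFTER = {"root": 404, "www": 404, "nobody": 404, "zz-no-such-user": 404}

if __name__ == "__main__":
    print("TRACE reflected:", trace_reflected(TRACE_ECHO))                     # True
    print("UserDir leak:", leaked_accounts(USERDIR_BEFORE, "zz-no-such-user"))  # ['root', 'www']
```

Against the live host, `probe_trace()` should return False once the rewrite rule or 'TraceEnable off' is in place, `probe_userdir(["root", "www", "nobody"])` should return an empty list after any of the three UserDir fixes, and `requires_auth(send_raw(build_request("GET", "/phpMyAdmin/")))` answers the phpMyAdmin question directly.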
Warning
sd (9876/tcp)
The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Sample url : http://fog.ccsf.cc.ca.us:9876/foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp
Risk factor : Medium
Solutions:
. Allaire/Macromedia Jrun: - http://www.macromedia.com/software/jrun/download/update/ - http://www.securiteam.com/windowsntfocus/Allaire_fixes_CrossSite_Scripting_security_vulnerability.html
. Microsoft IIS: - http://www.securiteam.com/windowsntfocus/IIS_CrossSite_scripting_vulnerability__Patch_available_.html
. Apache: - http://httpd.apache.org/info/css-security/
. ColdFusion: - http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
. General: - http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html - http://www.cert.org/advisories/CA-2000-02.html
None of the vendor-specific fixes above applies here: the server on this port identifies itself as GoAhead-Webs (see the server-type note below), an embedded web server, so the remedy is to update or reconfigure that component. Confirm the reflection by hand with the sample URL before acting on it, because this port does not return 404 for missing files (see the note below), which is the condition under which the scanner's reflection and path-based checks become unreliable.
CVE : CVE-2002-1060 BID : 5305, 7344, 7353, 8037, 9245 OID : 1.3.6.1.4.1.25623.1.0.10815
Warning
sd (9876/tcp) Overview: ClearBudget is prone to an unauthorized-access vulnerability because it fails to properly restrict access to certain directories. An attacker can exploit this vulnerability to gain access to database contents. Information harvested can lead to further attacks.
ClearBudget 0.6.1 is vulnerable; other versions may also be affected. Solution: The vendor released an update to address this issue. Please see http://clearbudget.douteaud.com/ for more information. Risk factor : Medium BID : 33643 OID : 1.3.6.1.4.1.25623.1.0.100010
Warning
sd (9876/tcp)
Overview: Turnkey eBook Store is prone to a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials. Turnkey eBook Store 1.1 is vulnerable; other versions may also be affected. Risk factor : Medium BID : 34324 OID : 1.3.6.1.4.1.25623.1.0.100098
Warning
sd (9876/tcp)
Overview: DHCart is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible. DHCart 3.84 is vulnerable; other versions may also be affected.
Risk factor : Medium CVE : CVE-2008-6297 BID : 32117 OID : 1.3.6.1.4.1.25623.1.0.100028
Security Note
sd (9876/tcp)
A web server is running on this port OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note
sd (9876/tcp)
Synopsis : Remote web server does not reply with 404 error code. Description : This web server is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map, search page or authentication page instead. OpenVAS enabled some counter measures for that, however they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate. Risk factor : None OID : 1.3.6.1.4.1.25623.1.0.10386
This is why the XSS, ClearBudget, Turnkey eBook Store and DHCart findings on this port need manual confirmation: those checks rely on telling present paths from absent ones, and a server that answers every request with a page can satisfy them without hosting the application at all.
Security Note
sd (9876/tcp)
The remote web server type is : GoAhead-Webs OID : 1.3.6.1.4.1.25623.1.0.10107
Security Note
sd (9876/tcp)
The following directories were discovered: /cgi-bin, /cgi-bin2. While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards. Other references : OWASP:OWASP-CM-006
OID : 1.3.6.1.4.1.25623.1.0.11032
Vulnerability
mysql (3306/tcp)
Overview: According to its version number, the remote version of MySQL is prone to a security-bypass vulnerability. An attacker can exploit this issue to gain access to table files created by other users, bypassing certain security restrictions. NOTE 1: This issue was also assigned CVE-2008-4097 because CVE-2008-2079 was incompletely fixed, allowing symlink attacks. NOTE 2: CVE-2008-4098 was assigned because fixes for the vector described in CVE-2008-4097 can also be bypassed. This issue affects MySQL 4 prior to 4.1.24 and MySQL 5 prior to 5.0.60; the 5.0.45 build detected on this host (see the version note below) is in range. Solution: Updates are available. Upgrade to 4.1.24 / 5.0.60 or later. See also: http://www.securityfocus.com/bid/29106 Risk factor : Medium CVE : CVE-2008-2079, CVE-2008-4097, CVE-2008-4098 BID : 29106 OID : 1.3.6.1.4.1.25623.1.0.100156
Warning
mysql (3306/tcp)
Overview: The host is running MySQL and is prone to multiple vulnerabilities. Vulnerability Insight: The flaws are due to:
- An error in the 'my_net_skip_rest()' function in 'sql/net_serv.cc' when handling a large number of packets that exceed the maximum length, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption).
- A buffer overflow when handling the 'COM_FIELD_LIST' command with a long table name, which allows remote authenticated users to execute arbitrary code.
- A directory traversal vulnerability when handling '..' (dot dot) in a table name, which allows remote authenticated users to bypass intended table grants and read the field definitions of arbitrary tables.
Impact: Successful exploitation could allow users to cause a denial of service and to execute arbitrary code. Impact Level: Application Affected Software/OS: MySQL 5.0.x before 5.0.91 and 5.1.x before 5.1.47 on all platforms. Fix: Upgrade to MySQL version 5.0.91 or 5.1.47. For updates refer to http://dev.mysql.com/downloads References: http://securitytracker.com/alerts/2010/May/1024031.html http://securitytracker.com/alerts/2010/May/1024033.html http://securitytracker.com/alerts/2010/May/1024032.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html CVE : CVE-2010-1848, CVE-2010-1849, CVE-2010-1850 OID : 1.3.6.1.4.1.25623.1.0.801355
Warning
mysql (3306/tcp)
Overview: MySQL is prone to a denial-of-service vulnerability. An attacker can exploit these issues to crash the database, denying access to legitimate users. These issues affect versions prior to MySQL 5.1.49. Solution: Updates are available. Please see the references for more information. References: https://www.securityfocus.com/bid/42598 http://bugs.mysql.com/bug.php?id=54044 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-49.html http://www.mysql.com/ BID : 42598 OID : 1.3.6.1.4.1.25623.1.0.100763
Warning
mysql (3306/tcp)
Overview: The host is running MySQL and is prone to a denial-of-service vulnerability. Vulnerability Insight: The flaw is due to an error when processing the 'ALTER DATABASE' statement and can be exploited to corrupt the MySQL data directory using the '#mysql50#' prefix followed by a '.' or '..'. NOTE: Successful exploitation requires 'ALTER' privileges on a database. Impact: Successful exploitation could allow an attacker to cause a denial of service. Impact Level: Application Affected Software/OS: MySQL versions prior to 5.1.48 on all platforms. Fix: Upgrade to MySQL version 5.1.48. For updates refer to http://dev.mysql.com/downloads References: http://secunia.com/advisories/40333 http://bugs.mysql.com/bug.php?id=53804 http://securitytracker.com/alerts/2010/Jun/1024160.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-48.html CVE : CVE-2010-2008 BID : 41198 OID : 1.3.6.1.4.1.25623.1.0.801380
Security Note
mysql (3306/tcp)
An unknown service is running on this port. It is usually reserved for MySQL OID : 1.3.6.1.4.1.25623.1.0.10330
Security Note
mysql (3306/tcp)
Overview: MySQL, an open source database system, is running on this host. See also: http://www.mysql.com Risk factor : None MySQL Version '5.0.45-log' was detected on the remote host. OID : 1.3.6.1.4.1.25623.1.0.100152
Security Note
unknown (982/tcp)
RPC program #100068 versions 2, 3, 4 and 5 are running on this port. Program number 100068 is registered to cmsd, the CDE calendar manager daemon (rpc.cmsd), in the standard RPC program list; confirm the mapping with 'rpcinfo -p' against the portmapper on 111/udp. OID : 1.3.6.1.4.1.25623.1.0.11111
Security Note
unknown (56324/tcp)
RPC program #1342177279 version 4 is running on this port RPC program #1342177279 version 1 is running on this port RPC program #1342177279 version 3 is running on this port RPC program #1342177279 version 2 is running on this port OID : 1.3.6.1.4.1.25623.1.0.11111
Security Note
sunrpc (111/udp)
RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port OID : 1.3.6.1.4.1.25623.1.0.11111
Security Note
unknown (49153/udp)
RPC program #100068 version 2 is running on this port RPC program #100068 version 3 is running on this port RPC program #100068 version 4 is running on this port RPC program #100068 version 5 is running on this port OID : 1.3.6.1.4.1.25623.1.0.11111
Security Note
general/tcp
phpMyAdmin version 2.11.9.1 running at location /phpMyAdmin was detected on the host OID : 1.3.6.1.4.1.25623.1.0.900129
Security Note
general/tcp
PHP version 5.2.0 was detected on the host
OID : 1.3.6.1.4.1.25623.1.0.800109
Security Note
general/tcp
Sendmail version 8.14.2 was detected on the host OID : 1.3.6.1.4.1.25623.1.0.800608
Security Note
general/tcp
ICMP based OS fingerprint results: HP UX 11.0x (accuracy 90%)
OID : 1.3.6.1.4.1.25623.1.0.102002
Security Note
general/tcp
Apache Web Server version 1.3.41 was detected on the host OID : 1.3.6.1.4.1.25623.1.0.900498
Security Note
general/tcp
Apache Web Server version 1.3.41 was detected on the host OID : 1.3.6.1.4.1.25623.1.0.900498
Security Note
general/tcp
Apache Web Server version 2.0.58 was detected on the host OID : 1.3.6.1.4.1.25623.1.0.900498
Security Note
ntp (123/udp)
It is possible to determine a lot of information about the remote host by querying the NTP (Network Time Protocol) variables - these include the OS descriptor and time settings. It was possible to gather the following information from the remote NTP host : system='UNIX/HPUX', leap=0, stratum=2, rootdelay=3.86, rootdispersion=5.11, peer=19460, refid=204.152.184.72, reftime=0xd0554574.3613e000, poll=10, clock=0xd0554683.30c20000, phase=0.102, freq=-29503.74, error=0.15
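The query behind this finding, as an added example that is not part of the USDN report or of OpenVAS: a mode 6 READVAR control message, which is what 'ntpq -c rv host' sends, together with a parser for the variable list the daemon returns. The host is the one from the report; the packet used for the offline check is constructed from the variables printed above, and the protocol version field and sequence number are assumptions. Run against the host after the fix, an empty result shows that the daemon now drops the query.

```python
"""Mode 6 READVAR query and response parser for the NTP information leak
(OpenVAS NVT 10884).  Added example, not part of the USDN report or of OpenVAS."""
import re
import socket
import struct

HOST = "fog.ccsf.cc.ca.us"   # from the report
NTP_PORT = 123
MODE_CONTROL = 6
OP_READVAR = 2
# li_vn_mode, r_e_m_opcode, sequence, status, association id, offset, count
HEADER = struct.Struct(">BBHHHHH")


def build_readvar_request(seq=1, assoc_id=0, version=3):
    """12-byte control message: opcode READVAR, association 0 = system variables."""
    li_vn_mode = (version << 3) | MODE_CONTROL
    return HEADER.pack(li_vn_mode, OP_READVAR, seq, 0, assoc_id, 0, 0)


def parse_control_fragment(datagram):
    """Split one control datagram into (more, seq, offset, payload).
    Raises ValueError if it is not a successful READVAR response."""
    if len(datagram) < HEADER.size:
        raise ValueError("short control packet")
    li_vn_mode, rem_op, seq, _status, _assoc, offset, count = HEADER.unpack_from(datagram)
    if li_vn_mode & 0x07 != MODE_CONTROL or rem_op & 0x1F != OP_READVAR:
        raise ValueError("not a READVAR control response")
    if not rem_op & 0x80:           # R bit: this is a response, not a request
        raise ValueError("response bit not set")
    if rem_op & 0x40:               # E bit: daemon reported an error
        raise ValueError("daemon reported an error")
    more = bool(rem_op & 0x20)      # M bit: further fragments follow
    payload = datagram[HEADER.size:HEADER.size + count]
    return more, seq, offset, payload


def parse_variables(text):
    """'a=1, b="x y", c=2' -> {'a': '1', 'b': 'x y', 'c': '2'}."""
    variables = {}
    for key, value in re.findall(r'(\w+)=("[^"]*"|[^,]*)', text):
        variables[key] = value.strip().strip('"')
    return variables


def assemble(fragments):
    """Order fragments by offset and decode the variable list."""
    parts = [p for _m, _s, _o, p in sorted(fragments, key=lambda f: f[2])]
    return parse_variables(b"".join(parts).decode("ascii", "replace"))


def readvar(host=HOST, port=NTP_PORT, timeout=3.0):
    """Live query.  An empty dict means the daemon did not answer, which is
    what 'restrict ... noquery' (or 'ignore') produces once the fix is in."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    fragments = []
    try:
        sock.sendto(build_readvar_request(), (host, port))
        while True:
            fragment = parse_control_fragment(sock.recv(1024))
            fragments.append(fragment)
            if not fragment[0]:
                break
    except socket.timeout:
        return {}
    finally:
        sock.close()
    return assemble(fragments)


def constructed_response(seq=1):
    """Constructed (not captured) reply carrying the variables from the finding."""
    data = (b'system="UNIX/HPUX", leap=0, stratum=2, rootdelay=3.86, '
            b'rootdispersion=5.11, peer=19460, refid=204.152.184.72, '
            b'reftime=0xd0554574.3613e000, poll=10')
    padding = b"\x00" * (-len(data) % 4)
    header = HEADER.pack((3 << 3) | MODE_CONTROL, 0x80 | OP_READVAR, seq, 0, 0, 0, len(data))
    return header + data + padding


if __name__ == "__main__":
    fragment = parse_control_fragment(constructed_response())
    print(assemble([fragment]))   # system, leap, stratum, ... as a dict
```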
Quickfix: Set NTP to restrict default access to ignore all info packets: restrict default ignore
Caveat: 'restrict default ignore' drops every packet from unlisted sources, including ordinary time requests, so it must be paired with explicit restrict lines for the loopback address and for each upstream server (the refid above points at 204.152.184.72) or the daemon stops synchronising. If this host serves time to other systems, 'restrict default kod nomodify notrap nopeer noquery' is the usual alternative: 'noquery' refuses the mode 6 and mode 7 queries that produced this leak while still answering client time requests.
Risk factor : Low OID : 1.3.6.1.4.1.25623.1.0.10884
Warning
xdmcp (177/udp)
The remote host is running XDMCP. This protocol is used to provide X display connections for X terminals. XDMCP is completely insecure, since the traffic and passwords are not encrypted. An attacker may use this flaw to capture all the keystrokes of the users using this host through their X terminal, including passwords. Also XDMCP is an additional login mechanism that you may not have been aware was enabled, or may not be monitoring failed logins on. Solution : Disable XDMCP Risk factor : Medium OID : 1.3.6.1.4.1.25623.1.0.10891
Security Note
echo (7/udp)
Overview: Echo Service is running at this Host. The echo service is an Internet protocol defined in RFC 862. It was originally proposed for testing and measurement of round-trip times in IP networks. While still available on most UNIX-like operating systems, testing and measurement is now performed with the Internet Control Message Protocol (ICMP), using the applications ping and traceroute. Solution: Disable echo Service. Risk factor : Low OID : 1.3.6.1.4.1.25623.1.0.100075
Warning
tftp (69/udp)
The remote host has a TFTP server installed that is serving one or more sensitive HP Ignite-UX files. These files potentially include sensitive information about the hardware and software configuration of the HPUX host, so should not be exposed to unnecessary scrutiny. Solution: If it is not required, disable or uninstall the TFTP server. Otherwise restrict access to trusted sources only. Risk factor: Medium OID : 1.3.6.1.4.1.25623.1.0.19508
Security Note
tftp (69/udp)
Synopsis : The remote host has a TFTP server running. Description : The remote host has a TFTP server running. TFTP stands for Trivial File Transfer Protocol. Solution : Disable the TFTP server if not used. Risk factor : None OID : 1.3.6.1.4.1.25623.1.0.80100