NetRecon Report
 
Network Vulnerabilities Detail Report
Grouped by Vulnerability
Report Generated by: AXENT NetRecon 3.0
Licensed to: INSYS
Serial Number: 1111009453
Machine Scanned from: SC09-26 (148.241.166.127)
Scan Date: 10/27/99
Scan Objective: Heavy scan
Scan Duration: 5 minutes, 0 seconds
Resources Scanned: 148.241.155.240
 
Resources Reported on: all resources scanned
 
Copyright 1999, INSYS
Portions Copyright 1999, AXENT Technologies, Inc.
 
Vulnerability Name: chargen service enabled
Level of Risk: 60
Description: NetRecon has discovered a network resource running the chargen service.

The chargen service causes a TCP server to send a continual stream of characters to the client until the client terminates the connection. chargen can be used legitimately for a number of testing purposes.

Because chargen produces a continual stream of characters, it is susceptible to misuse for denial of service attacks. For example, a single spoofed UDP datagram whose source is one host's echo port and whose destination is another host's chargen port (or the same host's) leaves the two services answering each other indefinitely. This type of attack consumes increasing amounts of network bandwidth, degrading network performance or, in some cases, completely disabling portions of a network.
Solution: To avoid this type of attack, disable the chargen service. Additionally, monitoring attempted access to the chargen service can tip you off to the presence of potential attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.

Microsoft has released a hotfix to address chargen attacks directed at Windows NT 4.0 Simple TCP/IP services. The hotfix applies only to Windows NT hosts; the resource listed below is SunOS 5.6, where the service is disabled by commenting out its entries in inetd.conf and sending inetd a SIGHUP. The hotfix can be downloaded from:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/simptcp-fix (1)
Additional Information:
Links: 1. ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/simptcp-fix
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
proxy.ccm.itesm.mx 148.241.155.240, proxy.ccm.itesm.mx IP host; System V 4; SunOS 5.x+; SunOS 5.6 Protocol = TCP; Port = 19; Service = chargen
 
Vulnerability Name: daytime service enabled
Level of Risk: 11
Description: NetRecon has discovered a network resource running the daytime service.

The daytime service returns the date and time.

The format of the daytime reply can sometimes tell an attacker something about a network resource, such as the operating system it is running. Because daytime answers every datagram it receives, it is also exposed to the spoofed-packet loop described under chargen: a forged UDP packet can link the daytime port to the echo port, consuming network bandwidth.
Solution: You should disable this service if it isn't needed. Additionally, monitoring attempted access to disabled services can tip you off to the presence of attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 13; Service = daytime
 
Vulnerability Name: discard service enabled
Level of Risk: 15
Description: NetRecon has discovered a network resource running the discard service.

The discard service reads packets sent to it and then discards them.

Receiving a connect response from any service verifies that a network resource exists.
Solution: You should disable this service if it isn't needed. Additionally, monitoring attempted access to disabled services can tip you off to the presence of attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 9; Service = discard
 
Vulnerability Name: echo service enabled
Level of Risk: 60
Description: NetRecon has discovered a network resource running the echo service.

The echo service causes a server to return whatever a client sends. It can be used for a number of testing purposes, much like chargen.

Since the echo port returns whatever is sent to it, it is susceptible to attacks that create false return addresses. For example, spoofed packets can link the echo port to the chargen port, creating an infinite loop. This type of attack consumes increasing amounts of network bandwidth, degrading network performance or, in some cases, completely disabling portions of a network.
Solution: To avoid this type of attack, disable the echo service. Additionally, monitoring attempted access to the echo service can tip you off to the presence of potential attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 7; Service = echo
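The two checks below are an added example for the chargen, echo, daytime and discard findings above; they are not part of the NetRecon report. harden_inetd() applies the fix the report recommends on a SunOS-style host (commenting the small services out of inetd.conf), and find_loop_packets() flags the spoofed-datagram loop pattern in a list of packet records. The inetd.conf text and the packet records are constructed sample data, not output captured from the scanned host.

```python
# Added example (not part of the NetRecon report): harden_inetd() comments the
# "small services" out of an inetd.conf text; find_loop_packets() flags UDP
# datagrams whose source and destination ports are both loopable service ports.
# SAMPLE_INETD_CONF and SAMPLE_PACKETS are constructed sample data.

SMALL_SERVICES = {"echo": 7, "discard": 9, "daytime": 13, "chargen": 19}
# Services that answer every datagram and can therefore be made to talk to each
# other forever; discard is not one (it never replies), so a loop ends there.
LOOPABLE_PORTS = {7, 13, 19}

# Constructed sample of a stock inetd.conf fragment (Solaris-style field order:
# service socket-type proto wait-status user server-program arguments).
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
echo    stream  tcp  nowait  root    internal
echo    dgram   udp  wait    root    internal
discard stream  tcp  nowait  root    internal
discard dgram   udp  wait    root    internal
daytime stream  tcp  nowait  root    internal
daytime dgram   udp  wait    root    internal
chargen stream  tcp  nowait  root    internal
chargen dgram   udp  wait    root    internal
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""


def harden_inetd(conf_text, services=SMALL_SERVICES):
    """Comment out every active inetd.conf line for the named services.

    Returns (new_text, number_of_lines_disabled). Both the tcp and the udp
    entries are disabled: the scanner reported only TCP, but the UDP side is
    the one the spoofed loop needs. After the file is written back, inetd
    must be sent SIGHUP to reread it.
    """
    out, disabled = [], 0
    for line in conf_text.splitlines():
        fields = line.split()
        active = fields and not line.lstrip().startswith("#")
        if active and fields[0] in services:
            out.append("#" + line)  # inetd ignores lines starting with '#'
            disabled += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


# Constructed packet records: (proto, src_ip, src_port, dst_ip, dst_port).
SAMPLE_PACKETS = [
    ("udp", "10.0.0.5", 40211, "148.241.155.240", 19),     # normal client
    ("udp", "148.241.155.240", 19, "10.0.0.5", 40211),     # normal reply
    ("udp", "148.241.155.240", 7, "148.241.155.240", 19),  # forged self-loop
    ("udp", "192.0.2.9", 19, "148.241.155.240", 7),        # forged cross-host loop
    ("tcp", "10.0.0.5", 51000, "148.241.155.240", 19),     # TCP needs a handshake
]


def find_loop_packets(packets):
    """Return UDP records whose source *and* destination ports are loopable
    small-service ports. Real clients use an ephemeral source port, so this
    combination is the signature of a forged echo/chargen/daytime loop."""
    return [p for p in packets
            if p[0] == "udp" and p[2] in LOOPABLE_PORTS and p[4] in LOOPABLE_PORTS]


if __name__ == "__main__":
    hardened, n = harden_inetd(SAMPLE_INETD_CONF)
    print(f"disabled {n} inetd entries")
    for pkt in find_loop_packets(SAMPLE_PACKETS):
        print("loop pattern:", pkt)
```

The packet check is deliberately narrow: a forged loop packet carries a service port at both ends, which no legitimate client does, so the rule produces few false positives even on a busy link. The TCP record is left alone because a TCP chargen connection cannot be spoofed into a loop without completing the handshake.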
 
Vulnerability Name: exec service enabled
Level of Risk: 42
Description: NetRecon has discovered a network resource running the exec service.

The exec service (also called rexec) provides remote command execution facilities with authentication based on user names and passwords.

Since the service relies on a user name and password for authentication, it is vulnerable to user name and password guessing; both are also sent in cleartext, so anyone who can observe the traffic can read them.
Solution: If possible, consider disabling the exec service. Additionally, monitoring attempted access to the exec service can tip you off to the presence of potential attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 512; Service = exec
 
Vulnerability Name: finger service enabled
Level of Risk: 37
Description: NetRecon has discovered a network resource running the finger service.

The finger service allows remote users and processes to obtain information about system processes and individual users.

Among other things, finger can provide the following information to an attacker:
- Valid login names
- Users' full names
- Names of other systems
- A user's login shell
Solution: You should disable this service if it isn't needed. Additionally, monitoring attempted access to disabled services can tip you off to the presence of attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 79; Service = finger
 
Vulnerability Name: finger service lists all users
Level of Risk: 39
Description: The finger service answers queries for information about all users. This allows remote attackers to identify and obtain information about all user accounts, and monitor their activity.
Solution: Finger should be configured to disable this query, and unless it is absolutely necessary, finger should be disabled completely. If it must be enabled, finger should reveal minimal information about users, and should require very specific queries.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: finger service lists all users who have ever logged in
Level of Risk: 38
Description: The finger service answers queries for information about users who have ever logged in. This allows remote attackers to identify all accounts which are actively being used.
Solution: Finger should be configured to disallow this query, and unless it is absolutely necessary, finger should be disabled completely. If it must be enabled, finger should reveal minimal information about users, and should require very specific queries.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: finger service lists users currently logged in
Level of Risk: 37
Description: The finger service answers queries for information about users currently logged in. This allows remote attackers to monitor usage of the system, obtain useful social engineering information, and identify some active accounts.
Solution: Finger should be configured to disallow this query, and unless absolutely necessary, finger should be disabled completely. If it must be enabled, finger should reveal minimal information about users, and should require very specific queries.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: finger service lists users who have never logged in
Level of Risk: 38
Description: The finger service answers queries for information about users who have never logged in. This allows remote attackers to identify accounts which are likely to have default passwords, the use of which is unlikely to be noticed. Such accounts are also often easily breached through simple social engineering techniques.
Solution: In general, inactive accounts should not be left on the system. Even disabled accounts can provide potentially useful information for social engineering. Finger should be configured to disallow this query, and unless it is absolutely necessary, finger should be disabled completely. If it must be enabled, finger should reveal minimal information about users, and should require very specific queries.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: finger service recursively redirects queries
Level of Risk: 59
Description: The finger service will act as a proxy, redirecting queries multiple times (possibly through multiple hosts). This can potentially be used to finger machines that are otherwise unreachable. By using a complex series of redirections, an attacker can make it difficult to identify the source of the original query. By recursively redirecting queries to localhost, system resources can be consumed, slowing the system to the point of being unusable.
Solution: Finger should be configured to disable redirection, and unless it is absolutely necessary, finger should be disabled completely. If it must be enabled, finger should reveal minimal information about users, and should require very specific queries.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: finger service redirects queries
Level of Risk: 77
Description: The finger service will act as a proxy, redirecting queries. This can potentially be used to finger machines that are otherwise unreachable, as well as make it difficult to identify who is actually performing the query.
Solution: Finger should be configured to disable redirection, and unless it is absolutely necessary, finger should be disabled completely. If it must be enabled, finger should reveal minimal information about users, and should require very specific queries.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: ftp service enabled
Level of Risk: 42
Description: NetRecon has discovered a network resource running the ftp service.

FTP (file transfer protocol) is a protocol for transferring files between systems. The ftp service is used by many applications for data communications. Some systems also allow users to connect to an ftp server to upload and download files.

ftp servers are vulnerable to a wide range of attacks designed to retrieve files without authorization (including password files) and execute commands on other parts of the server.
Solution: Obtain the latest patches from your vendor. Older versions of ftp on both UNIX and Windows NT contain many security holes. Don't allow anonymous ftp access unless it is absolutely necessary. Configure your system to log all ftp accesses and transfers and periodically check these logs for patterns of misuse.

Make sure the home directory of your ftp server is not writable and disallow connections from system IDs (including root, uucp, nobody, and bin).

AXENT's Intruder Alert can be used to monitor any connections to the ftp port.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 21; Service = ftp
 
Vulnerability Name: http service enabled
Level of Risk: 42
Description: The http service is enabled. HTTP is the protocol used for the World Wide Web. There are many vulnerabilities associated with this service, and new security problems are being discovered with web software all the time.

An enabled http service means the system is running a web server (as opposed to merely being able to reach the WWW with a browser). On this host the service is on port 8080 of a machine named proxy, so it may be an HTTP proxy rather than a web site; confirm which, and if it is a proxy, whether it will forward requests for arbitrary clients.
Solution: Disable HTTP if it is not necessary (that system doesn't need to be a web server).

If HTTP is necessary and is used to host a public web site, consider placing the server in a demilitarized zone (DMZ) on a network segment isolated from systems containing sensitive data.

If HTTP is necessary only for internal use, restrict access from untrusted hosts with a firewall.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Service = http; Port = 8080; Protocol = TCP
 
Vulnerability Name: IP address found from name
Level of Risk: 5
Description: NetRecon has successfully discovered the IP address of a network resource using its name.

If NetRecon discovers the names of any network resources (via Windows networking, for example), it attempts to obtain their IP address as well.

Finding the IP address of a network resource verifies that the resource exists. It also helps attackers identify TCP/IP networks to scan for further resources. Having an IP address also opens up the possibility of a wide range of TCP/IP information gathering (port scans, for example) and attacks.
Solution: Do not allow hosts outside your firewall to resolve internal IP addresses unless absolutely necessary. Public DNS should contain only public systems.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Alias = 148.241.155.240
 
Vulnerability Name: IP name obtained
Level of Risk: 10
Description: NetRecon has discovered the IP name of a network resource.

System names often reveal something about the system. For example, servers sometimes have the word server in the name, systems are named after their users, etc. Systems with an IP address but no name are usually either old, unused systems (which can be attacked with less risk of notice) or protected systems (containing highly significant information).

Knowing system names can, therefore, help attackers focus their attacks on key systems.
Solution: Do not allow hosts outside your firewall to resolve internal IP addresses unless absolutely necessary. Public DNS should contain only public systems.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Alias = proxy.ccm.itesm.mx
 
Vulnerability Name: login names obtained via finger
Level of Risk: 37
Description: One or more finger queries yielded results which included account login names. This information can be used for social engineering or brute force password guessing.
Solution: Unless it is absolutely necessary, finger should be disabled completely. If it must be enabled, finger should reveal minimal information about users, and should require very specific queries.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 79; Service = finger; Login Name = bin
Protocol = TCP; Port = 79; Service = finger; Login Name = daemon
Protocol = TCP; Port = 79; Service = finger; Login Name = sys
Protocol = TCP; Port = 79; Service = finger; Login Name = ogarcia
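The block below is an added example, not code from the report, covering the finger findings above (user listing, query redirection, and login names obtained via finger). It builds the RFC 1288 request line a scanner sends, shows the parse a hardened fingerd must do before it can refuse forwarding or listing (the refusal policy is an assumed configuration, not a Solaris default), and extracts login names from a listing. The listing is a constructed sample in the usual "Login Name TTY Idle When Where" layout, not output captured from the scanned host.

```python
# Added example (not the report's own code): finger request construction, the
# server-side parse/refusal a hardened fingerd applies, and a login-name
# extractor. SAMPLE_LISTING is constructed sample output.


def finger_query(user="", hops=(), verbose=False):
    """Build an RFC 1288 request line.

    An empty user asks the server to list users; each entry in `hops` appends
    an '@host', which is the query redirection the "finger service redirects
    queries" finding describes (each host forwards to the next, the last answers).
    """
    q = ("/W " if verbose else "") + user + "".join("@" + h for h in hops)
    return (q + "\r\n").encode("ascii")


def split_request(raw):
    """Parse an incoming request into (user, hops) the way a server must
    before it can enforce any policy on it."""
    q = raw.decode("ascii", "replace").rstrip("\r\n")
    if q.startswith("/W "):
        q = q[3:]
    parts = q.split("@")
    return parts[0], parts[1:]


def refuse_reason(raw, allow_listing=False, allow_forwarding=False):
    """Policy for a hardened fingerd (assumed configuration, not a default):
    refuse forwarding, and refuse the empty query that lists users unless
    listing is explicitly allowed. Returns None when the request is acceptable."""
    user, hops = split_request(raw)
    if hops and not allow_forwarding:
        return "forwarding refused"
    if not user and not allow_listing:
        return "user listing refused"
    return None


# Constructed sample listing such as an unrestricted fingerd returns for an
# empty query; system accounts appear alongside a real user.
SAMPLE_LISTING = """\
Login       Name               TTY         Idle    When    Where
ogarcia     Sample User        pts/3          12 Wed 09:14  10.1.2.3
bin         ???                              < .  .  .  . >
daemon      ???                              < .  .  .  . >
sys         ???                              < .  .  .  . >
"""


def extract_logins(listing):
    """Return login names in order of appearance, skipping the header line.
    This is the step that turns a finger listing into a wordlist for
    password guessing against exec, login and telnet on the same host."""
    names = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("Login"):
            continue
        login = line.split()[0]
        if login not in names:
            names.append(login)
    return names


if __name__ == "__main__":
    print(finger_query("ogarcia", ("proxy.ccm.itesm.mx",)))
    print(refuse_reason(b"@proxy.ccm.itesm.mx@other.example\r\n"))
    print(extract_logins(SAMPLE_LISTING))
```

Note that the redirection form is nothing more than extra '@host' components in the request line, which is why a fingerd that simply forwards whatever it is handed can be chained through several hosts or pointed back at itself.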
 
Vulnerability Name: login service enabled
Level of Risk: 42
Description: NetRecon has discovered a network resource running the login service.

The login service (sometimes referred to as rlogin) allows remote users to obtain user and sometimes administrator access to a system.

The service authenticates with a user name and password sent in cleartext, or with no password at all when the client host appears in /etc/hosts.equiv or the user's .rhosts file, so it is vulnerable both to user name and password guessing and to spoofing of a trusted host.
Solution: You should disable this service if it isn't needed. Additionally, monitoring attempted access to disabled services can tip you off to the presence of attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 513; Service = login
 
Vulnerability Name: network resource identified
Level of Risk: 16
Description: NetRecon has obtained information that helps to identify a particular network resource. This information could include full or partial identification of the operating system, server types (SMB server, for example), whether a machine is an IP host, etc.

This information can be used by attackers to help focus their attempts to circumvent security.
Solution: Using the data table in NetRecon, determine how the information was obtained. Either eliminate the service responsible or configure it to not give any clues that can help identify the network resource.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Type = IP host
Type = System V
Type = System V; Revision = 4
Type = SunOS
Type = SunOS; Revision = 5.x+
Type = SunOS; Revision = 5.6
 
Vulnerability Name: open RPC service may allow unauthorized activity
Level of Risk: 18
Description: NetRecon has discovered an RPC service.

Remote Procedure Calls (RPC) is a client-server standard for network application communication, allowing applications to communicate and execute functions remotely without having to know anything about the underlying network operating system.

Since the purpose of RPC services is to permit remote execution of programs and functions, a successful attack on an RPC service gives an attacker this ability or denies legitimate users this ability.

An example of a common RPC service is NFS, which is known to be vulnerable to a wide range of attacks, which could result in unauthorized access to files.
Solution: If the service found is not necessary, disable it. If it is necessary, consider using a TCP/UDP wrapper to limit which hosts can use the service. Firewall the portmap service (usually port 111) so that attackers cannot enumerate RPC services from outside the firewall.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Port = 4045; Protocol = UDP; Service = nlockmgr; Revision = 3
Port = 111; Protocol = TCP; Service = rpcbind; Revision = 4
Port = 111; Protocol = TCP; Service = rpcbind; Revision = 3
Port = 4045; Protocol = TCP; Service = nlockmgr; Revision = 2
Port = 32779; Protocol = UDP; Service = 100068; Revision = 2
Port = 32779; Protocol = UDP; Service = 100068; Revision = 3
Port = 32779; Protocol = UDP; Service = 100068; Revision = 4
Port = 32779; Protocol = UDP; Service = 100068; Revision = 5
Port = 32775; Protocol = TCP; Service = 100083; Revision = 1
Port = 111; Protocol = TCP; Service = rpcbind; Revision = 2
Port = 32777; Protocol = TCP; Service = 100230; Revision = 1
Port = 4045; Protocol = UDP; Service = nlockmgr; Revision = 2
Port = 32774; Protocol = TCP; Service = 100235; Revision = 1
Port = 4045; Protocol = TCP; Service = nlockmgr; Revision = 1
Port = 32776; Protocol = TCP; Service = 100229; Revision = 1
Port = 4045; Protocol = TCP; Service = nlockmgr; Revision = 3
Port = 4045; Protocol = TCP; Service = nlockmgr; Revision = 4
Port = 32786; Protocol = UDP; Service = 300598; Revision = 1
Port = 32778; Protocol = TCP; Service = 300598; Revision = 1
Port = 32786; Protocol = UDP; Service = 805306368; Revision = 1
Port = 32778; Protocol = TCP; Service = 805306368; Revision = 1
Port = 32787; Protocol = UDP; Service = 100249; Revision = 1
Port = 32780; Protocol = TCP; Service = 100249; Revision = 1
Port = 4045; Protocol = UDP; Service = nlockmgr; Revision = 4
Port = 32773; Protocol = UDP; Service = rquotad; Revision = 1
Port = 111; Protocol = UDP; Service = rpcbind; Revision = 4
Port = 111; Protocol = UDP; Service = rpcbind; Revision = 3
Port = 4045; Protocol = UDP; Service = nlockmgr; Revision = 1
Port = 32772; Protocol = UDP; Service = sadmind; Revision = 10
Port = 32773; Protocol = TCP; Service = 100221; Revision = 1
Port = 32774; Protocol = UDP; Service = rusersd; Revision = 2
Port = 32774; Protocol = UDP; Service = rusersd; Revision = 3
Port = 32771; Protocol = TCP; Service = rusersd; Revision = 2
Port = 32771; Protocol = TCP; Service = rusersd; Revision = 3
Port = 32775; Protocol = UDP; Service = status; Revision = 1
Port = 32776; Protocol = UDP; Service = sprayd; Revision = 1
Port = 32778; Protocol = UDP; Service = rstatd; Revision = 3
Port = 111; Protocol = UDP; Service = rpcbind; Revision = 2
Port = 32778; Protocol = UDP; Service = rstatd; Revision = 4
Port = 32778; Protocol = UDP; Service = rstatd; Revision = 2
Port = 32777; Protocol = UDP; Service = walld; Revision = 1
Port = 32772; Protocol = TCP; Service = status; Revision = 1
 
Vulnerability Name: open TCP port may allow unauthorized activity
Level of Risk: 14
Description: NetRecon has discovered an open TCP port.

When this vulnerability is included in a NetRecon scan report, the following pieces of information are in the Details section:
-port number
Solution: If the service using this port is not necessary, disable it. If you don't know what this service is, or didn't expect to see it, verify that the service is not a back door left by an intruder. If the service is required only for internal use, firewall it. If the service is required for external use, consider running it from a demilitarized zone, and use appropriate authentication.
Additional Information: If you think your system may have been compromised, see:
http://www.cert.org/nav/recovering.html (1)
Links: 1. http://www.cert.org/nav/recovering.html
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 111; Service = portmap
Protocol = TCP; Port = 9; Service = discard
Protocol = TCP; Port = 25; Service = smtp
Protocol = TCP; Port = 79; Service = finger
Protocol = TCP; Port = 21; Service = ftp
Protocol = TCP; Port = 19; Service = chargen
Protocol = TCP; Port = 32771
Protocol = TCP; Port = 8080
Protocol = TCP; Port = 512; Service = exec
Protocol = TCP; Port = 514; Service = shell
Protocol = TCP; Port = 23; Service = telnet
Protocol = TCP; Port = 513; Service = login
Protocol = TCP; Port = 7; Service = echo
Protocol = TCP; Port = 13; Service = daytime
 
Vulnerability Name: portmap service allows RPC services to be enumerated
Level of Risk: 29
Description: NetRecon has discovered a network resource running the portmap service, and has used portmap to enumerate RPC services.

Remote Procedure Calls (RPC) is a client-server standard for network application communication, allowing applications to communicate and execute functions remotely without having to know anything about the underlying network operating system.

The portmap service can be used to find out which RPC services are running and which ports they're running on, so that an RPC communications session can be started.

Many RPC services are vulnerable to attacks. Knowing which services are running and what ports they're running on helps attackers focus their efforts.

An example of a common RPC service is NFS, which is known to be vulnerable to a wide range of attacks, which could result in unauthorized access to files.
Solution: If it's not absolutely necessary, don't use RPC. If it is necessary, be sure to firewall the portmap port (usually 111). Consider using a TCP/UDP wrapper to limit which hosts can access portmap.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 32771; Service = portmap
Protocol = TCP; Port = 32773; Service = portmap
Protocol = TCP; Port = 32772; Service = portmap
Protocol = UDP; Port = 32774; Service = portmap
Protocol = UDP; Port = 32773; Service = portmap
Protocol = UDP; Port = 32772; Service = portmap
Protocol = TCP; Port = 111; Service = portmap
Protocol = TCP; Port = 32774; Service = portmap
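The block below is an added example, not code from the report, for the two RPC findings above ("open RPC service may allow unauthorized activity" and "portmap service allows RPC services to be enumerated"). It hand-encodes the portmapper DUMP call a scanner sends to port 111 and decodes the reply into the rpcinfo -p style view an attacker works from. The reply bytes are constructed in-process from a subset of the mappings in the table above; nothing is sent on the network. Program names are the standard rpc(4) assignments.

```python
# Added example (not the report's own code): ONC RPC PMAPPROC_DUMP encoder and
# reply decoder using only the struct module. SAMPLE_MAPPINGS is a constructed
# subset of the report's table; PROG_NAMES are the standard rpc(4) numbers.
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PROG_NAMES = {
    100000: "rpcbind", 100001: "rstatd", 100002: "rusersd", 100003: "nfs",
    100005: "mountd", 100008: "walld", 100011: "rquotad", 100012: "sprayd",
    100021: "nlockmgr", 100024: "status", 100232: "sadmind",
}


def pmap_dump_call(xid):
    """ONC RPC v2 CALL message for PMAPPROC_DUMP with AUTH_NULL credentials
    and verifier. Over UDP this is the whole datagram; over TCP it is preceded
    by a 4-byte record mark (0x80000000 | length)."""
    header = struct.pack("!6I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    auth = struct.pack("!4I", 0, 0, 0, 0)  # cred flavor, len, verf flavor, len
    return header + auth


def pmap_dump_reply(xid, mappings):
    """Build the reply a portmapper sends: MSG_ACCEPTED, AUTH_NULL verifier,
    SUCCESS, then an XDR linked list of (prog, vers, prot, port) where each
    entry is prefixed by 1 and the list is terminated by 0."""
    body = struct.pack("!6I", xid, 1, 0, 0, 0, 0)
    for prog, vers, prot, port in mappings:
        body += struct.pack("!5I", 1, prog, vers, prot, port)
    return body + struct.pack("!I", 0)


def parse_pmap_dump_reply(data, expected_xid):
    """Decode a DUMP reply into a list of dicts. Raises ValueError on anything
    other than a successful reply to our own request."""
    xid, mtype, rstat, _vflav, vlen = struct.unpack_from("!5I", data, 0)
    off = 20 + ((vlen + 3) & ~3)  # skip the (4-byte padded) verifier body
    (astat,) = struct.unpack_from("!I", data, off)
    off += 4
    if xid != expected_xid or mtype != 1 or rstat != 0 or astat != 0:
        raise ValueError("not a successful DUMP reply")
    out = []
    while True:
        (more,) = struct.unpack_from("!I", data, off)
        off += 4
        if not more:
            return out
        prog, vers, prot, port = struct.unpack_from("!4I", data, off)
        off += 16
        out.append({"prog": prog, "name": PROG_NAMES.get(prog, str(prog)),
                    "vers": vers, "proto": "tcp" if prot == IPPROTO_TCP else "udp",
                    "port": port})


def exposed_ports(mappings):
    """Collapse per-version entries into the (name, proto, port) triples an
    attacker actually targets, i.e. the rpcinfo -p view."""
    return sorted({(m["name"], m["proto"], m["port"]) for m in mappings})


# Constructed subset of the mappings listed in the report's table.
SAMPLE_MAPPINGS = [
    (100000, 4, IPPROTO_TCP, 111), (100000, 3, IPPROTO_TCP, 111),
    (100000, 4, IPPROTO_UDP, 111),
    (100021, 1, IPPROTO_TCP, 4045), (100021, 4, IPPROTO_UDP, 4045),
    (100232, 10, IPPROTO_UDP, 32772), (100024, 1, IPPROTO_TCP, 32772),
    (100002, 3, IPPROTO_TCP, 32771), (100002, 2, IPPROTO_UDP, 32774),
    (100001, 3, IPPROTO_UDP, 32778), (100008, 1, IPPROTO_UDP, 32777),
]

if __name__ == "__main__":
    xid = 0x19991027
    reply = pmap_dump_reply(xid, SAMPLE_MAPPINGS)
    for name, proto, port in exposed_ports(parse_pmap_dump_reply(reply, xid)):
        print(f"{name:10s} {proto} {port}")
```

The point the decoder makes is that the whole enumeration needs nothing but an unauthenticated 40-byte request to port 111, which is why the report's solution is to firewall portmap rather than rely on the high, unpredictable ports the services themselves bind to.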
 
Vulnerability Name: Sendmail gecos overflow allows shell users root access
Level of Risk: 82
Description: Versions up to and including 8.7.5 of Berkeley sendmail allow shell users to obtain the privileges of root and of the default user account (usually daemon).
Solution: Upgrade sendmail.
Additional Information: See the following CERT Advisory:
ftp://ftp.cert.org/pub/cert_advisories/CA-96.20.sendmail_vul (1)
Links: 1. ftp://ftp.cert.org/pub/cert_advisories/CA-96.20.sendmail_vul
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 25; Service = smtp
 
Vulnerability Name: Sendmail redirect possible
Level of Risk: 34
Description: Versions up to and including 8.8.0 of Berkeley sendmail contain a bug which allows users to redirect any e-mail in the queue addressed to an unqualified domain name to a host of their choosing. In some versions, users may be able to redirect mail even with fully qualified addresses.
Solution: Upgrade sendmail.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: Sendmail resource starvation allows shell users root access
Level of Risk: 83
Description: Versions up to and including 8.7.5 of Berkeley sendmail allow shell users to execute commands as the default user.
Solution: Upgrade sendmail.
Additional Information: See the following CERT Advisory:
ftp://ftp.cert.org/pub/cert_advisories/CA-96.20.sendmail_vul (1)
Links: 1. ftp://ftp.cert.org/pub/cert_advisories/CA-96.20.sendmail_vul
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 25
 
Vulnerability Name: service identified
Level of Risk: 39
Description: NetRecon has identified a service by software product, version, or both.

Knowing the product and/or version allows attackers to precisely focus their attacks.

Berkeley sendmail, for example, is known to be vulnerable to certain exploits in some versions, but not in others. If attackers can identify that you are running a vulnerable version of Berkeley sendmail they can direct known exploits towards those resources. Even for services with no known exploits, it is possible that vulnerabilities will be discovered in the future.

If attackers can obtain version information for a service, they can eliminate attacks known to fail with that version, or try attacks known to work with that version. Eliminating techniques to try is helpful in speeding up the attack, and can also help to avoid alerting administrators, since it is usually possible to monitor attempted exploits of fixed vulnerabilities.
Solution: Consider the benefits of product identification and weigh them against the security risk. Remove unique banners from services wherever practical. If the identifying information cannot be suppressed, consider using a different product.

For the extremely security conscious, it can sometimes be worthwhile to provide intentionally misleading identification of the service product and version. This misdirects attackers to attempt to exploit vulnerabilities which are not present. The administrator can monitor such attacks and take appropriate action to stop attackers before they are successful. Keep in mind that incorrect banners will also fool NetRecon.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Service = nlockmgr; Revision = 2; Protocol = TCP; Port = 4045
Service = 100221; Revision = 1; Protocol = TCP; Port = 32773
Service = 100068; Revision = 2; Protocol = UDP; Port = 32779
Service = rpcbind; Revision = 4; Protocol = TCP; Port = 111
Service = 100068; Revision = 4; Protocol = UDP; Port = 32779
Service = 100068; Revision = 5; Protocol = UDP; Port = 32779
Service = 100083; Revision = 1; Protocol = TCP; Port = 32775
Service = 100229; Revision = 1; Protocol = TCP; Port = 32776
Service = 100230; Revision = 1; Protocol = TCP; Port = 32777
Service = nlockmgr; Revision = 1; Protocol = UDP; Port = 4045
Service = nlockmgr; Revision = 2; Protocol = UDP; Port = 4045
Service = nlockmgr; Revision = 3; Protocol = UDP; Port = 4045
Service = rstatd; Revision = 4; Protocol = UDP; Port = 32778
Service = nlockmgr; Revision = 1; Protocol = TCP; Port = 4045
Service = 100235; Revision = 1; Protocol = TCP; Port = 32774
Service = nlockmgr; Revision = 3; Protocol = TCP; Port = 4045
Service = nlockmgr; Revision = 4; Protocol = TCP; Port = 4045
Service = 300598; Revision = 1; Protocol = UDP; Port = 32786
Service = 300598; Revision = 1; Protocol = TCP; Port = 32778
Service = 805306368; Revision = 1; Protocol = UDP; Port = 32786
Service = 805306368; Revision = 1; Protocol = TCP; Port = 32778
Service = 100249; Revision = 1; Protocol = UDP; Port = 32787
Service = smtp/SMI Sendmail; Protocol = TCP; Port = 25
Service = smtp/Berkeley Sendmail; Protocol = TCP; Port = 25
Service = 100249; Revision = 1; Protocol = TCP; Port = 32780
Service = smtp/SMI Sendmail; Revision = 8.6; Protocol = TCP; Port = 25
Service = smtp/Berkeley Sendmail; Revision = 25; Protocol = TCP; Port = 25
Service = nlockmgr; Revision = 4; Protocol = UDP; Port = 4045
Service = rusersd; Revision = 2; Protocol = TCP; Port = 32771
Service = rpcbind; Revision = 3; Protocol = TCP; Port = 111
Service = rpcbind; Revision = 2; Protocol = TCP; Port = 111
Service = rpcbind; Revision = 4; Protocol = UDP; Port = 111
Service = rpcbind; Revision = 3; Protocol = UDP; Port = 111
Service = rpcbind; Revision = 2; Protocol = UDP; Port = 111
Service = sadmind; Revision = 10; Protocol = UDP; Port = 32772
Service = 100068; Revision = 3; Protocol = UDP; Port = 32779
Service = rstatd; Revision = 3; Protocol = UDP; Port = 32778
Service = rusersd; Revision = 2; Protocol = UDP; Port = 32774
Service = rusersd; Revision = 3; Protocol = UDP; Port = 32774
Service = rquotad; Revision = 1; Protocol = UDP; Port = 32773
Service = rusersd; Revision = 3; Protocol = TCP; Port = 32771
Service = status; Revision = 1; Protocol = TCP; Port = 32772
Service = sprayd; Revision = 1; Protocol = UDP; Port = 32776
Service = rstatd; Revision = 2; Protocol = UDP; Port = 32778
Service = status; Revision = 1; Protocol = UDP; Port = 32775
Service = walld; Revision = 1; Protocol = UDP; Port = 32777
 
Vulnerability Name: shell service enabled
Level of Risk: 42
Description: The shell service (rsh) provides remote execution facilities with authentication based on privileged port numbers and trusted hosts.

It is possible to configure this service to allow anyone with a valid user name to execute commands without authentication.
Solution: You should disable this service if it isn't needed. Additionally, monitoring attempted access to disabled services can tip you off to the presence of attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.
Additional Information:
Links: 1. http://www.cs.purdue.edu/coast/satan-html/tutorials/vulnerability/remote_shell_access.html
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 514; Service = shell
 
Vulnerability Name: SMTP allows remote command execution via bounce filter
Level of Risk: 86
Description: Attackers can execute arbitrary shell commands by giving a program filter (an address that names a command rather than a mailbox) as the return address of a message that will bounce; the bounce is then delivered by running the command.

Note: If your SMTP software does not support filters, this is not a vulnerability. If you are not sure if your SMTP software supports filters, contact your vendor.
Solution: Upgrade or replace your SMTP server, or verify that it does not support filters.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Service = smtp; Protocol = TCP; Port = 25
 
Vulnerability Name: SMTP allows user verification with rcpt
Level of Risk: 35
Description: NetRecon has discovered a network resource running an SMTP implementation that allows rcpt verification.

Some SMTP mail transport agents (MTAs) will return an error if the recipient of a mail message isn't valid. This fact can be used much like VRFY to determine whether particular mail accounts exist.
Solution: If possible, disable this feature in your MTA. If it is not possible, consider upgrading or switching to an MTA that permits disabling of rcpt verification.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: SMTP configuration allows relaying
Level of Risk: 61
Description: Your SMTP configuration allows relaying of e-mail between arbitrary hosts. This is the default in many older SMTP implementations. Some SMTP implementations do not allow you to block relaying. Berkeley Sendmail introduced relay-blocking in version 8.8, but it must be enabled.

This vulnerability is actively exploited by bulk e-mail solicitors (spammers), allowing them to conceal their identity and decrease the demand on their own resources.

Exploitation can result in consumption of disk space and bandwidth. Recipients may mistakenly identify your site as the source of unwanted e-mail, which can lead to further attacks.
Solution: Disable SMTP or upgrade and (if necessary) configure your SMTP server to deny relaying.
Additional Information: Sendmail home page:
http://www.sendmail.org/ (1)
Sendmail 8.8 anti-relay configuration information:
http://falbala.informatik.uni-kiel.de/~ca/email/check.html (2)
Hewlett-Packard Sendmail upgrade information:
http://www.software.hp.com/software/HPsoftware/Sendmail/index.html (3)
Sun Microsystems states that Solaris 2.7 will ship with Sendmail 8.8, and that a backport of Sendmail 8.8 will be available soon for prior operating system versions.
Links: 1. http://www.sendmail.org/
2. http://falbala.informatik.uni-kiel.de/~ca/email/check.html
3. http://www.software.hp.com/software/HPsoftware/Sendmail/index.html
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Port = 25; Protocol = TCP; Service = smtp
 
Vulnerability Name: SMTP connections can be established quickly
Level of Risk: 20
Description: NetRecon has discovered an SMTP implementation that allows connections to be made very quickly.

Since SMTP mail transport agents (MTAs) are notorious for having many security problems, they are common targets for attackers. If an attacker can make quick connections to the MTA, they can test out a number of potential problems with relative ease. If, however, there is a substantial delay for each test performed, there is a greater chance that an attacker will lose patience and move on to another target.

Assuming the NetRecon system is not running an ident server, this vulnerability also typically indicates that the MTA does not attempt to ident the connection.
Solution: Some MTAs have a secure mode that prevents rapid connections. If possible, put your MTA into a secure mode. If it is not possible, consider upgrading or switching to another MTA.

Using ident authentication can make it easier to trace abuse and warn of possible e-mail forgeries. Enable ident authentication if your MTA supports it.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Service = smtp; Protocol = TCP; Port = 25
 
Vulnerability Name: SMTP EXPN feature enabled
Level of Risk: 35
Description: The expn command allows a client to expand a mail address. If it is a shell user address, it shows the results of aliasing through a user's ~/.forward file. If the address is an alias, it shows all the addresses that result from the alias expansion. The expn command is generally used for testing purposes, to test the validity of aliases.

Many systems have easily guessable mail distribution aliases (such as everyone, all, staff, etc.). Being able to expand such aliases to obtain particular user names is very useful to attackers. Some user names are the same as system names, and some accounts have identical user names and passwords.

The expn command also allows an attacker to verify particular user names.
Solution: Consider disabling the expn command in your MTA implementation (commonly sendmail). If you choose not to disable expn, enable logging. Some newer versions of sendmail allow detailed logging of requests and include a privacy option, which allows you to require that requesting sites identify themselves before certain operations can take place. Check with your vendor for the details of the latest MTA program version.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: SMTP recipient identified
Level of Risk: 37
Description: NetRecon has identified a valid mail account.

A valid mail account could be a user or an alias. Each valid account name is a potential login name for network resources on the same network. Knowing valid mail accounts opens up the possibility of social engineering attacks. Attackers can also use valid mail accounts for mail bombing attacks.
Solution: Disable features of your SMTP mail transport agent (MTA) that allow verification and discovery of mail accounts. The most common examples are: VRFY, EXPN, and rcpt notification.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Miscellaneous = SMTP recipient=majordomo; Service = smtp; Protocol = TCP; Port = 25
 
Vulnerability Name: smtp service enabled
Level of Risk: 45
Description: The smtp service uses the Simple Mail Transfer Protocol (SMTP) to send electronic messages. The smtp service may be used to obtain information about valid user names and other systems in the network.

The smtp service is vulnerable to a variety of attacks.
Solution: Disable this service if it isn't necessary.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 25; Service = smtp
 
Vulnerability Name: SMTP supports EHLO greeting
Level of Risk: 9
Description: NetRecon has discovered an SMTP implementation that responds to the EHLO greeting protocol.

The EHLO greeting protocol is an indication of the ESMTP (Extended Simple Mail Transfer Protocol) protocol. ESMTP has additional vulnerabilities, so knowing that a network resource supports it permits an attacker to focus their efforts.
Solution: Configure your mail transport agent (MTA) to permit the minimum amount of information transfer necessary for completing mail transport tasks.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Service = smtp; Protocol = TCP; Port = 25
 
Vulnerability Name: SMTP VRFY feature enabled
Level of Risk: 35
Description: NetRecon has discovered an SMTP implementation that allows mail accounts to be verified.

The smtp (the service used to handle e-mail) vrfy command allows a client to verify whether a particular address is valid. The vrfy command is sometimes used by e-mail applications to verify that users exist before sending them messages.

Being able to verify particular user names is very useful to attackers. Some user names are the same as system names, and some accounts have identical user names and passwords. An attacker can also use the vrfy command to search for common distribution aliases (such as everyone, all, or staff), which can then be expanded to reveal many valid user names.
Solution: Consider disabling the vrfy command in your MTA implementation (commonly sendmail). If vrfy is required by any of the applications you use, enable the logging option. Obtain the newest version of your MTA. Many newer versions of sendmail allow detailed logging of sendmail requests, including the hostname or IP address of the requester.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: Solaris library overflows allow remote root access
Level of Risk: 87
Description: NetRecon has discovered a network resource running a version of Solaris that may be susceptible to unauthorized access attacks.

Any program linked with libc and/or libnsl on unpatched Solaris 2.5/2.5.1 (SunOS 5.5/5.5.1) systems is vulnerable to a buffer overflow. Setuid or setgid programs using these libraries can be exploited to gain access. This vulnerability can be exploited by remote attackers to gain root access.

Note: This vulnerability is detected based on version information, which means NetRecon reports it even if you have applied the solution, as long as the version number remains the same.
Solution: Upgrade or patch your operating system.
Additional Information: See the following CERT advisory:
ftp://ftp.cert.org/pub/cert_advisories/cert_bulletins/VB-96.18.sun (1)
Links: 1. ftp://ftp.cert.org/pub/cert_advisories/cert_bulletins/VB-96.18.sun
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: Solaris rpcbind could be on an unprotected high port
Level of Risk: 13
Description: NetRecon has discovered a network resource running an operating system version that may be providing a service not protected by a firewall.

SunOS versions 5.3, 5.4, 5.5, 5.5.1, 5.4_x86, 5.5_x86, and 5.5.1_x86 ship with an rpcbind program which listens on a high port (greater than 32770) as well as the standard TCP and UDP port 111, thus escaping the notice of many firewalls.

Attackers can use this vulnerability to obtain RPC program information, allowing them to identify hosts running vulnerable RPC programs.

Note: This vulnerability is detected based on version information, which means NetRecon reports it even if you have applied the solution, as long as the version number remains the same.
Solution: Upgrade or patch your operating system.
Additional Information: See the following CERT Vendor-Initiated Bulletin:
ftp://ftp.cert.org/pub/cert_advisories/cert_bulletins/VB-96.18.sun (1)
Links: 1. ftp://ftp.cert.org/pub/cert_advisories/cert_bulletins/VB-96.18.sun
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 
Vulnerability Name: Solaris rpcbind high port is open
Level of Risk: 32
Description: NetRecon has discovered a network resource running a service that may not be protected by a firewall.

SunOS versions 5.3, 5.4, 5.5, 5.5.1, 5.4_x86, 5.5_x86, and 5.5.1_x86 ship with an rpcbind program which listens on a high port (greater than 32770) as well as the standard TCP and UDP port 111, thus escaping the notice of many firewalls.

Attackers can use this vulnerability to obtain RPC program information, allowing them to identify hosts running vulnerable RPC programs.

Note: This vulnerability is detected based on version information, which means NetRecon reports it even if you have applied the solution, as long as the version number remains the same.
Solution: Upgrade or patch your operating system or only permit rpcbind to run on a privileged port (1-1024).
Additional Information: See the following CERT Vendor-Initiated Bulletin:
ftp://ftp.cert.org/pub/cert_advisories/cert_bulletins/VB-96.18.sun (1)
Links: 1. ftp://ftp.cert.org/pub/cert_advisories/cert_bulletins/VB-96.18.sun
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = UDP; Port = 32772; Service = portmap
Protocol = UDP; Port = 32774; Service = portmap
Protocol = TCP; Port = 32771; Service = portmap
Protocol = TCP; Port = 32772; Service = portmap
Protocol = TCP; Port = 32774; Service = portmap
Protocol = TCP; Port = 32773; Service = portmap
Protocol = UDP; Port = 32773; Service = portmap
 
Vulnerability Name: telnet service enabled
Level of Risk: 42
Description: NetRecon has discovered a network resource running the telnet service.

The telnet service provides remote execution facilities with authentication based on user names and passwords.

Since the service relies on user names and passwords for authentication, it is vulnerable to user name and password guessing.
Solution: You should disable this service if it isn't needed. Additionally, monitoring attempted access to disabled services can tip you off to the presence of attackers.

AXENT's Intruder Alert can be used to disable and monitor attempted connections to this service.
Additional Information:
Links:
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
Protocol = TCP; Port = 23; Service = telnet
 
Vulnerability Name: volrmmount allows shell users root access
Level of Risk: 91
Description: NetRecon has discovered a network resource running an operating system version known to be susceptible to unauthorized access attacks.

Version 5.6 of SunOS contains a vulnerable volrmmount program which can be used by shell users to read any file on the system, or obtain root access.

Note: This vulnerability is detected based on version information, which means NetRecon reports it even if you have already applied the appropriate patch or disabled volrmmount.
Solution: Install the appropriate patch, or disable volrmmount.
Additional Information: CIAC Security Bulletin about this vulnerability:
http://ciac.llnl.gov/ciac/bulletins/i-030.shtml (1)
Links: 1. http://ciac.llnl.gov/ciac/bulletins/i-030.shtml
# of Network Resources: 1
 
Network Resource Name Aliases Network Resource Type Details
 