Your Company Vulnerability Descriptions - January 2008


Vulnerability Statistics

High risk vulnerabilities found:   12
Medium risk vulnerabilities found: 17
Low risk vulnerabilities found:    15
SANS vulnerabilities found:        16
New vulnerabilities found:         9
Urgent vulnerabilities found:      2
Overdue vulnerabilities found:     3

4 systems (31%) had high risk vulnerabilities.
5 systems (38%) had medium risk vulnerabilities.
1 system (8%) had low risk vulnerabilities.
7 systems (54%) had SANS vulnerabilities.
10 systems (77%) had vulnerabilities.
3 systems (23%) had no vulnerabilities.
1 system (8%) had urgent vulnerabilities.
2 systems (15%) had overdue vulnerabilities.
Scan Type:       Enterprise
Start Date:      13-Jan-08 11:54
End Date:        13-Apr-08 13:47
Systems Scanned: 13
New Systems:     3


Summary of Vulnerabilities


Vulnerability 90027: High Risk Ports Open (3 Systems, High Risk)
Description: The following high risk ports are open:
[For specific url or description click server link below.]
It is generally not recommended to expose these ports to the internet as they may be used as attack vectors. If access to these services from remote sites is required, tunnelling or a VPN would be recommended instead of exposing these ports.

Note: Even if the ports are immediately closed after being opened, this is still a security risk as packets are reaching the destination host. It is recommended to completely drop packets from untrusted sources instead.

Solution: Ensure that the ports are filtered by your router or firewall, or close the ports on the affected systems.
Systems:
  sql2.manc.yourcompany.com (192.168.1.53) [Nov 2007]
  www.your_company.nl (192.168.0.103) [May 2007]
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 11030: Apache < 1.3.26 Chunked Encoding Vulnerability [SANS] (2 Systems, High Risk)
Description: This system is running a vulnerable version of Apache, according to its banner. There is a buffer overrun vulnerability in code related to chunked encoding. A remote attacker could use this to crash the service and may be able to take control of the system.
Solution: Upgrade to an unaffected version, or apply a patch.
References: CVE-2002-0392; Apache Security Alert; CERT Advisory CA-2002-17; Bugtraq ID 5033; Oracle Security Alert #36
Systems:
  www.example.com (192.168.0.112) NEW
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 10264: SNMP Default Community Names [SANS] (2 Systems, High Risk)
Description: This system is running an SNMP agent which uses an easily guessable community string. This enables an attacker to extract a large amount of useful information. If a writeable community string is guessable, an attacker could make configuration changes to the server. Here is a sample of the information that can be extracted:
[For specific url or description click server link below.]

Solution: Disable SNMP, or change the community string to something unguessable.
References: CVE-1999-0517; CVE-1999-0186; CVE-1999-0254; CVE-1999-0516
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Systems:
  www.your_company.nl (192.168.0.103) NEW
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 11424: IIS WebDAV Buffer Overrun (1 System, High Risk)
Description: This system is an IIS server running WebDAV. This may be vulnerable to a buffer overrun when a malicious WebDAV request is sent. When running on an unpatched Windows 2000 server, a remote attacker could use this to crash the service or take control of the system.
Note: This may be a false positive as it is not possible to determine remotely if the patch has been applied.
Solution: Apply the patch from Microsoft. In addition, we suggest you edit the registry to disable WebDAV, following these instructions. If you do not disable WebDAV, this vulnerability will continue to appear until you stoplist it.
References: Microsoft Security Bulletin MS03-007; CERT Advisory CA-2003-09; Microsoft Knowledge Base Q241520; CVE-2003-0109
Systems:
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 10481: MySQL Database Accessible Without Password [URGENT] (1 System, High Risk)
Description: This system is running a MySQL service that allows network connections with no password. A remote attacker could use this to manipulate the database in any way. The unpassworded accounts are:
[For specific url or description click server link below.]

Solution: Add a password or restrict access to trusted addresses.
References: Bugtraq ID 11704; CVE-2004-1532
Deadline: 01 April 2008
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Systems:
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 10605: BIND < 8.2.3 Buffer Overrun [SANS] [OVERDUE] (1 System, High Risk)
Description: This system is running a vulnerable version of BIND, according to its banner. There is a buffer overrun vulnerability in code related to transaction signatures (TSIG). A remote attacker could use this to crash the service and take control of the system.
Solution: Upgrade to an unaffected version, or apply a patch.
References: CVE-2001-0011; CVE-2001-0012; CVE-2001-0013; CVE-2001-0010
Deadline: 13 August 2007
Systems:
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 11192: MySQL < 3.23.54, 4.0.6 Multiple Vulnerabilities [SANS] [OVERDUE] (1 System, High Risk)
Description: This system is running a version of MySQL which is older than 3.23.54 or 4.0.6. These contain multiple vulnerabilities that allow remote users with no login credentials to bypass authentication, crash the service and execute arbitrary code.
Solution: Upgrade to the latest version.
References: CVE-2002-1373; CVE-2002-1374; CVE-2002-1375; Bugtraq ID 6368; Bugtraq ID 6370; Bugtraq ID 6373; Bugtraq ID 6374; Bugtraq ID 6375; Bugtraq ID 8796; CVE-2002-1376
Deadline: 13 September 2007
CVSS Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Systems:
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 11316: Sendmail < 8.12.8 Buffer Overrun [SANS] [URGENT] (1 System, High Risk)
Description: This system is running a vulnerable version of Sendmail, according to its banner. There is a buffer overrun vulnerability in code related to message header parsing. A remote attacker could use this to crash the service or possibly take control of the system. This version may also be vulnerable to a flaw in smrsh which allows local users to escalate their privileges.
Solution: Upgrade to an unaffected version, or apply a patch.
References: CVE-2001-1349; CVE-2002-1337; CVE-2002-1165
Deadline: 01 May 2008
Systems:
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 11718: Lotus Domino < 5.0.9 Database Lock DoS [NEW] (1 System, Medium Risk)
Description: This system is running a vulnerable version of Lotus Domino, according to its banner. There is a vulnerability in the code related to database locking. A remote attacker could use this to lock out some databases, by requesting them through the web interface with a carefully crafted URL.
Solution: Upgrade to an unaffected version, or apply a patch.
References: CVE-2001-0954
Systems:
  www.yourcompany.com.my (192.168.0.106) NEW

Vulnerability 11267: OpenSSL < 0.9.6j, 0.9.7b Password Interception [SANS] [NEW] (1 System, Medium Risk)
Description: According to its banner, the remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing based attack which may allow an attacker to guess the content of fixed data blocks, such as passwords or credit card numbers.
Solution: Upgrade to an unaffected version.
References: CVE-1999-0428; CVE-2003-0078; CVE-2003-0131; CVE-2003-0147
Systems:
  www.example.com (192.168.0.112) NEW

Vulnerability 11378: MySQL < 3.23.56 Privilege Escalation [SANS] (3 Systems, Medium Risk)
Description: This system is running a vulnerable version of MySQL, according to its banner. There is insufficient permissions checking in code related to the "select into outfile" SQL command. A database user could use this to overwrite configuration files and escalate privileges.
Solution: Upgrade to an unaffected version, or apply a patch.
References: Bugtraq ID 7052; CVE-2003-0150
CVSS Score: 9 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Systems:
  mail.example.com (192.168.0.111) [May 2007]
  sql2.manc.yourcompany.com (192.168.1.53) [Dec 2007]
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 11137: Apache < 1.3.27 Multiple Vulnerabilities (2 Systems, Medium Risk)
Description: This system is running a vulnerable version of Apache, according to its banner. There is a cross-site scripting vulnerability through the Host: header, if UseCanonicalName is Off. Exploitation is only possible where wildcard DNS is used. There is also a buffer overrun in the ApacheBench module; if this is enabled, it may allow arbitrary code execution. A further vulnerability exists in the shared memory scoreboard, but this is only exploitable by a local user.
Solution: Upgrade to an unaffected version, or apply a patch.
Workaround: Set UseCanonicalName to On and disable ApacheBench.
References: CVE-2002-0840; CVE-2002-0839; CVE-2002-0843
Systems:
  www.example.com (192.168.0.112) NEW
  www.yourcompany.co.uk (192.168.0.100) [Nov 2007]

Vulnerability 11039: Apache mod_ssl < 2.8.10 Off-by-One Vulnerability (2 Systems, Medium Risk)
Description: This system is running a vulnerable version of the mod_ssl Apache module. There is an "off by one" buffer overrun in code related to parsing configuration. A local user with control over .htaccess files could use this to crash the service or take control of the system.
Solution: Upgrade to an unaffected version, or apply a patch.
References: CVE-2002-0653; Securiteam advisory; Bugtraq ID 5084
Systems:
  www.example.com (192.168.0.112) NEW
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 11041: Apache Tomcat / Servlet Cross-Site Scripting [SANS] (1 System, Medium Risk)
Description: By forcing the invoker servlet to throw an exception, an attacker can embed HTML code in the server's response. Special characters are not escaped, so malicious JavaScript can be embedded, which runs with the same access rights as other scripts on the server. An attacker can use this to steal cookies, redirect form output, etc. An example URL to exploit this is:
[For specific url or description click server link below.]

Solution: Edit /tomcat-install-dir/conf/web.xml to unmap the invoker servlet, currently mapped to /servlet/
References: CVE-2002-0682
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Systems:
  mail.example.com (192.168.0.111) [May 2007]

Vulnerability 11299: MySQL < 3.23.55 Multiple Vulnerabilities [SANS] (1 System, Medium Risk)
Description: This system is running a vulnerable version of MySQL, according to its banner. Insufficient permissions checking related to the "select into outfile" SQL command allows a database user to escalate their privileges to root. There is also a double free vulnerability that allows a database user to crash the service. A "database user" could be a remote attacker who has valid database credentials.
Solution: Upgrade to an unaffected version, or apply a patch.
References: CVE-2003-0073; CVE-2003-0150
CVSS Score: 4 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Systems:
  sql2.manc.yourcompany.com (192.168.1.53) [Nov 2007]

Vulnerability 10249: SMTP Server Allows VRFY/EXPN (1 System, Medium Risk)
Description: This system is running an SMTP server which allows the VRFY and/or EXPN commands. These can be used to check the validity of accounts, find the delivery address of mail aliases, or even determine the full name of a recipient. An attacker could use this information to focus their attacks, or aid social engineering. The information leakage is unnecessary, so you should disable these commands.
Solution: If you are using sendmail, add the configuration directive 'PrivacyOptions=goaway'. For other mail daemons, consult the documentation.
References: CVE-1999-0531
CVSS Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Systems:
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 10815: Cross-Site Scripting (1 System, Medium Risk)
Description: This system is running a web server or web application which is vulnerable to Cross-Site Scripting (XSS) attacks. Certain pages include user-supplied input in the response and HTML special characters are not escaped. An attacker could use this to inject malicious JavaScript or HTML code, which will run at the same trust level as the server. This may enable them to steal session cookies, form details, etc. An example that demonstrates this is:
[For specific url or description click server link below.]
This is simply an example that illustrates the problem; you should fix the underlying issue rather than attempting to prevent this particular exploit from working.

Note: This vulnerability must be addressed server-side. Adding JavaScript (client-side) validation on form fields does not offer any protection against Cross-Site Scripting or other attacks.

Solution: Recode your web application to ensure all user-supplied input is escaped when displayed, or contact your web application vendor for a patch. Any JavaScript-based fix will not be effective.
References: XSS Anatomy; CVE-2002-1060; General Info; CERT Advisory CA-2000-02; PHP htmlspecialchars quoting function; How To: Prevent Cross-Site Scripting in ASP.NET
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Systems:
  www.yourcompany.net (192.168.0.102) [Dec 2007]

Vulnerability 10629: Lotus Domino Anonymous Database Access (1 System, Medium Risk)
Description: This system is running Lotus Domino. Some databases are accessible without authentication:
[For specific url or description click server link below.]
This usually represents a security risk as the information contained is accessible to anyone on the internet.
Solution: Reconfigure Domino to require authentication for these databases.
References: CVE-2002-0664; CVE-2000-0021
CVSS Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Systems:
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 12110: OpenSSL < 0.9.6m, 0.9.7d Multiple Vulnerabilities [SANS] (1 System, Medium Risk)
Description: This system is running a vulnerable version of OpenSSL, according to its banner. A remote attacker could crash the service by conducting a deliberately invalid SSL/TLS handshake. Also, this version is vulnerable to a timing based attack which may allow an attacker to guess the content of fixed data blocks, such as passwords or credit card numbers.
Solution: Upgrade to an unaffected version, or apply a patch.
References: Bugtraq ID 9899; CVE-2004-0079; CVE-2004-0081; CVE-2004-0112; CVE-1999-0428; CVE-2003-0078; CVE-2003-0131; CVE-2003-0147
CVSS Score: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Systems:
  apollo.example.com (192.168.0.81) [Nov 2007]

Vulnerability 10394: SMB NULL Session [SANS] (1 System, Medium Risk)
Description: It is possible to log into the remote host using a null username and password, and gain guest access. This may allow an attacker to enumerate users and shares.
Solution: Disable NULL session access, or use a firewall to restrict access to this service.
References: CVE-2000-0222; CVE-2002-1117; http://www.softheap.com/security/session-access.html; CVE-1999-0505; CVE-1999-0504; CVE-1999-0506
Systems:
  dns0.example.com (192.168.0.110) [Oct 2007]

Vulnerability 10539: Globally Useable Name Server [SANS] (1 System, Medium Risk)
Description: This system is running a name server that allows any system on the Internet to perform recursive queries and resolve third-party domain names. A remote attacker could use this to extract information about your name lookup patterns, and may be able to perform DNS cache poisoning attacks.
Solution: Restrict recursive queries to trusted addresses. For servers running BIND, use the allow-recursion or allow-query directives.
References: CVE-1999-0024; Securing Windows Server 2003 Domain Controllers
CVSS Score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Systems:
  www.yourcompany.net (192.168.0.102) [May 2007]

Vulnerability 10882: SSH Protocol Version 1 Enabled [NEW] (1 System, Low Risk)
Description: This system is running an SSH service with SSH protocol version 1 enabled. This version of the protocol is not completely cryptographically secure. A passive eavesdropper could use these weaknesses to extract information such as the lengths of passwords and commands.
Solution: Configure your SSH service to only use protocol version 2. For OpenSSH, set the 'Protocol' option to '2'.
References: CVE-2001-0572
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Systems:
  www.yourcompany.net (192.168.0.102) NEW

Vulnerability 11213: TRACE and/or TRACK Methods Enabled (2 Systems, Low Risk)
Description: This system supports the HTTP TRACE and/or TRACK methods. These increase the exploitability of any cross-site scripting vulnerabilities that may exist in your site. As they are primarily intended for debugging, they can be turned off without reduction of service.
Solution: Disable these methods on production servers.
IIS: Use the IIS Lockdown Wizard.
Apache: Use mod_rewrite to redirect disallowed verbs to the forbidden target, or with newer versions use the configuration option 'TraceEnable off'.
References: CERT VU#867593; CVE-2004-2320
CVSS Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Systems:
  www.yourcompany.co.uk (192.168.0.100) [May 2007]
  www.yourcompany.net (192.168.0.102) [Dec 2007]

Vulnerability 10021: Identd Enabled (2 Systems, Low Risk)
Description: The ident service appears to be running on the remote host. This service provides sensitive information to an attacker, allowing them to enumerate which accounts are running which services.
Solution: Disable this service or restrict it to trusted IP addresses.
References: CVE-1999-0629
Systems:
  dns0.example.com (192.168.0.110) NEW
  www.your_company.fr (192.168.0.105) [May 2007]

Vulnerability 11915: Apache < 1.3.29 Multiple Local Flaws (2 Systems, Low Risk)
Description: This system is running a vulnerable version of Apache, according to its banner. This version contains buffer overruns in mod_alias and mod_rewrite. A local user could exploit these to escalate their privileges.
Solution: Upgrade to an unaffected version, or apply a patch.
References: Bugtraq; CVE-2003-0542
Systems:
  www.example.com (192.168.0.112) NEW
  www.yourcompany.co.uk (192.168.0.100) [Nov 2007]

Vulnerability 10940: Windows Terminal Service Enabled (1 System, Low Risk)
Description: Windows Terminal Services are enabled on the remote host. This allows a remote user to obtain a graphical login, and therefore act as a local user on the remote host. This may be intentional, but it is usual practice to restrict access to this service.
Solution: Use a firewall to restrict access to trusted addresses.
References: CVE-2001-0540
Systems:
  mail.example.com (192.168.0.111) [Nov 2007]

Vulnerability 10114: ICMP Timestamp Request (1 System, Low Risk)
Description: This system responds to ICMP timestamp requests. A remote attacker could use such requests to determine the exact date and time on the system. This information could be used in attacks against time-based authentication protocols.
Solution: Either disable timestamp replies, or filter them at your firewall.
References: CVE-1999-0524
Systems:
  www.your_company.nl (192.168.0.103) [May 2007]

Vulnerability 90001: Holes Detected in Firewall Configuration (1 System, Low Risk)
Description: This system is protected by a firewall. Incoming TCP connections to most ports are blocked; however, some ports were discovered where the firewall allows connections but no service is running. This often indicates a firewall configuration error.
The affected ports are: [For specific url or description click server link below.]
Solution: Reconfigure your firewall to block all ports on which you are not running services.
References: Firewalls FAQ
Systems:
  www.example.com (192.168.0.112) [Nov 2007]

Vulnerability 10766: Apache mod_userdir Information Leak (1 System, Low Risk)
Description: This system has the mod_userdir Apache module enabled. This leaks information about which user accounts exist. A request for a non-existent user will always return a 404 (file not found) code. However, if the user exists then the web server may return a 403 (permission denied) code, depending on the permissions on the user's home directory.
Solution: If you do not need the functionality, disable mod_userdir. Alternatively, mod_rewrite can provide equivalent functionality without the information leak.
References: SecuriTeam advisory; CVE-2001-1013
CVSS Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Systems:
  apollo.example.com (192.168.0.81) [Dec 2007]

Vulnerability 10077: Microsoft FrontPage Extensions Installed (1 System, Low Risk)
Description: This system is running Microsoft FrontPage extensions. These have had a history of insecurity, so you should carefully check that you have the latest patches applied. It is also common for FrontPage extensions to be insecure because they are misconfigured.

[For specific url or description click server link below.]
Solution: If you do not require FrontPage extensions, disable them. If they are required, make sure the latest patches are applied.
References: Microsoft Knowledge Base Q813379; Microsoft Knowledge Base Q813380; Microsoft Security Bulletin MS02-018; CVE-2000-0114
Systems:
  www.your_company.nl (192.168.0.103) [May 2007]

Vulnerability 10056: /doc Directory Browsable (1 System, Low Risk)
Description: The /doc directory is browsable. This lets an attacker know what software is installed on the host, and more importantly what version of the software. This allows an attacker to make more focussed attacks. You can browse the directory at this URL:

[For specific url or description click server link below.]

Solution: Use appropriate access control lists to restrict access to the /doc directory.
References: CVE-1999-0678
Systems:
  mail.example.com (192.168.0.111) [Nov 2007]

Vulnerability 10640: Kerberos PingPong DoS (1 System, Low Risk)
Description: The remote Kerberos server seems to be vulnerable to a pingpong attack. When contacted on the UDP port, this service always responds, even to bogus data. An attacker can cause a denial of service attack by spoofing a packet between two machines running this service. This will cause them to spew data at each other, saturating the network.
Solution: Disable this service in /etc/inetd.conf.
References: CVE-1999-0103
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Systems:
  www.your_company.fr (192.168.0.105) [Dec 2007]

Vulnerability 11229: Script Calling phpinfo() Detected [OVERDUE] (1 System, Low Risk)
Description: This system has a PHP script that calls phpinfo(). This function displays a significant amount of system and configuration information. A remote attacker could use this for reconnaissance. An example of a URL you can use to exploit this is:
[For specific url or description click server link below.]

Solution: Remove this script, or protect it with some kind of authentication.
Deadline: 13 January 2008
CVSS Score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Systems:
  apollo.example.com (192.168.0.81) [Nov 2007]

Scans by Sec52