Linux Report

Nessus Report
Nessus Scan Report

Mon, 06 Jun 2016 12:52:32 NPT
Table Of Contents
Vulnerabilities By Host......................................................................................................... 3
•192.168.0.128.............................................................................................................................................................. 4
Remediations.................................................................................................................... 167
•Suggested Remediations........................................................................................................................................ 168
Vulnerabilities By Host
192.168.0.128
Scan Information
Start time: Mon Jun 6 12:34:47 2016
End time: Mon Jun 6 12:52:31 2016

Host Information
Netbios Name: METASPLOITABLE
IP: 192.168.0.128
MAC Address: 08:00:27:99:57:da
OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

Results Summary
Critical High Medium Low Info Total
17 37 70 8 111 243
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The remote clock is synchronized with the local clock.
12264 - Record Route

Synopsis
Record route
Description
It is possible to obtain the traceroute to the remote host by sending packets with the 'Record Route' option set. It is a
complement to traceroute.
Solution
4
N/A
Risk Factor
None
Plugin Information:
Ports
icmp/0
Here is the route recorded between 192.168.0.122 and 192.168.0.128 :
192.168.0.128
192.168.0.128
0/tcp
33850 - Unsupported Unix Operating System
Synopsis
The remote host is running an operating system that is no longer supported.
Description
According to its version, the remote Unix operating system is no longer supported.
Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is
likely to contain security vulnerabilities.
Solution
Upgrade to a more recent version that is currently supported.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Ports
tcp/0
Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).

Upgrade to Ubuntu 15.10.
For more information, see : https://wiki.ubuntu.com/Releases
12213 - TCP/IP Sequence Prediction Blind Reset Spoofing DoS

Synopsis
It may be possible to send spoofed RST packets to the remote system.
Description
The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to
send spoofed RST packets to the remote host and close established connections. This may cause problems for some
dedicated services (BGP, a VPN over TCP, etc).
See Also
https://downloads.avaya.com/elmodocs2/security/ASA-2006-217.htm
http://www.kb.cert.org/vuls/id/JARL-5ZQR4D
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949
5
http://www.juniper.net/support/security/alerts/niscc-236929.txt
http://technet.microsoft.com/en-us/security/bulletin/ms05-019
http://technet.microsoft.com/en-us/security/bulletin/ms06-064
http://www.kb.cert.org/vuls/id/JARL-5YGQ9G
http://www.kb.cert.org/vuls/id/JARL-5ZQR7H
http://www.kb.cert.org/vuls/id/JARL-5YGQAJ
http://www.nessus.org/u?9a548ae4
http://isc.sans.edu/diary.html?date=2004-04-20
Solution
Contact the vendor for a patch or mitigation advice.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.5 (CVSS2#E:POC/RL:ND/RC:C)
References
BID 10183
CVE CVE-2004-0230
XREF OSVDB:4030
XREF OSVDB:13619
XREF CERT:415294
XREF EDB-ID:276
XREF EDB-ID:291
Plugin Information:
Ports
tcp/0
56283 - Linux Kernel TCP Sequence Number Generation Security Weakness
Synopsis
It may be possible to predict TCP/IP Initial Sequence Numbers for the remote host.
Description
The Linux kernel is prone to a security weakness related to TCP sequence number generation. Attackers can exploit
this issue to inject arbitrary packets into TCP sessions using a brute-force attack.
An attacker may use this vulnerability to create a denial of service condition or a man-in-the-middle attack.
Note that this plugin may fire as a result of a network device (such as a load balancer, VPN, IPS, transparent proxy,
etc.) that is vulnerable and that re-writes TCP sequence numbers, rather than the host itself being vulnerable.
See Also
http://lwn.net/Articles/455135/
http://www.nessus.org/u?9881d9af
6
Solution
Contact the OS vendor for a Linux kernel update / patch.
Risk Factor
Medium
CVSS Base Score
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.9 (CVSS2#E:ND/RL:OF/RC:C)
References
BID 49289
CVE CVE-2011-3188
XREF OSVDB:75716
Plugin Information:
Ports
tcp/0
57608 - SMB Signing Disabled
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct
man-in-the-middle attacks against the SMB server.
See Also
https://support.microsoft.com/en-us/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
http://www.nessus.org/u?a3cac4ea
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network
server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also'
links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#E:U/RL:OF/RC:C)
Plugin Information:
Ports
tcp/0
25220 - TCP/IP Timestamps Supported
Synopsis
7
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be identified from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit Organizationally Unique Identifier (OUI). These OUIs are registered
by IEEE.
See Also
http://standards.ieee.org/faqs/regauth.html
http://www.nessus.org/u?794673b4
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/0
The following card manufacturers were identified :
08:00:27:99:57:da : Cadmus Computer Systems
14788 - IP Protocols Scan

Synopsis
This plugin detects the protocols understood by the remote IP stack.
Description
This plugin detects the protocols understood by the remote IP stack.
See Also
http://www.iana.org/assignments/protocol-numbers
Solution
n/a
Risk Factor
None
Plugin Information:
8
Ports
tcp/0
The following IP protocols are accepted on this host:
1 ICMP
2 IGMP
6 TCP
17 UDP
136 UDPLite
18261 - Apache Banner Linux Distribution Disclosure

Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This plugin extracts the banner of the Apache web server and attempts to determine which Linux distribution the
remote host is running.
Solution
If you do not wish to display this information, edit 'httpd.conf' and set the directive 'ServerTokens Prod' and restart
Apache.
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/0
The Linux distribution detected was :

- Ubuntu 8.04 (gutsy)
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name
of the remote operating system in use. It is also possible sometimes to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/0
Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

Confidence level : 95
Method : SSH
Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to os-signatures@nessus.org. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.
SinFP:
P1:B10113:F0x12:W5840:O0204ffff:M1460:
9
P2:B10113:F0x12:W5792:O0204ffff0402080affffffff4445414401030307:M1460:
P3:B10120:F0x04:W0:O0:M0
P4:6700_7_p=111
SMTP:!:220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
SSLcert:!:i/CN:ubuntu804-base.localdomaini/O:OCOSAi/OU:Office for Complication of Otherwise Simple
Affairss/CN:ubuntu804-base.localdomains/O:OCOSAs/OU:Office for Complication of Otherwise Simple
Affairs
ed093088706603bfd5dc237399b498da2d4d31c6
SSH:SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
45590 - Common Platform Enumeration (CPE)

Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
https://nvd.nist.gov/cpe.cfm
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/0
The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:8.04
Following application CPE's matched on the remote system :
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7

cpe:/a:samba:samba:3.0.20 -> Samba 3.0.20
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:isc:bind:9.4.
54615 - Device Type

Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
10
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
66334 - Patch Report

Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or more security patches. This plugin lists the newest version of each patch to install
to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Ports
tcp/0
. You need to take the following 12 actions :
[ Apache 2.2.x < 2.2.28 Multiple Vulnerabilities (77531) ]
+ Action to take : Upgrade to Apache version 2.2.29 or later.
Note that version 2.2.28 was never officially released.
+ Impact : Taking this action will resolve the following 42 different vulnerabilities :
CVE-2014-0231, CVE-2014-0226, CVE-2014-0118, CVE-2014-0098, CVE-2013-6438
CVE-2009-0023, CVE-2007-6750
[ ISC BIND 9 resolver.c / db.c DNAME Resource Record Signature Handling DoS (89999) ]
+ Action to take : Upgrade to ISC BIND version 9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4 or later.
Note that version 9.9.8-S6 is a preview version of BIND provided exclusively to ISC Support
customers.
CVE-2009-0696
[ ISC BIND 9 sexpr.c / alist.c Control Channel Packet Handling DoS (89998) ]
+ Action to take : Upgrade to ISC BIND version 9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4 or later.
Note that version 9.9.8-S6 is a preview version of BIND provided exclusively to ISC Support
customers.
CVE-2015-5722, CVE-2015-5477, CVE-2014-8680, CVE-2014-8500, CVE-2012-5 [...]
11
19506 - Nessus Scan Information
Synopsis
This plugin displays information about the Nessus scan.
Description
This plugin displays, for each tested host, information about the scan itself :
- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- Whether credentialed or third-party patch management checks are possible.
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/0
Information about this scan :
Nessus version : 6.7.0

Plugin feed version : 201605311930
Scanner edition used : Nessus
Scan type : Normal
Scan policy used : Demo
Scanner IP : 192.168.0.122
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 2
Report verbosity : 2
Safe checks : no
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2016/6/6 12:34 NPT
Scan duration : 1064 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
12
None
Plugin Information:
Ports
udp/0
For your information, here is the traceroute from 192.168.0.122 to 192.168.0.128 :
192.168.0.122
192.168.0.128
21/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Ports
tcp/21
Port 21/tcp was found to be open
22964 - Service Detection

Synopsis
The remote service could be identified.
Description
Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it
receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/21
An FTP server is running on this port.
10092 - FTP Server Detection

Synopsis
An FTP server is listening on a remote port.
Description
It is possible to obtain the banner of the remote FTP server by connecting to a remote port.
Solution
n/a
Risk Factor
13
None
Plugin Information:
Ports
tcp/21
The remote FTP banner is :
220 (vsFTPd 2.3.4)
52703 - vsftpd Detection

Synopsis
An FTP server is listening on the remote port.
Description
The remote host is running vsftpd, an FTP server for UNIX-like systems written in C.
See Also
http://vsftpd.beasts.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/21
Source : 220 (vsFTPd 2.3.4)

Version : 2.3.4
22/tcp
85382 - OpenSSH < 7.0 Multiple Vulnerabilities
Synopsis
The SSH server running on the remote host is affected by multiple vulnerabilities.
Description
According to its banner, the version of OpenSSH running on the remote host is prior to 7.0. It is, therefore, affected by
the following vulnerabilities :
- A flaw exists in the kbdint_next_device() function in file auth2-chall.c that allows the circumvention of MaxAuthTries
during keyboard-interactive authentication.
An attacker can exploit this issue to force the same authentication method to be tried thousands of times in a single
pass by using a crafted keyboard-interactive 'devices' string, thus allowing a brute-force attack or causing a denial of
service. (CVE-2015-5600)
- A security bypass vulnerability exists in sshd related to PAM support. An authenticated, remote attacker can exploit
this to impact the pre-authentication process, allowing the possible execution of arbitrary code. Note that this issue
only affects Portable OpenSSH.
(OSVDB 126030)
- A flaw exists in sshd due to setting insecure world-writable permissions for TTYs. A local attacker can exploit this, by
injecting crafted terminal escape sequences, to execute commands for logged-in users.
(OSVDB 126031)
- A use-after-free error exists in sshd related to PAM support. A remote attacker can exploit this to impact the pre-
authentication process, allowing the possible execution of arbitrary code. Note that this issue only affects Portable
OpenSSH. (OSVDB 126033)
See Also
http://www.openssh.com/txt/release-7.0
Solution
Upgrade to OpenSSH 7.0 or later.
14
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
References
BID 75990
CVE CVE-2015-5600
XREF OSVDB:124938
XREF OSVDB:126030
XREF OSVDB:126031
XREF OSVDB:126033
Plugin Information:
Ports
tcp/22
Version source : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
Installed version : 4.7p1

Fixed version : 7.0

Synopsis
The SSH server running on the remote host is affected by multiple vulnerabilities.
Description
the following vulnerabilities :
- A flaw exists within the x11_open_helper() function in the 'channels.c' file that allows connections to be permitted
after 'ForwardX11Timeout' has expired. A remote attacker can exploit this to bypass timeout checks and XSECURITY
restrictions. (CVE-2015-5352)
- Various issues were addressed by fixing the weakness in agent locking by increasing the failure delay, storing the
salted hash of the password, and using a timing-safe comparison function.
- An out-of-bounds read error exists when handling incorrect pattern lengths. A remote attacker can exploit this to
cause a denial of service or disclose sensitive information in the memory.
- An out-of-bounds read error exists when parsing the 'EscapeChar' configuration option.
See Also
http://www.nessus.org/u?725c4682
Solution
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C)
CVSS Temporal Score
15
References
BID 75525
CVE CVE-2015-5352
XREF OSVDB:124008
XREF OSVDB:124019
Plugin Information:
Ports
tcp/22

Fixed version : 6.9
86328 - SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)

Synopsis
The remote host allows SSH connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.
Description
The remote SSH server allows connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits.
Through cryptanalysis, a third party can find the shared secret in a short amount of time (depending on modulus size
and attacker resources).
This allows an attacker to recover the plaintext or potentially violate the integrity of connections.
See Also
http://weakdh.org/
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Solution
Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 74733
CVE CVE-2015-4000
XREF OSVDB:122331
Plugin Information:
Ports
tcp/22
The SSH server is vulnerable to the Logjam attack because :
It supports diffie-hellman-group1-sha1 key

exchange.
It supports diffie-hellman-group-exchange-sha1
key exchange and allows a moduli smaller than
or equal to 1024.
Note that only an attacker with nation-state level resources
16
can effectively make use of the vulnerability, and only
against sessions where the vulnerable key exchange
algorithms are used.
44079 - OpenSSH < 4.9 'ForceCommand' Directive Bypass

Synopsis
The remote SSH service is affected by a security bypass vulnerability.
Description
According to its banner, the version of OpenSSH installed on the remote host is earlier than 4.9. It may allow a
remote, authenticated user to bypass the 'sshd_config' 'ForceCommand' directive by modifying the '.ssh/rc' session
file.
See Also
http://www.openssh.org/txt/release-4.9
Solution
Upgrade to OpenSSH version 4.9 or later.
Risk Factor
Medium
CVSS Base Score
6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score
References
BID 28531
CVE CVE-2008-1657
XREF OSVDB:43911
XREF CWE:264
Plugin Information:
Ports
tcp/22

Fixed version : 4.9
90022 - OpenSSH < 7.2 Untrusted X11 Forwarding Fallback Security Bypass
Synopsis
The SSH server running on the remote host is affected by a security bypass vulnerability.
Description
a security bypass vulnerability due to a flaw in ssh(1) that is triggered when it falls back from untrusted X11 forwarding
to trusted forwarding when the SECURITY extension is disabled by the X server. This can result in untrusted X11
connections that can be exploited by a remote attacker.
See Also
Solution
Risk Factor
Medium
17
CVSS Base Score
CVSS Temporal Score
References
XREF OSVDB:135128
Plugin Information:
Ports
tcp/22

Fixed version : 7.2
44065 - OpenSSH < 5.2 CBC Plaintext Disclosure

Synopsis
The SSH service running on the remote host has an information disclosure vulnerability.
Description
The version of OpenSSH running on the remote host has an information disclosure vulnerability. A design flaw in the
SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected
connection in the standard configuration. An attacker could exploit this to gain access to sensitive information.
See Also
http://www.nessus.org/u?4984aeb9
http://www.openssh.com/txt/cbc.adv
Solution
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N)
CVSS Temporal Score
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Ports
tcp/22
18

Fixed version : 5.2
90023 - OpenSSH < 7.2p2 X11Forwarding xauth Command Injection

Synopsis
The SSH server running on the remote host is affected by a security bypass vulnerability.
Description
According to its banner, the version of OpenSSH running on the remote host is prior to 7.2p2. It is, therefore, affected
by a security bypass vulnerability due to improper sanitization of X11 authentication credentials. An authenticated,
remote attacker can exploit this, via crafted credentials, to inject arbitrary xauth commands, resulting in gaining read
and write access to arbitrary files, connecting to local ports, or performing further attacks on xauth itself. Note that
exploiting this vulnerability requires X11Forwarding to have been enabled.
See Also
http://www.openssh.com/txt/release-7.2p2
http://www.openssh.com/txt/x11fwd.adv
Solution
Upgrade to OpenSSH version 7.2p2 or later.
Risk Factor
Medium
CVSS Base Score
4.9 (CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N)
CVSS Temporal Score
3.8 (CVSS2#E:POC/RL:OF/RC:C)
References
CVE CVE-2016-3115
XREF OSVDB:135714
XREF EDB-ID:39569
Plugin Information:
Ports
tcp/22

Fixed version : 7.2p2

Synopsis
The SSH server on the remote host has multiple vulnerabilities.
Description
According to its banner, the version of OpenSSH running on the remote host is prior to version 6.6. It is, therefore,
affected by the following vulnerabilities :
- An error exists related to the function 'hash_buffer' in the file 'schnorr.c' that could allow denial of service attacks.
Note that the J-PAKE protocol must be enabled at compile time via the 'CFLAGS' variable '-DJPAKE' in the file
'Makefile.inc' in order for the OpenSSL installation to be vulnerable. This is not enabled by default. Further note that
only versions 5.3 through 6.5.x are affected by this issue. (CVE-2014-1692)
- An error exists related to the 'AcceptEnv' configuration setting in 'sshd_config' and wildcards. An attacker can bypass
environment restrictions by using a specially crafted request. (CVE-2014-2532)
See Also
19
http://www.gossamer-threads.com/lists/openssh/dev/57663#57663
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 65230
BID 66355
CVE CVE-2014-1692
CVE CVE-2014-2532
XREF OSVDB:102611
XREF OSVDB:104578
Plugin Information:
Ports
tcp/22

Fixed version : 6.6
90317 - SSH Weak Algorithms Supported

Synopsis
The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.
Description
Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all.
RFC 4253 advises against using Arcfour due to an issue with weak keys.
See Also
https://tools.ietf.org/html/rfc4253#section-6.3
Solution
Contact the vendor or consult product documentation to remove the weak ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Ports
tcp/22
20
The following weak server-to-client encryption algorithms are supported :
arcfour
arcfour128
arcfour256
The following weak client-to-server encryption algorithms are supported :
arcfour
arcfour128
arcfour256
31737 - OpenSSH X11 Forwarding Session Hijacking

Synopsis
The remote SSH service is prone to an X11 session hijacking vulnerability.
Description
According to its banner, the version of SSH installed on the remote host is older than 5.0. Such versions may
allow a local user to hijack X11 sessions because it improperly binds TCP ports on the local IPv6 interface if the
corresponding ports on the IPv4 interface are in use.
See Also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
Solution
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
References
BID 28444
CVE CVE-2008-1483
CVE CVE-2008-3234
XREF OSVDB:43745
XREF OSVDB:48791
XREF Secunia:29522
XREF CWE:264
Plugin Information:
Ports
tcp/22
The remote OpenSSH server returned the following banner :
SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
67140 - OpenSSH LoginGraceTime / MaxStartups DoS

Synopsis
21
The remote SSH service is susceptible to a remote denial of service attack.
Description
According to its banner, a version of OpenSSH earlier than version 6.2 is listening on this port. The default
configuration of OpenSSH installs before 6.2 could allow a remote attacker to bypass the LoginGraceTime and
MaxStartups thresholds by periodically making a large number of new TCP connections and thereby prevent
legitimate users from gaining access to the service.
Note that this plugin has not tried to exploit the issue or detect whether the remote service uses a vulnerable
configuration. Instead, it has simply checked the version of OpenSSH running on the remote host.
See Also
http://www.openwall.com/lists/oss-security/2013/02/06/5
http://openssh.org/txt/release-6.2
http://tools.cisco.com/security/center/viewAlert.x?alertId=28883
Solution
Upgrade to OpenSSH 6.2 and review the associated server configuration settings.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 58162
CVE CVE-2010-5107
XREF OSVDB:90007
Plugin Information:
Ports
tcp/22

Fixed version : 6.2

Synopsis
The remote SSH service may be affected by multiple vulnerabilities.
Description
According to its banner, the version of OpenSSH running on the remote host is earlier than 5.7. Versions before 5.7
may be affected by the following vulnerabilities :
- A security bypass vulnerability because OpenSSH does not properly validate the public parameters in the J-PAKE
protocol. This could allow an attacker to authenticate without the shared secret. Note that this issue is only exploitable
when OpenSSH is built with J-PAKE support, which is currently experimental and disabled by default, and that Nessus
has not checked whether J-PAKE support is indeed enabled. (CVE-2010-4478)
- The auth_parse_options function in auth-options.c in sshd provides debug messages containing authorized_keys
command options, which allows remote, authenticated users to obtain potentially sensitive information by reading
these messages. (CVE-2012-0814)
See Also
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
22
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/jpake.c#rev1.5
http://www.nessus.org/u?3f1722f0
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 45304
BID 51702
CVE CVE-2010-4478
CVE CVE-2012-0814
XREF OSVDB:69658
XREF OSVDB:78706
Plugin Information:
Ports
tcp/22

Fixed version : 5.7
53841 - Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information
Disclosure
Synopsis
Local attackers may be able to access sensitive information.
Description
According to its banner, the version of OpenSSH running on the remote host is earlier than 5.8p2. Such versions may
be affected by a local information disclosure vulnerability that could allow the contents of the host's private key to
be accessible by locally tracing the execution of the ssh-keysign utility. Having the host's private key may allow the
impersonation of the host.
Note that installations are only vulnerable if ssh-rand-helper was enabled during the build process, which is not the
case for *BSD, OS X, Cygwin and Linux.
See Also
http://www.openssh.com/txt/portable-keysign-rand-helper.adv
http://www.openssh.com/txt/release-5.8p2
Solution
Upgrade to Portable OpenSSH 5.8p2 or later.
Risk Factor
Low
CVSS Base Score
23
2.1 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
References
BID 47691
CVE CVE-2011-4327
XREF OSVDB:72183
XREF Secunia:44347
Plugin Information:
Ports
tcp/22

Fixed version : 5.8p2
44080 - OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking

Synopsis
The remote SSH service may be affected by an X11 forwarding port hijacking vulnerability.
Description
According to its banner, the version of SSH installed on the remote host is older than 5.1 and may allow a local user to
hijack the X11 forwarding port. The application improperly sets the 'SO_REUSEADDR'
socket option when the 'X11UseLocalhost' configuration option is disabled.
Note that most operating systems, when attempting to bind to a port that has previously been bound with the
'SO_REUSEADDR' option, will check that either the effective user-id matches the previous bind (common BSD-
derived systems) or that the bind addresses do not overlap (Linux and Solaris). This is not the case with other
operating systems such as HP-UX.
See Also
Solution
Risk Factor
Low
CVSS Base Score
1.2 (CVSS2#AV:L/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
References
BID 30339
CVE CVE-2008-3259
XREF OSVDB:47227
XREF CWE:200
Plugin Information:
Ports
24
tcp/22

Fixed version : 5.1
71049 - SSH Weak MAC Algorithms Enabled

Synopsis
The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.
Description
The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered
weak.
Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Ports
tcp/22
The following client-to-server Message Authentication Code (MAC) algorithms

are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96
The following server-to-client Message Authentication Code (MAC) algorithms

are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled

Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to
recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or
GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
CVSS Temporal Score
25
2.6 (CVSS2#E:ND/RL:ND/RC:ND)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Ports
tcp/22
The following client-to-server Cipher Block Chaining (CBC) algorithms

are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
The following server-to-client Cipher Block Chaining (CBC) algorithms

are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc

Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/22

Synopsis
26
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information

Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/22
SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
10881 - SSH Protocol Versions Supported

Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/22
The remote SSH daemon supports the following versions of the
SSH protocol :
- 1.99
- 2.0
70657 - SSH Algorithms and Languages Supported

Synopsis
27
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting
communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/22
Nessus negotiated the following encryption algorithm with the server : aes128-cbc
The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
The server supports the following options for server_host_key_algorithms :
ssh-dss
ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
The server supports the following options for encryption_algorithms_server_to_client :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
28
umac-64@openssh.com
The server supports the following options for mac_algorithms_server_to_client :
hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com
The server supports the following options for compression_algorithms_client_to_server :
none
zlib@openssh.com
The server supports the following options for compression_algorithms_server_to_client :
none
zlib@openssh.com
23/tcp
42263 - Unencrypted Telnet Server
Synopsis
The remote Telnet server transmits traffic in cleartext.
Description
The remote host is running a Telnet server over an unencrypted channel.
Using Telnet over an unencrypted channel is not recommended as logins, passwords, and commands are transferred
in cleartext. This allows a remote, man-in-the-middle attacker to eavesdrop on a Telnet session to obtain credentials
or other sensitive information and to modify traffic exchanged between a client and server.
SSH is preferred over Telnet since it protects credentials from eavesdropping and can tunnel additional data streams
such as an X11 session.
Solution
Disable the Telnet service and use SSH instead.
Risk Factor
Medium
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)
Plugin Information:
Ports
tcp/23
Nessus collected the following banner from the remote Telnet server :
------------------------------ snip ------------------------------

_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login:
------------------------------ snip ------------------------------
29
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/23

Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/23
A telnet server is running on this port.
10281 - Telnet Server Detection

Synopsis
A Telnet server is listening on the remote port.
Description
The remote host is running a Telnet server, a remote terminal server.
Solution
Disable this service if you do not use it.
Risk Factor
None
Plugin Information:
Ports
tcp/23
Here is the banner from the remote Telnet server :
------------------------------ snip ------------------------------

_ _ _ _ _ _ ____
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
30
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | | __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | | __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
|_|
Warning: Never expose this VM to an untrusted network!
Contact: msfdev[at]metasploit.com
Login with msfadmin/msfadmin to get started
metasploitable login:
------------------------------ snip ------------------------------
25/tcp
32321 - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness (SSL check)
Synopsis
The remote SSL certificate uses a weak key.
Description
The remote x509 certificate on the remote SSL server has been generated on a Debian or Ubuntu system which
contains a bug in the random number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use this to decipher the remote session or set up
a man in the middle attack.
See Also
http://www.nessus.org/u?5d01bdab
http://www.nessus.org/u?f14f4224
Solution
Consider all cryptographic material generated on the remote host to be guessable. In particuliar, all SSH, SSL and
OpenVPN key material should be re-generated.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
8.3 (CVSS2#E:F/RL:OF/RC:C)
References
BID 29179
CVE CVE-2008-0166
XREF OSVDB:45029
XREF OSVDB:45503
XREF CWE:310
Exploitable with
Core Impact (true)
Plugin Information:
Ports
tcp/25
74326 - OpenSSL 'ChangeCipherSpec' MiTM Potential Vulnerability
Synopsis
31
The remote host is potentially affected by a vulnerability that could allow sensitive data to be decrypted.
Description
The OpenSSL service on the remote host is potentially vulnerable to a man-in-the-middle (MiTM) attack, based on its
response to two consecutive 'ChangeCipherSpec' messages during the incorrect phase of an SSL/TLS handshake.
This flaw could allow a MiTM attacker to decrypt or forge SSL messages by telling the service to begin encrypted
communications before key material has been exchanged, which causes predictable keys to be used to secure future
traffic.
OpenSSL 1.0.1 is known to be exploitable. OpenSSL 0.9.8 and 1.0.0 are not known to be vulnerable; however, the
OpenSSL team has advised that users of these older versions upgrade as a precaution. This plugin detects and
reports all versions of OpenSSL that are potentially exploitable.
Note that Nessus has only tested for an SSL/TLS MiTM vulnerability (CVE-2014-0224). However, Nessus has inferred
that the OpenSSL service on the remote host is also affected by six additional vulnerabilities that were disclosed in
OpenSSL's June 5th, 2014 security advisory :
- An error exists in the 'ssl3_read_bytes' function that permits data to be injected into other sessions or allows
denial of service attacks. Note that this issue is exploitable only if SSL_MODE_RELEASE_BUFFERS is enabled.
(CVE-2010-5298)
- An error exists related to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that allows
nonce disclosure via the 'FLUSH+RELOAD' cache side-channel attack. (CVE-2014-0076)
- A buffer overflow error exists related to invalid DTLS fragment handling that permits the execution of arbitrary code
or allows denial of service attacks.
Note that this issue only affects OpenSSL when used as a DTLS client or server. (CVE-2014-0195)
- An error exists in the 'do_ssl3_write' function that permits a NULL pointer to be dereferenced, which could allow
denial of service attacks. Note that this issue is exploitable only if SSL_MODE_RELEASE_BUFFERS is enabled.
(CVE-2014-0198)
- An error exists related to DTLS handshake handling that could allow denial of service attacks. Note that this issue
only affects OpenSSL when used as a DTLS client.
(CVE-2014-0221)
- An error exists in the 'dtls1_get_message_fragment'
function related to anonymous ECDH cipher suites. This could allow denial of service attacks. Note that this issue only
affects OpenSSL TLS clients. (CVE-2014-3470)
OpenSSL did not release individual patches for these vulnerabilities, instead they were all patched under a single
version release. Note that the service will remain vulnerable after patching until the service or host is restarted.
See Also
http://www.nessus.org/u?d5709faa
https://www.imperialviolet.org/2014/06/05/earlyccs.html
https://www.openssl.org/news/secadv/20140605.txt
Solution
OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users
(client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade
to 1.0.1h.
Risk Factor
High
CVSS Base Score
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
References
BID 66363
BID 66801
BID 67193
BID 67898
BID 67899
32
BID 67900
BID 67901
CVE CVE-2010-5298
CVE CVE-2014-0076
CVE CVE-2014-0195
CVE CVE-2014-0198
CVE CVE-2014-0221
CVE CVE-2014-0224
CVE CVE-2014-3470
XREF OSVDB:104810
XREF OSVDB:105763
XREF OSVDB:106531
XREF OSVDB:107729
XREF OSVDB:107730
XREF OSVDB:107731
XREF OSVDB:107732
XREF CERT:978508
Exploitable with
Core Impact (true)
Plugin Information:
Ports
tcp/25
The remote service accepted two consecutive ChangeCipherSpec messages at an incorrect point in
the
handshake, without closing the connection or sending an SSL alert. This behavior indicates that
the
service is vulnerable; however, this could also be the result of network interference.
15901 - SSL Certificate Expiry

Synopsis
The remote server's SSL certificate has already expired.
Description
This plugin checks expiry dates of certificates associated with SSL- enabled services on the target and reports
whether any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Risk Factor
Medium
CVSS Base Score
33
Plugin Information:
Ports
tcp/25
The SSL certificate has already expired :
Subject : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA,

OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain,
emailAddress=root@ubuntu804-base.localdomain
Issuer : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA,
OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain,
emailAddress=root@ubuntu804-base.localdomain
Not valid before : Mar 17 14:07:45 2010 GMT
Not valid after : Apr 16 14:07:45 2010 GMT
51192 - SSL Certificate Cannot Be Trusted

Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can
occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.
First, the top of the certificate chain sent by the server might not be descended from a known public certificate
authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when
intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate
authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either
when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not
be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer.
Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus
either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the
authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the
remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Ports
tcp/25
The following certificate was part of the certificate chain

sent by the remote host, but has expired :
|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for

Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
|-Not After : Apr 16 14:07:45 2010 GMT
The following certificate was at the top of the certificate

chain sent by the remote host, but is signed by an unknown
certificate authority :
34
base.localdomain
|-Issuer : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
base.localdomain
57582 - SSL Self-Signed Certificate

Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a
public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against
the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed
by an unrecognized certificate authority.
Solution
Risk Factor
Medium
CVSS Base Score
Plugin Information:
Ports
tcp/25
The following certificate was found at the top of the certificate

chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

base.localdomain
58751 - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability

(BEAST)
Synopsis
It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
Description
A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted
traffic served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
This plugin tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite and then
solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.
OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS'
option is specified when OpenSSL is initialized.
Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.
Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may
not be, depending on whether or not a countermeasure has been enabled.
Note that this plugin detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not
detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet browser). The detection
at server-side does not necessarily mean your server is vulnerable to the BEAST attack, because the attack exploits
the vulnerability at the client-side, and both SSL/TLS clients and servers can independently employ the split record
countermeasure.
See Also
http://www.openssl.org/~bodo/tls-cbc.txt
35
https://www.imperialviolet.org/2011/09/23/chromeandbeast.html
http://vnhacker.blogspot.com/2011/09/beast.html
https://technet.microsoft.com/library/security/ms12-006
https://support.microsoft.com/en-us/kb/2643584
http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-beast.aspx
Solution
Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
Note that additional configuration may be required after the installation of the MS12-006 security update in order to
enable the split-record countermeasure. See Microsoft KB2643584 for details.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
STIG Severity
I
References
BID 49778
CVE CVE-2011-3389
XREF OSVDB:74829
XREF CERT:864643
XREF MSFT:MS12-006
XREF IAVB:2012-B-0006
Plugin Information:
Ports
tcp/25
Negotiated cipher suite: AES256-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES-CBC(256)|Mac=SHA1
45411 - SSL Certificate with Wrong Hostname

Synopsis
The SSL certificate for this service is for a different host.
Description
The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Solution
Risk Factor
Medium
CVSS Base Score
36
Plugin Information:
Ports
tcp/25
The identities known by Nessus are :
192.168.0.128
192.168.0.128
The Common Name in the certificate is :
ubuntu804-base.localdomain
52611 - SMTP Service STARTTLS Plaintext Command Injection

Synopsis
The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.
Description
The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote,
unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the
ciphertext protocol phase.
Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication
and Security Layer) credentials.
See Also
http://tools.ietf.org/html/rfc2487
http://www.securityfocus.com/archive/1/516901/30/0/threaded
Solution
Contact the vendor to see if an update is available.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
References
BID 46767
CVE CVE-2011-0411
CVE CVE-2011-1430
CVE CVE-2011-1431
CVE CVE-2011-1432
CVE CVE-2011-1506
CVE CVE-2011-2165
XREF OSVDB:71020
XREF OSVDB:71021
XREF OSVDB:71854
XREF OSVDB:71946
37
XREF OSVDB:73251
XREF OSVDB:75014
XREF OSVDB:75256
XREF CERT:555316
Plugin Information:
Ports
tcp/25
Nessus sent the following two commands in a single packet :
STARTTLS\r\nRSET\r\n
And the server sent the following two responses :
220 2.0.0 Ready to start TLS

250 2.0.0 Ok
11270 - Multiple Anti-Virus SMTP Message Long Line Parsing DoS

Synopsis
The remote SMTP server is vulnerable to denial of service.
Description
Some antivirus scanners die when they process an email with a long string without line breaks.
Such a message was sent. If there is an antivirus on your MTA, it might have crashed. Please check its status right
now, as it is not possible to do it remotely
Solution
This plugin tests for a generic condition. It may be remedied by upgrading, reconfiguring, or changing your email
antivirus solution.
Risk Factor
Medium
CVSS Base Score
Plugin Information:
Ports
tcp/25
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
38
tcp/25

Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/25
An SMTP server is running on this port.
11421 - smtpscan SMTP Fingerprinting

Synopsis
It is possible to fingerprint the remote mail server.
Description
smtpscan is a SMTP fingerprinting tool written by Julien Bordet. It identifies the remote mail server even if the banners
were changed.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/25
This server could be fingerprinted as :
Postfix 2.0.3
Postfix 2.6.5-3 (Ubuntu Karmic)
10263 - SMTP Server Detection

Synopsis
An SMTP server is listening on the remote port.
Description
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Risk Factor
None
Plugin Information:
39
Ports
tcp/25
Remote SMTP server banner :
220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
42088 - SMTP Service STARTTLS Command Support

Synopsis
The remote mail service supports encrypting traffic.
Description
The remote SMTP service supports the use of the 'STARTTLS' command to switch from a cleartext to an encrypted
communications channel.
See Also
http://en.wikipedia.org/wiki/STARTTLS
http://tools.ietf.org/html/rfc2487
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/25
Here is the SMTP service's SSL certificate that Nessus was able to
collect after sending a 'STARTTLS' command :
------------------------------ snip ------------------------------

Subject Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain
Issuer Name:
Country: XX
Organization: OCOSA
Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT

Not Valid After: Apr 16 14:07:45 2010 GMT
Public Key Info:
Algorithm: RSA Encryption

Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9
40
7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24
73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B
D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF
8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E
98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97
00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01
Signature Length: 128 bytes / 1024 bits

Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A
0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F
1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49
68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68
83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53
A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C
15 6E 8D 30 38 F6 CA 2E 75
------------------------------ snip --------- [...]
56984 - SSL / TLS Versions Supported

Synopsis
The remote service encrypts communications.
Description
This plugin detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/25
This port supports SSLv2/SSLv3/TLSv1.0.
10863 - SSL Certificate Information

Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/25
Subject Name:
Country: XX
Organization: OCOSA
Issuer Name:
41
Country: XX
Organization: OCOSA
Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT

Not Valid After: Apr 16 14:07:45 2010 GMT
Public Key Info:
Algorithm: RSA Encryption

Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9
7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24
73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B
D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF
8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E
98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97
00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01
Signature Length: 128 bytes / 1024 bits

Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A
0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F
1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49
68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68
83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53
A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C
15 6E 8D 30 38 F6 CA 2E 75
Fingerprints :
SHA-256 Fingerprint: E7 A7 FA 0D 63 E4 57 C7 C4 A5 9B 38 B7 08 49 C6 A7 0B DA 6F
83 0C 7A F1 E3 2D EE 43 6D E8 13 CC
SHA-1 Fingerprint: ED 09 30 88 70 66 03 BF D5 DC 23 73 99 B4 98 DA 2D [...]
50845 - OpenSSL Detection

Synopsis
The remote service appears to use OpenSSL to encrypt traffic.
Description
Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote
service is using the OpenSSL library to encrypt traffic.
Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC
4366).
See Also
http://www.openssl.org
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/25
45410 - SSL Certificate commonName Mismatch
Synopsis
42
The SSL certificate commonName does not match the host name.
Description
This service presents an SSL certificate for which the 'commonName'
(CN) does not match the host name on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS host name that
matches the common name in the certificate.
Risk Factor
None
Plugin Information:
Ports
tcp/25
The host name known by Nessus is :
metasploitable
The Common Name in the certificate is :
ubuntu804-base.localdomain
53/tcp
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/53
11002 - DNS Server Detection

Synopsis
A DNS server is listening on the remote host.
Description
The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP
addresses.
See Also
http://en.wikipedia.org/wiki/Domain_Name_System
Solution
Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.
Risk Factor
None
43
Plugin Information:
Ports
tcp/53
72779 - DNS Server Version Detection
Synopsis
Nessus was able to obtain version information on the remote DNS server.
Description
Nessus was able to obtain version information by sending a special TXT record query to the remote host.
Note that this version is not necessarily accurate and could even be forged, as some DNS servers send the
information based on a configuration file.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/53
DNS server answer for "version.bind" (over TCP) :
9.4.2
53/udp
86072 - ISC BIND Unsupported Version Detection
Synopsis
The remote host is running an unsupported version of ISC BIND.
Description
According to its self-reported version number, the installation of ISC BIND running on the remote name server is 9.8.x
or earlier. It is, therefore, no longer supported.
Solution
Upgrade to a version of ISC BIND that is currently supported.
Risk Factor
Critical
CVSS Base Score
Plugin Information:
Ports
udp/53
Installed version : 9.4.2

Fixed version : 9.9.8 or higher
End of Support URL: https://www.isc.org/downloads/
33447 - Multiple Vendor DNS Query ID Field Prediction Cache Poisoning

Synopsis
The remote name resolver (or the server it uses upstream) may be vulnerable to DNS cache poisoning.
Description
The remote DNS resolver does not use random ports when making queries to third-party DNS servers.
44
This problem might be exploited by an attacker to poison the remote DNS server more easily, and therefore, divert
legitimate traffic to arbitrary sites.
Solution
Contact your DNS server vendor for a patch
Risk Factor
High
CVSS Base Score
9.4 (CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C)
CVSS Temporal Score
8.9 (CVSS2#E:F/RL:ND/RC:ND)
STIG Severity
I
References
BID 30131
CVE CVE-2008-1447
XREF OSVDB:46776
XREF OSVDB:46777
XREF OSVDB:46786
XREF OSVDB:46836
XREF OSVDB:46837
XREF OSVDB:46916
XREF OSVDB:47232
XREF OSVDB:47233
XREF OSVDB:47510
XREF OSVDB:47546
XREF OSVDB:47588
XREF OSVDB:47660
XREF OSVDB:47916
XREF OSVDB:47926
XREF OSVDB:47927
XREF OSVDB:48186
XREF OSVDB:48244
XREF OSVDB:48256
XREF OSVDB:53530
XREF OSVDB:53917
XREF CERT:800113
45
XREF IAVA:2008-A-0045
Plugin Information:
Ports
udp/53
The remote DNS server uses non-random ports for its

DNS requests. An attacker may spoof DNS responses.
List of used ports:
+ DNS Server: 49.204.47.126

|- Port: 40742
|- Port: 40742
|- Port: 40742
|- Port: 40742
88385 - ISC BIND 9.3.0 < 9.9.8-P3 / 9.9.x-Sx < 9.9.8-S4 / 9.10.x < 9.10.3-P3 Multiple DoS
Synopsis
The remote name server is affected by multiple denial of service vulnerabilities.
Description
According to its self-reported version number, the installation of ISC BIND running on the remote name server is
affected by multiple denial of service vulnerabilities :
- A denial of service vulnerability exists due to improper handling of certain string formatting options. An authenticated,
remote attacker can exploit this, via a malformed Address Prefix List (APL) record, to cause an INSIST assertion
failure and daemon exist.
(CVE-2015-8704)
- A denial of service vulnerability exists due to a failure to properly convert OPT records and ECS options to formatted
text. A remote attacker can exploit this to cause a REQUIRE assertion failure and daemon exit.
Note that this issue only affects BIND 9.10.x.
(CVE-2015-8705)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.
See Also
https://kb.isc.org/article/AA-01335
Solution
Upgrade to BIND version 9.9.8-P3 / 9.9.8-S4 / 9.10.3-P3 or later.
Risk Factor
Medium
CVSS Base Score
6.8 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C)
CVSS Temporal Score
References
CVE CVE-2015-8704
CVE CVE-2015-8705
XREF OSVDB:133380
XREF OSVDB:133381
Plugin Information:
Ports
46
udp/53

Fixed version : 9.9.8-P3
79861 - ISC BIND 9 Multiple DoS Vulnerabilities

Synopsis
Description
According to its self-reported version number, the remote installation of BIND is affected by multiple denial of service
vulnerabilities :
- A flaw exists within the Domain Name Service due to an error in the code used to follow delegations. A remote
attacker, with a maliciously-constructed zone or query, could potentially cause the service to issue unlimited queries
leading to resource exhaustion. (CVE-2014-8500)
- Multiple flaws exist with the GeoIP feature. These flaws could allow a remote attacker to cause a denial of service.
Note these issues only affect the 9.10.x branch. (CVE-2014-8680)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.
See Also
https://kb.isc.org/article/AA-01216/
http://www.nessus.org/u?92718697
http://www.nessus.org/u?9f54d158
Solution
Upgrade to BIND version 9.9.6-P1 / 9.10.1-P1 or later.
Risk Factor
High
CVSS Base Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score
References
BID 71590
BID 73191
CVE CVE-2014-8500
CVE CVE-2014-8680
XREF OSVDB:115524
XREF OSVDB:115596
Plugin Information:
Ports
udp/53

59446 - ISC BIND 9 Zero-Length RDATA Section Denial of Service / Information Disclosure
Synopsis
47
The remote name server may be affected by a denial of service / information disclosure vulnerability.
Description
According to its self-reported version number, the remote installation of BIND does not properly handle resource
records with a zero-length RDATA section, which may lead to unexpected outcomes, such as crashes of the affected
server, disclosure of portions of memory, corrupted zone data, or other problems.
Note that Nessus has only relied on the version itself and has not attempted to determine whether or not the install is
actually affected.
See Also
http://ftp.isc.org/isc/bind9/9.6-ESV-R7-P1/CHANGES
http://ftp.isc.org/isc/bind9/9.7.6-P1/CHANGES
https://www.isc.org/software/bind/advisories/cve-2012-1667
Solution
Upgrade to BIND 9.6-ESV-R7-P1 / 9.7.6-P1 / 9.8.3-P1 / 9.9.1-P1 or later.
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C)
CVSS Temporal Score
References
BID 53772
CVE CVE-2012-1667
XREF OSVDB:82609
XREF CERT:381699
Plugin Information:
Ports
udp/53

Fixed version : 9.6-ESV-R7-P1
89999 - ISC BIND 9 resolver.c / db.c DNAME Resource Record Signature Handling DoS
Synopsis
The remote name server is affected by a denial of service vulnerability.
Description
According to its self-reported version number, ISC BIND installed on the remote name server is affected by a denial
of service vulnerability in files resolver.c and db.c when handling DNAME resource signatures. An unauthenticated,
remote attacker can exploit this, via a crafted query that generates a response containing a signature record, to cause
an assertion failure and daemon exit.
number.
See Also
48
Solution
Upgrade to ISC BIND version 9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4 or later.
Note that version 9.9.8-S6 is a preview version of BIND provided exclusively to ISC Support customers.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
STIG Severity
I
References
CVE CVE-2016-1286
XREF OSVDB:135664
Plugin Information:
Ports
udp/53

Fixed version : 9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4
89998 - ISC BIND 9 sexpr.c / alist.c Control Channel Packet Handling DoS
Synopsis
Description
According to its self-reported version number, ISC BIND installed on the remote name server is affected by a denial
of service vulnerability in files sexpr.c and alist.c when handling control channel packets. An unauthenticated, remote
attacker can exploit this, via crafted packets sent to the control channel (rndc) interface, to cause an assertion failure
and daemon exit.
number.
See Also
Solution
Upgrade to ISC BIND version 9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4 or later.
Note that version 9.9.8-S6 is a preview version of BIND provided exclusively to ISC Support customers.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
49
STIG Severity
I
References
CVE CVE-2016-1285
XREF OSVDB:135663
Plugin Information:
Ports
udp/53

60120 - ISC BIND 9 Multiple Denial of Service Vulnerabilities

Synopsis
The remote name server may be affected by multiple denial of service vulnerabilities.
Description
According to its self-reported version number, the remote installation of BIND is affected by multiple denial of service
vulnerabilities :
- Under a heavy query load, the application may use uninitialized data structures related to failed query cache access.
This error can cause the application to crash. Note this issue only affects the application when DNSSEC validation is
enabled. (CVE-2012-3817)
- Under a heavy, incoming TCP query load, the application can be affected by a memory leak that can lead to
decreased performance and application termination on systems that kill processes that are out of memory.
(CVE-2012-3868)
Note that Nessus has only relied on the version itself and has not attempted to determine whether or not the install is
actually affected.
See Also
Solution
Upgrade to BIND 9.6-ESV-R7-P2 / 9.7.6-P2 / 9.8.3-P2 / 9.9.1-P2 or later.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 54658
BID 54659
50
CVE CVE-2012-3817
CVE CVE-2012-3868
XREF OSVDB:84228
XREF OSVDB:84229
Plugin Information:
Ports
udp/53

85896 - ISC BIND 9.0.x < 9.9.7-P3 / 9.10.x < 9.10.2-P4 Multiple DoS
Synopsis
Description
According to its self-reported version number, the installation of ISC BIND running on the remote name server is
potentially affected by the following vulnerabilities :
- A denial of service vulnerability exists due to an assertion flaw that is triggered when parsing malformed DNSSEC
keys. An unauthenticated, remote attacker can exploit this, via a specially crafted query to a zone containing such a
key, to cause a validating resolver to exit. (CVE-2015-5722)
- A denial of service vulnerability exists in the fromwire_openpgpkey() function in openpgpkey_61.c that is triggered
when the length of data is less than 1. An unauthenticated, remote attacker can exploit this, via a specially crafted
response to a query, to cause an assertion failure that terminates named. (CVE-2015-5986)
number.
See Also
Solution
Upgrade to BIND version 9.9.7-P3 / 9.10.2-P4 or later.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
6.4 (CVSS2#E:F/RL:OF/RC:ND)
References
CVE CVE-2015-5722
CVE CVE-2015-5986
XREF OSVDB:126995
XREF OSVDB:126997
Plugin Information:
Ports
udp/53
51
85241 - ISC BIND 9.7.x < 9.9.7-P2 / 9.10.x < 9.10.2-P3 TKEY Query Handling Remote DoS
Synopsis
Description
According to its self-reported version number, the installation of ISC BIND on the remote name server is potentially
affected by a denial of service vulnerability due to a REQUIRE assertion flaw that occurs while handling TKEY
queries. A remote attacker can exploit this by using a specially crafted TKEY query to crash the daemon.
number.
See Also
Solution
Upgrade to BIND version 9.9.7-P2 / 9.10.2-P3 or later, or apply the patch referenced in the advisory.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
CVE CVE-2015-5477
XREF OSVDB:125438
XREF EDB-ID:37721
Exploitable with
Core Impact (true)
Plugin Information:
Ports
udp/53

35450 - DNS Server Spoofed Request Amplification DDoS

Synopsis
The remote DNS server could be used in a distributed denial of service attack.
Description
The remote DNS server answers to any request. It is possible to query the name servers (NS) of the root zone ('.')
and get an answer that is bigger than the original request. By spoofing the source IP address, a remote attacker can
leverage this 'amplification' to launch a denial of service attack against a third-party host using the remote DNS server.
See Also
https://isc.sans.edu/diary/DNS+queries+for+/5713
Solution
52
Restrict access to your DNS server from public network or reconfigure it to reject such queries.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
CVE CVE-2006-0987
XREF OSVDB:25895
Plugin Information:
Ports
udp/53
The DNS query was 17 bytes long, the answer is 228 bytes long.
12217 - DNS Server Cache Snooping Remote Information Disclosure

Synopsis
The remote DNS server is vulnerable to cache snooping attacks.
Description
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and
therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial
institution, they would be able to use this attack to build a statistical model regarding company usage of that financial
institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers,
and more.
Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal
network. This may include employees, consultants and potentially users on a guest network or WiFi connection if
supported.
See Also
http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf
Solution
Contact the vendor of the DNS software for a fix.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Plugin Information:
Ports
udp/53
Nessus sent a non-recursive query for example.com

and received 1 answer :
93.184.216.34
62355 - ISC BIND Cache Update Policy Deleted Domain Name Resolving Weakness
Synopsis
The remote name server may be affected by a DNS integrity vulnerability.
53
Description
According to its self-reported version number, the remote installation of BIND will continue to allow revoked domain
names to be resolved due to an issue related to the cache update policy. Note that Nessus has only relied on the
version itself and has not attempted to determine whether or not the install is actually affected.
See Also
http://www.nessus.org/u?38f47769
https://www.isc.org/software/bind/advisories/cve-2012-1033
http://ftp.isc.org/isc/bind9/9.6-ESV-R6/CHANGES
http://ftp.isc.org/isc/bind9/9.7.5/CHANGES
Solution
Upgrade to BIND 9.6-ESV-R6 / 9.7.5 / 9.8.2 / 9.9.0 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 51898
CVE CVE-2012-1033
XREF OSVDB:78916
XREF CERT:542123
Plugin Information:
Ports
udp/53

Fixed version : 9.6-ESV-R6
87502 - ISC BIND 9.x < 9.9.8-P2 / 9.10.x < 9.10.3-P2 Response Parsing Class Attribute Handling DoS
Synopsis
Description
According to its self-reported version number, the remote installation of BIND is affected by a denial of service
vulnerability due to improper parsing of incorrect class attributes in db.c. An unauthenticated, remote attacker can
exploit this, via a malformed class attribute, to trigger a REQUIRE assertion failure, resulting in a denial of service
condition.
number.
See Also
http://www.nessus.org/u?06404c1c
54
Solution
Upgrade to BIND version 9.9.8-P2 / 9.9.8-S3 / 9.10.3-P2 or later.
Note that 9.9.8-S3 is a preview version of BIND provided exclusively to ISC Support customers.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 79349
CVE CVE-2015-8000
XREF OSVDB:131837
Plugin Information:
Ports
udp/53

62119 - ISC BIND Assertion Error Resource Record RDATA Query Parsing Remote DoS
Synopsis
The remote name server may be affected by a denial of service vulnerability.
Description
According to its self-reported version number, the remote installation of BIND will exit with an assertion failure if a
resource record with RDATA in excess of 65535 bytes is loaded and then subsequently queried. Note that Nessus
has only relied on the version itself and has not attempted to determine whether or not the install is actually affected.
See Also
https://kb.isc.org/article/AA-00778/74
Solution
Upgrade to BIND 9.6-ESV-R7-P3 / 9.6-ESV-R8 / 9.7.6-P3 / 9.7.7 / 9.8.3-P3 / 9.8.4 / 9.9.1-P3 / 9.9.2 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 55522
55
CVE CVE-2012-4244
XREF OSVDB:85417
Plugin Information:
Ports
udp/53

40422 - ISC BIND Dynamic Update Message Handling Remote DoS

Synopsis
Description
The version of BIND installed on the remote host suggests that it suffers from a denial of service vulnerability, which
may be triggered by sending a malicious dynamic update message to a zone for which the server is the master, even
if that server is not configured to allow dynamic updates.
Note that Nessus obtained the version by sending a special DNS request for the text 'version.bind' in the domain
'chaos', the value of which can be and sometimes is tweaked by DNS administrators.
See Also
https://www.isc.org/node/474
Solution
Upgrade to BIND 9.4.3-P3 / 9.5.1-P3 / 9.6.1-P3 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 35848
CVE CVE-2009-0696
XREF OSVDB:56584
XREF CERT:725188
XREF CWE:16
Exploitable with
Core Impact (true)
Plugin Information:
Ports
udp/53
62562 - ISC BIND 9 DNS RDATA Handling DoS
Synopsis
Description
56
According to its self-reported version number, the remote installation of BIND can become locked up if certain
combinations of RDATA are loaded into the server. Note that Nessus has only relied on the version itself and has not
attempted to determine whether or not the install is actually affected.
See Also
Solution
Upgrade to BIND 9.6-ESV-R7-P4 / 9.6-ESV-R8 / 9.7.6-P4 / 9.7.7 / 9.8.3-P4 / 9.8.4 / 9.9.1-P4 / 9.9.2 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 55852
CVE CVE-2012-5166
XREF OSVDB:86118
Plugin Information:
Ports
udp/53

42983 - ISC BIND 9 DNSSEC Cache Poisoning

Synopsis
The remote name server is affected by a cache poisoning vulnerability.
Description
According to its version number, the remote installation of BIND suffers from a cache poisoning vulnerability. This
issue affects all versions prior to 9.4.3-P5, 9.5.2-P2 or 9.6.1-P3.
Note that only nameservers that allow recursive queries and validate DNSSEC records are affected. Nessus has not
attempted to verify if this configuration applies to the remote service, though, so this could be a false positive.
See Also
https://www.isc.org/advisories/CVE2009-4022
http://www.vupen.com/english/advisories/2010/1352
Solution
Upgrade to BIND 9.4.3-P5 / 9.5.2-P2 / 9.6.1-P3 or later.
57
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
References
BID 37118
CVE CVE-2009-4022
CVE CVE-2010-0382
XREF OSVDB:60493
XREF OSVDB:62008
XREF CERT:418861
Plugin Information:
Ports
udp/53
11002 - DNS Server Detection
Synopsis
A DNS server is listening on the remote host.
Description
The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP
addresses.
See Also
http://en.wikipedia.org/wiki/Domain_Name_System
Solution
Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.
Risk Factor
None
Plugin Information:
Ports
udp/53
35371 - DNS Server hostname.bind Map Hostname Disclosure
Synopsis
The DNS server discloses the remote host name.
Description
It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOS
domain.
Solution
It may be possible to disable this feature. Consult the vendor's documentation for more information.
Risk Factor
None
Plugin Information:
58
Ports
udp/53
The remote host name is :
metasploitable
11951 - DNS Server Fingerprinting

Synopsis
It may be possible to fingerprint the remote DNS server.
Description
This script attempts to identify the remote DNS server type and version by sending various invalid requests to the
remote DNS server and analyzing the error codes returned.
See Also
http://cr.yp.to/surveys/dns1.html
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
udp/53
Nessus was not able to reliably identify the remote DNS server type.
It might be :
ISC BIND 9.4.2
The fingerprint differs from these known signatures on 1 points.

If you know the type and version of the remote DNS server, please send
the following signature to dns-signatures@nessus.org :
4q:2:5:1q:1:1q:1q:1q:1q:0X:0AAXD:0X:0X:0Z0X:0X:0X:4q:4q:4q:0X:0X:2:0AAXD:
10028 - DNS Server BIND version Directive Remote Version Detection

Synopsis
It is possible to obtain the version number of the remote DNS server.
Description
The remote host is running BIND or another DNS server that reports its version number when it receives a special
request for the text 'version.bind' in the domain 'chaos'.
This version is not necessarily accurate and could even be forged, as some DNS servers send the information based
on a configuration file.
Solution
It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section in named.conf.
Risk Factor
None
References
XREF OSVDB:23
Plugin Information:
Ports
udp/53
59
Version : 9.4.2
69/udp
11819 - TFTP Daemon Detection
Synopsis
A TFTP server is listening on the remote port.
Description
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by routers and
diskless hosts to retrieve their configuration. It can also be used by worms to propagate.
Solution
Risk Factor
None
Plugin Information:
Ports
udp/69
80/tcp
45004 - Apache 2.2.x < 2.2.15 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities
Description
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.15. It is, therefore,
potentially affected by multiple vulnerabilities :
- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end
server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-
backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the
wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
https://archive.apache.org/dist/httpd/CHANGES_2.2.15
Solution
Upgrade to Apache version 2.2.15 or later.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
References
BID 21865
BID 36935
60
BID 38491
BID 38494
BID 38580
CVE CVE-2007-6750
CVE CVE-2009-3555
CVE CVE-2010-0408
CVE CVE-2010-0425
CVE CVE-2010-0434
XREF OSVDB:59969
XREF OSVDB:62674
XREF OSVDB:62675
XREF OSVDB:62676
XREF Secunia:38776
XREF CWE:200
Exploitable with
Core Impact (true)
Plugin Information:
Ports
tcp/80
Version source : Server: Apache/2.2.8

Fixed version : 2.2.15
57603 - Apache 2.2.x < 2.2.13 APR apr_palloc Heap Overflow

Synopsis
The remote web server is affected by a buffer overflow vulnerability.
Description
According to its self-reported banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.13. As
such, it includes a bundled version of the Apache Portable Runtime (APR) library that contains a flaw in 'apr_palloc()'
that could cause a heap overflow.
Note that the Apache HTTP server itself does not pass unsanitized, user-provided sizes to this function so it could
only be triggered through some other application that uses it in a vulnerable way.
See Also
Solution
Upgrade to Apache 2.2.13 or later.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
61
References
BID 35949
CVE CVE-2009-2412
XREF OSVDB:56765
XREF CWE:189
Plugin Information:
Ports
tcp/80

58987 - PHP Unsupported Version Detection

Synopsis
The remote host contains an unsupported version of a web application scripting language.
Description
According to its version, the installation of PHP on the remote host is no longer supported.
See Also
http://php.net/eol.php
https://wiki.php.net/rfc/releaseprocess
Solution
Upgrade to a version of PHP that is currently supported.
Risk Factor
Critical
CVSS Base Score
Plugin Information:
Ports
tcp/80
Source : X-Powered-By: PHP/5.2.4-2ubuntu5.10

Installed version : 5.2.4-2ubuntu5.10
End of support date : 2011/01/06
Announcement : http://php.net/eol.php
Supported versions : 5.6.x / 5.5.x

Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
- Faulty error handling in the Solaris pollset support could lead to a denial of service. (CVE-2009-2699)
- The 'mod_proxy_ftp' module allows remote attackers to bypass intended access restrictions. (CVE-2009-3095)
62
- The 'ap_proxy_ftp_handler' function in 'modules/proxy/proxy_ftp.c' in the 'mod_proxy_ftp' module allows remote FTP
servers to cause a denial of service. (CVE-2009-3094)
Note that the remote web server may not actually be affected by these vulnerabilities as Nessus did not try to
determine whether the affected modules are in use or check for the issues themselves.
See Also
http://www.securityfocus.com/advisories/17947
http://www.securityfocus.com/advisories/17959
http://www.nessus.org/u?e470f137
http://www.nessus.org/u?c34c4eda
Solution
Upgrade to Apache version 2.2.14 or later. Alternatively, ensure that the affected modules are not in use.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
7.5 (CVSS2#E:ND/RL:ND/RC:C)
References
BID 36254
BID 36260
BID 36596
CVE CVE-2009-2699
CVE CVE-2009-3094
CVE CVE-2009-3095
XREF OSVDB:57851
XREF OSVDB:57882
XREF OSVDB:58879
XREF Secunia:36549
XREF CWE:264
Plugin Information:
Ports
tcp/80


Synopsis
Description
63
- An flaw exists within the 'mod_headers' module which allows a remote attacker to inject arbitrary headers.
This is done by placing a header in the trailer portion of data being sent using chunked transfer encoding.
(CVE-2013-5704)
- An flaw exists within the 'mod_deflate' module when handling highly compressed bodies. Using a specially crafted
request, a remote attacker can exploit this to cause a denial of service by exhausting memory and CPU resources.
(CVE-2014-0118)
- The 'mod_status' module contains a race condition that can be triggered when handling the scoreboard. A remote
attacker can exploit this to cause a denial of service, execute arbitrary code, or obtain sensitive credential information.
(CVE-2014-0226)
- The 'mod_cgid' module lacks a time out mechanism. Using a specially crafted request, a remote attacker can
use this flaw to cause a denial of service by causing child processes to linger indefinitely, eventually filling up the
scoreboard. (CVE-2014-0231)
number.
See Also
http://www.zerodayinitiative.com/advisories/ZDI-14-236/
http://martin.swende.se/blog/HTTPChunked.html
Solution
Note that version 2.2.28 was never officially released.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 66550
BID 68678
BID 68742
BID 68745
CVE CVE-2013-5704
CVE CVE-2014-0118
CVE CVE-2014-0226
CVE CVE-2014-0231
XREF OSVDB:105190
XREF OSVDB:109216
XREF OSVDB:109231
XREF OSVDB:109234
64
XREF EDB-ID:34133
Plugin Information:
Ports
tcp/80

48244 - PHP 5.2 < 5.2.14 Multiple Vulnerabilities

Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.2 installed on the remote host is older than 5.2.14. Such versions may
be affected by several security issues :
- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug
#51288) (CVE-2010-0397)
- An error exists in the function 'fnmatch' that can lead to stack exhaustion.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- A memory corruption error exists in the function 'substr_replace'.
- The following functions are not properly protected against function interruptions :
addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode,
htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strstr, str_pad, str_word_count, wordwrap,
strtok, setcookie, strip_tags, trim, ltrim, rtrim, parse_str, pack, unpack, uasort, preg_match, strrchr, strchr, substr,
str_repeat (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101,
CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions :
ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user
defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!',
character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions.
(CVE-2010-2531)
See Also
http://www.php.net/releases/5_2_14.php
http://www.php.net/ChangeLog-5.php#5.2.14
Solution
Upgrade to PHP version 5.2.14 or later.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 38708
BID 40948
BID 41991
CVE CVE-2007-1581
65
CVE CVE-2010-0397
CVE CVE-2010-1860
CVE CVE-2010-1862
CVE CVE-2010-1864
CVE CVE-2010-2097
CVE CVE-2010-2100
CVE CVE-2010-2101
CVE CVE-2010-2190
CVE CVE-2010-2191
CVE CVE-2010-2225
CVE CVE-2010-2484
CVE CVE-2010-2531
CVE CVE-2010-3065
XREF OSVDB:33942
XREF OSVDB:63078
XREF OSVDB:64322
XREF OSVDB:64544
XREF OSVDB:64546
XREF OSVDB:65755
XREF OSVDB:66087
XREF OSVDB:66093
XREF OSVDB:66094
XREF OSVDB:66095
XREF OSVDB:66096
XREF OSVDB:66097
XREF OSVDB:66098
XREF OSVDB:66099
XREF OSVDB:66100
XREF OSVDB:66101
XREF OSVDB:66102
XREF OSVDB:66103
66
XREF OSVDB:66104
XREF OSVDB:66105
XREF OSVDB:66106
XREF OSVDB:66798
XREF OSVDB:66804
XREF OSVDB:66805
XREF Secunia:39675
XREF Secunia:40268
Plugin Information:
Ports
tcp/80
Version source : X-Powered-By: PHP/5.2.4-2ubuntu5.10

35067 - PHP < 5.2.8 Multiple Vulnerabilities

Synopsis
The remote web server uses a version of PHP that may be affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.2.8. As such, it is potentially
- PHP fails to properly sanitize error messages of arbitrary HTML or script code, would code allow for cross-site
scripting attacks if PHP's 'display_errors' setting is enabled. (CVE-2008-5814)
- Version 5.2.7 introduced a regression with regard to 'magic_quotes' functionality due to an incorrect fix to the filter
extension. As a result, the 'magic_quotes_gpc' setting remains off even if it is set to on. (CVE-2008-5844)
See Also
http://bugs.php.net/42718
Solution
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 32673
CVE CVE-2008-5814
CVE CVE-2008-5844
XREF OSVDB:50587
67
XREF OSVDB:53532
XREF CWE:16
Plugin Information:
Ports
tcp/80


Synopsis
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be
affected by the following security issues :
- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing
parameter values that cause hash collisions when computing the hash values for storage in a hash table.
(CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read
arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-
bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files,
resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a
NULL pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the
session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of
service attack via memory consumption.
(CVE-2012-0789)
See Also
https://www.tenable.com/security/research/tra-2012-01
http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5
http://www.php.net/archive/2012.php#id2012-01-11-1
http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
https://bugs.php.net/bug.php?id=55475
Solution
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
68
References
BID 49754
BID 50907
BID 51193
BID 51806
BID 51952
BID 51992
BID 52043
CVE CVE-2011-3379
CVE CVE-2011-4566
CVE CVE-2011-4885
CVE CVE-2012-0057
CVE CVE-2012-0781
CVE CVE-2012-0788
CVE CVE-2012-0789
XREF OSVDB:75713
XREF OSVDB:77446
XREF OSVDB:78115
XREF OSVDB:78571
XREF OSVDB:78676
XREF OSVDB:79016
XREF OSVDB:79332
XREF TRA:TRA-2012-01
Exploitable with
Core Impact (true)
Plugin Information:
Ports
tcp/80

35043 - PHP 5 < 5.2.7 Multiple Vulnerabilities

Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
69
According to its banner, the version of PHP installed on the remote host is prior to 5.2.7. It is, therefore, affected by
multiple vulnerabilities :
- There is a buffer overflow flaw in the bundled PCRE library that allows a denial of service attack.
(CVE-2008-2371)
- Multiple directory traversal vulnerabilities exist in functions such as 'posix_access', 'chdir', and 'ftok'
that allow a remote attacker to bypass 'safe_mode'
restrictions. (CVE-2008-2665 and CVE-2008-2666).
- A buffer overflow flaw in 'php_imap.c' may be triggered when processing long message headers due to the use of
obsolete API calls. This can be exploited to cause a denial of service or to execute arbitrary code.
(CVE-2008-2829)
- A buffer overflow in the 'imageloadfont' function in 'ext/gd/gd.c' can be triggered when a specially crafted font is
given. This can be exploited to cause a denial of service or to execute arbitrary code. (CVE-2008-3658)
- A buffer overflow flaw exists in PHP's internal function 'memnstr' which can be exploited by an attacker using the
delimiter argument to the 'explode' function. This can be used to cause a denial of service or to execute arbitrary code.
(CVE-2008-3659)
- When PHP is used as a FastCGI module, an attacker by requesting a file whose file name extension is preceded by
multiple dots can cause a denial of service.
(CVE-2008-3660)
- A heap-based buffer overflow flaw in the mbstring extension can be triggered via a specially crafted string containing
an HTML entity that is not handled during Unicode conversion. This can be exploited to execute arbitrary code.
(CVE-2008-5557)
- Improper initialization of global variables 'page_uid'
and 'page_gid' when PHP is used as an Apache module allows the bypassing of security restriction due to SAPI
'php_getuid' function overloading. (CVE-2008-5624)
- PHP does not enforce the correct restrictions when 'safe_mode' is enabled through a 'php_admin_flag'
setting in 'httpd.conf'. This allows an attacker, by placing a specially crafted 'php_value' entry in '.htaccess', to able to
write to arbitrary files.
(CVE-2008-5625)
- The 'ZipArchive::extractTo' function in the ZipArchive extension fails to filter directory traversal sequences from file
names. An attacker can exploit this to write to arbitrary files. (CVE-2008-5658)
- Under limited circumstances, an attacker can cause a file truncation to occur when calling the 'dba_replace'
function with an invalid argument. (CVE-2008-7068)
- A buffer overflow error exists in the function 'date_from_ISO8601' function within file 'xmlrpc.c'
because user-supplied input is improperly validated.
This can be exploited by a remote attacker to cause a denial of service or to execute arbitrary code.
(CVE-2014-8626)
See Also
http://cxsecurity.com/issue/WLB-2008110041
http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
http://bugs.php.net/bug.php?id=42862
70
Solution
Note that version 5.2.7 has been removed from distribution because of a regression in that version that results in the
'magic_quotes_gpc'
setting remaining off even if it was set to on.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 29796
BID 29797
BID 29829
BID 30087
BID 30649
BID 31612
BID 32383
BID 32625
BID 32688
BID 32948
BID 70928
CVE CVE-2008-2371
CVE CVE-2008-2665
CVE CVE-2008-2666
CVE CVE-2008-2829
CVE CVE-2008-3658
CVE CVE-2008-3659
CVE CVE-2008-3660
CVE CVE-2008-5557
CVE CVE-2008-5624
CVE CVE-2008-5625
CVE CVE-2008-5658
CVE CVE-2008-7068
71
CVE CVE-2014-8626
XREF OSVDB:46584
XREF OSVDB:46638
XREF OSVDB:46639
XREF OSVDB:46641
XREF OSVDB:46690
XREF OSVDB:47796
XREF OSVDB:47797
XREF OSVDB:47798
XREF OSVDB:50480
XREF OSVDB:51477
XREF OSVDB:52205
XREF OSVDB:52206
XREF OSVDB:52207
XREF OSVDB:114250
XREF CWE:119
Plugin Information:
Ports
tcp/80

58988 - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is
potentially affected by a remote code execution and information disclosure vulnerability.
An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server
or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as
command line arguments including switches such as '-s', '-d', and '-c'.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
72
Solution
Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite'
workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
References
BID 53388
CVE CVE-2012-1823
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
CANVAS (true)Core Impact (true)Metasploit (true)
Plugin Information:
Ports
tcp/80

Fixed version : 5.3.12 / 5.4.2

Synopsis
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is
- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled
properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated.
(CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and
'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)
See Also
http://www.nessus.org/u?e81d4026
http://marc.info/?l=oss-security&m=134626481806571&w=2
73
Solution
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 51954
BID 53403
BID 55297
CVE CVE-2011-1398
CVE CVE-2012-0831
CVE CVE-2012-1172
XREF OSVDB:79017
XREF OSVDB:81791
XREF OSVDB:85086
Plugin Information:
Ports
tcp/80


Synopsis
Description
According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be
affected by the following issues :
- A stack-based buffer overflow in FastCGI SAPI.
- An integer overflow in printf().
- An security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c.
- A safe_mode bypass in cURL.
- Incomplete handling of multibyte chars inside escapeshellcmd().
- Issues in the bundled PCRE fixed by version 7.6.
See Also
74
Solution
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 27413
BID 28392
BID 29009
CVE CVE-2007-4850
CVE CVE-2007-6039
CVE CVE-2008-0599
CVE CVE-2008-1384
CVE CVE-2008-2050
CVE CVE-2008-2051
XREF OSVDB:43219
XREF OSVDB:44057
XREF OSVDB:44906
XREF OSVDB:44907
XREF OSVDB:44908
XREF OSVDB:45304
XREF OSVDB:45305
XREF Secunia:30048
XREF CWE:264
Plugin Information:
Ports
tcp/80


Synopsis
75
Description
affected by several security issues :
- An unspecified error occurs in certificate validation inside 'php_openssl_apply_verification_policy'.
- An unspecified input validation vulnerability affects the color index in 'imagecolortransparent()'.
- An unspecified input validation vulnerability affects exif processing.
- Calling 'popen()' with an invalid mode can cause a crash under Windows. (Bug #44683)
- An integer overflow in 'xml_utf8_decode()' can make it easier to bypass cross-site scripting and SQL injection
protection mechanisms using a specially crafted string with a long UTF-8 encoding. (Bug #49687)
- 'proc_open()' can bypass 'safe_mode_protected_env_vars'.
(Bug #49026)
See Also
http://news.php.net/php.internals/45597
Solution
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 36449
BID 44889
CVE CVE-2009-3291
CVE CVE-2009-3292
CVE CVE-2009-3293
CVE CVE-2009-3294
CVE CVE-2009-4018
CVE CVE-2009-5016
XREF OSVDB:58185
XREF OSVDB:58186
XREF OSVDB:58187
XREF OSVDB:58188
XREF OSVDB:60438
XREF OSVDB:69227
76
XREF Secunia:36791
XREF CWE:20
Plugin Information:
Ports
tcp/80

11213 - HTTP TRACE / TRACK Methods Allowed

Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that
are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
4.3 (CVSS2#E:H/RL:OF/RC:C)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
77
XREF OSVDB:11408
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Plugin Information:
Ports
tcp/80
To disable these methods, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2

support disabling the TRACE method natively via the 'TraceEnable'
directive.
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------

TRACE /Nessus1305554577.html HTTP/1.1
Connection: Close
Host: 192.168.0.128
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------

HTTP/1.1 200 OK
Date: Mon, 06 Jun 2016 07:11:58 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus1305554577.html HTTP/1.1

Host: 192.168.0.128
Pragma: no-cache
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
64912 - Apache 2.2.x < 2.2.24 Multiple XSS Vulnerabilities

Synopsis
The remote web server is affected by multiple cross-site scripting vulnerabilities.
Description
potentially affected by the following cross-site scripting vulnerabilities :
78
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and
unescaped hostnames and URIs that could allow cross- site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting
attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 58165
CVE CVE-2012-3499
CVE CVE-2012-4558
XREF OSVDB:90556
XREF OSVDB:90557
XREF CWE:20
XREF CWE:74
XREF CWE:79
XREF CWE:442
XREF CWE:629
XREF CWE:711
XREF CWE:712
XREF CWE:722
XREF CWE:725
XREF CWE:750
XREF CWE:751
XREF CWE:800
XREF CWE:801
XREF CWE:809
XREF CWE:811
79
XREF CWE:864
XREF CWE:900
XREF CWE:928
XREF CWE:931
XREF CWE:990
Plugin Information:
Ports
tcp/80


Synopsis
Description
According to its banner, the version of Apache 2.2.x running on the remote host is a version prior to 2.2.27. It is,
therefore, potentially affected by the following vulnerabilities :
- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white
space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding.
(CVE-2013-6438)
- A flaw exists in 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A
remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)
See Also
Solution
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
References
BID 66303
CVE CVE-2013-6438
CVE CVE-2014-0098
XREF OSVDB:104579
XREF OSVDB:104580
Plugin Information:
80
Ports
tcp/80


Synopsis
The remote web server may be affected by several issues.
Description
According to its banner, the version of Apache 2.2.x. running on the remote host is prior to 2.2.12. It is, therefore,
- A heap-based buffer underwrite flaw exists in the function 'apr_strmatch_precompile()' in the bundled copy of the
APR-util library, which could be triggered when parsing configuration data to crash the daemon.
(CVE-2009-0023)
- A flaw in the mod_proxy_ajp module in version 2.2.11 only may allow a remote attacker to obtain sensitive response
data intended for a client that sent an earlier POST request with no request body.
(CVE-2009-1191)
- The server does not limit the use of directives in a .htaccess file as expected based on directives such as
'AllowOverride' and 'Options' in the configuration file, which could enable a local user to bypass security restrictions.
(CVE-2009-1195)
- Failure to properly handle an amount of streamed data that exceeds the Content-Length value allows a remote
attacker to force a proxy process to consume CPU time indefinitely when mod_proxy is used in a reverse proxy
configuration. (CVE-2009-1890)
- Failure of mod_deflate to stop compressing a file when the associated network connection is closed may allow a
remote attacker to consume large amounts of CPU if there is a large (>10 MB) file available that has mod_deflate
enabled. (CVE-2009-1891)
- Using a specially crafted XML document with a large number of nested entities, a remote attacker may be able to
consume an excessive amount of memory due to a flaw in the bundled expat XML parser used by the mod_dav and
mod_dav_svn modules. (CVE-2009-1955)
- There is an off-by-one overflow in the function 'apr_brigade_vprintf()' in the bundled copy of the APR-util library in the
way it handles a variable list of arguments, which could be leveraged on big-endian platforms to perform information
disclosure or denial of service attacks. (CVE-2009-1956)
Note that Nessus has relied solely on the version in the Server response header and did not try to check for the issues
themselves or even whether the affected modules are in use.
See Also
Solution
Upgrade to Apache version 2.2.12 or later. Alternatively, ensure that the affected modules / directives are not in use.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVSS Temporal Score
References
BID 34663
BID 35115
BID 35221
BID 35251
BID 35253
BID 35565
81
BID 35623
CVE CVE-2009-0023
CVE CVE-2009-1191
CVE CVE-2009-1195
CVE CVE-2009-1890
CVE CVE-2009-1891
CVE CVE-2009-1955
CVE CVE-2009-1956
XREF OSVDB:53921
XREF OSVDB:54733
XREF OSVDB:55057
XREF OSVDB:55058
XREF OSVDB:55059
XREF OSVDB:55553
XREF OSVDB:55782
XREF CWE:119
Plugin Information:
Ports
tcp/80


Synopsis
Description
According to its banner, the version of Apache 2.2.x installed on the remote host is prior to 2.2.22. It is, therefore,
- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause
the web server to proxy requests to arbitrary hosts.
This could allow a remote attacker to indirectly send requests to intranet servers.
(CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf'
directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies.
(CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown.
(CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use
of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to
respond could lead to a temporary denial of service. (CVE-2012-4557)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
82
See Also
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 49957
BID 50494
BID 50802
BID 51407
BID 51705
BID 51706
BID 56753
CVE CVE-2011-3368
CVE CVE-2011-3607
CVE CVE-2011-4317
CVE CVE-2012-0021
CVE CVE-2012-0031
CVE CVE-2012-0053
CVE CVE-2012-4557
XREF OSVDB:76079
XREF OSVDB:76744
XREF OSVDB:77310
XREF OSVDB:78293
XREF OSVDB:78555
XREF OSVDB:78556
XREF OSVDB:89275
Plugin Information:
Ports
83
tcp/80

33477 - Apache 2.2.x < 2.2.9 Multiple Vulnerabilities (DoS, XSS)

Synopsis
Description
affected by multiple vulnerabilities :
- Improper handling of excessive forwarded interim responses may cause denial of service conditions in
mod_proxy_http. (CVE-2008-2364)
- A cross-site request forgery vulnerability in the balancer-manager interface of mod_proxy_balancer.
(CVE-2007-6420)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine
whether the affected modules are in use or to check for the issues themselves.
See Also
https://archive.apache.org/dist/httpd/CHANGES_2.2
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 27236
BID 29653
CVE CVE-2007-6420
CVE CVE-2008-2364
CVE CVE-2007-6423
XREF OSVDB:42937
XREF OSVDB:46085
XREF Secunia:30621
XREF CWE:399
Plugin Information:
Ports
tcp/80

84
Synopsis
Description
- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout
conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine
whether the affected modules are in use or to check for the issues themselves.
See Also
http://www.nessus.org/u?ce8ac446
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 40827
BID 41963
CVE CVE-2010-1452
CVE CVE-2010-2068
XREF OSVDB:65654
XREF OSVDB:66745
XREF Secunia:40206
Plugin Information:
Ports
tcp/80

56216 - Apache 2.2.x < 2.2.21 mod_proxy_ajp DoS

Synopsis
The remote web server is affected by a denial of service vulnerability.
Description
85
potentially affected by a denial of service vulnerability. An error exists in the 'mod_proxy_ajp' module that can allow
specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only
occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.
Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.
See Also
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 49616
CVE CVE-2011-3348
XREF OSVDB:75647
Plugin Information:
Ports
tcp/80

53896 - Apache 2.2.x < 2.2.18 APR apr_fnmatch DoS

Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
affected by a denial of service vulnerability due to an error in the apr_fnmatch() function of the bundled APR library.
If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can
cause high CPU usage with a specially crafted request.
Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine
whether the affected module is in use or to check for the issue itself.
See Also
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
http://securityreason.com/achievement_securityalert/98
Solution
Upgrade to Apache version 2.2.18 or later. Alternatively, ensure that the 'IndexOptions' configuration option is set to
'IgnoreClient'.
Risk Factor
Medium
86
CVSS Base Score
CVSS Temporal Score
References
BID 47820
CVE CVE-2011-0419
XREF OSVDB:73388
XREF Secunia:44574
Plugin Information:
Ports
tcp/80


Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files,
making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests.
(CVE-2013-1896)
See Also
http://www.nessus.org/u?f050c342
Solution
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
3.6 (CVSS2#E:U/RL:OF/RC:UR)
References
BID 59826
BID 61129
CVE CVE-2013-1862
CVE CVE-2013-1896
87
XREF OSVDB:93366
XREF OSVDB:95498
Plugin Information:
Ports
tcp/80


Synopsis
Description
- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over- read
when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in
requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623) Note that the remote
web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected
modules are in use or to check for the issues themselves.
See Also
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 37203
BID 36097
BID 43673
CVE CVE-2009-3560
CVE CVE-2009-3720
CVE CVE-2010-1623
XREF OSVDB:59737
XREF OSVDB:60797
XREF OSVDB:68327
88
XREF Secunia:41701
XREF CWE:119
Plugin Information:
Ports
tcp/80


Synopsis
Description
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars'
file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO),
leading to arbitrary code execution.
(CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-
site scripting attacks.
(CVE-2012-2687)
Note that Nessus has not tested for these flaws but has instead relied on the version in the server's banner.
See Also
Solution
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
References
BID 53046
BID 55131
CVE CVE-2012-0883
CVE CVE-2012-2687
XREF OSVDB:81359
XREF OSVDB:84818
XREF CWE:20
XREF CWE:74
89
XREF CWE:79
XREF CWE:442
XREF CWE:629
XREF CWE:711
XREF CWE:712
XREF CWE:722
XREF CWE:725
XREF CWE:750
XREF CWE:751
XREF CWE:800
XREF CWE:801
XREF CWE:809
XREF CWE:811
XREF CWE:864
XREF CWE:900
XREF CWE:928
XREF CWE:931
XREF CWE:990
Plugin Information:
Ports
tcp/80

44921 - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities

Synopsis
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions
may be affected by several security issues :
- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir'/ 'safe_mode' configuration restrictions due to an error in session
extensions.
- An unspecified vulnerability affects the LCG entropy.
See Also
http://securityreason.com/achievement_securityalert/82
http://securityreason.com/securityalert/7008
90
Solution
Upgrade to PHP version 5.3.2 / 5.2.13 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 38182
BID 38430
BID 38431
CVE CVE-2010-1128
CVE CVE-2010-1129
CVE CVE-2010-1130
XREF OSVDB:62582
XREF OSVDB:62583
XREF OSVDB:63323
XREF Secunia:38708
Plugin Information:
Ports
tcp/80


Synopsis
Description
- It is possible to bypass the 'safe_mode' configuration setting using 'tempnam()'. (CVE-2009-3557)
- It is possible to bypass the 'open_basedir' configuration setting using 'posix_mkfifo()'. (CVE-2009-3558)
- Provided file uploading is enabled (it is by default), an attacker can upload files using a POST request with
'multipart/form-data' content even if the target script doesn't actually support file uploads per se. By supplying a large
number (15,000+) of files, an attacker could cause the web server to stop responding while it processes the file list.
(CVE-2009-4017)
- Missing protection for '$_SESSION' from interrupt corruption and improved 'session.save_path' check.
91
(CVE-2009-4143)
- Insufficient input string validation in the 'htmlspecialchars()' function. (CVE-2009-4142)
See Also
http://www.nessus.org/u?57f2d08f
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 37389
BID 37390
CVE CVE-2009-3557
CVE CVE-2009-3558
CVE CVE-2009-4017
CVE CVE-2009-4142
CVE CVE-2009-4143
XREF OSVDB:60434
XREF OSVDB:60435
XREF OSVDB:60451
XREF OSVDB:61208
XREF OSVDB:61209
XREF Secunia:37821
XREF CWE:264
Plugin Information:
Ports
tcp/80


Synopsis
92
Description
According to its banner, the version of PHP installed on the remote host is older than 5.2.10. Such versions are
reportedly affected by multiple vulnerabilities :
- Sufficient checks are not performed on fields reserved for offsets in function 'exif_read_data()'. Successful
exploitation of this issue could result in a denial of service condition. (bug 48378)
- Provided 'safe_mode_exec_dir' is not set (not set by default), it may be possible to bypass 'safe_mode' restrictions
by preceding a backslash in functions such as 'exec()', 'system()', 'shell_exec()', 'passthru()' and 'popen()' on a system
running PHP on Windows. (bug 45997)
See Also
Solution
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
4.8 (CVSS2#E:F/RL:U/RC:C)
References
BID 35440
BID 35435
CVE CVE-2009-2687
XREF OSVDB:55222
XREF OSVDB:55223
XREF OSVDB:55224
XREF Secunia:35441
XREF CWE:20
Plugin Information:
Ports
tcp/80

73289 - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass

Synopsis
The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1
and thus, is potentially affected by a security bypass vulnerability.
93
An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close'
method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.
Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version
number.
See Also
http://www.nessus.org/u?bcc428c2
Solution
Upgrade to PHP version 5.3.11 / 5.4.1 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 65673
CVE CVE-2012-1171
XREF OSVDB:104201
Plugin Information:
Ports
tcp/80


Synopsis
Description
affected by various issues, including but not limited to several buffer overflows.
See Also
Solution
Risk Factor
Medium
CVSS Base Score
4.4 (CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
References
BID 26403
94
BID 69246
CVE CVE-2007-3996
CVE CVE-2007-4782
CVE CVE-2007-4783
CVE CVE-2007-4784
CVE CVE-2007-4825
CVE CVE-2007-4840
CVE CVE-2007-4887
CVE CVE-2007-4889
CVE CVE-2007-5447
CVE CVE-2007-5653
CVE CVE-2007-5898
CVE CVE-2007-5899
CVE CVE-2007-5900
CVE CVE-2008-2107
CVE CVE-2008-2108
CVE CVE-2008-4107
XREF OSVDB:36870
XREF OSVDB:37784
XREF OSVDB:38680
XREF OSVDB:38681
XREF OSVDB:38682
XREF OSVDB:38683
XREF OSVDB:38684
XREF OSVDB:38685
XREF OSVDB:38686
XREF OSVDB:38687
XREF OSVDB:38688
XREF OSVDB:38916
XREF OSVDB:38917
XREF OSVDB:38918
95
XREF OSVDB:41708
XREF OSVDB:41775
XREF OSVDB:44909
XREF OSVDB:44910
XREF OSVDB:45902
XREF OSVDB:49561
XREF CWE:264
Plugin Information:
Ports
tcp/80


Synopsis
Description
- Background color is not correctly validated with a non true color image in function 'imagerotate()'. (CVE-2008-5498)
- A denial of service condition can be triggered by trying to extract zip files that contain files with relative paths in file or
directory names.
- Function 'explode()' is affected by an unspecified vulnerability.
- It may be possible to trigger a segfault by passing a specially crafted string to function 'json_decode()'.
- Function 'xml_error_string()' is affected by a flaw which results in messages being off by one.
See Also
http://news.php.net/php.internals/42762
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 33002
BID 33927
CVE CVE-2008-5498
96
CVE CVE-2009-1271
CVE CVE-2009-1272
XREF OSVDB:51031
XREF OSVDB:52486
XREF OSVDB:53440
XREF Secunia:34081
XREF CWE:200
Plugin Information:
Ports
tcp/80

51139 - PHP 5.2 < 5.2.15 Multiple Vulnerabilities

Synopsis
Description
According to its banner, the version of PHP 5.2 installed on the remote host is older than 5.2.15. Such versions may
be affected by several security issues :
- A crash in the zip extract method.
- A possible double free exists in the imap extension.
(CVE-2010-4150)
- An unspecified flaw exists in 'open_basedir'. (CVE-2010-3436)
- A possible crash could occur in 'mssql_fetch_batch()'.
- A NULL pointer dereference exists in 'ZipArchive::getArchiveComment'. (CVE-2010-3709)
- A crash exists if anti-aliasing steps are invalid.
(Bug #53492)
- A crash exists in pdo_firebird getAttribute(). (Bug #53323)
- A user-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called
can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 /
CVE-2010-4698)
- The extract function does not prevent use of the EXTR_OVERWRITE parameter to overwrite the GLOBALS
superglobal array and the 'this' variable, which allows attackers to bypass intended access restrictions.
(CVE-2011-0752)
See Also
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
97
BID 44718
BID 44723
BID 45335
BID 45952
BID 46448
CVE CVE-2010-3436
CVE CVE-2010-3709
CVE CVE-2010-4150
CVE CVE-2010-4697
CVE CVE-2010-4698
CVE CVE-2011-0752
XREF OSVDB:68597
XREF OSVDB:69109
XREF OSVDB:69110
XREF OSVDB:69660
XREF OSVDB:70607
XREF OSVDB:70608
XREF OSVDB:74728
Plugin Information:
Ports
tcp/80

51439 - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Synopsis
The remote web server uses a version of PHP that is affected by a denial of service vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5.
Such versions may experience a crash while performing string to double conversion for certain numeric values. Only
x86 32-bit PHP processes are known to be affected by this issue regardless of whether the system running PHP is 32-
bit or 64-bit.
See Also
http://www.php.net/distributions/test_bug53632.txt
98
Solution
Upgrade to PHP 5.2.17/5.3.5 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 45668
CVE CVE-2010-4645
XREF OSVDB:70370
Plugin Information:
Ports
tcp/80

Fixed version : 5.2.17/5.3.5
10056 - /doc Directory Browsable

Synopsis
The remote web server is affected by an information disclosure vulnerability.
Description
The /doc directory is browsable. /doc shows the contents of the /usr/doc directory, which reveals not only which
programs are installed but also their versions.
See Also
http://projects.webappsec.org/Directory-Indexing
Solution
Use access restrictions for the /doc directory.
If you use Apache you might use this in your access.conf :
<Directory /usr/doc>
AllowOverride None order deny,allow deny from all allow from localhost </Directory>
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
4.2 (CVSS2#E:U/RL:U/RC:ND)
References
BID 318
CVE CVE-1999-0678
XREF OSVDB:48
Plugin Information:
Ports
99
tcp/80
88099 - Web Server HTTP Header Information Disclosure
Synopsis
The remote web server discloses information via HTTP headers.
Description
The HTTP headers sent by the remote web server disclose information that can aid an attacker, such as the server
version and languages used by the web server.
Solution
Modify the HTTP headers of the web server to not disclose detailed information about the underlying web server.
Risk Factor
Medium
CVSS Base Score
Plugin Information:
Ports
tcp/80
Server type : Apache

Server version : 2.2.8
Source : 2.2.8
Additional data : X-Powered-By: PHP/5.2.4-2ubuntu5.10
40984 - Browsable Web Directories

Synopsis
Some directories on the remote web server are browsable.
Description
Miscellaneous Nessus plugins identified directories on this web server that are browsable.
See Also
http://www.nessus.org/u?0a35179e
Solution
Make sure that browsable directories do not leak confidential informative or give access to sensitive resources.
Additionally, use access restrictions or disable directory indexing for any that do.
Risk Factor
Medium
CVSS Base Score
Plugin Information:
Ports
tcp/80
The following directories are browsable :
http://192.168.0.128/doc/
34433 - Apache mod_proxy_ftp Directory Component Wildcard Character Globbing XSS

Synopsis
The remote web server is vulnerable to a cross-site scripting attack.
Description
The mod_proxy_ftp module in the version of Apache running on the remote host fails to properly sanitize user-
supplied URL input before using it to generate dynamic HTML output. Using specially crafted requests for FTP URLs
100
with globbing characters (such as asterisk, tilde, opening square bracket, etc), an attacker may be able to leverage
this issue to inject arbitrary HTML and script code into a user's browser to be executed within the security context of
the affected site.
See Also
http://www.rapid7.com/advisories/R7-0033
https://archive.apache.org/dist/httpd/CHANGES_2.2
Solution
Upgrade to Apache version 2.2.10 or later. Alternatively, disable the affected module.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 30560
CVE CVE-2008-2939
XREF OSVDB:47474
XREF CWE:79
Plugin Information:
Ports
tcp/80
Apache version 2.2.8 appears to be running on the remote host based

on the following Server response header :
Note that Nessus tried but failed to exploit the issue and instead has
relied only on a banner check. There may be several reasons why the
exploit failed :
- The remote web server is not configured to use

mod_proxy_ftp or to proxy requests in general.
- The remote web server is configured such that the Nessus

scanning host is not allowed to use the proxy.
- The plugin did not know of an anonymous FTP server that

it could use for testing.
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

Synopsis
The web server running on the remote host is affected by an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host is affected by an information disclosure vulnerability.
Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with
an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in
conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
101
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Ports
tcp/80
Nessus verified this by sending a request with a long Cookie header :
GET / HTTP/1.1
Host: 192.168.0.128
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
Pragma: no-cache
Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

Synopsis
Description
102
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/80

Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/80
A web server is running on this port.
43111 - HTTP Methods Allowed (per directory)

Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests'
is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives
a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security
vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/80
Based on tests of each method :
- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :
103
11919 - HMAP Web Server Fingerprinting
Synopsis
HMAP fingerprints the remote HTTP server.
Description
By sending several valid and invalid HTTP requests, it may be possible to identify the remote web server type. In
some cases, its version can also be approximated, as well as some options.
An attacker may use this tool to identify the kind of the remote web server and gain further knowledge about this host.
Suggestions for defense against fingerprinting are presented in http://acsac.org/2002/abstracts/96.html
See Also
http://www.nessus.org/u?05d4ce87
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
http://projects.webappsec.org/w/page/13246925/Fingerprinting
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/80
This web server was fingerprinted as : Apache/2.0.50-2.2.14 (Linux)

which is consistent with the displayed banner : Apache/2.2.8 (Ubuntu) DAV/2
10107 - HTTP Server Type and Version

Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/80
The remote web server type is :
Apache/2.2.8 (Ubuntu) DAV/2
You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
11424 - WebDAV Detection

Synopsis
The remote server is running with WebDAV enabled.
Description
WebDAV is an industry standard extension to the HTTP specification.
It adds a capability for authorized users to remotely add and manage the content of a web server.
104
If you do not use this extension, you should disable it.
Solution
http://support.microsoft.com/default.aspx?kbid=241520
Risk Factor
None
Plugin Information:
Ports
tcp/80
48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/80
Nessus was able to identify the following PHP version information :
Version : 5.2.4-2ubuntu5.10
Source : X-Powered-By: PHP/5.2.4-2ubuntu5.10
24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/80
Protocol version : HTTP/1.1

SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
Date: Mon, 06 Jun 2016 07:12:31 GMT

X-Powered-By: PHP/5.2.4-2ubuntu5.10
Keep-Alive: timeout=15, max=100
105
Transfer-Encoding: chunked
Content-Type: text/html
111/tcp
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/111
53335 - RPC portmapper (TCP)

Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port.
The portmapper allows someone to get the port number of each RPC service running on the remote host by sending
either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/111
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the
remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
106
tcp/111
The following RPC services are available on TCP port 111 :
- program: 100000 (portmapper), version: 2
111/udp
10223 - RPC portmapper Service Detection
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port.
The portmapper allows someone to get the port number of each RPC service running on the remote host by sending
either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
References
CVE CVE-1999-0632
Plugin Information:
Ports
udp/111
Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
udp/111
The following RPC services are available on UDP port 111 :
- program: 100000 (portmapper), version: 2
137/udp
10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It was possible to obtain the network name of the remote host.
Description
The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.
Solution
107
n/a
Risk Factor
None
Plugin Information:
Ports
udp/137
The following 5 NetBIOS names have been gathered :
METASPLOITABLE = Computer name

METASPLOITABLE = Messenger Service
METASPLOITABLE = File Server Service
WORKGROUP = Workgroup / Domain name
WORKGROUP = Browser Service Elections
This SMB server seems to be a Samba server - its MAC address is NULL.
139/tcp
10204 - Microsoft Windows NT SCM Malformed Resource Enumeration Request DoS
Synopsis
The remote host is vulnerable to a denial of service.
Description
An 'rfpoison' packet has been sent to the remote host. This packet is supposed to crash the 'services.exe' process,
making the system unstable.
See Also
http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
Solution
Apply NT4 last service pack, or better, upgrade to Windows last version.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 754
CVE CVE-1999-0980
XREF OSVDB:11264
Plugin Information:
Ports
tcp/139
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
108
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/139
An SMB server is running on this port.

Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/139
445/tcp
25217 - Samba < 3.0.25 Multiple Vulnerabilities
Synopsis
The remote Samba server is affected by multiple vulnerabilities.
Description
According to its banner, the version of the Samba server installed on the remote host is affected by multiple buffer
overflow and remote command injection vulnerabilities, which can be exploited remotely, as well as a local privilege
escalation bug.
See Also
http://www.samba.org/samba/security/CVE-2007-2444.html
Solution
Upgrade to Samba version 3.0.25 or later.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
9.5 (CVSS2#E:F/RL:ND/RC:ND)
References
109
BID 23972
BID 23973
BID 23974
BID 24195
BID 24196
BID 24197
BID 24198
CVE CVE-2007-2444
CVE CVE-2007-2446
CVE CVE-2007-2447
XREF OSVDB:34698
XREF OSVDB:34699
XREF OSVDB:34700
XREF OSVDB:34731
XREF OSVDB:34732
XREF OSVDB:34733
Exploitable with
Plugin Information:
Ports
tcp/445
76314 - Samba Unsupported Version Detection
Synopsis
The remote host contains an unsupported version of Samba.
Description
According to its banner, the version of Samba on the remote host is no longer supported.
See Also
https://wiki.samba.org/index.php/Samba_Release_Planning
Solution
Upgrade to a currently supported version of Samba.
Risk Factor
Critical
CVSS Base Score
Plugin Information:
110
Ports
tcp/445
Installed version : 3.0.20-Debian

EOL date : 2009/08/05
EOL URL : https://wiki.samba.org/index.php/Samba_Release_Planning
Supported version : 4.1.x / 4.2.x / 4.3.x / 4.4.x
58662 - Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows
Synopsis
The remote Samba server is affected by multiple buffer overflow vulnerabilities.
Description
According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.6.4 / 3.5.14 / 3.4.16. It
is, therefore, affected by multiple heap-based buffer overflow vulnerabilities.
An error in the DCE/RPC IDL (PIDL) compiler causes the RPC handling code it generates to contain multiple heap-
based buffer overflow vulnerabilities. This generated code can allow a remote, unauthenticated attacker to use
malicious RPC calls to crash the application and possibly execute arbitrary code as the root user.
Note that Nessus has not actually tried to exploit this issue or otherwise determine if one of the associated patches
has been applied.
See Also
https://www.samba.org/samba/security/CVE-2012-1182
http://www.samba.org/samba/history/samba-3.6.4.html
http://www.samba.org/samba/history/security.html
Solution
Either install the appropriate patch referenced in the project's advisory or upgrade to 3.6.4 / 3.5.14 / 3.4.16 or later.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
References
BID 52973
111
CVE CVE-2012-1182
XREF OSVDB:81303
Exploitable with
Plugin Information:
Ports
tcp/445

Fixed version : 3.6.4 / 3.5.14 / 3.4.16
90508 - Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities
(Badlock)
Synopsis
Description
The version of Samba running on the remote host is 3.x or 4.2.x prior to 4.2.10, 4.3.x prior to 4.3.7, or 4.4.x prior to
4.4.1. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists in the DCE-RPC client when handling specially crafted DCE-RPC packets. A man-in-the-middle (MitM)
attacker can exploit this to downgrade the connection security, cause a denial of service through resource exhaustion,
or potentially execute arbitrary code. (CVE-2015-5370)
- A flaw exists in the implementation of NTLMSSP authentication. A MitM attacker can exploit this to clear the
NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL settings, take over the connections, cause traffic
to be sent unencrypted, or have other unspecified impact. (CVE-2016-2110)
- A flaw exists in NETLOGON due to a failure to properly establish a secure channel connection. A MitM attacker can
exploit this to spoof the computer names of a secure channel's endpoints, potentially gaining session information.
(CVE-2016-2111)
- A flaw exists in the integrity protection mechanisms that allows a MitM attacker to downgrade a secure LDAP
connection to an insecure version. (CVE-2016-2112)
- A flaw exists due to improper validation of TLS certificates for the LDAP and HTTP protocols. A MitM attacker can
exploit this, via a crafted certificate, to spoof a server, resulting in the disclosure or manipulation of the transmitted
traffic. (CVE-2016-2113)
- A flaw exists due to a failure to enforce the 'server signing = mandatory' option in smb.conf for clients using the
SMB1 protocol. A MitM attacker can exploit this to conduct spoofing attacks.
(CVE-2016-2114)
- A flaw exists due to a failure to perform integrity checking for SMB client connections. A MitM attacker can exploit
this to conduct spoofing attacks since the protection mechanisms for DCERPC communication sessions are inherited
from the underlying SMB connection.
(CVE-2016-2115)
- A flaw, known as Badlock, exists in the Security Account Manager (SAM) and Local Security Authority (Domain
Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC)
channels. A MitM attacker who is able to able to intercept the traffic between a client and a server hosting a SAM
database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary
Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the
Active Directory (AD) database or disabling critical services.
(CVE-2016-2118)
See Also
https://www.samba.org/samba/security/CVE-2015-5370.html
112
http://badlock.org
Solution
Upgrade to Samba version 4.2.10 / 4.3.7 / 4.4.1 or later.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
STIG Severity
I
References
CVE CVE-2015-5370
CVE CVE-2016-2110
CVE CVE-2016-2111
CVE CVE-2016-2112
CVE CVE-2016-2113
CVE CVE-2016-2114
CVE CVE-2016-2115
CVE CVE-2016-2118
XREF OSVDB:136339
XREF OSVDB:136989
XREF OSVDB:136990
XREF OSVDB:136991
XREF OSVDB:136992
XREF OSVDB:136993
XREF OSVDB:136994
XREF OSVDB:136995
Plugin Information:
113
Ports
tcp/445

24685 - Samba < 3.0.24 Multiple Flaws

Synopsis
The remote Samba server is affected by several vulnerabilities that could lead to remote code execution
Description
According to its version number, the remote Samba server is affected by several flaws :
- A denial of service issue occuring if an authenticated attacker sends a large number of CIFS session requests which
will cause an infinite loop to occur in the smbd daemon, thus utilizing CPU resources and denying access to legitimate
users ;
- A remote format string vulnerability that could be exploited by an attacker with write access to a remote share by
sending a malformed request to the remote service (this issue only affects installations sharing an AFS file system
when the afsacl.so VFS module is loaded)
- A remote buffer overflow vulnerability affecting the NSS lookup capability of the remote winbindd daemon
Solution
Upgrade to Samba 3.0.24 or newer
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 22395
BID 22403
BID 22410
CVE CVE-2007-0452
CVE CVE-2007-0453
CVE CVE-2007-0454
XREF OSVDB:33098
XREF OSVDB:33100
XREF OSVDB:33101
Plugin Information:
Ports
tcp/445
32476 - Samba < 3.0.30 receive_smb_raw Function Remote Buffer Overflow
Synopsis
The remote Samba server may be affected by a buffer overflow vulnerability.
Description
According to its banner, the version of the Samba server on the remote host is reportedly affected by a boundary
error in 'nmbd' within the 'receive_smb_raw' function in 'lib/util_sock.c' when parsing SMB packets received in a client
114
context. By sending specially crafted packets to an 'nmbd' server configured as a local or domain master browser,
an attacker can leverage this issue to produce a heap-based buffer overflow and execute arbitrary code with system
privileges.
Note that Nessus has not actually tried to exploit this issue, verify the remote 'nmbd' server's configuration, or
determine if the fix has been applied.
See Also
http://secunia.com/secunia_research/2008-20/advisory/
Solution
Upgrade to Samba version 3.0.30 or later or apply the patch referenced in the project's advisory.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 29404
CVE CVE-2008-1105
XREF OSVDB:45657
XREF Secunia:30228
XREF CWE:119
Plugin Information:
Ports
tcp/445
The remote Samba server appears to be :
Samba 3.0.20-Debian
47036 - Samba 3.x < 3.3.13 SMB1 Packet Chaining Memory Corruption
Synopsis
The remote service is affected by a memory corruption vulnerability.
Description
According to its banner, the version of Samba running on the remote host is a version of 3.x before 3.3.13. Such
versions are affected by a memory corruption vulnerability when handling specially crafted SMB1 packets.
By exploiting this flaw, a remote, unauthenticated attacker could crash the affected service or potentially execute
arbitrary code subject to the privileges of the user running the affected application.
See Also
http://www.samba.org/samba/history/security.html
Solution
Upgrade to Samba 3.3.13 or later.
Risk Factor
115
High
CVSS Base Score
CVSS Temporal Score
References
BID 40884
CVE CVE-2010-2063
XREF OSVDB:65518
XREF Secunia:40145
Exploitable with
Metasploit (true)
Plugin Information:
Ports
tcp/445
Samba 3.0.20-Debian
49228 - Samba 3.x < 3.5.5 / 3.4.9 / 3.3.14 sid_parse Buffer Overflow
Synopsis
The remote Samba server is affected by a buffer overflow vulnerability.
Description
According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.5.5. The 'sid_parse()'
and related 'dom_sid_parse()' functions in such versions fail to correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID).
An attacker who is able to get a connection to a file share, either authenticated or via a guest connection, can
leverage this issue to launch a stack-based buffer overflow attack against the affected smbd service and possibly
execute arbitrary code.
Note that Nessus has not actually tried to exploit this issue or determine if one of the patches has been applied.
See Also
https://bugzilla.samba.org/show_bug.cgi?id=7669
Solution
Either apply one of the patches referenced in the project's advisory or upgrade to 3.5.5 / 3.4.9 / 3.3.14 or later.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
116
References
BID 43212
CVE CVE-2010-3069
XREF OSVDB:67994
XREF Secunia:41354
Plugin Information:
Ports
tcp/445

Fixed version : 3.5.5 / 3.4.9 / 3.3.14
29253 - Samba < 3.0.28 send_mailslot Function Remote Buffer Overflow

Synopsis
The remote Samba server may be affected by a buffer overflow vulnerability.
Description
According to its banner, the version of the Samba server on the remote host is reportedly affected by a boundary error
in 'nmbd' within the 'send_mailslot' function. Provided the 'domain logons' option is enabled in 'smb.conf', an attacker
can leverage this issue to produce a stack-based buffer overflow using a 'SAMLOGON' domain logon packet in which
the username string is placed at an odd offset and is followed by a long 'GETDC' string.
Note that Nessus has not actually tried to exploit this issue nor verify whether the 'domain logons' option has been
enabled on the remote host.
See Also
http://us3.samba.org/samba/security/CVE-2007-6015.html
Solution
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 26791
CVE CVE-2007-6015
XREF OSVDB:39191
XREF CWE:119
Plugin Information:
Ports
tcp/445
28228 - Samba < 3.0.27 Multiple Vulnerabilities
Synopsis
117
The remote Samba server may be affected one or more vulnerabilities.
Description
According to its banner, the version of the Samba server on the remote host contains a boundary error in the
'reply_netbios_packet()'
function in 'nmbd/nmbd_packets.c' when sending NetBIOS replies.
Provided the server is configured to run as a WINS server, a remote attacker can exploit this issue by sending multiple
specially crafted WINS 'Name Registration' requests followed by a WINS 'Name Query'
request, leading to a stack-based buffer overflow. This could also allow for the execution of arbitrary code.
There is also a stack buffer overflow in nmbd's logon request processing code that can be triggered by means of
specially crafted GETDC mailslot requests when the affected server is configured as a Primary or Backup Domain
Controller. Note that the Samba security team currently does not believe this particular issue can be exploited to
execute arbitrary code remotely.
See Also
http://www.securityfocus.com/archive/1/483744
Solution
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 26454
BID 26455
CVE CVE-2007-4572
CVE CVE-2007-5398
XREF OSVDB:39179
XREF OSVDB:39180
XREF CWE:119
Plugin Information:
Ports
tcp/445
55733 - Samba 3.x < 3.3.16 / 3.4.14 / 3.5.10 Multiple Vulnerabilities
Synopsis
Description
118
According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.3.16 / 3.4.14 / 3.5.10.
As such, it is potentially affected by several vulnerabilities in the Samba Web Administration Tool (SWAT) :
- A cross-site scripting vulnerability exists because of a failure to sanitize input to the username parameter of the
'passwd' program. (Issue #8289)
- A cross-site request forgery (CSRF) vulnerability can allow SWAT to be manipulated when a user who is logged in
as root is tricked into clicking specially crafted URLs sent by an attacker. (Issue #8290)
Note that these issues are only exploitable when SWAT it enabled, and it is not enabled by default.
Also note that Nessus has relied only on the self-reported version number and has not actually determined whether
SWAT is enabled, tried to exploit these issues, or determine if the associated patches have been applied.
See Also
http://samba.org/samba/security/CVE-2011-2522
http://samba.org/samba/security/CVE-2011-2694
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 48899
BID 48901
CVE CVE-2011-2522
CVE CVE-2011-2694
XREF OSVDB:74071
XREF OSVDB:74072
XREF EDB-ID:17577
XREF Secunia:45393
Plugin Information:
Ports
tcp/445

Fixed version : 3.3.16 / 3.4.14 / 3.5.10
69276 - Samba 3.x < 3.5.22 / 3.6.x < 3.6.17 / 4.0.x < 4.0.8 read_nttrans_ea_lis DoS
Synopsis
119
The remote Samba server is affected by a denial of service vulnerability.
Description
According to its banner, the version of Samba running on the remote host is 3.x prior to 3.5.22, 3.6.x prior to 3.6.17 or
4.0.x prior to 4.0.8. It is, therefore, potentially affected by a denial of service vulnerability.
An integer overflow error exists in the function 'read_nttrans_ea_lis'
in the file 'nttrans.c' that could allow denial of service attacks to be carried out via specially crafted network traffic.
Note if 'guest' connections are allowed, this issue can be exploited by a remote, unauthenticated attacker.
Further note that Nessus has relied only on the self-reported version number and has not actually tried to exploit this
issue or determine if the associated patch has been applied.
See Also
http://www.samba.org/samba/security/CVE-2013-4124
http://www.nessus.org/u?402dfe4d
Solution
Either install the patch referenced in the project's advisory, or upgrade to version 3.5.22 / 3.6.17 / 4.0.8 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 61597
CVE CVE-2013-4124
XREF OSVDB:95969
XREF EDB-ID:27778
Plugin Information:
Ports
tcp/445

Fixed version : 3.5.22 / 3.6.17 / 4.0.8
52503 - Samba 3.x < 3.3.15 / 3.4.12 / 3.5.7 'FD_SET' Memory Corruption
Synopsis
The remote Samba server is affected by a memory corruption vulnerability.
Description
According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.3.15 / 3.4.12 / 3.5.7. An
error exists in the range checks on file descriptors in the 'FD_SET' macro that allows stack corruption. This corruption
can cause Samba to crash or to continually try selecting on an improper descriptor set.
An attacker who is able to get a connection to a file share, either authenticated or via a guest connection, can
leverage this issue to launch a denial of service attack against the affected smbd service.
Note the possibility of arbitrary code execution exists with this type of vulnerability but has not been confirmed.
Also note that Nessus has not actually tried to exploit this issue or otherwise determine if one of the patches has been
applied.
120
See Also
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 46597
CVE CVE-2011-0719
XREF OSVDB:71268
XREF Secunia:43512
Plugin Information:
Ports
tcp/445

Fixed version : 3.3.15 / 3.4.12 / 3.5.7
64459 - Samba < 3.5.21 / 3.6.12 / 4.0.2 SWAT Multiple Vulnerabilities

Synopsis
Description
According to its banner, the version of Samba running on the remote host is 3.x earlier than 3.5.21 or 3.6.12 or is 4.x
earlier than 4.0.1, and is, therefore, potentially affected by the following vulnerabilities :
- An error exists in the SWAT interface that could allow 'clickjacking' attacks. (CVE-2013-0213, Issue #9576)
- An error exists in the SWAT interface that could allow cross-site request forgery (CSRF) attacks.
(CVE-2013-0214, Issue #9577)
Note that these issues are only exploitable when SWAT is enabled and it is not enabled by default.
Also note that Nessus has relied only on the self-reported version number and has not actually determined whether
SWAT is enabled, tried to exploit these issues, or determine if the associated patches have been applied.
See Also
Solution
Either install the patch referenced in the project's advisory or upgrade to 3.5.21 / 3.6.12 / 4.0.2 or later.
121
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 57631
CVE CVE-2013-0213
CVE CVE-2013-0214
XREF OSVDB:89626
XREF OSVDB:89627
Plugin Information:
Ports
tcp/445

Fixed version : 3.5.21 / 3.6.12 / 4.0.2
41970 - Samba < 3.0.37 / 3.2.15 / 3.3.8 / 3.4.2 Multiple Vulnerabilities

Synopsis
The remote Samba server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Samba server on the remote host is earlier than 3.0.37 / 3.2.15 / 3.3.8 / 3.4.2.
Such versions are potentially affected by multiple issues :
- If a user in '/etc/passwd' is misconfigured to have an empty home directory, then connecting to the home share of
this user will use the root of the file system as the home directory. (CVE-2009-2813)
- Specially crafted SMB requests on authenticated SMB connections can send smbd into a 100% loop, causing a
denial of service. (CVE-2009-2906)
- When 'mount.cifs' is installed as a setuid program, a user can pass it a credential or password path to which he or
she does not have access and then use the '--verbose' option to view the first line of that file.
(CVE-2009-2948)
See Also
Solution
Upgrade to Samba 3.0.37 / 3.2.15 / 3.3.8 / 3.4.2 or later.
Risk Factor
Medium
CVSS Base Score
6.0 (CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P)
CVSS Temporal Score
References
BID 36572
122
BID 36573
CVE CVE-2009-2813
CVE CVE-2009-2906
CVE CVE-2009-2948
XREF OSVDB:57955
XREF OSVDB:58519
XREF OSVDB:58520
XREF CWE:264
Plugin Information:
Ports
tcp/445
Samba 3.0.20-Debian
90509 - Samba Badlock Vulnerability

Synopsis
An SMB server running on the remote host is affected by the Badlock vulnerability.
Description
The version of Samba, a CIFS/SMB server for Linux and Unix, running on the remote host is affected by a flaw, known
as Badlock, that exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD)
protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-
the-middle attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database
can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba
network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active
Directory (AD) database or disabling critical services.
See Also
http://badlock.org
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
STIG Severity
I
References
CVE CVE-2016-2118
XREF OSVDB:136339
123
Plugin Information:
Ports
tcp/445
Nessus detected that the Samba Badlock patch has not been applied.
11011 - Microsoft Windows SMB Service Detection

Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/445
A CIFS server is running on this port.
25240 - Samba Server Detection

Synopsis
An SMB server is running on the remote host.
Description
The remote host is running Samba, a CIFS/SMB server for Linux and Unix.
See Also
http://www.samba.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/445
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to obtain the remote operating system name and version (Windows and/or Samba) by sending an
authentication request to port 139 or 445. This script requires SMB1 enabled on the host.
Solution
n/a
Risk Factor
124
None
Plugin Information:
Ports
tcp/445
The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.20-Debian
The remote SMB Domain Name is : METASPLOITABLE
10394 - Microsoft Windows SMB Log In Possible

Synopsis
It was possible to log into the remote host.
Description
The remote host is running a Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was
possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Supplied credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/445
- NULL sessions are enabled on the remote host.

Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/445
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Synopsis
It is possible to obtain network information.
125
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Ports
tcp/445
Here is the browse list of the remote host :
METASPLOITABLE ( os : 0.0 )
512/tcp
10245 - rsh Service Detection
Synopsis
The rsh service is running on the remote host.
Description
The rsh service is running on the remote host. This service is vulnerable since data is passed between the rsh client
and server in cleartext. A man-in-the-middle attacker can exploit this to sniff logins and passwords. Also, it may allow
poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any
network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass authentication.
Finally, rsh is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files.
Solution
Comment out the 'rsh' line in /etc/inetd.conf and restart the inetd process. Alternatively, disable this service and use
SSH instead.
Risk Factor
High
CVSS Base Score
References
CVE CVE-1999-0651
XREF OSVDB:193
Exploitable with
Metasploit (true)
Plugin Information:
Ports
tcp/512
Synopsis
Description
126
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/512
513/tcp
10205 - rlogin Service Detection
Synopsis
The rlogin service is running on the remote host.
Description
The rlogin service is running on the remote host. This service is vulnerable since data is passed between the rlogin
client and server in cleartext. A man-in-the-middle attacker can exploit this to sniff logins and passwords. Also, it may
allow poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing
(from any network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass
authentication.
Finally, rlogin is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files.
Solution
Comment out the 'login' line in /etc/inetd.conf and restart the inetd process. Alternatively, disable this service and use
SSH instead.
Risk Factor
High
CVSS Base Score
References
CVE CVE-1999-0651
XREF OSVDB:193
Exploitable with
Metasploit (true)
Plugin Information:
Ports
tcp/513
Synopsis
Description
Solution
Risk Factor
127
None
Plugin Information:
Ports
tcp/513
514/tcp
10245 - rsh Service Detection
Synopsis
The rsh service is running on the remote host.
Description
The rsh service is running on the remote host. This service is vulnerable since data is passed between the rsh client
and server in cleartext. A man-in-the-middle attacker can exploit this to sniff logins and passwords. Also, it may allow
poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any
network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass authentication.
Finally, rsh is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files.
Solution
Comment out the 'rsh' line in /etc/inetd.conf and restart the inetd process. Alternatively, disable this service and use
SSH instead.
Risk Factor
High
CVSS Base Score
References
CVE CVE-1999-0651
XREF OSVDB:193
Exploitable with
Metasploit (true)
Plugin Information:
Ports
tcp/514
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/514
128
1099/tcp
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/1099
22227 - RMI Registry Detection

Synopsis
An RMI registry is listening on the remote host.
Description
The remote host is running an RMI registry, which acts as a bootstrap naming service for registering and retrieving
remote objects with simple names in the Java Remote Method Invocation (RMI) system.
See Also
http://docs.oracle.com/javase/1.5.0/docs/guide/rmi/spec/rmiTOC.html
http://www.nessus.org/u?eb68319f
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/1099
1524/tcp
51988 - Rogue Shell Backdoor Detection
Synopsis
The remote host may have been compromised.
Description
A shell is listening on the remote port, without any authentication. An attacker may use it by connecting to the remote
port and sending commands directly.
Solution
Verify if the remote host has been compromised, and reinstall the system if necessary.
Risk Factor
Critical
CVSS Base Score
129
Plugin Information:
Ports
tcp/1524
The command 'id' returns :
root@metasploitable:/# uid=0(root) gid=0(root) groups=0(root)

root@metasploitable:/#

Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/1524

Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/1524
A shell server (Metasploitable) is running on this port.
2049/tcp
42256 - NFS Shares World Readable
Synopsis
The remote NFS server exports world-readable shares.
Description
The remote NFS server is exporting one or more shares without restricting access (based on hostname, IP, or IP
range).
See Also
http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
130
Solution
Place the appropriate restrictions on all NFS shares.
Risk Factor
Medium
CVSS Base Score
References
XREF OSVDB:339
Plugin Information:
Ports
tcp/2049
The following shares have no access restrictions :
/ *

Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/2049

Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/2049
131
- program: 100003 (nfs), version: 2
10437 - NFS Share Export List

Synopsis
The remote NFS server exports a list of shares.
Description
This plugin retrieves the list of NFS exported shares.
See Also
http://www.tldp.org/HOWTO/NFS-HOWTO/security.html
Solution
Ensure each share is intended to be exported.
Risk Factor
None
References
CVE CVE-1999-0554
XREF OSVDB:339
Plugin Information:
Ports
tcp/2049
Here is the export list of 192.168.0.128 :
/ *
2049/udp
11356 - NFS Exported Share Information Disclosure
Synopsis
It is possible to access NFS shares on the remote host.
Description
At least one of the NFS shares exported by the remote server could be mounted by the scanning host. An attacker
may be able to leverage this to read (and possibly write) files on remote host.
Solution
Configure NFS on the remote host so that only authorized hosts can mount its remote shares.
Risk Factor
Medium
CVSS Base Score
References
CVE CVE-1999-0170
CVE CVE-1999-0211
CVE CVE-1999-0554
XREF OSVDB:339
XREF OSVDB:8750
132
XREF OSVDB:11516
Exploitable with
Metasploit (true)
Plugin Information:
Ports
udp/2049
The following NFS shares could be mounted :
+ /
+ Contents of / :
- .
- ..
- 1
- bin
- boot
- cdrom
- dev
- etc
- harshi.txt
- hme
- home
- initrd
- initrd.img
- lib
- lost+found
- media
- mnt
- opt
- proc
- root
- sbin
- srv
- sss
- sys
- tmp
- usr
- var
- vmlinuz

Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
udp/2049

133
2121/tcp
51366 - ProFTPD < 1.3.3d 'mod_sql' Buffer Overflow
Synopsis
The remote FTP server is affected by a heap-based buffer overflow vulnerability.
Description
The remote host is using ProFTPD, a free FTP server for Unix and Linux.
According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.3d. Such versions
are reportedly affected by a heap-based buffer overflow vulnerability in the function 'sql_prepare_where()' in the file
'contrib/mod_sql.c'. An unauthenticated, remote attacker may be able to exploit this in combination with an earlier SQL
injection vulnerability (CVE-2009-0542) to execute arbitrary code with root privileges.
Note that Nessus did not actually test for the flaw but instead has relied on the version in ProFTPD's banner.
See Also
http://phrack.org/issues.html?issue=67&id=7#article
http://bugs.proftpd.org/show_bug.cgi?id=3536
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3d
Solution
Upgrade to ProFTPD version 1.3.3d or later.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
References
BID 44933
CVE CVE-2010-4652
XREF OSVDB:70782
Plugin Information:
Ports
tcp/2121
Version source : 220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.0.128]

Fixed version : 1.3.3d
50544 - ProFTPD < 1.3.3c Multiple Vulnerabilities

Synopsis
The remote FTP server is affected by multiple vulnerabilities.
Description
According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.3c. Such versions are
reportedly affected by the following vulnerabilities :
- When ProFTPD is compiled with 'mod_site_misc' and a directory is writable, a user can use 'mod_site_misc'
to create or delete a directory outside the writable directory, create a symlink located outside the writable directory, or
change the time of a file located outside the writable directory. (Bug #3519)
- A stack-based buffer overflow exists in the server's 'pr_netio_telnet_gets()' function, which can be triggered by when
reading user input containing a TELNET_IAC escape sequence. (Bug #3521)
Note that Nessus did not actually test for the flaws but instead has relied on the version in ProFTPD's banner so this
may be a false positive.
See Also
134
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3c
Solution
Upgrade to ProFTPD version 1.3.3c or later.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
References
BID 44562
CVE CVE-2010-3867
CVE CVE-2010-4221
XREF OSVDB:68985
XREF OSVDB:68988
XREF EDB-ID:15449
XREF Secunia:42052
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Ports
tcp/2121

Fixed version : 1.3.3c
56956 - ProFTPD < 1.3.3g / 1.3.4 Response Pool Use-After-Free Code Execution
Synopsis
The remote FTP server is affected by a code execution vulnerability.
Description
According to its banner, the version of ProFTPD installed on the remote host is earlier than 1.3.3g or 1.3.4. As such, it
is potentially affected by a code execution vulnerability due to how the server manages the response pool that is used
to send responses from the server to the client. A remote, authenticated attacker could could leverage this issue to
execute arbitrary code on the remote host, subject to the privileges of the user running the affected application.
Note that Nessus did not actually test for the flaw but instead has relied on the version in ProFTPD's banner.
See Also
135
http://www.proftpd.org/docs/NEWS-1.3.3g
http://www.proftpd.org/docs/NEWS-1.3.4
Solution
Upgrade to ProFTPD version 1.3.3g / 1.3.4 or later.
Risk Factor
High
CVSS Base Score
9.0 (CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Temporal Score
References
BID 50631
CVE CVE-2011-4130
XREF OSVDB:77004
Plugin Information:
Ports
tcp/2121

Fixed version : 1.3.3g / 1.3.4
34265 - ProFTPD Command Truncation Cross-Site Request Forgery

Synopsis
The remote FTP server is prone to a cross-site request forgery attack.
Description
The version of ProFTPD running on the remote host splits an overly long FTP command into a series of shorter ones
and executes each in turn. If an attacker can trick a ProFTPD administrator into accessing a specially-formatted HTML
link, arbitrary FTP commands could be executed in the context of the affected application with the administrator's
privileges.
See Also
Solution
Apply the patch included in the bug report or upgrade to the latest version in CVS.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 31289
136
CVE CVE-2008-4242
XREF OSVDB:48411
XREF CWE:352
Plugin Information:
Ports
tcp/2121
66970 - ProFTPD FTP Command Handling Symlink Arbitrary File Overwrite
Synopsis
The remote FTP server is affected by an arbitrary file overwrite vulnerability.
Description
The remote host is using ProFTPD, a free FTP server for Unix and Linux. According to its banner, the version of
ProFTPD installed on the remote host earlier than 1.3.4c. As such, it is potentially affected by a race condition error
that does not securely create temporary files related to symlinks and newly created directories. A local, attacker could
leverage this issue to overwrite arbitrary files and elevate privileges.
Note that Nessus did not actually test for the flaw but has instead relied on the version in ProFTPD's banner.
See Also
http://proftpd.org/docs/RELEASE_NOTES-1.3.4c
http://proftpd.org/docs/RELEASE_NOTES-1.3.5rc1
Solution
Upgrade to 1.3.4c / 1.3.5rc1 or apply the patch from the vendor.
Risk Factor
Low
CVSS Base Score
1.2 (CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
References
BID 57172
CVE CVE-2012-6095
XREF OSVDB:89051
Plugin Information:
Ports
tcp/2121

Fixed version : 1.3.4c / 1.3.5rc1

Synopsis
Description
137
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/2121

Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/2121
An FTP server is running on this port.
10092 - FTP Server Detection

Synopsis
An FTP server is listening on a remote port.
Description
It is possible to obtain the banner of the remote FTP server by connecting to a remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/2121
The remote FTP banner is :
220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.0.128]
3306/tcp
57558 - MySQL Unsupported Version Detection
Synopsis
The remote host is running an unsupported version of a database server.
Description
138
According to its version, the installation of MySQL on the remote host is no longer supported.
See Also
https://www.mysql.com/support/supportedplatforms/database.html
https://www.mysql.com/support/eol-notice.html
Solution
Upgrade to a version of MySQL that is currently supported.
Risk Factor
Critical
CVSS Base Score
Plugin Information:
Ports
tcp/3306
Installed version : 5.0.51a-3ubuntu5

End of support date : January 9, 2012
17804 - MySQL < 5.0.83 Denial of Service

Synopsis
The remote database server is prone to a denial of service attack.
Description
The version of MySQL installed on the remote host is earlier than 5.0.83 and thus reportedly allows a remote user to
crash the server and possibly have other impacts.
See Also
Solution
Upgrade to MySQL version 5.0.83 or later.
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score
6.7 (CVSS2#E:POC/RL:OF/RC:ND)
References
BID 35609
CVE CVE-2009-2446
XREF OSVDB:55734
XREF CWE:134
Plugin Information:
Ports
tcp/3306
139
17814 - yaSSL 1.7.5 Buffer Overflow

Synopsis
Arbitrary code can be executed on the remote database server.
Description
The version of MySQL installed on the remote host reportedly allows a remote user to execute arbitrary code by
exploiting a buffer overflow in yaSSL 1.7.5 or earlier.
See Also
http://bugs.mysql.com/bug.php?id=33814
http://www.securityfocus.com/archive/1/archive/1/485810/100/0/threaded
Solution
Upgrade to MySQL version 5.0.54a, 5.1.23, 6.0.4 or later.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 27140
CVE CVE-2008-0226
CVE CVE-2008-0227
XREF OSVDB:41195
XREF OSVDB:41196
XREF OSVDB:41197
XREF OSVDB:41935
XREF CWE:119
Exploitable with
Plugin Information:
Ports
tcp/3306

34159 - MySQL Community Server 5.0 < 5.0.67 Multiple Vulnerabilities

Synopsis
The remote database server is affected by several issues.
Description
The version of MySQL Community Server 5.0 installed on the remote host is before 5.0.66. Such versions are
reportedly affected by the following issues :
140
- When using a FEDERATED table, a local server could be forced to crash if the remote server returns a result with
fewer columns than expected (Bug #29801).
- ALTER VIEW retains the original DEFINER value, even when altered by another user, which could allow that user to
gain the access rights of the view (Bug #29908).
- A local user can circumvent privileges through creation of MyISAM tables using the 'DATA DIRECTORY' and 'INDEX
DIRECTORY' options to overwrite existing table files in the application's data directory (Bug #32167).
- RENAME TABLE against a table with DATA/INDEX DIRECTORY overwrites the file to which the symlink points (Bug
#32111).
- It was possible to force an error message of excessive length, which could lead to a buffer overflow (Bug #32707).
- Three vulnerabilities in yaSSL versions 1.7.5 and earlier as used in MySQL could allow an unauthenticated remote
attacker to crash the server or to execute arbitrary code provided yaSSL is enabled and the server allows TCP
connections (Bug #33814).
- An empty bit-string literal (b'') used in a SQL statement could result in a server crash (Bug #35658).
See Also
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-67.html
http://lists.mysql.com/announce/542
Solution
Upgrade to MySQL Community Server version 5.0.67.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 26765
BID 27140
BID 29106
CVE CVE-2007-5969
CVE CVE-2008-0226
CVE CVE-2008-0227
CVE CVE-2008-2079
CVE CVE-2008-3963
CVE CVE-2008-4098
XREF OSVDB:41195
XREF OSVDB:41196
XREF OSVDB:41197
XREF OSVDB:41935
XREF OSVDB:42608
XREF OSVDB:44937
XREF OSVDB:48021
141
XREF CWE:264
Exploitable with
Plugin Information:
Ports
tcp/3306
The remote MySQL Community Server's version is :
5.0.51a-3ubuntu5
17835 - MySQL < 5.0.90 / 5.1.43 / 5.5.0-m2 Multiple Buffer Overflows

Synopsis
The remote database server is affected by several buffer overflow vulnerabilities.
Description
The version of MySQL installed on the remote host is older than 5.0.90, 5.1.43 or 5.5.0-m2. Such versions use yaSSL
prior to 1.9.9, that is vulnerable to multiple buffer overflows. These overflows allow a remote attacker to crash the
server.
See Also
http://www.nessus.org/u?409fbf00
http://www.nessus.org/u?d46c3ad9
http://www.nessus.org/u?8426d86b
http://lists.mysql.com/commits/96697
https://isc.sans.edu//diary.html?storyid=7900
Solution
Upgrade to MySQL version 5.0.90 / 5.1.43 / 5.5.0-m2 or later.
Risk Factor
High
CVSS Base Score
CVSS Temporal Score
References
BID 37640
BID 37943
BID 37974
CVE CVE-2009-4484
XREF OSVDB:61956
142
XREF CWE:119
Exploitable with
Plugin Information:
Ports
tcp/3306

57604 - MySQL 5.0 < 5.0.95 Multiple Vulnerabilities

Synopsis
The remote database server is affected by multiple vulnerabilities.
Description
The version of MySQL 5.0 installed on the remote host is earlier than 5.0.95. Such versions are affected by multiple
vulnerabilities. Details are not public yet.
See Also
http://www.nessus.org/u?7ebfd596
http://www.nessus.org/u?abcc17ed
Solution
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVSS Temporal Score
References
BID 51502
BID 51505
BID 51509
BID 51515
BID 51520
BID 51524
BID 51526
CVE CVE-2012-0075
CVE CVE-2012-0087
CVE CVE-2012-0101
CVE CVE-2012-0102
CVE CVE-2012-0114
143
CVE CVE-2012-0484
CVE CVE-2012-0490
XREF OSVDB:78372
XREF OSVDB:78373
XREF OSVDB:78374
XREF OSVDB:78377
XREF OSVDB:78378
XREF OSVDB:78379
XREF OSVDB:78388
Plugin Information:
Ports
tcp/3306

64503 - MySQL Binary Log SQL Injection

Synopsis
The database server running on the remote host has multiple SQL injection vulnerabilities.
Description
The version of MySQL installed on the remote host is earlier than 5.5.33 / 5.6.x earlier than 5.6.13 and is, therefore,
potentially affected by multiple SQL injection vulnerabilities. User-supplied identifiers are not properly quoted before
being written into the binary log. An attacker with a valid account and privileges to modify data could exploit this to
modify tables that they should not have access to.
See Also
http://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-33.html
http://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-13.html
https://mariadb.atlassian.net/browse/MDEV-382
http://www.nessus.org/u?f8d7daf3
Solution
Upgrade to MySQL version 5.5.33 / 5.6.13 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 55498
CVE CVE-2012-4414
144
XREF OSVDB:89050
Plugin Information:
Ports
tcp/3306

Fixed version : 5.5.33 / 5.6.13
17833 - MySQL < 5.0.54 / 5.1.23 / 6.0.4 Denial of Service

Synopsis
The remote database is vulnerable to a denial fo service attack.
Description
The version of MySQL installed on the remote host is older than 5.0.54, 5.1.23 or 6.0.4.
A remote attacker could crash the server by exploiting a flaw in InnoDB code.
See Also
Solution
Upgrade to MySQL version 5.0.54 / 5.1.23 / 6.0.4 or later.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P)
CVSS Temporal Score
References
BID 26353
CVE CVE-2007-5925
XREF OSVDB:51171
XREF CWE:20
Plugin Information:
Ports
tcp/3306

17834 - MySQL < 5.0.92 Multiple Denial of Service

Synopsis
The remote database server is vulnerable to multiple denial of service attacks.
Description
The version of MySQL installed on the remote host is older than 5.0.92. As such, it reportedly is prone to multiple
denial of service attacks :
- The improper handling of type errors during argument evaluation in extreme-value functions, e.g., 'LEAST()'
or 'GREATEST()' causes server crashes. (CVE-2010-3833)
- Remote authenticated attackers could crash the server.
(CVE-2010-3834 & CVE-2010-3836)
- The use of 'GROUP_CONCAT()' and 'WITH ROLLUP' caused server crashes. (CVE-2010-3837)
145
- The use of an intermediate temporary table and queries containing calls to 'GREATEST()' or 'LEAST()', having a list
of both numeric and 'LONGBLOB' arguments, caused server crashes. (CVE-2010-3838)
See Also
https://bugzilla.redhat.com/show_bug.cgi?id=640751
Solution
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 43676
CVE CVE-2010-3833
CVE CVE-2010-3834
CVE CVE-2010-3836
CVE CVE-2010-3837
CVE CVE-2010-3838
XREF OSVDB:69390
XREF OSVDB:69395
XREF OSVDB:69387
XREF OSVDB:69392
XREF OSVDB:69393
Plugin Information:
Ports
tcp/3306

42899 - MySQL 5.0 < 5.0.88 Multiple Vulnerabilities

Synopsis
Description
The version of MySQL 5.0 installed on the remote host is earlier than 5.0.88. It is, therefore, potentially affected by the
following vulnerabilities :
146
- MySQL clients linked against OpenSSL are vulnerable to man-in-the-middle attacks. (Bug #47320)
- The GeomFromWKB() function can be manipulated to cause a denial of service. (Bug #47780)
- Specially crafted SELECT statements containing sub- queries in the WHERE clause can cause the server to crash.
(Bug #48291)
- It is possible to bypass access restrictions when the data directory contains a symbolic link to a different file system.
(Bug #39277)
See Also
Solution
Upgrade to MySQL 5.0.88 or later.
Risk Factor
Medium
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
References
BID 37076
BID 37297
BID 38043
CVE CVE-2012-4452
CVE CVE-2009-4019
CVE CVE-2009-4028
CVE CVE-2008-7247
XREF OSVDB:60487
XREF OSVDB:60488
XREF OSVDB:60489
XREF OSVDB:60664
XREF OSVDB:60665
XREF Secunia:37372
XREF CWE:20
Plugin Information:
Ports
tcp/3306
147
46702 - MySQL Community Server < 5.1.47 / 5.0.91 Multiple Vulnerabilities

Synopsis
Description
The version of MySQL Community Server installed on the remote host is earlier than 5.1.47 / 5.0.91 and is, therefore,
- The server may continue reading packets indefinitely if it receives a packet larger than the maximum size of one
packet, which could allow an unauthenticated, remote attacker to consume a high level of CPU and bandwidth. (Bug
#50974)
- Using an overly long table name argument to the 'COM_FIELD_LIST' command, an authenticated user can overflow
a buffer and execute arbitrary code on the affected host. (Bug #53237)
- Using a specially crafted table name argument to 'COM_FIELD_LIST', an authenticated user can bypass almost all
forms of checks for privileges and table- level grants. (Bug #53371)
See Also
Solution
Upgrade to MySQL Community Server 5.1.47 / 5.0.91 or later.
Risk Factor
Medium
CVSS Base Score
CVSS Temporal Score
References
BID 40100
BID 40106
BID 40109
CVE CVE-2010-1848
CVE CVE-2010-1849
CVE CVE-2010-1850
XREF OSVDB:64586
XREF OSVDB:64587
XREF OSVDB:64588
Exploitable with
CANVAS (true)
Plugin Information:
148
Ports
tcp/3306

17812 - MySQL < 5.0.88 / 5.1.42 / 5.5.0 / 6.0.14 MyISAM CREATE TABLE Privilege Check Bypass
Synopsis
The remote database server allows a local user to circumvent privileges.
Description
The version of MySQL installed on the remote host is earlier than 5.0.88 / 5.1.42 / 5.5.0 / 6.0.14 and thus reportedly
allows a local user to circumvent privileges through creation of MyISAM tables using the 'DATA DIRECTORY' and
'INDEX DIRECTORY' options to overwrite existing table files in the application's data directory. This is the same flaw
as CVE-2008-2079, which was not completely fixed.
See Also
http://bugs.mysql.com/bug.php?id=32167?
Solution
Upgrade to MySQL version 5.0.88 / 5.1.42 / 5.5.0 / 6.0.14 or later.
Risk Factor
Medium
CVSS Base Score
4.6 (CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P)
CVSS Temporal Score
References
BID 29106
CVE CVE-2008-4097
XREF OSVDB:44937
XREF CWE:264
Plugin Information:
Ports
tcp/3306

17811 - MySQL < 5.0.89 / 5.1.42 / 5.4.2 / 5.5.1 / 6.0.14 Client XSS
Synopsis
A remote database client have a cross-site scripting vulnerability.
Description
The version of MySQL installed on the remote host is earlier than 5.0.89 / 5.1.42 / 5.4.2 / 5.5.1 / 6.0.14 and thus does
not properly encode angle brackets when 'mysql --html' option is used. Depending on how the output of the mysql
client command is processed, the user may be vulnerable to cross-site scripting attacks.
See Also
Solution
Upgrade to MySQL version 5.0.89 / 5.1.42 / 5.4.2 / 5.5.1 / 6.0.14 or later.
Risk Factor
149
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
References
BID 31486
CVE CVE-2008-4456
XREF OSVDB:48710
XREF CWE:79
Plugin Information:
Ports
tcp/3306


Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/3306
11153 - Service Detection (HELP Request)

Synopsis
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
a 'HELP'
request.
Solution
n/a
Risk Factor
None
Plugin Information:
150
Ports
tcp/3306
A MySQL server is running on this port.
10719 - MySQL Server Detection

Synopsis
A database server is listening on the remote port.
Description
The remote host is running MySQL, an open source database server.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/3306
Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
CLIENT_LONG_FLAG (Get all column flags)
CLIENT_CONNECT_WITH_DB (One can specify db on connect)
CLIENT_COMPRESS (Can use compression protocol)
CLIENT_PROTOCOL_41 (New 4.1 protocol)
CLIENT_SSL (Switch to SSL after handshake)
CLIENT_TRANSACTIONS (Client knows about transactions)
CLIENT_SECURE_CONNECTION (New 4.1 authentication)
3632/tcp
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/3632
5432/tcp
Synopsis
Description
151
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/5432
26024 - PostgreSQL Server Detection

Synopsis
A database service is listening on the remote host.
Description
The remote service is a PostgreSQL database server, or a derivative such as EnterpriseDB.
See Also
http://www.postgresql.org/
Solution
Limit incoming traffic to this port if desired.
Risk Factor
None
Plugin Information:
Ports
tcp/5432
5900/tcp
61708 - VNC Server 'password' Password
Synopsis
A VNC server running on the remote host is secured with a weak password.
Description
The VNC server running on the remote host is secured with a weak password. Nessus was able to login using VNC
authentication and a password of 'password'. A remote, unauthenticated attacker could exploit this to take control of
the system.
Solution
Secure the VNC service with a strong password.
Risk Factor
Critical
CVSS Base Score
Plugin Information:
Ports
tcp/5900
Nessus logged in using a password of "password".

Synopsis
152
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/5900

Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/5900
A vnc server is running on this port.
10342 - VNC Software Detection

Synopsis
The remote host is running a remote display software (VNC).
Description
The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer) protocol to
provide remote access to graphical user interfaces and thus permits a console on the remote host to be displayed on
another.
See Also
http://en.wikipedia.org/wiki/Vnc
Solution
Make sure use of this software is done in accordance with your organization's security policy and filter incoming traffic
to this port.
Risk Factor
None
Plugin Information:
Ports
tcp/5900
153
The highest RFB protocol version supported by the server is :
3.3
19288 - VNC Server Security Type Detection

Synopsis
A VNC server is running on the remote host.
Description
This script checks the remote VNC server protocol version and the available 'security types'.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/5900
The remote VNC server chose security type #2 (VNC authentication)
65792 - VNC Server Unencrypted Communication Detection

Synopsis
A VNC server with one or more unencrypted 'security-types' is running on the remote host.
Description
This script checks the remote VNC server protocol version and the available 'security types' to determine if any
unencrypted 'security-types' are in use or available.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/5900
The remote VNC server supports the following security type

which does not perform full data communication encryption :
2 (VNC authentication)
6000/tcp
10407 - X Server Detection
Synopsis
An X11 server is listening on the remote host
Description
The remote host is running an X11 server. X11 is a client-server protocol that can be used to display graphical
applications running on a given host on a remote client.
Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection.
Solution
Restrict access to this port. If the X11 client/server facility is not used, disable TCP support in X11 entirely (-nolisten
tcp).
Risk Factor
Low
154
CVSS Base Score
Plugin Information:
Ports
tcp/6000
X11 Version : 11.0

Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/6000
6667/tcp
46882 - UnrealIRCd Backdoor Detection
Synopsis
The remote IRC server contains a backdoor.
Description
The remote IRC server is a version of UnrealIRCd with a backdoor that allows an attacker to execute arbitrary code on
the affected host.
See Also
http://seclists.org/fulldisclosure/2010/Jun/277
http://seclists.org/fulldisclosure/2010/Jun/284
http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt
Solution
Re-download the software, verify it using the published MD5 / SHA1 checksums, and re-install it.
Risk Factor
Critical
CVSS Base Score
CVSS Temporal Score
References
BID 40820
CVE CVE-2010-2075
155
XREF OSVDB:65445
Exploitable with
CANVAS (true)Metasploit (true)
Plugin Information:
Ports
tcp/6667
The remote IRC server is running as :
uid=0(root) gid=0(root)

Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/6667

Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/6667
An IRC server is running on this port.
11156 - IRC Daemon Version Detection

Synopsis
The remote host is an IRC server.
Description
This plugin determines the version of the IRC daemon.
Solution
156
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/6667
The IRC server version is : Unreal3.2.8.1. FhiXOoE [*=2309]
8009/tcp
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
Ports
tcp/8009
21186 - AJP Connector Detection

Synopsis
There is an AJP connector listening on the remote host.
Description
The remote host is running an AJP (Apache JServ Protocol) connector, a service by which a standalone web server
such as Apache communicates over TCP with a Java servlet container such as Tomcat.
See Also
http://tomcat.apache.org/connectors-doc/
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/8009
The connector listing on this port supports the ajp13 protocol.
8180/tcp
34460 - Unsupported Web Server Detection
Synopsis
157
The remote web server is obsolete / unsupported.
Description
According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.
Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may
contain security vulnerabilities.
Solution
Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another
server.
Risk Factor
High
CVSS Base Score
Plugin Information:
Ports
tcp/8180
Product : Tomcat
Installed version : 5.5
Support ended : 2012-09-30
Additional information : http://tomcat.apache.org/tomcat-55-eol.html
88490 - Web Server Error Page Information Disclosure

Synopsis
The remote web server discloses information via a default error page.
Description
The default error page sent by the remote web server discloses information that can aid an attacker, such as the
server version and languages used by the web server.
Solution
Modify the web server to not disclose detailed information about the underlying web server, or use a custom error
page instead.
Risk Factor
Medium
CVSS Base Score
Plugin Information:
Ports
tcp/8180
Server Type : Apache Tomcat

Server Version : 5.5
Source : http://192.168.0.128:8180/Pjup1gWD

Synopsis
Description
Solution
158
Risk Factor
None
Plugin Information:
Ports
tcp/8180

Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/8180
A web server is running on this port.
11422 - Web Server Unconfigured - Default Install Page Present

Synopsis
The remote web server is not configured or is improperly configured.
Description
The remote web server uses its default welcome page. Therefore, it's probable that this server is not used at all or is
serving content that is meant to be hidden.
Solution
Risk Factor
None
References
XREF OSVDB:3233
Plugin Information:
Ports
tcp/8180
The default welcome page is from Tomcat.
43111 - HTTP Methods Allowed (per directory)

Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests'
is set to 'yes'
159
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives
a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security
vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/8180
Based on tests of each method :
- HTTP methods GET HEAD OPTIONS POST are allowed on :
11919 - HMAP Web Server Fingerprinting

Synopsis
HMAP fingerprints the remote HTTP server.
Description
By sending several valid and invalid HTTP requests, it may be possible to identify the remote web server type. In
some cases, its version can also be approximated, as well as some options.
An attacker may use this tool to identify the kind of the remote web server and gain further knowledge about this host.
Suggestions for defense against fingerprinting are presented in http://acsac.org/2002/abstracts/96.html
See Also
http://www.nessus.org/u?05d4ce87
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
http://projects.webappsec.org/w/page/13246925/Fingerprinting
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/8180
Nessus was not able to exactly identify this server. It might be :
Apache-Coyote/1.1 [Tomcat 5.5 or 6.0]

Apache-Coyote/1.1 [BlackBerry Mobile Data Service Connection Service]
Apache-Coyote/1.1
The fingerprint differs from the known signatures on 1 point(s).
If you know what this server is and if you are using an up to date version
of this script, please send this signature to www-signatures@nessus.org :
HTM:HTM:200:505:505:505:---:---:---:400:400:400:404:403:403:405:501:501:200:404:::Apache-
Coyote/1.1 [L]
Try to provide as much information as you can - software & operating

system release, sub-version, patch numbers, and specific configuration
160
options, if any.
10107 - HTTP Server Type and Version

Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/8180
The remote web server type is :
Coyote HTTP/1.1 Connector
24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/8180
Protocol version : HTTP/1.1

SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Date: Mon, 06 Jun 2016 07:12:31 GMT
Connection: close
39446 - Apache Tomcat Default Error Page Version Detection

Synopsis
The remote web server reports its version number on error pages.
Description
Apache Tomcat is running on the remote host and is reporting its version number on the default error pages. A remote
attacker can exploit this information to mount further attacks.
See Also
http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6
161
http://jcp.org/en/jsr/detail?id=315
Solution
Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the
Java Servlet Specification for more information.
Risk Factor
None
Plugin Information:
Ports
tcp/8180
Nessus found the following version information on an Apache Tomcat

404 page or in the HTTP Server header :
Source : <title>Apache Tomcat/5.5

Version : 5.5
20108 - Web Server / Application favicon.ico Vendor Fingerprinting

Synopsis
The remote web server contains a graphic image that is prone to information disclosure.
Description
The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may be used to fingerprint
the web server.
Solution
Remove the 'favicon.ico' file or create a custom one for your site.
Risk Factor
None
References
XREF OSVDB:39272
Plugin Information:
Ports
tcp/8180
MD5 fingerprint : 4644f2d45601037b8423d45e13194c93

Web server : Apache Tomcat or Alfresco Community
8787/tcp
Synopsis
Description
Solution
Risk Factor
None
Plugin Information:
162
Ports
tcp/8787
11154 - Unknown Service Detection: Banner Retrieval

Synopsis
There is an unknown service running on the remote host.
Description
Nessus was unable to identify a service on the remote host even though it returned a banner of some type.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/8787
If you know what this service is and think the banner could be used to
identify it, please send a description of the service along with the
following output to svc-signatures@nessus.org :
Port : 8787
Type : get_http
Banner :
0x0000: 00 00 00 03 04 08 46 00 00 03 A1 04 08 6F 3A 16 ......F......o:.
0x0010: 44 52 62 3A 3A 44 52 62 43 6F 6E 6E 45 72 72 6F DRb::DRbConnErro
0x0020: 72 07 3A 07 62 74 5B 17 22 2F 2F 75 73 72 2F 6C r.:.bt[."//usr/l
0x0030: 69 62 2F 72 75 62 79 2F 31 2E 38 2F 64 72 62 2F ib/ruby/1.8/drb/
0x0040: 64 72 62 2E 72 62 3A 35 37 33 3A 69 6E 20 60 6C drb.rb:573:in `l
0x0050: 6F 61 64 27 22 37 2F 75 73 72 2F 6C 69 62 2F 72 oad'"7/usr/lib/r
0x0060: 75 62 79 2F 31 2E 38 2F 64 72 62 2F 64 72 62 2E uby/1.8/drb/drb.
0x0070: 72 62 3A 36 31 32 3A 69 6E 20 60 72 65 63 76 5F rb:612:in `recv_
0x0080: 72 65 71 75 65 73 74 27 22 37 2F 75 73 72 2F 6C request'"7/usr/l
0x0090: 69 62 2F 72 75 62 79 2F 31 2E 38 2F 64 72 62 2F ib/ruby/1.8/drb/
0x00A0: 64 72 62 2E 72 62 3A 39 31 31 3A 69 6E 20 60 72 drb.rb:911:in `r
0x00B0: 65 63 76 5F 72 65 71 75 65 73 74 27 22 3C 2F 75 ecv_request'"</u
0x00C0: 73 72 2F 6C 69 62 2F 72 75 62 79 2F 31 2E 38 2F sr/lib/ruby/1.8/
0x00D0: 64 72 62 2F 64 72 62 2E 72 62 3A 31 35 33 30 3A drb/drb.rb:1530:
0x00E0: 69 6E 20 60 69 6E 69 74 5F 77 69 74 68 5F 63 6C in `init_with_cl
0x00F0: 69 65 6E 74 27 22 39 2F 75 73 72 2F 6C 69 62 2F ient'"9/usr/lib/
0x0100: 72 75 62 79 2F 31 2E 38 2F 64 72 62 2F 64 72 62 ruby/1.8/drb/drb
0x0110: 2E 72 62 3A 31 35 34 32 3A 69 6E 20 60 73 65 74 .rb:1542:in `set
0x0120: 75 70 5F 6D 65 73 73 61 67 65 27 22 33 2F 75 73 up_message'"3/us
0x0130: 72 2F 6C 69 62 2F 72 75 62 79 2F 31 2E 38 2F 64 r/lib/ruby/1.8/d
0x0140: 72 62 2F 64 72 62 2E 72 62 3A 31 34 39 34 [...]
34683/tcp
Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
163
Ports
tcp/34683
- program: 100021 (nlockmgr), version: 1

38077/tcp
Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
tcp/38077
- program: 100024 (status), version: 1
39540/udp
Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
udp/39540

39772/udp
164
Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
udp/39772
- program: 100005 (mountd), version: 1

45284/udp
Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Ports
udp/45284
- program: 100024 (status), version: 1
46015/tcp
Synopsis
Description
the remote port.
Solution
n/a
Risk Factor
165
None
Plugin Information:
Ports
tcp/46015

166
Remediations
Suggested Remediations
Taking the following actions across 1 hosts would resolve 79% of the vulnerabilities on the network:
Action to take Vulns Hosts
PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution: Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 64 1
'mod_rewrite' workaround is available as well.
Apache 2.2.x < 2.2.28 Multiple Vulnerabilities: Upgrade to Apache version 2.2.29 or later. Note that 42 1
version 2.2.28 was never officially released.
Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock): 23 1
ISC BIND 9 resolver.c / db.c DNAME Resource Record Signature Handling DoS: Upgrade to ISC BIND 16 1
version 9.9.8-P4 / 9.9.8-S6 / 9.10.3-P4 or later. Note that version 9.9.8-S6 is a preview version of BIND
provided exclusively to ISC Support customers.
ISC BIND 9 sexpr.c / alist.c Control Channel Packet Handling DoS: Upgrade to ISC BIND version 9.9.8- 16 1
P4 / 9.9.8-S6 / 9.10.3-P4 or later. Note that version 9.9.8-S6 is a preview version of BIND provided
exclusively to ISC Support customers.
Samba Badlock Vulnerability: Upgrade to Samba version 4.2.11 / 4.3.8 / 4.4.2 or later. 16 1
MySQL 5.0 < 5.0.95 Multiple Vulnerabilities: Upgrade to MySQL version 5.0.95 or later. 15 1
OpenSSH < 7.2p2 X11Forwarding xauth Command Injection: Upgrade to OpenSSH version 7.2p2 or 12 1
later.
OpenSSL 'ChangeCipherSpec' MiTM Potential Vulnerability: OpenSSL 0.9.8 SSL/TLS users (client and/or 7 1
server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade
to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
ProFTPD FTP Command Handling Symlink Arbitrary File Overwrite: Upgrade to 1.3.4c / 1.3.5rc1 or apply 5 1
the patch from the vendor.
MySQL Binary Log SQL Injection: Upgrade to MySQL version 5.5.33 / 5.6.13 or later. 1 1
UnrealIRCd Backdoor Detection: Re-download the software, verify it using the published MD5 / SHA1 0 1
checksums, and re-install it.
168

Linux Report

Uploaded by

Copyright:

Available Formats

Linux Report

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Linux Report

Uploaded by

Copyright:

Available Formats

Nessus Report

Nessus Scan Report

End time: Mon Jun 6 12:52:31 2016

MAC Address: 08:00:27:99:57:da

OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

12264 - Record Route

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).

For more information, see : https://wiki.ubuntu.com/Releases

12213 - TCP/IP Sequence Prediction Blind Reset Spoofing DoS

The following card manufacturers were identified :

08:00:27:99:57:da : Cadmus Computer Systems

14788 - IP Protocols Scan

18261 - Apache Banner Linux Distribution Disclosure

The Linux distribution detected was :

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

45590 - Common Platform Enumeration (CPE)

The remote operating system matched the following CPE :

Following application CPE's matched on the remote system :

cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7

54615 - Device Type

66334 - Patch Report

. You need to take the following 12 actions :

[ Apache 2.2.x < 2.2.28 Multiple Vulnerabilities (77531) ]

+ Action to take : Upgrade to Apache version 2.2.29 or later.

Note that version 2.2.28 was never officially released.

Nessus version : 6.7.0

22964 - Service Detection

10092 - FTP Server Detection

The remote FTP banner is :

220 (vsFTPd 2.3.4)

52703 - vsftpd Detection

Source : 220 (vsFTPd 2.3.4)

Version source : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

Installed version : 4.7p1

84638 - OpenSSH < 6.9 Multiple Vulnerabilities

Version source : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

Installed version : 4.7p1

86328 - SSH Diffie-Hellman Modulus <= 1024 Bits (Logjam)

It supports diffie-hellman-group1-sha1 key

Note that only an attacker with nation-state level resources

44079 - OpenSSH < 4.9 'ForceCommand' Directive Bypass

Version source : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

Installed version : 4.7p1

Version source : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

Installed version : 4.7p1

44065 - OpenSSH < 5.2 CBC Plaintext Disclosure

Installed version : 4.7p1

90023 - OpenSSH < 7.2p2 X11Forwarding xauth Command Injection

Version source : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

Installed version : 4.7p1

73079 - OpenSSH < 6.6 Multiple Vulnerabilities

Version source : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

Installed version : 4.7p1

90317 - SSH Weak Algorithms Supported

The following weak client-to-server encryption algorithms are supported :

31737 - OpenSSH X11 Forwarding Session Hijacking

The remote OpenSSH server returned the following banner :

67140 - OpenSSH LoginGraceTime / MaxStartups DoS

Version source : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

Installed version : 4.7p1