dradis-qualys 3.0.2
- checksums.yaml +7 -0
- data/.gitignore +9 -0
- data/.rspec +2 -0
- data/CONTRIBUTING.md +3 -0
- data/Gemfile +23 -0
- data/LICENSE +339 -0
- data/README.md +28 -0
- data/Rakefile +1 -0
- data/dradis-qualys.gemspec +34 -0
- data/lib/dradis-qualys.rb +8 -0
- data/lib/dradis/plugins/qualys.rb +11 -0
- data/lib/dradis/plugins/qualys/engine.rb +13 -0
- data/lib/dradis/plugins/qualys/field_processor.rb +42 -0
- data/lib/dradis/plugins/qualys/gem_version.rb +19 -0
- data/lib/dradis/plugins/qualys/importer.rb +134 -0
- data/lib/dradis/plugins/qualys/version.rb +13 -0
- data/lib/qualys/element.rb +110 -0
- data/lib/tasks/thorfile.rb +40 -0
- data/spec/.keep +0 -0
- data/spec/fixtures/files/no_result.xml +91 -0
- data/spec/fixtures/files/simple.xml +215 -0
- data/spec/fixtures/files/two_hosts_common_issue.xml +375 -0
- data/spec/qualys/element_spec.rb +5 -0
- data/spec/qualys/importer_spec.rb +190 -0
- data/spec/spec_helper.rb +10 -0
- data/templates/element.fields +16 -0
- data/templates/element.sample +35 -0
- data/templates/element.template +35 -0
- data/templates/evidence.fields +6 -0
- data/templates/evidence.sample +35 -0
- data/templates/evidence.template +11 -0
- metadata +166 -0
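--- a/data/spec/fixtures/files/simple.xml
+++ b/data/spec/fixtures/files/simple.xml
@@ -0,0 +1,215 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+
+<!DOCTYPE SCAN SYSTEM "https://qualysguard.qualys.de/scan-1.dtd">
+<SCAN value="scan/1327124089.959">
+
+<HEADER>
+<KEY value="USERNAME">dradispro</KEY>
+<KEY value="COMPANY"><![CDATA[Security Roots]]></KEY>
+<KEY value="DATE">2011-12-20T12:00:00Z</KEY>
+<KEY value="TITLE"><![CDATA[Sample_Test_Scan]]></KEY>
+<KEY value="TARGET">10.0.155.157,10.0.155.160</KEY>
+<KEY value="DURATION">03:42:36</KEY>
+<KEY value="SCAN_HOST">62.210.136.186 (Scanner 4.14.30-1,Web 6.0 FR6 [build 6.3.94-1],Vulnsigs 1.22.62-1)</KEY>
+<KEY value="NBHOST_ALIVE">2</KEY>
+<KEY value="NBHOST_TOTAL">2</KEY>
+<KEY value="REPORT_TYPE">Scheduled</KEY>
+<KEY value="OPTIONS">Full TCP scan, Standard Password Brute Forcing, Load balancer detection OFF, Overall Performance: Custom, Hosts to Scan in Parallel - External Scanners: 1, Hosts to Scan in Parallel - Scanner Appliances: 1, Total Processes to Run in Parallel: 1, HTTP Processes to Run in Parallel: 1, Packet (Burst) Delay: Maximum</KEY>
+<KEY value="STATUS">FINISHED</KEY>
+<OPTION_PROFILE>
+<OPTION_PROFILE_TITLE option_profile_default="0"><![CDATA[Payment Card Industry (PCI) Options]]></OPTION_PROFILE_TITLE>
+</OPTION_PROFILE>
+</HEADER>
+
+<IP value="10.0.155.160" name="No registered hostname">
+<OS><![CDATA[Linux 2.4-2.6]]></OS>
+<INFOS>
+<CAT value="Information gathering">
+<INFO number="6" severity="1">
+<TITLE><![CDATA[DNS Host Name]]></TITLE>
+<LAST_UPDATE><![CDATA[1997-12-31T09:01:00Z]]></LAST_UPDATE>
+<PCI_FLAG>0</PCI_FLAG>
+<DIAGNOSIS><![CDATA[The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.]]></DIAGNOSIS>
+<RESULT format="table"><![CDATA[IP address Host name
+10.0.155.160 No registered hostname]]></RESULT>
+</INFO>
+<INFO number="45038" severity="1">
+<TITLE><![CDATA[Host Scan Time]]></TITLE>
+<LAST_UPDATE><![CDATA[2004-11-19T02:46:12Z]]></LAST_UPDATE>
+<PCI_FLAG>0</PCI_FLAG>
+<DIAGNOSIS>
+<![CDATA[The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.
+<P>
+The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.]]>
+</DIAGNOSIS>
+<CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
+<SOLUTION><![CDATA[N/A]]></SOLUTION>
+<RESULT><![CDATA[Scan duration: 5445 seconds
+
+Start time: Fri, Dec 20 2011, 17:38:59 GMT
+
+End time: Fri, Dec 20 2011, 19:09:44 GMT]]></RESULT>
+</INFO>
+</CAT>
+</INFOS>
+<SERVICES>
+<CAT value="TCP/IP">
+<SERVICE number="82023" severity="1">
+<TITLE><![CDATA[Open TCP Services List]]></TITLE>
+<PCI_FLAG>0</PCI_FLAG>
+<DIAGNOSIS><![CDATA[The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections.]]></DIAGNOSIS>
+<CONSEQUENCE><![CDATA[Unauthorized users can exploit this information to test vulnerabilities in each of the open services.]]></CONSEQUENCE>
+<SOLUTION><![CDATA[Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the <A HREF="http://www.cert.org" TARGET="_blank">CERT Web site</A>.]]></SOLUTION>
+<RESULT format="table"><![CDATA[Port IANA Assigned Ports/Services Description Service Detected OS On Redirected Port
+80 www World Wide Web HTTP http]]></RESULT>
+</SERVICE>
+</CAT>
+<CAT value="Web server" port="80" protocol="tcp">
+<SERVICE number="86000" severity="1">
+<TITLE><![CDATA[Web Server Version]]></TITLE>
+<LAST_UPDATE><![CDATA[1997-12-31T09:01:00Z]]></LAST_UPDATE>
+<PCI_FLAG>0</PCI_FLAG>
+<RESULT format="table"><![CDATA[Server Version Server Banner
+Apache 1.3 Apache]]></RESULT>
+</SERVICE>
+</CAT>
+</SERVICES>
+<VULNS>
+<CAT value="TCP/IP">
+<VULN number="82054" severity="2" cveid="CVE-2004-0230">
+<TITLE><![CDATA[TCP Sequence Number Approximation Based Denial of Service]]></TITLE>
+<LAST_UPDATE><![CDATA[2007-12-20T22:53:15Z]]></LAST_UPDATE>
+<CVSS_BASE>5</CVSS_BASE>
+<CVSS_TEMPORAL>4.2</CVSS_TEMPORAL>
+<PCI_FLAG>0</PCI_FLAG>
+<CVE_ID_LIST>
+<CVE_ID>
+<ID><![CDATA[CVE-2004-0230]]></ID>
+<URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230]]></URL>
+</CVE_ID>
+</CVE_ID_LIST>
+<BUGTRAQ_ID_LIST>
+<BUGTRAQ_ID>
+<ID><![CDATA[10183]]></ID>
+<URL><![CDATA[http://www.securityfocus.com/bid/10183]]></URL>
+</BUGTRAQ_ID>
+</BUGTRAQ_ID_LIST>
+<DIAGNOSIS>
+<![CDATA[TCP provides stateful communications between hosts on a network. TCP sessions are established by a three-way handshake and use random 32-bit sequence and acknowledgement numbers to ensure the validity of traffic. A vulnerability was reported that may permit TCP sequence numbers to be more easily approximated by remote attackers. This issue affects products released by multiple vendors.
+<P>
+The cause of the vulnerability is that affected implementations will accept TCP sequence numbers within a certain range, known as the acknowledgement range, of the expected sequence number for a packet in the session. This is determined by the TCP window size, which is negotiated during the three-way handshake for the session. Larger TCP window sizes may be set to allow for more throughput, but the larger the TCP window size, the more probable it is to guess a TCP sequence number that falls within an acceptable range. It was initially thought that guessing an acceptable sequence number was relatively difficult for most implementations given random distribution, making this type of attack impractical. However, some implementations may make it easier to successfully approximate an acceptable TCP sequence number, making these attacks possible with a number of protocols and implementations.
+<P>
+This is further compounded by the fact that some implementations may support the use of the TCP Window Scale Option, as described in RFC 1323, to extend the TCP window size to a maximum value of 1 billion.
+<P>
+This vulnerability will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP address and TCP port.
+<P>
+There are a few factors that may present viable target implementations, such as those which depend on long-lived TCP connections, those that have known or easily guessed IP address endpoints and those implementations with easily guessed TCP source ports. It has been noted that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack, due to the use of long-lived TCP sessions and the possibility that some implementations may use the TCP Window Scale Option. As a result, this issue is likely to affect a number of routing platforms.
+<P>
+Another factor to consider is the relative difficulty of injecting packets into TCP sessions, as a number of receiving implementations will reassemble packets in order, dropping any duplicates. This may make some implementations more resistant to attacks than others.
+<P>
+It should be noted that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.]]>
+</DIAGNOSIS>
+<CONSEQUENCE><![CDATA[Successful exploitation of this issue could lead to denial of service attacks on the TCP based services of target hosts. Other consequences may also result, such as man-in-the-middle attacks.]]></CONSEQUENCE>
+<SOLUTION>
+<![CDATA[Please first check the results section below for the port number on which this vulnerability was detected. If that port number is known to be used for port-forwarding, then it is the backend host that is really vulnerable.
+<P>
+Various implementations and products including Check Point, Cisco, Cray Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks, NEC, Polycom, and Yamaha are currently undergoing review. Contact the vendors to obtain more information about affected products and fixes. <A HREF="http://packetstormsecurity.org/0404-advisories/246929.html" TARGET="_blank">NISCC Advisory 236929 - Vulnerability Issues in TCP</A> details the vendor patch status as of the time of the advisory, and identifies resolutions and workarounds.
+<P>
+The Internet Engineering Task Force (IETF) has developed an Internet-Draft titled <A HREF="http://www3.ietf.org/proceedings/05mar/slides/tcpm-4.pdf" TARGET="_blank">Transmission Control Protocol Security Considerations</A> that addresses this issue.
+<P>
+Workaround:
+<P>
+The following BGP-specific workaround information has been provided.
+<P>
+For BGP implementations that support it, the TCP MD5 Signature Option should be enabled. Passwords that the MD5 checksum is applied to should be set to strong values and changed on a regular basis.
+<P>
+Secure BGP configuration instructions have been provided for Cisco and Juniper at these locations:
+<BR>
+<A HREF="http://www.cymru.com/Documents/secure-bgp-template.html" TARGET="_blank">http://www.cymru.com/Documents/secure-bgp-template.html</A>
+<BR>
+<A HREF="http://www.qorbit.net/documents/junos-bgp-template.pdf" TARGET="_blank">http://www.qorbit.net/documents/junos-bgp-template.pdf</A>
+]]>
+</SOLUTION>
+<RESULT><![CDATA[Tested on port 80 with an injected SYN/RST offset by 16 bytes.]]></RESULT>
+</VULN>
+</CAT>
+<CAT value="Web server" port="80" protocol="tcp">
+<VULN number="86821" severity="3" cveid="CVE-2006-3918">
+<TITLE><![CDATA[Apache 1.3 HTTP Server Expect Header Cross-Site Scripting]]></TITLE>
+<LAST_UPDATE><![CDATA[2008-09-25T22:26:09Z]]></LAST_UPDATE>
+<CVSS_BASE source="service">4.3</CVSS_BASE>
+<CVSS_TEMPORAL>3.4</CVSS_TEMPORAL>
+<PCI_FLAG>1</PCI_FLAG>
+<VENDOR_REFERENCE_LIST>
+<VENDOR_REFERENCE>
+<ID><![CDATA[Apache 1.3]]></ID>
+<URL><![CDATA[http://httpd.apache.org/security/vulnerabilities_13.html]]></URL>
+</VENDOR_REFERENCE>
+</VENDOR_REFERENCE_LIST>
+<CVE_ID_LIST>
+<CVE_ID>
+<ID><![CDATA[CVE-2006-3918]]></ID>
+<URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918]]></URL>
+</CVE_ID>
+</CVE_ID_LIST>
+<DIAGNOSIS><![CDATA[A vulnerability exists in Apache HTTP Server Versions 1.3.3 to 1.3.34. This issue occurs due to handling of invalid Expect headers.]]></DIAGNOSIS>
+<CONSEQUENCE><![CDATA[An attacker can exploit this vulnerability to perform a cross-site scripting attack.]]></CONSEQUENCE>
+<SOLUTION><![CDATA[Upgrade to the latest version of Apache, which is available for download from the <A HREF="http://www.apache.org/" TARGET="_blank">Apache Web site</A>.]]></SOLUTION>
+<RESULT><![CDATA[HTTP/1.1 417 Expectation Failed
+Date: Fri, 20 Dec 2011 19:05:57 GMT
+Server: Apache
+Keep-Alive: timeout=15, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: text/html; charset=iso-8859-1
+
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
+<HTML><HEAD>
+<TITLE>417 Expectation Failed</TITLE>
+</HEAD><BODY>
+<H1>Expectation Failed</H1>
+The expectation given in the Expect request-header
+field could not be met by this server.<P>
+The client sent<PRE>
+Expect: <script>alert(document.domain)</script>
+</PRE>
+but we only allow the 100-continue expectation.
+</BODY></HTML>
+-CR-]]></RESULT>
+</VULN>
+<VULN number="86477" severity="1">
+<TITLE><![CDATA[Apache Web Server ETag Header Information Disclosure Weakness]]></TITLE>
+<LAST_UPDATE><![CDATA[2007-10-18T18:42:10Z]]></LAST_UPDATE>
+<CVSS_BASE source="service">4.3</CVSS_BASE>
+<CVSS_TEMPORAL>3.5</CVSS_TEMPORAL>
+<PCI_FLAG>0</PCI_FLAG>
+<BUGTRAQ_ID_LIST>
+<BUGTRAQ_ID>
+<ID><![CDATA[6939]]></ID>
+<URL><![CDATA[http://www.securityfocus.com/bid/6939]]></URL>
+</BUGTRAQ_ID>
+</BUGTRAQ_ID_LIST>
+<DIAGNOSIS>
+<![CDATA[The Apache HTTP Server is a popular, open-source HTTP server for multiple platforms, including Windows, Unix, and Linux.
+<P>
+A cache management feature for Apache makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document relating to a file, an ETag response header is returned containing various file attributes for caching purposes. ETag information allows subsequent file requests to contain specific information, such as the file's inode number.
+<P>
+A weakness has been found in the generation of ETag headers under certain configurations implementing the FileETag directive. Among the file attributes included in the header is the file inode number that is returned to a client. In Apache Versions 1.3.22 and earlier, it's not possible to disable inodes in in ETag headers. In later versions, the default behavior is to release this sensitive information.]]>
+</DIAGNOSIS>
+<CONSEQUENCE><![CDATA[This vulnerability poses a security risk, as the disclosure of inode information may aid in launching attacks against other network-based services. For instance, NFS uses inode numbers to generate file handles.]]></CONSEQUENCE>
+<SOLUTION>
+<![CDATA[OpenBSD has released a <A HREF="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch" TARGET="_blank">patch</A> that fixes this vulnerability. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.
+<P>
+Customers are advised to upgrade to the latest version of Apache. In Apache Version <A HREF="http://httpd.apache.org/docs/1.3/mod/core.html#fileetag" TARGET="_blank">1.3.23</A> and later, it's possible to configure the FileETag directive to generate ETag headers without inode information.
+To do so, include "FileETag -INode" in the Apache server configuration file for a specific subdirectory.<P>
+In order to fix this vulnerability globally, for the Web server, use the option "FileETag None". Use the option "FileETag
+MTime Size" if you just want to remove the Inode information.
+]]>
+</SOLUTION>
+<RESULT><![CDATA["3bee-4f12-00794aef"]]></RESULT>
+</VULN>
+</CAT>
+</VULNS>
+</IP>
+</SCAN>
+<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2008, Qualys, Inc. //-->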
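Review bot: The external DTD reference `<!DOCTYPE SCAN SYSTEM "https://qualysguard.qualys.de/scan-1.dtd">` on line 3 of this fixture reproduces what real QualysGuard exports carry, so the parser used by importer.rb (not in this view) must be configured never to load that external subset or substitute entities — with Nokogiri that means keeping NOENT and DTDLOAD off and adding NONET — or a crafted export uploaded by a user becomes an XXE/SSRF primitive against the Dradis server. Because this file is a spec fixture, the natural regression test beside the existing importer specs is one that asserts importing it makes no outbound request and still yields the expected Evidence/Issue records. Separately, the RESULT on lines 158–178 embeds a live `<script>alert(document.domain)</script>` string from the Expect-header finding; whatever renders imported Evidence content should treat it as text, which the templates under data/templates may or may not already guarantee.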
@@ -0,0 +1,375 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8" ?>
|
2
|
+
|
3
|
+
<!DOCTYPE SCAN SYSTEM "https://qualysguard.qualys.de/scan-1.dtd">
|
4
|
+
<SCAN value="scan/1327124089.959">
|
5
|
+
|
6
|
+
<HEADER>
|
7
|
+
<KEY value="USERNAME">dradispro</KEY>
|
8
|
+
<KEY value="COMPANY"><![CDATA[Security Roots]]></KEY>
|
9
|
+
<KEY value="DATE">2011-12-20T12:00:00Z</KEY>
|
10
|
+
<KEY value="TITLE"><![CDATA[Sample_Test_Scan]]></KEY>
|
11
|
+
<KEY value="TARGET">10.0.155.157,10.0.155.160</KEY>
|
12
|
+
<KEY value="DURATION">03:42:36</KEY>
|
13
|
+
<KEY value="SCAN_HOST">62.210.136.186 (Scanner 4.14.30-1,Web 6.0 FR6 [build 6.3.94-1],Vulnsigs 1.22.62-1)</KEY>
|
14
|
+
<KEY value="NBHOST_ALIVE">2</KEY>
|
15
|
+
<KEY value="NBHOST_TOTAL">2</KEY>
|
16
|
+
<KEY value="REPORT_TYPE">Scheduled</KEY>
|
17
|
+
<KEY value="OPTIONS">Full TCP scan, Standard Password Brute Forcing, Load balancer detection OFF, Overall Performance: Custom, Hosts to Scan in Parallel - External Scanners: 1, Hosts to Scan in Parallel - Scanner Appliances: 1, Total Processes to Run in Parallel: 1, HTTP Processes to Run in Parallel: 1, Packet (Burst) Delay: Maximum</KEY>
|
18
|
+
<KEY value="STATUS">FINISHED</KEY>
|
19
|
+
<OPTION_PROFILE>
|
20
|
+
<OPTION_PROFILE_TITLE option_profile_default="0"><![CDATA[Payment Card Industry (PCI) Options]]></OPTION_PROFILE_TITLE>
|
21
|
+
</OPTION_PROFILE>
|
22
|
+
</HEADER>
|
23
|
+
|
24
|
+
<IP value="10.0.155.157" name="smtp.example.com">
|
25
|
+
<OS><![CDATA[Linux 2.4-2.6]]></OS>
|
26
|
+
<INFOS>
|
27
|
+
<CAT value="Information gathering">
|
28
|
+
<INFO number="45039" severity="1">
|
29
|
+
<TITLE><![CDATA[Host Names Found]]></TITLE>
|
30
|
+
<LAST_UPDATE><![CDATA[2005-02-14T21:01:44Z]]></LAST_UPDATE>
|
31
|
+
<PCI_FLAG>0</PCI_FLAG>
|
32
|
+
<DIAGNOSIS><![CDATA[The following host names were discovered for this computer using various methods such as DNS look up, NetBIOS query, and SQL server name query.]]></DIAGNOSIS>
|
33
|
+
<CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
|
34
|
+
<SOLUTION><![CDATA[N/A]]></SOLUTION>
|
35
|
+
<RESULT format="table"><![CDATA[Host Name Source
|
36
|
+
smtp.example.com FQDN]]></RESULT>
|
37
|
+
</INFO>
|
38
|
+
<INFO number="45038" severity="1">
|
39
|
+
<TITLE><![CDATA[Host Scan Time]]></TITLE>
|
40
|
+
<LAST_UPDATE><![CDATA[2004-11-19T02:46:12Z]]></LAST_UPDATE>
|
41
|
+
<PCI_FLAG>0</PCI_FLAG>
|
42
|
+
<DIAGNOSIS>
|
43
|
+
<![CDATA[The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.
|
44
|
+
<P>
|
45
|
+
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.]]>
|
46
|
+
</DIAGNOSIS>
|
47
|
+
<CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
|
48
|
+
<SOLUTION><![CDATA[N/A]]></SOLUTION>
|
49
|
+
<RESULT><![CDATA[Scan duration: 7850 seconds
|
50
|
+
|
51
|
+
Start time: Fri, Dec 20 2011, 12:28:09 GMT
|
52
|
+
|
53
|
+
End time: Fri, Dec 21 2011, 14:38:59 GMT]]></RESULT>
|
54
|
+
</INFO>
|
55
|
+
</CAT>
|
56
|
+
<CAT value="TCP/IP">
|
57
|
+
<INFO number="82063" severity="2">
|
58
|
+
<TITLE><![CDATA[Host Uptime Based on TCP TimeStamp Option]]></TITLE>
|
59
|
+
<LAST_UPDATE><![CDATA[2007-05-29T18:56:36Z]]></LAST_UPDATE>
|
60
|
+
<PCI_FLAG>0</PCI_FLAG>
|
61
|
+
<DIAGNOSIS>
|
62
|
+
<![CDATA[The TCP/IP stack on the host supports the TCP TimeStamp (kind 8) option. Typically the timestamp used is the host's uptime (since last reboot) in various units (e.g., one hundredth of second, one tenth of a second, etc.). Based on this, we can obtain the host's uptime. The result is given in the Result section below.
|
63
|
+
<P>
|
64
|
+
Some operating systems (e.g., MacOS, OpenBSD) use a non-zero, probably random, initial value for the timestamp. For these operating systems, the uptime obtained does not reflect the actual uptime of the host; the former is always larger than the latter.
|
65
|
+
]]>
|
66
|
+
</DIAGNOSIS>
|
67
|
+
<CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
|
68
|
+
<SOLUTION><![CDATA[N/A]]></SOLUTION>
|
69
|
+
<RESULT><![CDATA[Based on TCP timestamps obtained via port 25, the host's uptime is 42 days, 10 hours, and 16 minutes.
|
70
|
+
The TCP timestamps from the host are in units of 1 milliseconds.]]></RESULT>
|
71
|
+
</INFO>
|
72
|
+
</CAT>
|
73
|
+
</INFOS>
|
74
|
+
<SERVICES>
|
75
|
+
<CAT value="Information gathering">
|
76
|
+
<SERVICE number="45017" severity="2">
|
77
|
+
<TITLE><![CDATA[Operating System Detected]]></TITLE>
|
78
|
+
<LAST_UPDATE><![CDATA[2005-02-09T19:06:45Z]]></LAST_UPDATE>
|
79
|
+
<PCI_FLAG>0</PCI_FLAG>
|
80
|
+
<DIAGNOSIS>
|
81
|
+
<![CDATA[Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report.
|
82
|
+
<P>
|
83
|
+
1) <B>TCP/IP Fingerprint</B>: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below.
|
84
|
+
<P>
|
85
|
+
Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that for the firewall instead of for the host being scanned.
|
86
|
+
<P>
|
87
|
+
2) <B>NetBIOS</B>: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB).
|
88
|
+
<P>
|
89
|
+
3) <B>PHP Info</B>: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information.
|
90
|
+
<P>
|
91
|
+
4) <B>SNMP</B>: The Simple Network Monitoring Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include "MIB_II.system.sysDescr" for the operating system.
|
92
|
+
]]>
|
93
|
+
</DIAGNOSIS>
|
94
|
+
<CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
|
95
|
+
<SOLUTION><![CDATA[N/A]]></SOLUTION>
|
96
|
+
<RESULT format="table"><![CDATA[Operating System Technique ID
|
97
|
+
Linux 2.4-2.6 TCP/IP Fingerprint U1723:25]]></RESULT>
|
98
|
+
</SERVICE>
|
99
|
+
</CAT>
|
100
|
+
<CAT value="Firewall">
|
101
|
+
<SERVICE number="34011" severity="1">
|
102
|
+
<TITLE><![CDATA[Firewall Detected]]></TITLE>
|
103
|
+
<LAST_UPDATE><![CDATA[2001-10-16T22:36:36Z]]></LAST_UPDATE>
|
104
|
+
<PCI_FLAG>0</PCI_FLAG>
|
105
|
+
<DIAGNOSIS>
|
106
|
+
<![CDATA[A packet filtering device protecting this IP was detected. This is likely to be a firewall or a router using access control lists (ACLs).
|
107
|
+
]]>
|
108
|
+
</DIAGNOSIS>
|
109
|
+
<RESULT><![CDATA[Some of the ports filtered by the firewall are: 20, 21, 22, 23, 53, 111, 135, 139, 443, 445.]]></RESULT>
|
110
|
+
</SERVICE>
|
111
|
+
</CAT>
|
112
|
+
<CAT value="Web server" port="80" protocol="tcp">
|
113
|
+
<SERVICE number="86000" severity="1">
|
114
|
+
<TITLE><![CDATA[Web Server Version]]></TITLE>
|
115
|
+
<LAST_UPDATE><![CDATA[1997-12-31T09:01:00Z]]></LAST_UPDATE>
|
116
|
+
<PCI_FLAG>0</PCI_FLAG>
|
117
|
+
<RESULT format="table"><![CDATA[Server Version Server Banner
|
118
|
+
Apache Apache]]></RESULT>
|
119
|
+
</SERVICE>
|
120
|
+
</CAT>
|
121
|
+
</SERVICES>
|
122
|
+
<VULNS>
|
123
|
+
<CAT value="TCP/IP">
|
124
|
+
<VULN number="82054" severity="2" cveid="CVE-2004-0230">
|
125
|
+
<TITLE><![CDATA[TCP Sequence Number Approximation Based Denial of Service]]></TITLE>
|
126
|
+
<LAST_UPDATE><![CDATA[2007-12-20T22:53:15Z]]></LAST_UPDATE>
|
127
|
+
<CVSS_BASE>5</CVSS_BASE>
|
128
|
+
<CVSS_TEMPORAL>4.2</CVSS_TEMPORAL>
|
129
|
+
<PCI_FLAG>0</PCI_FLAG>
|
130
|
+
<CVE_ID_LIST>
|
131
|
+
<CVE_ID>
|
132
|
+
<ID><![CDATA[CVE-2004-0230]]></ID>
|
133
|
+
<URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230]]></URL>
|
134
|
+
</CVE_ID>
|
135
|
+
</CVE_ID_LIST>
|
136
|
+
<BUGTRAQ_ID_LIST>
|
137
|
+
<BUGTRAQ_ID>
|
138
|
+
<ID><![CDATA[10183]]></ID>
|
139
|
+
<URL><![CDATA[http://www.securityfocus.com/bid/10183]]></URL>
|
140
|
+
</BUGTRAQ_ID>
|
141
|
+
</BUGTRAQ_ID_LIST>
|
142
|
+
<DIAGNOSIS>
|
143
|
+
<![CDATA[TCP provides stateful communications between hosts on a network. TCP sessions are established by a three-way handshake and use random 32-bit sequence and acknowledgement numbers to ensure the validity of traffic. A vulnerability was reported that may permit TCP sequence numbers to be more easily approximated by remote attackers. This issue affects products released by multiple vendors.
|
144
|
+
<P>
|
145
|
+
The cause of the vulnerability is that affected implementations will accept TCP sequence numbers within a certain range, known as the acknowledgement range, of the expected sequence number for a packet in the session. This is determined by the TCP window size, which is negotiated during the three-way handshake for the session. Larger TCP window sizes may be set to allow for more throughput, but the larger the TCP window size, the more probable it is to guess a TCP sequence number that falls within an acceptable range. It was initially thought that guessing an acceptable sequence number was relatively difficult for most implementations given random distribution, making this type of attack impractical. However, some implementations may make it easier to successfully approximate an acceptable TCP sequence number, making these attacks possible with a number of protocols and implementations.
|
146
|
+
<P>
|
147
|
+
This is further compounded by the fact that some implementations may support the use of the TCP Window Scale Option, as described in RFC 1323, to extend the TCP window size to a maximum value of 1 billion.
|
148
|
+
<P>
|
149
|
+
This vulnerability will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP address and TCP port.
|
150
|
+
<P>
|
151
|
+
There are a few factors that may present viable target implementations, such as those which depend on long-lived TCP connections, those that have known or easily guessed IP address endpoints and those implementations with easily guessed TCP source ports. It has been noted that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack, due to the use of long-lived TCP sessions and the possibility that some implementations may use the TCP Window Scale Option. As a result, this issue is likely to affect a number of routing platforms.
|
152
|
+
<P>
|
153
|
+
Another factor to consider is the relative difficulty of injecting packets into TCP sessions, as a number of receiving implementations will reassemble packets in order, dropping any duplicates. This may make some implementations more resistant to attacks than others.
|
154
|
+
<P>
|
155
|
+
It should be noted that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.]]>
|
156
|
+
</DIAGNOSIS>
|
157
|
+
<CONSEQUENCE><![CDATA[Successful exploitation of this issue could lead to denial of service attacks on the TCP based services of target hosts. Other consequences may also result, such as man-in-the-middle attacks.]]></CONSEQUENCE>
|
158
|
+
<SOLUTION>
|
159
|
+
<![CDATA[Please first check the results section below for the port number on which this vulnerability was detected. If that port number is known to be used for port-forwarding, then it is the backend host that is really vulnerable.
|
160
|
+
<P>
|
161
|
+
Various implementations and products including Check Point, Cisco, Cray Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks, NEC, Polycom, and Yamaha are currently undergoing review. Contact the vendors to obtain more information about affected products and fixes. <A HREF="http://packetstormsecurity.org/0404-advisories/246929.html" TARGET="_blank">NISCC Advisory 236929 - Vulnerability Issues in TCP</A> details the vendor patch status as of the time of the advisory, and identifies resolutions and workarounds.
|
162
|
+
<P>
|
163
|
+
The Internet Engineering Task Force (IETF) has developed an Internet-Draft titled <A HREF="http://www3.ietf.org/proceedings/05mar/slides/tcpm-4.pdf" TARGET="_blank">Transmission Control Protocol Security Considerations</A> that addresses this issue.
|
164
|
+
<P>
|
165
|
+
Workaround:
|
166
|
+
<P>
|
167
|
+
The following BGP-specific workaround information has been provided.
|
168
|
+
<P>
|
169
|
+
For BGP implementations that support it, the TCP MD5 Signature Option should be enabled. Passwords that the MD5 checksum is applied to should be set to strong values and changed on a regular basis.
|
170
|
+
<P>
|
171
|
+
Secure BGP configuration instructions have been provided for Cisco and Juniper at these locations:
|
172
|
+
<BR>
|
173
|
+
<A HREF="http://www.cymru.com/Documents/secure-bgp-template.html" TARGET="_blank">http://www.cymru.com/Documents/secure-bgp-template.html</A>
|
174
|
+
<BR>
|
175
|
+
<A HREF="http://www.qorbit.net/documents/junos-bgp-template.pdf" TARGET="_blank">http://www.qorbit.net/documents/junos-bgp-template.pdf</A>
|
176
|
+
]]>
|
177
|
+
</SOLUTION>
|
178
|
+
<RESULT><![CDATA[Tested on port 25 with an injected SYN/RST offset by 16 bytes.
|
179
|
+
Tested on port 80 with an injected SYN/RST offset by 16 bytes.]]></RESULT>
|
180
|
+
</VULN>
|
181
|
+
</CAT>
|
182
|
+
</VULNS>
|
183
|
+
</IP>
|
184
|
+
<IP value="10.0.155.160" name="No registered hostname">
|
185
|
+
<OS><![CDATA[Linux 2.4-2.6]]></OS>
|
186
|
+
<INFOS>
|
187
|
+
<CAT value="Information gathering">
|
188
|
+
<INFO number="6" severity="1">
|
189
|
+
<TITLE><![CDATA[DNS Host Name]]></TITLE>
|
190
|
+
<LAST_UPDATE><![CDATA[1997-12-31T09:01:00Z]]></LAST_UPDATE>
|
191
|
+
<PCI_FLAG>0</PCI_FLAG>
|
192
|
+
<DIAGNOSIS><![CDATA[The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.]]></DIAGNOSIS>
|
193
|
+
<RESULT format="table"><![CDATA[IP address Host name
|
194
|
+
10.0.155.160 No registered hostname]]></RESULT>
|
195
|
+
</INFO>
|
196
|
+
<INFO number="45038" severity="1">
|
197
|
+
<TITLE><![CDATA[Host Scan Time]]></TITLE>
|
198
|
+
<LAST_UPDATE><![CDATA[2004-11-19T02:46:12Z]]></LAST_UPDATE>
|
199
|
+
<PCI_FLAG>0</PCI_FLAG>
|
200
|
+
<DIAGNOSIS>
|
201
|
+
<![CDATA[The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.
|
202
|
+
<P>
|
203
|
+
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.]]>
|
204
|
+
</DIAGNOSIS>
|
205
|
+
<CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
|
206
|
+
<SOLUTION><![CDATA[N/A]]></SOLUTION>
|
207
|
+
<RESULT><![CDATA[Scan duration: 5445 seconds
|
208
|
+
|
209
|
+
Start time: Fri, Dec 20 2011, 17:38:59 GMT
|
210
|
+
|
211
|
+
End time: Fri, Dec 20 2011, 19:09:44 GMT]]></RESULT>
|
212
|
+
</INFO>
|
213
|
+
</CAT>
|
214
|
+
</INFOS>
|
215
|
+
<SERVICES>
|
216
|
+
<CAT value="TCP/IP">
|
217
|
+
<SERVICE number="82023" severity="1">
|
218
|
+
<TITLE><![CDATA[Open TCP Services List]]></TITLE>
|
219
|
+
<PCI_FLAG>0</PCI_FLAG>
|
220
|
+
<DIAGNOSIS><![CDATA[The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections.]]></DIAGNOSIS>
|
221
|
+
<CONSEQUENCE><![CDATA[Unauthorized users can exploit this information to test vulnerabilities in each of the open services.]]></CONSEQUENCE>
|
222
|
+
<SOLUTION><![CDATA[Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the <A HREF="http://www.cert.org" TARGET="_blank">CERT Web site</A>.]]></SOLUTION>
|
223
|
+
<RESULT format="table"><![CDATA[Port IANA Assigned Ports/Services Description Service Detected OS On Redirected Port
|
224
|
+
80 www World Wide Web HTTP http]]></RESULT>
|
225
|
+
</SERVICE>
|
226
|
+
</CAT>
|
227
|
+
<CAT value="Web server" port="80" protocol="tcp">
|
228
|
+
<SERVICE number="86000" severity="1">
|
229
|
+
<TITLE><![CDATA[Web Server Version]]></TITLE>
|
230
|
+
<LAST_UPDATE><![CDATA[1997-12-31T09:01:00Z]]></LAST_UPDATE>
|
231
|
+
<PCI_FLAG>0</PCI_FLAG>
|
232
|
+
<RESULT format="table"><![CDATA[Server Version Server Banner
|
233
|
+
Apache 1.3 Apache]]></RESULT>
|
234
|
+
</SERVICE>
|
235
|
+
</CAT>
|
236
|
+
</SERVICES>
|
237
|
+
<VULNS>
|
238
|
+
<CAT value="TCP/IP">
|
239
|
+
<VULN number="82054" severity="2" cveid="CVE-2004-0230">
|
240
|
+
<TITLE><![CDATA[TCP Sequence Number Approximation Based Denial of Service]]></TITLE>
|
241
|
+
<LAST_UPDATE><![CDATA[2007-12-20T22:53:15Z]]></LAST_UPDATE>
|
242
|
+
<CVSS_BASE>5</CVSS_BASE>
|
243
|
+
<CVSS_TEMPORAL>4.2</CVSS_TEMPORAL>
|
244
|
+
<PCI_FLAG>0</PCI_FLAG>
|
245
|
+
<CVE_ID_LIST>
|
246
|
+
<CVE_ID>
|
247
|
+
<ID><![CDATA[CVE-2004-0230]]></ID>
|
248
|
+
<URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230]]></URL>
|
249
|
+
</CVE_ID>
|
250
|
+
</CVE_ID_LIST>
|
251
|
+
<BUGTRAQ_ID_LIST>
|
252
|
+
<BUGTRAQ_ID>
|
253
|
+
<ID><![CDATA[10183]]></ID>
|
254
|
+
<URL><![CDATA[http://www.securityfocus.com/bid/10183]]></URL>
|
255
|
+
</BUGTRAQ_ID>
|
256
|
+
</BUGTRAQ_ID_LIST>
|
257
|
+
<DIAGNOSIS>
|
258
|
+
<![CDATA[TCP provides stateful communications between hosts on a network. TCP sessions are established by a three-way handshake and use random 32-bit sequence and acknowledgement numbers to ensure the validity of traffic. A vulnerability was reported that may permit TCP sequence numbers to be more easily approximated by remote attackers. This issue affects products released by multiple vendors.
|
259
|
+
<P>
|
260
|
+
The cause of the vulnerability is that affected implementations will accept TCP sequence numbers within a certain range, known as the acknowledgement range, of the expected sequence number for a packet in the session. This is determined by the TCP window size, which is negotiated during the three-way handshake for the session. Larger TCP window sizes may be set to allow for more throughput, but the larger the TCP window size, the more probable it is to guess a TCP sequence number that falls within an acceptable range. It was initially thought that guessing an acceptable sequence number was relatively difficult for most implementations given random distribution, making this type of attack impractical. However, some implementations may make it easier to successfully approximate an acceptable TCP sequence number, making these attacks possible with a number of protocols and implementations.
|
261
|
+
<P>
|
262
|
+
This is further compounded by the fact that some implementations may support the use of the TCP Window Scale Option, as described in RFC 1323, to extend the TCP window size to a maximum value of 1 billion.
|
263
|
+
<P>
|
264
|
+
This vulnerability will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP address and TCP port.
|
265
|
+
<P>
|
266
|
+
There are a few factors that may present viable target implementations, such as those which depend on long-lived TCP connections, those that have known or easily guessed IP address endpoints and those implementations with easily guessed TCP source ports. It has been noted that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack, due to the use of long-lived TCP sessions and the possibility that some implementations may use the TCP Window Scale Option. As a result, this issue is likely to affect a number of routing platforms.
|
267
|
+
<P>
|
268
|
+
Another factor to consider is the relative difficulty of injecting packets into TCP sessions, as a number of receiving implementations will reassemble packets in order, dropping any duplicates. This may make some implementations more resistant to attacks than others.
|
269
|
+
<P>
|
270
|
+
It should be noted that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.]]>
|
271
|
+
</DIAGNOSIS>
|
272
|
+
<CONSEQUENCE><![CDATA[Successful exploitation of this issue could lead to denial of service attacks on the TCP based services of target hosts. Other consequences may also result, such as man-in-the-middle attacks.]]></CONSEQUENCE>
|
273
|
+
<SOLUTION>
|
274
|
+
<![CDATA[Please first check the results section below for the port number on which this vulnerability was detected. If that port number is known to be used for port-forwarding, then it is the backend host that is really vulnerable.
|
275
|
+
<P>
|
276
|
+
Various implementations and products including Check Point, Cisco, Cray Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks, NEC, Polycom, and Yamaha are currently undergoing review. Contact the vendors to obtain more information about affected products and fixes. <A HREF="http://packetstormsecurity.org/0404-advisories/246929.html" TARGET="_blank">NISCC Advisory 236929 - Vulnerability Issues in TCP</A> details the vendor patch status as of the time of the advisory, and identifies resolutions and workarounds.
|
277
|
+
<P>
|
278
|
+
The Internet Engineering Task Force (IETF) has developed an Internet-Draft titled <A HREF="http://www3.ietf.org/proceedings/05mar/slides/tcpm-4.pdf" TARGET="_blank">Transmission Control Protocol Security Considerations</A> that addresses this issue.
|
279
|
+
<P>
|
280
|
+
Workaround:
|
281
|
+
<P>
|
282
|
+
The following BGP-specific workaround information has been provided.
|
283
|
+
<P>
|
284
|
+
For BGP implementations that support it, the TCP MD5 Signature Option should be enabled. Passwords that the MD5 checksum is applied to should be set to strong values and changed on a regular basis.
|
285
|
+
<P>
|
286
|
+
Secure BGP configuration instructions have been provided for Cisco and Juniper at these locations:
|
287
|
+
<BR>
|
288
|
+
<A HREF="http://www.cymru.com/Documents/secure-bgp-template.html" TARGET="_blank">http://www.cymru.com/Documents/secure-bgp-template.html</A>
|
289
|
+
<BR>
|
290
|
+
<A HREF="http://www.qorbit.net/documents/junos-bgp-template.pdf" TARGET="_blank">http://www.qorbit.net/documents/junos-bgp-template.pdf</A>
|
291
|
+
]]>
|
292
|
+
</SOLUTION>
|
293
|
+
<RESULT><![CDATA[Tested on port 80 with an injected SYN/RST offset by 16 bytes.]]></RESULT>
|
294
|
+
</VULN>
|
295
|
+
</CAT>
|
296
|
+
<CAT value="Web server" port="80" protocol="tcp">
|
297
|
+
<VULN number="86821" severity="3" cveid="CVE-2006-3918">
|
298
|
+
<TITLE><![CDATA[Apache 1.3 HTTP Server Expect Header Cross-Site Scripting]]></TITLE>
|
299
|
+
<LAST_UPDATE><![CDATA[2008-09-25T22:26:09Z]]></LAST_UPDATE>
|
300
|
+
<CVSS_BASE source="service">4.3</CVSS_BASE>
|
301
|
+
<CVSS_TEMPORAL>3.4</CVSS_TEMPORAL>
|
302
|
+
<PCI_FLAG>1</PCI_FLAG>
|
303
|
+
<VENDOR_REFERENCE_LIST>
|
304
|
+
<VENDOR_REFERENCE>
|
305
|
+
<ID><![CDATA[Apache 1.3]]></ID>
|
306
|
+
<URL><![CDATA[http://httpd.apache.org/security/vulnerabilities_13.html]]></URL>
|
307
|
+
</VENDOR_REFERENCE>
|
308
|
+
</VENDOR_REFERENCE_LIST>
|
309
|
+
<CVE_ID_LIST>
|
310
|
+
<CVE_ID>
|
311
|
+
<ID><![CDATA[CVE-2006-3918]]></ID>
|
312
|
+
<URL><![CDATA[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3918]]></URL>
|
313
|
+
</CVE_ID>
|
314
|
+
</CVE_ID_LIST>
|
315
|
+
<DIAGNOSIS><![CDATA[A vulnerability exists in Apache HTTP Server Versions 1.3.3 to 1.3.34. This issue occurs due to handling of invalid Expect headers.]]></DIAGNOSIS>
|
316
|
+
<CONSEQUENCE><![CDATA[An attacker can exploit this vulnerability to perform a cross-site scripting attack.]]></CONSEQUENCE>
|
317
|
+
<SOLUTION><![CDATA[Upgrade to the latest version of Apache, which is available for download from the <A HREF="http://www.apache.org/" TARGET="_blank">Apache Web site</A>.]]></SOLUTION>
|
318
|
+
<RESULT><![CDATA[HTTP/1.1 417 Expectation Failed
|
319
|
+
Date: Fri, 20 Dec 2011 19:05:57 GMT
|
320
|
+
Server: Apache
|
321
|
+
Keep-Alive: timeout=15, max=100
|
322
|
+
Connection: Keep-Alive
|
323
|
+
Transfer-Encoding: chunked
|
324
|
+
Content-Type: text/html; charset=iso-8859-1
|
325
|
+
|
326
|
+
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|
327
|
+
<HTML><HEAD>
|
328
|
+
<TITLE>417 Expectation Failed</TITLE>
|
329
|
+
</HEAD><BODY>
|
330
|
+
<H1>Expectation Failed</H1>
|
331
|
+
The expectation given in the Expect request-header
|
332
|
+
field could not be met by this server.<P>
|
333
|
+
The client sent<PRE>
|
334
|
+
Expect: <script>alert(document.domain)</script>
|
335
|
+
</PRE>
|
336
|
+
but we only allow the 100-continue expectation.
|
337
|
+
</BODY></HTML>
|
338
|
+
-CR-]]></RESULT>
|
339
|
+
</VULN>
|
340
|
+
<VULN number="86477" severity="1">
|
341
|
+
<TITLE><![CDATA[Apache Web Server ETag Header Information Disclosure Weakness]]></TITLE>
|
342
|
+
<LAST_UPDATE><![CDATA[2007-10-18T18:42:10Z]]></LAST_UPDATE>
|
343
|
+
<CVSS_BASE source="service">4.3</CVSS_BASE>
|
344
|
+
<CVSS_TEMPORAL>3.5</CVSS_TEMPORAL>
|
345
|
+
<PCI_FLAG>0</PCI_FLAG>
|
346
|
+
<BUGTRAQ_ID_LIST>
|
347
|
+
<BUGTRAQ_ID>
|
348
|
+
<ID><![CDATA[6939]]></ID>
|
349
|
+
<URL><![CDATA[http://www.securityfocus.com/bid/6939]]></URL>
|
350
|
+
</BUGTRAQ_ID>
|
351
|
+
</BUGTRAQ_ID_LIST>
|
352
|
+
<DIAGNOSIS>
|
353
|
+
<![CDATA[The Apache HTTP Server is a popular, open-source HTTP server for multiple platforms, including Windows, Unix, and Linux.
|
354
|
+
<P>
|
355
|
+
A cache management feature for Apache makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document relating to a file, an ETag response header is returned containing various file attributes for caching purposes. ETag information allows subsequent file requests to contain specific information, such as the file's inode number.
|
356
|
+
<P>
|
357
|
+
A weakness has been found in the generation of ETag headers under certain configurations implementing the FileETag directive. Among the file attributes included in the header is the file inode number that is returned to a client. In Apache Versions 1.3.22 and earlier, it's not possible to disable inodes in in ETag headers. In later versions, the default behavior is to release this sensitive information.]]>
|
358
|
+
</DIAGNOSIS>
|
359
|
+
<CONSEQUENCE><![CDATA[This vulnerability poses a security risk, as the disclosure of inode information may aid in launching attacks against other network-based services. For instance, NFS uses inode numbers to generate file handles.]]></CONSEQUENCE>
|
360
|
+
<SOLUTION>
|
361
|
+
<![CDATA[OpenBSD has released a <A HREF="ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/008_httpd.patch" TARGET="_blank">patch</A> that fixes this vulnerability. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.
|
362
|
+
<P>
|
363
|
+
Customers are advised to upgrade to the latest version of Apache. In Apache Version <A HREF="http://httpd.apache.org/docs/1.3/mod/core.html#fileetag" TARGET="_blank">1.3.23</A> and later, it's possible to configure the FileETag directive to generate ETag headers without inode information.
|
364
|
+
To do so, include "FileETag -INode" in the Apache server configuration file for a specific subdirectory.<P>
|
365
|
+
In order to fix this vulnerability globally, for the Web server, use the option "FileETag None". Use the option "FileETag
|
366
|
+
MTime Size" if you just want to remove the Inode information.
|
367
|
+
]]>
|
368
|
+
</SOLUTION>
|
369
|
+
<RESULT><![CDATA["3bee-4f12-00794aef"]]></RESULT>
|
370
|
+
</VULN>
|
371
|
+
</CAT>
|
372
|
+
</VULNS>
|
373
|
+
</IP>
|
374
|
+
</SCAN>
|
375
|
+
<!-- CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2008, Qualys, Inc. //-->
|