QualysGuard Report
Summary Report Including Detailed Trending
10/20/2003

Report Summary
Customer Name: Shawn Carter
Template Title: Summary Report Including Detailed Trending
IPs Scanned: 3
Total Scans: 15
Date Range: 03/26/2003 - 10/15/2003
Trend Analysis: Selected reports
Include Detailed Results: Vulnerability Description, Consequences, Solution, Results
Sort by: Host
References: scan/1066242941.1239, scan/1061418824.29238, scan/1055447694.23419, scan/1053115841.16266, scan/1048706514.10263
Filters: Vulnerability Checks: Disabled checks

Summary of Vulnerabilities
Vulnerabilities Total: 174
Overall Trend: + 5
Security Risk: 5.0
by Status
Status Vulnerabilities
New 12
Active 162
Re-Opened 0
Fixed 52
Changed 64
by Severity
Severity   Vulnerabilities   Trend
5          33                + 4
4          23                + 6
3          49                + 6
2          24                - 6
1          45                - 5
5 Biggest Categories
Category                   Vulnerabilities   Trend
Web server                 26                + 1
TCP/IP                     25                + 4
General remote services    24                + 1
RPC                        24                + 2
Information gathering      20                + 2
Number of Vulnerabilities by Severity
Your network had:
33 Severity 5 (Urgent)
23 Severity 4 (Critical)
49 Severity 3 (Serious)
24 Severity 2 (Medium)
45 Severity 1 (Minimal)
174 Total
Operating Systems Detected: (chart not included in this extract)
Services Detected: (chart not included in this extract)
Host: 64.41.134.59 (No registered hostname), Linux 2.4
Vulnerabilities Total: 51
Overall Trend: - 4
Security Risk: 5.0
by Status
Status Vulnerabilities
New 4
Active 47
Re-Opened 0
Fixed 20
Changed 24
by Severity
Severity   Vulnerabilities   Trend
5          6                 - 3
4          5                 - 1
3          14                + 2
2          9                 - 4
1          17                + 2
5 Biggest Categories
Category                   Vulnerabilities   Trend
General remote services    17                + 2
Web server                 10                0
TCP/IP                     8                 + 1
Information gathering      7                 0
CGI                        6                 + 2
Severity 4: SSL Server Has SSLv2 Enabled Vulnerability
port: 443
Active
QID: 38139   Category: General remote services   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.

There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication down to a weaker cipher and then attempt to break the weak encryption, because SSLv2 does not authenticate the handshake messages. The attacker can also truncate encrypted messages undetected, because SSLv2 has no protected end-of-connection signal.

These flaws have been fixed in SSLv3 (and TLSv1). Most servers (including all popular web servers, mail servers, etc.) and clients (including web browsers such as IE, Netscape Navigator and Mozilla, and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is often enabled by default for backward compatibility.

CONSEQUENCES:
An attacker can exploit this vulnerability to read secure communications or maliciously modify messages.
SOLUTION:
Disable SSLv2.

Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Note that SSLv3 has since been deprecated as well (RFC 7568); on a current server allow only TLSv1.2 and later.

How to disable SSLv2 on IIS: see Microsoft Knowledge Base Article 187498.

RESULT:
Severity 3: Global User List
Active
QID: 45002   Category: Information gathering   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
This is the global system user list, which was retrieved during the scan. A malicious user can use these known account names as targets for password guessing and other attacks against your system.
SOLUTION:
To prevent your host from being attacked, do one or more of the following:
  • Remove (or rename) unnecessary accounts
  • Shut down unnecessary network services
  • Ensure the passwords to these accounts are kept secret
  • Use a firewall to restrict access to your hosts from unauthorized domains
RESULT:
User Name   Source Vulnerability (QID)
gdm         5001
operator    5001
postgres    5001
root        5001
root        38190
ftp         38190
games       38190
halt        38190
ident       38190
mail        38190
mysql       38190
news        38190
sync        38190
Severity 3: Smurf Attack (ICMP Amplifier)
Active
QID: 82002   Category: TCP/IP   CVE ID: CVE-1999-0513
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
ICMP (Internet Control Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts.

Networks have a subnet mask that defines the type of sub-netting, as well as the network's broadcast address. Typically, a class C network (10.0.9.XXX without sub-netting) will have a range of valid IP addresses from 10.0.9.1 to 10.0.9.254, and its broadcast address will be 10.0.9.255 (since the netmask is 255.255.255.0). When a host on this class C network sends a packet to the broadcast address, all the other hosts belonging to the same class C will reply. It seems that one (or more) broadcast addresses in your class C can be reached externally. Make sure that this broadcast address belongs to your subnet before taking any action.

If you block or properly filter ICMP packets, then please disregard this vulnerability.

CONSEQUENCES:
If a malicious user sends an ICMP echo-request packet to your network broadcast address, then numerous ICMP echo-reply packets will be generated (since all live hosts on the class C network will reply). By spoofing the source address of the ICMP packet (i.e., a victim IP), a malicious user can flood the victim IP without difficulty by using the network as an amplifier (the destination IP would be your broadcast address). Since the source IP address was spoofed, it is difficult to trace the malicious user.

Typically, the malicious user would retain a huge list of network amplifiers in order to flood a single server. This amount of traffic can cause a server to lose connectivity to the Internet or possibly crash.

SOLUTION:
We strongly advise that you prevent unauthorized users from reaching broadcast addresses. To do so, filter these IP broadcast addresses on your router or firewall (IP layer protocol). Note that there could be several broadcast addresses if you are using sub-netting on your network. On the routers themselves, disable forwarding of directed broadcasts (on Cisco IOS, "no ip directed-broadcast" on each interface), and on the hosts, ignore echo requests sent to broadcast addresses (on Linux, sysctl net.ipv4.icmp_echo_ignore_broadcasts=1).
RESULT:
Broadcast address on ip 64.41.134.16 (amplifier factor of 2)
Broadcast address on ip 64.41.134.31 (amplifier factor of 2)
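The report asks you to confirm that a flagged address really is a broadcast address of one of your subnets before acting. The following script is an added example (not part of the Qualys report) that answers that question for the two addresses above: it lists every prefix length for which an address has all host bits set to one (a directed broadcast) or all set to zero (the network address, which older BSD-derived stacks also answered as a broadcast), and then looks for the single subnet that both flagged addresses bound. The only assumption is that the pair of addresses belongs to one subnet; the script makes no claim about the site's actual netmask.

```python
"""Which subnets would make a flagged IP a broadcast (or network) address?

Added example, not part of the Qualys report.  Uses only the standard
library.  Prefix lengths /31 and /32 have no broadcast address, so the
search stops at /30.
"""
import ipaddress
from typing import List, Tuple

# Addresses flagged in the RESULT section of QID 82002 above.
FLAGGED = ["64.41.134.16", "64.41.134.31"]


def broadcast_prefixes(ip: str, shortest: int = 16, longest: int = 30) -> List[int]:
    """Prefix lengths for which `ip` is the directed-broadcast address
    (all host bits = 1) of the enclosing subnet."""
    addr = ipaddress.IPv4Address(ip)
    hits = []
    for plen in range(shortest, longest + 1):
        net = ipaddress.IPv4Network(f"{ip}/{plen}", strict=False)
        if net.broadcast_address == addr:
            hits.append(plen)
    return hits


def network_prefixes(ip: str, shortest: int = 16, longest: int = 30) -> List[int]:
    """Prefix lengths for which `ip` is the network address (all host bits = 0).
    Old BSD-derived stacks also replied to echo requests sent here, which is
    why a scanner can report such an address as an amplifier."""
    addr = ipaddress.IPv4Address(ip)
    return [plen for plen in range(shortest, longest + 1)
            if ipaddress.IPv4Network(f"{ip}/{plen}", strict=False).network_address == addr]


def explain(ip: str) -> Tuple[List[int], List[int]]:
    """(broadcast prefix lengths, network prefix lengths) for one address."""
    return broadcast_prefixes(ip), network_prefixes(ip)


def bounding_subnet(low: str, high: str) -> str:
    """Assumption: two flagged addresses that are the network and broadcast
    address of the same subnet reveal the netmask in use.  Returns the
    longest (smallest) such subnet in CIDR form, or "" if none fits."""
    lo, hi = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
    for plen in range(30, 15, -1):
        net = ipaddress.IPv4Network(f"{low}/{plen}", strict=False)
        if net.network_address == lo and net.broadcast_address == hi:
            return str(net)
    return ""


if __name__ == "__main__":
    for ip in FLAGGED:
        bc, nw = explain(ip)
        print(f"{ip}: broadcast of /{bc}; network address of /{nw}")
    print("subnet consistent with both:", bounding_subnet(*FLAGGED))
```

For the two addresses in the report, 64.41.134.31 is the broadcast address of any /27 through /30 containing it, 64.41.134.16 is never a broadcast address but is the network address of 64.41.134.16/28, /29 and /30, and the only subnet that has one address as its network and the other as its broadcast is 64.41.134.16/28. The "amplifier factor of 2" in the result means only two hosts answered, so the amplification available to an attacker here is small, but the directed-broadcast forwarding that let the probe in is still worth closing.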
Severity 3: SSL Server Supports Weak Encryption Vulnerability
port: 443
Active
QID: 38140   Category: General remote services   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.

SSL encryption ciphers are classified based on encryption key length as follows:

  • HIGH - key length larger than 128 bits
  • MEDIUM - key length equal to 128 bits
  • LOW - key length smaller than 128 bits

Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.

Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations.

CONSEQUENCES:
An attacker can exploit this vulnerability to decrypt secure communications without authorization.
SOLUTION:
Disable support for LOW encryption ciphers.

Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines (Apache directives take no colon after the directive name):
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

The !LOW and !EXP rules together remove every suite in the result table below, including the 56-bit EXP1024 export suites. You can list exactly which suites a given string still permits with: openssl ciphers -v 'ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'

For IIS, see the Microsoft article "How to Control the Ciphers for SSL and TLS on IIS".
RESULT:

CIPHER                   KEY-EXCHANGE  AUTHENTICATION  MAC   ENCRYPTION(KEY-STRENGTH)  GRADE

SSLv2 WEAK CIPHERS
EXP-RC4-MD5              RSA(512)      RSA             MD5   RC4(40)                   LOW
EXP-RC2-CBC-MD5          RSA(512)      RSA             MD5   RC2(40)                   LOW
DES-CBC-MD5              RSA           RSA             MD5   DES(56)                   LOW
RC4-64-MD5               RSA           RSA             MD5   RC4(64)                   LOW

SSLv3 WEAK CIPHERS
EXP1024-RC4-SHA          RSA(1024)     RSA             SHA1  RC4(56)                   LOW
EXP1024-DES-CBC-SHA      RSA(1024)     RSA             SHA1  DES(56)                   LOW
EXP1024-RC2-CBC-MD5      RSA(1024)     RSA             MD5   RC2(56)                   LOW
EXP1024-RC4-MD5          RSA(1024)     RSA             MD5   RC4(56)                   LOW
EDH-RSA-DES-CBC-SHA      DH            RSA             SHA1  DES(56)                   LOW
DES-CBC-SHA              RSA           RSA             SHA1  DES(56)                   LOW
EXP-EDH-RSA-DES-CBC-SHA  DH(512)       RSA             SHA1  DES(40)                   LOW
EXP-DES-CBC-SHA          RSA(512)      RSA             SHA1  DES(40)                   LOW
EXP-RC2-CBC-MD5          RSA(512)      RSA             MD5   RC2(40)                   LOW
EXP-RC4-MD5              RSA(512)      RSA             MD5   RC4(40)                   LOW

TLSv1 WEAK CIPHERS
EXP1024-RC4-SHA          RSA(1024)     RSA             SHA1  RC4(56)                   LOW
EXP1024-DES-CBC-SHA      RSA(1024)     RSA             SHA1  DES(56)                   LOW
EXP1024-RC2-CBC-MD5      RSA(1024)     RSA             MD5   RC2(56)                   LOW
EXP1024-RC4-MD5          RSA(1024)     RSA             MD5   RC4(56)                   LOW
EDH-RSA-DES-CBC-SHA      DH            RSA             SHA1  DES(56)                   LOW
DES-CBC-SHA              RSA           RSA             SHA1  DES(56)                   LOW
EXP-EDH-RSA-DES-CBC-SHA  DH(512)       RSA             SHA1  DES(40)                   LOW
EXP-DES-CBC-SHA          RSA(512)      RSA             SHA1  DES(40)                   LOW
EXP-RC2-CBC-MD5          RSA(512)      RSA             MD5   RC2(40)                   LOW
EXP-RC4-MD5              RSA(512)      RSA             MD5   RC4(40)                   LOW
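The two SSL findings above (QID 38139, SSLv2 enabled, and QID 38140, weak ciphers) are both judged by the same rules: the report's key-length grading plus the exclusions in the recommended SSLCipherSuite string (!aNULL, !ADH, !eNULL, !LOW, !EXP) and the removal of SSLv2. The script below is an added example, not Qualys code, that applies those rules to a cipher list in the layout printed by `openssl ciphers -v` (the assumption is that this is how the list was obtained; the sample lines are constructed from the suite names in the result table, with a few strong suites mixed in for contrast).

```python
"""Grade cipher suites the way the report does and say why each would be rejected.

Added example, not part of the Qualys report.  Input lines follow the
`openssl ciphers -v` layout:
    NAME  PROTO  Kx=...  Au=...  Enc=ALG(bits)  Mac=...  [export]
"""
import re
from typing import Dict, List, Optional

# Constructed sample in `openssl ciphers -v` layout (assumption: the report's
# table was built from such output).  Names come from the RESULT table above.
SAMPLE = """\
EXP-RC4-MD5             SSLv2 Kx=RSA(512)  Au=RSA  Enc=RC4(40)   Mac=MD5  export
DES-CBC-MD5             SSLv2 Kx=RSA       Au=RSA  Enc=DES(56)   Mac=MD5
RC4-64-MD5              SSLv2 Kx=RSA       Au=RSA  Enc=RC4(64)   Mac=MD5
EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=SHA1 export
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH        Au=RSA  Enc=DES(56)   Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH        Au=None Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA       Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA       Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-SHA              TLSv1 Kx=RSA       Au=RSA  Enc=AES(256)  Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA       Au=RSA  Enc=None      Mac=MD5
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$")


def parse_cipher_line(line: str) -> Optional[Dict[str, str]]:
    """One `openssl ciphers -v` line -> field dict, or None for non-matching lines."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def key_bits(enc: str) -> int:
    """'RC4(40)' -> 40; 'None' (no encryption) -> 0."""
    m = re.search(r"\((\d+)\)", enc)
    return int(m.group(1)) if m else 0


def grade(enc: str) -> str:
    """The report's classification: LOW < 128 bits, MEDIUM == 128, HIGH > 128."""
    bits = key_bits(enc)
    if bits == 0:
        return "NULL"
    if bits < 128:
        return "LOW"
    if bits == 128:
        return "MEDIUM"
    return "HIGH"


def problems(c: Dict[str, str]) -> List[str]:
    """Every reason the recommended SSLCipherSuite/SSLProtocol pair rejects this suite."""
    out = []
    g = grade(c["enc"])
    if g in ("LOW", "NULL"):
        out.append(g)                 # !LOW / !eNULL
    if "export" in c["flags"]:
        out.append("EXP")             # !EXP
    if c["au"] == "None":
        out.append("aNULL")           # !aNULL / !ADH: no server authentication, trivially MITM-able
    if c["proto"] == "SSLv2":
        out.append("SSLv2")           # removed by SSLProtocol -ALL +SSLv3 +TLSv1
    return out


def triage(text: str) -> Dict[str, List[str]]:
    """Suite name -> list of problems; an empty list means the suite survives the report's rules."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        c = parse_cipher_line(line)
        if c:
            result[c["name"]] = problems(c)
    return result


if __name__ == "__main__":
    for name, why in triage(SAMPLE).items():
        print(f"{name:24} {'OK' if not why else 'REJECT: ' + ', '.join(why)}")
```

Two caveats on the grading itself, which is the report's and dates from 2003: 3DES counts as HIGH by key length although its effective strength is 112 bits and it is now avoided (Sweet32), and RC4 at 128 bits grades MEDIUM although RC4 has since been prohibited in TLS (RFC 7465). The key-length rule is a floor, not a guarantee.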
Severity 3: Web Server HTTP Trace Method Support Cross Site Tracing Vulnerability
port: 80
Active
QID: 86473   Category: Web server   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
A Web server was detected that supports the HTTP TRACE method. This method allows debugging and connection trace analysis for connections from the client to the Web server. Per the HTTP specification, when this method is used, the Web server echoes back the information sent to it by the client unmodified and unfiltered.

A vulnerability related to this method was discovered. A malicious, active component in a Web page can send TRACE requests to a Web server that supports this method. Usually, browser security disallows access to Web sites outside of the present site's domain. Although unlikely and difficult to achieve, it is possible, in the presence of other browser vulnerabilities, for the active HTML content to make external requests to arbitrary Web servers beyond the hosting Web server. Since the chosen Web server then echoes back the client request unfiltered, the response also includes the cookie-based or Web-based (if logged on) authentication credentials that the browser automatically sent to the specified Web application on the specified Web server.

The significance of the TRACE capability in this vulnerability is that the active component in the page visited by the victim user has no direct access to this authentication information (for example, an HttpOnly cookie or an Authorization header), but obtains it after the target Web server echoes it back as its TRACE response.

Since this vulnerability exists as support for a method defined by the HTTP/1.1 specification (RFC 2616), most common Web servers are vulnerable.

CONSEQUENCES:
If this vulnerability is successfully exploited, users of the Web server may lose their authentication credentials for the server and/or for the Web applications hosted by the server to an attacker. This may be the case even if the Web applications are not vulnerable to cross site scripting attacks due to input validation errors.
SOLUTION:
Solutions for some of the common Web servers are supplied below. For other Web servers, please check your vendor's documentation.

Apache: Recent Apache versions have a Rewrite module that allows HTTP requests to be rewritten or handled in a specific way. Compile the Apache server with the mod_rewrite module. You might need to uncomment the 'AddModule' and 'LoadModule' directives in the httpd.conf configuration file. Add the following lines for each virtual host in your configuration file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

With this configuration, Apache catches all TRACE requests and replies with a page reporting the request as forbidden. None of the original request's contents are echoed back.

A slightly tighter fix is to allow only the methods the site actually needs:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F]

Apache 1.3.34, 2.0.55 and later also provide the "TraceEnable off" directive, which refuses TRACE in the core without mod_rewrite.

Microsoft IIS: Microsoft released URLScan, which can be used to screen all incoming requests based on customized rulesets. URLScan can be used to sanitize or disable TRACE requests from clients. Note that IIS aliases 'TRACK' to 'TRACE'. Therefore, if URLScan is used to specifically block the TRACE method, the TRACK method should also be added to the filter.

URLScan uses the 'urlscan.ini' configuration file, usually in the \System32\InetSrv\URLScan directory. In that file there are two sections, AllowVerbs and DenyVerbs. The former is used if the UseAllowVerbs variable is set to 1; otherwise (if it is set to 0) the DenyVerbs section is used. Either can be used, depending on whether you want a Default-Deny-Explicit-Allow or a Default-Allow-Explicit-Deny policy. To disallow the TRACE and TRACK methods through URLScan, first remove 'TRACK' and 'TRACE' from the 'AllowVerbs' section and add them to the 'DenyVerbs' section. With this, URLScan will disallow all 'TRACE' and 'TRACK' requests and generate an error page for all requests using those methods. To enable the changes, restart the 'World Wide Web Publishing Service' from the 'Services' Control Panel item.

Sun ONE/iPlanet Web Server: See Sun's recommendations for disabling the TRACE method.

For more details about other Web servers, see the CERT advisory on cross site tracing.

RESULT:
TRACE / HTTP/1.1
Host: 64.41.134.59
Via: QualysTest

HTTP/1.1 200 OK
Date: Wed, 15 Oct 2003 18:16:54 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01 mod_throttle/3.1.2
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE / HTTP/1.1
Host: 64.41.134.59
Via: QualysTest
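The exchange above is the whole test: send a TRACE with a marker header and see whether the server echoes it back with status 200 and Content-Type message/http. The script below is an added example, not Qualys code, that reproduces the probe and judges the reply. It is written so the decision logic can be exercised offline against the captured response (reconstructed here with CRLF line endings and the chunked body that the headers imply); the live probe at the end needs network access and is not run here. A random canary replaces the fixed "Via: QualysTest" so the verdict cannot be fooled by a server that returns a canned 200 page for unknown methods, and IIS's TRACK alias can be tested by passing the method.

```python
"""Probe for HTTP TRACE/TRACK and decide from the raw reply whether it is enabled.

Added example, not part of the Qualys report.  Standard library only.
"""
import os
import socket
from typing import Dict, Tuple

# Request echoed in the RESULT section above; CAPTURED rebuilds the server's
# reply with the chunked framing its headers announce (reconstruction).
ECHO = b"TRACE / HTTP/1.1\r\nHost: 64.41.134.59\r\nVia: QualysTest\r\n\r\n"
CAPTURED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 15 Oct 2003 18:16:54 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 "
    b"mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01 mod_throttle/3.1.2\r\n"
    b"Connection: close\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    + f"{len(ECHO):x}".encode() + b"\r\n" + ECHO + b"\r\n0\r\n\r\n"
)


def build_probe(host: str, canary: str, method: bytes = b"TRACE") -> bytes:
    """The scanner's request, with `canary` in the Via header as the marker to look for."""
    return (method + b" / HTTP/1.1\r\n"
            + b"Host: " + host.encode() + b"\r\n"
            + b"Via: " + canary.encode() + b"\r\n"
            + b"Connection: close\r\n\r\n")


def dechunk(data: bytes) -> bytes:
    """Minimal chunked-transfer decoder: size lines in hex, data, CRLF, until a zero chunk."""
    out = b""
    while True:
        line, _, rest = data.partition(b"\r\n")
        size = int(line.split(b";")[0].strip() or b"0", 16)
        if size == 0:
            return out
        out += rest[:size]
        data = rest[size + 2:]          # skip the chunk and its trailing CRLF


def split_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """(status code, lower-cased headers, body with chunking removed)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode()] = v.strip().decode(errors="replace")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def trace_enabled(raw: bytes, canary: str) -> bool:
    """TRACE is on if the server answered 200 and either labelled the body as an
    echoed request (message/http) or visibly echoed our canary header."""
    status, headers, body = split_response(raw)
    echoed = canary.encode() in body
    return status == 200 and (headers.get("content-type", "").startswith("message/http") or echoed)


def probe(host: str, port: int = 80, method: bytes = b"TRACE", timeout: float = 5.0) -> bool:
    """Live check over plain TCP (network required; wrap the socket in ssl for port 443)."""
    canary = os.urandom(8).hex()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, canary, method))
        raw = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return trace_enabled(raw, canary)


if __name__ == "__main__":
    print("captured reply shows TRACE enabled:", trace_enabled(CAPTURED, "QualysTest"))
```

After applying one of the fixes in the SOLUTION section, the same probe should come back 403 (the mod_rewrite rules) or 405 (TraceEnable off), and trace_enabled() returns False for either. Run it with method=b"TRACK" as well when the target is IIS.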
Severity 3: OpenSSH Key-Based Source IP Access Control Bypass Vulnerability
port: 22
Active
QID: 38069   Category: General remote services   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:

OpenSSH is a widely deployed implementation of the SSH protocol for secure remote access and command execution.

One of the features offered by OpenSSH is per-key access control based on the client's source IP (the "from=" option in authorized_keys). This feature contains a bug that may allow malicious users to bypass some of that access control and log in from unauthorized hosts.

CONSEQUENCES:
By exploiting this vulnerability, it may be possible for malicious users to bypass key-based access controls.
SOLUTION:
The OpenSSH development team released an upgrade. They also released a source code patch, which you can download from the following FTP link:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.1.tgz
RESULT:
SSH-1.99-OpenSSH_2.9p2
Severity 3: OpenSSH-portable Enabled PAM Delay Information Disclosure Vulnerability
port: 22
Active
QID: 38190   Category: General remote services   CVE ID: CAN-2003-0190
First Detected: 08/20/2003 at 15:33:42   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 2
DESCRIPTION:
OpenSSH-portable with PAM support enabled is prone to an issue that results in the disclosure of sensitive information. This issue has been reported to exist only for OpenSSH-portable on Linux systems. Specifically, PAM support must be enabled and the pam_unix module must be applying its failure delay (i.e., it must not be configured with the "nodelay" option).

A timing attack has been described in OpenSSH-portable that may assist a remote user in enumerating usernames. It has been demonstrated that analysis of the response time during authentication may give a remote user some indication as to whether or not the supplied username is valid: an attempt against a non-existent account is rejected at once, while an attempt against an existing account is delayed by PAM. Exploitation is possible because OpenSSH does not sufficiently randomize or pad response times.

CONSEQUENCES:
An attacker can exploit this vulnerability to gather usernames, which can be used in further attacks against the vulnerable machine.
SOLUTION:
This vulnerability is fixed in OpenSSH Version 3.6.1p2. Upgrade to the latest version, which is available for download from OpenSSH's Web site.

A suggested workaround, which will mitigate but not completely eliminate the issue, is to add the "nodelay" option to the pam_unix.so auth line of the sshd PAM configuration file (typically /etc/pam.d/sshd).

RESULT:
Found using username root
Severity 3: OpenSSH Remote Root Authentication Timing Side-Channel Weakness
port: 22
Active
QID: 38191   Category: General remote services   CVE ID: N/A
First Detected: 08/20/2003 at 15:33:42   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 2
DESCRIPTION:
OpenSSH-portable with PermitRootLogin disabled is prone to an issue that will result in the disclosure of sensitive information.

A timing attack has been described in OpenSSH-portable that could assist a remote user in guessing the administrative password. This issue has been reported to exist in OpenSSH-portable on Linux systems, though it may affect other platforms and versions. Specifically, PermitRootLogin must be disabled, and the attacker must be able to reach the SSH daemon. Because the daemon still verifies the supplied root password before refusing the login, the response time differs between a correct and an incorrect guess.

CONSEQUENCES:
An attacker can exploit this vulnerability to learn whether a guessed root password is correct even though root login is refused, and so brute-force the administrative password more intelligently.
SOLUTION:
This vulnerability is fixed in OpenSSH Version 3.6.1p2. Upgrade to the latest version, which is available for download from OpenSSH's Web site.
RESULT:
Found using username root
Severity 2: UDP Constant IP Identification Field Fingerprinting Vulnerability
Active
QID: 82024   Category: TCP/IP   CVE ID: CAN-2002-0510
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
The host transmits UDP packets with a constant IP Identification field. This behavior may be exploited to discover the operating system and approximate kernel version of the vulnerable system.

Normally, the IP Identification field is intended to be a reasonably unique value, and is used to reconstruct fragmented packets. It has been reported that in some versions of the 2.4 Linux kernel IP stack implementation, UDP packets with the Don't Fragment bit set are transmitted with a constant IP Identification field of 0.

CONSEQUENCES:
By exploiting this vulnerability, a malicious user can discover the operating system and approximate kernel version of the host. This information can then be used in further attacks against the host.
SOLUTION:
We are not currently aware of any fixes for this issue.
RESULT:
IP_ID=0
Severity 2: SSL Certificate - Self-Signed Certificate
port: 443
Active
QID: 38169   Category: General remote services   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.

The client can trust that the Server Certificate belongs to the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.

By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. Clients that have been conditioned to accept the server's untrusted certificate will accept the spoofed one too and communicate with the attacker's server.

CONSEQUENCES:
By exploiting this vulnerability, an attacker can launch a man-in-the-middle attack.
SOLUTION:
Please install a server certificate signed by a trusted third-party Certificate Authority.
RESULT:
Certificate #0
Severity 2: SSL Certificate - Subject Common Name Does Not Match Server FQDN
port: 443
Active
QID: 38170   Category: General remote services   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.

A certificate whose Subject commonName or subjectAltName does not match the server FQDN offers only encryption without authentication.

CONSEQUENCES:
A man-in-the-middle attacker can exploit this vulnerability in tandem with a DNS cache poisoning attack to lure the client to another server, and then read all of the supposedly encrypted communication.
SOLUTION:
Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN.
RESULT:
Certificate #0
(localhost.localdomain) does not resolve.
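The finding above comes down to one question a client has to answer: does any name in the certificate cover the host it connected to? The function below is an added example, not Qualys code, of the matching rules a client applies (the RFC 6125 rules: subjectAltName entries take precedence, the Subject CN is only a fallback when there is no dNSName SAN, a wildcard may replace only the whole left-most label and never a public suffix, and an IP literal such as the 64.41.134.59 the scanner connected to can only be matched by an iPAddress SAN). It works on already-extracted names, so it runs offline; the sample names are taken from the result above and constructed for the other cases.

```python
"""Do a certificate's names cover the host the client actually connected to?

Added example, not part of the Qualys report.  Pure standard library; the
caller supplies the names already extracted from the certificate.
"""
import ipaddress
from typing import List, Optional, Tuple


def _label_match(pattern: str, label: str) -> bool:
    if pattern == "*":
        return True
    if "*" not in pattern:
        return pattern == label
    # Partial wildcards such as f*o are permitted by RFC 6125 but refused by
    # most browsers; refuse them here as well.
    return False


def dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive match of one dNSName/CN pattern against a host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False                      # a wildcard never spans more than one label
    if "*" in pattern and len(p) < 3:
        return False                      # no "*.com" style wildcards
    if any("*" in lab for lab in p[1:]):
        return False                      # wildcard only in the left-most label
    return all(_label_match(a, b) for a, b in zip(p, h))


def names_cover_host(subject_cn: Optional[str], san_dns: List[str],
                     san_ip: List[str], host: str) -> Tuple[bool, str]:
    """(matched, reason).  `host` is the name or IP literal used to connect."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for entry in san_ip:
            if ipaddress.ip_address(entry) == ip:
                return True, f"iPAddress SAN {entry}"
        return False, "host is an IP literal and no iPAddress SAN matches"
    if san_dns:
        for entry in san_dns:
            if dns_match(entry, host):
                return True, f"dNSName SAN {entry}"
        return False, "dNSName SANs present but none match; CN is ignored when SANs exist"
    if subject_cn and dns_match(subject_cn, host):
        return True, f"Subject CN {subject_cn} (no SAN present)"
    return False, "Subject CN does not match and certificate has no SAN"


if __name__ == "__main__":
    # The report's case: CN localhost.localdomain, no SAN, scanned by IP.
    print(names_cover_host("localhost.localdomain", [], [], "64.41.134.59"))
```

In application code you do not reimplement this: ssl.create_default_context() in Python performs the same check when check_hostname is left enabled. The point of spelling it out is to see why the report's certificate fails twice over, once because its only name is localhost.localdomain and once because a name of any kind cannot satisfy a client that connected by IP address.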
Severity 2: SSL Certificate - Signature Verification Failed Vulnerability
port: 443
Active
QID: 38173   Category: General remote services   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the certificate is signed by a trusted third-party Certificate Authority.

If a client is unable to verify the certificate, it can abort the communication or prompt the user to continue the communication without authentication.

CONSEQUENCES:
By exploiting this vulnerability, man-in-the-middle attacks in tandem with DNS cache poisoning can occur.

Exception:
If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature.

SOLUTION:
Please install a server certificate signed by a trusted third-party Certificate Authority.
RESULT:
Certificate #0
self signed certificate
Severity 2: SSL Certificate - Improper Usage Vulnerability
port: 443
Active
QID: 38172   Category: General remote services   CVE ID: N/A
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.

The basicConstraints extension of the certificate may specify whether it is a Certificate Authority (CA) certificate. Also, the keyUsage field in the X509v3 extensions section of the certificate, if present, may restrict the usage of the certificate.

In general, a server public key should not be used for Certificate or CRL signing, and a client or CA certificate should not be used as a server certificate.

CONSEQUENCES:
If the keyUsage or the basicConstraints extension is marked critical in the certificate, the client may abort the communication if the usage validation fails.
SOLUTION:
Please install a server certificate with correct usage.
RESULT:
Certificate #0
Severity 2: Web Server Brute Force Discovery of Unix Account Names Vulnerability
port: 80
Active
QID: 5001   Category: Brute Force Attack   CVE ID: CAN-2001-1013
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
When a request for a user's home directory is made (http://your.host/~user), certain servers (such as Apache Versions 1.3.12 and 1.3.9) return a different reply depending on whether the account "user" exists on the host or not.

If a request is made for an account that exists on the host, a 403 error is returned. If a request is made for a non-existent account, then a 404 error is returned.

CONSEQUENCES:
Unauthorized remote users can implement brute force attacks on the Web server to guess a valid account name on the server. Even though they may be successful in obtaining a valid account name, they will still have to guess the password. However, if user passwords are weak, some services may also be brute forced.
SOLUTION:
Disable the default-enabled "UserDir" directive. To do so, add the following line to the httpd.conf file:

UserDir Disabled

Apache Versions 1.3.9 and 1.3.12 are vulnerable. Other Web servers may also be vulnerable. There are currently no patches available. We strongly advise you to upgrade to a later version of Apache. Note that the check is behavioural (403 versus 404 for ~user requests), so later versions with UserDir enabled are reported as well, as on this host (Apache 1.3.27).

RESULT:
Account
N. Server
gdm
operator
postgres
root
Severity 2: Web Server Brute Force Discovery of Unix Account Names Vulnerability
port: 443
Active
QID: 5001   Category: Brute Force Attack   CVE ID: CAN-2001-1013
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
When a request for a user's home directory is made (http://your.host/~user), certain servers (such as Apache Versions 1.3.12 and 1.3.9) return a different reply depending on whether the account "user" exists on the host or not.

If a request is made for an account that exists on the host, a 403 error is returned. If a request is made for a non-existent account, then a 404 error is returned.

CONSEQUENCES:
Unauthorized remote users can implement brute force attacks on the Web server to guess a valid account name on the server. Even though they may be successful in obtaining a valid account name, they will still have to guess the password. However, if user passwords are weak, some services may also be brute forced.
SOLUTION:
Disable the default-enabled "UserDir" directive. To do so, add the following line to the httpd.conf file:

UserDir Disabled

Apache Versions 1.3.9 and 1.3.12 are vulnerable. Other Web servers may also be vulnerable. There are currently no patches available. We strongly advise you to upgrade to a later version of Apache. Note that the check is behavioural (403 versus 404 for ~user requests), so later versions with UserDir enabled are reported as well, as on this host (Apache 1.3.27).

RESULT:
Account
N. Server
gdm
operator
postgres
root
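A sweep like the one behind this finding (QID 5001, on both the port 80 and the port 443 instances above) leaves a distinctive trail in the access log: one client requesting many distinct /~name/ paths in quick succession and getting a mix of 403 (account exists) and 404 (no such account). The script below is an added example, not Qualys code, that parses Common/Combined Log Format lines and reports such clients together with the account names they confirmed. The log lines are constructed for this example; the four confirmed names are the ones the scanner found on this host.

```python
"""Detect a ~user enumeration sweep in Apache access logs.

Added example, not part of the Qualys report.  Standard library only.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
USERDIR = re.compile(r"^/~(?P<user>[^/?]+)")

# Constructed sample: one client sweeping ~user paths, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2003:11:35:40 -0700] "GET /~root/ HTTP/1.0" 403 289
203.0.113.7 - - [15/Oct/2003:11:35:40 -0700] "GET /~gdm/ HTTP/1.0" 403 289
203.0.113.7 - - [15/Oct/2003:11:35:41 -0700] "GET /~bin/ HTTP/1.0" 404 282
203.0.113.7 - - [15/Oct/2003:11:35:41 -0700] "GET /~postgres/ HTTP/1.0" 403 289
203.0.113.7 - - [15/Oct/2003:11:35:41 -0700] "GET /~alice/ HTTP/1.0" 404 282
203.0.113.7 - - [15/Oct/2003:11:35:42 -0700] "GET /~operator/ HTTP/1.0" 403 289
203.0.113.7 - - [15/Oct/2003:11:35:42 -0700] "GET /~bob/ HTTP/1.0" 404 282
198.51.100.9 - - [15/Oct/2003:11:36:02 -0700] "GET /index.html HTTP/1.1" 200 1234
198.51.100.9 - - [15/Oct/2003:11:36:03 -0700] "GET /~root/ HTTP/1.1" 403 289
"""


def parse_log_line(line: str) -> Optional[dict]:
    """One CLF/combined line -> dict with ip, ts, method, path, status (int); None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def userdir_sweeps(log: str, min_names: int = 5) -> Dict[str, Dict[str, List[str]]]:
    """ip -> {"exists": names answered 403, "absent": names answered 404} for every
    client that probed at least `min_names` distinct ~user paths.  The threshold
    counts distinct names rather than the 403/404 split, so a sweep against a server
    with UserDir already disabled (all 404) is still reported."""
    seen: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: {"exists": [], "absent": []})
    for line in log.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        m = USERDIR.match(rec["path"])
        if m is None:
            continue
        if rec["status"] == 403:
            seen[rec["ip"]]["exists"].append(m.group("user"))
        elif rec["status"] == 404:
            seen[rec["ip"]]["absent"].append(m.group("user"))
    return {ip: v for ip, v in seen.items()
            if len(set(v["exists"]) | set(v["absent"])) >= min_names}


if __name__ == "__main__":
    for ip, names in userdir_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: confirmed {names['exists']}, rejected {names['absent']}")
```

The "exists" list is exactly the information the finding says leaks; after "UserDir Disabled" is in place, the same sweep produces only "absent" entries, which is the check that the fix took effect.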
Severity 1: ICMP Timestamp Request
Active
QID: 82003   Category: TCP/IP   CVE ID: CAN-1999-0524
First Detected: 03/26/2003 at 12:21:53   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 5
DESCRIPTION:
ICMP (Internet Control Message Protocol) is a protocol encapsulated in IP packets. Its principal purpose is to provide a protocol layer able to inform gateways of the inter-connectivity and accessibility of other gateways or hosts. "ping" is a well-known program for determining if a host is up or down. It uses ICMP echo packets. ICMP timestamp packets are used to synchronize clocks between hosts.
CONSEQUENCES:
Unauthorized users can obtain information about your network by sending ICMP timestamp packets. For example, the internal system clock should not be disclosed, since some internal daemons use this value to calculate ID or sequence numbers (e.g., on SunOS servers).
SOLUTION:
You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at the firewall level. Some system administrators choose to filter most types of ICMP messages for various reasons. For example, they may want to protect their internal hosts from ICMP-based Denial Of Service attacks, such as the Ping of Death or Smurf attacks.

However, you should never filter ALL ICMP messages, as some of them ("Fragmentation Needed", "Destination Unreachable", "Source Quench", etc.) are necessary for proper behavior of Operating System TCP/IP stacks, in particular for path MTU discovery.

It may be wiser to contact your network consultants for advice, since this issue impacts your overall network reliability and security.

RESULT:
time stamp of host: 18:15:44 GMT
Severity 1: Apache Web Server ETag Header Information Disclosure Weakness
port: 80
Active
QID: 86477   Category: Web server   CVE ID: N/A
First Detected: 05/16/2003 at 13:10:40   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 4
DESCRIPTION:
The Apache HTTP Server is a popular, open-source HTTP server for multiple platforms, including Windows, Unix, and Linux.

A cache management feature for Apache makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document relating to a file, an ETag response header is returned containing various file attributes for caching purposes. ETag information allows subsequent conditional requests to refer to that specific version of the file, and by default it includes the file's inode number.

A weakness has been found in the generation of ETag headers under certain configurations implementing the FileETag directive. Among the file attributes included in the header is the file inode number that is returned to a client. In Apache Versions 1.3.22 and earlier, it is not possible to disable inodes in ETag headers. In later versions, the default behavior is still to release this sensitive information.

CONSEQUENCES:
This vulnerability poses a security risk, as the disclosure of inode information may aid in launching attacks against other network-based services. For instance, NFS uses inode numbers to generate file handles.
SOLUTION:
OpenBSD has released a patch that fixes this vulnerability. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.

In Apache Version 1.3.23 and later, it is possible to configure the FileETag directive to generate ETag headers without inode information. To do so, include "FileETag -INode" in the Apache server configuration file for a specific directory.

In order to fix this vulnerability globally for the Web server, use the option "FileETag None". Use the option "FileETag MTime Size" if you just want to remove the inode information while keeping ETags for caching. (Apache 2.4 ships with "MTime Size" as its default.)

RESULT:
"41812c-b4a-3db6f019"
Severity 1: Apache Web Server ETag Header Information Disclosure Weakness
port: 443
Active
QID: 86477   Category: Web server   CVE ID: N/A
First Detected: 05/16/2003 at 13:10:40   Last Detected: 10/15/2003 at 11:35:40   Times Detected: 4
DESCRIPTION:
The Apache HTTP Server is a popular, open-source HTT= P server for multiple platforms, including Windows, Unix, and Linux.

A cache management feature for Apache makes use of an entity tag (ETag) hea= der. When this option is enabled and a request is made for a document relat= ing to a file, an ETag response header is returned containing various file = attributes for caching purposes. ETag information allows subsequent file re= quests to contain specific information, such as the file's inode number.

A weakness has been found in the generation of ETag headers under certain c= onfigurations implementing the FileETag directive. Among the file attribute= s included in the header is the file inode number that is returned to a cli= ent. In Apache Versions 1.3.22 and earlier, it's not possible to disable in= odes in in ETag headers. In later versions, the default behavior is to rele= ase this sensitive information.

CONSEQUENCES:
= This vulnerability poses a security risk, as the disclosure of inode inform= ation may aid in launching attacks against other network-based services. Fo= r instance, NFS uses inode numbers to generate file handles.
SOLUTION:
OpenBSD has released a patch that fixes this vulnerability. After installing the patch, inode numbers returned from the server are encoded using a private hash to avoid the release of sensitive information.

In Apache Version 1.3.23 and later, it's possible to configure the FileETag directive to generate ETag headers without inode information. To do so, include "FileETag -INode" in the Apache server configuration file for a specific subdirectory.

In order to fix this vulnerability globally, for the Web server, use the option "FileETag None". Use the option "FileETag MTime Size" if you just want to remove the Inode information.

RESULT:
"41812c-b4a-3db6f019"
5
OpenSSL SSLv2 Malformed Client Key Remote Buffer Overflow Vulnerability
port:443
Fixed
QID:38123   Category:General remote services   CVE ID:CAN-2002-0656
First Detected:03/26/2003 at 12:21:53   Last Detected:06/12/2003 at 12:54:53   Times Detected:3
DESCRIPTION:
OpenSSL is a widely deployed, open-source implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. The SSL and TLS protocols are used to provide a secure connection between a client and a server for higher level protocols, such as HTTP.

Versions of OpenSSL servers prior to 0.9.6e and pre-release version 0.9.7-beta2 contain a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by a client using a malformed key during the handshake process with an SSL server connection. Note that only SSLv2-supported sessions are affected by this issue.

Please refer to the OpenSSL advisory for more information.

NOTE
Apache users should not rely on the OpenSSL version reported in the Server header field. This just indicates the version of OpenSSL that the Apache source code was compiled with. At runtime, Apache may link against a vulnerable version of OpenSSL installed on the server machine.

CONSEQUENCES:
By exploiting this buffer overflow vulnerability, a remote attacker can execute arbitrary code on a vulnerable server or cause a denial of service condition.
SOLUTION:
This issue has been resolved in OpenSSL 0.9.6g and OpenSSL 0.9.7.

See available patches below:
Patch for OpenSSL 0.9.6d
Patch for OpenSSL 0.9.7 beta 2

RESULT:
No results available
5
Apache Chunked-Encoding Memory Corruption Vulnerability
port: 80
Fixed
QID:86352   Category:Web server   CVE ID:CVE-2002-0392
First Detected:03/26/2003 at 12:21:53   Last Detected:06/12/2003 at 12:54:53   Times Detected:3
DESCRIPTION:
Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. Various products, such as StrongHold, Oracle 9iAS and IBM Websphere, use or bundle Apache.

The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerability has been discovered in the Apache implementation of 'Chunked Encoding'. When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is due to improper (signed) interpretation of an unsigned integer value.

On Windows and Netware platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process to crash on these platforms may result in a denial of service.

CONSEQUENCES:
This vulnerability can be exploited by an attacker to cause a Denial of Service and even execute arbitrary code on the vulnerable machine.
SOLUTION:
This vulnerability has been fixed in Apache 1.3.26 and Apache 2.0.37. Please upgrade to the latest version.

An efix (via APAR PQ62369) is available for IHS from the IBM HTTP Server Downloads webpage.

A complete list of vendor status and fixes can be found in CERT advisory CA-2002-17.

RESULT:
No results available
5
Apache Chunked-Encoding Memory Corruption Vulnerability
port: 443
Fixed
QID:86352   Category:Web server   CVE ID:CVE-2002-0392
First Detected:03/26/2003 at 12:21:53   Last Detected:06/12/2003 at 12:54:53   Times Detected:3
DESCRIPTION:
Apache is a freely available Web server for Unix and Linux variants, as well as Microsoft operating systems. Various products, such as StrongHold, Oracle 9iAS and IBM Websphere, use or bundle Apache.

The HTTP protocol specifies a method of data coding called 'Chunked Encoding', designed to facilitate fragmentation of HTTP requests in transit. A vulnerability has been discovered in the Apache implementation of 'Chunked Encoding'. When processing requests coded with the 'Chunked Encoding' mechanism, Apache fails to properly calculate required buffer sizes. This is due to improper (signed) interpretation of an unsigned integer value.

On Windows and Netware platforms, Apache uses threads within a single server process to handle concurrent connections. Causing the server process to crash on these platforms may result in a denial of service.

CONSEQUENCES:
This vulnerability can be exploited by an attacker to cause a Denial of Service and even execute arbitrary code on the vulnerable machine.
SOLUTION:
This vulnerability has been fixed in Apache 1.3.26 and Apache 2.0.37. Please upgrade to the latest version.

An efix (via APAR PQ62369) is available for IHS from the IBM HTTP Server Downloads webpage.

A complete list of vendor status and fixes can be found in CERT advisory CA-2002-17.

RESULT:
No results available
5
WU-FTPd File Globbing Heap Corruption Vulnerability
port:21
Fixed
QID:27126   Category:File Transfer Protocol   CVE ID:CVE-2001-0550
First Detected:03/26/2003 at 12:21:53   Last Detected:03/26/2003 at 12:21:53   Times Detected:1
DESCRIPTION:
WU-FTPd is a popular Unix FTP server. It's based on the BSD FTPd, which is maintained by Washington University.

WU-FTPd allows clients to organize files for FTP actions based on "file globbing" patterns. File globbing is also used by various shells. The implementation of file globbing included in WU-FTPd contains a heap corruption vulnerability that may allow a malicious remote user to execute arbitrary code on a server.

During the processing of a globbing pattern, the WU-FTPd implementation creates a list of the files that match. The memory where this data is stored is on the heap, allocated using malloc(). The globbing function simply returns a pointer to the list. It is up to the calling functions to free the allocated memory. If an error occurs processing the pattern, memory will not be allocated and a variable indicating this should be set. The calling functions must check the value of this variable before attempting to use the globbed filenames (and later freeing the memory).

Under certain circumstances, the globbing function does not set this variable when an error occurs. As a result of this, WU-FTPd will eventually attempt to free uninitialized memory. If this region of memory contained user-controllable data before the free call, it may be possible to have an arbitrary word in memory overwritten with an arbitrary value. This can lead to execution of arbitrary code if function pointers or return addresses are overwritten.

If anonymous FTP is not enabled, then valid user credentials are required to exploit this vulnerability.

CONSEQUENCES:
If successfully exploited, a remote malicious user may be able to execute arbitrary code with the privileges of WU-FTPd, typically root.
SOLUTION:
Do any of the following:
  • Apply the patch supplied by your vendor. Alternatively, apply the patch provided by WU-FTPd.
  • Block or restrict access to the port used by WU-FTPd, typically 21/tcp. It may be possible to use TCP Wrapper or a similar technology to provide improved access control and logging. Additionally, an application-level firewall may be able to filter requests made to WU-FTPd.
  • Disable anonymous FTP access.
  • Disable WU-FTPd until a patch can be applied.
RESULT:
No results available
4
OpenSSL ASN.1 Parsing Error Denial of Service Vulnerability
port:443
Fixed
QID:38124   Category:General remote services   CVE ID:CAN-2002-0659
First Detected:03/26/2003 at 12:21:53   Last Detected:06/12/2003 at 12:54:53   Times Detected:3
DESCRIPTION:
OpenSSL is a widely deployed, open source implementation of the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The SSL and TLS protocols are used to provide a secure connection between a client and a server for higher level protocols such as HTTP.

The ASN.1 library used by OpenSSL has various encoding errors that allow malformed certificate encodings to be parsed incorrectly. Exploitation of this vulnerability can lead to remote denial-of-service issues. Routines affected include those supporting SSL and TLS applications, as well as those supporting S/MIME, PKCS#7, and certificate creation.

Please refer to the OpenSSL advisory for more information.

CONSEQUENCES:
Exploitation of the ASN.1 encoding errors can lead to a denial of service.
SOLUTION:
This issue has been resolved in OpenSSL 0.9.6e and OpenSSL 0.9.7 beta3.

Patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt
Patches for OpenSSL 0.9.7 beta 2:
http://www.openssl.org/news/patch_20020730_0_9_7.txt

RESULT:
No results available
4
OpenSSL ASCII Representation Of Integers Buffer Overflow Vulnerability
port:443
Fixed
QID:38125   Category:General remote services   CVE ID:CAN-2002-0655
First Detected:03/26/2003 at 12:21:53   Last Detected:06/12/2003 at 12:54:53   Times Detected:3
DESCRIPTION:
OpenSSL is an open-source implementation of the SSL protocol. It is used by a number of other projects, including but not restricted to Apache, Sendmail, and Bind. It is commonly found on Linux and Unix based systems.

Remotely exploitable buffer overflow conditions have been reported in OpenSSL. This issue is due to insufficient checking of bounds with regards to ASCII representations of integers on 64-bit platforms. It is possible to overflow these buffers on a vulnerable system if overly large values are submitted by a malicious user.

CONSEQUENCES:
Exploitation of this vulnerability may allow execution of arbitrary code with the privileges of the vulnerable application, service, or client.
SOLUTION:
This issue was resolved in OpenSSL 0.9.6e and OpenSSL 0.9.7 beta3.

Patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt

Patches for OpenSSL 0.9.7 beta 2:
http://www.openssl.org/news/patch_20020730_0_9_7.txt

RESULT:
No results available
3
Web Server HTTP Trace Method Support Cross Site Tracing Vulnerability
port: 443
Fixed