Your Company Vulnerability Descriptions - April 2003

Vulnerability Statistics

12  High risk vulnerabilities found.
17  Medium risk vulnerabilities found.
24  Low risk vulnerabilities found.
 7  New vulnerabilities found.

 7  Hosts (37%) had high risk vulnerabilities.
 4  Hosts (21%) had medium risk vulnerabilities.
 1  Hosts (5%) had low risk vulnerabilities.
12  Hosts (63%) had vulnerabilities.
 7  Hosts (37%) had no vulnerabilities.

Scan Type: Enterprise
Start Date: 13-Apr-03 11:30
End Date: 13-Apr-03 16:43
Hosts Scanned: 19
New Hosts: 1



Vulnerability 10264 SNMP Default Community Names (3 Servers, High Risk)
Description The SNMP agent on the remote host accepts one or more default or easily guessed community strings. This lets an attacker read a large amount of information about the host and its network (interfaces, routing tables, running processes, installed software) and, if the string grants write access, change the configuration of the server. Note that in SNMPv1 and v2c the community string travels in the clear, so even a strong one can be sniffed by anyone on the path. A sample of the information that can be extracted:
[For specific url or description click server link below.]
Solution Change the community strings to something unguessable, restrict the addresses the agent will answer, disable the agent entirely where it is not needed, and prefer SNMPv3 where the equipment supports it.
References CAN-1999-0517    CAN-1999-0254    CAN-1999-0516    CAN-1999-0186   
Servers dns0.example.com (192.168.0.110) [Feb 2003] www.your_company.fr (192.168.0.105) NEW
www.your_company.nl (192.168.0.103) [Jul 2002]  
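The check behind this finding, as an added example that is not code from this report or its scanning vendor: it hand-encodes the BER of an SNMPv1 GetRequest for sysDescr.0 so the wire format is visible, decodes the GetResponse, and tries a list of community strings in turn. The community list is a constructed sample, not the scanner's list; the host addresses in the usage note are the report's own.

```python
"""Probe an SNMPv1 agent with a list of default community strings.

Added example for the SNMP Default Community Names finding; it is not
code from this report or its scanning vendor. The BER for an SNMPv1
GetRequest of sysDescr.0 is encoded by hand so the wire format is
visible, and the GetResponse is decoded the same way. The community
list is a constructed sample, not the scanner's list.
"""
import socket

SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)       # MIB-II system.sysDescr.0
DEFAULT_COMMUNITIES = ["public", "private", "admin", "cisco", "manager"]  # constructed sample


def tlv(tag, payload):
    """BER type-length-value; lengths above 127 use the long form."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def ber_int(value):
    """INTEGER in the minimal two's-complement encoding BER requires."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, bytes(body))


def build_get_request(community, oid=SYS_DESCR_OID, request_id=1):
    """Message ::= SEQUENCE { version INTEGER (0 = v1, 1 = v2c), community OCTET STRING, PDU }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")          # SEQUENCE { name, NULL value }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlvs(buf):
    """Yield (tag, value) for each BER element in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                   # long form: next N bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length


def parse_get_response(data):
    """Return (error-status, value bytes) from a GetResponse, or None for anything else."""
    (tag, message), = read_tlvs(data)
    if tag != 0x30:
        return None
    _version, _community, (pdu_tag, pdu) = read_tlvs(message)
    if pdu_tag != 0xA2:                                     # GetResponse-PDU
        return None
    _request_id, (_, error_status), _error_index, (_, varbinds) = read_tlvs(pdu)
    (_, varbind), = read_tlvs(varbinds)                     # we asked for exactly one object
    (_, _oid), (_, value) = read_tlvs(varbind)
    return int.from_bytes(error_status, "big"), value


def probe(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=2.0):
    """Return (community, sysDescr) for the first string the agent answers, else None.

    A v1 agent silently drops requests carrying the wrong community, so a
    timeout is the normal 'no' and every wrong guess costs one full timeout.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for community in communities:
            sock.sendto(build_get_request(community), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
            parsed = parse_get_response(data)
            if parsed and parsed[0] == 0:
                return community, parsed[1].decode("utf-8", errors="replace")
    return None
```

Running probe("192.168.0.110") against dns0.example.com reproduces the finding when a default string is accepted; the same request with a write-capable community and a SetRequest PDU (tag 0xA3) is what makes the configuration-change half of the risk real, which is why the community must be changed rather than just hidden.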

Vulnerability 10481 Unpassworded MySQL (1 Server, High Risk)
Description The MySQL server accepts the administrative (root) account with no password, allowing remote users to execute arbitrary SQL as the database administrator.
Solution Set a password on the root account (and on any other account with an empty password), and restrict access to the MySQL port to trusted hosts.
Servers sql1.manc.yourcompany.com (192.168.1.52) [Apr 2003]  

Vulnerability 10605 BIND < 8.2.3 TSIG Overflow (1 Server, High Risk)
Description According to its version number, the remote BIND server contains a vulnerability in its transaction signature (TSIG) handling code. A remote attacker with no authentication can use this to crash the server, or execute arbitrary code with the permissions of the name service (root, unless named has been configured to run as an unprivileged user).
Solution Upgrade to an unaffected version, or apply a patch. Running named as an unprivileged user in a chroot limits the impact of this class of flaw.
References CVE-2001-0010    CVE-2001-0011    CVE-2001-0013    CVE-2001-0012   
Servers dns0.example.com (192.168.0.110) [Mar 2003]  

Vulnerability 11030 Apache < 1.3.25 Chunked Encoding Vulnerability (1 Server, High Risk)
Description The remote host is running a version of Apache older than 1.3.25 or 2.0.37. These versions mishandle chunked transfer encoding, leading to a buffer overflow that crashes the server process. Remote users with no special permissions may be able to execute arbitrary code with the permissions of the web server.
Solution Upgrade to an unaffected version (Apache 1.3.26 or 2.0.37 or newer; 1.3.25 was never released).
References CVE-2002-0392    Apache Security Alert    CERT Advisory CA-2002-17   
Servers www.example.com (192.168.0.112) [Oct 2002]  

Vulnerability 11039 mod_ssl < 2.8.10 off by one Vulnerability (1 Server, High Risk)
Description The remote host is using a version of mod_ssl older than 2.8.10. This version has an "off by one" buffer overflow in its handling of .htaccess files. Remote users with no special privileges can use this to crash the server, and users who also have write access to .htaccess files may be able to execute arbitrary code with the permissions of the web server.
Solution Upgrade to version 2.8.10 or newer.
References CVE-2002-0653    Securiteam advisory   
Servers www.example.com (192.168.0.112) [Oct 2002]  

Vulnerability 11299 MySQL < 3.23.55 Double Free (1 Server, High Risk)
Description According to its banner, the MySQL service on this host is vulnerable to a double free bug in its handling of a change-user request. This allows a remote attacker with a valid login to crash the server, and may allow them to execute arbitrary commands as the owner of the process.
Solution Upgrade to 3.23.55 or newer, or apply a patch.
References CAN-2003-0150    CVE-2003-0073
Servers sql2.manc.yourcompany.com (192.168.1.53) [Nov 2002]

Vulnerability 11316 Sendmail < 8.12.8 Header Buffer Overflow (1 Server, High Risk)
Description According to its banner, the remote sendmail server is vulnerable to a buffer overflow in its header parsing code. This allows remote users to crash the service, and may allow them to execute arbitrary commands as the owner of the sendmail process, usually root. It may also be vulnerable to a flaw in smrsh which allows local users to escalate their privileges.  
Solution Upgrade to 8.12.8 or newer, or apply a patch 
References CVE-2001-1349    CVE-2002-1337    CAN-2002-1165   
Servers mail.example.com (192.168.0.111) [Nov 2002]  

Vulnerability 11378 MySQL < 3.23.56 Privilege Escalation (2 Servers, High Risk)
Description According to its banner, this MySQL server is running a version older than 3.23.56. This allows a database user (local or remote) who holds the FILE privilege to write files as the MySQL process owner using "SELECT ... INTO OUTFILE", including a my.cnf in the data directory that the server reads on restart. Setting options there (for example the user the server runs as) can be used to escalate privileges.
Solution Upgrade to an unaffected version, or apply a patch. Until then, grant the FILE privilege only to accounts that need it.
References CAN-2003-0150
Servers sql1.manc.yourcompany.com (192.168.1.52) [Mar 2002] sql2.manc.yourcompany.com (192.168.1.53) [Dec 2002]

Vulnerability 11424 IIS WebDAV Buffer Overrun (1 Server, High Risk)
Description The remote web server is an IIS server with WebDAV enabled. It may be vulnerable to a buffer overrun in the Windows component (ntdll.dll) that handles an overlong WebDAV request. On an unpatched Windows 2000 server, a remote attacker with no authentication could use this to crash the server or execute arbitrary code in the Local System context.
Note: This may be a false positive as it is not possible to determine remotely whether the patch has been applied.
Solution Apply the patch from Microsoft Security Bulletin MS03-007. In addition we suggest you disable WebDAV where it is not needed by setting the DisableWebDAV registry value (DWORD, 1) under HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters, as described in Microsoft Knowledge Base article Q241520, and restarting IIS. If you do not disable WebDAV then this vulnerability will continue appearing until you stoplist it.
References Microsoft Security Bulletin MS03-007    CAN-2003-0109    CERT Advisory CA-2003-09   
Servers www.your_company.nl (192.168.0.103) [May 2002]  

Vulnerability 10249 SMTP Server Allows VRFY/EXPN (1 Server, Medium Risk)
Description The remote SMTP server allows the VRFY and/or EXPN commands. These can be used to check the validity of accounts, find the delivery address of mail aliases, or even determine the full name of a recipient. An attacker could use this information to focus their attacks, or aid social engineering. This leakage is unnecessary so you should turn off these commands.  
Solution If you are using sendmail, add the configuration directive 'PrivacyOptions=goaway'. For other mail daemons, consult the documentation.  
References CAN-1999-0531   
Servers mail.example.com (192.168.0.111) [Mar 2003]  
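The exchange behind this finding, as an added example that is not code from this report or its scanning vendor: a client issues VRFY and EXPN after EHLO and classifies the reply codes, and a constructed stub server stands in for the MTA so the two sides can be seen together. The probe names "postmaster" and "staff", the greeting text and the stub's replies are all constructed.

```python
"""Check whether an SMTP server honours VRFY and EXPN.

Added example for the SMTP Server Allows VRFY/EXPN finding; it is not
code from this report or its scanning vendor. The client speaks just
enough SMTP to issue both commands and classifies the reply codes: 250 or
251 (the address was confirmed) and 550 to 553 (rejected as unknown) both
reveal whether an account or list exists, while 252 ("cannot verify") and
500/502 (disabled) do not. The stub server is constructed for testing and
stands in for a real MTA.
"""
import socket
import threading

PROBE_USER = "postmaster"   # constructed probe names
PROBE_LIST = "staff"


def read_reply(rfile):
    """Read one SMTP reply, joining continuation lines ("250-..."); return (code, text)."""
    lines = []
    while True:
        line = rfile.readline().decode("latin-1").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), " ".join(lines)


def leaks_account_info(code):
    """Only replies that differ between existing and missing names are a leak."""
    return code in (250, 251) or 550 <= code <= 553


def probe(host, port=25, helo="scanner.example", timeout=10.0):
    """Return {"VRFY": (leaks, code, text), "EXPN": (leaks, code, text)}."""
    results = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        read_reply(rfile)                                    # 220 greeting
        sock.sendall(f"EHLO {helo}\r\n".encode())
        read_reply(rfile)                                    # 250 capability list
        for command, argument in (("VRFY", PROBE_USER), ("EXPN", PROBE_LIST)):
            sock.sendall(f"{command} {argument}\r\n".encode())
            code, text = read_reply(rfile)
            results[command] = (leaks_account_info(code), code, text)
        sock.sendall(b"QUIT\r\n")
        read_reply(rfile)                                    # 221
    return results


def run_stub_server(vrfy_reply, expn_reply):
    """Constructed stand-in for the scanned MTA; returns the loopback port it listens on."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        rfile = conn.makefile("rb")
        conn.sendall(b"220 mail.example.com ESMTP\r\n")
        while True:
            line = rfile.readline().decode("latin-1").strip().upper()
            if not line or line.startswith("QUIT"):
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            if line.startswith("EHLO"):
                conn.sendall(b"250-mail.example.com\r\n250 HELP\r\n")
            elif line.startswith("VRFY"):
                conn.sendall(vrfy_reply)
            elif line.startswith("EXPN"):
                conn.sendall(expn_reply)
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")
        conn.close()
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]
```

Against the report's mail host, probe("192.168.0.111") returns which of the two commands still answers. With PrivacyOptions=goaway, sendmail replies 502 to both; with only novrfy it replies 252 to VRFY, which also stops the leak. Postfix has no EXPN at all and turns off VRFY with disable_vrfy_command = yes.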

Vulnerability 10539 Useable Remote Name Server (2 Servers, Medium Risk)
Description The remote name server answered a recursive query from one of our test machines. This allows anyone on the internet to use it to resolve third parties' names. Remote users can also learn about your name lookup patterns, and the server's cache becomes a target for cache poisoning, since an attacker can make it look up names under their control.
Solution Restrict recursive queries to trusted addresses. For servers running BIND, use the allow-recursion or allow-query directives in named.conf; a server that is authoritative only for your zones can have recursion turned off entirely with "recursion no".
References CVE-1999-0024   
Servers www.your_company.fr (192.168.0.105) NEW www.yourcompany.net (192.168.0.102) [May 2002]

Vulnerability 10595 DNS Zone Transfer (1 Server, Medium Risk)
Description The remote name server allows DNS zone transfers (AXFR) to anyone who asks. The full zone is of great use to an attacker trying to learn the topology of your network, since it lists every named host. This configuration may be intentional, but it is usual practice to restrict zone transfers. Here is a sample of the data that can be extracted:
[For specific url or description click server link below.]
Solution Restrict zone transfers to trusted addresses, usually just your slave name servers (for BIND, the allow-transfer directive).
References CAN-1999-0532   
Servers dns0.example.com (192.168.0.110) [Mar 2003]  

Vulnerability 10629 Lotus Domino Anonymous Database Access (1 Server, Medium Risk)
Description We were able to read the following Domino databases from the web server, without any authentication:
[For specific url or description click server link below.]
This usually represents a security risk as the information contained is accessible to anyone on the internet.  
Solution Reconfigure Domino to require authentication for these databases.  
References CAN-2002-0664    CAN-2000-0021   
Servers www.yourcompany.com.my (192.168.0.106) [Feb 2003]  

Vulnerability 10661 .printer ISAPI Filter Enabled (1 Server, Medium Risk)
Description The remote IIS server has the .printer (Internet Printing Protocol) filter enabled. At least one remote vulnerability has been discovered in this filter. To avoid crashing your server, we have not directly tested for the vulnerability and this may not be a real hole. However, as the filter is not usually required, you should turn it off as a matter of good practice.  
Solution If you don't require this filter, disable it. If it is required, make sure the latest patches are applied. 
References Microsoft Security Bulletin MS01-023    CVE-2001-0241   
Servers www.your_company.nl (192.168.0.103) [Feb 2003]  

Vulnerability 10809 Sendmail -bt option (1 Server, Medium Risk)
Description According to its banner, the remote sendmail server may be vulnerable to the -bt overflow attack which allows any local user to execute arbitrary commands as root.
Note: This vulnerability is local only  
Solution Upgrade to an unaffected version, or apply a patch.  
Servers mail.example.com (192.168.0.111) [Feb 2003]  

Vulnerability 10815 Web Server Cross Site Scripting (1 Server, Medium Risk)
Description The remote web server appears to be vulnerable to Cross Site Scripting (XSS) attacks. Certain error or redirect pages include the requested URL, and special characters are not escaped. The vulnerability allows an attacker to insert their own JavaScript/HTML code into a page that a victim's browser then runs with the trust of your site (the same origin), which may enable them to steal session cookies, form details, etc. The cause may be either a bug in your web server software, or an error in your dynamic pages and configuration, e.g. custom error pages. An example of a URL which causes such an attack is:
[For specific url or description click server link below.]
Solution Either fix your dynamic pages and configuration so that any reflected input is HTML-escaped, or upgrade your web server to an unaffected version.
Patches: Allaire/Macromedia JRun, Allaire/Macromedia, Microsoft IIS, Apache, ColdFusion
References General Info    XSS Anatomy    CERT Advisory CA-2000-02    CVE-2002-1060   
Servers www.yourcompany.net (192.168.0.102) [Dec 2002]  

Vulnerability 10991 IIS global.asa Accessible (1 Server, Medium Risk)
Description This web server allows retrieval of the /global.asa file, which may contain sensitive information such as database passwords, physical paths and configuration options. This is usually caused by a missing ISAPI application mapping of the .asa extension to asp.dll, so the file is served as plain text instead of being processed. A sample of your global.asa file:
[For specific url or description click server link below.]
Solution Restore the .asa application mapping to asp.dll, and move any credentials out of global.asa where possible.
Servers www.your_company.nl (192.168.0.103) [Mar 2003]  

Vulnerability 11137 Apache < 1.3.27 multiple vulnerabilities (2 Servers, Medium Risk)
Description According to its banner, the remote web server is running a version of Apache older than 1.3.27. This contains a cross site scripting flaw through the Host: header when UseCanonicalName is Off. There is also a buffer overrun in the ApacheBench (ab) benchmarking client shipped with Apache: if ab is run against a malicious server, a long response may allow arbitrary code execution on the machine running it. A further vulnerability exists in the shared memory scoreboard, but this is only exploitable by a local user.
Solution Upgrade to 1.3.27 or higher.
Workaround: Set UseCanonicalName to On and do not run ab against untrusted servers.
References CAN-2002-0839    CVE-2002-0840    CAN-2002-0843   
Servers www.example.com (192.168.0.112) [Oct 2002] www.yourcompany.co.uk (192.168.0.100) [Nov 2002]

Vulnerability 11574 Portable OpenSSH PAM timing attack (1 Server, Medium Risk)
Description When PAM is used for authentication, versions of portable OpenSSH older than 3.6.1p2 respond at a measurably different speed to valid and invalid user names, so a remote user can tell which accounts exist and then concentrate a password brute force attack on them.
Note: it is not possible to remotely determine if PAM is in use, so this may be a false positive.
Solution Upgrade to a non-affected version.
References CAN-2003-0190
Servers mail.example.com (192.168.0.111) [Mar 2003]  

Vulnerability 11718 Lotus Domino Database Lock DoS (1 Server, Medium Risk)
Description According to its banner, this host is running a vulnerable version of Lotus Domino. It is possible to lock out some databases by requesting them through the web interface with a carefully crafted URL.
Solution Upgrade to an unaffected version, or apply a patch.
References CVE-2001-0954
Servers www.yourcompany.com.my (192.168.0.106) [Jan 2003]

Vulnerability 11842 MySQL < 3.23.58, 4.0.15 Password Overflow (2 Servers, Medium Risk)
Description You are running a version of MySQL older than 3.23.58 or 4.0.15. These contain a buffer overflow in the password handling code: a user with enough rights to alter the stored password hash in the mysql.user table can set it to a carefully crafted overly long value and, when the server next reads it, execute arbitrary code with the privileges of the account the database server runs as.
Solution Upgrade to MySQL 3.23.58 or 4.0.15 or newer.
References CAN-2003-0780   
Servers sql1.manc.yourcompany.com (192.168.1.52) [Mar 2002] sql2.manc.yourcompany.com (192.168.1.53) [Feb 2003]

Vulnerability 12110 OpenSSL < 0.9.6m, 0.9.7d Denial of Service (1 Server, Medium Risk)
Description According to its banner, the remote OpenSSL library is vulnerable to a denial of service attack. A remote attacker with no authentication can crash the service by conducting a deliberately invalid SSL/TLS handshake, for example sending a ChangeCipherSpec message before the key exchange has completed, which triggers a null pointer dereference.
Solution Upgrade to OpenSSL 0.9.6m or 0.9.7d, or apply a patch.
References CAN-2004-0081    CAN-2004-0112    Bugtraq 9899    CAN-2004-0079   
Servers apollo.example.com (192.168.0.81) [Dec 2002]  

Vulnerability 12280 Apache < 1.3.31, 2.0.49 Connection Blocking DoS (1 Server, Medium Risk)
Description The remote host is running a version of Apache older than 1.3.31 or 2.0.49. This version is vulnerable to a denial of service attack in which a remote attacker can block new connections to the server by connecting to a listening socket on a rarely accessed port (when the server listens on multiple sockets on certain platforms). This version is also vulnerable to an input validation error that allows escape character sequences to be injected into Apache log files, which can attack the terminals used to view them.
Solution Upgrade to Apache 1.3.31 or 2.0.49 or newer.
References CVE-2003-0020    Bugtraq 9921    CAN-2004-0174    Bugtraq 9930
Servers www.example.com (192.168.0.112) [Feb 2003]  

Vulnerability 10028 BIND Version Information Leakage (1 Server, Low Risk)
Description It is possible to determine the remote name server's type and version by issuing this query:
    dig version.bind. txt chaos @server
An attacker can use this information to focus their attack strategy.
Solution Use the "version" directive in the options block of named.conf to change this to "unknown".
Servers dns0.example.com (192.168.0.110) [Mar 2003]  

Vulnerability 10077 Microsoft Frontpage Extensions Installed (1 Server, Low Risk)
Description The remote web server appears to be running the Microsoft FrontPage Server Extensions. These have a history of security problems, so you should carefully check that you have the latest patches applied. It is also common for FrontPage extensions to be insecure because they are misconfigured, for example with authoring left open to unauthenticated users.
Solution If you do not require the FrontPage extensions, disable them. If they are required, make sure the latest patches are applied and that authoring is restricted to authenticated users.
References CAN-2000-0114    Microsoft Security Bulletin MS02-018    Microsoft Knowledge Base Q813380    Microsoft Knowledge Base Q813379   
Servers www.your_company.nl (192.168.0.103) [May 2002]  

Vulnerability 10092 FTP Server type and version detected (1 Server, Low Risk)
Description The remote FTP server reveals its type and version in the banner, or in response to SYST. This gives potential attackers additional information about the system, which may help them choose an effective strategy. Versions and types should be omitted where possible.  
Solution Change the login banner to something generic.  
Servers www.example.com (192.168.0.112) NEW  

Vulnerability 10114 Host Responded to ICMP Timestamp Request (3 Serv, Low Risk)
Description The target host responded to an ICMP timestamp request. This allows an attacker to determine the exact time and date set on your server. This information could be used in attacks against time-based authentication protocols.  
Solution Either disable timestamp replies, or filter them at your firewall.  
References CAN-1999-0524   
Servers dns0.example.com (192.168.0.110) NEW mail.example.com (192.168.0.111) NEW
www.your_company.nl (192.168.0.103) NEW  

Vulnerability 10622 PPTP Information Leakage (1 Server, Low Risk)
Description The host appears to be running a PPTP (VPN) service. In its default configuration, the PPTP service leaks information such as the hostname and PPTP version number. An attacker can use this information to focus their attack strategy.
Solution Replace the version strings with "unknown"  
Servers www.yourcompany.com.my (192.168.0.106) [Feb 2003]  

Vulnerability 10719 MySQL Server version (2 Servers, Low Risk)
Description The remote MySQL service reveals its version number. This information may help an attacker choose an effective strategy. Versions should be omitted where possible.  
Solution Change the version number to something generic 
Servers sql1.manc.yourcompany.com (192.168.1.52) [Mar 2002] sql2.manc.yourcompany.com (192.168.1.53) [Feb 2003]

Vulnerability 10759 Private IP Address Leakage (1 Server, Low Risk)
Description The remote web server returned headers containing an RFC 1918 private IP address. This exposes an internal IP address that would usually be masked by a proxy or NAT firewall. The information may be useful to an attacker trying to remotely map your network.
The private IP address is: [For specific url or description click server link below.]  
Solution For IIS issue "adsutil set w3svc/UseHostName True" and restart 
References Bugtraq ID 1499    CAN-2000-0649    Microsoft Knowledge Base Q218180   
Servers www.yourcompany.co.uk (192.168.0.100) [Mar 2003]  

Vulnerability 10766 Apache UserDir information leak (1 Server, Low Risk)
Description An information leak occurs on Apache based web servers whenever the UserDir module is enabled. A request for a non-existent user (e.g. http://server.com/~notauser/) returns a 404 code, while the same request for a user who exists but has no web page returns a 403 code. This allows an attacker to determine which user accounts exist.
Solution mod_rewrite provides a way to get the UserDir functionality without the leak; alternatively, limit UserDir to an explicit list of accounts.
References SecuriTeam advisory    CAN-2001-1013   
Servers apollo.example.com (192.168.0.81) [Dec 2002]  

Vulnerability 10882 SSH Protocol Version 1 Enabled (2 Servers, Low Risk)
Description The remote SSH daemon allows connections using version 1.33 or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. They allow a passive eavesdropper to extract information, including the lengths of passwords and commands, and the ciphers being used.  
Solution OpenSSH : Set the 'Protocol' option to '2'
SSH.com : Set the 'Ssh1Compatibility' option to 'no' 
References CAN-2001-0572   
Servers mail.example.com (192.168.0.111) [Nov 2002] www.yourcompany.net (192.168.0.102) [Jan 2003]
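How this finding is read off the server's identification string, as an added example that is not code from this report or its scanning vendor. The stub server, the banner text and the software names it sends are constructed; the host address in the usage note is the report's own.

```python
"""Tell from the identification string whether an SSH daemon offers protocol 1.

Added example for the SSH Protocol Version 1 Enabled finding; it is not
code from this report or its scanning vendor. The server's first line is
"SSH-<protoversion>-<softwareversion>" (RFC 4253 section 4.2): "1.3" or
"1.5" means protocol 1 only, "1.99" means the daemon accepts both
protocol 1 and 2 clients, and "2.0" means protocol 2 only. The stub
server and the sample banners are constructed for testing.
"""
import socket
import threading


def parse_banner(line):
    """Return (protoversion, softwareversion) from an identification string."""
    line = line.strip()
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {line!r}")
    _, protoversion, rest = line.split("-", 2)
    return protoversion, rest.split(" ", 1)[0]   # drop any trailing comment


def classify(protoversion):
    if protoversion == "1.99":
        return "ssh1-and-ssh2"
    if protoversion.startswith("1."):
        return "ssh1-only"
    if protoversion.startswith("2."):
        return "ssh2-only"
    return "unknown"


def ssh1_offered(protoversion):
    """True for every daemon this finding flags, whether it says 1.33, 1.5 or 1.99."""
    return classify(protoversion) in ("ssh1-only", "ssh1-and-ssh2")


def grab_banner(host, port=22, timeout=5.0):
    """Read lines until the identification string; RFC 4253 lets a server send
    other text first (login banners, wrappers) which the client must ignore."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        for _ in range(20):
            line = rfile.readline().decode("latin-1", errors="replace")
            if not line:
                break
            if line.startswith("SSH-"):
                sock.sendall(b"SSH-2.0-bannercheck\r\n")   # send our own id before hanging up
                return line.strip()
    raise ValueError("no SSH identification string received")


def run_stub_server(lines):
    """Constructed stand-in for sshd: sends the given lines, waits for the client's id, closes."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        conn.sendall(b"".join(line.encode() + b"\r\n" for line in lines))
        conn.recv(256)
        conn.close()
        server.close()

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]
```

ssh1_offered(parse_banner(grab_banner("192.168.0.111"))[0]) is the whole check for mail.example.com. After setting "Protocol 2" in sshd_config and restarting, the daemon identifies as SSH-2.0 and the check returns False.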

Vulnerability 10884 NTP Information Leakage (1 Server, Low Risk)
Description It is possible to determine various details about the remote host by querying the NTP control variables (mode 6/7 queries, as used by ntpq and ntpdc). This includes the OS, the upstream NTP server and detailed clock information. An attacker can use this information to focus their attack strategy.
Solution Use a firewall to restrict NTP to trusted addresses, or configure ntpd to ignore these queries (a "restrict ... noquery" line in ntp.conf) while still serving time.
Servers www.yourcompany.com (192.168.0.101) NEW  

Vulnerability 11213 Webserver Supports TRACE or TRACK Methods (3 Servers, Low Risk)
Description Your webserver supports the TRACE and/or TRACK methods. These increase the exploitability of any cross-site scripting vulnerabilities that may exist in your site. As they are primarily intended for debugging, they can be turned off without reduction of service.  
Solution Disable these methods on production servers
IIS : Use the IIS Lockdown Wizard
Apache : Use mod_rewrite to redirect unallowed verbs to the forbidden target  
References WhiteHat Advisory    CERT VU#867593   
Servers www.example.com (192.168.0.112) [Mar 2003] www.yourcompany.co.uk (192.168.0.100) [May 2002]
www.yourcompany.net (192.168.0.102) [Dec 2002]  
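The three raw-HTTP checks behind the Private IP Address Leakage, Apache UserDir information leak and TRACE/TRACK findings above, as an added example that is not code from this report or its scanning vendor. A constructed stub server reproduces each misbehaviour so the probes can be run offline; the user names "www" and "notauser" and the address 10.0.0.5 are constructed.

```python
"""Raw-HTTP checks behind the Private IP Address Leakage, Apache UserDir
information leak and TRACE/TRACK Methods findings.

Added example, not code from this report or its scanning vendor. One
minimal HTTP/1.0 client serves three probes: does TRACE echo the request
back (200 with Content-Type message/http), do /~user/ requests answer 403
for real accounts but 404 for missing ones, and does any reply header
carry an RFC 1918 address. The stub web server and the user names
"www" and "notauser" are constructed for testing.
"""
import ipaddress
import re
import socket
import threading

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def raw_request(host, port, method, path, timeout=5.0):
    """Send one HTTP/1.0 request and return (status, headers dict, body bytes)."""
    request = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(host, port):
    """TRACE is on when the server mirrors our request line back in a message/http body."""
    status, headers, body = raw_request(host, port, "TRACE", "/")
    return (status == 200 and headers.get("content-type", "").startswith("message/http")
            and b"TRACE / HTTP" in body)


def userdir_leaks(host, port, missing_user="notauser", candidate="www"):
    """mod_userdir answers 404 for an unknown account and 403 for a real one without
    a public_html, so a status difference confirms that the candidate account exists."""
    missing_status = raw_request(host, port, "GET", f"/~{missing_user}/")[0]
    candidate_status = raw_request(host, port, "GET", f"/~{candidate}/")[0]
    return missing_status == 404 and candidate_status == 403


def private_addresses(headers):
    """RFC 1918 addresses found in any header value (typically Location or Content-Location)."""
    found = []
    for value in headers.values():
        for candidate in IPV4.findall(value):
            try:
                address = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if any(address in network for network in RFC1918):
                found.append(candidate)
    return found


def run_stub_server(trace_allowed=True, user_dirs=("www",), redirect_host="10.0.0.5"):
    """Constructed stand-in for the scanned web server; returns its loopback port."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def handle(conn):
        request = conn.recv(4096)
        method, path = request.split(b" ")[:2]
        if method == b"TRACE":
            reply = (b"HTTP/1.0 200 OK\r\nContent-Type: message/http\r\n\r\n" + request
                     if trace_allowed else b"HTTP/1.0 405 Method Not Allowed\r\n\r\n")
        elif path.startswith(b"/~"):
            user = path[2:].split(b"/")[0].decode()
            reply = b"HTTP/1.0 403 Forbidden\r\n\r\n" if user in user_dirs else b"HTTP/1.0 404 Not Found\r\n\r\n"
        else:   # an IIS-style redirect that names the server's own internal address
            reply = f"HTTP/1.0 302 Found\r\nLocation: http://{redirect_host}/index.html\r\n\r\n".encode()
        conn.sendall(reply)
        conn.close()

    def serve():
        while True:
            conn, _ = server.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]
```

The mod_rewrite workaround the TRACE solution refers to is three lines in httpd.conf: RewriteEngine On, RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK), RewriteRule .* - [F]; after a restart trace_enabled() returns False because the server answers 403. The same raw_request() helper, pointed at the hosts listed under each finding, reproduces the scanner's evidence for all three.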

Vulnerability 11229 Script Calling phpinfo() Detected (1 Server, Low Risk)
Description PHP contains a function called phpinfo() that dumps a significant amount of system and configuration information that may be useful to an attacker. An unprotected script that calls this function has been detected. You can see the information using the following URL:
[For specific url or description click server link below.]
Solution Remove this script, or protect it with some kind of authentication.
Servers apollo.example.com (192.168.0.81) [Dec 2002]  

Vulnerability 11915 Apache < 1.3.29 Multiple Local Flaws (2 Servers, Low Risk)
Description According to its banner (or an analysis of its behaviour), this web server is running a version of Apache earlier than 1.3.29. These contain buffer overruns in mod_alias and mod_rewrite, which can be exploited by a local user to escalate their privileges. 
Solution Upgrade to an unaffected version, or apply a patch. 
References Bugtraq    CAN-2003-0542   
Servers www.example.com (192.168.0.112) [Jan 2003] www.yourcompany.co.uk (192.168.0.100) [Nov 2002]

Vulnerability 12217 DNS Cache Snooping (1 Server, Low Risk)
Description It is possible for remote attackers to see what names have been queried through this name server, by issuing queries with the "recursion desired" (RD) bit cleared. The server then answers only from its cache, so a name that has recently been resolved comes back with an answer while one that has not comes back empty.
Solution Restrict access to the cache (recursive service) to local users, using allow-recursion and allow-query in named.conf or a firewall.
References SideStep   
Servers www.yourcompany.net (192.168.0.102) [Mar 2003]  
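The queries behind the Useable Remote Name Server, DNS Zone Transfer and DNS Cache Snooping findings, as one added example that is not code from this report or its scanning vendor: it builds the DNS header by hand so the RD bit and the reply's RA, AA and RCODE fields are visible, and classifies the reply the way each finding does. The make_reply() helper fabricates header-only replies for offline testing; the server address and names in the usage note are the report's own hosts and placeholder names.

```python
"""Build and interpret the queries behind the Useable Remote Name Server,
DNS Zone Transfer and DNS Cache Snooping findings.

Added example, not code from this report or its scanning vendor. A query
for a third-party name is sent with the RD (recursion desired) bit set or
cleared and the reply header is read: RA set plus a non-authoritative
answer to a recursive query means open recursion, an answer to a
non-recursive query means the name was already cached, and an AXFR over
TCP that returns records means zone transfers are open. make_reply()
fabricates header-only replies for offline testing.
"""
import os
import socket
import struct

FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5
QTYPE_A, QTYPE_AXFR = 1, 252


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(name, recursion_desired, qtype=QTYPE_A, txid=None):
    """Return (txid, packet): a 12-byte header followed by one IN question."""
    txid = os.urandom(2) if txid is None else txid
    flags = FLAG_RD if recursion_desired else 0
    header = txid + struct.pack(">HHHHH", flags, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_header(packet):
    txid, flags, _qd, an, ns, _ar = struct.unpack(">2sHHHHH", packet[:12])
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}


def classify(header, recursion_desired):
    """Map a reply header to the condition each finding looks for."""
    if header["rcode"] == RCODE_REFUSED:
        return "refused"
    if recursion_desired:
        # An authoritative answer proves nothing about recursion; only a
        # non-authoritative answer with RA set shows the server resolved it for us.
        if header["ra"] and header["answers"] > 0 and not header["aa"]:
            return "open-recursion"
        return "recursion-restricted"
    return "cached" if header["answers"] > 0 else "not-cached"   # RD=0: cache contents only


def udp_query(server, name, recursion_desired, timeout=3.0):
    txid, packet = build_query(name, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(512)
    header = parse_header(data)
    if header["txid"] != txid:
        raise ValueError("reply transaction id does not match the query")
    return classify(header, recursion_desired)


def zone_transfer_allowed(server, zone, timeout=5.0):
    """AXFR runs over TCP with a two-byte length prefix on each message."""
    txid, packet = build_query(zone, False, qtype=QTYPE_AXFR)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(len(packet).to_bytes(2, "big") + packet)
        length = int.from_bytes(sock.recv(2), "big")
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    header = parse_header(data)
    return header["txid"] == txid and header["rcode"] == 0 and header["answers"] > 0


def make_reply(txid, flags, answers, authority=0):
    """Constructed header-only reply for exercising classify() offline."""
    return txid + struct.pack(">HHHHH", flags | FLAG_QR, 1, answers, authority, 0)
```

udp_query("192.168.0.102", "www.example.org", True) returning "open-recursion" is the Useable Remote Name Server finding for www.yourcompany.net (the name queried must be one the server is not authoritative for); the same call with recursion_desired=False, repeated over a list of names, is cache snooping; and zone_transfer_allowed("192.168.0.110", "example.com") is the zone transfer check against dns0.example.com. All three are closed with allow-recursion, allow-query and allow-transfer in named.conf, after which the classifier returns "refused".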

Vulnerability 90001 Holes Detected in Firewall Configuration (3 Servers, Low Risk)
Description This host is protected by a firewall. Incoming TCP connections to most ports are blocked, however some ports were discovered where the firewall allows connections, but no service is running. This often indicates a firewall configuration error.
The affected ports are: [For specific url or description click server link below.] 
Solution Reconfigure your firewall to block all ports that you are not running services on. 
References Firewalls FAQ   
Servers mail.example.com (192.168.0.111) [Mar 2003] www.example.com (192.168.0.112) [Nov 2002]
www.your_company.nl (192.168.0.103) [Mar 2003]  
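How a scanner tells a firewall hole from a blocked port, as an added example that is not code from this report or its scanning vendor. The loopback helpers used for testing are constructed; a real run would be pointed at the hosts listed above.

```python
"""Distinguish open, closed and filtered TCP ports, which is how the Holes
Detected in Firewall Configuration finding is derived.

Added example, not code from this report or its scanning vendor. A full
TCP connect has three outcomes: the handshake completes (open: a service
listens), the host answers with RST (closed: the firewall passes the
port but nothing listens, the "hole" the finding describes), or nothing
comes back before the timeout (filtered: the firewall drops the SYN).
The loopback helpers used for testing are constructed.
"""
import socket

KEEPALIVE = []   # listeners created for tests, kept open for the life of the process


def port_state(host, port, timeout=1.0):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:       # RST came back: reachable, nothing listening
        return "closed"
    except socket.timeout:               # SYN silently dropped
        return "filtered"
    except OSError:                      # no route, host unreachable, ...
        return "unreachable"
    finally:
        sock.close()


def scan(host, ports, timeout=1.0):
    return {port: port_state(host, port, timeout) for port in ports}


def holes_from_states(states):
    """The finding fires when the host is clearly firewalled (most probed ports filtered)
    yet some ports are merely closed: those are allowed through without a service."""
    filtered = [p for p, s in states.items() if s == "filtered"]
    closed = [p for p, s in states.items() if s == "closed"]
    return sorted(closed) if len(filtered) > len(closed) else []


def firewall_holes(host, ports, timeout=1.0):
    return holes_from_states(scan(host, ports, timeout))


def listening_port():
    """Constructed test helper: a loopback listener, so the port reports open."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    KEEPALIVE.append(server)
    return server.getsockname()[1]


def released_port():
    """Constructed test helper: bind then release a port, so it reports closed."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port
```

firewall_holes("192.168.0.111", range(1, 1025)) lists the ports on mail.example.com that answer with RST while their neighbours are silently dropped; each one is a rule that passes traffic to a port with no service behind it, and after the firewall is tightened the same call returns an empty list.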

Scans by Clearview Systems