Your Company System Detail - April 2010

Reference:
YC 201135
System 192.168.0.103 ( http://www.your_company.nl )   SANS
Criticality
Scan Type Enterprise
Start Date 13-Apr-10 11:54
End Date 13-Apr-10 12:54
Customer Ref YC103
Groups EMEA, Microsoft
Contact E-mail Role
janebloggs@yourcompany.com business

Ports: 7 (High:0 Low:7)

  Port Protocol Service Details  
  53 tcp domain Closed Immediately with TCP FIN  
  80 tcp http Microsoft-IIS 5.0  
 NEW 161 tcp snmp uptime 278411121 centiseconds  
  443 tcp https Microsoft-IIS 5.0  
  53 udp dns Responce Received  
 NEW 0 icmp echo reply Response Received  
 NEW 14 icmp timestamp reply Timestamp is 10:46:03  

Ports Closed Since Last Month: 1 (High:0 Low:1)

  Port Protocol Service Details  
  3053 udp dsom-server Response received  


Vulnerabilities: 13 (High:5 Medium:5 Low:3)

Vulnerability 90052 Administration Interface with Weak Password   NEW High Risk
Description This host is exposing an administration interface to the Internet with a default or easily guessable password. This allows a remote attacker full access to modify settings or content. The login details are:
http://www.your_company.nl/tightcms/login.aspx

Username: builtin
Password: builtin
 
Solution Set a stronger password and/or ensure this interface is not accessible from the Internet. 
Category Hosting or infrastructure flaw.
CVE Reference CVE-1999-0508 CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
First Found 13 April 2010 Port 443/tcp Last 6 Months

Vulnerability 90027 High Risk Ports Open   NEW High Risk
Description The following high risk ports are open:
PORT      SERVICE
161/udp   snmp
It is generally not recommended to expose these ports to the internet as they may be used as attack vectors. If access to these services from remote sites is required, tunnelling or a VPN would be recommended instead of exposing these ports.

Note: Even if the ports are immediately closed after being opened, this is still a security risk as packets are reaching the destination host. It is recommended to completely drop packets from untrusted sources instead. 

Solution Ensure that the ports are filtered by your router or firewall or close the ports on the affected systems. 
Category Hosting or infrastructure flaw.
CVE Reference CVE-MAP-NOMATCH CVSS2 6.4 (Medium) (AV:N/AC:L/Au:N/C:P/I:P/A:N)
First Found 13 May 2009 Port 161/tcp Last 6 Months

Vulnerability 10993 IIS ASP.NET Application Trace Enabled   NEW High Risk
Description This web server has an ASP.NET application running with application tracing enabled. This allows an attacker to view detailed information on recent HTTP requests. Sensitive information revealed includes physical paths and even session IDs. An example URL you can use to exploit this is:
http://www.your_company.nl/recruitment/apply/trace.axd

This was found to reveal sensitive information about users. For example:

Firstname: John
Lastname: Smith
Previous Employer: Widgets Corporation
Tertiary Education: University of Wallamaloo  
Gender:	Male
DOB: 1/1/1985
postcode: 2444
country	Australia
state	NSW
street	134 Dribble Creek Road
mobile	0403453656
email	jsmith@private.com.au
 
Solution Set 'trace enabled=false' in web.config 
Category Hosting or infrastructure flaw.
References ASP.Net Tracing Overview    How to: Enable Tracing for an ASP.NET Application    Tracing    How to: Enable Tracing for an ASP.NET Page   
CVE Reference CVE-MAP-NOMATCH CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
First Found 13 April 2010 Port 80/tcp,443/tcp Last 6 Months

Vulnerability 11424 IIS WebDAV Buffer Overrun High Risk
Description This system is an IIS server running WebDAV. This may be vulnerable to a buffer overrun when a malicious WebDAV request is sent. When running on an unpatched Windows 2000 server, a remote attacker could use this to crash the service or take control of the system.
Note: This may be a false positive as it is not possible to determine remotely if the patch has been applied. 
Solution Apply the patch from Microsoft. In addition we suggest you edit registry to disable WebDAV, following these instructions. If you do not disable WebDAV then this vulnerability will continue appearing until you stoplist it. 
Category Hosting or infrastructure flaw.
References Microsoft Security Bulletin MS03-007    CERT Advisory CA-2003-09    Microsoft Knowledge Base Q241520   
CVE Reference CVE-2003-0109 CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
First Found 13 May 2009 Port 80/tcp Last 6 Months

Vulnerability 10264 SNMP Default Community Names   SANS High Risk
Description This system is running an SNMP agent which uses an easily guessable community string. This enables an attacker to extract a large amount of useful information. If a writeable community string is guessable, an attacker could make configuration changes to the server. Here is a sample of the information that can be extracted:
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.1 = "System Idle Process"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.8 = "System"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.168 = "SMSS.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.192 = "CSRSS.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.212 = "WINLOGON.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.240 = "SERVICES.EXE"
 
Solution Disable SNMP, or change the community string to something unguessable. 
Category Hosting or infrastructure flaw.
CVE References CVE-1999-0517 CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  CVE-1999-0254 CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CVE-1999-0516 CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  CVE-2010-1574 CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CVE-1999-0186 CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CVE-2004-0311 CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  CVE-2004-1474 CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
First Found 13 July 2009 Port 161/tcp Last 6 Months

Vulnerability 10815 Cross-Site Scripting   NEW Medium Risk
Description This system is running a web server or web application which is vulnerable to Cross-Site Scripting (XSS) attacks. Certain pages include user-supplied input in the response and HTML special characters are not escaped. An attacker could use this to inject malicious JavaScript or HTML code, which will run at the same trust level as the server. This may enable them to steal session cookies, form details, etc. An example that demonstrates this is:
http://www.your_company.nl/tightcms/login.aspx?lang="><img src="" 
onerror="alert(/Vulnerable/.source)" />
This is simply an example that illustrates the problem, you should fix the underlying issue rather than attempting to prevent this exploit from working.

Note: This vulnerability must be addressed server-side. Adding JavaScript (client-side) validation on form fields does not offer any protection against Cross-Site Scripting or other attacks. 

Solution Recode your web application to ensure all user supplied input is escaped when displayed, or contact your web application vendor for a patch. Any JavaScript-based fix will not be effective. 
Category Application or content flaw.
References CERT Advisory CA-2000-02    PHP htmlspecialchars Quoting Function    General Info    XSS Anatomy    How To: Prevent Cross-Site Scripting in ASP.NET    OWASP XSS Prevention Cheat Sheet   
CVE References CVE-2003-1543 CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2006-1681 CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2002-1060 CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2005-2453 CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
First Found 13 April 2010 Port 80/tcp Last 6 Months

Vulnerability 10539 Globally Useable Name Server   SANS   NEW Medium Risk
Description This system is running a name server that allows any system on the Internet to perform recursive queries and resolve third-party domain names. A remote attacker could use this to extract information about your name lookup patterns, and may be able to perform DNS cache poisoning attacks. 
Solution Restrict recursive queries to trusted addresses. For servers running BIND, use the allow-recursion or allow-query directives. 
Category Hosting or infrastructure flaw.
References Securing Windows Server 2003 Domain Controllers   
CVE Reference CVE-1999-0024 CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
First Found 13 March 2010 Port 53/udp Last 6 Months

Vulnerability 10991 IIS global.asa Accessible Medium Risk
Description This system is running IIS and allows retrieval of the /global.asa file. This is a global configuation file which may contain sensitive information such as database passwords, physical paths and configuration options. This vulnerability may be caused by a missing ISAPI map of the .asa extension to asp.dll. Here is a sample of your global.asa file:

vti_encoding:SR|utf8-nl RealmName:fteap-gtrrss03a InheritPermissions:false PasswordDir:D:\\inetpub\\wwwroot\\huy\\_vti_pvt

 
Solution Restore the .asa map. Alternatively, use a filter program such as URLScan to explicity forbid such requests. 
Category Hosting or infrastructure flaw.
CVE Reference CVE-MAP-NOMATCH CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
First Found 13 March 2010 Port 80/tcp Last 6 Months

Vulnerability 10661 IIS .printer ISAPI Filter Enabled Medium Risk
Description This system is running IIS and has the .printer ISAPI filter enabled. Some versions of this filter contain a buffer overrun vulnerability. A remote attacker could use this to crash the service or take control of the system.
Note: To avoid crashing your server, we have not directly tested for the vulnerability and this may not be a real hole. However, as the filter is not usually required, you should turn it off as a matter of good practice. 
Solution If you don't require this filter, disable it. If it is required, make sure the latest patches are applied. 
Category Hosting or infrastructure flaw.
References Microsoft Security Bulletin MS01-023   
CVE Reference CVE-2001-0241 CVSS2 10.0 (High) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
First Found 13 February 2010 Port 80/tcp Last 6 Months

Vulnerability 90110 Weak or Ineffective Authentication Mechanism   NEW Medium Risk
Description The remote server attempts to protect content through a mechanism which is ineffective, or can be trivially circumvented. The issue can be demonstrated as follows:
The following script appears to form part of the extranet_global application 
which is password protected. However, http://www.your_company.nl/extranet_global/forms.asp 
can be accessed without any authentication.
 
Solution Recode your application to use a stronger authentication mechanism. 
Category Application or content flaw.
CVE Reference CVE-MAP-NOMATCH CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
First Found 13 April 2010 Port 80/tcp Last 6 Months

Vulnerability 12217 DNS Cache Snooping   NEW Low Risk
Description This system is running a DNS server that accepts queries from any address (although recursive queries may be disabled). The name server responds differently for domains that have recently been looked-up. A remote attacker could use this to determine if certain sites have been visited by users of this nameserver. 
Solution Restrict access to DNS caches to local users. For Bind, use the "AllowQuery" directive. 
Category Hosting or infrastructure flaw.
References DNS Cache Snooping   
CVE Reference CVE-MAP-NOMATCH CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
First Found 13 March 2010 Port 53/udp Last 6 Months

Vulnerability 90001 Holes Detected in Firewall Configuration Low Risk
Description This system is protected by a firewall which blocks access to TCP ports in inconsistent ways. Incoming TCP connections to most ports are simply dropped, however some ports were discovered where the connection is actively refused, for example with a TCP RST. This often indicates a firewall configuration error, and commonly occurs when the configuration has not been altered in line with changing system configuration behind the firewall. For example when a service such as a mail server is removed, but the corresponding firewall rule is not.

The TCP ports which actively refuse connections are: 81,82 

Solution Reconfigure your firewall to completely drop all connections on ports that you are not running services on. 
Category Hosting or infrastructure flaw.
References Firewalls FAQ   
CVE Reference CVE-MAP-NOMATCH CVSS2 2.6 (Low) (AV:N/AC:H/Au:N/C:P/I:N/A:N)
First Found 13 March 2010 Port general/tcp Last 6 Months

Vulnerability 10077 Microsoft Frontpage Extensions Installed Low Risk
Description This system is running Microsoft Frontpage extensions. These have had a history of insecurity, so you should carefully check that you have the latest patches applied. It is also common for Frontpage extensions to be insecure because they are misconfigured.
Frontpage also reveals the name of the IIS anonymous user IISUSER which could help focus attacks.
 
Solution If you do not require Frontpage extensions, disable them. If they are required, make sure the latest patches are applied. 
Category Hosting or infrastructure flaw.
References Microsoft Knowledge Base Q813380    Microsoft Security Bulletin MS02-018    Microsoft Knowledge Base Q813379   
CVE Reference CVE-2000-0114 CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
First Found 13 May 2009 Port No information available Last 6 Months


Vulnerabilities Fixed Since Last Month: 1 (High:0 Medium:0 Low:1)

Vulnerability 10759 Private IP Address Leakage Low Risk
Description This system exposes its RFC 1918 private IP address. This is the internal IP address of the system, that would usually be masked by a proxy or NAT firewall. This information may be useful to an attacker trying to remotely map your network or prepare an attack. The private IP address is:
172.258.236.2
 
Solution Update your web server configuration. For IIS, issue "adsutil set w3svc/UseHostName True" and restart. On Apache, ensure that ServerName in httpd.conf is set to a hostname. 
Category Hosting or infrastructure flaw.
References Microsoft Knowledge Base Q218180    Bugtraq ID 1499   
CVE Reference CVE-2000-0649 CVSS2 2.6 (Low) (AV:N/AC:H/Au:N/C:P/I:N/A:N)
First Found 13 March 2010 Port 443/tcp Last 6 Months


Historical Information

Scans by RatwareUK