Results for Solaris 6 Default Install


This test was run against Solaris 6 on a Sparc 5 platform, installed with all default options. The results for this operating system were not surprising: the OS has been out for many years, and a default Sun Solaris install starts many network services, including telnet, the RPC services and FTP. Note that the FTP and telnet banners captured below identify the host as SunOS 5.8 and Nmap's fingerprint reads Solaris 2.6 - 2.7, so the scanner's version guesses should not be taken as authoritative. Nessus reported the following:

Nessus Scan Report


--------------------------------------------------------------------------------

Number of hosts which were alive during the test : 1
Number of security holes found : 5
Number of security warnings found : 26
Number of security notes found : 5

List of the tested hosts :

10.10.10.10 (Security holes found)

--------------------------------------------------------------------------------

10.10.10.10 :

List of open ports :

echo (7/tcp) (Security warnings found)
discard (9/tcp)
daytime (13/tcp) (Security warnings found)
chargen (19/tcp) (Security warnings found)
ftp (21/tcp) (Security notes found)
telnet (23/tcp) (Security warnings found)
smtp (25/tcp) (Security warnings found)
time (37/tcp)
finger (79/tcp) (Security warnings found)
sunrpc (111/tcp)
exec (512/tcp) (Security warnings found)
login (513/tcp) (Security warnings found)
shell (514/tcp) (Security warnings found)
printer (515/tcp)
uucp (540/tcp)
unknown (1103/tcp)  
unknown (4045/tcp)
x11 (6000/tcp)
unknown (6112/tcp)
xfs (7100/tcp)
general/tcp (Security notes found)
general/udp (Security notes found)
snmp (161/udp) (Security hole found)
unknown (32777/udp) (Security warnings found)
unknown (32775/tcp) (Security warnings found)
unknown (32776/udp) (Security warnings found)
unknown (32772/udp) (Security hole found)
unknown (32775/udp) (Security warnings found)
unknown (32778/udp) (Security warnings found)
unknown (32773/udp) (Security warnings found)
unknown (4045/udp) (Security warnings found)
unknown (32779/udp) (Security hole found)
general/icmp (Security warnings found)
echo (7/udp) (Security warnings found)
daytime (13/udp) (Security warnings found)
chargen (19/udp) (Security warnings found)

Warning found on port echo (7/tcp)

The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low.

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103


Warning found on port daytime (13/tcp)

The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103


Warning found on port chargen (19/tcp)

The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with a stream of characters (something like
all the characters of the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong', which IP-spoofs a packet between two machines
running chargen. They will commence spewing characters at each other, slowing
the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103


Warning found on port ftp (21/tcp)

It is possible to determine the existence of a
user on the remote system by issuing the command
CWD ~<username>, even before logging in.

I.e.:
telnet target 21
CWD ~root
530 Please login with USER and PASS.

CWD ~nonexistinguser
530 Please login with USER and PASS.
550 Unknown user name after ~

A cracker may use this to determine the existence of
accounts known to be vulnerable (like guest) or to
determine which system you are running.

Solution : inform your vendor and ask for a patch, or
change your FTP server

Risk factor : Low

Information found on port ftp (21/tcp)

Remote FTP server banner :
sunmgr38 ftp server (sunos 5.8) ready.

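The CWD ~<username> oracle above can be re-checked with a few lines of socket code. The following is an added example written for this page, not code from the original article or from Nessus. The address 10.10.10.10 is the scanned host from the report, the control name zzq9nosuchuser is an assumed non-existent account, and the candidate list is arbitrary. The script first confirms the oracle with a name that cannot exist (a server that answers 530 for everyone leaks nothing), then classifies each candidate by whether the extra 550 reply appears:

```python
import socket
import sys


class FtpControl:
    """Minimal FTP control-channel client. It keeps its own line buffer so that the
    short read timeout used below (to wait for an optional second reply) never
    strands data the way a timed-out socket.makefile() can."""

    def __init__(self, host, port=21, timeout=10.0):
        self.timeout = timeout
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""
        self.banner = self.reply()          # "220 ... ftp server (SunOS 5.x) ready."

    def _readline(self):
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the control connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode("latin-1").rstrip("\r")

    def reply(self):
        """Return (code, text) for one reply; 'xyz-' opens a block closed by 'xyz '."""
        lines = [self._readline()]
        if len(lines[0]) >= 4 and lines[0][3] == "-":
            code = lines[0][:3]
            while not lines[-1].startswith(code + " "):
                lines.append(self._readline())
        return int(lines[-1][:3]), "\n".join(lines)

    def cwd_probe(self, name, settle=1.5):
        """Send CWD ~name before USER/PASS and collect every reply: the ftpd in the
        report answers 530 and then adds a 550 when the account does not exist."""
        self.sock.sendall(f"CWD ~{name}\r\n".encode("latin-1"))
        replies = [self.reply()]
        self.sock.settimeout(settle)
        try:
            replies.append(self.reply())
        except socket.timeout:
            pass                            # no second reply within `settle` seconds
        finally:
            self.sock.settimeout(self.timeout)
        return replies

    def close(self):
        try:
            self.sock.sendall(b"QUIT\r\n")
        finally:
            self.sock.close()


def classify(replies):
    """Map a CWD ~name reply sequence to 'missing', 'exists' or 'unknown'."""
    if any(code == 550 and "unknown user" in text.lower() for code, text in replies):
        return "missing"
    if any(code == 530 for code, _ in replies):
        return "exists"                     # only meaningful once the oracle is confirmed
    return "unknown"


def enumerate_users(host, names, control="zzq9nosuchuser"):
    """Confirm the oracle with a name that cannot exist (assumed not to be an account),
    then classify each candidate. Returns None when the server answers everyone alike."""
    ftp = FtpControl(host)
    try:
        if classify(ftp.cwd_probe(control)) != "missing":
            return None
        return {name: classify(ftp.cwd_probe(name)) for name in names}
    finally:
        ftp.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.10"   # the host in the report
    found = enumerate_users(target, ["root", "guest", "bin", "nobody", "lp"])
    print("no CWD ~user oracle on this server" if found is None else found)
```

The control probe is the important part: without it, a patched server that returns 530 for every CWD ~name would make every candidate look like a real account.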

Warning found on port telnet (23/tcp)

The Telnet service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.

You should disable this service and use OpenSSH instead.
(www.openssh.com)

Solution : Comment out the 'telnet' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0619


Information found on port telnet (23/tcp)

Remote telnet banner :
SunOS 5.8


Vulnerability found on port smtp (25/tcp)

The remote SMTP server did not complain when issued the
command :
MAIL FROM: |testing

This probably means that it is possible to send mail
that will be bounced to a program, which is
a serious threat, since this allows anyone to execute
arbitrary commands on this host.

NOTE : ** This security hole might be a false positive, since
some MTAs will not complain about this test, but instead
just drop the message silently **

Solution : upgrade your MTA or change it.

Risk factor : High
CVE : CAN-1999-0203


Warning found on port smtp (25/tcp)

The remote SMTP server
answers to the EXPN and/or VRFY commands.

The EXPN command can be used to find
the delivery address of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.

Your mailer should not allow remote users to
use any of these commands, because it gives
them too much information.

Solution : if you are using sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.

Risk factor : Low
CVE : CAN-1999-0531


Warning found on port smtp (25/tcp)

The remote SMTP server is vulnerable to a redirection
attack. That is, if a mail is sent to :

user@hostname1@victim

then the remote SMTP server (victim) will happily send the
mail to :
user@hostname1

Using this flaw, an attacker may route a message
through your firewall, in order to exploit other
SMTP servers that can not be reached from the
outside.

*** THIS WARNING MAY BE A FALSE POSITIVE, SINCE
SOME SMTP SERVERS LIKE POSTFIX WILL NOT
COMPLAIN BUT DROP THIS MESSAGE ***

Solution : if you are using sendmail, then at the top
of ruleset 98, in /etc/sendmail.cf, insert :
R$*@$*@$* $#error $@ 5.7.1 $: '551 Sorry, no redirections.'
(the fields of a sendmail.cf rewriting rule must be separated by
tabs, not spaces, or sendmail will not parse the rule)

Risk factor : Low


Warning found on port smtp (25/tcp)

The remote SMTP server allows relaying. This means that
it allows spammers to use your mail server to send their mail to
the world, thus wasting your network bandwidth.

Risk factor : Low/Medium

Solution : configure your SMTP server so that it can't be used as a relay
any more.
CVE : CAN-1999-0512


Information found on port smtp (25/tcp)

Remote SMTP server banner :
firewall. Sendmail SMI-8.6/SMI-SVR4 ready at Tue, 1 Jan 2002 21:39:23 -0500
214-Commands:
214-    HELO    MAIL    RCPT    DATA    RSET
214-    NOOP    QUIT    HELP    VRFY    EXPN
214-For more info use "HELP <topic>".
214-smtp
214-To report bugs in the implementation contact Sun Microsystems
214-    Technical Support.
214-For local information contact postmaster at this site.
214 End of HELP info

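The four SMTP findings above (a program as MAIL FROM, VRFY/EXPN, user@hostname1@victim redirection, and third-party relay) are all answered by plain SMTP dialogue, so they can be re-checked by hand instead of trusting the scanner, which itself warns about false positives. The code below is an added example written for this page, not part of the original report or of Nessus. The hostnames victim.example, mailhost.internal and outside.example are assumptions, and FakeMta is a constructed in-memory responder (one mode behaving like the Sendmail 8.6 described above, one rejecting each probe) so the script runs offline; pass a hostname on the command line to run the same probes over a real connection:

```python
import socket
import sys


class SmtpSession:
    """Tiny SMTP client: send one command, read the full (possibly multi-line) reply."""

    def __init__(self, host, port=25, timeout=15.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""
        self.banner = self._reply()

    def _readline(self):
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode("latin-1").rstrip("\r")

    def _reply(self):
        lines = [self._readline()]
        while len(lines[-1]) >= 4 and lines[-1][3] == "-":    # "250-..." continues
            lines.append(self._readline())
        return int(lines[-1][:3]), "\n".join(lines)

    def __call__(self, line):
        self.sock.sendall((line + "\r\n").encode("latin-1"))
        return self._reply()


def probe(smtp, victim="victim.example", inside="mailhost.internal", outside="outside.example"):
    """Run the four checks from the report; `smtp(line)` must return (code, text)."""
    ok = lambda code: 200 <= code < 300
    f = {}
    smtp("HELO probe.example")
    # 1. Program as sender. A 2xx is what Nessus flagged; it can be a false positive when
    #    the MTA accepts and then silently drops, so confirm by hand before reporting it.
    f["pipe_in_mail_from"] = ok(smtp("MAIL FROM: |testing")[0])
    smtp("RSET")
    # 2. Account disclosure. 252 means "cannot verify, will try delivery" and discloses nothing.
    f["vrfy"] = smtp("VRFY root")[0] in (250, 251)
    f["expn"] = smtp("EXPN root")[0] == 250
    # 3. Source-routed redirection through the victim to a host it can reach and we cannot.
    smtp(f"MAIL FROM:<probe@{outside}>")
    f["redirect"] = ok(smtp(f"RCPT TO:<user@{inside}@{victim}>")[0])
    smtp("RSET")
    # 4. Third-party relay: outside sender to outside recipient.
    smtp(f"MAIL FROM:<probe@{outside}>")
    f["relay"] = ok(smtp(f"RCPT TO:<nobody@{outside}>")[0])
    smtp("RSET")
    smtp("QUIT")
    return f


class FakeMta:
    """Constructed in-memory responder, not a real MTA. hardened=False answers the way the
    Sendmail 8.6 in the report does; hardened=True rejects each of the four probes."""

    def __init__(self, hardened, local=("victim.example",)):
        self.hardened, self.local = hardened, local

    def __call__(self, line):
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "RSET", "NOOP"):
            return 250, "OK"
        if verb == "QUIT":
            return 221, "closing connection"
        if verb in ("VRFY", "EXPN"):
            return (502, "Command not implemented") if self.hardened else (250, "root <root@victim.example>")
        if verb == "MAIL":
            if self.hardened and "|" in arg:
                return 501, "Syntax error in parameters"
            return 250, "Sender ok"
        if verb == "RCPT":
            addr = arg[3:].strip(" <>") if arg.upper().startswith("TO:") else arg
            if self.hardened:
                if addr.count("@") > 1:
                    return 551, "Sorry, no redirections."
                if addr.rpartition("@")[2] not in self.local:
                    return 550, "Relaying denied"
            return 250, "Recipient ok"
        return 500, "Command unrecognized"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        session = SmtpSession(sys.argv[1])
        print(session.banner[1])
        print(probe(session))
    else:                                   # offline demonstration against the fakes
        print("report-like MTA:", probe(FakeMta(hardened=False)))
        print("hardened MTA:   ", probe(FakeMta(hardened=True)))
```

A 2xx to RCPT only shows that the envelope was accepted; the definitive relay and redirection test is to watch whether the message is actually delivered, which is exactly why the report marks two of these results as possible false positives.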

Warning found on port finger (79/tcp)

The remote finger daemon accepts
redirected requests. That is, users can perform
requests like :
finger user@host@victim

This allows crackers to use your computer
as a relay to gather information on another
network, making the other network think you
are making the requests.

Solution: disable your finger daemon (comment out
the finger line in /etc/inetd.conf) or
install a more secure one.

Risk factor : Low
CVE : CAN-1999-0105


Warning found on port finger (79/tcp)

The 'finger' service provides useful information
to crackers, since it allows them to gain usernames, check if a machine
is being used, and so on...

Risk factor : Low.

Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612


Warning found on port exec (512/tcp)

The rexecd service is open.
Because rexecd does not provide any good
means of authentication, it can be
used by crackers to scan a third party
host, causing you trouble or bypassing
your firewall.

Solution : comment out the 'exec' line
in /etc/inetd.conf.

Risk factor : Medium
CVE : CAN-1999-0618


Warning found on port login (513/tcp)

The rlogin service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the rlogin client
and the rlogin server. This includes logins
and passwords.

You should disable this service and use OpenSSH instead
(www.openssh.com)

Solution : Comment out the 'rlogin' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651


Warning found on port shell (514/tcp)

The rsh service is running.
This service is dangerous in the sense that
it is not encrypted - that is, everyone can sniff
the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.

You should disable this service and use ssh instead.

Solution : Comment out the 'rsh' line in /etc/inetd.conf.

Risk factor : Low
CVE : CAN-1999-0651


Information found on port general/tcp

Nmap found that this host is running Solaris 2.6 - 2.7


Information found on port general/udp

For your information, here is the traceroute to 10.10.10.10 :
10.10.10.10


Vulnerability found on port snmp (161/udp)

SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517


Vulnerability found on port snmp (161/udp)

SNMP Agent responded as expected with community name: private
CVE : CAN-1999-0517

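Both SNMP findings above come from the same check: sending an SNMPv1 GetRequest with a guessed community name and seeing whether the agent answers. The script below is an added example written for this page, not the Nessus plugin. It hand-encodes the BER for a GetRequest of sysDescr.0 (so it needs no SNMP library) and treats silence as rejection, which is how a v1 agent reacts to a wrong community. The target address is the report's host and the community list is the two names the report shows as accepted:

```python
import os
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
DEFAULT_COMMUNITIES = ["public", "private"]     # the two names the report shows accepted


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """INTEGER with the minimal two's-complement content octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                      # base-128, high bit set on all but the last octet
        enc = bytearray([a & 0x7F])
        a >>= 7
        while a:
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += enc
    return tlv(0x06, bytes(body))


def build_get(community, oid, request_id):
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU [0] }."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")                 # OID, NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, off=0):
    """Return (tag, content, next_offset) for the TLV starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln


def parse_response(packet, request_id):
    """Return (error_status, value_bytes) of the first varbind in a GetResponse."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, off = read_tlv(msg)
    _, _community, off = read_tlv(msg, off)
    tag, pdu, _ = read_tlv(msg, off)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, off = read_tlv(pdu)
    if int.from_bytes(rid, "big", signed=True) != request_id:
        raise ValueError("request-id mismatch")
    _, err, off = read_tlv(pdu, off)
    _, _index, off = read_tlv(pdu, off)
    _, vbl, _ = read_tlv(pdu, off)
    _, vb, _ = read_tlv(vbl)
    _, _oid, voff = read_tlv(vb)
    _, value, _ = read_tlv(vb, voff)
    return int.from_bytes(err, "big", signed=True), value


def try_communities(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=2.0):
    """Return {community: sysDescr} for every name the agent answers with no error."""
    accepted = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for name in communities:
            rid = int.from_bytes(os.urandom(3), "big")
            s.sendto(build_get(name, SYS_DESCR, rid), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue                    # a v1 agent just stays silent on a wrong community
            try:
                err, value = parse_response(data, rid)
            except (ValueError, IndexError):
                continue
            if err == 0:
                accepted[name] = value.decode("latin-1", "replace")
    return accepted


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.10"   # the host in the report
    for name, descr in try_communities(target).items():
        print(f"community {name!r} accepted; sysDescr = {descr!r}")
```

The report gives no solution for this finding; the fix is to replace the default community strings (or, if nobody polls the host, to stop the agent altogether), and to remember that "private" is normally the write community, so its acceptance means the agent's writable MIB objects are open to anyone who can reach 161/udp.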

Warning found on port unknown (32777/udp)

The walld RPC service is running.
It is usually used by the administrator
to tell something to the users of a
network by making a message appear
on their screen.

Since this service lacks any kind
of authentication, a cracker
may use it to trick users into
doing something (change their password,
leave the console, or worse), by sending
a message which would appear to be
written by the administrator.

It can also be used as a denial of service
attack, by continually sending garbage
to the users' screens, preventing them
from working properly.

Solution : Deactivate this service.

Risk factor : Medium
CVE : CVE-1999-0181


Warning found on port unknown (32775/tcp)

The tooltalk RPC service is running.
A possible implementation fault in the
ToolTalk object database server may allow a
cracker to execute arbitrary commands as
root.

** This warning may be a false
positive since the presence
of the bug was not tested **

Solution : Disable this service.
See also : CERT Advisory CA-98.11

Risk factor : High
CVE : CVE-1999-0003


Warning found on port unknown (32774/udp)

The statd RPC service is running.
This service has a long history of
security holes, so you should really
know what you are doing if you decide
to let it run.

* NO SECURITY HOLE REGARDING THIS
PROGRAM HAS BEEN TESTED, SO
THIS MIGHT BE A FALSE POSITIVE *

We suggest you disable this
service.

Risk factor : High
CVE : CVE-1999-0018


Warning found on port unknown (32776/udp)

The sprayd RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.

Risk factor : Low
CVE : CAN-1999-0613


Vulnerability found on port unknown (32772/udp)

The sadmind RPC service is running.
There is a bug in Solaris versions of
this service that allows an intruder to
execute arbitrary commands on your system.

Solution : disable this service
Risk factor : High


Warning found on port unknown (32775/udp)

The rusersd RPC service is running.
It provides an attacker with interesting
information such as how often the
system is being used, the names of
the users, and so on.

It is usually not a good idea to leave this
service open.

Risk factor : Low
CVE : CVE-1999-0626


Warning found on port unknown (32778/udp)

The rstatd RPC service is running.
It provides an attacker with interesting
information such as :

- the CPU usage
- the system uptime
- its network usage
- and more

It is usually not a good idea to leave this
service open.

Risk factor : Low
CVE : CAN-1999-0624


Warning found on port unknown (32773/udp)

The rquotad RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.

Risk factor : Low
CVE : CAN-1999-0625


Warning found on port unknown (4045/udp)

The nlockmgr RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.

Risk factor : Low
CVE : CAN-2000-0508


Vulnerability found on port unknown (32779/udp)

The cmsd RPC service is running.
This service has a long history of
security holes, so you should really
know what you are doing if you decide
to let it run.

* NO SECURITY HOLE REGARDING THIS
PROGRAM HAS BEEN TESTED, SO
THIS MIGHT BE A FALSE POSITIVE *

We suggest you disable this
service.

Risk factor : High
CVE : CVE-1999-0320

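Nessus listed the 327xx ports as "unknown" in the port table and then named the RPC service behind each one (walld, tooltalk, statd, sprayd, sadmind, rusersd, rstatd, rquotad, nlockmgr, cmsd). It learned that mapping from the portmapper on 111/tcp, which hands its whole registration table to anyone who asks; rpcinfo -p host does the same thing. The code below is an added example written for this page, not the scanner's own: it builds the PMAPPROC_DUMP call by hand, parses the XDR reply, and names the programs from the standard rpc program numbers. The offline demonstration uses a constructed reply shaped like the report's host; pass a hostname to query a live portmapper:

```python
import random
import socket
import struct
import sys

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
PROTO_NAME = {6: "tcp", 17: "udp"}

# Standard RPC program numbers for the daemons the report identified on the
# "unknown" high ports, plus nfs/mountd, which a default install also registers.
RPC_PROGRAMS = {
    100000: "rpcbind", 100001: "rstatd", 100002: "rusersd", 100003: "nfs",
    100005: "mountd", 100008: "walld", 100011: "rquotad", 100012: "sprayd",
    100021: "nlockmgr", 100024: "statd", 100068: "cmsd", 100083: "ttdbserverd",
    100232: "sadmind",
}


def build_dump_call(xid):
    """RPCv2 CALL (RFC 5531 s.9) for PMAPPROC_DUMP with AUTH_NULL cred and verf."""
    header = struct.pack(">IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    return header + struct.pack(">IIII", 0, 0, 0, 0)    # cred flavor/len, verf flavor/len


def encode_dump_reply(xid, entries):
    """Encode an accepted DUMP reply (used for the offline demonstration and tests)."""
    data = struct.pack(">IIIIII", xid, 1, 0, 0, 0, 0)   # REPLY, MSG_ACCEPTED, null verf, SUCCESS
    for prog, vers, proto, port in entries:
        data += struct.pack(">IIIII", 1, prog, vers, proto, port)   # "value follows" = TRUE
    return data + struct.pack(">I", 0)                             # end of pmaplist


def parse_dump_reply(data, xid):
    """Decode the XDR pmaplist; returns [(prog, vers, proto, port), ...]."""
    rxid, msg_type, reply_stat, _flavor, verf_len = struct.unpack_from(">IIIII", data, 0)
    if rxid != xid or msg_type != 1 or reply_stat != 0:
        raise ValueError("not an accepted reply to our call")
    off = 20 + ((verf_len + 3) & ~3)            # skip the opaque verifier, padded to 4 bytes
    (accept_stat,) = struct.unpack_from(">I", data, off)
    off += 4
    if accept_stat != 0:
        raise ValueError(f"call not successful: accept_stat={accept_stat}")
    entries = []
    while struct.unpack_from(">I", data, off)[0] == 1:
        entries.append(struct.unpack_from(">IIII", data, off + 4))
        off += 20
    return entries


def describe(entries):
    """Render entries as rpcinfo-style lines, sorted by port then protocol."""
    return [f"{port}/{PROTO_NAME.get(proto, proto)}  "
            f"{RPC_PROGRAMS.get(prog, 'prog ' + str(prog))} v{vers}"
            for prog, vers, proto, port in sorted(entries, key=lambda e: (e[3], e[2]))]


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed by the portmapper")
        data += chunk
    return data


def rpc_dump(host, timeout=5.0):
    """Live query over 111/tcp using RPC record marking (RFC 5531 s.11)."""
    xid = random.getrandbits(32)
    call = build_dump_call(xid)
    with socket.create_connection((host, 111), timeout=timeout) as s:
        s.sendall(struct.pack(">I", 0x80000000 | len(call)) + call)   # single, last fragment
        reply = b""
        while True:                                     # reassemble the reply's fragments
            (mark,) = struct.unpack(">I", _recv_exact(s, 4))
            reply += _recv_exact(s, mark & 0x7FFFFFFF)
            if mark & 0x80000000:
                break
    return parse_dump_reply(reply, xid)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = rpc_dump(sys.argv[1])
    else:   # constructed reply: the sadmind and cmsd registrations the report shows
        found = parse_dump_reply(encode_dump_reply(7, [(100232, 10, 17, 32772),
                                                       (100068, 2, 17, 32779)]), 7)
    print("\n".join(describe(found)))
```

Because the dynamic port numbers change on every reboot, a firewall rule set keyed on 327xx ports is never reliable; the durable fix is to stop registering the service at all, which is what the "disable this service" solutions above amount to.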

Warning found on port general/icmp

The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.

This may help him to defeat your
time-based authentication protocols.

Solution : filter out the incoming ICMP timestamp
requests (type 13), and the outgoing ICMP
timestamp replies (type 14).

Risk factor : Low
CVE : CAN-1999-0524


Warning found on port general/icmp

The remote host answered to an ICMP_MASKREQ
query and sent us its netmask.

An attacker can use this information to
understand how your network is set up
and how the routing is done. This may
help him to bypass your filters.

Solution : reconfigure the remote host so
that it does not answer to those requests.
Set up filters that deny ICMP packets of
type 17.

Risk factor : Low
CVE : CAN-1999-0524


Warning found on port echo (7/udp)

The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.

Risk factor : Low.

Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103


Warning found on port daytime (13/udp)

The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.

In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103


Warning found on port chargen (19/udp)

The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.

When contacted, chargen responds with a stream of characters (something like
all the characters of the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

An easy attack is 'pingpong', which IP-spoofs a packet between two machines
running chargen. They will commence spewing characters at each other, slowing
the machines down and saturating the network.

Solution : disable this service in /etc/inetd.conf.

Risk factor : Low
CVE : CVE-1999-0103
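Almost every "Solution" in this report reads "comment out the line in /etc/inetd.conf": echo, daytime, chargen, telnet, finger, exec, login and shell, and the RPC daemons walld, sprayd, rusersd, rstatd, rquotad, sadmind, cmsd and ttdbserverd, all start from inetd on Solaris. The script below is an added example written for this page, not part of the original article. It comments out every active entry whose service name (or RPC program number, for the numeric entries) is in a chosen set, keeps a backup, and sends inetd a SIGHUP so it re-reads the file. The embedded SAMPLE is a constructed excerpt in the Solaris inetd.conf format, not a copy of any real host's file; ftp is deliberately left active because the report's advice for it is to patch or replace the server, not to disable it, and discard and time are included only because the port list shows them open:

```python
import shutil
import subprocess
import sys
from datetime import datetime

# Entries to disable, keyed by the first field of the inetd.conf line. On Solaris the
# RPC entries use "name/version" or "programnumber/version", so the key is the part
# before the slash.
FLAGGED = {
    "echo", "discard", "daytime", "chargen", "time",      # the "small servers"
    "finger", "exec", "login", "shell", "telnet",        # cleartext and r-services
    "walld", "sprayd", "rusersd", "rstatd", "rquotad",   # RPC entries by name
    "100232",   # sadmind
    "100068",   # rpc.cmsd (CDE calendar manager)
    "100083",   # rpc.ttdbserverd (ToolTalk)
}

# Constructed excerpt in the Solaris inetd.conf format (not copied from a real host).
SAMPLE = """\
# inetd.conf excerpt, constructed for the example
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
time    stream  tcp     nowait  root    internal
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
discard stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
daytime dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
walld/1 tli     rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
"""


def harden_inetd_conf(text, disable=FLAGGED):
    """Comment out every active entry whose key is in `disable`.
    Returns (new_text, list_of_keys_disabled); already-commented lines are untouched."""
    out, disabled = [], []
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped and not stripped.startswith("#"):
            key = stripped.split()[0].split("/")[0]
            if key in disable:
                out.append("#" + line)
                disabled.append(key)
                continue
        out.append(line)
    return "\n".join(out) + "\n", disabled


def active_services(text):
    """Keys of the entries that are still enabled; use it to verify the result."""
    return {ln.split()[0].split("/")[0] for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def main(path):
    with open(path) as fh:
        original = fh.read()
    new_text, disabled = harden_inetd_conf(original)
    if not disabled:
        print("nothing to change")
        return 0
    backup = f"{path}.{datetime.now():%Y%m%d%H%M%S}"
    shutil.copy2(path, backup)
    with open(path, "w") as fh:
        fh.write(new_text)
    print(f"disabled {sorted(set(disabled))}; original saved as {backup}")
    print("still active:", sorted(active_services(new_text)))
    # inetd re-reads its configuration on SIGHUP; pkill exists from Solaris 7 on.
    subprocess.run(["pkill", "-HUP", "inetd"], check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/etc/inetd.conf"))
```

statd and nlockmgr are not inetd entries; they are started by the NFS client start-up script, so disabling them (if this host does not need NFS) is a separate change. After the reload, confirm with netstat -a or a fresh scan that the listeners are really gone: inetd only closes ports it has re-read as commented out.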

All images, content & text (unless other ownership applies) are © copyrighted 2002,Infosecwriters.com. All rights reserved. Comments are property of the respective posters.