This test was against Solaris 8 Release 4/01 on a SPARC Ultra 10 platform.
We installed the latest cluster_patch from the SunSolve directory that
was downloaded in January 2002. This test demonstrated little change from
the original default scan. This prompted us to research this a little
deeper to understand exactly what has happened here. We will be providing
a special document. Nessus reported the following:
Nessus Scan Report
--------------------------------------------------------------------------------
Number of hosts which were alive during the test : 1
Number of security holes found : 2
Number of security warnings found : 24
Number of security notes found : 6
List of the tested hosts :
151.108.233.165 (Security holes found)
--------------------------------------------------------------------------------
151.108.233.165 :
List of open ports :
echo (7/tcp) (Security warnings found)
discard (9/tcp)
daytime (13/tcp) (Security warnings found)
chargen (19/tcp) (Security warnings found)
ftp (21/tcp) (Security notes found)
telnet (23/tcp) (Security warnings found)
smtp (25/tcp) (Security warnings found)
time (37/tcp)
finger (79/tcp) (Security warnings found)
sunrpc (111/tcp)
exec (512/tcp) (Security warnings found)
login (513/tcp) (Security warnings found)
shell (514/tcp) (Security warnings found)
printer (515/tcp)
uucp (540/tcp)
submission (587/tcp) (Security warnings found)
unknown (4045/tcp)
x11 (6000/tcp)
unknown (6112/tcp)
xfs (7100/tcp)
general/tcp (Security notes found)
general/udp (Security notes found)
unknown (32777/udp) (Security warnings found)
unknown (32773/tcp) (Security warnings found)
unknown (32772/udp) (Security warnings found)
unknown (32776/udp) (Security warnings found)
unknown (32773/udp) (Security hole found)
unknown (32775/udp) (Security warnings found)
unknown (32778/udp) (Security warnings found)
unknown (32774/udp) (Security warnings found)
unknown (4045/udp) (Security warnings found)
unknown (32779/udp) (Security hole found)
general/icmp (Security warnings found)
echo (7/udp) (Security warnings found)
daytime (13/udp) (Security warnings found)
chargen (19/udp) (Security warnings found)
Warning found on port echo (7/tcp)
The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.
Risk factor : Low.
Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
[ back to the list of ports ]
Warning found on port daytime (13/tcp)
The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.
In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
[ back to the list of ports ]
Warning found on port chargen (19/tcp)
The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.
When contacted, chargen responds with some random (something like all
the characters in the alphabet in row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.
An easy attack is 'pingpong' which IP spoofs a packet between two machines
running chargen. They will commence spewing characters at each other,
slowing
the machines down and saturating the network.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
[ back to the list of ports ]
Information found on port ftp (21/tcp)
Remote FTP server banner :
sunmgr38 ftp server (sunos 5.8) ready.
[ back to the list of ports ]
Warning found on port telnet (23/tcp)
The Telnet service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the telnet client
and the telnet server. This includes logins
and passwords.
You should disable this service and use OpenSSH instead.
(www.openssh.com)
Solution : Comment out the 'telnet' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0619
[ back to the list of ports ]
Information found on port telnet (23/tcp)
Remote telnet banner :
SunOS 5.8
[ back to the list of ports ]
Warning found on port smtp (25/tcp)
The remote SMTP server
answers to the EXPN and/or VRFY commands.
The EXPN command can be used to find
the delivery address of mail aliases, or
even the full name of the recipients, and
the VRFY command may be used to check the
validity of an account.
Your mailer should not allow remote users to
use any of these commands, because it gives
them too much informations.
Solution : if you are using sendmail, add the
option
O PrivacyOptions=goaway
in /etc/sendmail.cf.
Risk factor : Low
CVE : CAN-1999-0531
[ back to the list of ports ]
Information found on port smtp (25/tcp)
Remote SMTP server banner :
sunmgr38 ESMTP Sendmail 8.10.2+Sun/8.10.2
Fri, 11 Jan 2002 14:57:49 -0500 (EST)
214-2.0.0 This is sendmail version 8.10.2+Sun214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation contact Sun Microsystems
214-2.0.0 Technical Support.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
[ back to the list of ports ]
Warning found on port finger (79/tcp)
The remote finger daemon accepts
to redirect requests. That is, users can perform
requests like :
finger user@host@victim
This allows crackers to use your computer
as a relay to gather informations on another
network, making the other network think you
are making the requests.
Solution: disable your finger daemon (comment out
the finger line in /etc/inetd.conf) or
install a more secure one.
Risk factor : Low
CVE : CAN-1999-0105
[ back to the list of ports ]
Warning found on port finger (79/tcp)
The 'finger' service provides useful informations
to crackers, since it allow them to gain usernames, check if a machine
is being used, and so on...
Risk factor : Low.
Solution : comment out the 'finger' line in /etc/inetd.conf
CVE : CVE-1999-0612
[ back to the list of ports ]
Warning found on port exec (512/tcp)
The rexecd service is open.
Because rexecd does not provide any good
means of authentification, it can be
used by crackers to scan a third party
host, giving you troubles or bypassing
your firewall.
Solution : comment out the 'exec' line
in /etc/inetd.conf.
Risk factor : Medium
CVE : CAN-1999-0618
[ back to the list of ports ]
Warning found on port login (513/tcp)
The rlogin service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the rlogin client
and the rlogin server. This includes logins
and passwords.
You should disable this service and use openssh instead
(www.openssh.com)
Solution : Comment out the 'rlogin' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651
[ back to the list of ports ]
Warning found on port shell (514/tcp)
The rsh service is running.
This service is dangerous in the sense that
it is not ciphered - that is, everyone can sniff
the data that passes between the rsh client
and the rsh server. This includes logins
and passwords.
You should disable this service and use ssh instead.
Solution : Comment out the 'rsh' line in /etc/inetd.conf.
Risk factor : Low
CVE : CAN-1999-0651
[ back to the list of ports ]
Warning found on port submission (587/tcp)
a SMTP server is running on this port.
Here is its banner :
220 sunmgr38 esmtp sendmail 8.10.2+sun/8.10.2
fri, 11 jan 2002 14:51:14 -0500 (est)
[ back to the list of ports ]
Information found on port submission (587/tcp)
Remote SMTP server banner :
sunmgr38 ESMTP Sendmail 8.10.2+Sun/8.10.2
Fri, 11 Jan 2002 14:57:52 -0500 (EST)
214-2.0.0 This is sendmail version 8.10.2+Sun214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation contact Sun Microsystems
214-2.0.0 Technical Support.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
[ back to the list of ports ]
Information found on port general/tcp
Nmap found that this host is running Sun Solaris 8 early acces beta through
actual release
[ back to the list of ports ]
Information found on port general/udp
For your information, here is the traceroute to 151.108.233.165 :
151.108.233.165
[ back to the list of ports ]
Warning found on port unknown (32777/udp)
The walld RPC service is running.
It is usually used by the administrator
to tell something to the users of a
network by making a message appear
on their screen.
Since this service lacks any kind
of authentification, a cracker
may use it to trick users into
doing something (change their password,
leave the console, or worse), by sending
a message which would appear to be
written by the administrator.
It can also be used as a denial of service
attack, by continually sending garbage
to the users screens, preventing them
from working properlly.
Solution : Deactivate this service.
Risk factor : Medium
CVE : CVE-1999-0181
[ back to the list of ports ]
Warning found on port unknown (32773/tcp)
The tooltalk RPC service is running.
An possible implementation fault in the
ToolTalk object database server may allow a
cracker to execute arbitrary commands as
root.
** This warning may be a false
positive since the presence
of the bug was not tested **
Solution : Disable this service.
See also : CERT Advisory CA-98.11
Risk factor : High
CVE : CVE-1999-0003
[ back to the list of ports ]
Warning found on port unknown (32772/udp)
The statd RPC service is running.
This service has a long history of
security holes, so you should really
know what you are doing if you decide
to let it run.
* NO SECURITY HOLE REGARDING THIS
PROGRAM HAVE BEEN TESTED, SO
THIS MIGHT BE A FALSE POSITIVE *
We suggest you to disable this
service.
Risk factor : High
CVE : CVE-1999-0018
[ back to the list of ports ]
Warning found on port unknown (32776/udp)
The sprayd RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.
Risk factor : Low
CVE : CAN-1999-0613
[ back to the list of ports ]
Vulnerability found on port unknown (32773/udp)
The sadmin RPC service is running.
There is a bug in Solaris versions of
this service that allow an intruder to
execute arbitrary commands on your system.
Solution : disable this service
Risk factor : High
[ back to the list of ports ]
Warning found on port unknown (32775/udp)
The rusersd RPC service is running.
It provides an attacker interesting
informations such as how often the
system is being used, the names of
the users, and so on.
It usually not a good idea to let this
service open.
Risk factor : Low
CVE : CVE-1999-0626
[ back to the list of ports ]
Warning found on port unknown (32778/udp)
The rstatd RPC service is running.
It provides an attacker interesting
informations such as :
- the CPU usage
- the system uptime
- its network usage
- and more
It usually not a good idea to let this
service open
Risk factor : Low
CVE : CAN-1999-0624
[ back to the list of ports ]
Warning found on port unknown (32774/udp)
The rquotad RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.
Risk factor : Low
CVE : CAN-1999-0625
[ back to the list of ports ]
Warning found on port unknown (4045/udp)
The nlockmgr RPC service is running.
If you do not use this service, then
disable it as it may become a security
threat in the future, if a vulnerability
is discovered.
Risk factor : Low
CVE : CAN-2000-0508
[ back to the list of ports ]
Vulnerability found on port unknown (32779/udp)
The cmsd RPC service is running.
This service has a long history of
security holes, so you should really
know what you are doing if you decide
to let it run.
* NO SECURITY HOLE REGARDING THIS
PROGRAM HAS BEEN TESTED, SO
THIS MIGHT BE A FALSE POSITIVE *
We suggest you to disable this
service.
Risk factor : High
CVE : CVE-1999-0320
[ back to the list of ports ]
Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
[ back to the list of ports ]
Warning found on port general/icmp
The remote host answered to an ICMP_MASKREQ
query and sent us its netmask.
An attacker can use this information to
understand how your network is set up
and how the routing is done. This may
help him to bypass your filters.
Solution : reconfigure the remote host so
that it does not answer to those requests.
Set up filters that deny ICMP packets of
type 17.
Risk factor : Low
CVE : CAN-1999-0524
[ back to the list of ports ]
Warning found on port echo (7/udp)
The 'echo' port is open. This port is
not of any use nowadays, and may be a source of problems,
since it can be used along with other ports to perform a denial
of service. You should really disable this service.
Risk factor : Low.
Solution : comment out 'echo' in /etc/inetd.conf
CVE : CVE-1999-0103
[ back to the list of ports ]
Warning found on port daytime (13/udp)
The daytime service is running.
The date format issued by this service
may sometimes help an attacker to guess
the operating system type.
In addition to that, when the UDP version of
daytime is running, an attacker may link it
to the echo port using spoofing, thus creating
a possible denial of service.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
[ back to the list of ports ]
Warning found on port chargen (19/udp)
The chargen service is running.
The 'chargen' service should only be enabled when testing the machine.
When contacted, chargen responds with some random (something like all
the characters in the alphabet in row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.
An easy attack is 'pingpong' which IP spoofs a packet between two machines
running chargen. They will commence spewing characters at each other,
slowing
the machines down and saturating the network.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
CVE : CVE-1999-0103
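Most of the ports Nessus lists as "unknown" above are RPC services that the Solaris portmapper hands ephemeral ports from 32772 upward, so the number alone says nothing and the same number can carry different services on TCP and UDP (32773 is tooltalk on TCP and sadmind on UDP in this report). The script below is an added example, not part of the original page or of Nessus: it takes the port-list lines from the report and labels them from `rpcinfo -p` output. The rpcinfo output embedded in it is a constructed sample in Solaris format with ports chosen to line up with the report; it is not a capture from the scanned host.

```shell
#!/bin/sh
# Added example: map the "unknown (NNNNN/udp)" entries in a Nessus port list
# back to RPC program names using `rpcinfo -p <host>`. On Solaris the
# portmapper assigns these services ephemeral ports (32772 and up), so the
# port number alone identifies nothing; port plus protocol does.

# Constructed sample of `rpcinfo -p` output in Solaris format. It is not a
# capture from the scanned host; ports were chosen to line up with the report.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100232   10   udp  32773  sadmind
    100083    1   tcp  32773  ttdbserverd
    100008    1   udp  32777  walld
    100024    1   udp  32772  status
    100012    1   udp  32776  sprayd
    100002    3   udp  32775  rusersd
    100001    3   udp  32778  rstatd
    100011    1   udp  32774  rquotad
    100021    4   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100068    5   udp  32779  cmsd'

# Port-list lines copied from the report's "List of open ports" section.
NESSUS_PORTS_SAMPLE='unknown (4045/tcp)
unknown (6112/tcp)
unknown (32777/udp) (Security warnings found)
unknown (32773/tcp) (Security warnings found)
unknown (32772/udp) (Security warnings found)
unknown (32773/udp) (Security hole found)
unknown (32779/udp) (Security hole found)'

# rpc_service_name PORT PROTO   (rpcinfo -p output on stdin)
# Prints the service registered on PORT/PROTO, or "unregistered" when the
# portmapper knows nothing about it (the port is then not an RPC service;
# 6112/tcp on Solaris 8 is normally dtspcd, started from inetd, not RPC).
rpc_service_name() {
    awk -v port="$1" -v proto="$2" '
        NR > 1 && $3 == proto && $4 == port { print $5; found = 1; exit }
        END { if (!found) print "unregistered" }'
}

# annotate_unknown_ports NESSUS_PORT_LIST RPCINFO_OUTPUT
# Emits one "PORT/PROTO NAME" line per "unknown (...)" entry in the list.
annotate_unknown_ports() {
    printf '%s\n' "$1" |
    sed -n 's|^unknown (\([0-9][0-9]*\)/\([a-z]*\)).*|\1 \2|p' |
    while read -r port proto; do
        name=$(printf '%s\n' "$2" | rpc_service_name "$port" "$proto")
        printf '%s/%s %s\n' "$port" "$proto" "$name"
    done
}

# Against a live host, replace the sample with real output, e.g.
#   rpcinfo -p 151.108.233.165 > rpcinfo.txt
annotate_unknown_ports "$NESSUS_PORTS_SAMPLE" "$RPCINFO_SAMPLE"
```

Run the mapping before deciding what to disable: a port that rpcinfo does not know is not an RPC service and has to be traced another way (on the host, `netstat -an` plus the inetd.conf entry), and the high-risk findings (sadmind, cmsd, tooltalk) are only meaningful once you know which daemon is actually behind the port.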
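The reason the patched host scans almost like the default one is that a patch cluster replaces binaries and never touches /etc/inetd.conf; nearly every finding above is an inetd-started service that Solaris 8 ships enabled. The script below is an added example, not from the original page or from Sun: it comments out the flagged entries in an inetd.conf copy, handling both the classic entries (matched on the service name in field 1) and the RPC entries, whose first field is a program number such as 100232/10 and which are matched on the server program in field 6. The inetd.conf excerpt embedded in it is constructed in Solaris 8 layout and is not the scanned host's file. Entries not started by inetd are out of scope: sendmail (25 and 587, /etc/init.d/sendmail), statd and lockd on 4045 (/etc/init.d/nfs.client) and the X server on 6000.

```shell
#!/bin/sh
# Added example: disable the inetd-started services the scan flagged.
# Classic entries are matched on field 1 (the service name); RPC entries,
# whose field 1 is a program number like "100232/10", are matched on the
# basename of the server path in field 6.

AWK=${AWK:-awk}   # on Solaris 8 use AWK=/usr/bin/nawk; the old /usr/bin/awk lacks -v

DISABLE_SERVICES='echo discard daytime chargen time telnet finger exec login shell uucp fs dtspc'
DISABLE_PROGRAMS='sadmind rpc.ttdbserverd rpc.cmsd rpc.rwalld rpc.sprayd rpc.rusersd rpc.rstatd rpc.rquotad'

# harden_inetd_conf INPUT OUTPUT
# Writes INPUT to OUTPUT with the listed entries commented out and prints the
# number of entries it disabled. Lines already commented are left alone.
harden_inetd_conf() {
    "$AWK" -v svc="$DISABLE_SERVICES" -v prog="$DISABLE_PROGRAMS" -v out="$2" '
        BEGIN {
            n = split(svc, a, " ");  for (i = 1; i <= n; i++) S[a[i]] = 1
            n = split(prog, b, " "); for (i = 1; i <= n; i++) P[b[i]] = 1
        }
        /^[ \t]*#/ || NF < 6 { print > out; next }    # comment, blank or malformed line
        {
            base = $6; sub(/.*\//, "", base)           # server program basename
            if (($1 in S) || (base in P)) { print "#" $0 > out; disabled++ }
            else                          { print $0 > out }
        }
        END { print disabled + 0 }
    ' "$1"
}

# Constructed excerpt in Solaris 8 inetd.conf layout (not the scanned host's file).
SAMPLE_INETD_CONF='# Ftp and telnet are standard Internet services.
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
#daytime stream  tcp     nowait  root    internal
100232/10  tli   rpc/udp        wait    root    /usr/sbin/sadmind       sadmind
100083/1   tli   rpc/tcp        wait    root    /usr/dt/bin/rpc.ttdbserverd     rpc.ttdbserverd
100068/2-5 dgram rpc/udp        wait    root    /usr/dt/bin/rpc.cmsd    rpc.cmsd
100008/1   tli   rpc/datagram_v wait    root    /usr/lib/netsvc/rwall/rpc.rwalld        rpc.rwalld
dtspc   stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd'

# Stand-alone demonstration on the constructed excerpt.
tmp=${TMPDIR:-/tmp}/inetd.conf.demo.$$
printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp.in"
echo "disabled $(harden_inetd_conf "$tmp.in" "$tmp.out") entries"
rm -f "$tmp.in" "$tmp.out"

# On the real host, as root:
#   cp /etc/inetd.conf /etc/inetd.conf.orig
#   harden_inetd_conf /etc/inetd.conf.orig /etc/inetd.conf
#   pkill -HUP inetd                    # inetd rereads its configuration on SIGHUP
#   netstat -an | grep LISTEN           # confirm the TCP listeners are gone
#   rpcinfo -p localhost                # confirm the RPC registrations are gone
```

Rescan after the reload; the echo/chargen/daytime, r-services, finger and RPC findings should disappear, and what remains (sendmail EXPN/VRFY, the ICMP timestamp and netmask replies, nlockmgr) is owned by standalone daemons and kernel settings rather than by inetd and needs to be handled separately.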