Your Company System Detail - April 2011

Reference:
YC 201135
System 192.168.0.102 ( http://www.yourcompany.net )   SANS
Criticality
Scan Type Enterprise
Start Date 13-Apr-11 11:54
End Date 13-Apr-11 12:54
Customer Ref
Groups US, Unix
Contact E-mail Role
janebloggs@yourcompany.com business
johndoe@yoursecurity.co.uk Technical

Ports: 2 (High:0 Low:2)

  Port Protocol Service Details  
  100 tcp unknown Apache  
  200 tcp unknown SSH-2.0-OpenSSH_2.9p2  

Ports Closed Since Last Month: 3 (High:3 Low:0)

  Port Protocol Service Details  
  135 tcp msrpc No banner found  
  137 tcp netbios-ns 8 names found  
  139 tcp netbios-ssn Close Immediately with TCP RST  


Vulnerabilities: 5 (High:0 Medium:3 Low:2)

Vulnerability 10815 Cross-Site Scripting Medium Risk
Description This system is running a web server or web application which is vulnerable to Cross-Site Scripting (XSS) attacks. Certain pages include user-supplied input in the response without escaping HTML special characters. An attacker could use this to inject JavaScript or HTML that runs in a victim's browser within the security context (origin) of your site, allowing them to steal session cookies, form details, and so on. An example that demonstrates this is:
https://192.168.0.102/x/<script>alert("vulnerable!")</script>
This is simply an example that illustrates the problem; fix the underlying issue rather than attempting to block this specific payload.

Note: This vulnerability must be addressed server-side. Adding JavaScript (client-side) validation on form fields does not offer any protection against Cross-Site Scripting or other attacks. 

Solution Recode your web application so that all user-supplied input is encoded for the context in which it is output (HTML body, attribute, JavaScript or URL; see the OWASP cheat sheet in the references), or contact your web application vendor for a patch. Any JavaScript-based (client-side) fix will not be effective. 
Category Application or content flaw.
References CERT Advisory CA-2000-02    PHP htmlspecialchars Quoting Function    General Info    XSS Anatomy    How To: Prevent Cross-Site Scripting in ASP.NET    OWASP XSS Prevention Cheat Sheet   
CVE References CVE-2003-1543 CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2006-1681 CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2002-1060 CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  CVE-2005-2453 CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
First Found 13 December 2010 Port 80/tcp Last 6 Months
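As an added illustration (not part of the scan report and not code from the scanned system), the following Python shows a hypothetical "page not found" handler that reflects the request path the way the finding describes, the same handler with the value HTML-encoded, and the reflection check a scanner performs. Python's html.escape plays the role of the PHP htmlspecialchars function in the references; the handler, the path and the response markup are assumptions for illustration.

```python
import html
from urllib.parse import unquote

# The demonstration payload from the finding above.
SCANNER_PAYLOAD = '<script>alert("vulnerable!")</script>'


def render_vulnerable(path: str) -> str:
    """Hypothetical 'page not found' handler that reflects the requested
    path into the HTML body without encoding it. This is the pattern the
    finding describes: user input reaches the response with < > " intact."""
    return f"<html><body><p>No such page: {unquote(path)}</p></body></html>"


def render_fixed(path: str) -> str:
    """Same handler with the user-supplied value encoded for the HTML
    element-content context it lands in. quote=True also encodes ' and ",
    so the same call is safe inside a quoted attribute value. Other
    contexts (inside <script>, in a URL, in CSS) need their own encoding
    and are not covered by this function."""
    safe = html.escape(unquote(path), quote=True)
    return f"<html><body><p>No such page: {safe}</p></body></html>"


def reflects_unescaped(body: str, payload: str = SCANNER_PAYLOAD) -> bool:
    """The check a scanner performs: does the raw payload come back in the
    response body? If so, HTML special characters were not encoded."""
    return payload in body


if __name__ == "__main__":
    # URL-encoded form of the finding's example request path (constructed).
    request_path = "/x/%3Cscript%3Ealert(%22vulnerable!%22)%3C/script%3E"
    for name, handler in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        body = handler(request_path)
        print(f"{name:10} reflected unescaped: {reflects_unescaped(body)}")
        print("  ", body)
```

The fixed handler still echoes the attacker's text; it simply arrives as data (&lt;script&gt;...) rather than as markup, which is the server-side fix the solution calls for. Encoding is context-specific: html.escape is correct for HTML body and attribute contexts only.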

Vulnerability 10539 Globally Usable Name Server   SANS Medium Risk
Description This system is running a name server that allows any system on the Internet to perform recursive queries and resolve third-party domain names. A remote attacker could use this to extract information about your name lookup patterns, and may be able to perform DNS cache poisoning attacks. 
Solution Restrict recursive queries to trusted addresses. For servers running BIND, use the allow-recursion or allow-query directives. 
Category Hosting or infrastructure flaw.
References Securing Windows Server 2003 Domain Controllers   
CVE Reference CVE-1999-0024 CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
First Found 13 May 2010 Port 53/udp Last 6 Months

Vulnerability 10882 SSH Protocol Version 1 Enabled Medium Risk
Description This system is running an SSH service with SSH protocol version 1 enabled. Version 1 of the protocol has known cryptographic weaknesses. A passive eavesdropper could use them to extract information such as the lengths of passwords and commands. 
Solution Configure your SSH service to only use protocol version 2. For OpenSSH, set the 'Protocol' option to '2'. 
Category Hosting or infrastructure flaw.
References US-CERT VU#596827    OSVDB ID 2116   
CVE References CVE-2001-0361 CVSS2 4.0 (Medium) (AV:N/AC:H/Au:N/C:P/I:P/A:N)
  CVE-2001-0572 CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
First Found 13 January 2011 Port 22/tcp Last 6 Months

Vulnerability 12217 DNS Cache Snooping Low Risk
Description This system is running a DNS server that accepts queries from any address (although recursive queries may be disabled). The name server responds differently for domains that have recently been looked up. A remote attacker could use this to determine whether certain sites have been visited by users of this name server. 
Solution Restrict access to the DNS cache to local users. For BIND, use the allow-query directive (on BIND 9.4 and later, allow-query-cache restricts cache lookups specifically while leaving authoritative zones answerable). 
Category Hosting or infrastructure flaw.
References DNS Cache Snooping   
CVE Reference CVE-MAP-NOMATCH CVSS2 4.3 (Medium) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
First Found 13 March 2011 Port 53/udp Last 6 Months

Vulnerability 11213 TRACE and/or TRACK Methods Enabled Low Risk
Description This system supports the HTTP TRACE and/or TRACK methods. These increase the exploitability of any cross-site scripting vulnerabilities that may exist in your site. As they are primarily intended for debugging, they can be turned off without reduction of service. 
Solution Disable these methods on production servers.
IIS6, IIS7: Use the URLScan Security tool
IIS5: Use the IIS Lockdown tool
Apache: set the configuration option 'TraceEnable off' (available from 1.3.34 and 2.0.55); on older versions, use mod_rewrite to answer TRACE and TRACK requests with 403 Forbidden. 
Category Hosting or infrastructure flaw.
References UrlScan Security Tool    US-CERT VU#867593    IIS Lockdown Tool    Apache TraceEnable Directive   
CVE References CVE-2004-2320 CVSS2 2.6 (Low) (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVE-2003-1567 CVSS2 2.6 (Low) (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  CVE-2010-0386 CVSS2 2.6 (Low) (AV:N/AC:H/Au:N/C:N/I:P/A:N)
First Found 13 December 2010 Port 100/tcp Last 6 Months
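The solutions for findings 10539 (recursion), 10882 (SSH protocol 1), 12217 (cache snooping) and 11213 (TRACE/TRACK) are all configuration changes. The following Python, added here and not part of the report or of any vendor tool, puts the weak setting beside the corrected one for named.conf, sshd_config and httpd.conf and audits each fragment with simple regex checks. The sample fragments are constructed, the ACL addresses and paths are placeholders, and the checks are heuristics rather than full parsers (views, includes and per-zone overrides are not handled).

```python
from __future__ import annotations
import re

# Constructed sample configuration fragments (not taken from the scanned host).
# Each WEAK fragment reproduces the condition a finding describes; each FIXED
# fragment is the corrected form. ACL addresses and paths are placeholders.

NAMED_CONF_WEAK = """\
options {
    directory "/var/named";
    recursion yes;   // no allow-recursion / allow-query: anyone may use the cache
};
"""

NAMED_CONF_FIXED = """\
acl "trusted" { 127.0.0.1; 192.168.0.0/24; };   // placeholder client range
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };    // finding 10539: who may resolve third-party names
    allow-query-cache { trusted; };  // finding 12217 (BIND 9.4+): who may read cached answers
    allow-query { trusted; };        // override with allow-query { any; } inside public zones
};
"""

SSHD_CONFIG_WEAK = "Protocol 2,1\n"   # finding 10882: version 1 still offered
SSHD_CONFIG_FIXED = "Protocol 2\n"

HTTPD_CONF_WEAK = "# nothing set: TraceEnable defaults to on\n"
HTTPD_CONF_FIXED = """\
TraceEnable off
# Alternative for builds without TraceEnable: refuse the verbs with mod_rewrite
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F]
"""

_BIND_COMMENT = re.compile(r"(?://|#)[^\n]*|/\*.*?\*/", re.S)
_HASH_COMMENT = re.compile(r"#[^\n]*")


def _bind_acl_is_open(text: str, directive: str) -> bool:
    """True if the directive is absent or lists 'any'. Regex matching only,
    not a named.conf parser: views and includes are not handled."""
    m = re.search(r"\b" + re.escape(directive) + r"\s*\{([^}]*)\}", text)
    return m is None or "any" in re.findall(r"[^\s;]+", m.group(1))


def check_named_conf(text: str) -> list[str]:
    text = _BIND_COMMENT.sub("", text)
    issues = []
    recursion_off = re.search(r"\brecursion\s+no\s*;", text) is not None
    if not recursion_off and _bind_acl_is_open(text, "allow-recursion"):
        issues.append("recursion open to any client (finding 10539)")
    if _bind_acl_is_open(text, "allow-query-cache") and _bind_acl_is_open(text, "allow-query"):
        issues.append("cache readable by any client (finding 12217)")
    return issues


def check_sshd_config(text: str) -> list[str]:
    text = _HASH_COMMENT.sub("", text)
    m = re.search(r"^\s*Protocol\s+([\d,]+)", text, re.M | re.I)
    # Assumption: when Protocol is absent, an OpenSSH of the 2.9/3.x era offers both versions.
    versions = set(m.group(1).split(",")) if m else {"2", "1"}
    return ["SSH protocol 1 enabled (finding 10882)"] if "1" in versions else []


def check_httpd_conf(text: str) -> list[str]:
    text = _HASH_COMMENT.sub("", text)
    m = re.search(r"^\s*TraceEnable\s+(\S+)", text, re.M | re.I)
    if m and m.group(1).lower() == "off":
        return []
    if re.search(r"RewriteCond\s+%\{REQUEST_METHOD\}\s+\^\(?TRACE", text, re.I):
        return []
    return ["TRACE/TRACK enabled (finding 11213; TraceEnable defaults to on)"]


if __name__ == "__main__":
    for label, checker, weak, fixed in (
        ("named.conf", check_named_conf, NAMED_CONF_WEAK, NAMED_CONF_FIXED),
        ("sshd_config", check_sshd_config, SSHD_CONFIG_WEAK, SSHD_CONFIG_FIXED),
        ("httpd.conf", check_httpd_conf, HTTPD_CONF_WEAK, HTTPD_CONF_FIXED),
    ):
        print(f"{label}: weak  -> {checker(weak)}")
        print(f"{label}: fixed -> {checker(fixed)}")
```

Point the checkers at the real files (for example the text of /etc/named.conf) to confirm a change before the next monthly scan. Note that absence is the dangerous case for both TraceEnable and Protocol: an empty file passes nothing, which is why the weak httpd.conf sample contains only a comment.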


Vulnerabilities Fixed Since Last Month: 3 (High:1 Medium:2 Low:0)

Vulnerability 90027 High Risk Ports Open High Risk
Description The following high risk ports are open:
PORT      SERVICE
135/tcp   msrpc
137/tcp   netbios-ns
139/tcp   netbios-ssn
It is generally not recommended to expose these ports to the internet as they may be used as attack vectors. If access to these services from remote sites is required, tunnelling or a VPN would be recommended instead of exposing these ports.

Note: Even if a service accepts the connection and immediately closes it, this is still a security risk because the packets are reaching the destination host. Drop packets from untrusted sources at the firewall instead of letting the host reject them. 

Solution Ensure that the ports are filtered by your router or firewall or close the ports on the affected systems. 
Category Hosting or infrastructure flaw.
CVE Reference CVE-MAP-NOMATCH CVSS2 6.4 (Medium) (AV:N/AC:L/Au:N/C:P/I:P/A:N)
First Found 13 May 2010 Port general Last 6 Months

Vulnerability 11793 Apache < 1.3.28 Multiple flaws Medium Risk
Description According to its banner, this web server is running a version of Apache older than 1.3.28. Apache 1.3.28 fixed multiple minor denial of service flaws present in earlier versions. Although these are not exploitable in all configurations, it is recommended that you upgrade to the latest version. 
Solution Upgrade to an unaffected version. 
Category Hosting or infrastructure flaw.
References Apache Announcement   
CVE References CVE-2002-0061 CVSS2 7.5 (High) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  CVE-2003-0460 CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
First Found 13 March 2011 Port No information available Last 6 Months

Vulnerability 10736 DCE Services Enumeration Medium Risk
Description It is possible for any remote user to connect to port 135 on this host and enumerate the available DCE services. The information leaked is relatively low risk in itself, although an attacker could use it to target further attacks. More importantly, the finding shows that Windows file sharing (NetBIOS/MSRPC) is reachable from the Internet, which is considered unwise.
 
Solution Use a firewall to restrict access to Windows file sharing ports to trusted addresses. 
Category Hosting or infrastructure flaw.
CVE Reference CVE-MAP-NOMATCH CVSS2 5.0 (Medium) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
First Found 13 March 2011 Port 135/tcp Last 6 Months


Historical Information

Scans by Westpoint Ltd