Your Company System Detail - April 2010

System 192.168.0.110 ( http://dns0.example.com )   SANS   OVERDUE
Criticality
Scan Type Enterprise
Start Date 13-Apr-10 11:54
End Date 13-Apr-10 15:51
Customer Ref
Groups Asia, Unix
PCI Status COMPONENT FAILED
Contact E-mail               Role
manager@yourcompany.com      Business
janebloggs@yourcompany.com   Business
joe.bloggs@technicians.com   Technical

Ports: 5 (High:1 Low:4)

  Port/Type   Protocol  Service          Details
  53          tcp       domain           None
  53          udp       domain           version.bind TXT "8.2.2-P6"
  161         udp       snmp             uptime 347844596 centiseconds
  NEW 0       icmp      echo reply       Response Received
  NEW 14      icmp      timestamp reply  Timestamp is 15:47:32
  (For icmp rows the first column is the ICMP message type, not a port.)

Ports Closed Since Last Month: 1 (High:1 Low:0)

  Port  Protocol  Service  Details
  23    tcp       telnet   Response Received


Vulnerabilities: 4 (High:3 Medium:1 Low:0)

Vulnerability 90027 High Risk Ports Open High Risk
Description The following high risk ports are open:
PORT      SERVICE
161/udp   snmp
It is generally not recommended to expose these ports to the internet as they may be used as attack vectors. If access to these services from remote sites is required, tunnelling or a VPN would be recommended instead of exposing these ports.

Note: Even if the ports are immediately closed after being opened, this is still a security risk as packets are reaching the destination host. It is recommended to completely drop packets from untrusted sources instead. 

Solution Ensure that the ports are filtered by your router or firewall or close the ports on the affected systems. 
Category Hosting or infrastructure flaw.
First Found 13 October 2009 Port general Last 6 Months

Vulnerability 10605 BIND < 8.2.3 Buffer Overrun   SANS   OVERDUE High Risk
Description This system is running a vulnerable version of BIND, according to its banner. There is a buffer overrun in the code that handles transaction signatures (TSIG). A remote attacker could use this to crash the service or execute arbitrary code with the privileges of the name server process. Note that this check is banner-based: a build that has been patched but still reports the old version string will be flagged, and a server configured to hide its version string will not be flagged even if it is vulnerable.
Solution Upgrade to an unaffected version, or apply a patch. 
References CVE-2001-0011    CVE-2001-0012    CVE-2001-0013    CVE-2001-0010   
Deadline 13 August 2009
First Found 13 March 2010 Port 53/udp Last 6 Months

Vulnerability 10264 SNMP Default Community Names   SANS High Risk
Description This system is running an SNMP agent which accepts an easily guessable community string (such as the default "public"). This enables an attacker to extract a large amount of useful information about the host. If a writeable community string is guessable, an attacker could also make configuration changes to the server. Here is a sample of the information that can be extracted:
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.1 = "System Idle Process"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.8 = "System"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.168 = "SMSS.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.192 = "CSRSS.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.212 = "WINLOGON.EXE"
host.hrSWRun.hrSWRunTable.hrSWRunEntry.hrSWRunName.240 = "SERVICES.EXE"
 
Solution Disable SNMP if it is not needed. Otherwise use SNMPv3 with authentication, or at least change the community strings to unguessable values and restrict the agent to trusted management addresses. 
Category Hosting or infrastructure flaw.
References CVE-1999-0186    CVE-1999-0254    CVE-1999-0516    CVE-1999-0517   
CVSS Score 7.5  (AV:N/AC:L/Au:N/C:P/I:P/A:P) 
First Found 13 February 2010 Port 161/udp Last 6 Months
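The check behind this finding is simple to reproduce. The following is an added example, not code from the scan report or from Westpoint: it hand-encodes an SNMPv1 GetRequest for sysDescr.0 using only the standard library, sends it with each candidate community string and reports which ones the agent answers. The target address is the host from this report; the candidate list and the constructed GetResponse used for offline testing are assumptions.

```python
"""SNMPv1 community-string check (stdlib only). Added example, not part of the report."""
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)          # SNMPv2-MIB::sysDescr.0
# Constructed candidate list; extend it with the defaults your estate uses.
DEFAULT_COMMUNITIES = ["public", "private", "cisco", "manager"]

def _tlv(tag, body):
    """BER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(v):
    """BER INTEGER for a non-negative value (a leading 0x00 keeps it positive)."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _oid(arcs):
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)

def _read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv1 message: SEQ { version 0, community, GetRequest { id, 0, 0, varbinds } }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")      # OID + NULL placeholder value
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def build_get_response(community, value, oid=SYS_DESCR_0, request_id=1):
    """Constructed GetResponse; stands in for a real agent when testing offline."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def parse_get_response(packet):
    """Return (request_id, community, error_status, value) from a GetResponse."""
    tag, msg, _ = _read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = _read_tlv(msg)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu)
    _, err, p = _read_tlv(pdu, p)
    _, _index, p = _read_tlv(pdu, p)
    _, vblist, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vblist)
    _, _oid_body, p = _read_tlv(vb)
    _, value, _ = _read_tlv(vb, p)
    return (int.from_bytes(rid, "big"), community.decode(errors="replace"),
            int.from_bytes(err, "big"), value)

def try_communities(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=2.0):
    """Send sysDescr.0 GETs; return {community: sysDescr} for every string the agent accepts."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for rid, community in enumerate(communities, start=1):
            s.sendto(build_get_request(community, request_id=rid), (host, port))
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                continue            # SNMPv1 agents silently drop a request with a wrong community
            got_rid, _, err, value = parse_get_response(data)
            if got_rid == rid and err == 0:
                found[community] = value.decode(errors="replace")
    return found

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.110"   # host from the report
    for community, descr in try_communities(target).items():
        print(f"{target}: community {community!r} accepted, sysDescr={descr!r}")
```

A silent timeout is the normal answer to a wrong community in SNMPv1, so the absence of a reply proves nothing; only an accepted string is a finding. On the agent side, Net-SNMP's `rocommunity <unguessable string> 192.168.0.0/24` (management network assumed) limits a read-only string to a source range, and an SNMPv3 user (`createUser` plus `rouser`) with v1/v2c disabled removes community strings altogether; dropping 161/udp from untrusted sources at the firewall addresses finding 90027 above as well.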

Vulnerability 10595 DNS Zone Transfer   OVERDUE Medium Risk
Description This system is running a name server that allows DNS zone transfers to be performed. This information could be useful to an attacker trying to map your network. The configuration may be intentional, but it is usual practice to restrict zone transfers. Here is a sample of the data that can be extracted:
mailer2.example.com.  10800   IN      A       192.168.0.110
mailer3.example.com.  10800   IN      A       192.168.0.111
mailer4.example.com.  10800   IN      A       192.168.0.113
ntp0.example.com.     10800   IN      A       192.168.0.114
 
Solution Restrict zone transfers to trusted addresses, usually just your slave name servers (in BIND, the allow-transfer option). 
Category Hosting or infrastructure flaw.
References CVE-1999-0532   
Deadline 13 February 2010
First Found 13 March 2010 Port 53/tcp Last 6 Months
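Both name-server findings on this host (10605, the version banner, and 10595, the zone transfer) rest on two DNS queries that are easy to build by hand. The following is an added example, not code from the scan report or from Westpoint: it sends a version.bind TXT query in the CHAOS class over UDP, compares the banner against the 8.2.3 threshold the finding uses, and attempts an AXFR over TCP, classifying the reply by its response code. The target address is the host from this report; the zone name, the query IDs and the constructed reply used for offline testing are assumptions.

```python
"""version.bind and AXFR checks (stdlib only). Added example, not part of the report."""
import re
import socket
import struct

QTYPE_TXT, QTYPE_AXFR = 16, 252
QCLASS_IN, QCLASS_CHAOS = 1, 3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")   # "8.2.2-P6" -> 8, 2, 2

def build_query(qname, qtype, qclass, qid, flags=0x0100):
    """DNS header (RD set by default) plus a single question."""
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, qclass)

def parse_header(msg):
    """Return (id, rcode, qdcount, ancount) from a DNS message header."""
    qid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    return qid, flags & 0x0F, qdcount, ancount

def _skip_name(msg, pos):
    """Advance past a domain name, compressed (pointer) or not."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:          # compression pointer: two bytes, ends the name
            return pos + 2
        pos += n + 1

def parse_version_bind_txt(msg):
    """First TXT string in the answer section, or None if the server gave no usable answer."""
    _, rcode, qdcount, ancount = parse_header(msg)
    if rcode != 0 or ancount == 0:
        return None
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4              # skip QTYPE and QCLASS
    pos = _skip_name(msg, pos)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_TXT:
        return None
    rdata = msg[pos:pos + rdlen]
    return rdata[1:1 + rdata[0]].decode(errors="replace")  # <len><chars> character-string

def bind_version_vulnerable(banner, fixed=(8, 2, 3)):
    """True if the banner is a version below `fixed`, False if not, None if the banner
    is not a version at all (e.g. options { version "unknown"; }), i.e. inconclusive."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups()) < fixed

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_version_bind(host, timeout=3.0):
    """UDP query for version.bind TXT in the CHAOS class; returns the banner or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query("version.bind", QTYPE_TXT, QCLASS_CHAOS, 0x1234), (host, 53))
        data, _ = s.recvfrom(512)
    return parse_version_bind_txt(data)

def axfr_check(host, zone, timeout=5.0):
    """Attempt a zone transfer over TCP; return (rcode, ancount) of the first reply message."""
    q = build_query(zone, QTYPE_AXFR, QCLASS_IN, 0x4242)
    with socket.create_connection((host, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)          # TCP DNS is length-prefixed
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        msg = _recv_exact(s, length)
    _, rcode, _, ancount = parse_header(msg)
    return rcode, ancount

def classify_axfr(rcode, ancount):
    """A server that honours AXFR answers NOERROR with at least the SOA; a restricted one answers REFUSED (5)."""
    if rcode == 0 and ancount > 0:
        return "allowed"
    if rcode == 5:
        return "refused"
    return f"rcode {rcode}"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.110"   # host from the report
    zone = sys.argv[2] if len(sys.argv) > 2 else "example.com"       # assumed zone
    banner = query_version_bind(host)
    print(f"version.bind: {banner!r}, below 8.2.3: {bind_version_vulnerable(banner or '')}")
    print(f"AXFR {zone}: {classify_axfr(*axfr_check(host, zone))}")
```

In named.conf, `allow-transfer { <secondary addresses>; };` (in options or per zone) is what turns the AXFR result from "allowed" to "refused". Setting `version "..."` in options hides the banner and makes the version check inconclusive, but it does not remove the TSIG overrun; only the upgrade does that.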


Historical Information


Stoplisted Vulnerabilities for this Host: 1

Vulnerability 90001 Holes Detected in Firewall Configuration Low Risk
Description This system is protected by a firewall which blocks access to TCP ports in inconsistent ways. Incoming TCP connections to most ports are simply dropped, however some ports were discovered where the connection is actively refused, for example with a TCP RST. This often indicates a firewall configuration error, and commonly occurs when the configuration has not been altered in line with changing system configuration behind the firewall. For example when a service such as a mail server is removed, but the corresponding firewall rule is not.

The TCP ports which actively refuse connections are: 443, 10000 

Solution Reconfigure your firewall to drop (rather than reject) all packets to ports on which you are not running services, so that every unused port behaves the same way. 
Category Hosting or infrastructure flaw.
References Firewalls FAQ   
CVSS Score 2.6  (AV:N/AC:H/Au:N/C:P/I:N/A:N) 
First Found 13 March 2010 Port general/tcp Last 6 Months
Stopped By: manager@yourcompany.com     From: 12 March 2003     To: 12 March 2013
Reason None specified
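The pattern behind this finding, most ports silently dropped while a few answer with a RST, can be reproduced with a plain connect() scan. The following is an added example, not code from the scan report or from Westpoint: it classifies each TCP port as open, refused (a RST came back) or filtered (no answer) and then reports the refused ports only when the same host also drops probes, which is the inconsistency the finding describes. The target address is the host from this report; the port range and the constructed result set used for offline testing are assumptions.

```python
"""Classify how a host answers TCP connection attempts (stdlib only). Added example, not part of the report."""
import socket
from concurrent.futures import ThreadPoolExecutor

OPEN, REFUSED, FILTERED = "open", "refused", "filtered"

def classify_error(exc):
    """Map a connect() failure to the firewall behaviour behind it."""
    if isinstance(exc, ConnectionRefusedError):
        return REFUSED          # a RST came back: the host, or a REJECT rule, answered
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return FILTERED         # nothing came back: the packet was dropped
    return f"error:{exc.__class__.__name__}"

def probe(host, port, timeout=2.0):
    """Return OPEN, REFUSED or FILTERED (or an error label) for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except OSError as exc:
        return classify_error(exc)

def scan(host, ports, timeout=2.0, workers=64):
    """Probe many ports concurrently; return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))

def inconsistent_ports(results):
    """Ports that answered with a RST while the rest of the host drops probes.

    Returns [] when the firewall is consistent (everything dropped, or nothing
    dropped); otherwise the refused ports, which are what the finding lists."""
    refused = sorted(p for p, s in results.items() if s == REFUSED)
    dropped = any(s == FILTERED for s in results.values())
    return refused if dropped and refused else []

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.110"   # host from the report
    results = scan(host, range(1, 1025))                              # assumed port range
    print("open:", sorted(p for p, s in results.items() if s == OPEN))
    print("refused while other ports are dropped:", inconsistent_ports(results))
```

Run it from outside the firewall; from inside, every unused port will refuse and nothing will look inconsistent. On a Linux firewall the difference between the two behaviours is `-j DROP` versus `-j REJECT --reject-with tcp-reset` in iptables, so the fix is to make the default policy for unused ports DROP and remove the stale per-port rules (here 443 and 10000) that still let the host answer.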

Scans by Westpoint Ltd