Audit Report

Faux System

Audited on June 26 2012

Reported on June 26 2012

1 Executive Summary

This report represents a security audit performed by Hacker Vaccine. It contains confidential information about the state of your network. Access to this information by unauthorized personnel may allow them to compromise your network.

Site Name: Faux Systems
Start Time: June 26, 2012 13:01, CDT
End Time: June 26, 2012 13:45, CDT
Total Time: 44 minutes
Status: Success

There is not enough historical data to display overall asset trend.

The audit was performed on one system which was found to be active and was scanned.

Vulnerabilities by Severity

There were 6 vulnerabilities found during this scan. No critical vulnerabilities were found. Critical vulnerabilities require immediate attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 4 vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems. There were 2 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

Most Common Vulnerabilities

There was 1 occurrence each of the certificate-common-name-mismatch, ssl-weak-ciphers, sslv2-and-up-enabled, ssl-self-signed-certificate, generic-tcp-timestamp and http-generic-webdav-enabled vulnerabilities, making them the most common vulnerabilities.

Highest Risk Vulnerabilities

The certificate-common-name-mismatch vulnerability poses the highest risk to the organization with a risk score of 50. Vulnerability risk scores are calculated by looking at the likelihood of attack and impact, based upon CVSS metrics. The impact and likelihood are then multiplied by the number of instances of the vulnerability to come up with the final risk score.

One operating system was identified during this scan.

There were 3 services found to be running during this scan.

Most Common Services

The HTTPS and SSH services were each found on 1 system, making them the most common services.

2 Discovered Systems

Node: 87.230.87.158
Operating System: Linux 2.6.39
Risk: 2,718
Aliases:

  • testphp.vulnweb.com

3 Discovered and Potential Vulnerabilities

3.1 Critical Vulnerabilities

No critical vulnerabilities were reported.

3.2 Severe Vulnerabilities

3.2.1 X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)

Description:

The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.

Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by "https://www.example.com/", the CN should be "www.example.com".

To detect and prevent active eavesdropping, the client must verify the validity of the certificate; otherwise an attacker can mount a man-in-the-middle attack and gain full control of the data stream. Of particular importance is that the subject's CN (or, in current practice, a subjectAltName entry) matches the name of the entity the client connected to (the hostname).

A CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being conducted.

Affected Nodes:

Additional Information:

87.230.87.158:8443

The subject common name found in the X.509 certificate ('CN=lvps83-169-53-201.dedicated.hosteurope.de') does not seem to match the scan target 'testphp.vulnweb.com':

  • Subject CN 'lvps83-169-53-201.dedicated.hosteurope.de' does not match node name 'testphp.vulnweb.com'
  • Subject CN 'lvps83-169-53-201.dedicated.hosteurope.de' does not match DNS name '87.230.87.158'
  • Subject CN's resolved IP address 'lvps83-169-53-201.dedicated.hosteurope.de/83.169.53.201' differs from node IP address 'testphp.vulnweb.com/87.230.87.158'

References:

None

Vulnerability Solution:

The subject's common name (CN) field in the X.509 certificate should be corrected to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate, usually signed by a Certification Authority (CA) trusted by both the client and server. The new certificate should also list the hostname as a dNSName in the subjectAltName extension: RFC 6125 clients consult subjectAltName before the CN, and modern browsers ignore the CN entirely when checking the name. If the service is legitimately reached under several names (here both testphp.vulnweb.com and the name in the current certificate), list each of them as a subjectAltName entry.
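The name check the scanner applied above, as an added example (not the scanner's code and not part of the original report): RFC 6125-style hostname matching against a certificate's subject CN and subjectAltName entries, including the wildcard and IP-literal rules. Certificate fields are passed in as plain values rather than read from a parsed X.509 object, and the function and parameter names are this example's own.

```python
"""Hostname verification as a TLS client performs it (RFC 2818 / RFC 6125).

Added example for this report; not the scanner's code. Certificate fields
are passed as plain values: subject_cn is the subject CN string, san_dns and
san_ip the dNSName and iPAddress entries of subjectAltName. A real client
takes them from the parsed X.509 certificate.
"""
import ipaddress


def _match_dns_name(pattern, hostname):
    """Case-insensitive match of one dNSName/CN pattern against a hostname.

    A wildcard is accepted only as the entire left-most label and never
    matches across a dot: '*.example.com' matches 'www.example.com' but not
    'example.com' or 'a.b.example.com'. Bare '*' and '*.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(hostname, subject_cn, san_dns=(), san_ip=()):
    """Return (ok, reason) for the name the client actually connected to.

    Rules applied, in order:
    - an IP-literal target must appear among the iPAddress SANs; the CN is
      never used for IP addresses;
    - if the certificate has any dNSName SAN, only the SANs are consulted
      (RFC 6125 section 6.4.4); the CN is a fallback for SAN-less certs.
    """
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        for candidate in san_ip:
            if ipaddress.ip_address(candidate) == target_ip:
                return True, "matched iPAddress SAN %s" % candidate
        return False, "IP %s not among iPAddress SANs %s" % (hostname, list(san_ip))

    if san_dns:
        for name in san_dns:
            if _match_dns_name(name, hostname):
                return True, "matched dNSName SAN %s" % name
        return False, "no dNSName SAN matches %s (CN ignored when SANs exist)" % hostname

    if subject_cn and _match_dns_name(subject_cn, hostname):
        return True, "matched subject CN %s (certificate has no SAN)" % subject_cn
    return False, "subject CN %r does not match %s" % (subject_cn, hostname)


if __name__ == "__main__":
    # The report's case: scanned as testphp.vulnweb.com, certificate CN is a
    # different hostname. The finding compares the CN only, so no SAN is passed.
    print(verify_hostname("testphp.vulnweb.com",
                          "lvps83-169-53-201.dedicated.hosteurope.de"))
```

The IP-literal branch is why the scanner's second bullet ("does not match DNS name '87.230.87.158'") can never be satisfied by a CN: an IP address is only ever matched against iPAddress SAN entries.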

3.2.2 TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)

Description:

The TLS/SSL server supports cipher suites based on weak algorithms. An attacker who can observe, or downgrade a connection to, such a suite may be able to decrypt or tamper with sensitive data, including through man-in-the-middle attacks. In general, the following ciphers are considered weak:

  • So-called "null" ciphers, which do not encrypt data at all.
  • Export ciphers with secret key lengths restricted to 40 bits, usually indicated by EXP/EXPORT in the name of the cipher suite.
  • Obsolete encryption algorithms with secret key lengths considered short by today's standards, e.g. DES (56-bit keys) or the 56-bit RC4 variants.

Affected Nodes:

Additional Information:

87.230.87.158:8443

testphp.vulnweb.com/87.230.87.158:8443 negotiated the SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA cipher suite

References:

None

Vulnerability Solution:

Configure the server to disable support for weak ciphers.

For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 ( http://support.microsoft.com/kb/245030/ ) for instructions on disabling weak ciphers.

For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:

SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

This string removes anonymous (aNULL), null-encryption (eNULL), low-strength (LOW) and export (EXP) suites, which covers the DES40 export suite negotiated here. Note that it still permits RC4; RC4 has since been prohibited for TLS (RFC 7465), so a current configuration should also add !RC4 (and, where clients allow, !3DES and !MD5). Check the resulting list with openssl ciphers -v '<string>' before restarting Apache.

For other servers, refer to the respective vendor documentation to disable the weak ciphers.
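As an added example (not the scanner's code or the report's own), a classifier for cipher-suite names that implements the three weakness classes listed above and flags the suite negotiated on port 8443. It also flags RC4 and anonymous key exchange, which the report does not list; that extension follows RFC 7465 and current practice. Suite names use the SSL_/TLS_ naming style shown in the finding, and the function names and key-length table are this example's own.

```python
"""Classify cipher-suite names the way the ssl-weak-ciphers check does.

Added example, not part of the report or the scanner. Suite names are in the
SSL_/TLS_ style used in the finding (e.g. SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA).
The three classes the report lists (null, export, short key) are implemented
as described; flagging RC4 and anonymous key exchange as well is this
example's extension, following RFC 7465 and current practice.
"""

# Effective secret-key length, in bits, of the bulk ciphers seen in suite names.
KEY_BITS = {
    "CAMELLIA_128": 128, "CAMELLIA_256": 256,
    "RC2_CBC_40": 40,
    "3DES_EDE": 112,      # 168-bit key, about 112 bits of effective strength
    "AES_128": 128, "AES_256": 256,
    "RC4_128": 128, "RC4_40": 40, "RC4_56": 56,
    "DES40": 40,
    "NULL": 0, "IDEA": 128, "SEED": 128,
    "DES": 56,
}
# Longest tokens first, so that DES40 is tried before DES and RC4_128 before RC4_40.
_TOKENS = sorted(KEY_BITS, key=len, reverse=True)


def cipher_key_bits(suite):
    """Key length of the bulk cipher named after _WITH_, or None if unknown."""
    if "_WITH_" not in suite:
        return None
    bulk = suite.split("_WITH_", 1)[1]
    for token in _TOKENS:
        if bulk.startswith(token):
            return KEY_BITS[token]
    return None


def classify(suite):
    """Return the list of reasons a suite is weak (empty list = acceptable)."""
    reasons = []
    kx = suite.split("_WITH_", 1)[0]            # key-exchange / authentication part
    bits = cipher_key_bits(suite)
    if bits == 0:
        reasons.append("null cipher")
    if "EXPORT" in kx or "_EXP_" in suite:
        reasons.append("export suite")
    if bits is not None and 0 < bits < 112:
        reasons.append("short key (%d bits)" % bits)
    if "_RC4_" in suite:
        reasons.append("RC4")                      # extension: prohibited by RFC 7465
    if "ANON" in kx.upper():
        reasons.append("anonymous key exchange")   # extension: no server authentication
    return reasons


def weak_suites(suites):
    """Map each weak suite in an offered or negotiated list to its reasons."""
    return {s: classify(s) for s in suites if classify(s)}


if __name__ == "__main__":
    # The suite the report saw negotiated on 87.230.87.158:8443.
    print(weak_suites(["SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
                       "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]))
```

Run it over the list a server actually accepts (for example the suites enumerated by a scanner or by a client that offers one suite at a time) to get the same per-suite verdicts the finding above reports.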

3.2.3 TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)

Description:

Although the server accepts clients using TLS or SSLv3, it also accepts clients using SSLv2. SSLv2 is an obsolete version of the Secure Sockets Layer protocol. It suffers from a number of design flaws that allow attackers to capture and alter information passed between a client and the server, including the following weaknesses:

  • No protection against man-in-the-middle attacks during the handshake: the cipher list is not authenticated, so an attacker can force the weakest suite.
  • Weak MAC construction relying solely on the MD5 hash function.
  • Exportable cipher suites unnecessarily weaken the MACs as well as the encryption.
  • The same cryptographic key is used for message authentication and encryption.
  • Vulnerable to truncation attacks by forged TCP FIN packets, since there is no authenticated close.

SSLv2 has been deprecated (RFC 6176 prohibits its use) and is no longer recommended. Note that neither SSLv2 nor SSLv3 meets the U.S. FIPS 140-2 standard, which governs cryptographic modules for use in federal information systems; only the newer TLS (Transport Layer Security) protocol meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a host is deemed a failure by the PCI (Payment Card Industry) Data Security Standard.

Note that this vulnerability will be reported when the remote server supports SSLv2 regardless of whether TLS or SSLv3 are also supported.

Affected Nodes:

Additional Information:

87.230.87.158:8443

SSLv2 is supported

References:

URL: http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm
URL: https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf

Vulnerability Solution:

Configure the server to reject SSLv2 handshakes entirely. SSLv3 has since been broken as well (POODLE) and is deprecated by RFC 7568, so in practice the server should require TLS.

For Microsoft IIS web servers, see Microsoft Knowledgebase article Q187498 ( http://support.microsoft.com/?id=187498 ) for instructions on disabling SSL 2.0.

For Apache web servers with mod_ssl, the accepted protocol versions are controlled by the SSLProtocol directive; set it to

SSLProtocol all -SSLv2 -SSLv3

and additionally change the SSLCipherSuite line to read:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2

The ! (exclamation point) before SSLv2 removes the SSLv2 cipher suites from the list, which leaves an SSLv2 client nothing to negotiate; SSLProtocol is what refuses the protocol version outright, so use both. As in 3.2.2, the RC4 suites in this string should be excluded (!RC4) in a current configuration.
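As an added example (not the scanner's code), the hello exchange that a check like sslv2-and-up-enabled performs: build an SSLv2 CLIENT-HELLO, send it, and decide from the reply whether the server answered with an SSLv2 SERVER-HELLO. The SERVER-HELLO bytes embedded below are constructed by hand with a placeholder certificate so the parser can be exercised offline; probe_sslv2() is this example's own helper that runs the same logic on a live socket.

```python
"""Build an SSLv2 CLIENT-HELLO and parse a SERVER-HELLO to decide whether a
server still speaks SSLv2.

Added example, not from the report or the scanner. SAMPLE_SERVER_HELLO is
constructed (placeholder certificate bytes) so the block runs offline;
probe_sslv2() applies the same parser to a live connection.
"""
import os
import socket
import struct

SSLV2_VERSION = 0x0002
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# SSLv2 cipher kinds (3 bytes each). All use MD5 MACs; several are export grade.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_record(payload):
    """Two-byte SSLv2 record header: high bit set, low 15 bits = payload length."""
    assert len(payload) < 0x8000
    return struct.pack("!H", 0x8000 | len(payload)) + payload


def build_client_hello(challenge=None):
    """CLIENT-HELLO offering every SSLv2 cipher kind and no session id."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(specs), 0, len(challenge))
    return sslv2_record(body + specs + challenge)


def parse_server_hello(record):
    """Return (sslv2_supported, cipher_kind_names).

    A well-formed SERVER-HELLO means the server completed an SSLv2 hello. A
    TLS alert (first byte 0x15) or an empty/closed reply means it did not.
    """
    if len(record) < 2 or not record[0] & 0x80:
        return False, []
    length = struct.unpack("!H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return False, []
    (_, _session_hit, _cert_type, version,
     cert_len, specs_len, conn_len) = struct.unpack("!BBBHHHH", body[:11])
    if version != SSLV2_VERSION:
        return False, []
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown " + specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    return True, names


def probe_sslv2(host, port=443, timeout=5.0):
    """Live check (not exercised offline): send CLIENT-HELLO, parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        reply = s.recv(4096)
    return parse_server_hello(reply)


# Constructed SERVER-HELLO: no session hit, X.509 certificate type (1),
# version 2, a 4-byte placeholder "certificate", two cipher kinds, 16-byte
# connection id. Real servers send a full DER certificate here.
_CERT = b"\x30\x82\x00\x00"
_SPECS = b"\x01\x00\x80" + b"\x07\x00\xc0"
_CONN_ID = bytes(range(16))
SAMPLE_SERVER_HELLO = sslv2_record(
    struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                len(_CERT), len(_SPECS), len(_CONN_ID))
    + _CERT + _SPECS + _CONN_ID)

if __name__ == "__main__":
    print(parse_server_hello(SAMPLE_SERVER_HELLO))
```

A server that has SSLv2 disabled either closes the connection or answers the 0x80-prefixed hello with a TLS alert record, which the parser rejects on its first byte; only a genuine SERVER-HELLO produces a positive result, matching the "SSLv2 is supported" line above.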

3.2.4 Self-signed TLS/SSL certificate (ssl-self-signed-certificate)

Description:

The server's TLS/SSL certificate is self-signed. Self-signed certificates cannot be trusted by default, especially because TLS/SSL man-in-the-middle attacks typically use self-signed certificates to eavesdrop on TLS/SSL connections.

Affected Nodes:

Additional Information:

87.230.87.158:8443

TLS/SSL certificate is self-signed.

References:

None

Vulnerability Solution:

Obtain a new TLS/SSL server certificate that is NOT self-signed and install it on the server. The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you generate a key pair and a certificate signing request (CSR) whose CN and subjectAltName list the hostnames clients will use (which also resolves 3.2.1), and submit the CSR to a Certificate Authority (CA) for processing. Your organization may have its own internal Certificate Authority; if so, its root must be present in the trust store of every client that connects. Otherwise you may have to pay for a certificate from an external Certificate Authority trusted by the clients' browsers and libraries, such as Thawte ( http://www.thawte.com ) or Verisign ( http://www.verisign.com ) .

3.3 Moderate Vulnerabilities

3.3.1 TCP timestamp response (generic-tcp-timestamp)

Description:

The remote host responded with a TCP timestamp option. Because most TCP stacks start the timestamp clock at or near zero at boot and increment it at a fixed rate, the timestamp value can be used to approximate the remote host's uptime and therefore its last reboot (for example, whether it has rebooted since a kernel update), potentially aiding further attacks. Additionally, some operating systems can be fingerprinted from the behavior of their TCP timestamps, such as the tick rate.
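How the apparent boot time below is derived, as an added example (not the scanner's code): the TSval carried in the TCP timestamp option is divided by the stack's tick rate to obtain uptime, and the tick rate is estimated from two samples taken a known interval apart. The samples are constructed for this example to reproduce the report's figure (boot at 2012-06-23 00:31:30 UTC, i.e. Fri Jun 22 19:31:30 CDT); the function names are this example's own.

```python
"""Estimate a host's boot time from TCP timestamp values (generic-tcp-timestamp).

Added example, not the scanner's code. Each sample is (capture time as Unix
epoch seconds, TSval from the TCP timestamp option of a packet the host sent).
Most stacks start TSval at or near zero at boot and increment it at a fixed
rate (HZ), so uptime = TSval / HZ and boot time = capture time - uptime. The
samples below are constructed to reproduce the report's figure.
"""
from datetime import datetime, timezone

COMMON_HZ = (100, 250, 300, 1000)   # tick rates used by common kernels


def estimate_hz(samples):
    """Ticks per second from the first and last sample, snapped to the nearest
    common rate because the raw ratio is noisy over short intervals."""
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must be spread over time")
    raw = ((ts1 - ts0) & 0xFFFFFFFF) / (t1 - t0)   # TSval is a 32-bit counter
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw))


def apparent_boot_time(samples, hz=None):
    """Return (boot time as an aware UTC datetime, uptime in seconds).

    Only meaningful when the counter started at zero at boot. A stack that
    randomises the per-connection offset (e.g. Linux 4.10+ with
    tcp_timestamps=1) yields a nonsense value, which is the intended defence.
    """
    hz = hz or estimate_hz(samples)
    t_last, ts_last = samples[-1]
    uptime = ts_last / hz
    return datetime.fromtimestamp(t_last - uptime, tz=timezone.utc), uptime


def boot_time_iso(samples, hz=None):
    """apparent_boot_time() formatted like the report's line, in UTC."""
    boot, _ = apparent_boot_time(samples, hz)
    return boot.strftime("%Y-%m-%d %H:%M:%S UTC")


# Constructed samples: two packets captured 10 s apart starting 2012-06-26
# 18:01:00 UTC (13:01 CDT, the scan start), TSval increasing at 250 Hz.
_T0 = datetime(2012, 6, 26, 18, 1, 0, tzinfo=timezone.utc).timestamp()
SAMPLES = [(_T0, 80_542_500), (_T0 + 10, 80_545_000)]

if __name__ == "__main__":
    print("HZ:", estimate_hz(SAMPLES))
    print("Apparent system boot time:", boot_time_iso(SAMPLES))
```

Two samples are the minimum; a scanner takes several over a longer window so that the rate estimate is stable and a wrap of the 32-bit counter can be detected.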

Affected Nodes:

Additional Information:

87.230.87.158

Apparent system boot time: Fri Jun 22 19:31:30 CDT 2012

References:

URL: http://www.forensicswiki.org/wiki/TCP_timestamps
URL: http://www.ietf.org/rfc/rfc1323.txt
URL: http://uptime.netcraft.com

Vulnerability Solution:

  • Cisco

    Disable TCP timestamp responses on Cisco

    Run the following command to disable TCP timestamps:

          no ip tcp timestamp
        

  • FreeBSD

    Disable TCP timestamp responses on FreeBSD

    Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

          sysctl -w net.inet.tcp.rfc1323=0
        

    Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

          net.inet.tcp.rfc1323=0

    Note that this sysctl controls both RFC 1323 extensions, so setting it to 0 also disables TCP window scaling, which reduces throughput on high-bandwidth or high-latency paths.
        

  • Linux

    Disable TCP timestamp responses on Linux

    Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:

          sysctl -w net.ipv4.tcp_timestamps=0
        

    Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

          net.ipv4.tcp_timestamps=0

    Note that turning timestamps off also disables PAWS and accurate round-trip-time measurement (RFC 7323). Kernels from 4.10 onward interpret the value 1 (the default) as timestamps with a randomised per-connection offset and 2 as timestamps without the random offset; with the default, the timestamp no longer reveals uptime, so disabling the option is only needed on older kernels such as the 2.6.39 identified here.
        

  • OpenBSD

    Disable TCP timestamp responses on OpenBSD

    Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

          sysctl -w net.inet.tcp.rfc1323=0
        

    Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

          net.inet.tcp.rfc1323=0

    As on FreeBSD, this sysctl controls both RFC 1323 extensions, so setting it to 0 also disables TCP window scaling.
        

  • Microsoft Windows

    Disable TCP timestamp responses on Windows

    Set the Tcp1323Opts DWORD value in the following key to 1. The value is a bit mask (bit 0 = window scaling, bit 1 = timestamps), so 1 keeps window scaling enabled while turning timestamps off; a reboot is required for the change to take effect:

          HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
        

3.3.2 WebDAV Extensions are Enabled (http-generic-webdav-enabled)

Description:

WebDAV is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote web servers. Many web servers enable WebDAV extensions by default, even when they are not needed. Because of its added complexity, it is considered good practice to disable WebDAV if it is not currently in use.
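The probe behind a WebDAV finding, as an added example (not the scanner's code): send an OPTIONS request and look for a DAV: header or WebDAV methods in the Allow: header. The response bytes below are constructed for this example (the report shows only the server banner "Apache"), and probe_webdav() is a helper of this example that runs the same parser against a live server.

```python
"""Detect WebDAV on an HTTP(S) service the way http-generic-webdav-enabled
does: send OPTIONS and inspect the DAV and Allow response headers.

Added example, not from the report or the scanner. SAMPLE_RESPONSE and
NO_DAV_RESPONSE are constructed; probe_webdav() uses only the standard
library to fetch a real response.
"""
import http.client
import ssl

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_options_response(raw):
    """Parse a raw HTTP response and report whether WebDAV is enabled.

    WebDAV is considered on if a DAV: header is present (RFC 4918, section
    10.1) or if Allow: lists any WebDAV method. Returns a dict with the
    status code, the server banner, DAV compliance classes and methods.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1]) if len(lines[0].split()) > 1 else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    dav_classes = [c.strip() for v in headers.get("dav", []) for c in v.split(",")]
    allowed = {m.strip().upper() for v in headers.get("allow", []) for m in v.split(",")}
    dav_methods = sorted(allowed & WEBDAV_METHODS)
    return {
        "status": status,
        "server": headers.get("server", [""])[0],
        "dav_classes": dav_classes,
        "dav_methods": dav_methods,
        "webdav": bool(dav_classes or dav_methods),
    }


def probe_webdav(host, port=443, path="/", use_tls=True, timeout=5.0):
    """Live OPTIONS probe (not exercised offline). Certificate verification is
    disabled because a scanner must still probe hosts whose certificates fail
    validation, as this one does; never do this in a client that trusts the
    response."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    raw = ("HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
           + "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
           + "\r\n").encode("iso-8859-1")
    conn.close()
    return parse_options_response(raw)


# Constructed OPTIONS reply from an Apache with mod_dav enabled.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 26 Jun 2012 18:05:12 GMT\r\n"
    b"Server: Apache\r\n"
    b"DAV: 1,2\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n")

# Constructed reply from the same server after mod_dav is disabled.
NO_DAV_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Allow: OPTIONS,GET,HEAD,POST,TRACE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n")

if __name__ == "__main__":
    print(parse_options_response(SAMPLE_RESPONSE))
```

Re-running the probe after applying the solution below is the simplest way to confirm the fix: the DAV: header disappears and PROPFIND and friends drop out of Allow:.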

Affected Nodes:

Additional Information:

87.230.87.158:8443

Running vulnerable HTTPS service: Apache.

References:

None

Vulnerability Solution:

  • IIS, PWS, Microsoft-IIS, Internet Information Services, Microsoft-PWS

    Disable WebDAV for IIS

    For Microsoft IIS, follow Microsoft's instructions ( http://support.microsoft.com/default.aspx?kbid=241520 ) to disable WebDAV for the entire server.

  • Apache

    Disable WebDAV for Apache

    Make sure the mod_dav module (and its backend, mod_dav_fs) is not loaded, for example by removing or commenting out its LoadModule line, or on Debian-style layouts with a2dismod dav dav_fs. Where DAV is genuinely required, keep it enabled only inside <Directory> or <Location> blocks that require authentication, and set Dav Off everywhere else.

  • Apache Tomcat, Tomcat, Tomcat Web Server

    Disable WebDAV for Apache Tomcat

    Disable the WebDAV Servlet for all web applications found on the web server. This can be done by removing the servlet definition for WebDAV (the org.apache.catalina.servlets.WebdavServlet class) and removing all servlet mappings that refer to the WebDAV servlet.

  • Java System Web Server, iPlanet, SunONE WebServer, Sun-ONE-Web-Server

    Disable WebDAV for iPlanet/Sun ONE

    Disable WebDAV on the web server. This can be done by disabling WebDAV for the server instance and for all virtual servers.

    To disable WebDAV for the server instance, enter the Server Manager and uncheck the "Enable WebDAV Globally" checkbox then click the "OK" button.

    To disable WebDAV for each virtual server, enter the Class Manager and uncheck the "Enable WebDAV Globally" checkbox next to each server instance then click the "OK" button.

4 Discovered Services

4.1 <unknown>

4.1.1 Discovered Instances of this Service

Device: 87.230.87.158
Protocol: tcp
Port: 80
Vulnerabilities: 0
Additional Information: none

4.2 HTTPS

HTTPS, the HyperText Transfer Protocol over TLS/SSL, is used to exchange multimedia content on the World Wide Web using encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard HTTP protocol is used. The multimedia files commonly used with HTTP include text, sound, images and video.

4.2.1 Discovered Instances of this Service

Device: 87.230.87.158
Protocol: tcp
Port: 8443
Vulnerabilities: 3
Additional Information:

  • Apache
  • WebDAV:
  • http.banner: Apache
  • http.banner.server: Apache
  • ssl: true
  • ssl.cert.issuer.dn: ST=VA, C=US, L=Herndon, EMAILADDRESS=info@parallels.com, OU=Herndon, O="Parallels, Inc.", CN=lvps83-169-53-201.dedicated.hosteurope.de
  • ssl.cert.key.alg.name: RSA
  • ssl.cert.key.rsa.modulusBits: 2048
  • ssl.cert.not.valid.after: Tue, 25 Jun 2013 05:30:23 CDT
  • ssl.cert.not.valid.before: Mon, 25 Jun 2012 05:30:23 CDT
  • ssl.cert.selfsigned: true
  • ssl.cert.serial.number: 17582204596996349069
  • ssl.cert.sig.alg.name: SHA1withRSA
  • ssl.cert.subject.dn: ST=VA, C=US, L=Herndon, EMAILADDRESS=info@parallels.com, OU=Herndon, O="Parallels, Inc.", CN=lvps83-169-53-201.dedicated.hosteurope.de
  • ssl.cert.validsignature: true
  • ssl.version.ssl20: true

4.3 SSH

SSH, or Secure SHell, is designed to be a replacement for the aging Telnet protocol. It provides what Telnet lacks: encryption and data integrity for the session, and stronger authentication mechanisms such as public key authentication.

4.3.1 Discovered Instances of this Service

Device: 87.230.87.158
Protocol: tcp
Port: 22
Vulnerabilities: 0
Additional Information: none

5 Discovered Users and Groups

No user or group information was discovered during the scan.

6 Discovered Databases

No database information was discovered during the scan.

7 Discovered Files and Directories

No file or directory information was discovered during the scan.

8 Policy Evaluations

No policy evaluations were performed.

9 Spidered Web Sites

No web sites were spidered during the scan.