Tls ssl server supports rc4 cipher algorithms cve 2013 2566

Scan Report

April 7, 2020

Summary

This document reports on the results of an automatic security scan. All dates are dis-

played using the timezone �Coordinated Universal Time�, which is abbreviated �UTC�. The

task was �Immediate scan of IP 192.168.1.99�. The scan started at Tue Apr 7 02:57:18 2020

UTC and ended at . The report ˝rst summarises the results found. Then, for each host,

the report describes every issue found. Please consider the advice given in each description,

in order to rectify the issue.

Contents

1 Result Overview 2

2 Results per Host 2

2.1 192.168.1.99 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.1.1 High 80/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.1.2 High general/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.1.3 Medium 80/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.1.4 Medium 21/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

2.1.5 Medium 22/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.1.6 Medium 6667/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

2.1.7 Medium 5432/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

2.1.8 Low 80/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

2.1.9 Low 22/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.1.10 Low general/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

1

2 RESULTS PER HOST 2

1 Result Overview

Host High Medium Low Log False Positive

192.168.1.99 4 19 3 0 0

Total: 1 4 19 3 0 0

Vendor security updates are not trusted. Overrides are on. When a result has an override, this report uses the threat of the override. Information on overrides is included in the report. Notes are included in the report. This report might not show details of all issues that were found. It only lists hosts that produced issues. Issues with the threat level �Log� are not shown. Issues with the threat level �Debug� are not shown. Issues with the threat level �False Positive� are not shown. Only results with a minimum QoD of 70 are shown.

This report contains all 26 results selected by the ˝ltering described above. Before ˝ltering there were 302 results.

2 Results per Host

2.1 192.168.1.99

Host scan start Tue Apr 7 02:57:38 2020 UTC Host scan end

Service (Port) Threat Level

80/tcp High general/tcp High 80/tcp Medium 21/tcp Medium 22/tcp Medium 6667/tcp Medium 5432/tcp Medium 80/tcp Low 22/tcp Low general/tcp Low

2.1.1 High 80/tcp

. . . continues on next page . . .

http:192.168.1.99
2 RESULTS PER HOST 3

. . . continued from previous page . . .

High (CVSS: 10.0) NVT: TWiki XSS and Command Execution Vulnerabilities

Summary The host is running TWiki and is prone to Cross-Site Scripting (XSS) and Command Execution Vulnerabilities.

Vulnerability Detection Result Installed version: 01.Feb.2003 Fixed version: 4.2.4

Impact Successful exploitation could allow execution of arbitrary script code or commands. This could let attackers steal cookie-based authentication credentials or compromise the a˙ected application.

Solution Solution type: VendorFix Upgrade to version 4.2.4 or later.

A˙ected Software/OS TWiki, TWiki version prior to 4.2.4.

Vulnerability Insight The ˛aws are due to, - %URLPARAM}}% variable is not properly sanitized which lets attackers conduct cross-site scripting attack. - %SEARCH}}% variable is not properly sanitised before being used in an eval() call which lets the attackers execute perl code through eval injection attack.

Vulnerability Detection Method Details: TWiki XSS and Command Execution Vulnerabilities OID:1.3.6.1.4.1.25623.1.0.800320 Version used: $Revision: 12952 $

References CVE: CVE-2008-5304, CVE-2008-5305 BID:32668, 32669 Other:

URL:http://twiki.org/cgi-bin/view/Codev.SecurityAlert-CVE-2008-5304 URL:http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2008-5305

High (CVSS: 7.5) NVT: phpinfo() output Reporting

Summary . . . continues on next page . . .

2 RESULTS PER HOST 4

. . . continued from previous page . . . Many PHP installation tutorials instruct the user to create a ˝le called phpinfo.php or similar containing the phpinfo() statement. Such a ˝le is often left back in the webserver directory.

Vulnerability Detection Result The following files are calling the function phpinfo() which disclose potentiall ,→y sensitive information: http://192.168.1.99/mutillidae/phpinfo.php http://192.168.1.99/phpinfo.php

Impact Some of the information that can be gathered from this ˝le includes: The username of the user running the PHP process, if it is a sudo user, the IP address of the host, the web server version, the system version (Unix, Linux, Windows, ...), and the root directory of the web server.

Solution Solution type: Workaround Delete the listed ˝les or restrict access to them.

Vulnerability Detection Method Details: phpinfo() output Reporting OID:1.3.6.1.4.1.25623.1.0.11229 Version used: $Revision: 11992 $

High (CVSS: 7.5) NVT: Tiki Wiki CMS Groupware < 4.2 Multiple Unspeci˝ed Vulnerabilities

Summary Tiki Wiki CMS Groupware is prone to multiple unspeci˝ed vulnerabilities, including: - An unspeci˝ed SQL-injection vulnerability - An unspeci˝ed authentication-bypass vulnerability - An unspeci˝ed vulnerability

Vulnerability Detection Result Installed version: 1.9.5 Fixed version: 4.2

Impact Exploiting these issues could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and gain unauthorized access to the a˙ected application. Other attacks are also possible.

Solution Solution type: VendorFix The vendor has released an advisory and ˝xes. Please see the references for details.

. . . continues on next page . . .

2 RESULTS PER HOST 5

. . . continued from previous page . . . A˙ected Software/OS Versions prior to Tiki Wiki CMS Groupware 4.2 are vulnerable.

Vulnerability Detection Method Details: Tiki Wiki CMS Groupware < 4.2 Multiple Unspecified Vulnerabilities OID:1.3.6.1.4.1.25623.1.0.100537 Version used: $Revision: 13960 $

References CVE: CVE-2010-1135, CVE-2010-1134, CVE-2010-1133, CVE-2010-1136 BID:38608 Other:

URL:http://www.securityfocus.com/bid/38608 URL:http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=247

,→34 URL:http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=250

,→46 URL:http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=254

,→24 URL:http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=254

,→35 URL:http://info.tikiwiki.org/article86-Tiki-Announces-3-5-and-4-2-Releases URL:http://info.tikiwiki.org/tiki-index.php?page=homepage

[ return to 192.168.1.99 ]

2.1.2 High general/tcp

High (CVSS: 10.0) NVT: OS End Of Life Detection

Summary OS End Of Life Detection The Operating System on the remote host has reached the end of life and should not be used anymore.

Vulnerability Detection Result The "Ubuntu" Operating System on the remote host has reached the end of life. CPE: cpe:/o:canonical:ubuntu_linux:8.04 Installed version, build or SP: 8.04 EOL date: 2013-05-09 EOL info: https://wiki.ubuntu.com/Releases

Solution Solution type: Mitigation

. . . continues on next page . . .

-

2 RESULTS PER HOST 6

. . . continued from previous page . . .

Vulnerability Detection Method Details: OS End Of Life Detection OID:1.3.6.1.4.1.25623.1.0.103674 Version used: $Revision: 8927 $

[ return to 192.168.1.99 ]

2.1.3 Medium 80/tcp

Medium (CVSS: 6.8) NVT: TWiki Cross-Site Request Forgery Vulnerability Sep10

Summary The host is running TWiki and is prone to Cross-Site Request Forgery vulnerability.

Vulnerability Detection Result Installed version: 01.Feb.2003 Fixed version: 4.3.2

Impact Successful exploitation will allow attacker to gain administrative privileges on the target appli- cation and can cause CSRF attack.

Solution Solution type: VendorFix Upgrade to TWiki version 4.3.2 or later.

A˙ected Software/OS TWiki version prior to 4.3.2

Vulnerability Insight Attack can be done by tricking an authenticated TWiki user into visiting a static HTML page on another side, where a Javascript enabled browser will send an HTTP POST request to TWiki, which in turn will process the request as the TWiki user.

Vulnerability Detection Method Details: TWiki Cross-Site Request Forgery Vulnerability - Sep10 OID:1.3.6.1.4.1.25623.1.0.801281 Version used: $Revision: 12952 $

References CVE: CVE-2009-4898 Other:

URL:http://www.openwall.com/lists/oss-security/2010/08/03/8 URL:http://www.openwall.com/lists/oss-security/2010/08/02/17

. . . continues on next page . . .

2 RESULTS PER HOST 7

. . . continued from previous page . . . URL:http://twiki.org/cgi-bin/view/Codev/SecurityAuditTokenBasedCsrfFix URL:http://twiki.org/cgi-bin/view/Codev/DownloadTWiki

Medium (CVSS: 6.5) NVT: Tiki Wiki CMS Groupware < 17.2 SQL Injection Vulnerability

Summary In Tiki the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.

Vulnerability Detection Result Installed version: 1.9.5 Fixed version: 17.2

Solution Solution type: VendorFix Upgrade to version 17.2 or later.

A˙ected Software/OS Tiki Wiki CMS Groupware prior to version 17.2.

Vulnerability Detection Method Checks if a vulnerable version is present on the target host. Details: Tiki Wiki CMS Groupware < 17.2 SQL Injection Vulnerability OID:1.3.6.1.4.1.25623.1.0.141885 Version used: $Revision: 13115 $

References CVE: CVE-2018-20719 Other:

URL:https://blog.ripstech.com/2018/scan-verify-patch-security-issues-in-minute ,→s/

Medium (CVSS: 6.0) NVT: TWiki Cross-Site Request Forgery Vulnerability

Summary The host is running TWiki and is prone to Cross-Site Request Forgery Vulnerability.

Vulnerability Detection Result Installed version: 01.Feb.2003 Fixed version: 4.3.1

Impact . . . continues on next page . . .

2 RESULTS PER HOST 8

. . . continued from previous page . . . Successful exploitation will allow attacker to gain administrative privileges on the target appli- cation and can cause CSRF attack.

Solution Solution type: VendorFix Upgrade to version 4.3.1 or later.

A˙ected Software/OS TWiki version prior to 4.3.1

Vulnerability Insight Remote authenticated user can create a specially crafted image tag that, when viewed by the target user, will update pages on the target system with the privileges of the target user via HTTP requests.

Vulnerability Detection Method Details: TWiki Cross-Site Request Forgery Vulnerability OID:1.3.6.1.4.1.25623.1.0.800400 Version used: $Revision: 12952 $

References CVE: CVE-2009-1339 Other:

URL:http://secunia.com/advisories/34880 URL:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526258 URL:http://twiki.org/p/pub/Codev/SecurityAlert-CVE-2009-1339/TWiki-4.3.0-c-di

,→ff-cve-2009-1339.txt

Medium (CVSS: 5.8) NVT: HTTP Debugging Methods (TRACE/TRACK) Enabled

Summary Debugging functions are enabled on the remote web server. The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

Vulnerability Detection Result The web server has the following HTTP methods enabled: TRACE

Impact An attacker may use this ˛aw to trick your legitimate web users to give him their credentials.

Solution Solution type: Mitigation Disable the TRACE and TRACK methods in your web server con˝guration. Please see the manual of your web server or the references for more information.

. . . continues on next page . . .

2 RESULTS PER HOST 9

. . . continued from previous page . . .

A˙ected Software/OS Web servers with enabled TRACE and/or TRACK methods.

Vulnerability Insight It has been shown that web servers supporting this methods are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses in browsers.

Vulnerability Detection Method Details: HTTP Debugging Methods (TRACE/TRACK) Enabled OID:1.3.6.1.4.1.25623.1.0.11213 Version used: $Revision: 10828 $

References CVE: CVE-2003-1567, CVE-2004-2320, CVE-2004-2763, CVE-2005-3398, CVE-2006-4683, ,→CVE-2007-3008, CVE-2008-7253, CVE-2009-2823, CVE-2010-0386, CVE-2012-2223, CVE ,→-2014-7883 BID:9506, 9561, 11604, 15222, 19915, 24456, 33374, 36956, 36990, 37995 Other:

URL:http://www.kb.cert.org/vuls/id/288308 URL:http://www.kb.cert.org/vuls/id/867593 URL:http://httpd.apache.org/docs/current/de/mod/core.html#traceenable URL:https://www.owasp.org/index.php/Cross_Site_Tracing

Medium (CVSS: 5.0) NVT: Tiki Wiki CMS Groupware Input Sanitation Weakness Vulnerability

Summary The host is installed with Tiki Wiki CMS Groupware and is prone to input sanitation weakness vulnerability.

Vulnerability Detection Result Installed version: 1.9.5 Fixed version: 2.2

Impact Successful exploitation could allow arbitrary code execution in the context of an a˙ected site.

Solution Solution type: VendorFix Upgrade to version 2.2 or later.

A˙ected Software/OS Tiki Wiki CMS Groupware version prior to 2.2 on all running platform

. . . continues on next page . . .

2 RESULTS PER HOST 10

. . . continued from previous page . . . Vulnerability Insight The vulnerability is due to input validation error in tiki-error.php which fails to sanitise before being returned to the user.

Vulnerability Detection Method Details: Tiki Wiki CMS Groupware Input Sanitation Weakness Vulnerability OID:1.3.6.1.4.1.25623.1.0.800315 Version used: $Revision: 14010 $

References CVE: CVE-2008-5318, CVE-2008-5319 Other:

URL:http://secunia.com/advisories/32341 URL:http://info.tikiwiki.org/tiki-read_article.php?articleId=41

Medium (CVSS: 5.0) NVT: /doc directory browsable

Summary The /doc directory is browsable. /doc shows the content of the /usr/doc directory and therefore it shows which programs and - important! - the version of the installed programs.

Vulnerability Detection Result Vulnerable url: http://192.168.1.99/doc/

Solution Solution type: Mitigation Use access restrictions for the /doc directory. If you use Apache you might use this in your access.conf: AllowOverride None order deny, allow deny from all allow from localhost

Vulnerability Detection Method Details: /doc directory browsable OID:1.3.6.1.4.1.25623.1.0.10056 Version used: $Revision: 14336 $

References CVE: CVE-1999-0678 BID:318

Medium (CVSS: 5.0) NVT: Tiki Wiki CMS Groupware '˝xedURLData' Local File Inclusion Vulnerability

Summary . . . continues on next page . . .

2 RESULTS PER HOST 11

. . . continued from previous page . . . The host is installed with Tiki Wiki CMS Groupware and is prone to a local ˝le inclusion vulnerability.

Vulnerability Detection Result Installed version: 1.9.5 Fixed version: 12.11

Impact Successful exploitation will allow an user having access to the admin backend to gain access to arbitrary ˝les and to compromise the application.

Solution Solution type: VendorFix Upgrade to Tiki Wiki CMS Groupware version 12.11 LTS, 15.4 or later.

A˙ected Software/OS Tiki Wiki CMS Groupware versions: - below 12.11 LTS - 13.x, 14.x and 15.x below 15.4

Vulnerability Insight The Flaw is due to improper sanitization of input passed to the '˝xedURLData' parameter of the 'display_banner.php' script.

Vulnerability Detection Method Checks if a vulnerable version is present on the target host. Details: Tiki Wiki CMS Groupware 'fixedURLData' Local File Inclusion Vulnerability OID:1.3.6.1.4.1.25623.1.0.108064 Version used: 2019-05-10T14:24:23+0000

References CVE: CVE-2016-10143 Other:

URL:http://tiki.org/article445-Security-updates-Tiki-16-2-15-4-and-Tiki-12-11-

,→released URL:https://sourceforge.net/p/tikiwiki/code/60308/ URL:https://tiki.org

Medium (CVSS: 4.8) NVT: Cleartext Transmission of Sensitive Information via HTTP

Summary The host / application transmits sensitive information (username, passwords) in cleartext via HTTP.

Vulnerability Detection Result . . . continues on next page . . .

2 RESULTS PER HOST 12

. . . continued from previous page . . . The following input fields where identified (URL:input name): http://192.168.1.99/phpMyAdmin/:pma_password http://192.168.1.99/phpMyAdmin/?D=A:pma_password http://192.168.1.99/tikiwiki/tiki-install.php:pass http://192.168.1.99/twiki/bin/view/TWiki/TWikiUserAuthentication:oldpassword

Impact An attacker could use this situation to compromise or eavesdrop on the HTTP communication between the client and the server using a man-in-the-middle attack to get access to sensitive data like usernames or passwords.

Solution Solution type: Workaround Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally make sure the host / application is redirecting all users to the secured SSL/TLS connection before allowing to input sensitive data into the mentioned functions.

A˙ected Software/OS Hosts / applications which doesn't enforce the transmission of sensitive data via an encrypted SSL/TLS connection.

Vulnerability Detection Method Evaluate previous collected information and check if the host / application is not enforcing the transmission of sensitive data via an encrypted SSL/TLS connection. The script is currently checking the following: - HTTP Basic Authentication (Basic Auth) - HTTP Forms (e.g. Login) with input ˝eld of type 'password' Details: Cleartext Transmission of Sensitive Information via HTTP OID:1.3.6.1.4.1.25623.1.0.108440 Version used: $Revision: 10726 $

References Other:

URL:https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_S ,→ession_Management

URL:https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure URL:https://cwe.mitre.org/data/definitions/319.html

Medium (CVSS: 4.3) NVT: TWiki < 6.1.0 XSS Vulnerability

Summary bin/statistics in TWiki 6.0.2 allows XSS via the webs parameter.

Vulnerability Detection Result Installed version: 01.Feb.2003 . . . continues on next page . . .

2 RESULTS PER HOST 13

. . . continued from previous page . . . Fixed version: 6.1.0

Solution Solution type: VendorFix Update to version 6.1.0 or later.

A˙ected Software/OS TWiki version 6.0.2 and probably prior.

Vulnerability Detection Method Checks if a vulnerable version is present on the target host. Details: TWiki < 6.1.0 XSS Vulnerability OID:1.3.6.1.4.1.25623.1.0.141830 Version used: 2019-03-26T08:16:24+0000

References CVE: CVE-2018-20212 Other:

URL:https://seclists.org/fulldisclosure/2019/Jan/7 URL:http://twiki.org/cgi-bin/view/Codev/DownloadTWiki

[ return to 192.168.1.99 ]

2.1.4 Medium 21/tcp

Medium (CVSS: 6.4) NVT: Anonymous FTP Login Reporting

Summary Reports if the remote FTP Server allows anonymous logins.

Vulnerability Detection Result It was possible to login to the remote FTP service with the following anonymous ,→account(s): anonymous:anonymous@example.com ftp:anonymous@example.com

Impact Based on the ˝les accessible via this anonymous FTP login and the permissions of this account an attacker might be able to: - gain access to sensitive ˝les - upload or delete ˝les.

Solution Solution type: Mitigation If you do not want to share ˝les, you should disable anonymous logins.

. . . continues on next page . . .

2 RESULTS PER HOST 14

. . . continued from previous page . . .

Vulnerability Insight A host that provides an FTP service may additionally provide Anonymous FTP access as well. Under this arrangement, users do not strictly need an account on the host. Instead the user typically enters 'anonymous' or 'ftp' when prompted for username. Although users are commonly asked to send their email address as their password, little to no veri˝cation is actually performed on the supplied data.

Vulnerability Detection Method Details: Anonymous FTP Login Reporting OID:1.3.6.1.4.1.25623.1.0.900600 Version used: $Revision: 12030 $

References Other:

URL:https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0497

Medium (CVSS: 4.8) NVT: FTP Unencrypted Cleartext Login

Summary The remote host is running a FTP service that allows cleartext logins over unencrypted connec- tions.

Vulnerability Detection Result The remote FTP service accepts logins without a previous sent 'AUTH TLS' command ,→. Response(s): Anonymous sessions: 331 Please specify the password. Non-anonymous sessions: 331 Please specify the password.

Impact An attacker can uncover login names and passwords by sni°ng tra°c to the FTP service.

Solution Solution type: Mitigation Enable FTPS or enforce the connection via the 'AUTH TLS' command. Please see the manual of the FTP service for more information.

Vulnerability Detection Method Tries to login to a non FTPS enabled FTP service without sending a 'AUTH TLS' command ˝rst and checks if the service is accepting the login without enforcing the use of the 'AUTH TLS' command. Details: FTP Unencrypted Cleartext Login OID:1.3.6.1.4.1.25623.1.0.108528 Version used: $Revision: 13611 $

2 RESULTS PER HOST 15

[ return to 192.168.1.99 ]

2.1.5 Medium 22/tcp

Medium (CVSS: 4.3) NVT: SSH Weak Encryption Algorithms Supported

Summary The remote SSH server is con˝gured to allow weak encryption algorithms.

Vulnerability Detection Result The following weak client-to-server encryption algorithms are supported by the r ,→emote service: 3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se The following weak server-to-client encryption algorithms are supported by the r ,→emote service: 3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se

Solution Solution type: Mitigation Disable the weak encryption algorithms.

Vulnerability Insight The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak keys, and should not be used anymore. The `none` algorithm speci˝es that no encryption is to be done. Note that this method provides no con˝dentiality protection, and it is NOT RECOMMENDED to use it. . . . continues on next page . . .

2 RESULTS PER HOST 16

. . . continued from previous page . . . A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.

Vulnerability Detection Method Check if remote ssh service supports Arcfour, none or CBC ciphers. Details: SSH Weak Encryption Algorithms Supported OID:1.3.6.1.4.1.25623.1.0.105611 Version used: $Revision: 13581 $

References Other:

URL:https://tools.ietf.org/html/rfc4253#section-6.3 URL:https://www.kb.cert.org/vuls/id/958563

[ return to 192.168.1.99 ]

2.1.6 Medium 6667/tcp

Medium (CVSS: 6.8) NVT: UnrealIRCd Authentication Spoo˝ng Vulnerability

Summary This host is installed with UnrealIRCd and is prone to authentication spoo˝ng vulnerability.

Vulnerability Detection Result Installed version: 3.2.8.1 Fixed version: 3.2.10.7

Impact Successful exploitation of this vulnerability will allows remote attackers to spoof certi˝cate ˝n- gerprints and consequently log in as another user.

Solution Solution type: VendorFix Upgrade to UnrealIRCd 3.2.10.7, or 4.0.6, or later.

A˙ected Software/OS UnrealIRCd before 3.2.10.7 and 4.x before 4.0.6.

Vulnerability Insight The ˛aw exists due to an error in the 'm_authenticate' function in 'modules/m_sasl.c' script.

Vulnerability Detection Method Checks if a vulnerable version is present on the target host. Details: UnrealIRCd Authentication Spoofing Vulnerability OID:1.3.6.1.4.1.25623.1.0.809883 . . . continues on next page . . .

2 RESULTS PER HOST 17

. . . continued from previous page . . . Version used: $Revision: 11874 $

References CVE: CVE-2016-7144 BID:92763 Other:

URL:http://seclists.org/oss-sec/2016/q3/420 URL:http://www.openwall.com/lists/oss-security/2016/09/05/8 URL:https://github.com/unrealircd/unrealircd/commit/f473e355e1dc422c4f019dbf8

,→6bc50ba1a34a766 URL:https://bugs.unrealircd.org/main_page.php

[ return to 192.168.1.99 ]

2.1.7 Medium 5432/tcp

Medium (CVSS: 5.0) NVT: SSL/TLS: Certi˝cate Expired

Summary The remote server's SSL/TLS certi˝cate has already expired.

Vulnerability Detection Result The certificate of the remote service expired on 2010-04-16 14:07:45. Certificate details: subject ...: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F6 ,→3616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of ,→Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outsid ,→e US,C=XX subject alternative names (SAN): None issued by .: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F6 ,→3616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of ,→Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outsid ,→e US,C=XX serial ....: 00FAF93A4C7FB6B9CC valid from : 2010-03-17 14:07:45 UTC valid until: 2010-04-16 14:07:45 UTC fingerprint (SHA-1): ED093088706603BFD5DC237399B498DA2D4D31C6 fingerprint (SHA-256): E7A7FA0D63E457C7C4A59B38B70849C6A70BDA6F830C7AF1E32DEE436 ,→DE813CC

Solution Solution type: Mitigation Replace the SSL/TLS certi˝cate by a new one.

. . . continues on next page . . .

2 RESULTS PER HOST 18

. . . continued from previous page . . .

Vulnerability Insight This script checks expiry dates of certi˝cates associated with SSL/TLS-enabled services on the target and reports whether any have already expired.

Vulnerability Detection Method Details: SSL/TLS: Certificate Expired OID:1.3.6.1.4.1.25623.1.0.103955 Version used: $Revision: 11103 $

Medium (CVSS: 4.3) NVT: SSL/TLS: Report Weak Cipher Suites

Summary This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are con˝gured for this service the alternative would be to fall back to an even more insecure cleartext communication.

Vulnerability Detection Result 'Weak' cipher suites accepted by this service via the SSLv3 protocol: TLS_RSA_WITH_RC4_128_SHA 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_RC4_128_SHA

Solution Solution type: Mitigation The con˝guration of this services should be changed so that it does not accept the listed weak cipher suites anymore. Please see the references for more resources supporting you with this task.

Vulnerability Insight These rules are applied for the evaluation of the cryptographic strength: - RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808). - Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000). - 1024 bit RSA authentication is considered to be insecure and therefore as weak. - Any cipher considered to be secure for only the next 10 years is considered as medium - Any other cipher is considered as strong

Vulnerability Detection Method Details: SSL/TLS: Report Weak Cipher Suites OID:1.3.6.1.4.1.25623.1.0.103440 Version used: $Revision: 11135 $

References CVE: CVE-2013-2566, CVE-2015-2808, CVE-2015-4000 . . . continues on next page . . .

2 RESULTS PER HOST 19

. . . continued from previous page . . . Other:

URL:https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/warnmeldung_cb-k16-

,→1465_update_6.html URL:https://bettercrypto.org/ URL:https://mozilla.github.io/server-side-tls/ssl-config-generator/

Medium (CVSS: 4.3) NVT: SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection

Summary It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

Vulnerability Detection Result In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 proto ,→col and supports one or more ciphers. Those supported ciphers can be found in ,→the 'SSL/TLS: Report Weak and Supported Ciphers' (OID: 1.3.6.1.4.1.25623.1.0.8 ,→02067) NVT.

Impact An attacker might be able to use the known cryptographic ˛aws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection.

Solution Solution type: Mitigation It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the references for more information.

A˙ected Software/OS All services providing an encrypted communication using the SSLv2 and/or SSLv3 protocols.

Vulnerability Insight The SSLv2 and SSLv3 protocols containing known cryptographic ˛aws like: - Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566) - Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)

Vulnerability Detection Method Check the used protocols of the services provided by this system. Details: SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection OID:1.3.6.1.4.1.25623.1.0.111012 Version used: $Revision: 5547 $

References CVE: CVE-2016-0800, CVE-2014-3566 Other: . . . continues on next page . . .

http:URL:https://bettercrypto.org
20

Medium (CVSS: 4.3) NVT: SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POO- DLE)

Summary This host is prone to an information disclosure vulnerability.

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Impact Successful exploitation will allow a man-in-the-middle attackers gain access to the plain text data stream.

Solution Solution type: Mitigation Possible Mitigations are: - Disable SSLv3 - Disable cipher suites supporting CBC cipher modes - Enable TLS_FALLBACK_SCSV if the service is providing TLSv1.0+

Vulnerability Insight The ˛aw is due to the block cipher padding not being deterministic and not covered by the Message Authentication Code

Vulnerability Detection Method Evaluate previous collected information about this service. Details: SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure ,→.. OID:1.3.6.1.4.1.25623.1.0.802087 Version used: $Revision: 11402 $

References CVE: CVE-2014-3566 BID:70574 Other:

URL:https://www.openssl.org/~bodo/ssl-poodle.pdf URL:https://www.imperialviolet.org/2014/10/14/poodle.html URL:https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html URL:http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploit

. . . continues on next page . . .

2 RESULTS PER HOST

. . . continued from previous page . . . URL:https://www.enisa.europa.eu/activities/identity-and-trust/library/delivera

,→bles/algorithms-key-sizes-and-parameters-report URL:https://bettercrypto.org/ URL:https://mozilla.github.io/server-side-tls/ssl-config-generator/ URL:https://drownattack.com/ URL:https://www.imperialviolet.org/2014/10/14/poodle.html

Vulnerability .

http:URL:https://drownattack.com
http:URL:https://bettercrypto.org
21

Medium (CVSS: 4.0) NVT: SSL/TLS: Di°e-Hellman Key Exchange Insu°cient DH Group Strength Vulnerability

Summary The SSL/TLS service uses Di°e-Hellman groups with insu°cient strength (key size < 2048).

Vulnerability Detection Result Server Temporary Key Size: 1024 bits

Impact An attacker might be able to decrypt the SSL/TLS communication o˜ine.

Solution Solution type: Workaround Deploy (Ephemeral) Elliptic-Curve Di°e-Hellman (ECDHE) or use a 2048-bit or stronger Di°e- Hellman group (see the references). For Apache Web Servers: Beginning with version 2.4.7, mod_ssl will use DH parameters which include primes with lengths of more than 1024 bits.

Vulnerability Insight The Di°e-Hellman group are some big numbers that are used as base for the DH computations. They can be, and often are, ˝xed. The security of the ˝nal secret depends on the size of these parameters. It was found that 512 and 768 bits to be weak, 1024 bits to be breakable by really powerful attackers like governments.

Vulnerability Detection Method Checks the DHE temporary public key size. Details: SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength ,→.. OID:1.3.6.1.4.1.25623.1.0.106223 Version used: $Revision: 12865 $

References Other:

URL:https://weakdh.org/ URL:https://weakdh.org/sysadmin.html

2 RESULTS PER HOST

. . . continued from previous page . . . ,→ing-ssl-30.html

Vulnerabili.

Medium (CVSS: 4.0) NVT: SSL/TLS: Certi˝cate Signed Using A Weak Signature Algorithm

Summary The remote service is using a SSL/TLS certi˝cate in the certi˝cate chain that has been signed using a cryptographically weak hashing algorithm.

. . . continues on next page . . .

2 RESULTS PER HOST 22

. . . continued from previous page . . .

Vulnerability Detection Result The following certificates are part of the certificate chain but using insecure ,→signature algorithms: Subject: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173 ,→652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complic ,→ation of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thi ,→ng outside US,C=XX Signature Algorithm: sha1WithRSAEncryption

Solution Solution type: Mitigation Servers that use SSL/TLS certi˝cates signed with a weak SHA-1, MD5, MD4 or MD2 hashing algorithm will need to obtain new SHA-2 signed SSL/TLS certi˝cates to avoid web browser SSL/TLS certi˝cate warnings.

Vulnerability Insight The following hashing algorithms used for signing SSL/TLS certi˝cates are considered crypto- graphically weak and not secure enough for ongoing use: - Secure Hash Algorithm 1 (SHA-1) - Message Digest 5 (MD5) - Message Digest 4 (MD4) - Message Digest 2 (MD2) Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft and Google will begin warning users when visiting web sites that use SHA-1 signed Secure Socket Layer (SSL) certi˝cates. NOTE: The script preference allows to set one or more custom SHA-1 ˝ngerprints of CA certi˝- cates which are trusted by this routine. The ˝ngerprints needs to be passed comma-separated and case-insensitive: Fingerprint1 or ˝ngerprint1,Fingerprint2

Vulnerability Detection Method Check which hashing algorithm was used to sign the remote SSL/TLS certi˝cate. Details: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm OID:1.3.6.1.4.1.25623.1.0.105880 Version used: $Revision: 11524 $

References Other:

URL:https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with ,→-sha-1-based-signature-algorithms/

[ return to 192.168.1.99 ]

2.1.8 Low 80/tcp

2 RESULTS PER HOST 23

Low (CVSS: 3.5) NVT: Tiki Wiki CMS Groupware XSS Vulnerability

Summary An XSS vulnerability (via an SVG image) in Tiki allows an authenticated user to gain adminis- trator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/˝legals/˝legallib.php.

Vulnerability Detection Result Installed version: 1.9.5 Fixed version: 18.0

Solution Solution type: VendorFix Upgrade to version 18.0 or later.

A˙ected Software/OS Tiki Wiki CMS Groupware prior to version 18.0.

Vulnerability Detection Method Checks if a vulnerable version is present on the target host. Details: Tiki Wiki CMS Groupware XSS Vulnerability OID:1.3.6.1.4.1.25623.1.0.140797 Version used: $Revision: 12116 $

References CVE: CVE-2018-7188 Other:

URL:http://openwall.com/lists/oss-security/2018/02/16/1

[ return to 192.168.1.99 ]

2.1.9 Low 22/tcp

Low (CVSS: 2.6) NVT: SSH Weak MAC Algorithms Supported

Summary The remote SSH server is con˝gured to allow weak MD5 and/or 96-bit MAC algorithms.

Vulnerability Detection Result The following weak client-to-server MAC algorithms are supported by the remote ,→ervice: hmac-md5 hmac-md5-96 hmac-sha1-96 The following weak server-to-client MAC algorithms are supported by the remote

s

s . . . continues on next page . . .

2 RESULTS PER HOST 24

. . . continued from previous page . . . ,→ervice: hmac-md5 hmac-md5-96 hmac-sha1-96

Solution Solution type: Mitigation Disable the weak MAC algorithms.

Vulnerability Detection Method Details: SSH Weak MAC Algorithms Supported OID:1.3.6.1.4.1.25623.1.0.105610 Version used: $Revision: 13581 $

[ return to 192.168.1.99 ]

2.1.10 Low general/tcp

Low (CVSS: 2.6) NVT: TCP timestamps

Summary The remote host implements TCP timestamps and therefore allows to compute the uptime.

Vulnerability Detection Result It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in-between: Packet 1: 57293 Packet 2: 57401

Impact A side e˙ect of this feature is that the uptime of the remote host can sometimes be computed.

Solution Solution type: Mitigation To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See the references for more information.

A˙ected Software/OS TCP/IPv4 implementations that implement RFC1323.

. . . continues on next page . . .

2 RESULTS PER HOST 25

. . . continued from previous page . . .

Vulnerability Insight The remote host implements TCP timestamps, as de˝ned by RFC1323.

Vulnerability Detection Method Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps OID:1.3.6.1.4.1.25623.1.0.80091 Version used: $Revision: 14310 $

References Other:

URL:http://www.ietf.org/rfc/rfc1323.txt URL:http://www.microsoft.com/en-us/download/details.aspx?id=9152

[ return to 192.168.1.99 ]

This ˝le was automatically generated.

Result Overview
Results per Host