Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test: 1
Number of security holes found: 4
Number of security warnings found: 13


Host List
Host(s) Possible Issue
192.168.1.14 Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
192.168.1.14 general/tcp Security warning(s) found
192.168.1.14 echo (7/tcp) Security warning(s) found
192.168.1.14 echo (7/udp) Security warning(s) found
192.168.1.14 discard (9/tcp) Security warning(s) found
192.168.1.14 daytime (13/tcp) Security warning(s) found
192.168.1.14 daytime (13/udp) Security warning(s) found
192.168.1.14 chargen (19/tcp) Security notes found
192.168.1.14 chargen (19/udp) No Information
192.168.1.14 ftp (21/tcp) Security hole found
192.168.1.14 ssh (22/tcp) Security hole found
192.168.1.14 telnet (23/tcp) Security notes found
192.168.1.14 time (37/tcp) Security notes found
192.168.1.14 time (37/udp) No Information
192.168.1.14 finger (79/tcp) Security warning(s) found
192.168.1.14 rpcbind (111/tcp) No Information
192.168.1.14 auth (113/tcp) Security warning(s) found
192.168.1.14 exec (512/tcp) No Information
192.168.1.14 login (513/tcp) No Information
192.168.1.14 shell (514/tcp) No Information
192.168.1.14 uucp (540/tcp) Security notes found
192.168.1.14 klogin (543/tcp) No Information
192.168.1.14 kshell (544/tcp) Security notes found
192.168.1.14 nfs (2049/tcp) No Information
192.168.1.14 eklogin (2105/tcp) No Information
192.168.1.14 cryptoadmin (624/tcp) No Information
192.168.1.14 unknown (1015/tcp) No Information
192.168.1.14 general/icmp Security hole found
192.168.1.14 general/udp Security notes found


Security Issues and Fixes: 192.168.1.14
Type Port Issue and Fix
Warning general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618
Warning general/tcp
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.

This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc...).

Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213
Informational general/tcp The remote host is up
Nessus ID : 10180
Informational general/tcp Nmap found that this host is running FreeBSD 4.6.2-RELEASE - 4.8-RELEASE, FreeBSD 4.7-RELEASE, FreeBSD 4.8-RELEASE through 4.9-STABLE, FreeBSD 4.8-STABLE - 4.9-PRERELEASE

Nessus ID : 10336
Informational general/tcp HTTP NIDS evasion functions are enabled.
You may get some false negative results
Nessus ID : 10890
Informational general/tcp The remote host is running one of these operating systems :
FreeBSD 4.9
FreeBSD 4.8
FreeBSD 4.7
Nessus ID : 11936
Warning echo (7/tcp)
The remote host is running the 'echo' service. This service
echoes any data which is sent to it.

This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up denial of
service attacks against this host.

Solution :

- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CVE-1999-0103, CAN-1999-0635
Nessus ID : 10061
Informational echo (7/tcp) An echo server is running on this port
Nessus ID : 10330
Warning echo (7/udp)
The remote host is running the 'echo' service. This service
echoes any data which is sent to it.

This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up denial of
service attacks against this host.

Solution :

- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CVE-1999-0103, CAN-1999-0635
Nessus ID : 10061
Warning discard (9/tcp)
The remote host is running a 'discard' service. This service
typically sets up a listening socket and will ignore all the
data which it receives.

This service is unused these days, so it is advised that you
disable it.


Solution :

- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CAN-1999-0636
Nessus ID : 11367
Warning daytime (13/tcp)
The remote host is running a 'daytime' service. This service
is designed to give the local time of day of this host
to whoever connects to this port.

The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.

In addition, since the UDP version of daytime is running, an attacker
may link it to the echo port of a third-party host using spoofing, thus
creating a possible denial of service condition between this host and
a third party.

Solution :

- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Warning daytime (13/udp)
The remote host is running a 'daytime' service. This service
is designed to give the local time of day of this host
to whoever connects to this port.

The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.

In addition, since the UDP version of daytime is running, an attacker
may link it to the echo port of a third-party host using spoofing, thus
creating a possible denial of service condition between this host and
a third party.

Solution :

- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Informational chargen (19/tcp) Chargen is running on this port
Nessus ID : 10330
Vulnerability ftp (21/tcp)
It was possible to kill the service by sending a single long
text line.
A cracker may be able to use this flaw to crash your software
or even execute arbitrary code on your system.

Risk factor : High
Nessus ID : 11175
Vulnerability ftp (21/tcp)
It was possible to disable the remote FTP server
by connecting to it about 3000 times, with
one connection at a time.

If the remote server is running from within [x]inetd, this
is a feature and the FTP server should automatically be back
in a couple of minutes.

An attacker may use this flaw to prevent this
service from working properly.

Solution : If the remote server is the GoodTech ftpd server,
download the newest version from http://www.goodtechsys.com.
Risk factor : High
CVE : CAN-2001-0188
BID : 2270
Nessus ID : 10690
Informational ftp (21/tcp) An unknown service is running on this port.
It is usually reserved for FTP
Nessus ID : 10330
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.7.1

Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.

An exploit for this issue is rumored to exist.


Note that several distributions patched this hole without changing
the version number of OpenSSH. Since Nessus relied solely on the
banner of the remote SSH server to perform this check, this might
be a false positive.

If you are running a RedHat host, make sure that the command :
rpm -q openssh-server

Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)

Solution : Upgrade to OpenSSH 3.7.1
See also : http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
Nessus ID : 11837
Warning ssh (22/tcp)
You are running OpenSSH-portable 3.6.1 or older.

There is a flaw in this version which may allow an attacker to
bypass the access controls set by the administrator of this server.

OpenSSH features a mechanism which can restrict the list of
hosts a given user can log in from by specifying a pattern
in the user key file (i.e. *.mynetwork.com would let a user
connect only from the local network).

However there is a flaw in the way OpenSSH does reverse DNS lookups.
If an attacker configures his DNS server to send a numeric IP address
when a reverse lookup is performed, he may be able to circumvent
this mechanism.

Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk factor : Low
CVE : CAN-2003-0386
BID : 7831
Nessus ID : 11712
Warning ssh (22/tcp)
You are running OpenSSH-portable 3.6.1p1 or older.

If PAM support is enabled, an attacker may use a flaw in this version
to determine the existence of a given login name by comparing the time
the remote sshd daemon takes to refuse a bad password for a non-existent
login with the time it takes to refuse a bad password for a
valid login.

An attacker may use this flaw to set up a brute force attack against
the remote host.

*** Nessus did not check whether the remote SSH daemon is actually
*** using PAM or not, so this might be a false positive

Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer
Risk factor : Low
CVE : CAN-2003-0190
BID : 7342, 7467, 7482
Other references : RHSA:RHSA-2003:222-01
Nessus ID : 11574
Warning ssh (22/tcp)
The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically
safe, so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
Nessus ID : 10882
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-1.99-OpenSSH_3.5p1 FreeBSD-20030924

Nessus ID : 10267
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0


SSHv1 host key fingerprint : 8a:44:5a:fd:bf:8e:44:e6:7b:a2:5e:16:02:09:62:fa
SSHv2 host key fingerprint : f0:65:65:74:ad:ab:52:c6:77:93:ad:10:b8:1e:04:a8

Nessus ID : 10881
Informational telnet (23/tcp) An unknown service is running on this port.
It is usually reserved for Telnet
Nessus ID : 10330
Informational time (37/tcp) A time server seems to be running on this port
Nessus ID : 10330
Warning finger (79/tcp)
The 'finger' service provides useful information to attackers, since it allows
them to gain usernames, check if a machine is being used, and so on...

Here is the output we obtained for 'root' :

Login: root Name: Charlie Root
Directory: /root Shell: /bin/csh
Never logged in.
No Mail.
No Plan.


Solution : comment out the 'finger' line in /etc/inetd.conf
Risk factor : Low
CVE : CVE-1999-0612
Nessus ID : 10068
Informational finger (79/tcp) A finger server seems to be running on this port
Nessus ID : 10330
Warning auth (113/tcp)
The remote host is running an ident (also known as 'auth') daemon.

The 'ident' service provides sensitive information to potential
attackers. It mainly says which accounts are running which services.
This helps attackers to focus on valuable services (those
owned by root). If you do not use this service, disable it.

Solution : Under Unix systems, comment out the 'auth' or 'ident'
line in /etc/inetd.conf and restart inetd

Risk factor : Low
CVE : CAN-1999-0629
Nessus ID : 10021
Informational auth (113/tcp) An identd server is running on this port
Nessus ID : 10330
Informational uucp (540/tcp) A UUCP server seems to be running on this port
Nessus ID : 10330
Informational kshell (544/tcp) The service closed the connection after 0 seconds without sending any data
It might be protected by some TCP wrapper

Nessus ID : 10330
Vulnerability general/icmp
The remote host is vulnerable to an 'Etherleak' -
the remote Ethernet driver seems to leak bits of the
content of the memory of the remote operating system.

Note that an attacker may take advantage of this flaw
only when its target is on the same physical subnet.

See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : High
CVE : CAN-2003-0001
BID : 6535
Nessus ID : 11197
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Informational general/icmp Here is the route recorded between 192.168.1.3 and 192.168.1.14 :
192.168.1.14.

Nessus ID : 12264
Informational general/udp For your information, here is the traceroute to 192.168.1.14 :
192.168.1.3
192.168.1.14

Nessus ID : 10287

This file was generated by Nessus, the open-sourced security scanner.