[LugBS] site vulnerabilities

Nicola Gatta nicola.gatta a gmail.com
Tue 22 Dec 2020 10:37:41 UTC


Hi,

Classic automated report from one of the various vulnerability
assessment tools.
The two level-3 vulnerabilities are not particularly serious, and neither
of them can lead to remote code execution or data disclosure.
Technically, the second one is fixed with a trivial bit of TLS/SSL
configuration work on the web server (Apache, IIS, or other).
The first looks like a firewall configured in a non-stateful way, but it
should be checked briefly (it could be a false positive).
Here too, nothing earth-shattering or serious.

If you are hosted at Aruba, it is Aruba's business anyway (conversely, if
the "machine" is at Aruba but managed by you, you have to deal with it
yourself).

I can't tell you anything about the legal side regarding fines, and I
haven't followed the Rousseau affair; the letter is certainly a bit FUD.
The last part of the letter, however, is not wrong: if you have a web app,
a WordPress, etc. on that site, it might be useful to have a pentest done
on that part.
That is what I think might interest you most, i.e. whether there is a way
to abuse the web app to access confidential data.

Just my 2 cents





On Mon, Dec 21, 2020 at 7:03 PM info a antonellofacchetti.it <
info a antonellofacchetti.it> wrote:

>
> The DPO of my school sent us the vulnerability check concerning our
> website, which I attach, together with the accompanying letter that
> followed (which I also attach).
> Now, from a quick read it seems to me these are matters that concern
> our ISP (Aruba, in this case), so I wouldn't really know what to do. Now,
> given the tone of the accompanying letter (it looks a lot like a FUD
> campaign, fear uncertainty and doubt) which seems very much a prelude to a
> "pay us and we'll take care of it", tell me... what to do? How to reply?
> Can anyone enlighten me on the contents of the report?
>
> accompanying letter
>
> Subject: possible vulnerability of the institutional website
> Following a test on your institutional website, carried out with
> dedicated software, some vulnerabilities were highlighted.
> It is therefore essential to intervene on the platform, through the
> company/body that manages the website, in order to remove these
> vulnerabilities, so as to contain the level of risk and make it
> acceptable.
> We take this opportunity to remind you that for a similar problem
> (specifically, for the Rousseau platform, which turned out to be poorly
> secured), the Movimento 5 Stelle recently received a fine of 50,000.00
> Euro.
> It is therefore clear that the matter must be given the utmost attention
> and priority.
> We wish to stress that tests of this kind are an indicative tool, and
> that more in-depth tests may become necessary with the intervention of a
> specialised technician. In that case we remain at your disposal to
> provide support.
> Awaiting your prompt reply, best regards.
> Kind regards,
>
> And here is the test (long, but what matters are the first 3
> vulnerabilities, value 3 on a scale of 1 to 5)
>
> Scan Results
> December 04, 2020
> Report Summary
> User Name: Marco Piatti
> Login Name: stud5mp
> Company: Studio81
> User Role: Manager
> Address: Via del Carro 14B,
> Zip: 21017
> Country: Italy
> Created: 12/04/2020 at 18:32:51 (GMT+0100)
> Launch Date: 12/04/2020 at 17:34:34 (GMT+0100)
> Active Hosts: 1
> Total Hosts: 1
> Type: On demand
> Status: Finished
> Reference: scan/1607099674.18669
> External Scanners: 154.59.121.156 (Scanner 12.1.68-1, Vulnerability
> Signatures 2.5.48-4)
> Duration: 00:37:08
> Title: IC Rudiano
> Asset Groups: -
> IPs: 89.46.108.65
> Excluded IPs: -
> Options Profile: Initial Options
>
> Summary of Vulnerabilities
> Vulnerabilities Total: 24
> Security Risk (Avg): 3.0
> by Severity
> Severity
> Confirmed Potential Information Gathered Total
> 5 0 0 0 0
> 4 0 0 0 0
> 3 2 2 0 4
> 2 0 0 0 0
> 1 0 0 20 20
> Total 2 2 20 24
> 5 Biggest Categories
> Category
> Confirmed Potential Information Gathered Total
> Information gathering 0 0 7 7
> General remote services 1 0 6 7
> Web server 0 2 4 6
> TCP/IP 0 0 2 2
> Firewall 1 0 1 2
> Total 2 2 20 24
>
> Detailed Results
> 89.46.108.65 (webx1321.aruba.it, -)
> Vulnerabilities (2)
> 3
> TCP Source Port Pass Firewall
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> 34000
> Firewall
> -
> -
> -
> 07/10/2017
> -
> Edited:
> PCI Vuln:
> No
> Yes
> THREAT:
> Your firewall policy seems to let TCP packets with a specific source
> port pass through.
> IMPACT:
> Some types of requests can pass through the firewall. The port number
> listed in the results section of this vulnerability report is the source
> port that unauthorized users can use to bypass your firewall.
> SOLUTION:
> Make sure that all your filtering rules are correct and strict enough.
> If the firewall intends to deny TCP connections to a specific port, it
> should be configured to block all TCP SYN packets going to this port,
> regardless of the source port.
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> The host responded 3 times to 4 TCP SYN probes sent to destination port
> 8080 using source port 21. However, it did not respond at all to 4 TCP
> SYN probes sent to the same destination port using a random source port.
> 3
> SSL/TLS Server supports TLSv1.0
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 443/tcp over SSL
> 38628
> General remote services
> -
> -
> -
> 12/21/2018
> -
> No
> Yes
> THREAT:
> TLS is capable of using a multitude of ciphers (algorithms) to create
> the public and private key pairs.
> For example if TLSv1.0 uses either the RC4 stream cipher, or a block
> cipher in CBC mode.
> RC4 is known to have biases and the block cipher in CBC mode is
> vulnerable to the POODLE attack.
> TLSv1.0, if configured to use the same cipher suites as SSLv3, includes
> a means by which a TLS implementation can downgrade the connection to
> SSL v3.0, thus weakening security.
> A POODLE-type
> (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack
> could also be launched directly at TLS without negotiating a
> downgrade.
> This QID is an automatic PCI FAIL in accordance with the PCI standards.
> Further details can be found under:
> PCI: ASV Program Guide v3.1 (page 27)
> (https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v3.1.pdf
> )
> PCI: Use of SSL Early TLS and ASV Scans
> (
> https://www.pcisecuritystandards.org/documents/Use-of-SSL-Early-TLS-and-ASV-Scans.pdf
> )
> IMPACT:
> An attacker can exploit cryptographic flaws to conduct man-in-the-middle
> type attacks or to decryption communications.
> For example: An attacker could force a downgrade from the TLS protocol
> to the older SSLv3.0 protocol and exploit the POODLE vulnerability, read
> secure communications or maliciously modify messages.
> A POODLE-type
> (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack
> could also be launched directly at TLS without negotiating a
> downgrade.
> SOLUTION:
> Disable the use of TLSv1.0 protocol in favor of a cryptographically
> stronger protocol such as TLSv1.2.
> The following openssl commands can be used
> to do a manual test:
> openssl s_client -connect ip:port -tls1
> If the test is successful, then the target support TLSv1
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> TLSv1.0 is supported
> Potential Vulnerabilities (2)
> 3
> Web Server Stopped Responding
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 80/tcp
> 86476
> Web server
> -
> -
> -
> 02/28/2019
> -
> No
> Yes
> THREAT:
> The Web server stopped responding to 3 consecutive connection attempts
> and/or more than 3 consecutive HTTP / HTTPS requests. Consequently,
> the
> service aborted testing for HTTP / HTTPS vulnerabilities. The
> vulnerabilities already detected are still posted.
> IMPACT:
> The service was unable to complete testing for HTTP / HTTPS
> vulnerabilities since the Web server stopped responding.
> SOLUTION:
> Check the Web server status.
> If the Web server was crashed during the scan, please restart the
> server, report the incident to Customer Support and stop scanning the
> Web server
> until the issue is resolved.
> If the Web server is unable to process multiple concurrent HTTP / HTTPS
> requests, please lower the scan harshness level and launch another scan.
> If this vulnerability continues to be reported, please contact Customer
> Support.
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> The web server did not respond for 4 consecutive HTTP requests.
> After these, the service was still unable to connect to the web server 2
> minutes later.
> 3
> Web Server Stopped Responding
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 443/tcp over SSL
> 86476
> Web server
> -
> -
> -
> 02/28/2019
> -
> No
> Yes
> THREAT:
> The Web server stopped responding to 3 consecutive connection attempts
> and/or more than 3 consecutive HTTP / HTTPS requests. Consequently,
> the
> service aborted testing for HTTP / HTTPS vulnerabilities. The
> vulnerabilities already detected are still posted.
> IMPACT:
> The service was unable to complete testing for HTTP / HTTPS
> vulnerabilities since the Web server stopped responding.
> SOLUTION:
> Check the Web server status.
> If the Web server was crashed during the scan, please restart the
> server, report the incident to Customer Support and stop scanning the
> Web server
> until the issue is resolved.
> If the Web server is unable to process multiple concurrent HTTP / HTTPS
> requests, please lower the scan harshness level and launch another scan.
> If this vulnerability continues to be reported, please contact Customer
> Support.
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> The web server did not respond for 4 consecutive HTTP requests.
> After these, the service was still unable to connect to the web server 2
> minutes later.
> Information Gathered (20)
> 1
> DNS Host Name
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 6
> Information gathering
> -
> -
> -
> 01/04/2018
> -
> No
> No
> THREAT:
> The fully qualified domain name of this host, if it was obtained from a
> DNS server, is displayed in the RESULT section.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> IP address Host name
> 89.46.108.65 webx1321.aruba.it
> 1
> Firewall Detected
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 34011
> Firewall
> -
> -
> -
> 04/22/2019
> -
> No
> No
> THREAT:
> A packet filtering device protecting this IP was detected. This is
> likely to be a firewall or a router using access control lists (ACLs).
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Some of the ports filtered by the firewall are: 20, 22, 23, 25, 53, 111,
> 135, 445, 1, 7.
> Listed below are the ports filtered by the firewall.
> No response has been received when any of these ports are probed.
> We have omitted from this list 700 higher ports to keep the report size
> manageable.
> 1
> Internet Service Provider
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 45005
> Information gathering
> -
> -
> -
> 09/27/2013
> -
> No
> No
> THREAT:
> The information shown in the Result section was returned by the network
> infrastructure responsible for routing traffic from our cloud platform
> to the
> target network (where the scanner appliance is located).
> This information was returned from: 1) the WHOIS service, or 2) the
> infrastructure provided by the closest gateway server to our cloud
> platform. If
> your ISP is routing traffic, your ISP's gateway server returned this
> information.
> IMPACT:
> This information can be used by malicious users to gather more
> information about the network infrastructure that may aid in launching
> further
> attacks against it.
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> The ISP network handle is: RIPE-C3
> ISP Network description:
> RIPE Network Coordination Centre
> 1
> Traceroute
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 45006
> Information gathering
> -
> -
> -
> 05/09/2003
> -
> No
> No
> THREAT:
> Traceroute describes the path in realtime from the scanner to the remote
> host being contacted. It reports the IP addresses of all the routers in
> between.
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Hops IP Round Trip Time Probe
> 1 154.59.121.130 0.15ms ICMP
> 2 149.14.142.217 13.66ms ICMP
> 3 130.117.51.13 13.80ms ICMP
> 4 130.117.0.142 8.66ms ICMP
> 5 154.54.36.54 16.22ms ICMP
> 6 130.117.0.61 22.37ms ICMP
> 7 154.54.61.90 23.34ms ICMP
> 8 154.54.59.1 29.11ms ICMP
> 9 130.117.48.114 33.06ms ICMP
> 10 149.6.18.50 33.72ms UDP 80
> 11 62.149.185.27 33.12ms TCP 80
> 12 89.46.108.65 32.47ms ICMP
> 1
> Port
> Host Scan Time
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 45038
> Information gathering
> -
> -
> -
> 03/18/2016
> -
> No
> No
> THREAT:
> The Host Scan Time is the period of time it takes the scanning engine to
> perform the vulnerability assessment of a single target host. The Host Scan
> Time for this host is reported in the Result section below.
> The Host Scan Time does not have a direct correlation to the Duration
> time as displayed in the Report Summary section of a scan results
> report. The
> Duration is the period of time it takes the service to perform a scan
> task. The Duration includes the time it takes the service to scan all
> hosts, which
> may involve parallel scanning. It also includes the time it takes for a
> scanner appliance to pick up the scan task and transfer the results back
> to the
> service's Secure Operating Center. Further, when a scan task is
> distributed across multiple scanners, the Duration includes the time it
> takes to
> perform parallel host scanning on all scanners.
> For host running the Qualys Windows agent this QID reports the time
> taken by the agent to collect the host metadata used for the most recent
> assessment scan.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Scan duration: 2226 seconds
> Start time: Fri, Dec 04 2020, 16:35:02 GMT
> End time: Fri, Dec 04 2020, 17:12:08 GMT
> 1
> Host Names Found
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 45039
> Information gathering
> -
> -
> -
> 08/27/2020
> -
> No
> No
> THREAT:
> The following host names were discovered for this computer using various
> methods such as DNS look up, NetBIOS query, and SQL server name
> query.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Host Name Source
> webx1321.aruba.it FQDN
> 1
> Scan Activity per Port
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 45426
> Information gathering
> -
> -
> -
> 06/24/2020
> -
> No
> No
> THREAT:
> Scan activity per port is an estimate of the amount of internal process
> time the scanner engine spent scanning a particular TCP or UDP port. This
> information can be useful to determine the reason for long scan times.
> The individual time values represent internal process time, not elapsed
> time, and can be longer than the total scan time because of internal
> parallelism. High values are often caused by slowly responding services or
> services on which requests time out.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Protocol Port Time
> TCP 80 2:16:27
> TCP 443 1:22:12
> 1
> Open TCP Services List
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 82023
> TCP/IP
> -
> -
> -
> 06/15/2009
> -
> No
> No
> THREAT:
> The port scanner enables unauthorized users with the appropriate tools
> to draw a map of all services on this host that can be accessed from the
> Internet. The test was carried out with a "stealth" port scanner so that
> the server does not log real connections.
> The Results section displays the port number (Port), the default service
> listening on the port (IANA Assigned Ports/Services), the description of
> the
> service (Description) and the service that the scanner detected using
> service discovery (Service Detected).
> IMPACT:
> Unauthorized users can exploit this information to test vulnerabilities
> in each of the open services.
> SOLUTION:
> Shut down any unknown or unused service on the list. If you have
> difficulty figuring out which service is provided by which process or
> program,
> contact your provider's support team. For more information about
> commercial and open-source Intrusion Detection Systems available for
> detecting
> port scanners of this kind, visit the CERT Web site (http://www.cert.org).
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Port
> IANA Assigned Ports/Services Description Service Detected
> 80 www-http World Wide Web HTTP http
> 443 https http protocol over TLS/SSL http over ssl
> 1
> ICMP Replies Received
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> 82040
> TCP/IP
> -
> -
> -
> 01/16/2003
> -
> No
> No
> THREAT:
> ICMP (Internet Control and Error Message Protocol) is a protocol
> encapsulated in IP packets. ICMP's principal purpose is to provide a
> protocol layer
> that informs gateways of the inter-connectivity and accessibility of
> other gateways or hosts.
> We have sent the following types of packets to trigger the host to send
> us ICMP replies:
> Echo Request (to trigger Echo Reply)
> Timestamp Request (to trigger Timestamp Reply)
> Address Mask Request (to trigger Address Mask Reply)
> UDP Packet (to trigger Port Unreachable Reply)
> IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)
> Listed in the "Result" section are the ICMP replies that we have received.
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> ICMP Reply Type Triggered By Additional Information
> Echo (type=0 code=0) Echo Request Echo Reply
> Unreachable (type=3 code=10) (Various) Destination Host Prohibited
> 1
> Microsoft IIS Server Detected
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 80/tcp
> 45104
> Information gathering
> -
> -
> -
> 11/26/2020
> -
> No
> No
> THREAT:
> Microsoft Internet Information Services (IIS) Web Server was detected on
> the target host.
> QID Detection Logic (authenticated):
> Operating System: Windows
> The QID checks for key "HKLM\SOFTWARE\Microsoft\InetStp SetupString"
> value "SetupString" to verify if IIS is present on the Host or not.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Microsoft-IIS/4.0
> 1
> Web Server Version
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 80/tcp
> 86000
> Web server
> -
> -
> -
> 11/03/2020
> -
> No
> No
> THREAT:
> A web server is server software, or hardware dedicated to running this
> software, that can satisfy client requests on the World Wide Web.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Server Version Server Banner
> Microsoft-IIS/4.0 aruba-proxy
> 1
> List of Web Directories
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 80/tcp
> 86672
> Web server
> -
> -
> -
> 09/11/2004
> -
> No
> No
> THREAT:
> Based largely on the HTTP reply code, the following directories are most
> likely present on the host.
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Directory Source
> /cgi-bin/ brute force
> /test/ brute force
> /tmp/ brute force
> /CMS/ brute force
> 1
> SSL Server Information Retrieval
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 443/tcp over SSL
> 38116
> General remote services
> -
> -
> -
> 05/24/2016
> -
> No
> No
> THREAT:
> The following is a list of supported SSL ciphers.
> Note: If a cipher is included in this list it means that it was possible
> to establish a SSL connection using that cipher. There are some web servers
> setups that allow connections to be established using a LOW grade
> cipher, only to provide a web page stating that the URL is accessible only
> through a non-LOW grade cipher. In this case even though LOW grade
> cipher will be listed here QID 38140 will not be reported.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE
> SSLv2 PROTOCOL IS DISABLED
> SSLv3 PROTOCOL IS DISABLED
> TLSv1 PROTOCOL IS ENABLED
> TLSv1 COMPRESSION METHOD None
> ECDHE-RSA-AES128-SHA ECDH RSA SHA1 AES(128) MEDIUM
> ECDHE-RSA-AES256-SHA ECDH RSA SHA1 AES(256) HIGH
> TLSv1.1 PROTOCOL IS ENABLED
> TLSv1.1 COMPRESSION METHOD None AES128-SHA RSA RSA SHA1 AES(128) MEDIUM
> AES256-SHA RSA RSA SHA1 AES(256) HIGH
> CAMELLIA128-SHA RSA RSA SHA1 Camellia(128) MEDIUM
> CAMELLIA256-SHA RSA RSA SHA1 Camellia(256) HIGH
> ECDHE-RSA-AES128-SHA ECDH RSA SHA1 AES(128) MEDIUM
> ECDHE-RSA-AES256-SHA ECDH RSA SHA1 AES(256) HIGH
> TLSv1.2 PROTOCOL IS ENABLED
> TLSv1.2 COMPRESSION METHOD None AES128-SHA RSA RSA SHA1 AES(128) MEDIUM
> AES256-SHA RSA RSA SHA1 AES(256) HIGH
> CAMELLIA128-SHA RSA RSA SHA1 Camellia(128) MEDIUM
> CAMELLIA256-SHA RSA RSA SHA1 Camellia(256) HIGH
> AES128-GCM-SHA256 RSA RSA AEAD AESGCM(128) MEDIUM
> AES256-GCM-SHA384 RSA RSA AEAD AESGCM(256) HIGH
> ECDHE-RSA-AES128-SHA ECDH RSA SHA1 AES(128) MEDIUM
> ECDHE-RSA-AES256-SHA ECDH RSA SHA1 AES(256) HIGH
> ECDHE-RSA-AES128-SHA256 ECDH RSA SHA256 AES(128) MEDIUM
> ECDHE-RSA-AES256-SHA384 ECDH RSA SHA384 AES(256) HIGH
> ECDHE-RSA-AES128-GCM-SHA256 ECDH RSA AEAD AESGCM(128) MEDIUM
> ECDHE-RSA-AES256-GCM-SHA384 ECDH RSA AEAD AESGCM(256) HIGH
> AES128-SHA256 RSA RSA SHA256 AES(128) MEDIUM
> AES256-SHA256 RSA RSA SHA256 AES(256) HIGH
> TLSv1.3 PROTOCOL IS DISABLED
> 1
> SSL Session Caching Information
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 443/tcp over SSL
> 38291
> General remote services
> -
> -
> -
> 03/19/2020
> -
> No
> No
> THREAT:
> SSL session is a collection of security parameters that are negotiated
> by the SSL client and server for each SSL connection. SSL session caching
> is
> targeted to reduce the overhead of negotiations in recurring SSL
> connections. SSL sessions can be reused to resume an earlier connection
> or to
> establish multiple simultaneous connections. The client suggests an SSL
> session to be reused by identifying the session with a Session-ID during
> SSL handshake. If the server finds it appropriate to reuse the session,
> then they both proceed to secure communication with already known security
> parameters.
> This test determines if SSL session caching is enabled on the host.
> IMPACT:
> SSL session caching is part of the SSL and TLS protocols and is not a
> security threat. The result of this test is for informational purposes
> only.
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> TLSv1 session caching is enabled on the target.
> TLSv1.1 session caching is enabled on the target.
> TLSv1.2 session caching is enabled on the target.
> 1
> SSL/TLS invalid protocol version tolerance
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 443/tcp over SSL
> 38597
> General remote services
> -
> -
> -
> 01/29/2016
> -
> No
> No
> THREAT:
> SSL/TLS protocols have different version that can be supported by both
> the client and the server. This test attempts to send invalid protocol
> versions to the target in order to find out what is the target's
> behavior. The results section contains a table that indicates what was the
> target's response to each of our tests.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> my version target version
> 0304 0303
> 0399 0303
> 0400 rejected
> 0499 0303
> 1
> SSL/TLS Key Exchange Methods
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 443/tcp over SSL
> 38704
> General remote services
> -
> -
> -
> 07/12/2018
> -
> No
> No
> THREAT:
> The following is a list of SSL/TLS key exchange methods supported by the
> server, along with their respective key sizes and strengths.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> NAME GROUP KEY-SIZE FORWARD-SECRET CLASSICAL-STRENGTH QUANTUM-STRENGTH
> TLSv1
> ECDHE secp256r1 256 yes 128 low
> ECDHE secp521r1 521 yes 260 low
> ECDHE brainpoolp512r1 512 yes 256 low
> ECDHE brainpoolp384r1 384 yes 192 low
> ECDHE secp384r1 384 yes 192 low
> ECDHE brainpoolp256r1 256 yes 128 low
> ECDHE secp256k1 256 yes 128 low
> ECDHE sect571r1 571 yes 285 low
> ECDHE sect571k1 571 yes 285 low
> ECDHE sect409k1 409 yes 204 low
> ECDHE sect409r1 409 yes 204 low
> ECDHE sect283k1 283 yes 141 low
> ECDHE sect283r1 283 yes 141 low
> TLSv1.1
> RSA 2048 no 110 low
> ECDHE secp256r1 256 yes 128 low
> ECDHE secp521r1 521 yes 260 low
> ECDHE brainpoolp512r1 512 yes 256 low
> ECDHE brainpoolp384r1 384 yes 192 low
> ECDHE secp384r1 384 yes 192 low
> ECDHE brainpoolp256r1 256 yes 128 low
> ECDHE secp256k1 256 yes 128 low
> TLSv1.2
> RSA 2048 no 110 low
> ECDHE secp256r1 256 yes 128 low
> ECDHE secp521r1 521 yes 260 low
> ECDHE brainpoolp512r1 512 yes 256 low
> ECDHE brainpoolp384r1 384 yes 192 low
> ECDHE secp384r1 384 yes 192 low
> ECDHE brainpoolp256r1 256 yes 128 low
> ECDHE secp256k1 256 yes 128 low
> 1
> SSL/TLS Protocol Properties
> QID:
> Category:
> CVE ID:
> Vendor Reference:
> Bugtraq ID:
> Service Modified:
> User Modified:
> Edited:
> PCI Vuln:
> port 443/tcp over SSL
> 38706
> General remote services
> -
> -
> -
> 07/12/2018
> -
> No
> No
> THREAT:
> The following is a list of detected SSL/TLS protocol properties.
> IMPACT:
> Items include:
> Extended Master Secret: indicates whether the extended_master_secret
> extension is supported or required by the server. This extension enhances
> security and is recommended. Applicable to TLSv1, TLSv1.1, TLSv1.2,
> DTLSv1, DTLSv1.2
> Encrypt Then MAC: indicates whether the encrypt_then_mac extension is
> supported or required by the server. This extension enhances the security
> of non-AEAD ciphers and is recommended. Applicable to TLSv1, TLSv1.1,
> TLSv1.2, DTLSv1, DTLSv1.2
> Heartbeat: indicates whether the heartbeat extension is supported. It is
> not recommended to enable this, except for DTLS. Applicable to TLSv1,
> TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1, DTLSv1.2
> Truncated HMAC: indicates whether the truncated_hmac extension is
> supported. This can degrade security and is not recommended. Applicable to
> TLSv1, TLSv1.1, TLSv1.2, DTLSv1, DTLSv1.2
> Cipher priority: indicates whether client, server or both determine the
> priority of ciphers. Having the server determine the priority is
> recommended.
> Applicable to SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3, DTLSv1, DTLSv1.2
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> NAME
> STATUS
> TLSv1
> Extended Master Secret no
> Encrypt Then MAC no
> Heartbeat yes
> Truncated HMAC no
> OCSP stapling no
> SCT extension no
> TLSv1.1
> Extended Master Secret no
> Encrypt Then MAC no
> Heartbeat yes
> Truncated HMAC no
> Cipher priority controlled by server
> OCSP stapling no
> SCT extension no
> TLSv1.2
> Extended Master Secret no
> Encrypt Then MAC no
> Heartbeat yes
> Truncated HMAC no
> Cipher priority controlled by server
> OCSP stapling no
> SCT extension no
> 1
> TLS Secure Renegotiation Extension Support Information
> port 443/tcp over SSL
> QID: 42350
> Category: General remote services
> CVE ID: -
> Vendor Reference: -
> Bugtraq ID: -
> Service Modified: 03/21/2016
> User Modified: -
> Edited: No
> PCI Vuln: No
> THREAT:
> Secure Socket Layer (SSL) and Transport Layer Security (TLS)
> renegotiation are vulnerable to an attack in which the attacker forms a TLS
> connection with the target server, injects content of his choice, and
> then splices in a new TLS connection from a client. The server treats the
> client's initial TLS handshake as a renegotiation and thus believes that
> the initial data transmitted by the attacker is from the same entity as
> the subsequent client data. The TLS protocol was extended to
> cryptographically tie renegotiations to the TLS connections they are
> being performed over. This is referred to as the TLS secure
> renegotiation extension. This
> detection determines whether the TLS secure renegotiation extension is
> supported by the server or not.
> IMPACT:
> N/A
> SOLUTION:
> N/A
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> TLS Secure Renegotiation Extension Status: supported.
> 1
> SSL Web Server Version
> port 443/tcp
> QID: 86001
> Category: Web server
> CVE ID: -
> Vendor Reference: -
> Bugtraq ID: -
> Service Modified: 01/01/1999
> User Modified: -
> Edited: No
> PCI Vuln: No
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Server Version Server Banner
> _ aruba-proxy
> 1
> List of Web Directories
> port 443/tcp
> QID: 86672
> Category: Web server
> CVE ID: -
> Vendor Reference: -
> Bugtraq ID: -
> Service Modified: 09/11/2004
> User Modified: -
> Edited: No
> PCI Vuln: No
> THREAT:
> Based largely on the HTTP reply code, the following directories are most
> likely present on the host.
> COMPLIANCE:
> Not Applicable
> EXPLOITABILITY:
> There is no exploitability information for this vulnerability.
> ASSOCIATED MALWARE:
> There is no malware information for this vulnerability.
> RESULTS:
> Directory Source
> /cgi-bin/ brute force
> /test/ brute force
> /CMS/ brute force
> /tmp/ brute force
> Appendix
> Hosts Scanned (IP)
> 89.46.108.65
> Target distribution across scanner appliances
> External : 89.46.108.65
> Options Profile
> Initial Options
> Scan Settings
> Ports:
> Scanned TCP Ports: Standard Scan
> Scanned UDP Ports: Standard Scan
> Scan Dead Hosts: Off
> Load Balancer Detection: Off
> Perform 3-way Handshake: Off
> Vulnerability Detection: Complete
> Password Brute Forcing:
> System: Disabled
> Custom: Disabled
> Authentication:
> Windows: Disabled
> Unix/Cisco: Disabled
> Oracle: Disabled
> Oracle Listener: Disabled
> SNMP: Disabled
> VMware: Disabled
> DB2: Disabled
> HTTP: Disabled
> MySQL: Disabled
> Tomcat Server: Disabled
> MongoDB: Disabled
> Palo Alto Networks Firewall: Disabled
> Jboss Server: Disabled
> Oracle WebLogic Server: Disabled
> MariaDB: Disabled
> InformixDB: Disabled
> MS Exchange Server: Disabled
> Oracle HTTP Server: Disabled
> MS SharePoint: Disabled
> Kubernetes: Disabled
> Overall Performance: Normal
> Authenticated Scan Certificate Discovery: Disabled
> Test Authentication:
> Disabled
> Hosts to Scan in Parallel:
> Use Appliance Parallel ML Scaling: Off
> External Scanners: 15
> Scanner Appliances: 30
> Processes to Run in Parallel:
> Total Processes: 10
> HTTP Processes: 10
> Packet (Burst) Delay: Medium
> Port Scanning and Host Discovery:
> Intensity:
> Normal
> Dissolvable Agent:
> Dissolvable Agent (for this profile): Disabled
> Windows Share Enumeration: Disabled
> Windows Directory Search: Disabled
> Lite OS Discovery: Disabled
> Host Alive Testing: Disabled
> Do Not Overwrite OS: Disabled
> Advanced Settings
> Host Discovery: TCP Standard Scan, UDP Standard Scan, ICMP On
> Ignore firewall-generated TCP RST packets: Off
> Ignore all TCP RST packets: Off
> Ignore firewall-generated TCP SYN-ACK packets: Off
> Do not send TCP ACK or SYN-ACK packets during host discovery: Off
> Report Legend
> Vulnerability Levels
> A Vulnerability is a design flaw or mis-configuration which makes your
> network (or a host on your network) susceptible to malicious attacks
> from local or remote users. Vulnerabilities can exist in several areas
> of your network, such as in your firewalls, FTP servers, Web servers,
> operating systems or CGI bins. Depending on the level of the security
> risk, the successful exploitation of a vulnerability can vary from the
> disclosure of information about the host to a complete compromise of
> the host.
> Severity Level Description
> 1 Minimal: Intruders can collect information about the host (open
> ports, services, etc.) and may be able to use this information to find
> other vulnerabilities.
> 2 Medium: Intruders may be able to collect sensitive information from
> the host, such as the precise version of software installed. With this
> information, intruders can easily exploit known vulnerabilities specific
> to software versions.
> 3 Serious: Intruders may be able to gain access to specific information
> stored on the host, including security settings. This could result in
> potential misuse of the host by intruders. For example, vulnerabilities
> at this level may include partial disclosure of file contents, access
> to certain files on the host, directory browsing, disclosure of
> filtering rules and security mechanisms, denial of service attacks, and
> unauthorized use of services, such as mail-relaying.
> 4 Critical: Intruders can possibly gain control of the host, or there
> may be potential leakage of highly sensitive information. For example,
> vulnerabilities at this level may include full read access to files,
> potential backdoors, or a listing of all the users on the host.
> 5 Urgent: Intruders can easily gain control of the host, which can lead
> to the compromise of your entire network security. For example,
> vulnerabilities at this level may include full read and write access to
> files, remote execution of commands, and the presence of backdoors.
> Potential Vulnerability Levels
> A potential vulnerability is one which we cannot confirm exists. The
> only way to verify the existence of such vulnerabilities on your network
> would be to perform an intrusive scan, which could result in a denial of
> service. This is strictly against our policy. Instead, we urge you to
> investigate these potential vulnerabilities further.
> Severity Level Description
> 1 Minimal: If this vulnerability exists on your system, intruders can
> collect information about the host (open ports, services, etc.) and may
> be able to use this information to find other vulnerabilities.
> 2 Medium: If this vulnerability exists on your system, intruders may be
> able to collect sensitive information from the host, such as the precise
> version of software installed. With this information, intruders can
> easily exploit known vulnerabilities specific to software versions.
> 3 Serious: If this vulnerability exists on your system, intruders may be
> able to gain access to specific information stored on the host,
> including security settings. This could result in potential misuse of
> the host by intruders. For example, vulnerabilities at this level may
> include partial disclosure of file contents, access to certain files on
> the host, directory browsing, disclosure of filtering rules and security
> mechanisms, denial of service attacks, and unauthorized use of services,
> such as mail-relaying.
> 4 Critical: If this vulnerability exists on your system, intruders can
> possibly gain control of the host, or there may be potential leakage of
> highly sensitive information. For example, vulnerabilities at this level
> may include full read access to files, potential backdoors, or a listing
> of all the users on the host.
> 5 Urgent: If this vulnerability exists on your system, intruders can
> easily gain control of the host, which can lead to the compromise of
> your entire network security. For example, vulnerabilities at this level
> may include full read and write access to files, remote execution of
> commands, and the presence of backdoors.
> Information Gathered
> Information Gathered includes visible information about the network
> related to the host, such as traceroute information, Internet Service
> Provider (ISP), or a list of reachable hosts. Information Gathered
> severity levels also include Network Mapping data, such as detected
> firewalls, SMTP banners, or a list of open TCP services.
> Severity Level Description
> 1 Minimal: Intruders may be able to retrieve sensitive information
> related to the host, such as open UDP and TCP services lists, and
> detection of firewalls.
> 2 Medium: Intruders may be able to determine the operating system
> running on the host, and view banner versions.
> 3 Serious: Intruders may be able to detect highly sensitive data, such
> as global system user lists.
> CONFIDENTIAL AND PROPRIETARY INFORMATION.
> Qualys provides the QualysGuard Service "As Is," without any warranty of
> any kind. Qualys makes no warranty that the information contained in
> this report is complete or error-free. Copyright 2020, Qualys, Inc.
>
>
>
> --
> Info/Complaints/Reports: andrea.gelmini a gmail.com
-------------- next part --------------
An HTML attachment was removed...
URL: <http://lugbs.linux.it/pipermail/lug/attachments/20201222/5057d19c/attachment-0001.html>

