22.4 Resolving Nessus Security Scan Issues

22.4.1 Port dns (53/tcp): DNS Server Zone Tranfer Information Disclosure (AXFR)

Nessus Plug in: 10595

Port: DNS service on port 53

Synopsis: The remote name server permits zone transfers.

Description: A zone transfer lets a remote attacker instantly populate a list of potential targets. In addition, companies often use a naming convention that can give hints as to a server’s primary application, for example, proxy.example.com, payroll.example.com, b2b.example.com, etc.

Information like this is of great use to an attacker, who may use it to gain information about the topology of the network and spot new targets.

Resolution: Limit DNS zone transfers to only the servers that need the information. The Security Chapter for DNS includes the required information to restrict zones, allow-update and queries and the security factors. See Security Considerations for DNS in the OES 2 SP3: Novell DNS/DHCP Administration Guide.

22.4.2 Port dns (53/udp):DNS Server Recursive Query Cache Poisoning Weakness

Nessus Plug in: 10539

Port: DNS on port 53

Synopsis: The remote name server allows recursive queries to be performed by the host running nessusd.

Description: It is possible to query the remote name server for third party names.

If this is your internal name server, then the attack vector may be limited to employees or guest access if allowed. If you are probing a remote name server, then it allows anyone to use it to resolve third party names, such as www.novell.com.This allows attackers to perform cache poisoning attacks against this name server.

If the host allows these recursive queries via UDP, then the host can be used to bounce denial-of-service attacks against another network or system.

Resolution: Restrict recursive queries to the hosts that should use this name server, such as those of the LAN connected to it.

The Security Chapter for Novell DNS includes the required information to restrict zones, allow-update and queries and the security factors. See Security Considerations for DNS in the OES 2 SP3: Novell DNS/DHCP Administration Guide.

22.4.3 Port dns (53/udp): DNS Server Cache Snooping Remote Information Disclosure

Nessus Plug in: 12217

Port: DNS on port 53

Synopsis: The remote DNS server is vulnerable to cache snooping attacks.

Description: The remote DNS server responds to queries for third-party domains  that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.

For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.

NOTE:If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants, and potential users on a guest network or WiFi connection if supported.

Resolution: The Security Chapter for Novell DNS includes the required information to restrict zones, allow-update and queries and the security factors. See Security Considerations for DNS in the OES 2 SP3: Novell DNS/DHCP Administration Guide.

22.4.4 Port dns (53/udp): Multiple Vendor DNS Query ID Field Prediction Cache Poisoning

Nessus Plug in: 33447

Port: DNS on Port 53

Synopsis: The remote name resolver (or the server it uses upstream) may be vulnerable to DNS cache poisoning.

Description: The remote DNS resolver does not use random ports when making queries to third party DNS servers. This problem might be exploited by an attacker to poison the remote DNS server more easily, and therefore divert legitimate traffic to arbitrary sites.

Resolution: Nessus might report this if the OES server is configured to use a non-OES DNS server that has the above vulnerability. Configure DNS with Novell-DNS instead of the third-party server that is vulnerable.

22.4.5 Port ftp (21/tcp): Anonymous FTP Enabled

Nessus Plug in: 10079

Port: FTP service on port 21

Synopsis: Anonymous logins are allowed on the remote FTP server.

Description: This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.

Resolution: Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.

22.4.6 Port ftp (21/tcp):Multiple Vendor Embedded FTP Service Any Username Authentication Bypass

Nessus Plug in: 10990

Port: FTP service on port 21

Synopsis: A random username and password can be used to authenticate to the remote FTP server.

Description: The FTP server running on the remote host can be accessed using a random username and password. Nessus has enabled some countermeasures to prevent other plug ins from reporting vulnerabilities incorrectly because of this.

Resolution: Contact the FTP server's documentation so that the service handles authentication requests properly.

22.4.7 Port ldap: LDAP NULL BASE Search Access

Nessus Plugin: 10722

Port: LDAP on 389, DSfW LDAPS on 1636, msft-gc on 3268

Synopsis: The remote LDAP server may disclose sensitive information.

Description: The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool such as LdapMiner.

NOTE:There are valid reasons to allow queries with a null base. For example, it is required in version 3 of the LDAP protocol to provide access to the root DSA-Specific Entry (DSE), with information about the supported naming context, authentication types, and the like. It also means that legitimate users can find information in the directory without any a prior knowledge of its structure.

For these reasons, this finding may be a false-positive.

Resolution: If the remote LDAP server supports a version of the LDAP protocol before v3, consider whether to disable NULL BASE queries on your LDAP server LDAP NULL BASE search access might be required by many OES services.

For more details see, TID 7000737.

22.4.8 Port smb (139/tcp) : Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials

Neesus Plug in : 56210

Synopsis: It is possible to obtain the host SID for the remote host, without credentials.

Description: By emulating the call to LsaQueryInformationPolicy(), it is possible to obtain the host SID (Security Identifier), without credentials. The host SID can then be used to get the list of local users.

Resolution: Novell-Cifs sends a dummy response with an SID value of 0. Therefore, this is not a security vulnerability.

22.4.9 Port ssh (22/tcp): SSH Protocol Version 1 Session Key Retrieval

Nessus Plug in: 10882

Port: SSH service on port 22

Synopsis: The remote service offers an insecure cryptographic protocol.

Description: The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe, so they should not be used.

Resolution: Disable compatibility with SSH 1.x.

22.4.10 Port (524/tcp): Novell NetWare ncp Service NDS Object Enumeration

Nessus Plug in: 10988

Port: NCP server on port 524

Synopsis: Remote directory server leaks information.

Description: This host is a Novell NetWare (eDirectory) server, and has browse rights on the PUBLIC object. It is possible to enumerate all NDS objects, including users, with crafted queries. An attacker can use this to gain information about this host.

Resolution: This feature is required by many OES services for their normal operation.

If this is an external system, block Internet access to port 524.

22.4.11 Port www (443/tcp): SSL Certificate signed with an unknown Certificate Authority

Nessus Plug in: 51192

Port: Apache (443), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269), wbem (5989), NRM (8009), iMonitor (8030)

Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.       

Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL because anyone could establish a man-in-the-middle attack against the remote host.

Resolution: Purchase or generate a proper certificate for this service. For more information about generating certificates using the Novell Certificate Server, see Using eDirectory Certificates with External Applications in the Novell Certificate Server 3.3.4 Administration Guide.

22.4.12 Port www (443/tcp): SSL Version 2 (v2) Protocol Detection

Nessus Plug in: 20007

Port: Apache port www (443)

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.

Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

Resolution: Consult the Apache documentation to disable SSL 2.0 and use SSL3.0 or TLS 1.0 instead.

22.4.13 Port www (tcp): SSL Weak Cipher Suites Supported

Nessus Plug in: 26928

Port: Apache (443), NRM (8009), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269)

Synopsis: The remote service supports the use of weak SSL ciphers.

Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

NOTE:This is considerably easier to exploit if the attacker is on the same physical network.

Resolution:

  1. Change the weak SSLCipherSuite setting for Apache in the /etc/apache2/vhosts.d/vhost-ssl.conf file from:

    • SSLCipherSuite
    • ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    to

    • SSLCipherSuite
    • ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv2:!EXP:!eNULL
  2. Restart Apache by entering the following at the terminal prompt:

    rcapache2 restart

22.4.14 Port www (tcp): SSL Medium Strength Cipher Suites Supported

Nessus Plug in: 42873

Port: Apache (443), NRM (8009), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269)

Synopsis: The remote service supports the use of medium strength SSL ciphers.

Description: The remote host supports the use of SSL ciphers that offer medium-strength encryption (key lengths at least 56 bits and less than 112 bits).

NOTE:This is considerably easier to exploit if the attacker is on the same physical network.

Resolution: Open the /etc/opt/novell/httpstkd.conf file in a text editor, then do the following:

  1. Find the following section.

    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ;    Cipher strength determines the bit strength for the SSL key 
    ;    that is required to access Novell Remote Manager(NRM). 
    ;       The default will be all 
    ;
    ;    If you modify the setting it will be necessary to restart NRM.
    ;
    ;       Options: all, low, medium, high
    ;
    ;       all - allows any negotiated encryption level.
    ;       low - allows less than 56-bit encryption
    ;       medium - allows 56-bit up to 112-bit encryption
    ;       high - allows 112-bit or greater encryption
    ;
    ;       Example:
    ;       cipher high
    ;
    ;
    ;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    cipher all
    
  2. Change cipher all to cipher high.

  3. Save the file.

  4. Restart httpstkd by entering rcnovell-httpstkd restart at a terminal prompt.

22.4.15 Port/Service: smb (139/tcp)

Build: Oes2Sp3 server Jan'12 patch

Nessus Plug in: 56708

Plugin Name: SMB Signing Disabled

Synopsis: Signing is disabled on the remote SMB server.

Description: Signing is disabled on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.

Solution: Enforce message signing in the host's configuration. On Windows, this is found in the Local Security Policy. On Samba, the setting is called server signing.

See also, http://support.microsoft.com/kb/887429, http://technet.microsoft.com/en-us/library/cc786681%28WS.10%29.aspx, http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Risk Factor: Medium

CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Vulnerability Publication Date: 2012/01/17

Plugin Publication Date: 2012/01/19

Plugin Last Modification Date: 2012/01/19

Risk factor : Medium

CVE: CVE-1999-0532

Other references: OSVDB:492

Nessus ID: 10595