Asset Report For 172.16.72.212


Audit Report

Asset report for 172.16.72.212 new

Audited on July 28, 2022

Reported on July 28, 2022



1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of
your network. Access to this information by unauthorized personnel may allow them to compromise your network.

Site Name: DMZ
Start Time: July 28, 2022 02:00, ICT
End Time: July 28, 2022 02:14, ICT
Total Time: 14 minutes
Status: Success

Overall Risk Trend

Assets: 1 (was 0)
Total Risk: 20,257 (was 0.0)
Average Risk: 20,257 (was 0.0)
Highest-Risk Asset: STREAMING02 20,257 (was 0.0)

The audit was performed on one system which was found to be active and was scanned.

There were 57 vulnerabilities found during this scan. Of these, 7 were critical vulnerabilities. Critical vulnerabilities require immediate
attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 45
vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.


There were 5 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting
subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

There were 2 occurrences of the cifs-smb-signing-disabled, cifs-smb-signing-not-required and cifs-smb1-deprecated vulnerabilities,
making them the most common vulnerabilities. There were 50 vulnerability instances in the Web category, making it the most common
vulnerability category.

The cifs-smb-signing-disabled vulnerability poses the highest risk to the organization with a risk score of 1,706. Risk scores are based
on the types and numbers of vulnerabilities on affected assets.
One operating system was identified during this scan.
There were 7 services found to be running during this scan.

The CIFS, CIFS Name Service, DCE Endpoint Resolution, DCE RPC, HTTP and RDP services were found on 1 system, making them
the most common services. The HTTP service was found to have the most vulnerabilities during this scan with 49 vulnerabilities.


2. Discovered Systems

Node: 172.16.72.212
Operating System: Microsoft Windows Server 2008 R2, Standard Edition SP1
Risk: 20,261
Aliases: STREAMING02


3. Discovered and Potential Vulnerabilities

3.1. Critical Vulnerabilities

3.1.1. Apache HTTPD: mod_http2, DoS attack by exhausting h2 workers. (CVE-2019-9517) (apache-httpd-cve-2019-9517)

Description:

A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the
TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CERT-VN 605641

CVE CVE-2019-9517

DEBIAN DSA-4509

REDHAT RHSA-2019:2893

REDHAT RHSA-2019:2925

REDHAT RHSA-2019:2939

REDHAT RHSA-2019:2946

REDHAT RHSA-2019:2949

REDHAT RHSA-2019:2950

REDHAT RHSA-2019:2955

REDHAT RHSA-2019:3932

REDHAT RHSA-2019:3933

REDHAT RHSA-2019:3935

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:

Apache HTTPD >= 2.4 and < 2.4.41


Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.1.2. Apache HTTPD: mod_session response handling heap overflow (CVE-2021-26691) (apache-httpd-cve-2021-26691)

Description:

Apache HTTP Server versions 2.4.0 to 2.4.46: a specially crafted SessionHeader sent by an origin server could cause a heap overflow.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2021-26691

DEBIAN DSA-4937

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.48
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.48.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.1.3. Apache HTTPD: ap_escape_quotes buffer overflow (CVE-2021-39275) (apache-httpd-cve-2021-39275)

Description:

ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to
these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29

Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29


References:

Source Reference

CVE CVE-2021-39275

DEBIAN DSA-4982

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.49
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.49.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.1.4. Apache HTTPD: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51
and earlier (CVE-2021-44790) (apache-httpd-cve-2021-44790)

Description:

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).
The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache
HTTP Server 2.4.51 and earlier.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2021-44790

DEBIAN DSA-5035

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.52
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.52.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.


3.1.5. Apache HTTPD: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (CVE-2022-22720) (apache-httpd-cve-2022-22720)

Description:

Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered discarding the request body,
exposing the server to HTTP Request Smuggling.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-22720

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.53
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.53.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.1.6. Apache HTTPD: mod_sed: Read/write beyond bounds (CVE-2022-23943) (apache-httpd-cve-2022-23943)

Description:

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly
attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-23943

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.53
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.53.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.1.7. Apache HTTPD: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813) (apache-httpd-cve-2022-31813)

Description:

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection
header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-31813

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.54
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.54.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2. Severe Vulnerabilities

3.2.1. Apache HTTPD: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715) (apache-httpd-cve-2017-15715)

Description:

The expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the
end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by
matching the trailing portion of the filename.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 103525

CVE CVE-2017-15715

DEBIAN DSA-4164

REDHAT RHSA-2018:3558

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.33
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.33.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.2. Apache HTTPD: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312) (apache-httpd-cve-2018-1312)

Description:

When generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a
pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed
across servers by an attacker without detection.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 103524

CVE CVE-2018-1312

DEBIAN DSA-4164

REDHAT RHSA-2018:3558

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

REDHAT RHSA-2019:1898

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.33
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.33.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.3. Apache HTTPD: mod_auth_digest possible stack overflow by one nul byte (CVE-2020-35452) (apache-httpd-cve-2020-35452)

Description:

Apache HTTP Server versions 2.4.0 to 2.4.46: a specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There
is no report of this overflow being exploitable, nor could the Apache HTTP Server team create one, though some particular compiler
and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero
byte) of the overflow.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2020-35452

DEBIAN DSA-4937

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.48
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.48.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.4. Apache HTTPD: mod_proxy SSRF (CVE-2021-40438) (apache-httpd-cve-2021-40438)

Description:

A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue
affects Apache HTTP Server 2.4.48 and earlier.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2021-40438

DEBIAN DSA-4982

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.49
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.49.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.5. Apache HTTPD: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721) (apache-httpd-cve-2022-22721)

Description:

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow
happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-22721

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.53
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.53.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.6. X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch)

Description:

The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate.

Before issuing a certificate, a Certification Authority (CA) must check the identity of the entity requesting the certificate, as specified in
the CA's Certification Practice Statement (CPS). Thus, standard certificate validation procedures require the subject CN field of a
certificate to match the actual name of the entity presenting the certificate. For example, in a certificate presented by
"https://www.example.com/", the CN should be "www.example.com".

In order to detect and prevent active eavesdropping attacks, the validity of a certificate must be verified, or else an attacker could then
launch a man-in-the-middle attack and gain full control of the data stream. Of particular importance is the validity of the subject's CN,
that should match the name of the entity (hostname).

A CN mismatch most often occurs due to a configuration error, though it can also indicate that a man-in-the-middle attack is being
conducted.

Please note that this check may flag a false positive against servers that are properly configured using SNI.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:443 The subject common name found in the X.509 certificate does not seem to match the scan target:
Subject CN *.vnanet.vn does not match target name specified in the site.
Subject CN *.vnanet.vn could not be resolved to an IP address via DNS lookup
Subject Alternative Name *.vnanet.vn does not match target name specified in the site.
Subject Alternative Name vnanet.vn does not match target name specified in the site.


References:
None

Vulnerability Solution:
The subject's common name (CN) field in the X.509 certificate should be fixed to reflect the name of the entity presenting the certificate
(e.g., the hostname). This is done by generating a new certificate usually signed by a Certification Authority (CA) trusted by both the
client and server.

3.2.7. SMB signing disabled (cifs-smb-signing-disabled)

Description:

This system does not allow SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity and helps
prevent man in the middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least secure),
enabled, and required (most secure).

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:139 SMB signing is disabled

172.16.72.212:445 SMB signing is disabled

References:

Source Reference

URL http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this Microsoft article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory


3.2.8. Apache HTTPD: mod_auth_digest access control bypass (CVE-2019-0217) (apache-httpd-cve-2019-0217)

Description:

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could
allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 107668

CVE CVE-2019-0217

DEBIAN DSA-4422

REDHAT RHSA-2019:2343

REDHAT RHSA-2019:3436

REDHAT RHSA-2019:3932

REDHAT RHSA-2019:3933

REDHAT RHSA-2019:3935

REDHAT RHSA-2019:4126

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.39
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.9. Apache HTTPD: mod_http2, read-after-free in h2 connection shutdown (CVE-2019-10082) (apache-httpd-cve-2019-10082)

Description:

Using fuzzed network input, the http/2 session handling could be made to read memory after being freed, during connection shutdown.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2019-10082

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.41
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.10. Apache HTTPD: mod_rewrite potential open redirect (CVE-2019-10098) (apache-httpd-cve-2019-10098)

Description:

Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect
instead to an unexpected URL within the request URL.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2019-10098

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.41

Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz


Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.11. Apache HTTPD: mod_rewrite CWE-601 open redirect (CVE-2020-1927) (apache-httpd-cve-2020-1927)

Description:

In Apache HTTP Server versions 2.4.0 to 2.4.41 some mod_rewrite configurations are vulnerable to open redirect.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2020-1927

DEBIAN DSA-4757

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.42
Download and apply the upgrade from: https://httpd.apache.org/download.cgi#apache24
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.12. Apache HTTPD: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server
2.4.51 and earlier (CVE-2021-44224) (apache-httpd-cve-2021-44224)

Description:

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for
configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket
endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29

Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29


References:

Source Reference

CVE CVE-2021-44224

DEBIAN DSA-5035

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.52
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.52.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.13. Apache HTTPD: Read beyond bounds in ap_strcmp_match() (CVE-2022-28615) (apache-httpd-cve-2022-28615)

Description:

Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when
provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party
modules or lua scripts that use ap_strcmp_match() may hypothetically be affected.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29


Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-28615

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.54
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.54.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.14. SMB signing not required (cifs-smb-signing-not-required)

Description:

This system enables, but does not require SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity
and helps prevent man in the middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least
secure), enabled, and required (most secure).

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:139 Smb signing is: disabled

172.16.72.212:445 Smb signing is: disabled

References:

Source Reference

URL http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this Microsoft article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory

3.2.15. SMB: Service supports deprecated SMBv1 protocol (cifs-smb1-deprecated)

Description:

The SMB1 protocol has been deprecated since 2014 and is considered obsolete and insecure.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:139 SMB1 is deprecated and should not be used

172.16.72.212:445 SMB1 is deprecated and should not be used

References:

Source Reference

URL https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

Vulnerability Solution:
•Samba
Remove/disable SMB1
For Samba systems on Linux, disabling SMB1 is quite straightforward:
How to configure Samba to use SMBv2 and disable SMBv1 on Linux or Unix

•Microsoft Windows
Remove/disable SMB1
For Windows 8.1 and Windows Server 2012 R2, removing SMB1 is trivial. On older OSes it can't be removed but should be disabled.
This article contains system-specific details:
How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

3.2.16. SMBv2 signing not required (cifs-smb2-signing-not-required)

Description:

This system enables, but does not require SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity
and helps prevent man in the middle attacks against SMB. SMB 2.x signing can be configured in one of two ways: not required (least
secure) and required (most secure).

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:445 Running CIFS service
Configuration item smb2-enabled set to 'true' matched


Configuration item smb2-signing set to 'enabled' matched

References:

Source Reference

URL https://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this Microsoft article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory

3.2.17. HTTP TRACE Method Enabled (http-trace-method-enabled)

Description:

The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes.
An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE request and capture the
client's cookies. This effectively results in a Cross-Site Scripting attack.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
HTTP TRACE request to http://172.16.72.212/
1: TRACE / HTTP/1.1
2: Host: 172.16.72.212
3: Cookie: vulnerable=yes

References:

Source Reference

APPLE APPLE-SA-2009-11-09-1

BID 15222

BID 19915

BID 24456

BID 36956

BID 9506

CERT-VN 867593

CVE CVE-2004-2320

CVE CVE-2004-2763

CVE CVE-2005-3398

CVE CVE-2006-4683

CVE CVE-2007-3008

CVE CVE-2008-7253

CVE CVE-2009-2823

CVE CVE-2010-0386

DISA_SEVERITY Category II

DISA_VMSKEY V0011706

IAVM 2005-T-0043

OSVDB 35511

OSVDB 3726

OVAL 1445

URL http://www.apacheweek.com/issues/03-01-24#news

URL http://www.kb.cert.org/vuls/id/867593

XF 14959

XF 34854

Vulnerability Solution:
•Apache HTTPD, Apache Tomcat
Disable HTTP TRACE Method for Apache
Newer versions of Apache (1.3.34 and 2.0.55 and later) provide a configuration directive called TraceEnable. To deny TRACE
requests, add the following line to the server configuration:
TraceEnable off
For older versions of the Apache webserver, use the mod_rewrite module to deny the TRACE requests:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
In Apache Tomcat, HTTP TRACE can be disabled by adding security constraints, as defined by the Java Servlet specification, to the
web.xml configuration file and by setting the attribute allowTrace="False" on the HTTP connector in server.xml. For Spring Boot
embedded Tomcat configuration, please refer here

•IIS, PWS, Microsoft-IIS, Internet Information Services, Internet Information Services, Microsoft-PWS
Disable HTTP TRACE Method for Microsoft IIS
For Microsoft Internet Information Services (IIS), you may use the URLScan tool, freely available at
http://www.microsoft.com/technet/security/tools/urlscan.mspx

•Java System Web Server, SunONE WebServer, Sun-ONE-Web-Server, iPlanet
Disable HTTP TRACE Method for SunONE/iPlanet
•For Sun ONE/iPlanet Web Server v6.0 SP2 and later, add the following configuration to the top of the default object in the 'obj.conf'
file:
<Client method="TRACE">
    AuthTrans fn="set-variable"
    remove-headers="transfer-encoding"
    set-headers="content-length: -1"
    error="501"
</Client>
You must then restart the server for the changes to take effect.
•For Sun ONE/iPlanet Web Server prior to v6.0 SP2, follow the instructions provided in the 'Relief/Workaround' section of Sun's official
advisory: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

•Lotus Domino
Disable HTTP TRACE Method for Domino
Follow IBM's instructions for disabling HTTP methods on the Domino server by adding the following line to the server's NOTES.INI file:
HTTPDisableMethods=TRACE
After saving NOTES.INI, restart the Notes web server by issuing the console command "tell http restart".

3.2.18. Apache HTTPD: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710) (apache-httpd-cve-2017-15710)

Description:

mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to look up the right charset
encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism
is used to truncate it to a two-character value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less
than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case,
quite unlikely, the process would crash, which could be used as a Denial of Service attack. In the more likely case, this memory is
already reserved for future use and the issue has no effect at all.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 103512

CVE CVE-2017-15710

DEBIAN DSA-4164

REDHAT RHSA-2018:3558

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.33
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.33.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.19. Apache HTTPD: Possible out of bound read in mod_cache_socache (CVE-2018-1303) (apache-httpd-cve-2018-1303)

Description:

A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.33 due to an out of bound
read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of
mod_cache_socache.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 103522

CVE CVE-2018-1303

DEBIAN DSA-4164

REDHAT RHSA-2018:3558

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.33
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.33.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.20. Apache HTTPD: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333) (apache-httpd-cve-2018-1333)

Description:

By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion
and a denial of service. This issue only affects servers that have configured and enabled HTTP/2 support, which is not the default.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2018-1333

REDHAT RHSA-2018:3558

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.34
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.34.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.21. Apache HTTPD: DoS for HTTP/2 connections via slow request bodies (CVE-2018-17189) (apache-httpd-cve-2018-17189)

Description:

By sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread
cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 106685

CVE CVE-2018-17189

DEBIAN DSA-4422

REDHAT RHSA-2019:3932

REDHAT RHSA-2019:3933

REDHAT RHSA-2019:3935

REDHAT RHSA-2019:4126

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.38
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.38.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.22. Apache HTTPD: mod_session_cookie does not respect expiry time (CVE-2018-17199) (apache-httpd-cve-2018-17199)

Description:

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This
causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is
decoded.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 106742

CVE CVE-2018-17199

DEBIAN DSA-4422

REDHAT RHSA-2019:3932

REDHAT RHSA-2019:3933

REDHAT RHSA-2019:3935

REDHAT RHSA-2019:4126

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.38
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.38.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.23. Apache HTTPD: mod_http2, read-after-free on a string compare (CVE-2019-0196) (apache-httpd-cve-2019-0196)

Description:

Using fuzzed network input, the HTTP/2 request handling could be made to access freed memory in string comparison when determining
the method of a request and thus process the request incorrectly.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 107669

CVE CVE-2019-0196

DEBIAN DSA-4422

REDHAT RHSA-2019:3932

REDHAT RHSA-2019:3933

REDHAT RHSA-2019:3935

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.39
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.24. Apache HTTPD: Apache httpd URL normalization inconsistency (CVE-2019-0220) (apache-httpd-cve-2019-0220)

Description:

When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and
RewriteRule must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse
them.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 107670

CVE CVE-2019-0220

DEBIAN DSA-4422

REDHAT RHSA-2019:2343

REDHAT RHSA-2019:3436

REDHAT RHSA-2019:4126

REDHAT RHSA-2020:0250

REDHAT RHSA-2020:0251

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.39
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.39.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.25. Apache HTTPD: mod_http2, memory corruption on early pushes (CVE-2019-10081) (apache-httpd-cve-2019-10081)

Description:

HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing
request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2019-10081

DEBIAN DSA-4509

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.41
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.26. Apache HTTPD: mod_proxy_wstunnel tunneling of non Upgraded connections (CVE-2019-17567) (apache-httpd-cve-2019-17567)

Description:

In Apache HTTP Server versions 2.4.6 to 2.4.46, mod_proxy_wstunnel configured on a URL that is not necessarily Upgraded by the
origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass
through with no HTTP validation, authentication or authorization possibly configured.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2019-17567

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.48
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.48.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.27. Apache HTTPD: mod_proxy_ftp use of uninitialized value (CVE-2020-1934) (apache-httpd-cve-2020-1934)

Description:

In Apache HTTP Server versions 2.4.0 to 2.4.41, mod_proxy_ftp can use an uninitialized value when talking to a malicious FTP backend.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2020-1934

DEBIAN DSA-4757

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.42
Download and apply the upgrade from: https://httpd.apache.org/download.cgi#apache24
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.28. Apache HTTPD: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-9490) (apache-httpd-cve-2020-9490)

Description:

In Apache HTTP Server versions 2.4.20 to 2.4.43, a specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result
in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will
mitigate this vulnerability for unpatched servers.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2020-9490

DEBIAN DSA-4757

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.44
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.44.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.29. Apache HTTPD: mod_session NULL pointer dereference (CVE-2021-26690) (apache-httpd-cve-2021-26690)

Description:

In Apache HTTP Server versions 2.4.0 to 2.4.46, a specially crafted Cookie header handled by mod_session can cause a NULL pointer
dereference and crash, leading to a possible Denial of Service.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2021-26690

DEBIAN DSA-4937

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.48
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.48.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.30. Apache HTTPD: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193) (apache-httpd-cve-2021-33193)

Description:

A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or
cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2021-33193

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.49
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.49.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.31. Apache HTTPD: NULL pointer dereference in httpd core (CVE-2021-34798) (apache-httpd-cve-2021-34798)

Description:

Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2021-34798

DEBIAN DSA-4982

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.49
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.49.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.32. Apache HTTPD: mod_lua Use of uninitialized value of in r:parsebody (CVE-2022-22719) (apache-httpd-cve-2022-22719)

Description:

A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects
Apache HTTP Server 2.4.52 and earlier.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-22719

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.53
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.53.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.33. Apache HTTPD: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377) (apache-httpd-cve-2022-26377)

Description:

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4
version 2.4.53 and prior versions.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-26377

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.54
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.54.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.34. Apache HTTPD: read beyond bounds in mod_isapi (CVE-2022-28330) (apache-httpd-cve-2022-28330)

Description:

Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when configured to process requests with the
mod_isapi module.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29


References:

Source Reference

CVE CVE-2022-28330

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.54
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.54.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.35. Apache HTTPD: read beyond bounds via ap_rwrite() (CVE-2022-28614) (apache-httpd-cve-2022-28614)

Description:

The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to
reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function. Modules compiled and distributed
separately from Apache HTTP Server that use the "ap_rputs" function and may pass it a very large (INT_MAX or larger) string must be
compiled against current headers to resolve the issue.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-28614

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.54
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.54.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.36. Apache HTTPD: Denial of service in mod_lua r:parsebody (CVE-2022-29404) (apache-httpd-cve-2022-29404)

Description:

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service
due to no default limit on possible input size.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-29404

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.54
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.54.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.37. Apache HTTPD: Information Disclosure in mod_lua with websockets (CVE-2022-30556) (apache-httpd-cve-2022-30556)

Description:

Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past the end of the storage
allocated for the buffer.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2022-30556

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.54
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.54.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.38. Apache Server mod_info is Publicly Accessible (http-apache-0008)

Description:

The web server publicly offers a report on its configuration to anyone who requests it, revealing sensitive details that give a potential
attacker important information about how to attack the web server.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
HTTP GET request to http://172.16.72.212/server-info?mod_info.c
HTTP response code was an expected 200
3: <html xmlns="http://www.w3.org/1999/xhtml">
4: <head>
5: <title>Server Information</title>
6: </head>
7: ...lign: center">Apache Server Information</h1>

References:
None

Vulnerability Solution:
The configuration file for Apache (httpd.conf) reads:
<Location /server-info>
    SetHandler server-info
</Location>
To remove the feature from Apache, rewrite this to:
# comment everything out
#<Location /server-info>
# SetHandler server-info
#</Location>
To keep the feature but add access control, rewrite it to:
# add access control
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
Once these changes have been made, the Apache server needs to be restarted.

3.2.39. Apache HTTPD: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763) (apache-httpd-cve-2018-11763)

Description:

By sending continuous SETTINGS frames of maximum size an ongoing HTTP/2 connection could be kept busy and would never time
out. This can be abused for a DoS on the server. This only affects a server that has enabled the h2 protocol.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 105414

CVE CVE-2018-11763

REDHAT RHSA-2018:3558

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.35
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.35.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.40. Apache HTTPD: Tampering of mod_session data for CGI applications (CVE-2018-1283) (apache-httpd-cve-2018-1283)

Description:

When mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may
influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to
forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI
specifications. The severity is set to Moderate because "SessionEnv on" is not a default nor common configuration; it should be
considered more severe when this is the case, though, because of the possible remote exploitation.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 103520

CVE CVE-2018-1283

DEBIAN DSA-4164

REDHAT RHSA-2018:3558

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.33
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.33.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.41. Apache HTTPD: Possible out of bound access after failure in reading the HTTP request (CVE-2018-1301) (apache-httpd-cve-2018-1301)

Description:

A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.33, due to an out of bound access after a
size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug
mode (both log and build level), so it is classified as low risk for common server usage.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:


Source Reference

BID 103515

CVE CVE-2018-1301

DEBIAN DSA-4164

REDHAT RHSA-2018:3558

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.33
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.33.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.42. Apache HTTPD: Possible write of after free on HTTP/2 stream shutdown (CVE-2018-1302) (apache-httpd-cve-2018-1302)

Description:

When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.33 could have written a
NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger
in usual configurations; the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

BID 103528

CVE CVE-2018-1302

REDHAT RHSA-2019:0366

REDHAT RHSA-2019:0367

URL http://httpd.apache.org/security/vulnerabilities_24.html


Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.33
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.33.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.43. Apache HTTPD: Limited cross-site scripting in mod_proxy error page (CVE-2019-10092) (apache-httpd-cve-2019-10092)

Description:

A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page
to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying
enabled but was misconfigured in such a way that the Proxy Error page was displayed. We have taken this opportunity to also remove
request data from many other in-built error messages. Note however this issue did not affect them directly and their output was already
escaped to prevent cross-site scripting attacks.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2019-10092

DEBIAN DSA-4509

REDHAT RHSA-2019:4126

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.41
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.41.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.44. Apache HTTPD: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-11993) (apache-httpd-cve-2020-11993)

Description:


Apache HTTP Server versions 2.4.20 to 2.4.43: when trace/debug was enabled for the HTTP/2 module and on certain traffic edge
patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel
of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2020-11993

DEBIAN DSA-4757

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.44
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.44.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.45. Apache Server mod_status is Publicly Accessible (http-apache-0009)

Description:

The web server publicly offers a report on its current state to anyone who requests it, revealing details that could give a potential
attacker information about how to attack the web server.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
HTTP GET request to http://172.16.72.212/server-status?auto
HTTP response code was an expected 200
18: BytesPerSec: .0270544
19: BytesPerReq: 392.533
20: BusyWorkers: 8
21: IdleWorkers: 242
22: Scoreboard:
__________________________________________________________...


References:
None

Vulnerability Solution:
The configuration file for Apache (httpd.conf) reads:
<Location /server-status>
    SetHandler server-status
</Location>
To remove the feature from Apache, rewrite this to:
# comment everything out
#<Location /server-status>
#    SetHandler server-status
#</Location>
To keep the feature while adding access control, rewrite this to:
# add access control
# (Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 accepts it only when mod_access_compat is loaded)
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
Once these changes have been made, the Apache server needs to be restarted.

3.3. Moderate Vulnerabilities

3.3.1. HTTP OPTIONS Method Enabled (http-options-method-enabled)

Description:

Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing
attackers to narrow and intensify their efforts.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 OPTIONS method returned values including itself

References:

Source Reference

URL https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)


Vulnerability Solution:
•Disable HTTP OPTIONS method
Disable HTTP OPTIONS method on your web server. Refer to your web server's instruction manual on how to do this.


•Apache HTTPD
Disable HTTP OPTIONS Method for Apache
Disable the OPTIONS method by including the following in the Apache configuration:

<Limit OPTIONS>
Order deny,allow
Deny from all
</Limit>

•Microsoft IIS
Disable HTTP OPTIONS Method for IIS
Disable the OPTIONS method by doing the following in the IIS manager
1. Select relevant site
2. Select Request filtering and change to HTTP verb tab
3. Select Deny Verb from the actions pane
4. Type OPTIONS into the provided text box and press OK

•nginx nginx
Disable HTTP OPTIONS Method for nginx
Disable the OPTIONS method by adding the following line to a location block within your server block (nginx accepts limit_except
only in location context). You can add other HTTP methods to be allowed after POST:
limit_except GET POST { deny all; }

3.3.2. Apache HTTPD: Improper Handling of Insufficient Privileges (CVE-2020-13938) (apache-httpd-cve-2020-13938)

Description:

Apache HTTPD: Improper Handling of Insufficient Privileges (CVE-2020-13938)

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:80 Vulnerable OS: Microsoft Windows Server 2008 R2, Standard Edition SP1
Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.4.29
Vulnerable version of product HTTPD found -- Apache HTTPD 2.4.29

References:

Source Reference

CVE CVE-2020-13938

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
Apache HTTPD >= 2.4 and < 2.4.48
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.48.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.3.3. ICMP timestamp response (generic-icmp-timestamp)

Description:

The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time.
This information could theoretically be used against some systems to exploit weak time-based random number generators in other
services.

In addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP
timestamp requests.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212 Able to determine remote system time.

References:

Source Reference

CVE CVE-1999-0524

OSVDB 95

XF 306

XF 322

Vulnerability Solution:
•HP-UX
Disable ICMP timestamp responses on HP/UX
Execute the following command:
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Cisco IOS
Disable ICMP timestamp responses on Cisco IOS
Use ACLs to block ICMP types 13 and 14. For example:
deny icmp any any 13
deny icmp any any 14
Note that it is generally preferable to use ACLs that block everything by default and then selectively allow certain types of traffic in. For
example, block everything and then only allow ICMP unreachable, ICMP echo reply, ICMP time exceeded, and ICMP source quench:
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any source-quench
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•SGI Irix
Disable ICMP timestamp responses on SGI Irix
IRIX does not offer a way to disable ICMP timestamp responses. Therefore, you should block ICMP on the affected host using ipfilterd,
and/or block it at any external firewalls.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Linux
Disable ICMP timestamp responses on Linux
Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to disable ICMP timestamp responses. Therefore, you should block ICMP
on the affected host using iptables, and/or block it at the firewall. For example:
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,
Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
Disable ICMP timestamp responses on Windows NT 4
Windows NT 4 does not provide a way to block ICMP packets. Therefore, you should block them at the firewall.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).


•OpenBSD
Disable ICMP timestamp responses on OpenBSD
Set the "net.inet.icmp.tstamprepl" sysctl variable to 0.
sysctl -w net.inet.icmp.tstamprepl=0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Cisco PIX
Disable ICMP timestamp responses on Cisco PIX
A properly configured PIX firewall should never respond to ICMP packets on its external interface. In PIX Software versions 4.1(6) until
5.2.1, ICMP traffic to the PIX's internal interface is permitted; the PIX cannot be configured to NOT respond. Beginning in PIX Software
version 5.2.1, ICMP is still permitted on the internal interface by default, but ICMP responses from its internal interfaces can be
disabled with the icmp command, as follows, where <inside> is the name of the internal interface:
icmp deny any 13 <inside>
icmp deny any 14 <inside>
Don't forget to save the configuration when you are finished.
See Cisco's support document Handling ICMP Pings with the PIX Firewall for more information.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Sun Solaris
Disable ICMP timestamp responses on Solaris
Execute the following commands:
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced
Server, Microsoft Windows 2000 Datacenter Server
Disable ICMP timestamp responses on Windows 2000
Use the IPSec filter feature to define and apply an IP filter list that blocks ICMP types 13 and 14. Note that the standard TCP/IP
blocking capability under the "Networking and Dialup Connections" control panel is NOT capable of blocking ICMP (only TCP and
UDP). The IPSec filter features, while they may seem strictly related to the IPSec standards, will allow you to selectively block these
ICMP packets. See http://support.microsoft.com/kb/313190 for more information.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft
Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003,
Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003
Disable ICMP timestamp responses on Windows XP/2K3


ICMP timestamp responses can be disabled by deselecting the "allow incoming timestamp request" option in the ICMP configuration
panel of Windows Firewall.
1. Go to the Network Connections control panel.
2. Right click on the network adapter and select "properties", or select the internet adapter and select File->Properties.
3. Select the "Advanced" tab.
4. In the Windows Firewall box, select "Settings".
5. Select the "General" tab.
6. Enable the firewall by selecting the "on (recommended)" option.
7. Select the "Advanced" tab.
8. In the ICMP box, select "Settings".
9. Deselect (uncheck) the "Allow incoming timestamp request" option.
10. Select "OK" to exit the ICMP Settings dialog and save the settings.
11. Select "OK" to exit the Windows Firewall dialog and save the settings.
12. Select "OK" to exit the internet adapter dialog.
For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true

•Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft
Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition,
Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition,
Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition,
Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008
Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows
Essential Business Server 2008
Disable ICMP timestamp responses on Windows Vista/2008
ICMP timestamp responses can be disabled via the netsh command line utility.
1. Go to the Windows Control Panel.
2. Select "Windows Firewall".
3. In the Windows Firewall box, select "Change Settings".
4. Enable the firewall by selecting the "on (recommended)" option.
5. Open a Command Prompt.
6. Enter "netsh firewall set icmpsetting 13 disable"
For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true

•Disable ICMP timestamp responses


Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective
solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14
(timestamp response).


3.3.4. TCP timestamp response (generic-tcp-timestamp)

Description:

The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's
uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their
TCP timestamps.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212 Able to determine system boot time.

References:

Source Reference

URL http://uptime.netcraft.com

URL http://www.forensicswiki.org/wiki/TCP_timestamps

URL http://www.ietf.org/rfc/rfc1323.txt

Vulnerability Solution:
•Cisco
Disable TCP timestamp responses on Cisco
Run the following command to disable TCP timestamps:

no ip tcp timestamp

•FreeBSD
Disable TCP timestamp responses on FreeBSD
Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

sysctl -w net.inet.tcp.rfc1323=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.inet.tcp.rfc1323=0

•Linux
Disable TCP timestamp responses on Linux
Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:

sysctl -w net.ipv4.tcp_timestamps=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.ipv4.tcp_timestamps=0

•OpenBSD
Disable TCP timestamp responses on OpenBSD
Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

sysctl -w net.inet.tcp.rfc1323=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.inet.tcp.rfc1323=0

•Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,
Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition, Microsoft Windows 95,
Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows ME, Microsoft Windows 2000, Microsoft Windows 2000
Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter
Server, Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows XP Tablet PC
Edition, Microsoft Windows CE, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft
Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web
Edition, Microsoft Windows Small Business Server 2003, Microsoft Windows Server 2003 R2, Microsoft Windows Server 2003 R2,
Standard Edition, Microsoft Windows Server 2003 R2, Enterprise Edition, Microsoft Windows Server 2003 R2, Datacenter Edition,
Microsoft Windows Server 2003 R2, Web Edition, Microsoft Windows Small Business Server 2003 R2, Microsoft Windows Server 2003
R2, Express Edition, Microsoft Windows Server 2003 R2, Workgroup Edition
Disable TCP timestamp responses on Windows versions before Vista
Set the Tcp1323Opts value in the following key to 1:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

•Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition,
Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008
Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows
Essential Business Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008 R2, Standard Edition, Microsoft
Windows Server 2008 R2, Enterprise Edition, Microsoft Windows Server 2008 R2, Datacenter Edition, Microsoft Windows Server 2008
R2, Web Edition, Microsoft Windows Server 2012, Microsoft Windows Server 2012 Standard Edition, Microsoft Windows Server 2012
Foundation Edition, Microsoft Windows Server 2012 Essentials Edition, Microsoft Windows Server 2012 Datacenter Edition, Microsoft
Windows Storage Server 2012, Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista
Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft
Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft
Windows Vista Starter Edition, Microsoft Windows 7, Microsoft Windows 7 Home, Basic Edition, Microsoft Windows 7 Home, Basic N
Edition, Microsoft Windows 7 Home, Premium Edition, Microsoft Windows 7 Home, Premium N Edition, Microsoft Windows 7 Ultimate
Edition, Microsoft Windows 7 Ultimate N Edition, Microsoft Windows 7 Enterprise Edition, Microsoft Windows 7 Enterprise N Edition,
Microsoft Windows 7 Professional Edition, Microsoft Windows 7 Starter Edition, Microsoft Windows 7 Starter N Edition, Microsoft
Windows 8, Microsoft Windows 8 Enterprise Edition, Microsoft Windows 8 Professional Edition, Microsoft Windows 8 RT, Microsoft
Windows Longhorn Server Beta
Disable TCP timestamp responses on Windows versions since Vista
TCP timestamps cannot be reliably disabled on this OS. If TCP timestamps present enough of a risk, put a firewall capable of blocking
TCP timestamp packets in front of the affected assets.

3.3.5. NetBIOS NBSTAT Traffic Amplification (netbios-nbstat-amplification)

Description:

A NetBIOS NBSTAT query will obtain the status from a NetBIOS-speaking endpoint, which will include any names that the endpoint is
known to respond to as well as the device's MAC address for that endpoint. A NBSTAT response is roughly 3x the size of the request,
and because NetBIOS utilizes UDP, this can be used to conduct traffic amplification attacks against other assets, typically in the form of
distributed reflected denial of service (DRDoS) attacks.

Affected Nodes:

Affected Nodes: Additional Information:

172.16.72.212:137 Running CIFS Name Service service
Configuration item advertised-name-count set to '3' matched

References:

Source Reference

CERT TA14-017A

Vulnerability Solution:
NetBIOS can be important to the proper functioning of a Windows network depending on the design. Restrict access to the NetBIOS
service to only trusted assets.


4. Discovered Services

4.1. <unknown>

4.1.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

172.16.72.212 tcp 443 1
•ssl: true
•ssl.cert.chainerror: [Path does not chain with any of the trust anchors]
•ssl.cert.issuer.dn: CN=RapidSSL SHA256 CA - G3, O=GeoTrust Inc., C=US
•ssl.cert.key.alg.name: RSA
•ssl.cert.key.rsa.modulusBits: 2048
•ssl.cert.not.valid.after: Thu, 10 May 2018 17:46:26 ICT
•ssl.cert.not.valid.before: Mon, 09 Mar 2015 23:23:11 ICT
•ssl.cert.selfsigned: false
•ssl.cert.serial.number: 189180
•ssl.cert.sha1.fingerprint: 6b3b45267f778bc79dea48305ee24afffc011629
•ssl.cert.sig.alg.name: SHA256withRSA
•ssl.cert.subject.alt.name-1: *.vnanet.vn
•ssl.cert.subject.alt.name-2: vnanet.vn
•ssl.cert.subject.alt.name-count: 2
•ssl.cert.subject.dn: CN=*.vnanet.vn, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)15, OU=GT00738243
•ssl.cert.validchain: false
•ssl.cert.version: 3
•ssl.dh.generator.1024: 2
•ssl.dh.prime.1024:
•ssl.protocols: tlsv1_0,tlsv1_1,tlsv1_2
•sslv3: false
•tlsv1_0: true
•tlsv1_0.TLS_DHE_RSA_WITH_AES_128_CBC_SHA.dh.keysize: 1024
•tlsv1_0.TLS_DHE_RSA_WITH_AES_256_CBC_SHA.dh.keysize: 1024
•tlsv1_0.ciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
•tlsv1_0.extensions: RENEGOTIATION_INFO,EC_POINT_FORMATS
•tlsv1_1: true
•tlsv1_1.TLS_DHE_RSA_WITH_AES_128_CBC_SHA.dh.keysize: 1024
•tlsv1_1.TLS_DHE_RSA_WITH_AES_256_CBC_SHA.dh.keysize: 1024
•tlsv1_1.ciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
•tlsv1_1.extensions: RENEGOTIATION_INFO,EC_POINT_FORMATS
•tlsv1_2: true
•tlsv1_2.TLS_DHE_RSA_WITH_AES_128_CBC_SHA.dh.keysize: 1024
•tlsv1_2.TLS_DHE_RSA_WITH_AES_256_CBC_SHA.dh.keysize: 1024
•tlsv1_2.ciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
•tlsv1_2.extensions: RENEGOTIATION_INFO,EC_POINT_FORMATS
•tlsv1_3: false

4.2. CIFS
CIFS, the Common Internet File System, was defined by Microsoft to provide file sharing services over the Internet. CIFS extends the
Server Message Block (SMB) protocol designed by IBM and enhanced by Intel and Microsoft. CIFS provides mechanisms for sharing
resources (files, printers, etc.) and executing remote procedure calls over named pipes.

4.2.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

172.16.72.212 tcp 139 2
•Windows Server 2008 R2 Standard 6.1
•domain: STREAMING02
•password-mode: encrypt
•security-mode: user
•smb-signing: disabled
•smb1-enabled: true

172.16.72.212 tcp 445 2
•Windows Server 2008 R2 Standard 6.1
•domain: STREAMING02
•password-mode: encrypt
•security-mode: user
•smb-signing: disabled
•smb1-enabled: true
•smb2-enabled: true
•smb2-signing: enabled

4.3. CIFS Name Service


CIFS, the Common Internet File System, was defined by Microsoft to provide file sharing services over the Internet. CIFS extends the
Server Message Block (SMB) protocol designed by IBM and enhanced by Intel and Microsoft. CIFS provides mechanisms for sharing
resources (files, printers, etc.) and executing remote procedure calls over named pipes. This service is used to handle CIFS browsing
(name) requests. Responses contain the names and types of services that can be accessed via CIFS named pipes.

4.3.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

172.16.72.212 udp 137 1
•advertised-name-1: STREAMING02 (Computer Name)
•advertised-name-2: WORKGROUP (Domain Name)
•advertised-name-3: STREAMING02 (File Server Service)
•advertised-name-count: 3
•mac-address: 005056BD2A1E

4.4. DCE Endpoint Resolution


The DCE Endpoint Resolution service, aka Endpoint Mapper, is used on Microsoft Windows systems by Remote Procedure Call (RPC)
clients to determine the appropriate port number to connect to for a particular RPC service. This is similar to the portmapper service
used on Unix systems.

4.4.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

172.16.72.212 tcp 135 0

4.5. DCE RPC

4.5.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

172.16.72.212 tcp 49152 0
•interface-uuid: D95AFE70-A6D5-4259-822E-2C84DA1DDB0D
•interface-version: 1
•name: D95AFE70-A6D5-4259-822E-2C84DA1DDB0D
•object-interface-uuid: 765294BA-60BC-48B8-92E9-89FD77769D91
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:172.16.72.212[49152]

4.6. HTTP
HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files
commonly used with HTTP include text, sound, images and video.

4.6.1. General Security Issues

Simple authentication scheme


Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses base 64 to
encode the cleartext user id and password. If a malicious user is in a position to monitor HTTP traffic, user ids and passwords can be
stolen by decoding the base 64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS/SSL)
connections to transmit the authentication data.

4.6.2. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

172.16.72.212 tcp 80 7
•Apache HTTPD 2.4.29
•http.banner: Apache/2.4.29 (Win64)
•http.banner.server: Apache/2.4.29 (Win64)
•verbs-1: GET
•verbs-2: HEAD
•verbs-3: OPTIONS
•verbs-4: POST
•verbs-5: TRACE
•verbs-count: 5

4.7. RDP

4.7.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

172.16.72.212 tcp 3389 0
•Microsoft Terminal Service
•ssl: true
•ssl.protocols: tlsv1_0
•sslv3: false
•tlsv1_0: true
•tlsv1_0.ciphers: TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5
•tlsv1_0.extensions: RENEGOTIATION_INFO
•tlsv1_1: false
•tlsv1_2: false
•tlsv1_3: false


5. Discovered Users and Groups


No user or group information was discovered during the scan.


6. Discovered Databases
No database information was discovered during the scan.


7. Discovered Files and Directories


No file or directory information was discovered during the scan.


8. Policy Evaluations
No policy evaluations were performed.


9. Spidered Web Sites

9.1. http://172.16.72.212:80

9.1.1. Common Default URLs


The following URLs were guessed. They are often included with default web server or web server add-on installations.

Access Error (403)


•cgi-bin
•error
•icons

9.1.2. Guessed URLs


The following URLs were guessed using various tricks based on the discovered web site content.

Access Error (403)


•"<script>TestScriptValueHere<
•script>"
•<script>xss<
•script>.asp
•script>.asp
•script>
•script>.aspx
•script>.aspx
•script>
•script>.jsp
•script>.php
•script>.php
•script>
•script>.py
•script>.rb
•script>.shtml
•script>.shtml
•script>

9.1.3. Linked URLs


The following URLs were found as links in the content of other web pages.

Access Error (403)
