Nexpose Audit Report


Audit Report

Metasploitable

Audited on May 2, 2015

Reported on May 3, 2015



1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of
your network. Access to this information by unauthorized personnel may allow them to compromise your network.

Site Name | Start Time | End Time | Total Time | Status
Metasploitable | May 02, 2015 23:35, ADT | May 03, 2015 00:11, ADT | 35 minutes | Success
There is not enough historical data to display risk trend.
The audit was performed on one system which was found to be active and was scanned.

There were 343 vulnerabilities found during this scan. Of these, 93 were critical vulnerabilities. Critical vulnerabilities require immediate
attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 222
vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.
There were 28 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting
subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

There were 2 occurrences of the dns-bind-libbind-off-by-one-vuln, dns-bind-cve-2012-1667, dns-bind-obsolete,
cifs-samba-afs-filesystem-acl-mapping-bof, dns-bind-cve-2012-4244, cifs-samba-file-renaming-dos, cifs-smb-signing-disabled,
cifs-smb-signing-not-required, dns-bind-cve-2010-3614 and cifs-samba-connection-flooding-dos vulnerabilities, making them the most
common vulnerabilities. There were 151 vulnerabilities in the Canonical and Ubuntu Linux categories, making them the most common
vulnerability categories.


The dns-bind-libbind-off-by-one-vuln vulnerability poses the highest risk to the organization with a risk score of 1,700. Risk scores are
based on the types and numbers of vulnerabilities on affected assets.
One operating system was identified during this scan.
There were 25 services found to be running during this scan.

The CIFS, CIFS Name Service, DNS, FTP, FTPS, HTTP, MySQL and NFS services were found on 1 system, making them the most
common services. The HTTP service was found to have the most vulnerabilities during this scan with 92 vulnerabilities.


2. Discovered Systems

Node | Operating System | Risk | Aliases
192.168.0.102 | Ubuntu Linux 8.04 | 150,684 | METASPLOITABLE


3. Discovered and Potential Vulnerabilities

3.1. Critical Vulnerabilities

3.1.1. Tomcat Application Manager Tomcat Tomcat Password Vulnerability (apache-tomcat-default-password)

Description:

HP Operations Manager 8.10 on Windows contains a "hidden account" in the XML file that specifies Tomcat users, which allows remote
attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the
org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:8180 Running HTTP service
Product Tomcat exists -- Apache Tomcat
Based on the following 2 results:

HTTP GET request to http://192.168.0.102:8180/manager/html
HTTP response code was an expected 401

HTTP GET request to http://192.168.0.102:8180/manager/html
HTTP response code was an expected 200
82: <img border="0" alt="The Apache Software Foundation" align="left"
83: src="/manager/images/asf-logo.gif">
84: </a>
85: <a href="http://tomcat.apache.org/">
82: ...="0" alt="The Tomcat Servlet/JSP Container"

References:

Source Reference

BID 38084

CVE CVE-2009-3843

CVE CVE-2010-0557

OSVDB 60317

OSVDB 62118

XF 54361

Vulnerability Solution:


The Tomcat service has an administrator account set to a default configuration. This can be easily changed in conf/tomcat-users.xml.

3.1.2. ISC BIND: inet_network() off-by-one buffer overflow (CVE-2008-0122) (dns-bind-libbind-off-by-one-vuln)

Description:

Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through
7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via
crafted input that triggers memory corruption.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

BID 27283

CERT-VN 203611

CVE CVE-2008-0122

OVAL OVAL10190

REDHAT RHSA-2008:0300

URL https://kb.isc.org/article/AA-00923/0

URL https://kb.isc.org/article/AA-00923/187/CVE-2008-0122%3A-Buffer-overflow-in-inet_network.html

XF 39670

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.1.3. CVE-2014-6271 bash: specially-crafted environment variables can be used to inject shell commands (gnu-bash-cve-2014-6271)

Description:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote
attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in
OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and
other situations in which setting the environment occurs across a privilege boundary from Bash execution.


Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Execute command: env x='() { :;}; echo CVE-2014-6271' bash -c exit
Standard output matched:
1: CVE-2014-6271

References:

Source Reference

CVE CVE-2014-6271

URL https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Vulnerability Solution:
Use your operating system's package manager to upgrade GNU bash to the latest version.

3.1.4. CVE-2014-6278 bash: code execution via specially crafted environment variables (gnu-bash-cve-2014-6278)

Description:

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows
remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand
feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP
clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Execute command: x='() { echo Vulnerable; }' bash -c x
Standard output matched:
1: Vulnerable

References:

Source Reference

CVE CVE-2014-6278

Vulnerability Solution:
Use your operating system's package manager to upgrade GNU bash to the latest version.

3.1.5. CVE-2014-7169 bash: specially-crafted environment variables can be used to inject shell commands (gnu-bash-cve-2014-7169)


Description:

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment
variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as
demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache
HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a
privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Execute command: env x='() { (a)=>\' bash -c "shellsh0ck echo CVE-2014-7169"; cat shellsh0ck; rm shellsh0ck
Standard output matched:
4: bash: x: line 1: syntax error near unexpected token `='
5: bash: x: line 1: `'
6: bash: error importing function definition for `x'
4: CVE-2014-7169

References:

Source Reference

CVE CVE-2014-7169

Vulnerability Solution:
Use your operating system's package manager to upgrade GNU bash to the latest version.

3.1.6. CVE-2014-7186 bash: parser can allow out-of-bounds memory access while handling redir_stack (gnu-bash-cve-2014-7186)

Description:

The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service
(out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka
the "redir_stack" issue.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Execute command: bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo CVE-2014-7186
Standard output matched:
3: bash: [4990: 3] tcsetattr: Invalid argument
4: Segmentation fault
3: CVE-2014-7186

References:

Source Reference

CVE CVE-2014-7186

Vulnerability Solution:
Use your operating system's package manager to upgrade GNU bash to the latest version.

3.1.7. PHP Multiple Vulnerabilities Fixed in version 5.2.12 (http-php-multiple-vulns-5-2-12)

Description:

PHP before 5.2.12 does not properly handle session data, which has unspecified impact and attack vectors related to (1) interrupt
corruption of the SESSION superglobal array and (2) the session.save_path directive.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2010-03-29-1

BID 37389

BID 37390

CVE CVE-2009-3557

CVE CVE-2009-3558

CVE CVE-2009-4017

CVE CVE-2009-4142

CVE CVE-2009-4143

DEBIAN DSA-1940

DEBIAN DSA-2001

OVAL OVAL10005

OVAL OVAL10483

OVAL OVAL6667

OVAL OVAL7085


OVAL OVAL7396

OVAL OVAL7439

URL http://www.php.net/ChangeLog-5.php#5.2.12

URL http://www.php.net/releases/5_2_12.php

XF 54455

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.12.tar.gz

3.1.8. PHP Multiple Vulnerabilities Fixed in version 5.2.8 (http-php-multiple-vulns-5-2-8)

Description:

Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows
context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled
during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4)
mb_parse_str functions.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2008-10-09

APPLE APPLE-SA-2009-05-12

BID 30087

BID 31681

BID 32383

BID 32625

BID 32673

BID 32688

BID 32948

CERT TA09-133A

CVE CVE-2008-2371

CVE CVE-2008-5557


CVE CVE-2008-5624

CVE CVE-2008-5625

CVE CVE-2008-5658

CVE CVE-2008-5844

DEBIAN DSA-1602

DEBIAN DSA-1789

OSVDB 50480

OSVDB 50483

OSVDB 52205

OSVDB 52207

OVAL OVAL10286

REDHAT RHSA-2009:0350

URL http://bugs.php.net/bug.php?id=42718

URL http://bugs.php.net/bug.php?id=45722

URL http://www.php.net/ChangeLog-5.php#5.2.8

XF 47079

XF 47314

XF 47318

XF 47525

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.8.tar.gz

3.1.9. MySQL Obsolete Version (mysql-obsolete-version)

Description:

An obsolete version of the MySQL database server is running. Oracle classifies the support lifecycle for its MySQL product versions
into Premier Support, Extended Support and Sustain Support. Extended and Premier support for 5.1 ended on December 31st, 2013.
Note: When the support period ends for a MySQL product, no further patches will be provided even for serious security problems.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a


References:

Source Reference

URL http://www.mysql.com/company/legal/lifecycle/

URL http://www.mysql.com/support/eol-notice.html

Vulnerability Solution:
Download and apply the upgrade from: http://dev.mysql.com/downloads/mysql

3.1.10. PHP Vulnerability: CVE-2011-3268 (php-cve-2011-3268)

Description:

Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long
salt argument, a different vulnerability than CVE-2011-2483.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2012-02-01-1

BID 49241

CVE CVE-2011-3268

OSVDB 74738

XF 69427

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.1.11. PHP Vulnerability: CVE-2012-2688 (php-cve-2012-2688)

Description:

Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5
has unknown impact and remote attack vectors, related to an "overflow."

Affected Nodes:


Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

CVE CVE-2012-2688

DEBIAN DSA-2527

REDHAT RHSA-2013:1307

Vulnerability Solution:
•Upgrade to PHP version 5.3.15
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.5
Download and apply the upgrade from: http://www.php.net/releases/

3.1.12. Shell Backdoor Service (shell-backdoor)

Description:

A non-standard service was found that provides a means to establish local shell access on the host over the network.

Note: The presence of a "backdoor" is a serious security concern. It indicates a high probability that this asset has been compromised
and is at risk of being leveraged by malicious users.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:1524 Running Shell Backdoor service

References:
None

Vulnerability Solution:
Determine the mechanism used to create the backdoor and safely disable or remove it.

3.1.13. Obsolete Version of Ubuntu (ubuntu-obsolete-version)

Description:

This release has passed its End of Life. There may be unpatched security vulnerabilities. Please check with
https://wiki.ubuntu.com/Releases for supported versions.


Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

References:
None

Vulnerability Solution:
Upgrade to a supported version of Ubuntu Linux

3.1.14. USN-1403-1: FreeType vulnerabilities (ubuntu-usn-1403-1)

Description:

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of
service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libfreetype6 2.3.5-1ubuntu4.8.04.2

References:

Source Reference

APPLE APPLE-SA-2012-09-19-1

CVE CVE-2012-1126

CVE CVE-2012-1127

CVE CVE-2012-1128

CVE CVE-2012-1129

CVE CVE-2012-1130

CVE CVE-2012-1131

CVE CVE-2012-1132

CVE CVE-2012-1133

CVE CVE-2012-1134

CVE CVE-2012-1135


CVE CVE-2012-1136

CVE CVE-2012-1137

CVE CVE-2012-1138

CVE CVE-2012-1139

CVE CVE-2012-1140

CVE CVE-2012-1141

CVE CVE-2012-1142

CVE CVE-2012-1143

CVE CVE-2012-1144

DEBIAN DSA-2428

REDHAT RHSA-2012:0467

USN USN-1403-1

Vulnerability Solution:
•libfreetype6 on Ubuntu Linux 10.04
Upgrade libfreetype6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 10.10
Upgrade libfreetype6 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 11.04
Upgrade libfreetype6 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 11.10
Upgrade libfreetype6 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 8.04
Upgrade libfreetype6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version

3.1.15. USN-1423-1: Samba vulnerability (ubuntu-usn-1423-1)

Description:

The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an
array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code
via a crafted RPC call.


Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu samba 3.0.20-0.1ubuntu1

References:

Source Reference

APPLE APPLE-SA-2012-05-09-1

CVE CVE-2012-1182

USN USN-1423-1

Vulnerability Solution:
•samba on Ubuntu Linux 10.04
Upgrade samba for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 11.04
Upgrade samba for Ubuntu 11.04
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 11.10
Upgrade samba for Ubuntu 11.10
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 8.04
Upgrade samba for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version

3.1.16. USN-613-1: GnuTLS vulnerabilities (ubuntu-usn-613-1)

Description:

The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not
properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote
attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which
leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libgnutls13 2.0.4-1ubuntu2


References:

Source Reference

BID 29292

CERT-VN 111034

CERT-VN 252626

CERT-VN 659209

CVE CVE-2008-1948

CVE CVE-2008-1949

CVE CVE-2008-1950

DEBIAN DSA-1581

OVAL OVAL10935

OVAL OVAL11393

OVAL OVAL9519

REDHAT RHSA-2008:0489

REDHAT RHSA-2008:0492

SUSE SUSE-SA:2008:046

USN USN-613-1

XF 42530

XF 42532

XF 42533

Vulnerability Solution:
•libgnutls13 on Ubuntu Linux 7.04
Upgrade libgnutls13 for Ubuntu 7.04
Use `apt-get upgrade` to upgrade libgnutls13 to the latest version
•libgnutls13 on Ubuntu Linux 7.10
Upgrade libgnutls13 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libgnutls13 to the latest version
•libgnutls13 on Ubuntu Linux 8.04
Upgrade libgnutls13 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libgnutls13 to the latest version

3.1.17. USN-644-1: libxml2 vulnerabilities (ubuntu-usn-644-1)

Description:

Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent
attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.


Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2009-05-12

APPLE APPLE-SA-2009-06-08-1

APPLE APPLE-SA-2009-06-17-1

BID 30783

BID 31126

CERT TA09-133A

CVE CVE-2008-3281

CVE CVE-2008-3529

DEBIAN DSA-1631

DEBIAN DSA-1654

OVAL OVAL11760

OVAL OVAL6103

OVAL OVAL6496

OVAL OVAL9812

REDHAT RHSA-2008:0836

REDHAT RHSA-2008:0884

REDHAT RHSA-2008:0886

USN USN-644-1

XF 45085

Vulnerability Solution:
•libxml2 on Ubuntu Linux 7.04
Upgrade libxml2 for Ubuntu 7.04
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 7.10
Upgrade libxml2 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.1.18. USN-673-1: libxml2 vulnerabilities (ubuntu-usn-673-1)

Description:

Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service
(memory corruption) or possibly execute arbitrary code via a large XML document.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2009-06-08-1

APPLE APPLE-SA-2009-06-17-1

BID 32326

BID 32331

CVE CVE-2008-4225

CVE CVE-2008-4226

DEBIAN DSA-1666

OSVDB 49992

OSVDB 49993

OVAL OVAL10025

OVAL OVAL6219

OVAL OVAL6234

OVAL OVAL6360

OVAL OVAL6415

OVAL OVAL9888

REDHAT RHSA-2008:0988

USN USN-673-1


Vulnerability Solution:
•libxml2 on Ubuntu Linux 7.10
Upgrade libxml2 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.10
Upgrade libxml2 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.1.19. USN-762-1: APT vulnerabilities (ubuntu-usn-762-1)

Description:

apt 0.7.20 does not check when the date command returns an "invalid date" error, which can prevent apt from loading security updates
in time zones for which DST occurs at midnight.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apt 0.7.9ubuntu17

References:

Source Reference

CVE CVE-2009-1300

DEBIAN DSA-1779

USN USN-762-1

Vulnerability Solution:
•apt on Ubuntu Linux 8.04
Upgrade apt for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 8.10
Upgrade apt for Ubuntu 8.10
Use `apt-get upgrade` to upgrade apt to the latest version

3.1.20. USN-803-1: dhcp vulnerability (ubuntu-usn-803-1)


Description:

Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before
4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu dhcp3-client 3.0.6.dfsg-1ubuntu9

References:

Source Reference

BID 35668

CERT-VN 410676

CVE CVE-2009-0692

DEBIAN DSA-1833

NETBSD NetBSD-SA2009-010

OSVDB 55819

OVAL OVAL10758

OVAL OVAL5941

REDHAT RHSA-2009:1136

REDHAT RHSA-2009:1154

SUSE SUSE-SA:2009:037

USN USN-803-1

Vulnerability Solution:
•dhcp3-client on Ubuntu Linux 8.04
Upgrade dhcp3-client for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade dhcp3-client to the latest version
•dhcp3-client on Ubuntu Linux 8.10
Upgrade dhcp3-client for Ubuntu 8.10
Use `apt-get upgrade` to upgrade dhcp3-client to the latest version
•dhcp3-client on Ubuntu Linux 9.04
Upgrade dhcp3-client for Ubuntu 9.04
Use `apt-get upgrade` to upgrade dhcp3-client to the latest version
•dhcp3-client-udeb on Ubuntu Linux 8.04
Upgrade dhcp3-client-udeb for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade dhcp3-client-udeb to the latest version
•dhcp3-client-udeb on Ubuntu Linux 8.10
Upgrade dhcp3-client-udeb for Ubuntu 8.10
Use `apt-get upgrade` to upgrade dhcp3-client-udeb to the latest version
•dhcp3-client-udeb on Ubuntu Linux 9.04
Upgrade dhcp3-client-udeb for Ubuntu 9.04
Use `apt-get upgrade` to upgrade dhcp3-client-udeb to the latest version

3.1.21. USN-813-1: apr vulnerability (ubuntu-usn-813-1)

Description:

Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and
1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger
crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3)
apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
NOTE: some of these details are obtained from third party information.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libapr1 1.2.11-1

References:

Source Reference

APPLE APPLE-SA-2009-11-09-1

BID 35949

CVE CVE-2009-2412

OSVDB 56765

OSVDB 56766

OVAL OVAL8394

OVAL OVAL9958

SUSE SUSE-SA:2009:050

USN USN-813-1

Vulnerability Solution:
•libapr1 on Ubuntu Linux 8.04
Upgrade libapr1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libapr1 to the latest version
•libapr1 on Ubuntu Linux 8.10
Upgrade libapr1 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libapr1 to the latest version
•libapr1 on Ubuntu Linux 9.04
Upgrade libapr1 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libapr1 to the latest version

3.1.22. USN-813-3: apr-util vulnerability (ubuntu-usn-813-3)

Description:

Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and
1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger
crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3)
apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
NOTE: some of these details are obtained from third party information.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libaprutil1 1.2.12+dfsg-3

References:

Source Reference

APPLE APPLE-SA-2009-11-09-1

BID 35949

CVE CVE-2009-2412

OSVDB 56765

OSVDB 56766

OVAL OVAL8394

OVAL OVAL9958

SUSE SUSE-SA:2009:050

USN USN-813-3

Vulnerability Solution:
•libaprutil1 on Ubuntu Linux 8.04
Upgrade libaprutil1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version
•libaprutil1 on Ubuntu Linux 8.10
Upgrade libaprutil1 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version
•libaprutil1 on Ubuntu Linux 9.04
Upgrade libaprutil1 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version

3.1.23. USN-815-1: libxml2 vulnerabilities (ubuntu-usn-815-1)

Description:

Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent
attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2009-05-12

APPLE APPLE-SA-2009-06-08-1

APPLE APPLE-SA-2009-06-17-1

APPLE APPLE-SA-2009-11-09-1

APPLE APPLE-SA-2009-11-11-1

APPLE APPLE-SA-2010-06-21-1

BID 31126

BID 36010

CERT TA09-133A

CVE CVE-2008-3529

CVE CVE-2009-2414

CVE CVE-2009-2416

DEBIAN DSA-1654

DEBIAN DSA-1859

DISA_SEVERITY Category I


DISA_VMSKEY V0019911

IAVM 2009-T-0049

OVAL OVAL10129

OVAL OVAL11760

OVAL OVAL6103

OVAL OVAL7783

OVAL OVAL8639

OVAL OVAL9262

REDHAT RHSA-2008:0884

REDHAT RHSA-2008:0886

USN USN-815-1

XF 45085

Vulnerability Solution:
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.10
Upgrade libxml2 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 9.04
Upgrade libxml2 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.1.24. VNC password is "password" (vnc-password-password)

Description:

The VNC server is using the password "password". This would allow anyone to log into the machine via VNC and take complete
control.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:5900 Running VNC service
Successfully authenticated to the VNC service with credentials: uid[] pw[password] realm[]

References:
None

Vulnerability Solution:
Change the password to a stronger, unpredictable one.

3.1.25. ISC BIND: Handling of zero length rdata can cause named to terminate unexpectedly (CVE-2012-1667) (dns-bind-cve-2012-1667)

Description:

ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not
properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service
(daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

CVE CVE-2012-1667

DISA_SEVERITY Category I

DISA_VMSKEY V0035032

IAVM 2012-A-0189

REDHAT RHSA-2012:1110

URL https://kb.isc.org/article/AA-00698/0

URL https://kb.isc.org/article/AA-00698/74/CVE-2012-1667%3A-Handling-of-zero-length-rdata-can-cause-named-to-terminate-unexpectedly.html

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.1.26. Obsolete ISC BIND installation (dns-bind-obsolete)

Description:


ISC BIND versions before 9.9 are considered obsolete. ISC will not fix security bugs in these versions (even critical ones).

It is strongly recommended that you upgrade your BIND installation to a supported version.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

URL https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html

URL https://www.isc.org/software/bind

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.1.27. PHP Vulnerability: CVE-2007-1581 (php-cve-2007-1581)

Description:

The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting the
hash_update_file function via a userspace (1) error or (2) stream handler, which can then be used to destroy and modify internal
resources. NOTE: it was later reported that PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 are also affected.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

BID 23062

CVE CVE-2007-1581

XF 33248

Vulnerability Solution:

•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.2
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.2.tar.gz

3.1.28. 'rexec' Remote Execution Service Enabled (service-rexec)

Description:

The RSH remote execution service (rexec) is enabled. This is a legacy service often configured to blindly trust some hosts and IPs.
The protocol also doesn't support encryption or any sort of strong authentication mechanism.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:512 Running Remote Execution service

References:
None

Vulnerability Solution:
Disable or firewall this service which usually runs on 512/tcp.

3.1.29. USN-1013-1: FreeType vulnerabilities (ubuntu-usn-1013-1)

Description:

Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a
heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libfreetype6 2.3.5-1ubuntu4.8.04.2

References:

Source Reference

APPLE APPLE-SA-2010-11-22-1

APPLE APPLE-SA-2011-03-09-1

APPLE APPLE-SA-2011-03-09-3

APPLE APPLE-SA-2011-03-21-1

APPLE APPLE-SA-2011-07-15-1

APPLE APPLE-SA-2011-07-15-2

BID 43700

BID 44214

BID 44643

CVE CVE-2010-3311

CVE CVE-2010-3814

CVE CVE-2010-3855

DEBIAN DSA-2116

DEBIAN DSA-2155

REDHAT RHSA-2010:0736

REDHAT RHSA-2010:0737

REDHAT RHSA-2010:0864

REDHAT RHSA-2010:0889

USN USN-1013-1

Vulnerability Solution:
•libfreetype6 on Ubuntu Linux 10.04
Upgrade libfreetype6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 10.10
Upgrade libfreetype6 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 8.04
Upgrade libfreetype6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 9.10
Upgrade libfreetype6 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version

3.1.30. USN-1085-1: tiff vulnerabilities (ubuntu-usn-1085-1)

Description:

Buffer overflow in Fax4Decode in LibTIFF 3.9.4 and possibly other versions, as used in ImageIO in Apple iTunes before 10.2 on
Windows and other products, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a
crafted TIFF Internet Fax image file that has been compressed using CCITT Group 4 encoding, related to the EXPAND2D macro in
libtiff/tif_fax3.h. NOTE: some of these details are obtained from third party information.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libtiff4 3.8.2-7ubuntu3.4

References:

Source Reference

APPLE APPLE-SA-2011-03-02-1

APPLE APPLE-SA-2011-03-09-1

APPLE APPLE-SA-2011-03-09-2

APPLE APPLE-SA-2011-03-09-3

APPLE APPLE-SA-2011-03-21-1

APPLE APPLE-SA-2011-10-12-1

APPLE APPLE-SA-2011-10-12-2

BID 46657

BID 46658

CVE CVE-2010-2482

CVE CVE-2010-2483

CVE CVE-2010-2595

CVE CVE-2010-2597

CVE CVE-2010-2598

CVE CVE-2010-2630

CVE CVE-2010-3087

CVE CVE-2011-0191

CVE CVE-2011-0192

DEBIAN DSA-2210

DEBIAN DSA-2552

REDHAT RHSA-2010:0519

REDHAT RHSA-2010:0520

REDHAT RHSA-2011:0318

USN USN-1085-1

Vulnerability Solution:
•libtiff4 on Ubuntu Linux 10.04
Upgrade libtiff4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 10.10
Upgrade libtiff4 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 8.04
Upgrade libtiff4 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 9.10
Upgrade libtiff4 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version

3.1.31. USN-1153-1: libxml2 vulnerability (ubuntu-usn-1153-1)

Description:

Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-
dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-
based buffer overflow when adding a new namespace node, related to handling of XPath expressions.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2012-05-09-1

APPLE APPLE-SA-2012-09-19-1

BID 48056

CVE CVE-2011-1944

DEBIAN DSA-2255

DISA_SEVERITY Category I

DISA_VMSKEY V0032171

DISA_VMSKEY V0033884

IAVM 2012-A-0073

IAVM 2012-A-0153

OSVDB 73248

REDHAT RHSA-2011:1749

REDHAT RHSA-2013:0217

USN USN-1153-1

Vulnerability Solution:
•libxml2 on Ubuntu Linux 10.04
Upgrade libxml2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 10.10
Upgrade libxml2 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.04
Upgrade libxml2 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.1.32. USN-1267-1: FreeType vulnerabilities (ubuntu-usn-1267-1)

Description:

FreeType in CoreGraphics in Apple iOS before 5.0.1 allows remote attackers to execute arbitrary code or cause a denial of service
(memory corruption) via a crafted font in a document.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libfreetype6 2.3.5-1ubuntu4.8.04.2

References:

Source Reference

APPLE APPLE-SA-2011-10-12-1

APPLE APPLE-SA-2011-11-10-1

APPLE APPLE-SA-2012-02-01-1

BID 50155

CVE CVE-2011-3256

CVE CVE-2011-3439

DEBIAN DSA-2328

USN USN-1267-1

XF 70552

Vulnerability Solution:
•libfreetype6 on Ubuntu Linux 10.04
Upgrade libfreetype6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 10.10
Upgrade libfreetype6 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 11.04
Upgrade libfreetype6 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 11.10
Upgrade libfreetype6 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 8.04
Upgrade libfreetype6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version

3.1.33. USN-1334-1: libxml2 vulnerabilities (ubuntu-usn-1334-1)

Description:

Off-by-one error in libxml in Apple Safari before 5.0.6 allows remote attackers to execute arbitrary code or cause a denial of service
(heap-based buffer overflow and application crash) via a crafted web site.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2011-07-20-1

APPLE APPLE-SA-2011-10-12-1

APPLE APPLE-SA-2011-10-12-2

APPLE APPLE-SA-2012-05-09-1

APPLE APPLE-SA-2012-09-19-1

BID 51300

CVE CVE-2011-0216

CVE CVE-2011-2821

CVE CVE-2011-2834

CVE CVE-2011-3905

CVE CVE-2011-3919

DEBIAN DSA-2394

DISA_SEVERITY Category I

DISA_VMSKEY V0032171

DISA_VMSKEY V0033884

IAVM 2012-A-0073

IAVM 2012-A-0153

OSVDB 75560

OVAL OVAL13840

OVAL OVAL14410

OVAL OVAL14504

OVAL OVAL14761

REDHAT RHSA-2011:1749

REDHAT RHSA-2013:0217

USN USN-1334-1

XF 69885

Vulnerability Solution:
•libxml2 on Ubuntu Linux 10.04
Upgrade libxml2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 10.10
Upgrade libxml2 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version

•libxml2 on Ubuntu Linux 11.04
Upgrade libxml2 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.10
Upgrade libxml2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.1.34. USN-1357-1: OpenSSL vulnerabilities (ubuntu-usn-1357-1)

Description:

Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers
to have an unspecified impact by triggering failure of a policy check.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu openssl 0.9.8g-4ubuntu3

References:

Source Reference

APPLE APPLE-SA-2013-06-04-1

BID 51563

CERT-VN 536044

CERT-VN 737740

CVE CVE-2011-1945

CVE CVE-2011-3210

CVE CVE-2011-4108

CVE CVE-2011-4109

CVE CVE-2011-4354

CVE CVE-2011-4576

CVE CVE-2011-4577

CVE CVE-2011-4619

CVE CVE-2012-0027

CVE CVE-2012-0050

DEBIAN DSA-2309

DEBIAN DSA-2390

DEBIAN DSA-2392

DISA_SEVERITY Category I

DISA_VMSKEY V0033794

DISA_VMSKEY V0033884

DISA_VMSKEY V0036639

IAVM 2012-A-0148

IAVM 2012-A-0153

IAVM 2013-A-0027

OSVDB 78191

OSVDB 78320

REDHAT RHSA-2012:1306

REDHAT RHSA-2012:1307

REDHAT RHSA-2012:1308

USN USN-1357-1

XF 72129

Vulnerability Solution:
•libssl0.9.8 on Ubuntu Linux 10.04
Upgrade libssl0.9.8 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl0.9.8 on Ubuntu Linux 10.10
Upgrade libssl0.9.8 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl0.9.8 on Ubuntu Linux 11.04
Upgrade libssl0.9.8 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl0.9.8 on Ubuntu Linux 8.04
Upgrade libssl0.9.8 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl1.0.0 on Ubuntu Linux 11.10
Upgrade libssl1.0.0 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libssl1.0.0 to the latest version

•openssl on Ubuntu Linux 10.04
Upgrade openssl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 10.10
Upgrade openssl for Ubuntu 10.10
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 11.04
Upgrade openssl for Ubuntu 11.04
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 11.10
Upgrade openssl for Ubuntu 11.10
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 8.04
Upgrade openssl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade openssl to the latest version

3.1.35. USN-1397-1: MySQL vulnerabilities (ubuntu-usn-1397-1)

Description:

Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through
5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via
format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details
are obtained from third party information.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu mysql-server-5.0 5.0.51a-3ubuntu5

References:

Source Reference

APPLE APPLE-SA-2010-03-29-1

APPLE APPLE-SA-2010-11-10-1

APPLE APPLE-SA-2011-06-23-1

BID 26353

BID 31486

BID 35609

BID 37640

BID 37943

BID 37974

BID 38043

BID 39543

BID 40257

BID 41198

BID 42596

BID 42598

BID 42599

BID 42625

BID 42633

BID 42638

BID 42646

BID 43676

BID 51503

BID 51506

BID 51509

BID 51510

BID 51513

BID 51514

BID 51515

BID 51516

BID 51518

BID 51524

BID 51526

CVE CVE-2007-5925

CVE CVE-2008-3963

CVE CVE-2008-4098

CVE CVE-2008-4456

CVE CVE-2008-7247

CVE CVE-2009-2446

CVE CVE-2009-4019

CVE CVE-2009-4030

CVE CVE-2009-4484

CVE CVE-2010-1621

CVE CVE-2010-1626

CVE CVE-2010-1848

CVE CVE-2010-1849

CVE CVE-2010-1850

CVE CVE-2010-2008

CVE CVE-2010-3677

CVE CVE-2010-3678

CVE CVE-2010-3679

CVE CVE-2010-3680

CVE CVE-2010-3681

CVE CVE-2010-3682

CVE CVE-2010-3683

CVE CVE-2010-3833

CVE CVE-2010-3834

CVE CVE-2010-3835

CVE CVE-2010-3836

CVE CVE-2010-3837

CVE CVE-2010-3838

CVE CVE-2010-3839

CVE CVE-2010-3840

CVE CVE-2011-2262

CVE CVE-2012-0075

CVE CVE-2012-0087

CVE CVE-2012-0101

CVE CVE-2012-0102

CVE CVE-2012-0112

CVE CVE-2012-0113

CVE CVE-2012-0114

CVE CVE-2012-0115

CVE CVE-2012-0116

CVE CVE-2012-0117

CVE CVE-2012-0118

CVE CVE-2012-0119

CVE CVE-2012-0120

CVE CVE-2012-0484

CVE CVE-2012-0485

CVE CVE-2012-0486

CVE CVE-2012-0487

CVE CVE-2012-0488

CVE CVE-2012-0489

CVE CVE-2012-0490

CVE CVE-2012-0491

CVE CVE-2012-0492

CVE CVE-2012-0493

CVE CVE-2012-0494

CVE CVE-2012-0495

CVE CVE-2012-0496

DEBIAN DSA-1413

DEBIAN DSA-1662

DEBIAN DSA-1783

DEBIAN DSA-1997

DEBIAN DSA-2143

OSVDB 55734

OSVDB 61956

OSVDB 78371

OSVDB 78372

OSVDB 78374

OSVDB 78375

OSVDB 78377

OSVDB 78378

OSVDB 78379

OSVDB 78383

OSVDB 78384

OSVDB 78385

OSVDB 78386

OSVDB 78387

OSVDB 78388

OSVDB 78389

OSVDB 78390

OSVDB 78393

OSVDB 78394

OVAL OVAL10258

OVAL OVAL10521

OVAL OVAL10591

OVAL OVAL10846

OVAL OVAL11116

OVAL OVAL11349

OVAL OVAL11390

OVAL OVAL11456

OVAL OVAL11857

OVAL OVAL11869

OVAL OVAL6693

OVAL OVAL7210

OVAL OVAL7328

OVAL OVAL8156

OVAL OVAL8500

OVAL OVAL9490

REDHAT RHSA-2007:1155

REDHAT RHSA-2007:1157

REDHAT RHSA-2009:1067

REDHAT RHSA-2009:1289

REDHAT RHSA-2010:0109

REDHAT RHSA-2010:0110

REDHAT RHSA-2010:0442

REDHAT RHSA-2010:0824

REDHAT RHSA-2010:0825

REDHAT RHSA-2011:0164

USN USN-1397-1

XF 38284

XF 45042

XF 45590

XF 45649

XF 51614

XF 55416

XF 64683

XF 64684

XF 64685

XF 64686

XF 64687

XF 64688

XF 64838

XF 64839

XF 64840

XF 64841

XF 64842

XF 64843

XF 64844

XF 64845

XF 72518

XF 72519

XF 72520

XF 72521

XF 72525

XF 72526

XF 72527

XF 72528

XF 72529

XF 72530

XF 72531

XF 72532

XF 72533

XF 72537

XF 72538

XF 72539

XF 72540

Vulnerability Solution:
•mysql-server-5.0 on Ubuntu Linux 8.04
Upgrade mysql-server-5.0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.1 on Ubuntu Linux 10.04
Upgrade mysql-server-5.1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 10.10
Upgrade mysql-server-5.1 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 11.04
Upgrade mysql-server-5.1 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 11.10
Upgrade mysql-server-5.1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version

3.1.36. USN-1789-1: PostgreSQL vulnerabilities (ubuntu-usn-1789-1)

Description:

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates
insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the
"contrib/pgcrypto functions."

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

APPLE APPLE-SA-2013-09-17-1

CVE CVE-2013-1899

CVE CVE-2013-1900

CVE CVE-2013-1901

DEBIAN DSA-2657

DEBIAN DSA-2658

REDHAT RHSA-2013:1475

USN USN-1789-1

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.4 on Ubuntu Linux 10.04
Upgrade postgresql-8.4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-9.1 on Ubuntu Linux 11.10
Upgrade postgresql-9.1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version
•postgresql-9.1 on Ubuntu Linux 12.04
Upgrade postgresql-9.1 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version
•postgresql-9.1 on Ubuntu Linux 12.10
Upgrade postgresql-9.1 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version

3.1.37. USN-617-1: Samba vulnerabilities (ubuntu-usn-617-1)

Description:

Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller,
allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server
requests.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu samba 3.0.20-0.1ubuntu1

References:

Source Reference

APPLE APPLE-SA-2007-12-17

APPLE APPLE-SA-2008-06-30

BID 26454

BID 29404

BID 31255

CERT TA07-352A

CVE CVE-2007-4572

CVE CVE-2008-1105

DEBIAN DSA-1409

DEBIAN DSA-1590

OVAL OVAL10020

OVAL OVAL11132

OVAL OVAL5643

OVAL OVAL5733

REDHAT RHSA-2007:1013

REDHAT RHSA-2007:1016

REDHAT RHSA-2007:1017

REDHAT RHSA-2008:0288

REDHAT RHSA-2008:0289

REDHAT RHSA-2008:0290

SUSE SUSE-SA:2007:065

SUSE SUSE-SA:2008:026

USN USN-617-1

XF 38501

XF 42664

XF 45251

Vulnerability Solution:

•libsmbclient on Ubuntu Linux 7.04
Upgrade libsmbclient for Ubuntu 7.04
Use `apt-get upgrade` to upgrade libsmbclient to the latest version
•libsmbclient on Ubuntu Linux 7.10
Upgrade libsmbclient for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libsmbclient to the latest version
•libsmbclient on Ubuntu Linux 8.04
Upgrade libsmbclient for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libsmbclient to the latest version
•samba on Ubuntu Linux 7.04
Upgrade samba for Ubuntu 7.04
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 7.10
Upgrade samba for Ubuntu 7.10
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 8.04
Upgrade samba for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version

3.1.38. USN-839-1: Samba vulnerabilities (ubuntu-usn-839-1)

Description:

Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent
attackers to execute arbitrary code via format string specifiers in a filename.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu samba 3.0.20-0.1ubuntu1

References:

Source Reference

APPLE APPLE-SA-2009-09-10-2

APPLE APPLE-SA-2010-03-29-1

BID 35472

BID 36363

BID 36572

BID 36573

CVE CVE-2009-1886

CVE CVE-2009-1888

CVE CVE-2009-2813

CVE CVE-2009-2906

CVE CVE-2009-2948

DEBIAN DSA-1823

OSVDB 57955

OSVDB 58519

OSVDB 58520

OVAL OVAL10434

OVAL OVAL10790

OVAL OVAL7087

OVAL OVAL7090

OVAL OVAL7211

OVAL OVAL7257

OVAL OVAL7292

OVAL OVAL7791

OVAL OVAL9191

OVAL OVAL9944

USN USN-839-1

XF 51327

XF 51328

XF 53174

XF 53574

XF 53575

Vulnerability Solution:
•samba on Ubuntu Linux 8.04
Upgrade samba for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 8.10
Upgrade samba for Ubuntu 8.10
Use `apt-get upgrade` to upgrade samba to the latest version

•samba on Ubuntu Linux 9.04
Upgrade samba for Ubuntu 9.04
Use `apt-get upgrade` to upgrade samba to the latest version
•smbclient on Ubuntu Linux 8.10
Upgrade smbclient for Ubuntu 8.10
Use `apt-get upgrade` to upgrade smbclient to the latest version
•smbfs on Ubuntu Linux 8.04
Upgrade smbfs for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade smbfs to the latest version
•smbfs on Ubuntu Linux 8.10
Upgrade smbfs for Ubuntu 8.10
Use `apt-get upgrade` to upgrade smbfs to the latest version
•smbfs on Ubuntu Linux 9.04
Upgrade smbfs for Ubuntu 9.04
Use `apt-get upgrade` to upgrade smbfs to the latest version

3.1.39. USN-897-1: MySQL vulnerabilities (ubuntu-usn-897-1)

Description:

Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through
5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via
format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. NOTE: some of these details
are obtained from third party information.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu mysql-server-5.0 5.0.51a-3ubuntu5

References:

Source Reference

APPLE APPLE-SA-2010-03-29-1

BID 31486

BID 35609

BID 37640

BID 37943

BID 37974

BID 38043

CVE CVE-2008-4098

CVE CVE-2008-4456

CVE CVE-2008-7247

CVE CVE-2009-2446

CVE CVE-2009-4019

CVE CVE-2009-4030

CVE CVE-2009-4484

DEBIAN DSA-1662

DEBIAN DSA-1783

DEBIAN DSA-1997

OSVDB 55734

OSVDB 61956

OVAL OVAL10591

OVAL OVAL11116

OVAL OVAL11349

OVAL OVAL11456

OVAL OVAL11857

OVAL OVAL8156

OVAL OVAL8500

REDHAT RHSA-2009:1067

REDHAT RHSA-2009:1289

REDHAT RHSA-2010:0109

REDHAT RHSA-2010:0110

USN USN-897-1

XF 45590

XF 45649

XF 51614

XF 55416

Vulnerability Solution:
•mysql-server-5.0 on Ubuntu Linux 8.04
Upgrade mysql-server-5.0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version

•mysql-server-5.0 on Ubuntu Linux 8.10
Upgrade mysql-server-5.0 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.0 on Ubuntu Linux 9.04
Upgrade mysql-server-5.0 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.1 on Ubuntu Linux 9.10
Upgrade mysql-server-5.1 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version

3.1.40. USN-972-1: FreeType vulnerabilities (ubuntu-usn-972-1)

Description:

Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in
cff/cffgload.c in FreeType before 2.4.2, as used in Apple iOS before 4.0.2 on the iPhone and iPod touch and before 3.2.2 on the iPad,
allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in
embedded fonts in a PDF document, as demonstrated by JailbreakMe. NOTE: some of these details are obtained from third party
information.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libfreetype6 2.3.5-1ubuntu4.8.04.2

References:

Source Reference

APPLE APPLE-SA-2010-08-11-1

APPLE APPLE-SA-2010-08-11-2

APPLE APPLE-SA-2010-11-10-1

APPLE APPLE-SA-2010-11-22-1

BID 42151

BID 42285

CVE CVE-2010-1797

CVE CVE-2010-2541

CVE CVE-2010-2805

CVE CVE-2010-2806

CVE CVE-2010-2807

CVE CVE-2010-2808

OSVDB 66828

REDHAT RHSA-2010:0577

REDHAT RHSA-2010:0578

REDHAT RHSA-2010:0736

REDHAT RHSA-2010:0737

REDHAT RHSA-2010:0864

USN USN-972-1

XF 60856

Vulnerability Solution:
•libfreetype6 on Ubuntu Linux 10.04
Upgrade libfreetype6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 8.04
Upgrade libfreetype6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 9.04
Upgrade libfreetype6 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 9.10
Upgrade libfreetype6 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version

3.1.41. Apache Tomcat Example Scripts Information Leakage (apache-tomcat-example-leaks)

Description:

The following example scripts come with Apache Tomcat v4.x - v7.x and can be used by attackers to gain information about the
system. These scripts are also known to be vulnerable to cross-site scripting (XSS) injection.

•/examples/jsp/num/numguess.jsp
•/examples/jsp/dates/date.jsp
•/examples/jsp/snp/snoop.jsp
•/examples/jsp/error/error.html
•/examples/jsp/sessions/carts.html
•/examples/jsp/checkbox/check.html
•/examples/jsp/colors/colors.html

•/examples/jsp/cal/login.html
•/examples/jsp/include/include.jsp
•/examples/jsp/forward/forward.jsp
•/examples/jsp/plugin/plugin.jsp
•/examples/jsp/jsptoserv/jsptoservlet.jsp
•/examples/jsp/simpletag/foo.jsp
•/examples/jsp/mail/sendmail.jsp
•/examples/servlet/HelloWorldExample
•/examples/servlet/RequestInfoExample
•/examples/servlet/RequestHeaderExample
•/examples/servlet/RequestParamExample
•/examples/servlet/CookieExample
•/examples/servlet/JndiServlet
•/examples/servlet/SessionExample
•/tomcat-docs/appdev/sample/web/hello.jsp

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:8180 Running HTTP service
Product Tomcat exists -- Apache Tomcat
HTTP GET request to http://192.168.0.102:8180/tomcat-docs/appdev/sample/web/hello.jsp
HTTP response code was an expected 200
19: limitations under the License.
20: -->
21: <html>
22: <head>
19: <title>Sample Application JSP Page</title>

References:
None

Vulnerability Solution:
Delete these scripts entirely. Example scripts should never be installed on production servers.

3.1.42. VNC remote control service installed (backdoor-vnc-0001)

Description:

AT&T Virtual Network Computing (VNC) provides remote users with access to the system it is installed on. If this service is
compromised, the user can gain complete control of the system.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:5900 Running VNC service

References:
None

Vulnerability Solution:
Remove or disable this service. If it is necessary, be sure to use well thought out (hard to crack) passwords. It is important to note that
VNC truncates passwords to 8 bytes when authenticating, making it more susceptible to brute force attacks.
To protect data from eavesdroppers, tunneling VNC through SSH is recommended.
Additionally, restricting access to specific IP addresses using TCP wrappers is also recommended.
For more information on VNC, visit the VNC website.

3.1.43. CIFS NULL Session Permitted (cifs-nt-0001)

Description:

NULL sessions allow anonymous users to establish unauthenticated CIFS sessions with Windows or third-party CIFS implementations
such as Samba or the Solaris CIFS Server. These anonymous users may be able to enumerate local users, groups, servers, shares,
domains, domain policies, and may be able to access various MSRPC services through RPC function calls. These services have been
historically affected by numerous vulnerabilities. The wealth of information available to attackers through NULL sessions may also allow
them to carry out more sophisticated attacks.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Found server name: METASPLOITABLE
Found policy for domain(s): METASPLOITABLE Builtin

References:

Source Reference

CVE CVE-1999-0519

URL http://www.hsc.fr/ressources/presentations/null_sessions/

Vulnerability Solution:
•Microsoft Windows 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition,
Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business
Server 2003
Disable NULL sessions for Windows 2003
Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following values:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Data Value: 1

Value Name: RestrictAnonymousSAM
Data Type: REG_DWORD
Data Value: 1

Value Name: EveryoneIncludesAnonymous
Data Type: REG_DWORD
Data Value: 0

and set the following value to 0 (or, alternatively, delete it):

Value Name: TurnOffAnonymousBlock
Data Type: REG_DWORD
Data Value: 0

Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
with the following values:

Value Name: RestrictNullSessAccess
Data Type: REG_DWORD
Data Value: 1

Value Name: NullSessionPipes
Data Type: REG_MULTI_SZ
Data Value: "" (empty string, without quotes)

Open Local Security Settings, and disable the following setting:

Security Settings -> Local Policies -> Security Options ->
Network access: Allow anonymous SID/Name translation: Disabled

Finally, reboot the machine.
Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network
environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article 823659 for more information.

•Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional
Disable NULL sessions for Windows XP
Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following values:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Data Value: 1

Value Name: RestrictAnonymousSAM
Data Type: REG_DWORD
Data Value: 1

Value Name: EveryoneIncludesAnonymous
Data Type: REG_DWORD
Data Value: 0

Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
with the following values:

Value Name: RestrictNullSessAccess
Data Type: REG_DWORD
Data Value: 1

Value Name: NullSessionPipes
Data Type: REG_MULTI_SZ
Data Value: "" (empty string, without quotes)

Open Local Security Settings, and disable the following setting:

Security Settings -> Local Policies -> Security Options ->
Network access: Allow anonymous SID/Name translation: Disabled

Finally, reboot the machine.
Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network
environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

•Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced
Server, Microsoft Windows 2000 Datacenter Server
Disable NULL sessions for Windows 2000
Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following value:

Value Name: RestrictAnonymous


Data Type: REG_DWORD
Data Value: 2


After modifying the registry, reboot the machine.


Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network
environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

•Microsoft Windows NT Server 4.0, Microsoft Windows NT Server, Enterprise Edition 4.0, Microsoft Windows NT Workstation 4.0
Install Microsoft service pack Windows NT4 Service Pack 4
Download and apply the upgrade from: http://support.microsoft.com/sp
•Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,
Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
Disable NULL sessions for Windows NT
Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following value:

Value Name: RestrictAnonymous


Data Type: REG_DWORD
Data Value: 1
After modifying the registry, reboot the machine.
It is important to note that on Windows NT 4.0 systems, setting this registry entry will still leave the system open to various attacks,
including brute-force enumeration of users and groups. A complete solution for Windows NT 4.0 systems is not available.

•Samba on Linux
Restrict anonymous access
To restrict anonymous access to Samba, modify your "smb.conf" settings as follows:

guest account = nobody


restrict anonymous = 1

Note: Make sure you do NOT list a user "nobody" in your password file.

•Novell NetWare
Novell Netware CIFS
As of May 9, 2007 Novell Netware CIFS does not provide a workaround for this vulnerability.

3.1.44. Samba AFS Filesystem ACL Mapping Format String Vulnerability (cifs-samba-afs-filesystem-acl-mapping-bof)

Description:

Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3.0.23d allows context-dependent attackers to execute
arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL
mapping.


Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:139 Running CIFS service
Product Samba exists -- Samba 3.0.20-Debian
Vulnerable version of product Samba found -- Samba 3.0.20-Debian

192.168.0.102:445 Running CIFS service
Product Samba exists -- Samba 3.0.20-Debian
Vulnerable version of product Samba found -- Samba 3.0.20-Debian

References:

Source Reference

BID 22403

CERT-VN 649732

CVE CVE-2007-0454

DEBIAN DSA-1257

OSVDB 33101

URL http://www.samba.org/samba/security/CVE-2007-0454.html

XF 32304

Vulnerability Solution:
Samba < 3.0.24
Download and apply the upgrade from: https://ftp.samba.org/pub/samba/stable/samba-3.0.24.tar.gz
Alternatively, patches may be available at http://www.samba.org/samba/history/security.html. Although Samba provides source code, it
is recommended that you use your operating system's package manager to upgrade if possible. Please note that many operating
system vendors choose to apply the most recent Samba security patches to their distributions without changing the package version to
the most recent Samba version number. For the most reliable scan results, use correlation with authenticated scans.

3.1.45. ISC BIND: A specially crafted Resource Record could cause named to terminate (CVE-2012-4244) (dns-bind-cve-2012-4244)

Description:

ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows
remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2


References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

CVE CVE-2012-4244

DEBIAN DSA-2547

DISA_SEVERITY Category I

DISA_VMSKEY V0036787

IAVM 2013-A-0031

REDHAT RHSA-2012:1266

REDHAT RHSA-2012:1267

REDHAT RHSA-2012:1268

REDHAT RHSA-2012:1365

URL https://kb.isc.org/article/AA-00778/0

URL https://kb.isc.org/article/AA-00778/74/CVE-2012-4244%3A-A-specially-crafted-Resource-Record-could-cause-named-to-terminate.html

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.1.46. IP Source Routing Enabled (generic-ip-source-routing-enabled)

Description:

The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a
packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally
designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for
legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 The net.ipv4.conf.all.accept_source_route sysctl variable is set to 0, as expected.
The net.ipv4.conf.all.forwarding sysctl variable is set to 0, as expected.
The net.ipv4.conf.all.mc_forwarding sysctl variable is set to 0, as expected.
The net.ipv4.conf.default.accept_source_route sysctl variable is set to 1, expected 0.
The net.ipv4.conf.default.forwarding sysctl variable is set to 0, as expected.
The net.ipv4.conf.default.mc_forwarding sysctl variable is set to 0, as expected.


References:

Source Reference

BID 646

CVE CVE-1999-0510

CVE CVE-1999-0909

MS MS99-038

MSKB 238453

URL http://packetstormsecurity.nl/advisories/nai/nai.99-09-20.windows_ip_source_routing

Vulnerability Solution:
•IBM AIX
Disable IP source routing on IBM AIX
Issue the following command to disable forwarding of source routed packets:
/usr/sbin/no -o nonlocsrcroute=0
Also, issue the following command to disable the sending of source routed packets:
/usr/sbin/no -o ipsrcroutesend=0
In order to make this setting permanent, you can add this command to /etc/rc.net.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•FreeBSD
Disable IP source routing on FreeBSD
IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following
command:
sysctl net.inet.ip.sourceroute
If the option is not set to 0, you can set it to zero by issuing the following command:
sysctl -w net.inet.ip.sourceroute=0
These settings can be added to /etc/sysctl.conf to make them permanent.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•Cisco IOS
Disable IP source routing on Cisco IOS
Use the 'no ip source-route' command to disable source-routing on the affected interface(s).
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•SGI Irix
Disable IP source routing on SGI Irix
Issue the following command to disable forwarding of source routed packets:


/usr/sbin/systune ipforward to 2
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•Linux
Disable IP source routing on Linux
Source routing is disabled by default. On Linux kernel 2.2 and earlier, this setting was controlled by the contents of the following proc
file:
/proc/sys/net/ipv4/conf/all/accept_source_route
However, in more recent versions of Linux, the source route setting is controlled by several sysctl variables. Issue the following
command to drop all source routed packets:
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Also, issue the following commands to disable forwarding of any frames with source routing options:
/sbin/sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
These settings can be added to /etc/sysctl.conf to make them permanent.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,
Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
Disable IP source routing on Windows NT 4
First upgrade to the latest NT4 Service Pack (SP6 for NT4 Terminal Server, SP6a for all other versions of NT4). Versions of NT4 prior
to SP6 can still be "tricked" into honoring source routing even if you have disabled it via the registry. See Q238453 for more
information.
After upgrading to NT Service Pack 6a, run the registry editor (regedit.exe) and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•OpenBSD
Disable IP source routing on OpenBSD
IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following
command:
sysctl net.inet.ip.sourceroute
If the option is not set to 0, you can set it to zero by issuing the following command:
sysctl -w net.inet.ip.sourceroute=0
These settings can be added to /etc/sysctl.conf to make them permanent.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).


•Cisco PIX
Disable IP source routing on Cisco PIX
PIX firewalls are designed to drop IP packets with insecure options, including source routing. See the following Cisco support
document for more information.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•Sun Solaris
Disable IP source routing on Solaris
While you cannot completely disable Solaris's handling of source-routed packets directed at the Solaris host itself, you can prevent
Solaris from forwarding source routed packets on to the next hop by issuing the following command:
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
In order to make this setting permanent, you will need to set this option automatically when the machine is booted.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft
Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition,
Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition,
Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition,
Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008
Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows
Essential Business Server 2008, Microsoft Windows Server 2012, Microsoft Windows Server 2012 Essentials Edition, Microsoft
Windows Server 2012 Standard Edition, Microsoft Windows Server 2012 Datacenter Edition, Microsoft Windows Server 2012
Foundation Edition, Microsoft Windows Storage Server 2012, Microsoft Windows 7, Microsoft Windows 7 Home, Basic Edition,
Microsoft Windows 7 Home, Basic N Edition, Microsoft Windows 7 Home, Premium Edition, Microsoft Windows 7 Home, Premium N
Edition, Microsoft Windows 7 Ultimate Edition, Microsoft Windows 7 Ultimate N Edition, Microsoft Windows 7 Enterprise Edition,
Microsoft Windows 7 Enterprise N Edition, Microsoft Windows 7 Professional Edition, Microsoft Windows 7 Starter Edition, Microsoft
Windows 7 Starter N Edition, Microsoft Windows Embedded Standard 7, Microsoft Windows Server 2008 R2, Microsoft Windows
Server 2008 R2, Enterprise Edition, Microsoft Windows Server 2008 R2, Standard Edition, Microsoft Windows Server 2008 R2,
Datacenter Edition, Microsoft Windows Server 2008 R2, Web Edition, Microsoft Windows 8, Microsoft Windows 8 Enterprise Edition,
Microsoft Windows 8 Professional Edition, Microsoft Windows RT
Disable IP source routing on Windows Vista and newer
Run the registry editor (regedit.exe) and browse to the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
For Tcpip, the DWORD value named "DisableIPSourceRouting" must either not exist or have a value of 1 or 2. For Tcpip6, the
DWORD value named "DisableIPSourceRouting" must exist and have a value of 1 or 2. For the highest security level, both should
exist and be set to 2. Windows must be rebooted for the change to take effect.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).
See http://technet.microsoft.com/library/dd349797%28v=ws.10%29.aspx for more information.

•Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced
Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP
Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003,
Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft
Windows Small Business Server 2003
Disable IP source routing on Windows 2000/XP/2003
Run the registry editor (regedit.exe) and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

•Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows ME
Disable IP source routing on Windows 95/98/ME
Microsoft has provided a fix for this issue, but requires users to contact Microsoft directly to obtain the fix. Please see MSKB article
Q238453 for more information.
You should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have
the firewall remove the source routing options if possible).

3.1.47. PHP Multiple Vulnerabilities Fixed in version 5.2.11 (http-php-multiple-vulns-5-2-11)

Description:

Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to
an incorrect "sanity check for the color index."

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-11-09-1

CVE CVE-2009-3291

CVE CVE-2009-3292

CVE CVE-2009-3293


DEBIAN DSA-1940

OSVDB 58185

OSVDB 58186

OSVDB 58187

OVAL OVAL10438

OVAL OVAL7047

OVAL OVAL7394

OVAL OVAL7652

OVAL OVAL9982

URL http://bugs.php.net/44683

URL http://www.php.net/ChangeLog-5.php#5.2.11

URL http://www.php.net/releases/5_2_11.php

XF 53334

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.11.tar.gz

3.1.48. PHP Multiple Vulnerabilities Fixed in version 5.3.1 (http-php-multiple-vulns-5-3-1)

Description:

** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir directive,
which allows context-dependent attackers to have an unknown impact by triggering the failure of PHP scripts that perform include or
require operations, as demonstrated by a script that attempts to perform a require_once on a file in a standard library directory. NOTE:
a reliable third party reports that this is not a vulnerability, because it results in a more restrictive security policy.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-11-09-1

APPLE APPLE-SA-2010-03-29-1

CVE CVE-2009-3292

CVE CVE-2009-3557


CVE CVE-2009-3558

CVE CVE-2009-3559

CVE CVE-2009-4017

DEBIAN DSA-1940

OSVDB 58186

OVAL OVAL10483

OVAL OVAL6667

OVAL OVAL7396

OVAL OVAL7652

OVAL OVAL9982

URL http://www.php.net/ChangeLog-5.php#5.3.1

URL http://www.php.net/releases/5_3_1.php

XF 54455

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.1.tar.gz

3.1.49. MySQL default account: root/no password (mysql-default-account-root-nopassword)

Description:

The default configuration of the Windows binary release of MySQL 3.23.2 through 3.23.52 has a NULL root password, which could
allow remote attackers to gain unauthorized root access to the MySQL database.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Successfully authenticated to the MySQL service with credentials: uid[root] pw[] realm[mysql]

References:

Source Reference

BID 5503

CVE CVE-2002-1809

XF 9902

Vulnerability Solution:
The password should be changed to a non-default value. To change the password for the account, use the mysql command line tool to
run the commands:


UPDATE user SET password=password('new-password') WHERE user='user-name';


FLUSH PRIVILEGES;

Where user-name should be replaced with the appropriate user name and new-password should be replaced with the new password.

3.1.50. Debian's OpenSSL Library Predictable Random Number Generator (openssl-debian-weak-keys)

Description:

A weakness has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems. As a result of
this weakness, certain encryption keys are much more common than they should be, such that an attacker could guess the key through
a brute-force attack given minimal knowledge of the system. This particularly affects the use of encryption keys in OpenSSH, OpenVPN
and SSL certificates. This vulnerability only affects operating systems which are based on Debian. However, other systems can be
indirectly affected if weak keys are imported into them.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:22 SSH public key with fingerprint 5656240F211DDEA72BAE61B1243DE8F3 is a known weak key

References:

Source Reference

BID 29179

CERT TA08-137A

CERT-VN 925211

CVE CVE-2008-0166

DEBIAN DSA-1571

DEBIAN DSA-1576

URL http://metasploit.com/users/hdm/tools/debian-openssl/

URL http://wiki.debian.org/SSLkeys

URL http://www.debian.org/security/2008/dsa-1571

URL http://www.debian.org/security/2008/dsa-1576

URL http://www.debian.org/security/key-rollover/

URL http://www.ubuntu.com/usn/usn-612-1

URL http://www.ubuntu.com/usn/usn-612-2

URL http://www.ubuntu.com/usn/usn-612-3

URL http://www.ubuntu.com/usn/usn-612-4


URL http://www.ubuntu.com/usn/usn-612-5

URL http://www.ubuntu.com/usn/usn-612-6

URL http://www.ubuntu.com/usn/usn-612-7

URL http://www.ubuntu.com/usn/usn-612-8

XF 42375

Vulnerability Solution:
Upgrade the OpenSSL package to the version recommended below to fix the random number generator and stop generating weak keys:
•For Debian 4.0 etch, upgrade to 0.9.8c-4etch3
•For Debian testing (lenny), upgrade to 0.9.8g-9
•For Debian unstable (sid), upgrade to 0.9.8g-9
•For Ubuntu 7.0.4 (feisty), upgrade to 0.9.8c-4ubuntu0.3
•For Ubuntu 7.10 (gutsy), upgrade to 0.9.8e-5ubuntu3.2
•For Ubuntu 8.0.4 (hardy), upgrade to 0.9.8g-4ubuntu3.1
Then regenerate all cryptographic key material which has been created by vulnerable OpenSSL versions on Debian-based systems.
Affected keys include SSH server and user keys, OpenVPN keys, DNSSEC keys, keys associated with X.509 certificates, etc.
Optionally, Debian and Ubuntu have released updated OpenSSH, OpenSSL and OpenVPN packages to automatically blacklist known
weak keys. It is recommended to install these upgrades on all systems.

3.1.51. PHP Vulnerability: CVE-2007-4825 (php-cve-2007-4825)

Description:

Directory traversal vulnerability in PHP 5.2.4 and earlier allows attackers to bypass open_basedir restrictions and possibly execute
arbitrary code via a .. (dot dot) in the dl function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2007-4825

OSVDB 45902

SUSE SUSE-SA:2008:004

XF 36528


Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.1.52. PHP Vulnerability: CVE-2012-2386 (php-cve-2012-2386)

Description:

Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows
remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a
heap-based buffer overflow.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

CVE CVE-2012-2386

Vulnerability Solution:
•Upgrade to PHP version 5.3.14
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.4
Download and apply the upgrade from: http://www.php.net/releases/

3.1.53. PHP Vulnerability: CVE-2013-1635 (php-cve-2013-1635)

Description:

ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir
directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the
creation of cached SOAP WSDL files in an arbitrary directory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10


References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

CVE CVE-2013-1635

DEBIAN DSA-2639

Vulnerability Solution:
•Upgrade to PHP version 5.3.22
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.13
Download and apply the upgrade from: http://www.php.net/releases/

3.1.54. PHP Vulnerability: CVE-2014-8626 (php-cve-2014-8626)

Description:

Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote
attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date,
leading to improper XML-RPC encoding.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2014-8626

REDHAT RHSA-2014:1824

REDHAT RHSA-2014:1825

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.7.tar.gz

3.1.55. PHP Vulnerability: CVE-2014-9425 (php-cve-2014-9425)

Description:

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20
and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown
vectors.


Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2014-9425

URL https://bugs.php.net/bug.php?id=68676

Vulnerability Solution:
•Upgrade to PHP version 5.5.21
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.5
Download and apply the upgrade from: http://www.php.net/releases/

3.1.56. PHP Vulnerability: CVE-2014-9426 (php-cve-2014-9426)

Description:

** DISPUTED ** The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to
perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory
corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor
because the standard erealloc behavior makes the free operation unreachable.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2014-9426

URL https://bugs.php.net/bug.php?id=68665

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/


3.1.57. PHP Vulnerability: CVE-2014-9653 (php-cve-2014-9653)

Description:

readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does
not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of
service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2014-9653

DEBIAN DSA-3196

Vulnerability Solution:
•Upgrade to PHP version 5.4.37
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.21
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.5
Download and apply the upgrade from: http://www.php.net/releases/

3.1.58. PHP Vulnerability: CVE-2014-9705 (php-cve-2014-9705)

Description:

Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before
5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference


CVE CVE-2014-9705

DEBIAN DSA-3195

Vulnerability Solution:
•Upgrade to PHP version 5.4.38
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.22
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.6
Download and apply the upgrade from: http://www.php.net/releases/

3.1.59. PHP Vulnerability: CVE-2015-0273 (php-cve-2015-0273)

Description:

Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allow
remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data
handled by the php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the php_date_initialize_from_hash
function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2015-0273

DEBIAN DSA-3195

Vulnerability Solution:
•Upgrade to PHP version 5.4.38
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.22
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.6
Download and apply the upgrade from: http://www.php.net/releases/

3.1.60. PHP Vulnerability: CVE-2015-1351 (php-cve-2015-1351)


Description:

Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache extension in PHP through
5.6.7 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2015-1351

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.1.61. PHP Vulnerability: CVE-2015-1353 (php-cve-2015-1353)

Description:

Multiple integer overflows in the calendar extension in PHP through 5.6.7 allow remote attackers to cause a denial of service or possibly
have unspecified other impact via a crafted year value to (1) the GregorianToSdn function in gregor.c or (2) the JulianToSdn function in
julian.c, as demonstrated by a crafted third argument to the gregoriantojd or juliantojd function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service

Product HTTPD exists -- Apache HTTPD 2.2.8

Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2015-1353

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.1.62. PHP Vulnerability: CVE-2015-2301 (php-cve-2015-2301)

Description:

Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows
remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming
of a Phar archive to the name of an existing file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service

Product HTTPD exists -- Apache HTTPD 2.2.8

Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2015-2301

DEBIAN DSA-3198

Vulnerability Solution:
•Upgrade to PHP version 5.5.22
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.6
Download and apply the upgrade from: http://www.php.net/releases/

3.1.63. PHP Vulnerability: CVE-2015-2331 (php-cve-2015-2331)

Description:

Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before
5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service

Product HTTPD exists -- Apache HTTPD 2.2.8

Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2015-2331

DEBIAN DSA-3198

Vulnerability Solution:
•Upgrade to PHP version 5.4.39
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.23
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.7
Download and apply the upgrade from: http://www.php.net/releases/

3.1.64. PHP Vulnerability: CVE-2015-2787 (php-cve-2015-2787)

Description:

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before
5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the
unset function within an __wakeup function, a related issue to CVE-2015-0231.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service

Product HTTPD exists -- Apache HTTPD 2.2.8

Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2015-2787

Vulnerability Solution:
•Upgrade to PHP version 5.4.39
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.23
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.7
Download and apply the upgrade from: http://www.php.net/releases/

3.1.65. 'rlogin' Remote Login Service Enabled (service-rlogin)

Description:

The RSH remote login service (rlogin) is enabled. This is a legacy service often configured to blindly trust some hosts and IPs. The
protocol also doesn't support encryption or any sort of strong authentication mechanism.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:513 Running Remote Login service

References:

Source Reference

CVE CVE-1999-0651

Vulnerability Solution:
Disable or firewall this service which usually runs on 513/tcp.

3.1.66. 'rsh' Remote Shell Service Enabled (service-rsh)

Description:

The RSH remote shell service (rsh) is enabled. This is a legacy service often configured to blindly trust some hosts and IPs. The
protocol also doesn't support encryption or any sort of strong authentication mechanism.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:514 Running Remote Shell service

References:

Source Reference

CVE CVE-1999-0651

Vulnerability Solution:
Disable or firewall this service which usually runs on 514/tcp.

3.1.67. USN-1082-1: Pango vulnerabilities (ubuntu-usn-1082-1)

Description:

Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3
and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpango1.0-0 1.20.5-0ubuntu1.1


References:

Source Reference

BID 38760

BID 45842

BID 46632

CVE CVE-2010-0421

CVE CVE-2011-0020

CVE CVE-2011-0064

DEBIAN DSA-2019

DEBIAN DSA-2178

OSVDB 70596

OVAL OVAL9417

REDHAT RHSA-2010:0140

REDHAT RHSA-2011:0180

REDHAT RHSA-2011:0309

USN USN-1082-1

XF 64832

XF 65770

Vulnerability Solution:
•gir1.0-pango-1.0 on Ubuntu Linux 10.04
Upgrade gir1.0-pango-1.0 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade gir1.0-pango-1.0 to the latest version
•gir1.0-pango-1.0 on Ubuntu Linux 10.10
Upgrade gir1.0-pango-1.0 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade gir1.0-pango-1.0 to the latest version
•libpango1.0-0 on Ubuntu Linux 8.04
Upgrade libpango1.0-0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpango1.0-0 to the latest version
•libpango1.0-0 on Ubuntu Linux 9.10
Upgrade libpango1.0-0 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libpango1.0-0 to the latest version

3.1.68. USN-1108-1: DHCP vulnerability (ubuntu-usn-1108-1)

Description:

dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote
attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by
a hostname that is provided to dhclient-script.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu dhcp3-client 3.0.6.dfsg-1ubuntu9

References:

Source Reference

BID 47176

CERT-VN 107886

CVE CVE-2011-0997

DEBIAN DSA-2216

DEBIAN DSA-2217

DISA_SEVERITY Category I

DISA_VMSKEY V0029562

IAVM 2011-A-0108

OSVDB 71493

OVAL OVAL12812

REDHAT RHSA-2011:0428

REDHAT RHSA-2011:0840

USN USN-1108-1

XF 66580

Vulnerability Solution:
•dhcp3-client on Ubuntu Linux 10.04
Upgrade dhcp3-client for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade dhcp3-client to the latest version
•dhcp3-client on Ubuntu Linux 10.10
Upgrade dhcp3-client for Ubuntu 10.10
Use `apt-get upgrade` to upgrade dhcp3-client to the latest version
•dhcp3-client on Ubuntu Linux 8.04
Upgrade dhcp3-client for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade dhcp3-client to the latest version
•dhcp3-client on Ubuntu Linux 9.10
Upgrade dhcp3-client for Ubuntu 9.10
Use `apt-get upgrade` to upgrade dhcp3-client to the latest version

3.1.69. USN-1126-1: PHP vulnerabilities (ubuntu-usn-1126-1)

Description:

Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to
obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via
format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu php5-gd 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2011-03-21-1

APPLE APPLE-SA-2011-10-12-3

APPLE APPLE-SA-2012-02-01-1

BID 45338

BID 45952

BID 46354

BID 46365

BID 46429

BID 46605

BID 46786

BID 46843

BID 46854

BID 46928

BID 46967

BID 46968

BID 46969

BID 46970

BID 46975

BID 46977

BID 49241

CERT-VN 210829

CVE CVE-2006-7243

CVE CVE-2010-4697

CVE CVE-2010-4698

CVE CVE-2011-0420

CVE CVE-2011-0421

CVE CVE-2011-0441

CVE CVE-2011-0708

CVE CVE-2011-1072

CVE CVE-2011-1092

CVE CVE-2011-1144

CVE CVE-2011-1148

CVE CVE-2011-1153

CVE CVE-2011-1464

CVE CVE-2011-1466

CVE CVE-2011-1467

CVE CVE-2011-1468

CVE CVE-2011-1469

CVE CVE-2011-1470

CVE CVE-2011-1471

DEBIAN DSA-2266

OVAL OVAL11939

OVAL OVAL12528

OVAL OVAL12569

REDHAT RHSA-2011:1423

REDHAT RHSA-2011:1741

REDHAT RHSA-2012:0071

REDHAT RHSA-2013:1307

REDHAT RHSA-2013:1615

REDHAT RHSA-2014:0311

USN USN-1126-1

XF 65310

XF 65437

XF 65721

XF 65911

XF 65988

XF 66079

XF 66080

XF 66173

XF 66180

Vulnerability Solution:
•libapache2-mod-php5 on Ubuntu Linux 10.04
Upgrade libapache2-mod-php5 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 10.10
Upgrade libapache2-mod-php5 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 11.04
Upgrade libapache2-mod-php5 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 8.04
Upgrade libapache2-mod-php5 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 9.10
Upgrade libapache2-mod-php5 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•php-pear on Ubuntu Linux 10.04
Upgrade php-pear for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php-pear to the latest version
•php-pear on Ubuntu Linux 10.10
Upgrade php-pear for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php-pear to the latest version
•php-pear on Ubuntu Linux 11.04
Upgrade php-pear for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php-pear to the latest version
•php-pear on Ubuntu Linux 8.04
Upgrade php-pear for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php-pear to the latest version
•php-pear on Ubuntu Linux 9.10
Upgrade php-pear for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php-pear to the latest version
•php5 on Ubuntu Linux 10.04
Upgrade php5 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5 on Ubuntu Linux 10.10
Upgrade php5 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5 on Ubuntu Linux 11.04
Upgrade php5 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5 on Ubuntu Linux 8.04
Upgrade php5 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5 on Ubuntu Linux 9.10
Upgrade php5 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5-cgi on Ubuntu Linux 10.04
Upgrade php5-cgi for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 10.10
Upgrade php5-cgi for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.04
Upgrade php5-cgi for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 8.04
Upgrade php5-cgi for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 9.10
Upgrade php5-cgi for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cli on Ubuntu Linux 10.04
Upgrade php5-cli for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 10.10
Upgrade php5-cli for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 11.04
Upgrade php5-cli for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 8.04
Upgrade php5-cli for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 9.10
Upgrade php5-cli for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-common on Ubuntu Linux 10.04
Upgrade php5-common for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 10.10
Upgrade php5-common for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 11.04
Upgrade php5-common for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 8.04
Upgrade php5-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 9.10
Upgrade php5-common for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-curl on Ubuntu Linux 10.04
Upgrade php5-curl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-curl to the latest version
•php5-curl on Ubuntu Linux 10.10
Upgrade php5-curl for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-curl to the latest version
•php5-curl on Ubuntu Linux 11.04
Upgrade php5-curl for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-curl to the latest version
•php5-curl on Ubuntu Linux 8.04
Upgrade php5-curl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-curl to the latest version
•php5-curl on Ubuntu Linux 9.10
Upgrade php5-curl for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-curl to the latest version
•php5-dev on Ubuntu Linux 10.04
Upgrade php5-dev for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-dev to the latest version
•php5-dev on Ubuntu Linux 10.10
Upgrade php5-dev for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-dev to the latest version
•php5-dev on Ubuntu Linux 11.04
Upgrade php5-dev for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-dev to the latest version
•php5-dev on Ubuntu Linux 8.04
Upgrade php5-dev for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-dev to the latest version
•php5-dev on Ubuntu Linux 9.10
Upgrade php5-dev for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-dev to the latest version
•php5-gd on Ubuntu Linux 10.04
Upgrade php5-gd for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-gd to the latest version
•php5-gd on Ubuntu Linux 10.10
Upgrade php5-gd for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-gd to the latest version
•php5-gd on Ubuntu Linux 11.04
Upgrade php5-gd for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-gd to the latest version
•php5-gd on Ubuntu Linux 8.04
Upgrade php5-gd for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-gd to the latest version
•php5-gd on Ubuntu Linux 9.10
Upgrade php5-gd for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-gd to the latest version
•php5-intl on Ubuntu Linux 10.04
Upgrade php5-intl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-intl to the latest version
•php5-intl on Ubuntu Linux 10.10
Upgrade php5-intl for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-intl to the latest version
•php5-intl on Ubuntu Linux 11.04
Upgrade php5-intl for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-intl to the latest version

3.1.70. USN-1158-1: curl vulnerabilities (ubuntu-usn-1158-1)

Description:

lib/ssluse.c in cURL and libcurl 7.4 through 7.19.5, when OpenSSL is used, does not properly handle a '\0' character in a domain name
in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libcurl3-gnutls 7.18.0-1ubuntu2

References:

Source Reference

APPLE APPLE-SA-2010-03-29-1

APPLE APPLE-SA-2010-06-15-1

APPLE APPLE-SA-2012-02-01-1

BID 36032

CVE CVE-2009-2417

CVE CVE-2010-0734

CVE CVE-2011-2192

DEBIAN DSA-2023

DEBIAN DSA-2271

DISA_SEVERITY Category I

DISA_VMSKEY V0027158

DISA_VMSKEY V0031252

IAVM 2011-A-0066

IAVM 2012-A-0020

OVAL OVAL10114

OVAL OVAL10760

OVAL OVAL6756

OVAL OVAL8542

REDHAT RHSA-2010:0329

REDHAT RHSA-2011:0918

USN USN-1158-1

XF 52405

Vulnerability Solution:
•libcurl3 on Ubuntu Linux 10.04
Upgrade libcurl3 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 10.10
Upgrade libcurl3 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 11.04
Upgrade libcurl3 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 8.04
Upgrade libcurl3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3-gnutls on Ubuntu Linux 10.04
Upgrade libcurl3-gnutls for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libcurl3-gnutls to the latest version
•libcurl3-gnutls on Ubuntu Linux 10.10
Upgrade libcurl3-gnutls for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libcurl3-gnutls to the latest version
•libcurl3-gnutls on Ubuntu Linux 11.04
Upgrade libcurl3-gnutls for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libcurl3-gnutls to the latest version
•libcurl3-gnutls on Ubuntu Linux 8.04
Upgrade libcurl3-gnutls for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libcurl3-gnutls to the latest version
•libcurl3-nss on Ubuntu Linux 11.04
Upgrade libcurl3-nss for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libcurl3-nss to the latest version

3.1.71. USN-1199-1: Apache vulnerability (ubuntu-usn-1199-1)

Description:

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause
a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the
wild in August 2011, a different vulnerability than CVE-2007-0086.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apache2-mpm-prefork 2.2.8-1ubuntu0.15

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

BID 49303

CERT-VN 405811

CVE CVE-2011-3192

OSVDB 74721

OVAL OVAL14762

OVAL OVAL14824

OVAL OVAL18827

REDHAT RHSA-2011:1245

REDHAT RHSA-2011:1294

REDHAT RHSA-2011:1300

REDHAT RHSA-2011:1329

REDHAT RHSA-2011:1330

REDHAT RHSA-2011:1369

USN USN-1199-1

XF 69396

Vulnerability Solution:
•apache2-mpm-event on Ubuntu Linux 8.04
Upgrade apache2-mpm-event for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2-mpm-event to the latest version
•apache2-mpm-perchild on Ubuntu Linux 8.04
Upgrade apache2-mpm-perchild for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2-mpm-perchild to the latest version
•apache2-mpm-prefork on Ubuntu Linux 8.04
Upgrade apache2-mpm-prefork for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2-mpm-prefork to the latest version
•apache2-mpm-worker on Ubuntu Linux 8.04
Upgrade apache2-mpm-worker for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2-mpm-worker to the latest version
•apache2.2-bin on Ubuntu Linux 10.04
Upgrade apache2.2-bin for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-bin to the latest version
•apache2.2-bin on Ubuntu Linux 10.10
Upgrade apache2.2-bin for Ubuntu 10.10
Use `apt-get upgrade` to upgrade apache2.2-bin to the latest version
•apache2.2-bin on Ubuntu Linux 11.04
Upgrade apache2.2-bin for Ubuntu 11.04
Use `apt-get upgrade` to upgrade apache2.2-bin to the latest version

3.1.72. USN-1231-1: PHP Vulnerabilities (ubuntu-usn-1231-1)

Description:

Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-
dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu php5-common 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2010-08-24-1

APPLE APPLE-SA-2010-11-10-1

APPLE APPLE-SA-2012-02-01-1

BID 48259

BID 49241

BID 49249

BID 49252

CVE CVE-2010-1914

CVE CVE-2010-2484

CVE CVE-2011-1657

CVE CVE-2011-1938

CVE CVE-2011-2202

CVE CVE-2011-2483

CVE CVE-2011-3182

CVE CVE-2011-3267

DEBIAN DSA-2266

DEBIAN DSA-2340

DEBIAN DSA-2399

OSVDB 72644

OSVDB 74739

REDHAT RHSA-2011:1377

REDHAT RHSA-2011:1378

REDHAT RHSA-2011:1423

REDHAT RHSA-2012:0071

SUSE SUSE-SA:2011:035

USN USN-1231-1

XF 58587

XF 67606

XF 67999

XF 69319

XF 69320

XF 69428

XF 69430

Vulnerability Solution:
•libapache2-mod-php5 on Ubuntu Linux 10.04
Upgrade libapache2-mod-php5 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 10.10
Upgrade libapache2-mod-php5 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 11.04
Upgrade libapache2-mod-php5 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 11.10
Upgrade libapache2-mod-php5 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 8.04
Upgrade libapache2-mod-php5 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•php5-cgi on Ubuntu Linux 10.04
Upgrade php5-cgi for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 10.10
Upgrade php5-cgi for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.04
Upgrade php5-cgi for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.10
Upgrade php5-cgi for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 8.04
Upgrade php5-cgi for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cli on Ubuntu Linux 10.04
Upgrade php5-cli for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 10.10
Upgrade php5-cli for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 11.04
Upgrade php5-cli for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 11.10
Upgrade php5-cli for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 8.04
Upgrade php5-cli for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-common on Ubuntu Linux 10.04
Upgrade php5-common for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 10.10
Upgrade php5-common for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 11.04
Upgrade php5-common for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 11.10
Upgrade php5-common for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 8.04
Upgrade php5-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-common to the latest version

3.1.73. USN-1358-1: PHP vulnerabilities (ubuntu-usn-1358-1)

Description:

The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request
containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an
incorrect fix for CVE-2011-4885.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu php5-common 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2012-05-09-1

APPLE APPLE-SA-2012-09-19-2

BID 46928

BID 51193

BID 51830

BID 51954

CERT-VN 903934

CVE CVE-2011-0441

CVE CVE-2011-4153

CVE CVE-2011-4885

CVE CVE-2012-0057

CVE CVE-2012-0788

CVE CVE-2012-0830

CVE CVE-2012-0831

DEBIAN DSA-2399

DEBIAN DSA-2403

OSVDB 78819

REDHAT RHSA-2012:0019

REDHAT RHSA-2012:0071

REDHAT RHSA-2012:0092

REDHAT RHSA-2013:1307

USN USN-1358-1

XF 66180

XF 72021

XF 72908

XF 72911

XF 73125

Vulnerability Solution:
•libapache2-mod-php5 on Ubuntu Linux 10.04
Upgrade libapache2-mod-php5 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 10.10
Upgrade libapache2-mod-php5 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 11.04
Upgrade libapache2-mod-php5 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 11.10
Upgrade libapache2-mod-php5 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 8.04
Upgrade libapache2-mod-php5 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•php5 on Ubuntu Linux 10.04
Upgrade php5 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5 on Ubuntu Linux 10.10
Upgrade php5 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5 on Ubuntu Linux 11.04
Upgrade php5 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5 on Ubuntu Linux 11.10
Upgrade php5 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5 on Ubuntu Linux 8.04
Upgrade php5 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5 to the latest version
•php5-cgi on Ubuntu Linux 10.04
Upgrade php5-cgi for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 10.10
Upgrade php5-cgi for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.04
Upgrade php5-cgi for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.10
Upgrade php5-cgi for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 8.04
Upgrade php5-cgi for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cli on Ubuntu Linux 10.04
Upgrade php5-cli for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 10.10
Upgrade php5-cli for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 11.04
Upgrade php5-cli for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 11.10
Upgrade php5-cli for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 8.04
Upgrade php5-cli for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-common on Ubuntu Linux 10.04
Upgrade php5-common for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 10.10
Upgrade php5-common for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 11.04
Upgrade php5-common for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 11.10
Upgrade php5-common for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-common on Ubuntu Linux 8.04
Upgrade php5-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-common to the latest version
•php5-xsl on Ubuntu Linux 10.04
Upgrade php5-xsl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-xsl to the latest version
•php5-xsl on Ubuntu Linux 10.10
Upgrade php5-xsl for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-xsl to the latest version
•php5-xsl on Ubuntu Linux 11.04
Upgrade php5-xsl for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-xsl to the latest version
•php5-xsl on Ubuntu Linux 11.10
Upgrade php5-xsl for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-xsl to the latest version
•php5-xsl on Ubuntu Linux 8.04
Upgrade php5-xsl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-xsl to the latest version

3.1.74. USN-1367-1: libpng vulnerabilities (ubuntu-usn-1367-1)

Description:

Integer overflow in libpng, as used in Google Chrome before 17.0.963.56, allows remote attackers to cause a denial of service or
possibly have unspecified other impact via unknown vectors that trigger an integer truncation.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpng12-0 1.2.15~beta5-3ubuntu0.2


References:

Source Reference

APPLE APPLE-SA-2012-09-19-1

APPLE APPLE-SA-2012-09-19-2

CVE CVE-2009-5063

CVE CVE-2011-3026

OVAL OVAL15032

USN USN-1367-1

Vulnerability Solution:
•libpng12-0 on Ubuntu Linux 10.04
Upgrade libpng12-0 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 10.10
Upgrade libpng12-0 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 11.04
Upgrade libpng12-0 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 11.10
Upgrade libpng12-0 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 8.04
Upgrade libpng12-0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version

3.1.75. USN-1374-1: Samba vulnerability (ubuntu-usn-1374-1)

Description:

Heap-based buffer overflow in process.c in smbd in Samba 3.0, as used in the file-sharing service on the BlackBerry PlayBook tablet
before 2.0.0.7971 and other products, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary
code via a Batched (aka AndX) request that triggers infinite recursion.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu samba 3.0.20-0.1ubuntu1

References:

Source Reference

APPLE APPLE-SA-2012-05-09-1

CVE CVE-2012-0870

USN USN-1374-1

XF 73361

Vulnerability Solution:
samba on Ubuntu Linux 8.04
Use `apt-get upgrade` to upgrade samba to the latest version

3.1.76. USN-1396-1: GNU C Library vulnerabilities (ubuntu-usn-1396-1)

Description:

nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the
passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS
accounts by calling the getpwnam function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libc6 2.7-10ubuntu5

References:

Source Reference

BID 46563

BID 46740

BID 52201

CVE CVE-2009-5029

CVE CVE-2010-0015

CVE CVE-2011-1071

CVE CVE-2011-1089

CVE CVE-2011-1095

CVE CVE-2011-1658

CVE CVE-2011-1659

CVE CVE-2011-2702

CVE CVE-2011-4609

CVE CVE-2012-0864

DISA_SEVERITY Category I

DISA_VMSKEY V0029562

DISA_VMSKEY V0030545

DISA_VMSKEY V0033794

DISA_VMSKEY V0033884

IAVM 2011-A-0108

IAVM 2011-A-0147

IAVM 2012-A-0148

IAVM 2012-A-0153

OSVDB 80718

OVAL OVAL12272

OVAL OVAL12853

REDHAT RHSA-2011:0412

REDHAT RHSA-2011:0413

REDHAT RHSA-2011:1526

REDHAT RHSA-2012:0393

REDHAT RHSA-2012:0397

REDHAT RHSA-2012:0488

REDHAT RHSA-2012:0531

USN USN-1396-1

XF 66819

XF 66820

Vulnerability Solution:
•libc-bin on Ubuntu Linux 10.04
Upgrade libc-bin for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libc-bin to the latest version
•libc-bin on Ubuntu Linux 10.10
Upgrade libc-bin for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libc-bin to the latest version
•libc6 on Ubuntu Linux 10.04
Upgrade libc6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 10.10
Upgrade libc6 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 11.04
Upgrade libc6 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 11.10
Upgrade libc6 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 8.04
Upgrade libc6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version

3.1.77. USN-1437-1: PHP vulnerability (ubuntu-usn-1437-1)

Description:

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly
handle query strings that contain a %3D sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary
code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2012-1823.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu php5-cgi 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

CERT-VN 520827

CERT-VN 673343

CVE CVE-2012-1823

CVE CVE-2012-2311

REDHAT RHSA-2012:0546

REDHAT RHSA-2012:0547

REDHAT RHSA-2012:0568

USN USN-1437-1

Vulnerability Solution:
•php5-cgi on Ubuntu Linux 10.04
Upgrade php5-cgi for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.04
Upgrade php5-cgi for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.10
Upgrade php5-cgi for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 12.04
Upgrade php5-cgi for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 8.04
Upgrade php5-cgi for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version

3.1.78. USN-1498-1: tiff vulnerabilities (ubuntu-usn-1498-1)

Description:

Integer signedness error in the TIFFReadDirectory function in tif_dirread.c in libtiff 3.9.4 and earlier allows remote attackers to cause a
denial of service (application crash) and possibly execute arbitrary code via a negative tile depth in a tiff image, which triggers an
improper conversion between signed and unsigned types, leading to a heap-based buffer overflow.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libtiff4 3.8.2-7ubuntu3.4

References:

Source Reference

APPLE APPLE-SA-2013-03-14-1

BID 54076

BID 54270

CVE CVE-2012-2088

CVE CVE-2012-2113

DEBIAN DSA-2552

DISA_SEVERITY Category I

DISA_VMSKEY V0036903

IAVM 2013-A-0048

REDHAT RHSA-2012:1054

USN USN-1498-1

Vulnerability Solution:
•libtiff-tools on Ubuntu Linux 10.04
Upgrade libtiff-tools for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtiff-tools to the latest version
•libtiff-tools on Ubuntu Linux 11.04
Upgrade libtiff-tools for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libtiff-tools to the latest version
•libtiff-tools on Ubuntu Linux 11.10
Upgrade libtiff-tools for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libtiff-tools to the latest version
•libtiff-tools on Ubuntu Linux 12.04
Upgrade libtiff-tools for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libtiff-tools to the latest version
•libtiff-tools on Ubuntu Linux 8.04
Upgrade libtiff-tools for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtiff-tools to the latest version
•libtiff4 on Ubuntu Linux 10.04
Upgrade libtiff4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 11.04
Upgrade libtiff4 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 11.10
Upgrade libtiff4 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 12.04
Upgrade libtiff4 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 8.04
Upgrade libtiff4 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version

3.1.79. USN-1601-1: Bind vulnerability (ubuntu-usn-1601-1)

Description:

ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows
remote attackers to cause a denial of service (named daemon hang) via unspecified combinations of resource records.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu bind9 1:9.4.2-10

References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

BID 55852

CVE CVE-2012-5166

DEBIAN DSA-2560

OSVDB 86118

OVAL OVAL19706

REDHAT RHSA-2012:1363

REDHAT RHSA-2012:1364

REDHAT RHSA-2012:1365

USN USN-1601-1

Vulnerability Solution:
•bind9 on Ubuntu Linux 10.04
Upgrade bind9 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade bind9 to the latest version
•bind9 on Ubuntu Linux 11.04
Upgrade bind9 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade bind9 to the latest version
•bind9 on Ubuntu Linux 11.10
Upgrade bind9 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade bind9 to the latest version
•bind9 on Ubuntu Linux 12.04
Upgrade bind9 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade bind9 to the latest version
•bind9 on Ubuntu Linux 8.04
Upgrade bind9 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade bind9 to the latest version

3.1.80. USN-1643-1: Perl vulnerabilities (ubuntu-usn-1643-1)

Description:

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before
15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary
code via the 'x' string repeat operator.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu perl 5.8.8-12ubuntu0.5

References:

Source Reference

BID 49858

BID 49911

BID 56287

BID 56562

CVE CVE-2011-2939

CVE CVE-2011-3597

CVE CVE-2012-5195

CVE CVE-2012-5526

DEBIAN DSA-2586

DISA_SEVERITY Category I

DISA_VMSKEY V0033794

DISA_VMSKEY V0033884

IAVM 2012-A-0148

IAVM 2012-A-0153

OVAL OVAL19446

REDHAT RHSA-2011:1424

REDHAT RHSA-2011:1797

REDHAT RHSA-2013:0685

USN USN-1643-1

XF 80098

Vulnerability Solution:
•perl on Ubuntu Linux 10.04
Upgrade perl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade perl to the latest version
•perl on Ubuntu Linux 11.10
Upgrade perl for Ubuntu 11.10
Use `apt-get upgrade` to upgrade perl to the latest version
•perl on Ubuntu Linux 12.04
Upgrade perl for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade perl to the latest version
•perl on Ubuntu Linux 12.10
Upgrade perl for Ubuntu 12.10
Use `apt-get upgrade` to upgrade perl to the latest version
•perl on Ubuntu Linux 8.04
Upgrade perl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade perl to the latest version

3.1.81. USN-1770-1: Perl vulnerability (ubuntu-usn-1770-1)

Description:

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory
consumption and crash) via a crafted hash key.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu perl 5.8.8-12ubuntu0.5

References:

Source Reference

APPLE APPLE-SA-2013-10-22-3

BID 58311

CVE CVE-2013-1667

DEBIAN DSA-2641

OSVDB 90892

OVAL OVAL18771

REDHAT RHSA-2013:0685

USN USN-1770-1

XF 82598

Vulnerability Solution:
•perl on Ubuntu Linux 10.04
Upgrade perl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade perl to the latest version
•perl on Ubuntu Linux 11.10
Upgrade perl for Ubuntu 11.10
Use `apt-get upgrade` to upgrade perl to the latest version
•perl on Ubuntu Linux 12.04
Upgrade perl for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade perl to the latest version
•perl on Ubuntu Linux 12.10
Upgrade perl for Ubuntu 12.10
Use `apt-get upgrade` to upgrade perl to the latest version
•perl on Ubuntu Linux 8.04
Upgrade perl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade perl to the latest version

3.1.82. USN-612-2: OpenSSH vulnerability (ubuntu-usn-612-2)

Description:

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates
predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu openssh-server 1:4.7p1-8ubuntu1


References:

Source Reference

BID 29179

CERT TA08-137A

CERT-VN 925211

CVE CVE-2008-0166

DEBIAN DSA-1571

DEBIAN DSA-1576

USN USN-612-2

XF 42375

Vulnerability Solution:
•openssh-client on Ubuntu Linux 7.04
Upgrade openssh-client for Ubuntu 7.04
Use `apt-get upgrade` to upgrade openssh-client to the latest version
•openssh-client on Ubuntu Linux 7.10
Upgrade openssh-client for Ubuntu 7.10
Use `apt-get upgrade` to upgrade openssh-client to the latest version
•openssh-client on Ubuntu Linux 8.04
Upgrade openssh-client for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade openssh-client to the latest version
•openssh-server on Ubuntu Linux 7.04
Upgrade openssh-server for Ubuntu 7.04
Use `apt-get upgrade` to upgrade openssh-server to the latest version
•openssh-server on Ubuntu Linux 7.10
Upgrade openssh-server for Ubuntu 7.10
Use `apt-get upgrade` to upgrade openssh-server to the latest version
•openssh-server on Ubuntu Linux 8.04
Upgrade openssh-server for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade openssh-server to the latest version

3.1.83. USN-612-4: ssl-cert vulnerability (ubuntu-usn-612-4)

Description:

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates
predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu ssl-cert 1.0.14-0ubuntu2

References:

Source Reference

BID 29179

CERT TA08-137A

CERT-VN 925211

CVE CVE-2008-0166

DEBIAN DSA-1571

DEBIAN DSA-1576

USN USN-612-4

XF 42375

Vulnerability Solution:
•ssl-cert on Ubuntu Linux 7.04
Upgrade ssl-cert for Ubuntu 7.04
Use `apt-get upgrade` to upgrade ssl-cert to the latest version
•ssl-cert on Ubuntu Linux 7.10
Upgrade ssl-cert for Ubuntu 7.10
Use `apt-get upgrade` to upgrade ssl-cert to the latest version
•ssl-cert on Ubuntu Linux 8.04
Upgrade ssl-cert for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade ssl-cert to the latest version

3.1.84. USN-624-1: PCRE vulnerability (ubuntu-usn-624-1)

Description:

Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent
attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and
contains multiple branches.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpcre3 7.4-1ubuntu2

References:

Source Reference

APPLE APPLE-SA-2008-10-09

APPLE APPLE-SA-2009-05-12

BID 30087

BID 31681

CERT TA09-133A

CVE CVE-2008-2371

DEBIAN DSA-1602

USN USN-624-1

Vulnerability Solution:
•libpcre3 on Ubuntu Linux 7.04
Upgrade libpcre3 for Ubuntu 7.04
Use `apt-get upgrade` to upgrade libpcre3 to the latest version
•libpcre3 on Ubuntu Linux 7.10
Upgrade libpcre3 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libpcre3 to the latest version
•libpcre3 on Ubuntu Linux 8.04
Upgrade libpcre3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpcre3 to the latest version

3.1.85. USN-786-1: apr-util vulnerabilities (ubuntu-usn-786-1)

Description:

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and
mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a
crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar
issue to CVE-2003-1564.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libaprutil1 1.2.12+dfsg-3

References:

Source Reference

APPLE APPLE-SA-2009-11-09-1

BID 35221

BID 35251

BID 35253

CVE CVE-2009-0023

CVE CVE-2009-1955

CVE CVE-2009-1956

DEBIAN DSA-1812

OVAL OVAL10270

OVAL OVAL10968

OVAL OVAL11567

OVAL OVAL12237

OVAL OVAL12321

OVAL OVAL12473

REDHAT RHSA-2009:1107

REDHAT RHSA-2009:1108

USN USN-786-1

XF 50964

Vulnerability Solution:
•libaprutil1 on Ubuntu Linux 8.04
Upgrade libaprutil1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version
•libaprutil1 on Ubuntu Linux 8.10
Upgrade libaprutil1 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version
•libaprutil1 on Ubuntu Linux 9.04
Upgrade libaprutil1 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version

3.1.86. USN-790-1: Cyrus SASL vulnerability (ubuntu-usn-790-1)

Description:

Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause
a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libsasl2-2 2.1.22.dfsg1-18ubuntu2

References:

Source Reference

APPLE APPLE-SA-2010-03-29-1

BID 34961

CERT TA10-103B

CERT-VN 238019

CVE CVE-2009-0688

DEBIAN DSA-1807

OSVDB 54514

OSVDB 54515

OVAL OVAL10687

OVAL OVAL6136

REDHAT RHSA-2009:1116

USN USN-790-1

XF 50554

Vulnerability Solution:
•libsasl2-2 on Ubuntu Linux 8.04
Upgrade libsasl2-2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libsasl2-2 to the latest version
•libsasl2-2 on Ubuntu Linux 8.10
Upgrade libsasl2-2 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libsasl2-2 to the latest version
•libsasl2-2 on Ubuntu Linux 9.04
Upgrade libsasl2-2 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libsasl2-2 to the latest version

3.1.87. USN-809-1: GnuTLS vulnerabilities (ubuntu-usn-809-1)

Description:

libgnutls in GnuTLS before 2.8.2 does not properly handle a '\0' character in a domain name in the subject's (1) Common Name (CN) or
(2) Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
servers via a crafted certificate issued by a legitimate Certification Authority.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libgnutls13 2.0.4-1ubuntu2

References:

Source Reference

APPLE APPLE-SA-2009-11-09-1

CVE CVE-2009-2409

CVE CVE-2009-2730

DEBIAN DSA-1874

DEBIAN DSA-1888

OVAL OVAL10763

OVAL OVAL10778

OVAL OVAL6631

OVAL OVAL7155

OVAL OVAL8409

OVAL OVAL8594

REDHAT RHSA-2009:1207

REDHAT RHSA-2009:1232

REDHAT RHSA-2009:1432

REDHAT RHSA-2010:0095

USN USN-809-1

XF 52404

Vulnerability Solution:
•libgnutls13 on Ubuntu Linux 8.04
Upgrade libgnutls13 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libgnutls13 to the latest version
•libgnutls26 on Ubuntu Linux 8.10
Upgrade libgnutls26 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version
•libgnutls26 on Ubuntu Linux 9.04
Upgrade libgnutls26 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version

3.1.88. USN-944-1: GNU C Library vulnerabilities (ubuntu-usn-944-1)

Description:

Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow
context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon
function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libc6 2.7-10ubuntu5

References:

Source Reference

APPLE APPLE-SA-2008-12-15

BID 28479

BID 40063

CERT TA08-350A

CVE CVE-2008-1391

CVE CVE-2010-0296

CVE CVE-2010-0830

DEBIAN DSA-2058

DISA_SEVERITY Category I

DISA_VMSKEY V0030545

DISA_VMSKEY V0033794

DISA_VMSKEY V0033884

IAVM 2011-A-0147

IAVM 2012-A-0148

IAVM 2012-A-0153

REDHAT RHSA-2011:0412

USN USN-944-1

XF 41504

XF 58915

XF 59240

Vulnerability Solution:
•libc6 on Ubuntu Linux 10.04
Upgrade libc6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 8.04
Upgrade libc6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 9.04
Upgrade libc6 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 9.10
Upgrade libc6 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libc6 to the latest version

3.1.89. USN-951-1: Samba vulnerability (ubuntu-usn-951-1)

Description:

Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before
3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code
via a crafted field in a packet.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu samba 3.0.20-0.1ubuntu1

References:

Source Reference

APPLE APPLE-SA-2010-08-24-1

BID 40884

CVE CVE-2010-2063

DEBIAN DSA-2061

OSVDB 65518

OVAL OVAL12427

OVAL OVAL7115

OVAL OVAL9859

REDHAT RHSA-2010:0488

USN USN-951-1

XF 59481

Vulnerability Solution:
•samba on Ubuntu Linux 8.04
Upgrade samba for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 9.04
Upgrade samba for Ubuntu 9.04
Use `apt-get upgrade` to upgrade samba to the latest version

3.1.90. USN-960-1: libpng vulnerabilities (ubuntu-usn-960-1)

Description:

Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote
attackers to execute arbitrary code via a PNG image that triggers an additional data row.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpng12-0 1.2.15~beta5-3ubuntu0.2

References:

Source Reference

APPLE APPLE-SA-2010-08-24-1

APPLE APPLE-SA-2010-11-10-1

APPLE APPLE-SA-2010-11-22-1

APPLE APPLE-SA-2011-03-02-1

APPLE APPLE-SA-2011-03-09-2

BID 41174

CVE CVE-2010-1205

CVE CVE-2010-2249

DEBIAN DSA-2072

OVAL OVAL11851

USN USN-960-1

XF 59815

XF 59816

Vulnerability Solution:
•libpng12-0 on Ubuntu Linux 10.04
Upgrade libpng12-0 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 8.04
Upgrade libpng12-0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 9.04
Upgrade libpng12-0 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 9.10
Upgrade libpng12-0 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version

3.1.91. USN-987-1: Samba vulnerability (ubuntu-usn-987-1)

Description:

Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions in Samba before 3.5.5 allows remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu samba 3.0.20-0.1ubuntu1

References:

Source Reference

APPLE APPLE-SA-2011-03-21-1

APPLE APPLE-SA-2011-06-23-1

BID 43212

CVE CVE-2010-3069

REDHAT RHSA-2010:0860

USN USN-987-1

XF 61773

Vulnerability Solution:
•samba on Ubuntu Linux 10.04
Upgrade samba for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 8.04
Upgrade samba for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 9.04
Upgrade samba for Ubuntu 9.04
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 9.10
Upgrade samba for Ubuntu 9.10
Use `apt-get upgrade` to upgrade samba to the latest version

3.1.92. USN-989-1: PHP vulnerabilities (ubuntu-usn-989-1)

Description:

Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to
execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu php5-cli 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2010-08-24-1

APPLE APPLE-SA-2010-11-10-1

APPLE APPLE-SA-2011-03-21-1

BID 38430

BID 38431

BID 38708

BID 40948

CVE CVE-2010-0397

CVE CVE-2010-1128

CVE CVE-2010-1129

CVE CVE-2010-1130

CVE CVE-2010-1866

CVE CVE-2010-1868

CVE CVE-2010-1917

CVE CVE-2010-2094

CVE CVE-2010-2225

CVE CVE-2010-2531

CVE CVE-2010-2950

CVE CVE-2010-3065

DEBIAN DSA-2089

DEBIAN DSA-2266

REDHAT RHSA-2010:0919

USN USN-989-1

XF 58585

XF 59610

Vulnerability Solution:
•libapache2-mod-php5 on Ubuntu Linux 10.04
Upgrade libapache2-mod-php5 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 8.04
Upgrade libapache2-mod-php5 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 9.04
Upgrade libapache2-mod-php5 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 9.10
Upgrade libapache2-mod-php5 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•php5-cgi on Ubuntu Linux 10.04
Upgrade php5-cgi for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 8.04
Upgrade php5-cgi for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 9.04
Upgrade php5-cgi for Ubuntu 9.04
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 9.10
Upgrade php5-cgi for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cli on Ubuntu Linux 10.04
Upgrade php5-cli for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 8.04
Upgrade php5-cli for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 9.04
Upgrade php5-cli for Ubuntu 9.04
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 9.10
Upgrade php5-cli for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version

3.1.93. .rhosts files exist (unix-rhosts-file)

Description:

One or more .rhosts files were found on the system. The .rhosts file is used with the r-commands (rlogin, rsh, etc.) and it allows anyone
to log in to the system without a password as long as they report having certain usernames or hostnames. The .rhosts authentication
method should never be used, because it is very easy for an attacker to spoof his identity and log in to the system. Furthermore, the
r-commands should be disabled -- the ssh protocol could be used instead where appropriate.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 The following .rhosts files were found: /root/.rhosts, /home/msfadmin/.rhosts

References:
None

Vulnerability Solution:
Delete all .rhosts files on the system. You should also make sure rshd and other r-commands are disabled.

3.2. Severe Vulnerabilities

3.2.1. Apache HTTPD: insecure LD_LIBRARY_PATH handling (CVE-2012-0883) (apache-httpd-cve-2012-0883)

Description:

Insecure handling of LD_LIBRARY_PATH was found that could lead to the current working directory being searched for DSOs. This
could allow a local user to execute code as root if an administrator runs apachectl from an untrusted directory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

CVE CVE-2012-0883

URL http://httpd.apache.org/security/vulnerabilities_22.html

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
•Apache HTTPD >= 2.2 and < 2.2.23
Upgrade to Apache HTTPD version 2.2.23
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.23.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.4 and < 2.4.2
Upgrade to Apache HTTPD version 2.4.2
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.2.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.2. Apache HTTPD: mod_status buffer overflow (CVE-2014-0226) (apache-httpd-cve-2014-0226)

Description:

The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_status. Review your web
server configuration for validation. A race condition was found in mod_status. An attacker able to access a public server status page on
a server using a threaded MPM could send a carefully crafted request which could lead to a heap buffer overflow. Note that it is not a
default or recommended configuration to have a public accessible server status page.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2015-04-08-2

BID 68678

CVE CVE-2014-0226

DEBIAN DSA-2989

DISA_SEVERITY Category I

DISA_VMSKEY V0053307

IAVM 2014-A-0114

OSVDB 109216

REDHAT RHSA-2014:1019

REDHAT RHSA-2014:1020

REDHAT RHSA-2014:1021

URL http://httpd.apache.org/security/vulnerabilities_22.html

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
•Apache HTTPD >= 2.2 and < 2.2.29
Upgrade to Apache HTTPD version 2.2.29
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.29.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.4 and < 2.4.10
Upgrade to Apache HTTPD version 2.4.10
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.10.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.3. Samba File Renaming Denial of Service Vulnerability (cifs-samba-file-renaming-dos)

Description:

smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by
renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:139 Running CIFS service
Product Samba exists -- Samba 3.0.20-Debian
Vulnerable version of product Samba found -- Samba 3.0.20-Debian

192.168.0.102:445 Running CIFS service
Product Samba exists -- Samba 3.0.20-Debian
Vulnerable version of product Samba found -- Samba 3.0.20-Debian

References:

Source Reference

BID 22395

CVE CVE-2007-0452

DEBIAN DSA-1257

OSVDB 33100

OVAL OVAL9758

REDHAT RHSA-2007:0060

REDHAT RHSA-2007:0061

SGI 20070201-01-P

SUSE SUSE-SA:2007:016

URL http://www.samba.org/samba/security/CVE-2007-0452.html

XF 32301

Vulnerability Solution:
Samba < 3.0.24
Download and apply the upgrade from: https://ftp.samba.org/pub/samba/stable/samba-3.0.24.tar.gz
Alternatively, patches may be available at http://www.samba.org/samba/history/security.html. Although Samba provides source code, it
is recommended that you use your operating system's package manager to upgrade if possible. Please note that many operating
system vendors choose to apply the most recent Samba security patches to their distributions without changing the package version to
the most recent Samba version number. For the most reliable scan results, use correlation with authenticated scans.

3.2.4. SMB signing disabled (cifs-smb-signing-disabled)

Description:

This system does not allow SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity and helps
prevent man-in-the-middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least secure),
enabled, and required (most secure).

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:139 Negotiate protocol response's security mode 3 indicates that SMB signing is
disabled

192.168.0.102:445 Negotiate protocol response's security mode 3 indicates that SMB signing is
disabled

References:

Source Reference

URL http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this TechNet article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory

3.2.5. FTP credentials transmitted unencrypted (ftp-plaintext-auth)

Description:

The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to
intercept traffic between a client and this server, the credentials would be exposed.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:21 Running FTP service
Configuration item ftp.plaintext.authentication set to 'true' matched

References:
None

Vulnerability Solution:
Disable plaintext authentication methods or enable encryption for the FTP service. Refer to the software's documentation for specific
instructions.

3.2.6. PHP Multiple Vulnerabilities Fixed in version 5.2.5 (http-php-multiple-vulns-5-2-5)

Description:

PHP before 5.2.5 allows local users to bypass protection mechanisms configured through php_admin_value or php_admin_flag in
httpd.conf by using ini_set to modify arbitrary configuration variables, a different issue than CVE-2006-4625.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2007-5898

CVE CVE-2007-5899

CVE CVE-2007-5900

DEBIAN DSA-1444

OSVDB 38918

OVAL OVAL10080

OVAL OVAL11211

REDHAT RHSA-2008:0505

REDHAT RHSA-2008:0544

REDHAT RHSA-2008:0545

REDHAT RHSA-2008:0546

REDHAT RHSA-2008:0582

SUSE SUSE-SA:2008:004

URL http://www.php.net/releases/5_2_5.php

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.7. No authentication for single user mode (lilo-linux-single-user-mode)

Description:

Authorization is not enabled for the Linux single user mode. This means that an attacker with physical access to the machine can enter
single user mode (with root privileges) simply by typing 'linux single' at the LILO prompt or in the GRUB boot-editing menu. In Red Hat and
Fedora this authorization is disabled by default to help users with lost root passwords. In any case this is a clear security risk.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Authentication not enabled for single user mode in /etc/inittab

References:

Source Reference

BID 1005

CVE CVE-2000-0219

URL http://www.securityfocus.com/templates/archive.pike?list=1&[email protected]
u.au

Vulnerability Solution:
•Red Hat Linux >= 6, Oracle Linux >= 6, CentOS Linux >= 6
Enable authorization for linux single user mode
Refer to your vendor's documentation for exact details on enabling authorization for single user mode, however on RHEL 6+ and
variants this involves adding the following line to /etc/sysconfig/init:

SINGLE=/sbin/sulogin

•Enable authorization for linux single user mode
Refer to your vendor's documentation for exact details on enabling authorization for single user mode, however on systems that still
use /etc/inittab, this involves adding the following line:

~:S:wait:/sbin/sulogin

3.2.8. ICMP redirection enabled (linux-icmp-redirect)

Description:

By default, many Linux systems enable a feature called ICMP redirection, where the machine will alter its route table in response to an
ICMP redirect message from any network device.

There is a risk that this feature could be used to subvert a host's routing table in order to compromise its security (e.g., tricking it into
sending packets via a specific route where they may be sniffed or altered).

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 The net.ipv4.conf.all.accept_redirects sysctl variable is set to 1, expected 0.
The net.ipv4.conf.default.accept_redirects sysctl variable is set to 1, expected 0.
The net.ipv4.conf.all.secure_redirects sysctl variable is set to 1, expected 0.
The net.ipv4.conf.default.secure_redirects sysctl variable is set to 1, expected 0.

References:

Source Reference

BID 6823

MSKB 293626

XF cisco-ios-icmp-redirect(11306)

Vulnerability Solution:
Linux
Issue the following commands as root:
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
These settings can be added to /etc/sysctl.conf to make them permanent.

3.2.9. MySQL vio_verify_callback() Zero-Depth X.509 Certificate Vulnerability (mysql-vio_verify_callback-zero-depth-x-509-certificate)

Description:

The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used,
accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based
MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2009-4028

OVAL OVAL10940

OVAL OVAL8510

REDHAT RHSA-2010:0109

URL http://bugs.mysql.com/bug.php?id=47320

URL http://dev.mysql.com/doc/refman/5.0/en/news-5-0-88.html

URL http://dev.mysql.com/doc/refman/5.1/en/news-5-1-41.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.88
Upgrade to Oracle MySQL version 5.0.88
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.41
Upgrade to Oracle MySQL version 5.1.41
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.10. Oracle MySQL Vulnerability: CVE-2009-5026 (oracle-mysql-cve-2009-5026)

Description:

The executable comment feature in MySQL 5.0.x before 5.0.93 and 5.1.x before 5.1.50, when running in certain slave configurations in
which the slave is running a newer version than the master, allows remote attackers to execute arbitrary SQL commands via custom
comments.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2009-5026

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.93
Upgrade to Oracle MySQL version 5.0.93
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.50
Upgrade to Oracle MySQL version 5.1.50
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.11. PHP Vulnerability: CVE-2007-4889 (php-cve-2007-4889)

Description:

The MySQL extension in PHP 5.2.4 and earlier allows remote attackers to bypass safe_mode and open_basedir restrictions via the
MySQL (1) LOAD_FILE, (2) INTO DUMPFILE, and (3) INTO OUTFILE functions, a different issue than CVE-2007-3997.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2007-4889

XF 36555

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.12. PHP Vulnerability: CVE-2011-4718 (php-cve-2011-4718)

Description:

Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by
specifying a session ID.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2011-4718

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.2.13. USN-1009-1: GNU C Library vulnerabilities (ubuntu-usn-1009-1)

Description:

ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT
environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by
leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libc6 2.7-10ubuntu5

References:

Source Reference

BID 44154

BID 44347

CERT-VN 537223

CVE CVE-2010-3847

CVE CVE-2010-3856

DEBIAN DSA-2122

REDHAT RHSA-2010:0787

REDHAT RHSA-2010:0793

REDHAT RHSA-2010:0872

USN USN-1009-1

Vulnerability Solution:
•libc6 on Ubuntu Linux 10.04
Upgrade libc6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 10.10
Upgrade libc6 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 8.04
Upgrade libc6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 9.04
Upgrade libc6 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 9.10
Upgrade libc6 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libc6 to the latest version

3.2.14. USN-1042-1: PHP vulnerabilities (ubuntu-usn-1042-1)

Description:

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed
subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection
protection mechanisms via a crafted string.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu php5-cli 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2011-03-21-1

APPLE APPLE-SA-2011-10-12-3

BID 43926

BID 44605

BID 44718

BID 44723

BID 44727

BID 44889

BID 45119

BID 45668

CERT-VN 479900

CVE CVE-2009-5016

CVE CVE-2010-3436

CVE CVE-2010-3709

CVE CVE-2010-3710

CVE CVE-2010-3870

CVE CVE-2010-4156

CVE CVE-2010-4409

CVE CVE-2010-4645

REDHAT RHSA-2010:0919

REDHAT RHSA-2011:0195

REDHAT RHSA-2011:0196

USN USN-1042-1

XF 64470

Vulnerability Solution:
•libapache2-mod-php5 on Ubuntu Linux 10.04
Upgrade libapache2-mod-php5 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 10.10
Upgrade libapache2-mod-php5 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 8.04
Upgrade libapache2-mod-php5 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•libapache2-mod-php5 on Ubuntu Linux 9.10
Upgrade libapache2-mod-php5 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libapache2-mod-php5 to the latest version
•php5-cgi on Ubuntu Linux 10.04
Upgrade php5-cgi for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 10.10
Upgrade php5-cgi for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 8.04
Upgrade php5-cgi for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 9.10
Upgrade php5-cgi for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cli on Ubuntu Linux 10.04
Upgrade php5-cli for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 10.10
Upgrade php5-cli for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 8.04
Upgrade php5-cli for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 9.10
Upgrade php5-cli for Ubuntu 9.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version

3.2.15. USN-1102-1: tiff vulnerability (ubuntu-usn-1102-1)

Description:

Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote
attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libtiff4 3.8.2-7ubuntu3.4

References:

Source Reference

APPLE APPLE-SA-2012-02-01-1

APPLE APPLE-SA-2012-05-09-1

APPLE APPLE-SA-2012-09-19-1

BID 46951

CVE CVE-2011-1167

DEBIAN DSA-2210

OSVDB 71256

REDHAT RHSA-2011:0392

USN USN-1102-1

XF 66247

Vulnerability Solution:
•libtiff4 on Ubuntu Linux 10.04
Upgrade libtiff4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 10.10
Upgrade libtiff4 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 8.04
Upgrade libtiff4 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 9.10
Upgrade libtiff4 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version

3.2.16. USN-1113-1: Postfix vulnerabilities (ubuntu-usn-1113-1)

Description:

The postfix.postinst script in the Debian GNU/Linux and Ubuntu postfix 2.5.5 package grants the postfix user write access to
/var/spool/postfix/pid, which might allow local users to conduct symlink attacks that overwrite arbitrary files.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postfix 2.5.1-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

BID 46767

CERT-VN 555316

CVE CVE-2009-2939

CVE CVE-2011-0411

DEBIAN DSA-2233

OSVDB 71021

REDHAT RHSA-2011:0422

REDHAT RHSA-2011:0423

USN USN-1113-1

XF 65932

Vulnerability Solution:
•postfix on Ubuntu Linux 10.04
Upgrade postfix for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 10.10
Upgrade postfix for Ubuntu 10.10
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 8.04
Upgrade postfix for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 9.10
Upgrade postfix for Ubuntu 9.10
Use `apt-get upgrade` to upgrade postfix to the latest version

3.2.17. USN-1131-1: Postfix vulnerability (ubuntu-usn-1131-1)

Description:

The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10, 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL
authentication methods are enabled, does not create a new server handle after client authentication fails, which allows remote attackers
to cause a denial of service (heap memory corruption and daemon crash) or possibly execute arbitrary code via an invalid AUTH
command with one method followed by an AUTH command with a different method.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postfix 2.5.1-2ubuntu1

References:

Source Reference

BID 47778

CERT-VN 727230

CVE CVE-2011-1720

DEBIAN DSA-2233

OSVDB 72259

SUSE SUSE-SA:2011:023

USN USN-1131-1

XF 67359

Vulnerability Solution:
•postfix on Ubuntu Linux 10.04
Upgrade postfix for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 10.10
Upgrade postfix for Ubuntu 10.10
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 11.04
Upgrade postfix for Ubuntu 11.04
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 8.04
Upgrade postfix for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postfix to the latest version

3.2.18. USN-1140-1: PAM vulnerabilities (ubuntu-usn-1140-1)

Description:

pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking
application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid
program that relies on the pam_namespace PAM check, as demonstrated by the sudo program.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpam-modules 0.99.7.1-5ubuntu6

References:

Source Reference

BID 34010

BID 46045

CVE CVE-2009-0887

CVE CVE-2010-3316

CVE CVE-2010-3430

CVE CVE-2010-3431

CVE CVE-2010-3435

CVE CVE-2010-3853

CVE CVE-2010-4706

CVE CVE-2010-4707

DISA_SEVERITY Category I

DISA_VMSKEY V0027158

IAVM 2011-A-0066

REDHAT RHSA-2010:0819

REDHAT RHSA-2010:0891

USN USN-1140-1

XF 49110

XF 65035

XF 65036

Vulnerability Solution:
•libpam-modules on Ubuntu Linux 10.04
Upgrade libpam-modules for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libpam-modules to the latest version
•libpam-modules on Ubuntu Linux 10.10
Upgrade libpam-modules for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libpam-modules to the latest version
•libpam-modules on Ubuntu Linux 11.04
Upgrade libpam-modules for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libpam-modules to the latest version
•libpam-modules on Ubuntu Linux 8.04
Upgrade libpam-modules for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpam-modules to the latest version

3.2.19. USN-1172-1: logrotate vulnerabilities (ubuntu-usn-1172-1)

Description:

The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary
commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a
hostname or virtual machine name.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu logrotate 3.7.1-3

References:

Source Reference

BID 47167

CVE CVE-2011-1098

CVE CVE-2011-1154

CVE CVE-2011-1155

CVE CVE-2011-1548

REDHAT RHSA-2011:0407

USN USN-1172-1

Vulnerability Solution:
•logrotate on Ubuntu Linux 10.04
Upgrade logrotate for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade logrotate to the latest version
•logrotate on Ubuntu Linux 10.10
Upgrade logrotate for Ubuntu 10.10
Use `apt-get upgrade` to upgrade logrotate to the latest version
•logrotate on Ubuntu Linux 11.04
Upgrade logrotate for Ubuntu 11.04
Use `apt-get upgrade` to upgrade logrotate to the latest version
•logrotate on Ubuntu Linux 8.04
Upgrade logrotate for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade logrotate to the latest version

3.2.20. USN-1175-1: libpng vulnerabilities (ubuntu-usn-1175-1)

Description:

Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application
that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an
arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpng12-0 1.2.15~beta5-3ubuntu0.2

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

APPLE APPLE-SA-2012-05-09-1

BID 48474

BID 48618

BID 48660

CERT-VN 819894

CVE CVE-2011-2501

CVE CVE-2011-2690

CVE CVE-2011-2692

DEBIAN DSA-2287

REDHAT RHSA-2011:1103

REDHAT RHSA-2011:1104

REDHAT RHSA-2011:1105

USN USN-1175-1

XF 68517

XF 68536

XF 68538

Vulnerability Solution:
•libpng12-0 on Ubuntu Linux 10.04
Upgrade libpng12-0 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 10.10
Upgrade libpng12-0 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 11.04
Upgrade libpng12-0 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 8.04
Upgrade libpng12-0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version

3.2.21. USN-1237-1: PAM vulnerabilities (ubuntu-usn-1237-1)

Description:

Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10,
before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS,
and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.04 LTS, when using certain configurations such as "session optional pam_motd.so",
allows local users to gain privileges by modifying the PATH environment variable to reference a malicious command, as demonstrated
via uname.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpam-modules 0.99.7.1-5ubuntu6

References:

Source Reference

CVE CVE-2011-3148

CVE CVE-2011-3149

CVE CVE-2011-3628

USN USN-1237-1

Vulnerability Solution:
•libpam-modules on Ubuntu Linux 10.04
Upgrade libpam-modules for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libpam-modules to the latest version
•libpam-modules on Ubuntu Linux 10.10
Upgrade libpam-modules for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libpam-modules to the latest version
•libpam-modules on Ubuntu Linux 11.04
Upgrade libpam-modules for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libpam-modules to the latest version
•libpam-modules on Ubuntu Linux 11.10
Upgrade libpam-modules for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libpam-modules to the latest version
•libpam-modules on Ubuntu Linux 8.04
Upgrade libpam-modules for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpam-modules to the latest version

3.2.22. USN-1378-1: PostgreSQL vulnerabilities (ubuntu-usn-1378-1)

Description:

CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before
9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with
newlines, which are inserted into an SQL script that is used when the database is restored.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

CVE CVE-2012-0866

CVE CVE-2012-0867

CVE CVE-2012-0868

DEBIAN DSA-2418

REDHAT RHSA-2012:0677

REDHAT RHSA-2012:0678

USN USN-1378-1

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.4 on Ubuntu Linux 10.04
Upgrade postgresql-8.4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-8.4 on Ubuntu Linux 10.10
Upgrade postgresql-8.4 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-8.4 on Ubuntu Linux 11.04
Upgrade postgresql-8.4 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-9.1 on Ubuntu Linux 11.10
Upgrade postgresql-9.1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version

3.2.23. USN-1402-1: libpng vulnerability (ubuntu-usn-1402-1)

Description:

Integer signedness error in the png_inflate function in pngrutil.c in libpng before 1.4.10beta01, as used in Google Chrome before
17.0.963.83 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary
code via a crafted PNG file, a different vulnerability than CVE-2011-3026.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpng12-0 1.2.15~beta5-3ubuntu0.2

References:

Source Reference

CVE CVE-2011-3045

OVAL OVAL14763

REDHAT RHSA-2012:0488

USN USN-1402-1

Vulnerability Solution:
•libpng12-0 on Ubuntu Linux 10.04
Upgrade libpng12-0 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 10.10
Upgrade libpng12-0 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 11.04
Upgrade libpng12-0 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 11.10
Upgrade libpng12-0 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 8.04
Upgrade libpng12-0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version

3.2.24. USN-1416-1: tiff vulnerabilities (ubuntu-usn-1416-1)

Description:

Multiple integer overflows in tiff_getimage.c in LibTIFF 3.9.4 allow remote attackers to execute arbitrary code via a crafted tile size in a
TIFF file, which is not properly handled by the (1) gtTileSeparate or (2) gtStripSeparate function, leading to a heap-based buffer
overflow.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libtiff4 3.8.2-7ubuntu3.4

References:

Source Reference

APPLE APPLE-SA-2012-09-19-1

APPLE APPLE-SA-2012-09-19-2

BID 47338

BID 52891

CVE CVE-2010-4665

CVE CVE-2012-1173

DEBIAN DSA-2447

DEBIAN DSA-2552

OSVDB 81025

REDHAT RHSA-2012:0468

USN USN-1416-1

XF 74656

Vulnerability Solution:
•libtiff4 on Ubuntu Linux 10.04
Upgrade libtiff4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 10.10
Upgrade libtiff4 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 11.04
Upgrade libtiff4 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 11.10
Upgrade libtiff4 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 8.04
Upgrade libtiff4 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version

3.2.25. USN-1417-1: libpng vulnerability (ubuntu-usn-1417-1)

Description:

The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10
allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file,
which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libpng12-0 1.2.15~beta5-3ubuntu0.2

References:

Source Reference

APPLE APPLE-SA-2012-09-19-1

APPLE APPLE-SA-2012-09-19-2

BID 52830

CVE CVE-2011-3048

DEBIAN DSA-2446

OSVDB 80822

REDHAT RHSA-2012:0523

USN USN-1417-1

XF 74494

Vulnerability Solution:
•libpng12-0 on Ubuntu Linux 10.04
Upgrade libpng12-0 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 10.10
Upgrade libpng12-0 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 11.04
Upgrade libpng12-0 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 11.10
Upgrade libpng12-0 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version
•libpng12-0 on Ubuntu Linux 8.04
Upgrade libpng12-0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libpng12-0 to the latest version

3.2.26. USN-1442-1: Sudo vulnerability (ubuntu-usn-1442-1)

Description:

sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations that use a netmask syntax,
which allows local users to bypass intended command restrictions in opportunistic circumstances by executing a command on a host
that has an IPv4 address.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu sudo 1.6.9p10-1ubuntu3

References:

Source Reference

CVE CVE-2012-2337

DEBIAN DSA-2478

DISA_SEVERITY Category II

DISA_VMSKEY V0038876

IAVM 2013-B-0064

USN USN-1442-1

Vulnerability Solution:
•sudo on Ubuntu Linux 10.04
Upgrade sudo for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 11.04
Upgrade sudo for Ubuntu 11.04
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 11.10
Upgrade sudo for Ubuntu 11.10
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 12.04
Upgrade sudo for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 8.04
Upgrade sudo for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo-ldap on Ubuntu Linux 10.04
Upgrade sudo-ldap for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 11.04
Upgrade sudo-ldap for Ubuntu 11.04
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 11.10
Upgrade sudo-ldap for Ubuntu 11.10
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 12.04
Upgrade sudo-ldap for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 8.04
Upgrade sudo-ldap for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version

3.2.27. USN-1447-1: libxml2 vulnerability (ubuntu-usn-1447-1)

Description:

Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46 and other products, allows remote attackers to cause a
denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2013-09-18-2

APPLE APPLE-SA-2013-10-22-8

BID 53540

CVE CVE-2011-3102

DISA_SEVERITY Category I

DISA_VMSKEY V0036787

IAVM 2013-A-0031

REDHAT RHSA-2013:0217

USN USN-1447-1

Vulnerability Solution:
•libxml2 on Ubuntu Linux 10.04
Upgrade libxml2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.04
Upgrade libxml2 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.10
Upgrade libxml2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 12.04
Upgrade libxml2 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.2.28. USN-1451-1: OpenSSL vulnerabilities (ubuntu-usn-1451-1)

Description:

Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with
CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a
crafted TLS packet that is not properly handled during a certain explicit IV calculation.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu openssl 0.9.8g-4ubuntu3

References:

Source Reference

APPLE APPLE-SA-2013-06-04-1

BID 53476

CERT-VN 737740

CVE CVE-2012-0884

CVE CVE-2012-2333

DEBIAN DSA-2454

DEBIAN DSA-2475

REDHAT RHSA-2012:0488

REDHAT RHSA-2012:0531

REDHAT RHSA-2012:1306

REDHAT RHSA-2012:1307

REDHAT RHSA-2012:1308

USN USN-1451-1

XF 75525

Vulnerability Solution:
•libssl0.9.8 on Ubuntu Linux 10.04
Upgrade libssl0.9.8 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl0.9.8 on Ubuntu Linux 11.04
Upgrade libssl0.9.8 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl0.9.8 on Ubuntu Linux 8.04
Upgrade libssl0.9.8 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl1.0.0 on Ubuntu Linux 11.10
Upgrade libssl1.0.0 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libssl1.0.0 to the latest version
•libssl1.0.0 on Ubuntu Linux 12.04
Upgrade libssl1.0.0 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libssl1.0.0 to the latest version
•openssl on Ubuntu Linux 10.04
Upgrade openssl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 11.04
Upgrade openssl for Ubuntu 11.04
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 11.10
Upgrade openssl for Ubuntu 11.10
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 12.04
Upgrade openssl for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 8.04
Upgrade openssl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade openssl to the latest version

3.2.29. USN-1576-1: DBus vulnerability (ubuntu-usn-1576-1)

Description:

libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to
gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers
state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use
of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libdbus-1-3 1.1.20-1ubuntu1

References:

Source Reference

BID 55517

CVE CVE-2012-3524

REDHAT RHSA-2012:1261

USN USN-1576-1

Vulnerability Solution:
•dbus on Ubuntu Linux 10.04
Upgrade dbus for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade dbus to the latest version
•dbus on Ubuntu Linux 11.04
Upgrade dbus for Ubuntu 11.04
Use `apt-get upgrade` to upgrade dbus to the latest version
•dbus on Ubuntu Linux 11.10
Upgrade dbus for Ubuntu 11.10
Use `apt-get upgrade` to upgrade dbus to the latest version
•dbus on Ubuntu Linux 12.04
Upgrade dbus for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade dbus to the latest version
•dbus on Ubuntu Linux 8.04
Upgrade dbus for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade dbus to the latest version
•libdbus-1-3 on Ubuntu Linux 10.04
Upgrade libdbus-1-3 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 11.04
Upgrade libdbus-1-3 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 11.10
Upgrade libdbus-1-3 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 12.04
Upgrade libdbus-1-3 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 8.04
Upgrade libdbus-1-3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version

3.2.30. USN-1587-1: libxml2 vulnerability (ubuntu-usn-1587-1)

Description:

Multiple integer overflows in libxml2, as used in Google Chrome before 20.0.1132.43 and other products, on 64-bit Linux platforms
allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2013-09-18-2

APPLE APPLE-SA-2013-10-22-8

BID 54718

CVE CVE-2012-2807

DEBIAN DSA-2521

DISA_SEVERITY Category I

DISA_VMSKEY V0036787

IAVM 2013-A-0031

USN USN-1587-1

Vulnerability Solution:
•libxml2 on Ubuntu Linux 10.04
Upgrade libxml2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.04
Upgrade libxml2 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.10
Upgrade libxml2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 12.04
Upgrade libxml2 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.2.31. USN-1589-1: GNU C Library vulnerabilities (ubuntu-usn-1589-1)

Description:

The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly
restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the
FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a
crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404
and CVE-2012-3405.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libc6 2.7-10ubuntu5

References:

Source Reference

BID 54982

CVE CVE-2012-3404

CVE CVE-2012-3405

CVE CVE-2012-3406

CVE CVE-2012-3480

OSVDB 84710

REDHAT RHSA-2012:1097

REDHAT RHSA-2012:1098

REDHAT RHSA-2012:1185

REDHAT RHSA-2012:1200

REDHAT RHSA-2012:1207

REDHAT RHSA-2012:1208

REDHAT RHSA-2012:1262

REDHAT RHSA-2012:1325

USN USN-1589-1

Vulnerability Solution:
•libc6 on Ubuntu Linux 10.04
Upgrade libc6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 11.04
Upgrade libc6 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 11.10
Upgrade libc6 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 12.04
Upgrade libc6 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 8.04
Upgrade libc6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version

3.2.32. USN-1613-1: Python 2.5 vulnerabilities (ubuntu-usn-1613-1)

Description:

Untrusted search path vulnerability in the PySys_SetArgv API function in Python 2.6 and earlier, and possibly later versions, prepends
an empty string to sys.path when the argv[0] argument does not contain a path separator, which might allow local users to execute
arbitrary code via a Trojan horse Python file in the current working directory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu python2.5-minimal 2.5.2-2ubuntu6.1

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

APPLE APPLE-SA-2013-10-22-3

BID 40370

BID 40863

BID 44533

BID 46541

BID 52379

BID 54083

CVE CVE-2008-5983

CVE CVE-2010-1634

CVE CVE-2010-2089

CVE CVE-2010-3493

CVE CVE-2011-1015

CVE CVE-2011-1521

CVE CVE-2011-4940

CVE CVE-2011-4944

CVE CVE-2012-0845

CVE CVE-2012-0876

CVE CVE-2012-1148

DEBIAN DSA-2525

DISA_SEVERITY Category I

DISA_VMSKEY V0031252

DISA_VMSKEY V0035032

IAVM 2012-A-0020

IAVM 2012-A-0189

OVAL OVAL12210

REDHAT RHSA-2011:0027

REDHAT RHSA-2012:0731

USN USN-1613-1

Vulnerability Solution:
•python2.5 on Ubuntu Linux 8.04
Upgrade python2.5 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade python2.5 to the latest version
•python2.5-minimal on Ubuntu Linux 8.04
Upgrade python2.5-minimal for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade python2.5-minimal to the latest version

3.2.33. USN-1631-1: LibTIFF vulnerabilities (ubuntu-usn-1631-1)

Description:

ppm2tiff does not check the return value of the TIFFScanlineSize function, which allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a crafted PPM image that triggers an integer overflow, a zero-memory allocation, and a
heap-based buffer overflow.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libtiff4 3.8.2-7ubuntu3.4

References:

Source Reference

BID 55673

BID 56372

CVE CVE-2012-4447

CVE CVE-2012-4564

DEBIAN DSA-2561

DEBIAN DSA-2575

DISA_SEVERITY Category I

DISA_VMSKEY V0036903

IAVM 2013-A-0048

OSVDB 86878

REDHAT RHSA-2012:1590

USN USN-1631-1

XF 79750

Vulnerability Solution:
•libtiff4 on Ubuntu Linux 10.04
Upgrade libtiff4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 11.10
Upgrade libtiff4 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 12.04
Upgrade libtiff4 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 8.04
Upgrade libtiff4 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff5 on Ubuntu Linux 12.10
Upgrade libtiff5 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade libtiff5 to the latest version

3.2.34. USN-1655-1: LibTIFF vulnerability (ubuntu-usn-1655-1)

Description:

Stack-based buffer overflow in tif_dir.c in LibTIFF before 4.0.2 allows remote attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a crafted DOTRANGE tag in a TIFF image.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libtiff4 3.8.2-7ubuntu3.4

References:

Source Reference

BID 56715

CVE CVE-2012-5581

REDHAT RHSA-2012:1590

USN USN-1655-1

XF 80339

Vulnerability Solution:
•libtiff4 on Ubuntu Linux 10.04
Upgrade libtiff4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 11.10
Upgrade libtiff4 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 12.04
Upgrade libtiff4 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 8.04
Upgrade libtiff4 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version

3.2.35. USN-1656-1: Libxml2 vulnerability (ubuntu-usn-1656-1)

Description:

Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google
Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary
code via crafted entities in an XML document.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2013-09-18-2

APPLE APPLE-SA-2013-10-22-8

BID 56684

CVE CVE-2012-5134

DEBIAN DSA-2580

REDHAT RHSA-2012:1512

REDHAT RHSA-2013:0217

USN USN-1656-1

XF 80294

Vulnerability Solution:
•libxml2 on Ubuntu Linux 10.04
Upgrade libxml2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.10
Upgrade libxml2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 12.04
Upgrade libxml2 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 12.10
Upgrade libxml2 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.2.36. USN-1717-1: PostgreSQL vulnerability (ubuntu-usn-1717-1)

Description:

PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly
declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote
authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which
triggers an array index error and an out-of-bounds read.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

BID 57844

CVE CVE-2013-0255

DEBIAN DSA-2630

OSVDB 89935

REDHAT RHSA-2013:1475

USN USN-1717-1

XF 81917

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.4 on Ubuntu Linux 10.04
Upgrade postgresql-8.4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-9.1 on Ubuntu Linux 11.10
Upgrade postgresql-9.1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version
•postgresql-9.1 on Ubuntu Linux 12.04
Upgrade postgresql-9.1 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version
•postgresql-9.1 on Ubuntu Linux 12.10
Upgrade postgresql-9.1 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version

3.2.37. USN-1754-1: Sudo vulnerability (ubuntu-usn-1754-1)

Description:

sudo 1.6.0 through 1.7.10p6 and sudo 1.8.0 through 1.8.6p6 allows local users or physically proximate attackers to bypass intended
time restrictions and retain privileges without re-authenticating by setting the system clock and sudo user timestamp to the epoch.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu sudo 1.6.9p10-1ubuntu3

References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

CVE CVE-2013-1775

DEBIAN DSA-2642

OSVDB 90677

REDHAT RHSA-2013:1353

REDHAT RHSA-2013:1701

USN USN-1754-1

Vulnerability Solution:
•sudo on Ubuntu Linux 10.04
Upgrade sudo for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 11.10
Upgrade sudo for Ubuntu 11.10
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 12.04
Upgrade sudo for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 12.10
Upgrade sudo for Ubuntu 12.10
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 8.04
Upgrade sudo for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo-ldap on Ubuntu Linux 10.04
Upgrade sudo-ldap for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 11.10
Upgrade sudo-ldap for Ubuntu 11.10
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 12.04
Upgrade sudo-ldap for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 12.10
Upgrade sudo-ldap for Ubuntu 12.10
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 8.04
Upgrade sudo-ldap for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version

3.2.38. USN-695-1: shadow vulnerability (ubuntu-usn-695-1)

Description:

/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to
overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu login 1:4.0.18.2-1ubuntu2

References:

Source Reference

BID 32552

CVE CVE-2008-5394

OSVDB 52200

USN USN-695-1

XF 47037

Vulnerability Solution:
•login on Ubuntu Linux 7.10
Upgrade login for Ubuntu 7.10
Use `apt-get upgrade` to upgrade login to the latest version
•login on Ubuntu Linux 8.04
Upgrade login for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade login to the latest version
•login on Ubuntu Linux 8.10
Upgrade login for Ubuntu 8.10
Use `apt-get upgrade` to upgrade login to the latest version

3.2.39. USN-722-1: sudo vulnerability (ubuntu-usn-722-1)

Description:

parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during
authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain
root privileges via a sudo command.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu sudo 1.6.9p10-1ubuntu3

References:

Source Reference

BID 33517

CVE CVE-2009-0034

OSVDB 51736

OVAL OVAL10856

OVAL OVAL6462

REDHAT RHSA-2009:0267

USN USN-722-1

Vulnerability Solution:
•sudo on Ubuntu Linux 8.04
Upgrade sudo for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 8.10
Upgrade sudo for Ubuntu 8.10
Use `apt-get upgrade` to upgrade sudo to the latest version

3.2.40. USN-726-1: curl vulnerability (ubuntu-usn-726-1)

Description:

The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary
Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite
arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libcurl3-gnutls 7.18.0-1ubuntu2

References:

Source Reference

APPLE APPLE-SA-2010-03-29-1

BID 33962

CVE CVE-2009-0037

DEBIAN DSA-1738

OVAL OVAL11054

OVAL OVAL6074

REDHAT RHSA-2009:0341

USN USN-726-1

XF 49030

Vulnerability Solution:
•libcurl3 on Ubuntu Linux 7.10
Upgrade libcurl3 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 8.04
Upgrade libcurl3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 8.10
Upgrade libcurl3 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3-gnutls on Ubuntu Linux 7.10
Upgrade libcurl3-gnutls for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libcurl3-gnutls to the latest version
•libcurl3-gnutls on Ubuntu Linux 8.04
Upgrade libcurl3-gnutls for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libcurl3-gnutls to the latest version
•libcurl3-gnutls on Ubuntu Linux 8.10
Upgrade libcurl3-gnutls for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libcurl3-gnutls to the latest version

3.2.41. USN-732-1: dash vulnerability (ubuntu-usn-732-1)

Description:

Untrusted search path vulnerability in dash 0.5.4, when used as a login shell, allows local users to execute arbitrary code via a Trojan
horse .profile file in the current working directory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu dash 0.5.4-8ubuntu1

References:

Source Reference

BID 34092

CVE CVE-2009-0854

USN USN-732-1

XF 49216

Vulnerability Solution:
•dash on Ubuntu Linux 8.04
Upgrade dash for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade dash to the latest version
•dash on Ubuntu Linux 8.10
Upgrade dash for Ubuntu 8.10
Use `apt-get upgrade` to upgrade dash to the latest version

3.2.42. USN-758-1: udev vulnerabilities (ubuntu-usn-758-1)

Description:

udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges
by sending a NETLINK message from user space.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu udev 117-8

References:

Source Reference

BID 34536

BID 34539

CVE CVE-2009-1185

CVE CVE-2009-1186

DEBIAN DSA-1772

OVAL OVAL10925

OVAL OVAL5975

REDHAT RHSA-2009:0427

SUSE SUSE-SA:2009:020

SUSE SUSE-SA:2009:025

USN USN-758-1

Vulnerability Solution:
•udev on Ubuntu Linux 7.10
Upgrade udev for Ubuntu 7.10
Use `apt-get upgrade` to upgrade udev to the latest version
•udev on Ubuntu Linux 8.04
Upgrade udev for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade udev to the latest version
•udev on Ubuntu Linux 8.10
Upgrade udev for Ubuntu 8.10
Use `apt-get upgrade` to upgrade udev to the latest version

3.2.43. USN-778-1: cron vulnerability (ubuntu-usn-778-1)

Description:

do_command.c in Vixie cron (vixie-cron) 4.1 does not check the return code of a setuid call, which might allow local users to gain root
privileges if setuid fails in cases such as PAM failures or resource limits, as originally demonstrated by a program that exceeds the
process limits as defined in /etc/security/limits.conf.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu cron 3.0pl1-100ubuntu2

References:

Source Reference

BID 18108

CVE CVE-2006-2607

OVAL OVAL10213

REDHAT RHSA-2006:0539

SUSE SUSE-SA:2006:027

USN USN-778-1

XF 26691

Vulnerability Solution:
•cron on Ubuntu Linux 8.04
Upgrade cron for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade cron to the latest version
•cron on Ubuntu Linux 8.10
Upgrade cron for Ubuntu 8.10
Use `apt-get upgrade` to upgrade cron to the latest version
•cron on Ubuntu Linux 9.04
Upgrade cron for Ubuntu 9.04
Use `apt-get upgrade` to upgrade cron to the latest version

3.2.44. USN-834-1: PostgreSQL vulnerabilities (ubuntu-usn-834-1)

Description:

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous
binds, allows remote attackers to bypass authentication via an empty password.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

BID 36314

CVE CVE-2009-3229

CVE CVE-2009-3230

CVE CVE-2009-3231

DEBIAN DSA-1900

OVAL OVAL10166

USN USN-834-1

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.3 on Ubuntu Linux 8.10
Upgrade postgresql-8.3 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.3 on Ubuntu Linux 9.04
Upgrade postgresql-8.3 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version

3.2.45. USN-842-1: Wget vulnerability (ubuntu-usn-842-1)

Description:

GNU Wget before 1.12 does not properly handle a '\0' character in a domain name in the Common Name field of an X.509 certificate,
which allows man-in-the-middle remote attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate
Certification Authority, a related issue to CVE-2009-2408.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu wget 1.10.2-3ubuntu1

References:

Source Reference

BID 36205

CVE CVE-2009-3490

OVAL OVAL11099

USN USN-842-1

Vulnerability Solution:
•wget on Ubuntu Linux 8.04
Upgrade wget for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade wget to the latest version
•wget on Ubuntu Linux 8.10
Upgrade wget for Ubuntu 8.10
Use `apt-get upgrade` to upgrade wget to the latest version
•wget on Ubuntu Linux 9.04
Upgrade wget for Ubuntu 9.04
Use `apt-get upgrade` to upgrade wget to the latest version

3.2.46. USN-876-1: PostgreSQL vulnerabilities (ubuntu-usn-876-1)

Description:

PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2
does not properly manage session-local state during execution of an index function by a database superuser, which allows remote
authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path
or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

BID 37333

BID 37334

CVE CVE-2009-4034

CVE CVE-2009-4136

OSVDB 61038

OSVDB 61039

OVAL OVAL9358

REDHAT RHSA-2010:0427

REDHAT RHSA-2010:0428

REDHAT RHSA-2010:0429

USN USN-876-1

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.3 on Ubuntu Linux 8.10
Upgrade postgresql-8.3 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.3 on Ubuntu Linux 9.04
Upgrade postgresql-8.3 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.4 on Ubuntu Linux 9.10
Upgrade postgresql-8.4 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version

3.2.47. USN-889-1: gzip vulnerabilities (ubuntu-usn-889-1)

Description:

Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others,
allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that
uses LZW compression, leading to an array index error.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu gzip 1.3.12-3.2

References:

Source Reference

APPLE APPLE-SA-2010-11-10-1

CVE CVE-2009-2624

CVE CVE-2010-0001

DEBIAN DSA-1974

DEBIAN DSA-2074

OSVDB 61869

OVAL OVAL10546

OVAL OVAL7511

REDHAT RHSA-2010:0061

REDHAT RHSA-2010:0095

SUSE SUSE-SA:2010:008

USN USN-889-1

Vulnerability Solution:
•gzip on Ubuntu Linux 8.04
Upgrade gzip for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade gzip to the latest version
•gzip on Ubuntu Linux 8.10
Upgrade gzip for Ubuntu 8.10
Use `apt-get upgrade` to upgrade gzip to the latest version
•gzip on Ubuntu Linux 9.04
Upgrade gzip for Ubuntu 9.04
Use `apt-get upgrade` to upgrade gzip to the latest version
•gzip on Ubuntu Linux 9.10
Upgrade gzip for Ubuntu 9.10
Use `apt-get upgrade` to upgrade gzip to the latest version

3.2.48. USN-905-1: sudo vulnerabilities (ubuntu-usn-905-1)

Description:

sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the
pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted
executable file, as demonstrated by a file named sudoedit in a user's home directory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu sudo 1.6.9p10-1ubuntu3

References:

Source Reference

BID 38362

CVE CVE-2010-0426

CVE CVE-2010-0427

DEBIAN DSA-2006

OVAL OVAL10814

OVAL OVAL10946

OVAL OVAL7216

OVAL OVAL7238

USN USN-905-1

Vulnerability Solution:
•sudo on Ubuntu Linux 8.04
Upgrade sudo for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 8.10
Upgrade sudo for Ubuntu 8.10
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 9.04
Upgrade sudo for Ubuntu 9.04
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 9.10
Upgrade sudo for Ubuntu 9.10
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo-ldap on Ubuntu Linux 8.04
Upgrade sudo-ldap for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 8.10
Upgrade sudo-ldap for Ubuntu 8.10
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 9.04
Upgrade sudo-ldap for Ubuntu 9.04
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 9.10
Upgrade sudo-ldap for Ubuntu 9.10
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version

3.2.49. USN-933-1: PostgreSQL vulnerability (ubuntu-usn-933-1)

Description:

The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause
a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as
demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1


References:

Source Reference

BID 37973

CVE CVE-2010-0442

DEBIAN DSA-2051

OVAL OVAL9720

REDHAT RHSA-2010:0427

REDHAT RHSA-2010:0428

REDHAT RHSA-2010:0429

USN USN-933-1

XF 55902

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.3 on Ubuntu Linux 9.04
Upgrade postgresql-8.3 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.4 on Ubuntu Linux 9.10
Upgrade postgresql-8.4 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version

3.2.50. USN-950-1: MySQL vulnerabilities (ubuntu-usn-950-1)

Description:

Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass
intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot)
in a table name.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu mysql-server-5.0 5.0.51a-3ubuntu5

References:

Source Reference

APPLE APPLE-SA-2010-11-10-1

BID 39543

BID 40257

CVE CVE-2010-1621

CVE CVE-2010-1626

CVE CVE-2010-1848

CVE CVE-2010-1849

CVE CVE-2010-1850

OVAL OVAL10258

OVAL OVAL10846

OVAL OVAL6693

OVAL OVAL7210

OVAL OVAL7328

OVAL OVAL9490

REDHAT RHSA-2010:0442

REDHAT RHSA-2010:0824

USN USN-950-1

Vulnerability Solution:
•mysql-server-5.0 on Ubuntu Linux 8.04
Upgrade mysql-server-5.0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.0 on Ubuntu Linux 9.04
Upgrade mysql-server-5.0 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.1 on Ubuntu Linux 10.04
Upgrade mysql-server-5.1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 9.10
Upgrade mysql-server-5.1 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version

3.2.51. USN-954-1: tiff vulnerabilities (ubuntu-usn-954-1)

Description:

Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to
cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libtiff4 3.8.2-7ubuntu3.4

References:

Source Reference

APPLE APPLE-SA-2010-06-15-1

APPLE APPLE-SA-2010-06-16-1

BID 40823

CVE CVE-2010-1411

CVE CVE-2010-2065

CVE CVE-2010-2067

OSVDB 65676

REDHAT RHSA-2010:0519

REDHAT RHSA-2010:0520

USN USN-954-1

Vulnerability Solution:
•libtiff4 on Ubuntu Linux 10.04
Upgrade libtiff4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 8.04
Upgrade libtiff4 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 9.04
Upgrade libtiff4 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libtiff4 to the latest version
•libtiff4 on Ubuntu Linux 9.10
Upgrade libtiff4 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libtiff4 to the latest version

3.2.52. USN-963-1: FreeType vulnerabilities (ubuntu-usn-963-1)

Description:

Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application
crash) or possibly execute arbitrary code via a crafted font file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libfreetype6 2.3.5-1ubuntu4.8.04.2

References:

Source Reference

APPLE APPLE-SA-2010-11-10-1

CVE CVE-2010-2498

CVE CVE-2010-2499

CVE CVE-2010-2500

CVE CVE-2010-2519

CVE CVE-2010-2520

CVE CVE-2010-2527

DEBIAN DSA-2070

REDHAT RHSA-2010:0577

REDHAT RHSA-2010:0578

USN USN-963-1

Vulnerability Solution:
•libfreetype6 on Ubuntu Linux 10.04
Upgrade libfreetype6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 8.04
Upgrade libfreetype6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 9.04
Upgrade libfreetype6 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 9.10
Upgrade libfreetype6 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version

3.2.53. USN-967-1: w3m vulnerability (ubuntu-usn-967-1)

Description:

istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a
domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a
related issue to CVE-2009-2408.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu w3m 0.5.1-5.1ubuntu1

References:

Source Reference

BID 40837

CVE CVE-2010-2074

OSVDB 65538

REDHAT RHSA-2010:0565

USN USN-967-1

Vulnerability Solution:
•w3m on Ubuntu Linux 10.04
Upgrade w3m for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade w3m to the latest version
•w3m on Ubuntu Linux 8.04
Upgrade w3m for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade w3m to the latest version
•w3m on Ubuntu Linux 9.04
Upgrade w3m for Ubuntu 9.04
Use `apt-get upgrade` to upgrade w3m to the latest version
•w3m on Ubuntu Linux 9.10
Upgrade w3m for Ubuntu 9.10
Use `apt-get upgrade` to upgrade w3m to the latest version

3.2.54. USN-981-1: libwww-perl vulnerability (ubuntu-usn-981-1)

Description:

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows
remote servers to create or overwrite files via (1) a 3xx redirect to a URL with a crafted filename or (2) a Content-Disposition header
that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libwww-perl 5.808-1

References:

Source Reference

CVE CVE-2010-2253

USN USN-981-1

Vulnerability Solution:
•libwww-perl on Ubuntu Linux 10.04
Upgrade libwww-perl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libwww-perl to the latest version
•libwww-perl on Ubuntu Linux 8.04
Upgrade libwww-perl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libwww-perl to the latest version
•libwww-perl on Ubuntu Linux 9.04
Upgrade libwww-perl for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libwww-perl to the latest version
•libwww-perl on Ubuntu Linux 9.10
Upgrade libwww-perl for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libwww-perl to the latest version

3.2.55. USN-982-1: Wget vulnerability (ubuntu-usn-982-1)

Description:

GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a
download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed
by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a
home directory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu wget 1.10.2-3ubuntu1

References:

Source Reference

CVE CVE-2010-2252

REDHAT RHSA-2014:0151

USN USN-982-1

Vulnerability Solution:
•wget on Ubuntu Linux 10.04
Upgrade wget for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade wget to the latest version
•wget on Ubuntu Linux 8.04
Upgrade wget for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade wget to the latest version
•wget on Ubuntu Linux 9.04
Upgrade wget for Ubuntu 9.04
Use `apt-get upgrade` to upgrade wget to the latest version
•wget on Ubuntu Linux 9.10
Upgrade wget for Ubuntu 9.10
Use `apt-get upgrade` to upgrade wget to the latest version

3.2.56. Anonymous root login is allowed (unix-anonymous-root-logins)

Description:

Anonymous root logins should only be allowed from the system console. /etc/securetty lets you specify the ttys and virtual
consoles on which root is allowed to log in. Root can log in only on the ttys and virtual consoles listed in this file; on any other tty or
virtual console, root login is not allowed and the user has to "su" to become root.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Following entries in /etc/securetty may allow anonymous root logins:
ttyS0 tts/0 xvc0 hvc0
pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 pts/10 pts/11 pts/12 pts/13 pts/14 pts/15 pts/16
pts/17 pts/18 pts/19 pts/20 pts/21 pts/22 pts/23 pts/24 pts/25 pts/26 pts/27 pts/28 pts/29 pts/30 pts/31 pts/32
pts/33 pts/34 pts/35 pts/36 pts/37 pts/38 pts/39 pts/40 pts/41 pts/42 pts/43 pts/44 pts/45 pts/46 pts/47 pts/48
pts/49 pts/50 pts/51 pts/52 pts/53 pts/54 pts/55 pts/56 pts/57 pts/58 pts/59 pts/60 pts/61 pts/62 pts/63 pts/64
pts/65 pts/66 pts/67 pts/68 pts/69 pts/70 pts/71 pts/72 pts/73 pts/74 pts/75 pts/76 pts/77 pts/78 pts/79 pts/80
pts/81 pts/82 pts/83 pts/84 pts/85 pts/86 pts/87 pts/88 pts/89 pts/90 pts/91 pts/92 pts/93 pts/94 pts/95 pts/96
pts/97 pts/98 pts/99 pts/100 pts/101 pts/102 pts/103 pts/104 pts/105 pts/106 pts/107 pts/108 pts/109 pts/110 pts/111 pts/112
pts/113 pts/114 pts/115 pts/116 pts/117 pts/118 pts/119 pts/120 pts/121 pts/122 pts/123 pts/124 pts/125 pts/126 pts/127 pts/128
rsh rlogin

References:
None

Vulnerability Solution:
Remove all the entries in /etc/securetty except console, tty[0-9]* and vc\[0-9]*
Note: ssh does not use /etc/securetty. To disable root login through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config and
restart the ssh daemon.

3.2.57. CIFS Share Writeable By Everyone (cifs-share-world-writeable)

Description:

A share was found which allows write access by anyone. The impact of this vulnerability could include:
•Total system compromise (if the share point allows write access to critical system files)
•Untraceable modification of important data
•Denial of service by filling up the disk

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Successfully opened share "tmp" with write permissions.

References:

Source Reference

CVE CVE-1999-0520

Vulnerability Solution:
Adjust the share permissions to restrict access to only those members of the organization who need the data. It is considered bad
practice to grant the "Everyone", "Guest", or "Authenticated Users" groups read or write access to a share.

3.2.58. SMB signing not required (cifs-smb-signing-not-required)

Description:

This system enables, but does not require SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity
and helps prevent man in the middle attacks against SMB. SMB signing can be configured in one of three ways: disabled entirely (least
secure), enabled, and required (most secure).

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:139 Negotiate protocol response's security mode 3 indicates that SMB signing is not
required

192.168.0.102:445 Negotiate protocol response's security mode 3 indicates that SMB signing is not
required

References:

Source Reference

URL http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this TechNet article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory

3.2.59. ISC BIND: Key algorithm rollover bug in BIND 9 (CVE-2010-3614) (dns-bind-cve-2010-3614)

Description:

named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not
properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to
cause a denial of service (DNSSEC validation error) by triggering a rollover.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

BID 45137

CERT-VN 837744

CVE CVE-2010-3614

DEBIAN DSA-2130

OSVDB 69559

REDHAT RHSA-2010:0975

REDHAT RHSA-2010:0976

URL https://kb.isc.org/article/AA-00936/0

URL https://kb.isc.org/article/AA-00936/187/CVE-2010-3614%3A-Key-algorithm-rollover-bug-in-bind9.html

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.2.60. HTTP TRACE Method Enabled (http-trace-method-enabled)

Description:

The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes.
An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE request and capture the
client's cookies. This effectively results in a Cross-Site Scripting attack.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
HTTP TRACE request to http://192.168.0.102/
3: TRACE / HTTP/1.1
4: Host: 192.168.0.102
3: Cookie: vulnerable=yes

References:

Source Reference

APPLE APPLE-SA-2009-11-09-1

BID 15222

BID 19915

BID 24456

BID 36956

BID 9506

CERT-VN 867593

CVE CVE-2004-2320

CVE CVE-2004-2763

CVE CVE-2005-3398

CVE CVE-2006-4683

CVE CVE-2007-3008

CVE CVE-2008-7253

CVE CVE-2009-2823

CVE CVE-2010-0386

DISA_SEVERITY Category II

DISA_VMSKEY V0011706

IAVM 2005-T-0043

OSVDB 35511

OSVDB 3726

OVAL OVAL1445

URL http://www.apacheweek.com/issues/03-01-24#news

URL http://www.kb.cert.org/vuls/id/867593

XF 14959

XF 34854

Vulnerability Solution:
•Apache HTTPD
Disable HTTP TRACE Method for Apache
Newer versions of Apache (1.3.34 and 2.0.55 and later) provide a configuration directive called TraceEnable. To deny TRACE
requests, add the following line to the server configuration:
TraceEnable off
For older versions of the Apache webserver, use the mod_rewrite module to deny the TRACE requests:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

•IIS, PWS, Microsoft-IIS, Internet Information Services, Internet Information Services, Microsoft-PWS
Disable HTTP TRACE Method for Microsoft IIS
For Microsoft Internet Information Services (IIS), you may use the URLScan tool, freely available at
http://www.microsoft.com/technet/security/tools/urlscan.mspx

•Java System Web Server, SunONE WebServer, Sun-ONE-Web-Server, iPlanet


Disable HTTP TRACE Method for SunONE/iPlanet
•For Sun ONE/iPlanet Web Server v6.0 SP2 and later, add the following configuration to the top of the default object in the 'obj.conf'
file:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>
You must then restart the server for the changes to take effect.
•For Sun ONE/iPlanet Web Server prior to v6.0 SP2, follow the instructions provided in the 'Relief/Workaround' section of Sun's official
advisory: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

•Lotus Domino
Disable HTTP TRACE Method for Domino
Follow IBM's instructions for disabling HTTP methods on the Domino server by adding the following line to the server's NOTES.INI file:
HTTPDisableMethods=TRACE
After saving NOTES.INI, restart the Notes web server by issuing the console command "tell http restart".

3.2.61. MySQL Bug #29801: Remote Federated Engine Crash (mysql-bug-29801-remote-federated-engine-crash)

Description:

Versions of MySQL server before 5.0.52 and 5.1.23 suffer from a denial of service vulnerability via a flaw in the federated engine. On
issuance of a command to a remote server (e.g., SHOW TABLE STATUS LIKE 'table'), the local federated server expects a query to
contain fourteen columns. A response with fewer than fourteen columns causes the federated server to crash.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

URL http://bugs.mysql.com/bug.php?id=29801

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.52
Upgrade to Oracle MySQL version 5.0.52
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.23


Upgrade to Oracle MySQL version 5.1.23
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.62. MySQL Bug #32707: send_error() Buffer Overflow Vulnerability (mysql-bug-32707-send-error-bof)

Description:

MySQL 5.0 through 5.0.54 and 5.1 before 5.1.23 contain a flaw in the protocol layer. A long error message can
cause a buffer overflow, potentially leading to execution of code.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

URL http://bugs.mysql.com/bug.php?id=32707

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.54
Upgrade to Oracle MySQL version 5.0.54
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.23


Upgrade to Oracle MySQL version 5.1.23
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.63. MySQL Bug #37428: User-Defined Function Remote Code Execution (mysql-bug-37428-user-defind-function-remote-codex)

Description:

MySQL server 5.0 before 5.0.67 contains a flaw in creating and dropping certain functions. Using MySQL's user-defined functions, an
authenticated attacker can create a function in a shared library and run arbitrary code against the server.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

URL http://bugs.mysql.com/bug.php?id=37428

Vulnerability Solution:
Oracle MySQL >= 5.0 and < 5.0.67
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.64. MySQL Bug #38296: Nested Boolean Query Exhaustion Denial of Service (mysql-bug-38296-nested-boolean-query-exhaustion-dos)

Description:

There is a flaw in parsing queries in MySQL 5.0 before 5.0.68 and MySQL 5.1 before 5.1.28. An attacker can potentially cause the
server to crash by sending a query with multiple nested logic operators, e.g. 'SELECT * FROM TABLE WHERE ... OR ( ... OR ( ... OR (
...' etc.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

URL http://bugs.mysql.com/bug.php?id=38296

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.68
Upgrade to Oracle MySQL version 5.0.68
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.28


Upgrade to Oracle MySQL version 5.1.28
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.65. Oracle MySQL Vulnerability: CVE-2012-0113 (oracle-mysql-cve-2012-0113)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0118.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0113

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.66. PHP Vulnerability: CVE-2010-1861 (php-cve-2010-1861)

Description:

The sysvshm extension for PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to write to arbitrary
memory addresses by using an object's __sleep function to interrupt an internal call to the shm_put_var function, which triggers access
of a freed resource.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-1861

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.67. PHP Vulnerability: CVE-2010-2191 (php-cve-2010-2191)

Description:

The (1) parse_str, (2) preg_match, (3) unpack, and (4) pack functions; the (5) ZEND_FETCH_RW, (6) ZEND_CONCAT, and (7)
ZEND_ASSIGN_CONCAT opcodes; and the (8) ArrayObject::uasort method in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow
context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace
interruption of an internal function or handler. NOTE: vectors 2 through 4 are related to the call time pass by reference feature.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-2191

XF 59221

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.68. PHP Vulnerability: CVE-2012-1172 (php-cve-2012-1172)

Description:

The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in
name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory
traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

CVE CVE-2012-1172

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.2.69. USN-1045-1: FUSE vulnerability (ubuntu-usn-1045-1)

Description:

FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any
filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than
CVE-2010-0789.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu fuse-utils 2.7.2-1ubuntu2

References:

Source Reference

BID 44623

CVE CVE-2010-3879

OSVDB 70520

USN USN-1045-1

XF 62986

Vulnerability Solution:
•fuse-utils on Ubuntu Linux 10.04
Upgrade fuse-utils for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 10.10
Upgrade fuse-utils for Ubuntu 10.10
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 8.04
Upgrade fuse-utils for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 9.10
Upgrade fuse-utils for Ubuntu 9.10
Use `apt-get upgrade` to upgrade fuse-utils to the latest version

3.2.70. USN-1307-1: PHP vulnerability (ubuntu-usn-1307-1)

Description:

Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows
remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an
EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu php5-cli 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2012-05-09-1

BID 50907

CVE CVE-2011-4566

DEBIAN DSA-2399

REDHAT RHSA-2012:0019

REDHAT RHSA-2012:0071

USN USN-1307-1

XF 71612

Vulnerability Solution:
•php5-cgi on Ubuntu Linux 10.04
Upgrade php5-cgi for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 10.10
Upgrade php5-cgi for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.04
Upgrade php5-cgi for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cgi on Ubuntu Linux 11.10
Upgrade php5-cgi for Ubuntu 11.10

Use `apt-get upgrade` to upgrade php5-cgi to the latest version


•php5-cgi on Ubuntu Linux 8.04
Upgrade php5-cgi for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cgi to the latest version
•php5-cli on Ubuntu Linux 10.04
Upgrade php5-cli for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 10.10
Upgrade php5-cli for Ubuntu 10.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 11.04
Upgrade php5-cli for Ubuntu 11.04
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 11.10
Upgrade php5-cli for Ubuntu 11.10
Use `apt-get upgrade` to upgrade php5-cli to the latest version
•php5-cli on Ubuntu Linux 8.04
Upgrade php5-cli for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade php5-cli to the latest version

3.2.71. USN-1682-1: GnuPG vulnerability (ubuntu-usn-1682-1)

Description:

The read_block function in g10/import.c in GnuPG 1.4.x before 1.4.13 and 2.0.x through 2.0.19, when importing a key, allows remote
attackers to corrupt the public keyring database or cause a denial of service (application crash) via a crafted length field of an
OpenPGP packet.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu gnupg 1.4.6-2ubuntu5

References:

Source Reference

BID 57102

CVE CVE-2012-6085

REDHAT RHSA-2013:1459

USN USN-1682-1

XF 80990

Vulnerability Solution:
•gnupg on Ubuntu Linux 10.04
Upgrade gnupg for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg on Ubuntu Linux 11.10
Upgrade gnupg for Ubuntu 11.10
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg on Ubuntu Linux 12.04
Upgrade gnupg for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg on Ubuntu Linux 12.10
Upgrade gnupg for Ubuntu 12.10
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg on Ubuntu Linux 8.04
Upgrade gnupg for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg2 on Ubuntu Linux 10.04
Upgrade gnupg2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade gnupg2 to the latest version
•gnupg2 on Ubuntu Linux 11.10
Upgrade gnupg2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade gnupg2 to the latest version
•gnupg2 on Ubuntu Linux 12.04
Upgrade gnupg2 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade gnupg2 to the latest version
•gnupg2 on Ubuntu Linux 12.10
Upgrade gnupg2 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade gnupg2 to the latest version

3.2.72. USN-636-1: Postfix vulnerability (ubuntu-usn-636-1)

Description:

Postfix before 2.3.15, 2.4 before 2.4.8, 2.5 before 2.5.4, and 2.6 before 2.6-20080814, when the operating system supports hard links
to symlinks, allows local users to append e-mail messages to a file to which a root-owned symlink points, by creating a hard link to this
symlink and then sending a message. NOTE: this can be leveraged to gain privileges if there is a symlink to an init script.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postfix 2.5.1-2ubuntu1

References:

Source Reference

BID 30691

CERT-VN 938323

CVE CVE-2008-2936

DEBIAN DSA-1629

OVAL OVAL10033

REDHAT RHSA-2008:0839

SUSE SUSE-SA:2008:040

USN USN-636-1

XF 44460

Vulnerability Solution:
•postfix on Ubuntu Linux 7.04
Upgrade postfix for Ubuntu 7.04
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 7.10
Upgrade postfix for Ubuntu 7.10
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 8.04
Upgrade postfix for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postfix to the latest version

3.2.73. USN-704-1: OpenSSL vulnerability (ubuntu-usn-704-1)

Description:

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers
to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu openssl 0.9.8g-4ubuntu3

References:

Source Reference

APPLE APPLE-SA-2009-05-12

BID 33150

CERT TA09-133A

CVE CVE-2008-5077

OVAL OVAL6380

OVAL OVAL9155

REDHAT RHSA-2009:0004

USN USN-704-1

Vulnerability Solution:
•libssl0.9.8 on Ubuntu Linux 7.10
Upgrade libssl0.9.8 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl0.9.8 on Ubuntu Linux 8.04
Upgrade libssl0.9.8 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl0.9.8 on Ubuntu Linux 8.10
Upgrade libssl0.9.8 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•openssl on Ubuntu Linux 7.10
Upgrade openssl for Ubuntu 7.10
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 8.04
Upgrade openssl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade openssl to the latest version
•openssl on Ubuntu Linux 8.10
Upgrade openssl for Ubuntu 8.10
Use `apt-get upgrade` to upgrade openssl to the latest version

3.2.74. USN-953-1: fastjar vulnerability (ubuntu-usn-953-1)

Description:

Directory traversal vulnerability in the extract_jar function in jartool.c in FastJar 0.98 allows remote attackers to create or overwrite
arbitrary files via a .. (dot dot) in a non-initial pathname component in a filename within a .jar archive, a related issue to
CVE-2005-1080. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-3619.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu fastjar 2:0.95-1ubuntu2

References:

Source Reference

BID 41006

CVE CVE-2010-0831

OSVDB 65467

REDHAT RHSA-2011:0025

USN USN-953-1

Vulnerability Solution:
•fastjar on Ubuntu Linux 10.04
Upgrade fastjar for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade fastjar to the latest version
•fastjar on Ubuntu Linux 8.04
Upgrade fastjar for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade fastjar to the latest version
•fastjar on Ubuntu Linux 9.04
Upgrade fastjar for Ubuntu 9.04
Use `apt-get upgrade` to upgrade fastjar to the latest version
•fastjar on Ubuntu Linux 9.10
Upgrade fastjar for Ubuntu 9.10
Use `apt-get upgrade` to upgrade fastjar to the latest version

3.2.75. USN-956-1: sudo vulnerability (ubuntu-usn-956-1)

Description:

The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment
that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu sudo 1.6.9p10-1ubuntu3

References:

Source Reference

BID 40538

CVE CVE-2010-1646

DEBIAN DSA-2062

OSVDB 65083

OVAL OVAL10580

OVAL OVAL7338

REDHAT RHSA-2010:0475

USN USN-956-1

Vulnerability Solution:
•sudo on Ubuntu Linux 10.04
Upgrade sudo for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 8.04
Upgrade sudo for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 9.04
Upgrade sudo for Ubuntu 9.04
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 9.10
Upgrade sudo for Ubuntu 9.10
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo-ldap on Ubuntu Linux 10.04
Upgrade sudo-ldap for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 8.04
Upgrade sudo-ldap for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 9.04
Upgrade sudo-ldap for Ubuntu 9.04
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version

•sudo-ldap on Ubuntu Linux 9.10
Upgrade sudo-ldap for Ubuntu 9.10
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version

3.2.76. USN-990-2: Apache vulnerability (ubuntu-usn-990-2)

Description:

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in
the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services
(NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an
existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions
protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation
context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apache2.2-common 2.2.8-1ubuntu0.15

References:

Source Reference

APPLE APPLE-SA-2010-01-19-1

APPLE APPLE-SA-2010-05-18-1

APPLE APPLE-SA-2010-05-18-2

BID 36935

CERT TA10-222A

CERT TA10-287A

CERT-VN 120541

CVE CVE-2009-3555

DEBIAN DSA-1934

DEBIAN DSA-2141

DISA_SEVERITY Category I

DISA_VMSKEY V0027158

IAVM 2011-A-0066

MS MS10-049

OSVDB 60521

OSVDB 60972

OSVDB 62210

OSVDB 65202

OVAL OVAL10088

OVAL OVAL11578

OVAL OVAL11617

OVAL OVAL7315

OVAL OVAL7478

OVAL OVAL7973

OVAL OVAL8366

OVAL OVAL8535

REDHAT RHSA-2010:0119

REDHAT RHSA-2010:0130

REDHAT RHSA-2010:0155

REDHAT RHSA-2010:0165

REDHAT RHSA-2010:0167

REDHAT RHSA-2010:0337

REDHAT RHSA-2010:0338

REDHAT RHSA-2010:0339

REDHAT RHSA-2010:0768

REDHAT RHSA-2010:0770

REDHAT RHSA-2010:0786

REDHAT RHSA-2010:0807

REDHAT RHSA-2010:0865

REDHAT RHSA-2010:0986

REDHAT RHSA-2010:0987

REDHAT RHSA-2011:0880

SUSE SUSE-SA:2009:057

SUSE SUSE-SA:2010:061

USN USN-990-2

XF 54158

Vulnerability Solution:
•apache2.2-common on Ubuntu Linux 10.04
Upgrade apache2.2-common for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 8.04
Upgrade apache2.2-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 9.04
Upgrade apache2.2-common for Ubuntu 9.04
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 9.10
Upgrade apache2.2-common for Ubuntu 9.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version

3.2.77. /etc/hosts.equiv allows remote access from some systems (unix-hosts-equiv-allows-access)

Description:
The file /etc/hosts.equiv contains at least one entry that allows unauthenticated remote access from certain systems based only on the
IP address or hostname. Not only is IP/host information easily hijacked by an attacker, but allowing users from certain hosts to log in
without authenticating means anyone who gains access to the remote system can log in to your system.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 /etc/hosts.equiv contains 1 positive access entries

References:
None

Vulnerability Solution:
The /etc/hosts.equiv file should never be used. Remove the file, then create a symlink from that path to /dev/null so that attackers
cannot append to it:
rm /etc/hosts.equiv && ln -s /dev/null /etc/hosts.equiv

3.2.78. Apache HTTPD: mod_proxy reverse proxy exposure (CVE-2011-3368) (apache-httpd-cve-2011-3368)

Description:

The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_proxy. Review your web
server configuration for validation. An exposure was found when using mod_proxy in reverse proxy mode. In certain configurations
using RewriteRule with proxy flag, a remote attacker could cause the reverse proxy to connect to an arbitrary server, possibly disclosing
sensitive information from internal web servers not directly accessible to the attacker. No update of 1.3 will be released. Patches will be
published to http://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

BID 49957

CVE CVE-2011-3368

OSVDB 76079

REDHAT RHSA-2011:1391

REDHAT RHSA-2011:1392

URL http://httpd.apache.org/security/vulnerabilities_13.html

URL http://httpd.apache.org/security/vulnerabilities_20.html

URL http://httpd.apache.org/security/vulnerabilities_22.html

XF 70336

Vulnerability Solution:
•Apache HTTPD >= 1.3 and < 2
Apply the patch for CVE-2011-3368 to 1.3
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/
No update of 1.3 will be released. Patches will be published to
http://archive.apache.org/dist/httpd/patches/apply_to_1.3.42/

•Apache HTTPD >= 2.0 and < 2.0.65
Upgrade to Apache HTTPD version 2.0.65
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.0.65.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.2 and < 2.2.22
Upgrade to Apache HTTPD version 2.2.22
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.22.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.79. Apache HTTPD: HTTP Trailers processing bypass (CVE-2013-5704) (apache-httpd-cve-2013-5704)

Description:

HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing
modules that examined or modified request headers earlier. This fix adds the "MergeTrailers" directive to restore legacy behavior.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2015-04-08-2

CVE CVE-2013-5704

REDHAT RHSA-2015:0325

URL http://httpd.apache.org/security/vulnerabilities_22.html

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
•Apache HTTPD >= 2.2 and < 2.2.29
Upgrade to Apache HTTPD version 2.2.29
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.29.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.4 and < 2.4.12
Upgrade to Apache HTTPD version 2.4.12
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.80. Apache HTTPD: mod_dav crash (CVE-2013-6438) (apache-httpd-cve-2013-6438)

Description:

The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_dav. Review your web
server configuration for validation. XML parsing code in mod_dav incorrectly calculates the end of the string when removing leading
spaces and places a NUL character outside the buffer, causing random crashes. This XML parsing code is only used with DAV provider
modules that support DeltaV, of which the only publicly released provider is mod_dav_svn.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2014-10-16-1

APPLE APPLE-SA-2015-04-08-2

BID 66303

CVE CVE-2013-6438

URL http://httpd.apache.org/security/vulnerabilities_22.html

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
•Apache HTTPD >= 2.2 and < 2.2.27
Upgrade to Apache HTTPD version 2.2.27
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.27.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.4 and < 2.4.9
Upgrade to Apache HTTPD version 2.4.9
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.9.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.81. Apache HTTPD: mod_log_config crash (CVE-2014-0098) (apache-httpd-cve-2014-0098)

Description:

The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_log_config. Review your
web server configuration for validation. A flaw was found in mod_log_config. A remote attacker could send a specific truncated cookie
causing a crash. This crash would only be a denial of service if using a threaded MPM.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2014-10-16-1

APPLE APPLE-SA-2015-04-08-2

BID 66303

CVE CVE-2014-0098

URL http://httpd.apache.org/security/vulnerabilities_22.html

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
•Apache HTTPD >= 2.2 and < 2.2.27
Upgrade to Apache HTTPD version 2.2.27
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.27.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.4 and < 2.4.9
Upgrade to Apache HTTPD version 2.4.9
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.9.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.82. Apache HTTPD: mod_cgid denial of service (CVE-2014-0231) (apache-httpd-cve-2014-0231)

Description:

The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_cgid. Review your web
server configuration for validation. A flaw was found in mod_cgid. If a server using mod_cgid hosted CGI scripts which did not consume
standard input, a remote attacker could cause child processes to hang indefinitely, leading to denial of service.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2015-04-08-2

BID 68742

CVE CVE-2014-0231

DEBIAN DSA-2989

DISA_SEVERITY Category I

DISA_VMSKEY V0053307

IAVM 2014-A-0114

REDHAT RHSA-2014:1019

REDHAT RHSA-2014:1020

REDHAT RHSA-2014:1021

URL http://httpd.apache.org/security/vulnerabilities_22.html

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
•Apache HTTPD >= 2.2 and < 2.2.29
Upgrade to Apache HTTPD version 2.2.29
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.29.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.4 and < 2.4.10
Upgrade to Apache HTTPD version 2.4.10
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.10.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.83. Apache Tomcat default installation/welcome page installed (apache-tomcat-default-install-page)

Description:

The Tomcat default installation or "Welcome" page is installed on this server. This usually indicates a newly installed server which has
not yet been configured properly and which may not be known about.

In many cases, Tomcat is installed along with other applications and the user may not be aware that the web server is running. These
servers are rarely patched and rarely monitored, providing hackers with a convenient target that is not likely to trip any alarms.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:8180 Running HTTP service
Product Tomcat exists -- Apache Tomcat
HTTP GET request to http://192.168.0.102:8180/
HTTP response code was an expected 200
194: <td style="width:20px">&nbsp;</td>
195:
196: <!-- Body -->
197: <td align="left" valign="top">
194: ... means you've setup Tomcat successfully. Congratulations!</p>

References:

Source Reference

OSVDB 2117

Vulnerability Solution:
If this server is required to provide necessary functionality, then the default page should be replaced with relevant content. Otherwise,
this server should be removed from the network, following the security principle of minimum complexity.

3.2.84. Anonymous users can obtain the Windows password policy (cifs-nt-0002)

Description:

Anonymous users can obtain the Windows password policy from the system by using CIFS NULL sessions. The password policy
contains sensitive information about minimum password length, password lockout threshold, password lockout duration, etc.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Retrieved domain policy for the METASPLOITABLE domain, with SID S-1-5-21-1042354039-2475377354-766472396

References:

Source Reference

BID 959

CVE CVE-2000-1200

XF 4015

Vulnerability Solution:
•Microsoft Windows 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition,
Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business
Server 2003
Disable NULL sessions for Windows 2003
Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following values:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Data Value: 1

Value Name: RestrictAnonymousSAM
Data Type: REG_DWORD
Data Value: 1

Value Name: EveryoneIncludesAnonymous
Data Type: REG_DWORD
Data Value: 0

and set the following value to 0 (or, alternatively, delete it):

Value Name: TurnOffAnonymousBlock
Data Type: REG_DWORD
Data Value: 0

Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
with the following values:

Value Name: RestrictNullSessAccess
Data Type: REG_DWORD
Data Value: 1

Value Name: NullSessionPipes
Data Type: REG_MULTI_SZ
Data Value: "" (empty string, without quotes)

Open Local Security Settings, and disable the following setting:

Security Settings -> Local Policies -> Security Options -> Network access: Allow anonymous SID/Name translation: Disabled

Finally, reboot the machine.
Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network
environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article 823659 for more information.

•Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional
Disable NULL sessions for Windows XP
Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following values:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Data Value: 1

Value Name: RestrictAnonymousSAM
Data Type: REG_DWORD
Data Value: 1

Value Name: EveryoneIncludesAnonymous
Data Type: REG_DWORD
Data Value: 0

Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
with the following values:

Value Name: RestrictNullSessAccess
Data Type: REG_DWORD
Data Value: 1

Value Name: NullSessionPipes
Data Type: REG_MULTI_SZ
Data Value: "" (empty string, without quotes)

Open Local Security Settings, and disable the following setting:

Security Settings -> Local Policies -> Security Options -> Network access: Allow anonymous SID/Name translation: Disabled

Finally, reboot the machine.
Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network
environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

•Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced
Server, Microsoft Windows 2000 Datacenter Server
Disable NULL sessions for Windows 2000
Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following value:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Data Value: 2

After modifying the registry, reboot the machine.
Please note that disabling NULL sessions may have an adverse impact on functionality, as some applications and network
environments may depend on them for proper operation. Refer to Microsoft Knowledge Base Article Q246261 for more information.

•Microsoft Windows NT Server 4.0, Microsoft Windows NT Server, Enterprise Edition 4.0, Microsoft Windows NT Workstation 4.0
Install Microsoft service pack Windows NT4 Service Pack 4
Download and apply the upgrade from: http://support.microsoft.com/sp
•Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,
Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
Disable NULL sessions for Windows NT
Modify the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
with the following value:

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Data Value: 1

After modifying the registry, reboot the machine.
It is important to note that on Windows NT 4.0 systems, setting this registry entry will still leave the system open to various attacks,
including brute-force enumeration of users and groups. A complete solution for Windows NT 4.0 systems is not available.

•Samba on Linux
Restrict anonymous access
To restrict anonymous access to Samba, modify your "smb.conf" settings as follows:

guest account = nobody
restrict anonymous = 1

Note: Make sure you do NOT list a user "nobody" in your password file.

•Novell NetWare
Novell Netware CIFS
As of May 9, 2007 Novell Netware CIFS does not provide a workaround for this vulnerability.

3.2.85. Samba Connection Flooding Denial of Service Vulnerability (cifs-samba-connection-flooding-dos)

Description:

The smbd daemon (smbd/service.c) in Samba 3.0.1 through 3.0.22 allows remote attackers to cause a denial of service (memory
consumption) via a large number of share connection requests.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:139 Running CIFS service
Product Samba exists -- Samba 3.0.20-Debian
Vulnerable version of product Samba found -- Samba 3.0.20-Debian

192.168.0.102:445 Running CIFS service
Product Samba exists -- Samba 3.0.20-Debian
Vulnerable version of product Samba found -- Samba 3.0.20-Debian

References:

Source Reference

APPLE APPLE-SA-2006-11-28

BID 18927

CERT TA06-333A

CERT-VN 313836

CVE CVE-2006-3403

DEBIAN DSA-1110

OVAL OVAL11355

REDHAT RHSA-2006:0591

SGI 20060703-01-P

URL http://www.samba.org/samba/security/CVE-2006-3403.html

XF 27648

Vulnerability Solution:
Samba < 3.0.23
Download and apply the upgrade from: https://ftp.samba.org/pub/samba/stable/samba-3.0.23.tar.gz
Alternatively, patches may be available at http://www.samba.org/samba/history/security.html. Although Samba provides source code, it
is recommended that you use your operating system's package manager to upgrade if possible. Please note that many operating
system vendors choose to apply the most recent Samba security patches to their distributions without changing the package version to
the most recent Samba version number. For the most reliable scan results, use correlation with authenticated scans.

3.2.86. DNS server allows cache snooping (dns-allows-cache-snooping)

Description:

This DNS server is susceptible to DNS cache snooping, whereby an attacker can make non-recursive queries to a DNS server, looking
for records potentially already resolved by this DNS server for other clients. Depending on the response, an attacker can use this
information to potentially launch other attacks.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Received 2 answers to a non-recursive query for www.rapid7.com

192.168.0.102:53 Received 2 answers to a non-recursive query for www.rapid7.com

References:

Source Reference

URL http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Vulnerability Solution:
Restrict the processing of DNS queries to only systems that should be allowed to use this nameserver.

3.2.87. ISC BIND: BIND 9 Resolver crashes after logging an error in query.c (CVE-2011-4313) (dns-bind-cve-2011-4313)

Description:

query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0
through 9.8.1, and 9.9.0a1 through 9.9.0b1 allows remote attackers to cause a denial of service (assertion failure and named exit) via
unknown vectors related to recursive DNS queries, error logging, and the caching of an invalid record by the resolver.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

BID 50690

CERT-VN 606539

CVE CVE-2011-4313

DEBIAN DSA-2347

OSVDB 77159

OVAL OVAL14343

REDHAT RHSA-2011:1458

REDHAT RHSA-2011:1459

REDHAT RHSA-2011:1496

URL https://kb.isc.org/article/AA-00544/0

URL https://kb.isc.org/article/AA-00544/74/CVE-2011-4313%3A-BIND-9-Resolver-crashes-after-logging-an-error-in-query.c.html

XF 71332

Vulnerability Solution:
•Upgrade ISC BIND to latest version
More information about upgrading your version of ISC BIND is available on the ISC website.
•Apply patch to mitigate BIND 9 resolver crash
Patches mitigating this issue are available at:
•https://www.isc.org/software/bind/981-p1
•https://www.isc.org/software/bind/974-p1
•https://www.isc.org/software/bind/96-esv-r5-p1
•https://www.isc.org/software/bind/94-esv-r5-p1

3.2.88. CVE-2012-1033: Ghost Domain Names: Revoked Yet Still Resolvable (dns-bind-cve-2012-1033)

Description:

The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a
response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost
domain names" attack.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

BID 51898

CERT-VN 542123

CVE CVE-2012-1033

DISA_SEVERITY Category I

DISA_VMSKEY V0035032

IAVM 2012-A-0189

OSVDB 78916

URL https://kb.isc.org/article/AA-00691/74/CVE-2012-1033%3A-Ghost-Domain-Names%3A-Revoked-Yet-Still-Resolvable.html

XF 73053

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.2.89. Nameserver Processes Recursive Queries (dns-processes-recursive-queries)

Description:

Allowing nameservers to process recursive queries coming from any system may, in certain situations, help attackers conduct denial of
service or cache poisoning attacks.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Nameserver resolved www.google.com to:
www.google.com. 300 IN A 74.125.226.113
www.google.com. 300 IN A 74.125.226.115
www.google.com. 300 IN A 74.125.226.112
www.google.com. 300 IN A 74.125.226.116
www.google.com. 300 IN A 74.125.226.114

192.168.0.102:53 Nameserver resolved www.google.com to:
www.google.com. 300 IN A 74.125.226.113
www.google.com. 300 IN A 74.125.226.115
www.google.com. 300 IN A 74.125.226.112
www.google.com. 300 IN A 74.125.226.116
www.google.com. 300 IN A 74.125.226.114

References:

Source Reference

URL http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf

Vulnerability Solution:

Restrict the processing of recursive queries to only systems that should be allowed to use this nameserver.

3.2.90. Debian Linux httpd Vulnerability (http-apache-0007)

Description:

The Debian GNU/Linux 2.1 Apache package by default allows anyone to view /usr/doc via the web, remotely. This is because srm.conf
is preconfigured with the line:

Alias /doc/ /usr/doc/

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
HTTP GET request to http://192.168.0.102/doc/
HTTP response code was an expected 200
4: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
5: <html>
6: <head>
4: <title>Index of /doc</title>

References:

Source Reference

BID 318

CVE CVE-1999-0678

URL http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=2822

Vulnerability Solution:
The following addition to /etc/apache/access.conf will restrict access:
<Directory /usr/doc>
    AllowOverride None
    order deny,allow
    deny from all
    allow from localhost
</Directory>

3.2.91. PHP Multiple Vulnerabilities Fixed in version 5.2.9 (http-php-multiple-vulns-5-2-9)

Description:

The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x before 5.2.9 allows context-dependent attackers to cause a denial
of service (crash) via a ZIP file that contains filenames with relative paths, which is not properly handled during extraction.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-09-10-2

CVE CVE-2009-1271

CVE CVE-2009-1272

DEBIAN DSA-1775

DEBIAN DSA-1789

REDHAT RHSA-2009:0350

URL http://www.php.net/ChangeLog-5.php#5.2.9

URL http://www.php.net/releases/5_2_9.php

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.9.tar.gz

3.2.92. PHP Multiple Vulnerabilities Fixed in version 5.3.2 (http-php-multiple-vulns-5-3-2)

Description:

Improved LCG entropy.

Fixed safe_mode validation inside tempnam() when the directory path does not end with a /.

Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

URL http://www.php.net/ChangeLog-5.php#5.3.2

URL http://www.php.net/releases/5_3_2.php

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.2.tar.gz

3.2.93. PHP Fixed security issues (CVE-2008-2665) (http-php-safemode-bypass3)

Description:

Directory traversal vulnerability in the posix_access function in PHP 5.2.6 and earlier allows remote attackers to bypass safe_mode
restrictions via a .. (dot dot) in an http URL, which results in the URL being canonicalized to a local filename after the safe_mode check
has successfully run.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-05-12

BID 29797

CERT TA09-133A

CVE CVE-2008-2665

XF 43196

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.7.tar.gz

3.2.94. No password for Grub (linux-grub-missing-passwd)

Description:

GRUB bootloader is not password protected. An attacker can use the GRUB editor interface to change its configuration or to gather
information using the cat command. It can also be exploited to boot into single user mode as root or boot into an insecure operating
system.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 GRUB password not enabled in /boot/grub/menu.lst

References:

None

Vulnerability Solution:
Set a password in the GRUB configuration file. This is often located in one of several locations, but can really be anywhere:

/etc/grub.conf
/boot/grub/grub.conf
/boot/grub/menu.lst

To set a plain-text password, edit your GRUB configuration file and add the following line before the first uncommented line:
password <password>
To set an encrypted password, run grub-md5-crypt and use its output when adding the following line before the first uncommented line:
password --md5 <encryptedpassword>
For either approach, choose an appropriately strong password.

3.2.95. Exported volume is publicly mountable (nfs-mountd-0002)

Description:
An NFS volume is mountable by everyone. Although this is not necessarily a vulnerability itself, this does not exhibit "best practice"
from a security standpoint; mounting privileges should be restricted only to hosts that require them.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:34478 /

192.168.0.102:39883 /

References:
None

Vulnerability Solution:
Restrict mounting privileges to only hosts that require them.

3.2.96. Oracle MySQL Vulnerability: CVE-2010-3833 (oracle-mysql-cve-2010-3833)

Description:

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does not properly propagate type errors, which allows remote
attackers to cause a denial of service (server crash) via crafted arguments to extreme-value functions such as (1) LEAST and (2)
GREATEST, related to KILL_BAD_DATA and a "CREATE TABLE ... SELECT."

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 43676

CVE CVE-2010-3833

DEBIAN DSA-2143

REDHAT RHSA-2010:0825

REDHAT RHSA-2011:0164

XF 64845

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.92
Upgrade to Oracle MySQL version 5.0.92
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.51
Upgrade to Oracle MySQL version 5.1.51
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.6
Upgrade to Oracle MySQL version 5.5.6
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.97. Oracle MySQL Vulnerability: CVE-2011-2262 (oracle-mysql-cve-2011-2262)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote attackers to affect availability
via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2011-2262

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.98. Oracle MySQL Vulnerability: CVE-2012-0116 (oracle-mysql-cve-2012-0116)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
confidentiality and integrity via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0116

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.99. Oracle MySQL Vulnerability: CVE-2012-0118 (oracle-mysql-cve-2012-0118)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0113.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0118

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.100. Oracle MySQL Vulnerability: CVE-2012-0486 (oracle-mysql-cve-2012-0486)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489,
CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

BID 51514

CVE CVE-2012-0486

OSVDB 78384

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72527

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.101. PHP Vulnerability: CVE-2007-4783 (php-cve-2007-4783)

Description:

The iconv_substr function in PHP 5.2.4 and earlier allows context-dependent attackers to cause (1) a denial of service (application
crash) via a long string in the charset parameter, probably also requiring a long string in the str parameter; or (2) a denial of service
(temporary application hang) via a long string in the str parameter. NOTE: this might not be a vulnerability in most web server
environments that support multiple threads, unless these issues can be demonstrated for code execution.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2007-4783

OSVDB 38917

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.102. PHP Vulnerability: CVE-2007-4840 (php-cve-2007-4840)

Description:

PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the
out_charset parameter to the iconv function; or a long string in the charset parameter to the (2) iconv_mime_decode_headers, (3)
iconv_mime_decode, or (4) iconv_strlen function. NOTE: this might not be a vulnerability in most web server environments that support
multiple threads, unless these issues can be demonstrated for code execution.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2007-4840

OSVDB 38916

SUSE SUSE-SA:2008:004

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.103. PHP Vulnerability: CVE-2008-2666 (php-cve-2008-2666)

Description:

Multiple directory traversal vulnerabilities in PHP 5.2.6 and earlier allow context-dependent attackers to bypass safe_mode restrictions
by creating a subdirectory named http: and then placing ../ (dot dot slash) sequences in an http URL argument to the (1) chdir or (2) ftok
function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-05-12

BID 29796

CERT TA09-133A

CVE CVE-2008-2666

XF 43198

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.7.tar.gz

3.2.104. PHP Vulnerability: CVE-2008-4107 (php-cve-2008-4107)

Description:

The (1) rand and (2) mt_rand functions in PHP 5.2.6 do not produce cryptographically strong random numbers, which allows attackers
to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset
functionality in Joomla! 1.5.x and WordPress before 2.6.2, a different vulnerability than CVE-2008-2107, CVE-2008-2108, and CVE-
2008-4102.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

BID 31115

CVE CVE-2008-4107

OSVDB 48700

XF 45956

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.6.tar.gz

3.2.105. PHP Vulnerability: CVE-2008-5498 (php-cve-2008-5498)

Description:

Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of
arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-09-10-2

BID 33002

CVE CVE-2008-5498

OSVDB 51031

OVAL OVAL9667

REDHAT RHSA-2009:0350

XF 47635

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.9.tar.gz

3.2.106. PHP Vulnerability: CVE-2009-1272 (php-cve-2009-1272)

Description:

The php_zip_make_relative_path function in php_zip.c in PHP 5.2.x before 5.2.9 allows context-dependent attackers to cause a denial
of service (crash) via a ZIP file that contains filenames with relative paths, which is not properly handled during extraction.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-09-10-2

CVE CVE-2009-1272

URL http://www.php.net/releases/5_2_9.php

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.9.tar.gz

3.2.107. PHP Vulnerability: CVE-2009-4418 (php-cve-2009-4418)

Description:

The unserialize function in PHP 5.3.0 and earlier allows context-dependent attackers to cause a denial of service (resource
consumption) via a deeply nested serialized variable, as demonstrated by a string beginning with a:1: followed by many {a:1:
sequences.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2009-4418

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.1.tar.gz

3.2.108. PHP Vulnerability: CVE-2010-1860 (php-cve-2010-1860)

Description:

The html_entity_decode function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain
sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal call, related to
the call time pass by reference feature.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-1860

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz

•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.109. PHP Vulnerability: CVE-2010-1862 (php-cve-2010-1862)

Description:

The chunk_split function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive
information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference
feature.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-1862

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.110. PHP Vulnerability: CVE-2010-1864 (php-cve-2010-1864)

Description:

The addcslashes function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive
information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference
feature.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-1864

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.111. PHP Vulnerability: CVE-2010-1915 (php-cve-2010-1915)

Description:

The preg_quote function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive
information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference
feature, modification of ZVALs whose values are not updated in the associated local variables, and access of previously-freed memory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-1915

XF 58586

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.112. PHP Vulnerability: CVE-2010-2093 (php-cve-2010-2093)

Description:

Use-after-free vulnerability in the request shutdown functionality in PHP 5.2 before 5.2.13 and 5.3 before 5.3.2 allows context-
dependent attackers to cause a denial of service (crash) via a stream context structure that is freed before destruction occurs.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-2093

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.113. PHP Vulnerability: CVE-2010-2097 (php-cve-2010-2097)

Description:

The (1) iconv_mime_decode, (2) iconv_substr, and (3) iconv_mime_encode functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2
allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal
function, related to the call time pass by reference feature.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-2097

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.114. PHP Vulnerability: CVE-2010-2100 (php-cve-2010-2100)

Description:

The (1) htmlentities, (2) htmlspecialchars, (3) str_getcsv, (4) http_build_query, (5) strpbrk, and (6) strtr functions in PHP 5.2 through
5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a
userspace interruption of an internal function, related to the call time pass by reference feature.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-2100

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.115. PHP Vulnerability: CVE-2010-2101 (php-cve-2010-2101)

Description:

The (1) strip_tags, (2) setcookie, (3) strtok, (4) wordwrap, (5) str_word_count, and (6) str_pad functions in PHP 5.2 through 5.2.13 and
5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace
interruption of an internal function, related to the call time pass by reference feature.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-2101

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.116. PHP Vulnerability: CVE-2010-2190 (php-cve-2010-2190)

Description:

The (1) trim, (2) ltrim, (3) rtrim, and (4) substr_replace functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-
dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function,
related to the call time pass by reference feature.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-2190

XF 59220

Vulnerability Solution:
•Upgrade to PHP version 5.2.14
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.14.tar.gz
•Upgrade to PHP version 5.3.3
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.3.tar.gz

3.2.117. PHP Vulnerability: CVE-2010-4150 (php-cve-2010-4150)

Description:

Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3
before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified
vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2011-03-21-1

BID 44980

CVE CVE-2010-4150

OVAL OVAL12489

XF 63390

Vulnerability Solution:
•Upgrade to PHP version 5.2.15
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz
•Upgrade to PHP version 5.3.4
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz

3.2.118. PHP Vulnerability: CVE-2010-4699 (php-cve-2010-4699)

Description:

The iconv_mime_decode_headers function in the Iconv extension in PHP before 5.3.4 does not properly handle encodings that are
unrecognized by the iconv and mbstring (aka Multibyte String) implementations, which allows remote attackers to trigger an incomplete
output array, and possibly bypass spam detection or have unspecified other impact, via a crafted Subject header in an e-mail message,
as demonstrated by the ks_c_5601-1987 character set.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2010-4699

OVAL OVAL12393

XF 64963

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz

3.2.119. PHP Vulnerability: CVE-2011-0752 (php-cve-2011-0752)

Description:

The extract function in PHP before 5.2.15 does not prevent use of the EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS
superglobal array and (2) the this variable, which allows context-dependent attackers to bypass intended access restrictions by
modifying data structures that were not intended to depend on external input, a related issue to CVE-2005-2691 and CVE-2006-3758.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2011-0752

OVAL OVAL12016

XF 65432

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz

3.2.120. PHP Vulnerability: CVE-2011-0755 (php-cve-2011-0755)

Description:

Integer overflow in the mt_rand function in PHP before 5.3.4 might make it easier for context-dependent attackers to predict the return
values by leveraging a script's use of a large max parameter, as demonstrated by a value that exceeds mt_getrandmax.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2011-0755

OVAL OVAL12589

XF 65426

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz

3.2.121. PHP Vulnerability: CVE-2012-0789 (php-cve-2012-0789)

Description:

Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory
consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2012-0789

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.2.122. PHP Vulnerability: CVE-2012-1171 (php-cve-2012-1171)

Description:

The libxml RSHUTDOWN function in PHP 5.x allows remote attackers to bypass the open_basedir protection mechanism and read
arbitrary files via vectors involving a stream_close method call during use of a custom stream wrapper.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2012-1171

Vulnerability Solution:
•Upgrade to PHP version 5.3.28
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.24
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.7
Download and apply the upgrade from: http://www.php.net/releases/

3.2.123. PHP Vulnerability: CVE-2012-2336 (php-cve-2012-2336)

Description:

sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly
handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource
consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case.
NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2012-2336

URL http://www.php.net/archive/2012.php#id2012-05-08-1

URL https://bugs.php.net/bug.php?id=61910

Vulnerability Solution:
•Upgrade to PHP version 5.3.13
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.3
Download and apply the upgrade from: http://www.php.net/releases/

3.2.124. PHP Vulnerability: CVE-2012-3365 (php-cve-2012-3365)

Description:

The SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via
unspecified vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2012-3365

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.2.125. PHP Vulnerability: CVE-2013-1643 (php-cve-2013-1643)

Description:

The SOAP parser in PHP before 5.3.23 and 5.4.x before 5.4.13 allows remote attackers to read arbitrary files via a SOAP WSDL file
containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in
the soap_xmlParseFile and soap_xmlParseMemory functions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-
1824.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

CVE CVE-2013-1643

DEBIAN DSA-2639

REDHAT RHSA-2013:1307

REDHAT RHSA-2013:1615

Vulnerability Solution:
•Upgrade to PHP version 5.3.23
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.13
Download and apply the upgrade from: http://www.php.net/releases/

3.2.126. PHP Vulnerability: CVE-2013-2110 (php-cve-2013-2110)

Description:

Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before
5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted
argument to the quoted_printable_encode function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

CVE CVE-2013-2110

Vulnerability Solution:
•Upgrade to PHP version 5.3.26
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.16
Download and apply the upgrade from: http://www.php.net/releases/

3.2.127. PHP Vulnerability: CVE-2013-6501 (php-cve-2013-6501)

Description:

The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp
directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable
filename that is used by the get_sdl function in ext/soap/php_sdl.c.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2013-6501

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.2.128. PHP Vulnerability: CVE-2014-9652 (php-cve-2014-9652)

Description:

The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21,
and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string,
which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2014-9652

Vulnerability Solution:
•Upgrade to PHP version 5.4.37
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.21
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.5
Download and apply the upgrade from: http://www.php.net/releases/

3.2.129. PHP Vulnerability: CVE-2014-9709 (php-cve-2014-9709)

Description:

The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote
attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the
gdImageCreateFromGif function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2014-9709

DEBIAN DSA-3215

Vulnerability Solution:
•Upgrade to PHP version 5.4.38
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.22
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.6
Download and apply the upgrade from: http://www.php.net/releases/

3.2.130. PHP Vulnerability: CVE-2015-1352 (php-cve-2015-1352)

Description:

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate token
extraction for table names, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash)
via a crafted name.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2015-1352

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.2.131. PHP Vulnerability: CVE-2015-2348 (php-cve-2015-2348)

Description:

The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before
5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension
restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2006-7243.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2015-2348

Vulnerability Solution:
•Upgrade to PHP version 5.4.39
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.23
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.6.7
Download and apply the upgrade from: http://www.php.net/releases/

3.2.132. PHP Fixed iconv_*() functions to limit argument sizes (CVE-2007-4783) (php-fixed-iconv-functions-to-limit-argument-sizes-cve-2007-4783)

Description:

The iconv_substr function in PHP 5.2.4 and earlier allows context-dependent attackers to cause (1) a denial of service (application
crash) via a long string in the charset parameter, probably also requiring a long string in the str parameter; or (2) a denial of service
(temporary application hang) via a long string in the str parameter. NOTE: this might not be a vulnerability in most web server
environments that support multiple threads, unless these issues can be demonstrated for code execution.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2007-4783

OSVDB 38917

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.133. PHP Fixed iconv_*() functions to limit argument sizes (CVE-2007-4840) (php-fixed-iconv-functions-to-limit-argument-sizes-cve-2007-4840)

Description:

PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via (1) a long string in the
out_charset parameter to the iconv function; or a long string in the charset parameter to the (2) iconv_mime_decode_headers, (3)
iconv_mime_decode, or (4) iconv_strlen function. NOTE: this might not be a vulnerability in most web server environments that support
multiple threads, unless these issues can be demonstrated for code execution.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2007-4840

OSVDB 38916

SUSE SUSE-SA:2008:004

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.134. PHP Fixed security issue in imagerotate() (php-fixed-security-issue-in-imagerotate)

Description:

Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of
arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-09-10-2

BID 33002

CVE CVE-2008-5498

OSVDB 51031

OVAL OVAL9667

REDHAT RHSA-2009:0350

XF 47635

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.9.tar.gz

3.2.135. PHP Fixed security issues (CVE-2008-2666) (php-fixed-security-issues-cve-2008-2666)

Description:

Multiple directory traversal vulnerabilities in PHP 5.2.6 and earlier allow context-dependent attackers to bypass safe_mode restrictions
by creating a subdirectory named http: and then placing ../ (dot dot slash) sequences in an http URL argument to the (1) chdir or (2) ftok
function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2009-05-12

BID 29796

CERT TA09-133A

CVE CVE-2008-2666

XF 43198

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.7.tar.gz

3.2.136. PHP possible double free in imap extension (php-possible-double-free-in-imap-extension)

Description:

Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3
before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified
vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2011-03-21-1

BID 44980

CVE CVE-2010-4150

OVAL OVAL12489

XF 63390

Vulnerability Solution:
•Upgrade to PHP version 5.2.15
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.15.tar.gz
•Upgrade to PHP version 5.3.4
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz

3.2.137. TCP Sequence Number Approximation Vulnerability (tcp-seq-num-approximation)

Description:

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service
(connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived
connections, such as BGP.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 TCP reset with incorrect sequence number triggered this fault: Connection reset by peer

References:

Source Reference

BID 10183

CERT TA04-111A

CERT-VN 415294

CVE CVE-2004-0230

MS MS05-019

MS MS06-064

NETBSD NetBSD-SA2004-006

OSVDB 4030

OVAL OVAL2689

OVAL OVAL270

OVAL OVAL3508

OVAL OVAL4791

OVAL OVAL5711

SGI 20040403-01-A

URL ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc

URL http://tools.ietf.org/html/draft-ietf-tcpm-tcpsecure-12

URL http://www.uniras.gov.uk/vuls/2004/236929/index.htm

XF 15886

Vulnerability Solution:
•Enable TCP MD5 Signatures
Enable the TCP MD5 signature option as documented in RFC 2385. It was designed to reduce the danger from certain security
attacks on BGP, such as TCP resets.

•Microsoft Windows 2000 SP4 OR SP3 (x86), Microsoft Windows 2000 Professional SP4 OR SP3 (x86), Microsoft Windows 2000
Server SP4 OR SP3 (x86), Microsoft Windows 2000 Advanced Server SP4 OR SP3 (x86), Microsoft Windows 2000 Datacenter Server
SP4 OR SP3 (x86)
MS05-019: Security Update for Windows 2000 (KB893066)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=36661
•Microsoft Windows Server 2003 < SP1 (x86), Microsoft Windows Server 2003, Standard Edition < SP1 (x86), Microsoft Windows
Server 2003, Enterprise Edition < SP1 (x86), Microsoft Windows Server 2003, Datacenter Edition < SP1 (x86), Microsoft Windows
Server 2003, Web Edition < SP1 (x86), Microsoft Windows Small Business Server 2003 < SP1 (x86)
MS05-019: Security Update for Windows Server 2003 (KB893066)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=36661
•Microsoft Windows XP Professional SP2 OR SP1 (x86), Microsoft Windows XP Home SP2 OR SP1 (x86)
MS05-019: Security Update for Windows XP (KB893066)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=36661
•Microsoft Windows XP Professional SP1 OR SP2 (x86), Microsoft Windows XP Home SP1 OR SP2 (x86)
MS06-064: Security Update for Windows XP (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
•Microsoft Windows Server 2003 SP1 (x86_64), Microsoft Windows Server 2003, Standard Edition SP1 (x86_64), Microsoft Windows
Server 2003, Enterprise Edition SP1 (x86_64), Microsoft Windows Server 2003, Datacenter Edition SP1 (x86_64), Microsoft Windows
Server 2003, Web Edition SP1 (x86_64), Microsoft Windows Small Business Server 2003 SP1 (x86_64)
MS06-064: Security Update for Windows Server 2003 x64 Edition (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
•Microsoft Windows XP Professional SP1 (x86_64)
MS06-064: Security Update for Windows XP x64 Edition (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
•Microsoft Windows Server 2003 SP1 OR < SP1 (ia64), Microsoft Windows Server 2003, Standard Edition SP1 OR < SP1 (ia64),
Microsoft Windows Server 2003, Enterprise Edition SP1 OR < SP1 (ia64), Microsoft Windows Server 2003, Datacenter Edition SP1
OR < SP1 (ia64), Microsoft Windows Server 2003, Web Edition SP1 OR < SP1 (ia64), Microsoft Windows Small Business Server 2003
SP1 OR < SP1 (ia64)
MS06-064: Security Update for Windows Server 2003 for Itanium-based Systems (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
•Microsoft Windows Server 2003 SP1 OR < SP1 (x86), Microsoft Windows Server 2003, Standard Edition SP1 OR < SP1 (x86),
Microsoft Windows Server 2003, Enterprise Edition SP1 OR < SP1 (x86), Microsoft Windows Server 2003, Datacenter Edition SP1 OR
< SP1 (x86), Microsoft Windows Server 2003, Web Edition SP1 OR < SP1 (x86), Microsoft Windows Small Business Server 2003 SP1
OR < SP1 (x86)
MS06-064: Security Update for Windows Server 2003 (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
•Locate and fix vulnerable traffic inspection devices along the route to the target
In many situations, target systems are, by themselves, patched or otherwise unaffected by this vulnerability. In certain configurations,
however, unaffected systems can be made vulnerable if the path between an attacker and the target system contains an affected and
unpatched network device such as a firewall or router and that device is responsible for handling TCP connections for the target. In this
case, locate and apply remediation steps for network devices along the route that are affected.

3.2.138. USN-1017-1: MySQL vulnerabilities (ubuntu-usn-1017-1)

Description:

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 does not properly propagate type errors, which allows remote
attackers to cause a denial of service (server crash) via crafted arguments to extreme-value functions such as (1) LEAST and (2)
GREATEST, related to KILL_BAD_DATA and a "CREATE TABLE ... SELECT."

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu mysql-server-5.0 5.0.51a-3ubuntu5


References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 41198

BID 42596

BID 42598

BID 42599

BID 42625

BID 42633

BID 42638

BID 42646

BID 43676

CVE CVE-2010-2008

CVE CVE-2010-3677

CVE CVE-2010-3678

CVE CVE-2010-3679

CVE CVE-2010-3680

CVE CVE-2010-3681

CVE CVE-2010-3682

CVE CVE-2010-3683

CVE CVE-2010-3833

CVE CVE-2010-3834

CVE CVE-2010-3835

CVE CVE-2010-3836

CVE CVE-2010-3837

CVE CVE-2010-3838

CVE CVE-2010-3839

CVE CVE-2010-3840

DEBIAN DSA-2143

OVAL OVAL11869

REDHAT RHSA-2010:0824

REDHAT RHSA-2010:0825

REDHAT RHSA-2011:0164

USN USN-1017-1

XF 64683

XF 64684

XF 64685

XF 64686

XF 64687

XF 64688

XF 64838

XF 64839

XF 64840

XF 64841

XF 64842

XF 64843

XF 64844

XF 64845

Vulnerability Solution:
•mysql-server-5.0 on Ubuntu Linux 8.04
Upgrade mysql-server-5.0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.1 on Ubuntu Linux 10.04
Upgrade mysql-server-5.1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 10.10
Upgrade mysql-server-5.1 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 9.10
Upgrade mysql-server-5.1 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version

3.2.139. USN-1021-1: Apache vulnerabilities (ubuntu-usn-1021-1)

Description:

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-
util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to
cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apache2.2-common 2.2.8-1ubuntu0.15

References:

Source Reference

APPLE APPLE-SA-2011-03-21-1

BID 43673

CVE CVE-2010-1452

CVE CVE-2010-1623

OVAL OVAL11683

OVAL OVAL12341

OVAL OVAL12800

REDHAT RHSA-2010:0659

REDHAT RHSA-2010:0950

REDHAT RHSA-2011:0896

REDHAT RHSA-2011:0897

USN USN-1021-1

Vulnerability Solution:
•apache2.2-common on Ubuntu Linux 10.04
Upgrade apache2.2-common for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 10.10
Upgrade apache2.2-common for Ubuntu 10.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 8.04
Upgrade apache2.2-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 9.10
Upgrade apache2.2-common for Ubuntu 9.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version

3.2.140. USN-1022-1: APR-util vulnerability (ubuntu-usn-1022-1)

Description:

Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-
util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to
cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libaprutil1 1.2.12+dfsg-3

References:

Source Reference

BID 43673

CVE CVE-2010-1623

OVAL OVAL12800

REDHAT RHSA-2010:0950

REDHAT RHSA-2011:0896

REDHAT RHSA-2011:0897

USN USN-1022-1

Vulnerability Solution:
•libaprutil1 on Ubuntu Linux 10.04
Upgrade libaprutil1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version
•libaprutil1 on Ubuntu Linux 10.10
Upgrade libaprutil1 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version
•libaprutil1 on Ubuntu Linux 8.04
Upgrade libaprutil1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version
•libaprutil1 on Ubuntu Linux 9.10
Upgrade libaprutil1 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libaprutil1 to the latest version

3.2.141. USN-1075-1: Samba vulnerability (ubuntu-usn-1075-1)

Description:

Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 does not perform range checks for file descriptors before use of
the FD_SET macro, which allows remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon
crash) by opening a large number of files, related to (1) Winbind or (2) smbd.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu samba 3.0.20-0.1ubuntu1

References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 46597

CVE CVE-2011-0719

DEBIAN DSA-2175

REDHAT RHSA-2011:0305

REDHAT RHSA-2011:0306

USN USN-1075-1

XF 65724

Vulnerability Solution:
•samba on Ubuntu Linux 10.04
Upgrade samba for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 10.10
Upgrade samba for Ubuntu 10.10
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 8.04
Upgrade samba for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 9.10
Upgrade samba for Ubuntu 9.10
Use `apt-get upgrade` to upgrade samba to the latest version

3.2.142. USN-1229-1: PostgreSQL vulnerability (ubuntu-usn-1229-1)

Description:

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not
properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by
leveraging knowledge of a password hash.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

APPLE APPLE-SA-2012-02-01-1

BID 49241

CVE CVE-2011-2483

DEBIAN DSA-2340

DEBIAN DSA-2399

REDHAT RHSA-2011:1377

REDHAT RHSA-2011:1378

REDHAT RHSA-2011:1423

SUSE SUSE-SA:2011:035

USN USN-1229-1

XF 69319

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.4 on Ubuntu Linux 10.04
Upgrade postgresql-8.4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-8.4 on Ubuntu Linux 10.10
Upgrade postgresql-8.4 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-8.4 on Ubuntu Linux 11.04
Upgrade postgresql-8.4 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version

3.2.143. USN-1259-1: Apache vulnerabilities (ubuntu-usn-1259-1)

Description:

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not
properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which
allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apache2.2-common 2.2.8-1ubuntu0.15

References:

Source Reference

APPLE APPLE-SA-2012-02-01-1

APPLE APPLE-SA-2012-09-19-2

BID 46953

BID 49616

BID 49957

CVE CVE-2011-1176

CVE CVE-2011-3348

CVE CVE-2011-3368

DEBIAN DSA-2202

OSVDB 76079

OVAL OVAL14941

OVAL OVAL18154

REDHAT RHSA-2011:1391

REDHAT RHSA-2011:1392

USN USN-1259-1

XF 66248

XF 69804

XF 70336

Vulnerability Solution:
•apache2-mpm-itk on Ubuntu Linux 10.04
Upgrade apache2-mpm-itk for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apache2-mpm-itk to the latest version
•apache2-mpm-itk on Ubuntu Linux 10.10
Upgrade apache2-mpm-itk for Ubuntu 10.10
Use `apt-get upgrade` to upgrade apache2-mpm-itk to the latest version
•apache2-mpm-itk on Ubuntu Linux 11.04
Upgrade apache2-mpm-itk for Ubuntu 11.04
Use `apt-get upgrade` to upgrade apache2-mpm-itk to the latest version
•apache2.2-bin on Ubuntu Linux 10.04
Upgrade apache2.2-bin for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-bin to the latest version
•apache2.2-bin on Ubuntu Linux 10.10
Upgrade apache2.2-bin for Ubuntu 10.10
Use `apt-get upgrade` to upgrade apache2.2-bin to the latest version
•apache2.2-bin on Ubuntu Linux 11.04
Upgrade apache2.2-bin for Ubuntu 11.04
Use `apt-get upgrade` to upgrade apache2.2-bin to the latest version
•apache2.2-bin on Ubuntu Linux 11.10
Upgrade apache2.2-bin for Ubuntu 11.10
Use `apt-get upgrade` to upgrade apache2.2-bin to the latest version
•apache2.2-common on Ubuntu Linux 8.04
Upgrade apache2.2-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version

3.2.144. USN-1308-1: bzip2 vulnerability (ubuntu-usn-1308-1)

Description:

The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during
extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu bzip2 1.0.4-2ubuntu4

References:

Source Reference

CVE CVE-2011-4089

USN USN-1308-1

Vulnerability Solution:
•bzip2 on Ubuntu Linux 10.04
Upgrade bzip2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade bzip2 to the latest version
•bzip2 on Ubuntu Linux 10.10
Upgrade bzip2 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade bzip2 to the latest version
•bzip2 on Ubuntu Linux 11.04
Upgrade bzip2 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade bzip2 to the latest version
•bzip2 on Ubuntu Linux 11.10
Upgrade bzip2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade bzip2 to the latest version
•bzip2 on Ubuntu Linux 8.04
Upgrade bzip2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade bzip2 to the latest version

3.2.145. USN-1368-1: Apache HTTP Server vulnerabilities (ubuntu-usn-1368-1)

Description:

scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during
shutdown) or possibly have unspecified other impact by modifying a certain type field within a scoreboard shared memory segment,
leading to an invalid call to the free function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apache2.2-common 2.2.8-1ubuntu0.15

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

BID 50494

BID 51407

BID 51706

CVE CVE-2011-3607

CVE CVE-2011-4317

CVE CVE-2012-0021

CVE CVE-2012-0031

CVE CVE-2012-0053

OSVDB 76744

REDHAT RHSA-2012:0128

USN USN-1368-1

XF 71093

Vulnerability Solution:
•apache2.2-common on Ubuntu Linux 10.04
Upgrade apache2.2-common for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 10.10
Upgrade apache2.2-common for Ubuntu 10.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 11.04
Upgrade apache2.2-common for Ubuntu 11.04
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 11.10
Upgrade apache2.2-common for Ubuntu 11.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 8.04
Upgrade apache2.2-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version

3.2.146. USN-1376-1: libxml2 vulnerability (ubuntu-usn-1376-1)

Description:

libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-
dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1


References:

Source Reference

APPLE APPLE-SA-2013-09-18-2

APPLE APPLE-SA-2013-10-22-8

BID 52107

CVE CVE-2012-0841

DEBIAN DSA-2417

DISA_SEVERITY Category I

DISA_VMSKEY V0033794

DISA_VMSKEY V0033884

IAVM 2012-A-0148

IAVM 2012-A-0153

REDHAT RHSA-2012:0324

REDHAT RHSA-2013:0217

USN USN-1376-1

Vulnerability Solution:
•libxml2 on Ubuntu Linux 10.04
Upgrade libxml2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 10.10
Upgrade libxml2 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.04
Upgrade libxml2 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.10
Upgrade libxml2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.2.147. USN-1418-1: GnuTLS vulnerabilities (ubuntu-usn-1418-1)

Description:

gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block
cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record,
as demonstrated by a crafted GenericBlockCipher structure.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libgnutls13 2.0.4-1ubuntu2

References:

Source Reference

CVE CVE-2011-4128

CVE CVE-2012-1573

DISA_SEVERITY Category I

DISA_VMSKEY V0033794

DISA_VMSKEY V0033884

IAVM 2012-A-0148

IAVM 2012-A-0153

OSVDB 80259

REDHAT RHSA-2012:0429

REDHAT RHSA-2012:0488

REDHAT RHSA-2012:0531

USN USN-1418-1

Vulnerability Solution:
•libgnutls13 on Ubuntu Linux 8.04
Upgrade libgnutls13 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libgnutls13 to the latest version
•libgnutls26 on Ubuntu Linux 10.04
Upgrade libgnutls26 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version
•libgnutls26 on Ubuntu Linux 10.10
Upgrade libgnutls26 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version
•libgnutls26 on Ubuntu Linux 11.04
Upgrade libgnutls26 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version
•libgnutls26 on Ubuntu Linux 11.10
Upgrade libgnutls26 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version

3.2.148. USN-1436-1: Libtasn1 vulnerability (ubuntu-usn-1436-1)

Description:

The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products,
does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory
corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libtasn1-3 1.1-1

References:

Source Reference

CVE CVE-2012-1569

DISA_SEVERITY Category I

DISA_VMSKEY V0033794

DISA_VMSKEY V0033884

IAVM 2012-A-0148

IAVM 2012-A-0153

REDHAT RHSA-2012:0488

REDHAT RHSA-2012:0531

USN USN-1436-1

Vulnerability Solution:
•libtasn1-3 on Ubuntu Linux 10.04
Upgrade libtasn1-3 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libtasn1-3 to the latest version
•libtasn1-3 on Ubuntu Linux 11.04
Upgrade libtasn1-3 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libtasn1-3 to the latest version
•libtasn1-3 on Ubuntu Linux 11.10
Upgrade libtasn1-3 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libtasn1-3 to the latest version
•libtasn1-3 on Ubuntu Linux 12.04
Upgrade libtasn1-3 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libtasn1-3 to the latest version
•libtasn1-3 on Ubuntu Linux 8.04
Upgrade libtasn1-3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libtasn1-3 to the latest version

3.2.149. USN-1467-1: MySQL vulnerabilities (ubuntu-usn-1467-1)

Description:

sql/password.c in Oracle MySQL 5.1.x before 5.1.63, 5.5.x before 5.5.24, and 5.6.x before 5.6.6, and MariaDB 5.1.x before 5.1.62,
5.2.x before 5.2.12, 5.3.x before 5.3.6, and 5.5.x before 5.5.23, when running in certain environments with certain implementations of
the memcmp function, allows remote attackers to bypass authentication by repeatedly authenticating with the same incorrect password,
which eventually causes a token comparison to succeed due to an improperly-checked return value.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu mysql-server-5.0 5.0.51a-3ubuntu5

References:

Source Reference

BID 53911

CVE CVE-2012-2122

USN USN-1467-1

Vulnerability Solution:
•mysql-server-5.0 on Ubuntu Linux 8.04
Upgrade mysql-server-5.0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.1 on Ubuntu Linux 10.04
Upgrade mysql-server-5.1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 11.04
Upgrade mysql-server-5.1 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 11.10
Upgrade mysql-server-5.1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.5 on Ubuntu Linux 12.04
Upgrade mysql-server-5.5 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.5 to the latest version

3.2.150. USN-1527-1: Expat vulnerabilities (ubuntu-usn-1527-1)

Description:

Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a
denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures
when expanding entities.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libexpat1 2.0.1-0ubuntu1

References:

Source Reference

APPLE APPLE-SA-2013-10-22-3

BID 52379

CVE CVE-2012-0876

CVE CVE-2012-1148

DEBIAN DSA-2525

DISA_SEVERITY Category I

DISA_VMSKEY V0035032

IAVM 2012-A-0189

REDHAT RHSA-2012:0731

USN USN-1527-1

Vulnerability Solution:
•lib64expat1 on Ubuntu Linux 10.04
Upgrade lib64expat1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•lib64expat1 on Ubuntu Linux 11.04
Upgrade lib64expat1 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•lib64expat1 on Ubuntu Linux 11.10
Upgrade lib64expat1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•lib64expat1 on Ubuntu Linux 12.04
Upgrade lib64expat1 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•lib64expat1 on Ubuntu Linux 8.04
Upgrade lib64expat1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•libexpat1 on Ubuntu Linux 10.04
Upgrade libexpat1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1 on Ubuntu Linux 11.04
Upgrade libexpat1 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1 on Ubuntu Linux 11.10
Upgrade libexpat1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1 on Ubuntu Linux 12.04
Upgrade libexpat1 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1 on Ubuntu Linux 8.04
Upgrade libexpat1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1-udeb on Ubuntu Linux 10.04
Upgrade libexpat1-udeb for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version
•libexpat1-udeb on Ubuntu Linux 11.04
Upgrade libexpat1-udeb for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version
•libexpat1-udeb on Ubuntu Linux 11.10
Upgrade libexpat1-udeb for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version
•libexpat1-udeb on Ubuntu Linux 12.04
Upgrade libexpat1-udeb for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version
•libexpat1-udeb on Ubuntu Linux 8.04
Upgrade libexpat1-udeb for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version

3.2.151. USN-1542-1: PostgreSQL vulnerabilities (ubuntu-usn-1542-1)

Description:

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not
properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or
trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security
options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

APPLE APPLE-SA-2013-03-14-1

BID 55072

BID 55074

CVE CVE-2012-3488

CVE CVE-2012-3489

DEBIAN DSA-2534

REDHAT RHSA-2012:1263

REDHAT RHSA-2012:1264

USN USN-1542-1

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.4 on Ubuntu Linux 10.04
Upgrade postgresql-8.4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-8.4 on Ubuntu Linux 11.04
Upgrade postgresql-8.4 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-9.1 on Ubuntu Linux 11.10
Upgrade postgresql-9.1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version
•postgresql-9.1 on Ubuntu Linux 12.04
Upgrade postgresql-9.1 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version

3.2.152. USN-1546-1: libgc vulnerability (ubuntu-usn-1546-1)

Description:

Multiple integer overflows in the (1) GC_generic_malloc and (2) calloc functions in malloc.c, and the (3)
GC_generic_malloc_ignore_off_page function in mallocx.c in Boehm-Demers-Weiser GC (libgc) before 7.2 make it easier for context-
dependent attackers to perform memory-related attacks such as buffer overflows via a large size value, which causes less memory to
be allocated than expected.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libgc1c2 1:6.8-1.1

References:

Source Reference

BID 54227

CVE CVE-2012-2673

REDHAT RHSA-2013:1500

REDHAT RHSA-2014:0149

REDHAT RHSA-2014:0150

USN USN-1546-1

Vulnerability Solution:
•libgc1c2 on Ubuntu Linux 10.04
Upgrade libgc1c2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libgc1c2 to the latest version
•libgc1c2 on Ubuntu Linux 11.04
Upgrade libgc1c2 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libgc1c2 to the latest version
•libgc1c2 on Ubuntu Linux 11.10
Upgrade libgc1c2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libgc1c2 to the latest version
•libgc1c2 on Ubuntu Linux 12.04
Upgrade libgc1c2 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libgc1c2 to the latest version
•libgc1c2 on Ubuntu Linux 8.04
Upgrade libgc1c2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libgc1c2 to the latest version

3.2.153. USN-1732-1: OpenSSL vulnerabilities (ubuntu-usn-1732-1)

Description:

OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP
responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an
invalid key.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libssl0.9.8 0.9.8g-4ubuntu3.18

References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

BID 57755

CERT TA13-051A

CERT-VN 737740

CVE CVE-2012-2686

CVE CVE-2013-0166

CVE CVE-2013-0169

DEBIAN DSA-2621

DEBIAN DSA-2622

OVAL OVAL18754

OVAL OVAL18841

OVAL OVAL18868

OVAL OVAL19016

OVAL OVAL19081

OVAL OVAL19360

OVAL OVAL19424

OVAL OVAL19487

OVAL OVAL19540

OVAL OVAL19608

OVAL OVAL19660

REDHAT RHSA-2013:0587

REDHAT RHSA-2013:0782

REDHAT RHSA-2013:0783

REDHAT RHSA-2013:0833

REDHAT RHSA-2013:1455

REDHAT RHSA-2013:1456

USN USN-1732-1

Vulnerability Solution:
•libssl0.9.8 on Ubuntu Linux 10.04
Upgrade libssl0.9.8 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl0.9.8 on Ubuntu Linux 8.04
Upgrade libssl0.9.8 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libssl0.9.8 to the latest version
•libssl1.0.0 on Ubuntu Linux 11.10
Upgrade libssl1.0.0 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libssl1.0.0 to the latest version
•libssl1.0.0 on Ubuntu Linux 12.04
Upgrade libssl1.0.0 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libssl1.0.0 to the latest version
•libssl1.0.0 on Ubuntu Linux 12.10
Upgrade libssl1.0.0 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade libssl1.0.0 to the latest version

3.2.154. USN-1765-1: Apache HTTP Server vulnerabilities (ubuntu-usn-1765-1)

Description:

The mod_proxy_ajp module in the Apache HTTP Server 2.2.12 through 2.2.21 places a worker node into an error state upon detection
of a long request-processing time, which allows remote attackers to cause a denial of service (worker consumption) via an expensive
request.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apache2.2-common 2.2.8-1ubuntu0.15

References:

Source Reference

APPLE APPLE-SA-2013-09-12-1

BID 64758

CVE CVE-2012-3499

CVE CVE-2012-4557

CVE CVE-2012-4558

CVE CVE-2013-1048

DEBIAN DSA-2579

DEBIAN DSA-2637

DISA_SEVERITY Category I

DISA_VMSKEY V0040288

IAVM 2013-A-0177

OVAL OVAL18938

OVAL OVAL18977

OVAL OVAL19284

OVAL OVAL19312

REDHAT RHSA-2013:0815

REDHAT RHSA-2013:1207

REDHAT RHSA-2013:1208

REDHAT RHSA-2013:1209

USN USN-1765-1

Vulnerability Solution:
•apache2.2-common on Ubuntu Linux 10.04
Upgrade apache2.2-common for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 11.10
Upgrade apache2.2-common for Ubuntu 11.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 12.04
Upgrade apache2.2-common for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 12.10
Upgrade apache2.2-common for Ubuntu 12.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 8.04
Upgrade apache2.2-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version

3.2.155. USN-1801-1: curl vulnerability (ubuntu-usn-1801-1)

Description:

The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies,
which allows remote attackers to steal cookies via a matching suffix in the domain of a URL.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libcurl3 7.18.0-1ubuntu2.3

References:

Source Reference

APPLE APPLE-SA-2013-10-22-3

BID 59058

CVE CVE-2013-1944

DEBIAN DSA-2660

OSVDB 92316

REDHAT RHSA-2013:0771

USN USN-1801-1

Vulnerability Solution:
•curl on Ubuntu Linux 10.04
Upgrade curl for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade curl to the latest version
•curl on Ubuntu Linux 11.10
Upgrade curl for Ubuntu 11.10
Use `apt-get upgrade` to upgrade curl to the latest version
•curl on Ubuntu Linux 12.04
Upgrade curl for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade curl to the latest version
•curl on Ubuntu Linux 12.10
Upgrade curl for Ubuntu 12.10
Use `apt-get upgrade` to upgrade curl to the latest version
•curl on Ubuntu Linux 8.04
Upgrade curl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade curl to the latest version
•libcurl3 on Ubuntu Linux 10.04
Upgrade libcurl3 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 11.10
Upgrade libcurl3 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 12.04
Upgrade libcurl3 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 12.10
Upgrade libcurl3 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade libcurl3 to the latest version
•libcurl3 on Ubuntu Linux 8.04
Upgrade libcurl3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libcurl3 to the latest version

3.2.156. USN-653-1: D-Bus vulnerabilities (ubuntu-usn-653-1)

Description:

dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security
policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL
interface.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libdbus-1-3 1.1.20-1ubuntu1

References:

Source Reference

BID 28023

BID 31602

CVE CVE-2008-0595

CVE CVE-2008-3834

DEBIAN DSA-1599

DEBIAN DSA-1658

OVAL OVAL10253

OVAL OVAL9353

REDHAT RHSA-2008:0159

REDHAT RHSA-2009:0008

USN USN-653-1

XF 45701

Vulnerability Solution:
•libdbus-1-3 on Ubuntu Linux 7.04
Upgrade libdbus-1-3 for Ubuntu 7.04
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 7.10
Upgrade libdbus-1-3 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 8.04
Upgrade libdbus-1-3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version

3.2.157. USN-671-1: MySQL vulnerabilities (ubuntu-usn-671-1)

Description:

MySQL before 5.0.67 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified
(1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that
can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL home
data directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4097.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu mysql-server-5.0 5.0.51a-3ubuntu5


References:

Source Reference

APPLE APPLE-SA-2008-10-09

APPLE APPLE-SA-2009-09-10-2

BID 29106

BID 31681

CVE CVE-2008-2079

CVE CVE-2008-3963

CVE CVE-2008-4097

CVE CVE-2008-4098

DEBIAN DSA-1608

DEBIAN DSA-1662

DEBIAN DSA-1783

OVAL OVAL10133

OVAL OVAL10521

OVAL OVAL10591

REDHAT RHSA-2008:0505

REDHAT RHSA-2008:0510

REDHAT RHSA-2008:0768

REDHAT RHSA-2009:1067

REDHAT RHSA-2009:1289

REDHAT RHSA-2010:0110

USN USN-671-1

XF 42267

XF 45042

XF 45648

XF 45649

Vulnerability Solution:
•mysql-server-5.0 on Ubuntu Linux 7.10
Upgrade mysql-server-5.0 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.0 on Ubuntu Linux 8.04
Upgrade mysql-server-5.0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version

3.2.158. USN-837-1: Newt vulnerability (ubuntu-usn-837-1)

Description:

Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0.52.2 allows local users to cause a denial of service (application
crash) or possibly execute arbitrary code via a request to display a crafted text dialog box.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libnewt0.52 0.52.2-11.2ubuntu1

References:

Source Reference

BID 36515

CVE CVE-2009-2905

DEBIAN DSA-1894

OVAL OVAL8556

OVAL OVAL9664

REDHAT RHSA-2009:1463

USN USN-837-1

Vulnerability Solution:
•libnewt0.52 on Ubuntu Linux 8.04
Upgrade libnewt0.52 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libnewt0.52 to the latest version
•libnewt0.52 on Ubuntu Linux 8.10
Upgrade libnewt0.52 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libnewt0.52 to the latest version
•libnewt0.52 on Ubuntu Linux 9.04
Upgrade libnewt0.52 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libnewt0.52 to the latest version

3.2.159. USN-890-1: Expat vulnerabilities (ubuntu-usn-890-1)

Description:

The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software,
allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8
sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libexpat1 2.0.1-0ubuntu1

References:

Source Reference

APPLE APPLE-SA-2009-09-03-1

BID 35958

BID 37203

CERT TA09-294A

CERT TA10-012A

CVE CVE-2009-2625

CVE CVE-2009-3560

CVE CVE-2009-3720

DEBIAN DSA-1953

DEBIAN DSA-1984

DISA_SEVERITY Category I

DISA_VMSKEY V0031252

IAVM 2012-A-0020

OVAL OVAL10613

OVAL OVAL11019

OVAL OVAL12719

OVAL OVAL12942

OVAL OVAL6883

OVAL OVAL7112

OVAL OVAL8520

OVAL OVAL9356

REDHAT RHSA-2009:1199

REDHAT RHSA-2009:1200

REDHAT RHSA-2009:1201

REDHAT RHSA-2009:1615

REDHAT RHSA-2009:1636

REDHAT RHSA-2009:1637

REDHAT RHSA-2009:1649

REDHAT RHSA-2009:1650

REDHAT RHSA-2010:0002

REDHAT RHSA-2011:0858

REDHAT RHSA-2011:0896

REDHAT RHSA-2012:1232

REDHAT RHSA-2012:1537

SUSE SUSE-SA:2009:053

USN USN-890-1

Vulnerability Solution:
•lib64expat1 on Ubuntu Linux 8.04
Upgrade lib64expat1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•lib64expat1 on Ubuntu Linux 8.10
Upgrade lib64expat1 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•lib64expat1 on Ubuntu Linux 9.04
Upgrade lib64expat1 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•lib64expat1 on Ubuntu Linux 9.10
Upgrade lib64expat1 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade lib64expat1 to the latest version
•libexpat1 on Ubuntu Linux 8.04
Upgrade libexpat1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1 on Ubuntu Linux 8.10
Upgrade libexpat1 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1 on Ubuntu Linux 9.04
Upgrade libexpat1 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1 on Ubuntu Linux 9.10
Upgrade libexpat1 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libexpat1 to the latest version
•libexpat1-udeb on Ubuntu Linux 8.04
Upgrade libexpat1-udeb for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version
•libexpat1-udeb on Ubuntu Linux 8.10
Upgrade libexpat1-udeb for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version
•libexpat1-udeb on Ubuntu Linux 9.04
Upgrade libexpat1-udeb for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version
•libexpat1-udeb on Ubuntu Linux 9.10
Upgrade libexpat1-udeb for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libexpat1-udeb to the latest version

3.2.160. USN-986-1: bzip2 vulnerability (ubuntu-usn-986-1)

Description:

Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent
attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libbz2-1.0 1.0.4-2ubuntu4

References:

Source Reference

APPLE APPLE-SA-2011-03-21-1

CVE CVE-2010-0405

DISA_SEVERITY Category II

DISA_VMSKEY V0025411

IAVM 2010-B-0083

REDHAT RHSA-2010:0703

REDHAT RHSA-2010:0858

USN USN-986-1

Vulnerability Solution:
•bzip2 on Ubuntu Linux 10.04
Upgrade bzip2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade bzip2 to the latest version
•bzip2 on Ubuntu Linux 8.04
Upgrade bzip2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade bzip2 to the latest version
•bzip2 on Ubuntu Linux 9.04
Upgrade bzip2 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade bzip2 to the latest version
•bzip2 on Ubuntu Linux 9.10
Upgrade bzip2 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade bzip2 to the latest version
•libbz2-1.0 on Ubuntu Linux 10.04
Upgrade libbz2-1.0 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libbz2-1.0 to the latest version
•libbz2-1.0 on Ubuntu Linux 8.04
Upgrade libbz2-1.0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libbz2-1.0 to the latest version
•libbz2-1.0 on Ubuntu Linux 9.04
Upgrade libbz2-1.0 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libbz2-1.0 to the latest version
•libbz2-1.0 on Ubuntu Linux 9.10
Upgrade libbz2-1.0 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libbz2-1.0 to the latest version

3.2.161. USN-986-3: dpkg vulnerability (ubuntu-usn-986-3)

Description:

Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent
attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu dpkg 1.14.16.6ubuntu3

References:

Source Reference

APPLE APPLE-SA-2011-03-21-1

CVE CVE-2010-0405

DISA_SEVERITY Category II

DISA_VMSKEY V0025411

IAVM 2010-B-0083

REDHAT RHSA-2010:0703

REDHAT RHSA-2010:0858

USN USN-986-3

Vulnerability Solution:
•dpkg on Ubuntu Linux 10.04
Upgrade dpkg for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade dpkg to the latest version
•dpkg on Ubuntu Linux 8.04
Upgrade dpkg for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade dpkg to the latest version
•dpkg on Ubuntu Linux 9.04
Upgrade dpkg for Ubuntu 9.04
Use `apt-get upgrade` to upgrade dpkg to the latest version
•dpkg on Ubuntu Linux 9.10
Upgrade dpkg for Ubuntu 9.10
Use `apt-get upgrade` to upgrade dpkg to the latest version

3.2.162. Apache HTTPD: error responses can expose cookies (CVE-2012-0053) (apache-httpd-cve-2012-0053)

Description:

A flaw was found in the default error response for status code 400. This flaw could be used by an attacker to expose "httpOnly" cookies
when no custom ErrorDocument is specified.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
HTTP GET request to http://192.168.0.102/
HTTP response code was an expected 400
9: <h1>Bad Request</h1>
10: <p>Your browser sent a request that this server could not understan...
11: Request header field is missing ':' separator.<br />
12: <pre>
9: R7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TESTR7TE...

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

BID 51706

CVE CVE-2012-0053

REDHAT RHSA-2012:0128

URL http://httpd.apache.org/security/vulnerabilities_20.html

URL http://httpd.apache.org/security/vulnerabilities_22.html

Vulnerability Solution:
•Apache HTTPD >= 2.0 and < 2.0.65
Upgrade to Apache HTTPD version 2.0.65
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.0.65.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.2 and < 2.2.22


Upgrade to Apache HTTPD version 2.2.22
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.22.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.163. Apache HTTPD: mod_deflate denial of service (CVE-2014-0118) (apache-httpd-cve-2014-0118)

Description:

The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_deflate. Review your web
server configuration for validation. A resource consumption flaw was found in mod_deflate. If request body decompression was
configured (using the "DEFLATE" input filter), a remote attacker could cause the server to consume significant memory and/or CPU
resources. The use of request body decompression is not a common configuration.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2015-04-08-2

BID 68745

CVE CVE-2014-0118

DEBIAN DSA-2989

DISA_SEVERITY Category I

DISA_VMSKEY V0053307

IAVM 2014-A-0114

REDHAT RHSA-2014:1019

REDHAT RHSA-2014:1020

REDHAT RHSA-2014:1021

URL http://httpd.apache.org/security/vulnerabilities_22.html

URL http://httpd.apache.org/security/vulnerabilities_24.html

Vulnerability Solution:
•Apache HTTPD >= 2.2 and < 2.2.29
Upgrade to Apache HTTPD version 2.2.29
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.29.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

•Apache HTTPD >= 2.4 and < 2.4.10


Upgrade to Apache HTTPD version 2.4.10
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.10.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.2.164. ISC BIND: DNSSEC validation code could cause bogus NXDOMAIN responses (CVE-2010-0097) (dns-bind-cve-2010-0097)

Description:

ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate
DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged
NXDOMAIN response for an existing domain.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

BID 37865

CERT-VN 360341

CVE CVE-2010-0097

DEBIAN DSA-2054

OSVDB 61853

OVAL OVAL12205

OVAL OVAL7212

OVAL OVAL7430

OVAL OVAL9357

REDHAT RHSA-2010:0062

REDHAT RHSA-2010:0095

SUSE SUSE-SA:2010:008

URL https://kb.isc.org/article/AA-00932/0

URL https://kb.isc.org/article/AA-00932/187/CVE-2010-0097%3A-BIND-9-DNSSEC-validation-code-could-cause-bogus-NXDOMAIN-responses.html

XF 55753

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.2.165. ISC BIND: cache incorrectly allows an ncache entry and an RRSIG for the same type (CVE-2010-3613) (dns-bind-cve-2010-3613)

Description:

named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the
combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a
denial of service (daemon crash) via a query for cached data.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

BID 45133

CERT-VN 706148

CVE CVE-2010-3613

DEBIAN DSA-2130

DISA_SEVERITY Category I

DISA_VMSKEY V0027158

IAVM 2011-A-0066

NETBSD NetBSD-SA2011-001

OSVDB 69558

OVAL OVAL12601

REDHAT RHSA-2010:0975

REDHAT RHSA-2010:0976

REDHAT RHSA-2010:1000

URL https://kb.isc.org/article/AA-00938/0

URL https://kb.isc.org/article/AA-00938/187/CVE-2010-3613%3A-cache-incorrectly-allows-a-ncache-entry-and-a-rrsig-for-the-same-type.html

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.2.166. MySQL Bug #29908: ALTER VIEW Privilege Escalation Vulnerability (mysql-bug-29908-alter-view-priv-esc)

Description:

A flaw in the ALTER VIEW routine of MySQL allows for the opportunity of an authenticated user to elevate their privileges in certain
contexts.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

URL http://bugs.mysql.com/bug.php?id=29908

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.52
Upgrade to Oracle MySQL version 5.0.52
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.23


Upgrade to Oracle MySQL version 5.1.23
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.167. MySQL Bug #44798: Stored Procedures Server Crash (mysql-bug-44798-stored-procedures-server-crash)

Description:

Versions of MySQL server 5.0 before 5.0.84 and 5.1 before 5.1.36 suffer from a privilege interpretation flaw that causes a server crash.
A user created with the privileges to create stored procedures but not execute them will trigger this issue.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

URL http://bugs.mysql.com/bug.php?id=44798

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.84
Upgrade to Oracle MySQL version 5.0.84
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.36


Upgrade to Oracle MySQL version 5.1.36
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.168. Oracle MySQL Vulnerability: CVE-2010-3677 (oracle-mysql-cve-2010-3677)

Description:

Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon
crash) via a join query that uses a table with a unique SET column.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 42646

CVE CVE-2010-3677

DEBIAN DSA-2143

REDHAT RHSA-2010:0825

REDHAT RHSA-2011:0164

XF 64688

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.92
Upgrade to Oracle MySQL version 5.0.92
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.49


Upgrade to Oracle MySQL version 5.1.49
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.169. Oracle MySQL Vulnerability: CVE-2010-3682 (oracle-mysql-cve-2010-3682)

Description:

Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon
crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL
pointer dereference in the Item_singlerow_subselect::store function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 42599

CVE CVE-2010-3682

DEBIAN DSA-2143

REDHAT RHSA-2010:0825

REDHAT RHSA-2011:0164

XF 64684

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.92
Upgrade to Oracle MySQL version 5.0.92
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.49


Upgrade to Oracle MySQL version 5.1.49
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.170. Oracle MySQL Vulnerability: CVE-2010-3834 (oracle-mysql-cve-2010-3834)

Description:

Unspecified vulnerability in MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to
cause a denial of service (server crash) via vectors related to "materializing a derived table that required a temporary table for grouping"
and "user variable assignments."

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 43676

CVE CVE-2010-3834

DEBIAN DSA-2143

XF 64844

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.92
Upgrade to Oracle MySQL version 5.0.92
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.51


Upgrade to Oracle MySQL version 5.1.51
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.6


Upgrade to Oracle MySQL version 5.5.6
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.171. Oracle MySQL Vulnerability: CVE-2010-3836 (oracle-mysql-cve-2010-3836)

Description:

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service
(assertion failure and server crash) via vectors related to view preparation, pre-evaluation of LIKE predicates, and IN Optimizers.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 43676

CVE CVE-2010-3836

DEBIAN DSA-2143

REDHAT RHSA-2010:0825

REDHAT RHSA-2011:0164

XF 64842

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.92
Upgrade to Oracle MySQL version 5.0.92
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.51


Upgrade to Oracle MySQL version 5.1.51
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.6


Upgrade to Oracle MySQL version 5.5.6
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.172. Oracle MySQL Vulnerability: CVE-2010-3837 (oracle-mysql-cve-2010-3837)

Description:

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service
(server crash) via a prepared statement that uses GROUP_CONCAT with the WITH ROLLUP modifier, probably triggering a use-after-
free error when a copied object is modified in a way that also affects the original object.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 43676

CVE CVE-2010-3837

DEBIAN DSA-2143

REDHAT RHSA-2010:0825

REDHAT RHSA-2011:0164

XF 64841

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.92
Upgrade to Oracle MySQL version 5.0.92
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.51


Upgrade to Oracle MySQL version 5.1.51
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.6


Upgrade to Oracle MySQL version 5.5.6
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.173. Oracle MySQL Vulnerability: CVE-2010-3838 (oracle-mysql-cve-2010-3838)

Description:

MySQL 5.0 before 5.0.92, 5.1 before 5.1.51, and 5.5 before 5.5.6 allows remote authenticated users to cause a denial of service
(server crash) via a query that uses the (1) GREATEST or (2) LEAST function with a mixed list of numeric and LONGBLOB arguments,
which is not properly handled when the function's result is "processed using an intermediate temporary table."

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

APPLE APPLE-SA-2011-06-23-1

BID 43676

CVE CVE-2010-3838

DEBIAN DSA-2143

REDHAT RHSA-2010:0825

REDHAT RHSA-2011:0164

XF 64840

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.92
Upgrade to Oracle MySQL version 5.0.92
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.51


Upgrade to Oracle MySQL version 5.1.51
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.6


Upgrade to Oracle MySQL version 5.5.6
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.174. Oracle MySQL Vulnerability: CVE-2012-0087 (oracle-mysql-cve-2012-0087)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0101 and CVE-2012-0102.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

BID 51509

CVE CVE-2012-0087

OSVDB 78377

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72519

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.175. Oracle MySQL Vulnerability: CVE-2012-0101 (oracle-mysql-cve-2012-0101)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0102.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0101

OSVDB 78378

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72520

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.176. Oracle MySQL Vulnerability: CVE-2012-0102 (oracle-mysql-cve-2012-0102)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x and 5.1.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0087 and CVE-2012-0101.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0102

OSVDB 78379

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72521

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.177. Oracle MySQL Vulnerability: CVE-2012-0112 (oracle-mysql-cve-2012-0112)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and
CVE-2012-0492.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0112

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.178. Oracle MySQL Vulnerability: CVE-2012-0115 (oracle-mysql-cve-2012-0115)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and
CVE-2012-0492.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0115

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.179. Oracle MySQL Vulnerability: CVE-2012-0117 (oracle-mysql-cve-2012-0117)


Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489,
CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0117

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.180. Oracle MySQL Vulnerability: CVE-2012-0119 (oracle-mysql-cve-2012-0119)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0120, CVE-2012-0485, and
CVE-2012-0492.


Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0119

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.181. Oracle MySQL Vulnerability: CVE-2012-0120 (oracle-mysql-cve-2012-0120)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0485, and
CVE-2012-0492.

Affected Nodes:

Affected Nodes: Additional Information:


192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0120

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.182. Oracle MySQL Vulnerability: CVE-2012-0484 (oracle-mysql-cve-2012-0484)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to
affect confidentiality via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:


Source Reference

BID 51515

CVE CVE-2012-0484

OSVDB 78372

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72525

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.183. Oracle MySQL Vulnerability: CVE-2012-0485 (oracle-mysql-cve-2012-0485)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and
CVE-2012-0492.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:


Source Reference

BID 51513

CVE CVE-2012-0485

OSVDB 78383

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72526

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.184. Oracle MySQL Vulnerability: CVE-2012-0487 (oracle-mysql-cve-2012-0487)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0488, CVE-2012-0489,
CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:


Source Reference

BID 51503

CVE CVE-2012-0487

OSVDB 78385

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72528

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.185. Oracle MySQL Vulnerability: CVE-2012-0488 (oracle-mysql-cve-2012-0488)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0489,
CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:


Source Reference

BID 51506

CVE CVE-2012-0488

OSVDB 78386

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72529

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.186. Oracle MySQL Vulnerability: CVE-2012-0489 (oracle-mysql-cve-2012-0489)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488,
CVE-2012-0491, CVE-2012-0493, and CVE-2012-0495.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:


Source Reference

BID 51510

CVE CVE-2012-0489

OSVDB 78387

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72530

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.187. Oracle MySQL Vulnerability: CVE-2012-0490 (oracle-mysql-cve-2012-0490)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to
affect availability via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:


Source Reference

BID 51524

CVE CVE-2012-0490

OSVDB 78388

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72531

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.188. Oracle MySQL Vulnerability: CVE-2012-0491 (oracle-mysql-cve-2012-0491)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488,
CVE-2012-0489, CVE-2012-0493, and CVE-2012-0495.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:


Source Reference

BID 51518

CVE CVE-2012-0491

OSVDB 78389

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72532

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.189. Oracle MySQL Vulnerability: CVE-2012-0495 (oracle-mysql-cve-2012-0495)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488,
CVE-2012-0489, CVE-2012-0491, and CVE-2012-0493.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:


Source Reference

CVE CVE-2012-0495

OSVDB 78390

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72533

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61


Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20


Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.2.190. PHP Vulnerability: CVE-2007-4887 (php-cve-2007-4887)

Description:

The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long
string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference


APPLE APPLE-SA-2008-03-18

BID 26403

CVE CVE-2007-4887

OVAL OVAL5767

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.191. PHP Vulnerability: CVE-2007-5447 (php-cve-2007-5447)

Description:

ioncube_loader_win_5.2.dll in the ionCube Loader 6.5 extension for PHP 5.2.4 does not follow safe_mode and disable_functions
restrictions, which allows context-dependent attackers to bypass intended limitations, as demonstrated by reading arbitrary files via the
ioncube_read_file function.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

BID 26024

CVE CVE-2007-5447

OSVDB 41708

XF 37227

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.192. PHP Vulnerability: CVE-2011-0753 (php-cve-2011-0753)

Description:

Race condition in the PCNTL extension in PHP before 5.3.4, when a user-defined signal handler exists, might allow context-dependent
attackers to cause a denial of service (memory corruption) via a large number of concurrent signals.

Affected Nodes:


Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2011-0753

OVAL OVAL12271

XF 65431

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.3.4.tar.gz

3.2.193. PHP Vulnerability: CVE-2011-1398 (php-cve-2011-1398)

Description:

The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka
carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted
URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and
Google Chrome.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2011-1398

REDHAT RHSA-2013:1307

Vulnerability Solution:
•Upgrade to PHP version 5.3.11
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.0
Download and apply the upgrade from: http://www.php.net/releases/

3.2.194. PHP Fixed possible attack in SSL sockets with SSL 3.0 / TLS 1.0 (php-cve-2011-3389)


Description:

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google
Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows
man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in
conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight
WebClient API, aka a "BEAST" attack.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2011-10-12-1

APPLE APPLE-SA-2011-10-12-2

APPLE APPLE-SA-2012-02-01-1

APPLE APPLE-SA-2012-05-09-1

APPLE APPLE-SA-2012-07-25-2

APPLE APPLE-SA-2012-09-19-2

APPLE APPLE-SA-2013-10-22-3

BID 49388

BID 49778

CERT TA12-010A

CERT-VN 864643

CVE CVE-2011-3389

DISA_SEVERITY Category I

DISA_VMSKEY V0031054

IAVM 2012-B-0006

MS MS12-006

OSVDB 74829

OVAL OVAL14752

REDHAT RHSA-2011:1384

REDHAT RHSA-2012:0006

REDHAT RHSA-2013:1455


Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.2.195. PHP Vulnerability: CVE-2012-2143 (php-cve-2012-2143)

Description:

The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products,
does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for
context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as
demonstrated by a Unicode password.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

CVE CVE-2012-2143

DEBIAN DSA-2491

REDHAT RHSA-2012:1037

Vulnerability Solution:
•Upgrade to PHP version 5.3.14
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.4.4
Download and apply the upgrade from: http://www.php.net/releases/

3.2.196. PHP Vulnerability: CVE-2014-2497 (php-cve-2014-2497)

Description:

The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8


Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10


References:

Source Reference

APPLE APPLE-SA-2015-04-08-2

CVE CVE-2014-2497

DEBIAN DSA-3215

REDHAT RHSA-2014:1326

REDHAT RHSA-2014:1327

REDHAT RHSA-2014:1765

REDHAT RHSA-2014:1766

Vulnerability Solution:
•Upgrade to PHP version 5.3.28
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.0
Download and apply the upgrade from: http://www.php.net/releases/

3.2.197. PHP Vulnerability: CVE-2014-5459 (php-cve-2014-5459)

Description:

The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a
(1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

CVE CVE-2014-5459

Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/

3.2.198. PHP Fixed dl() to limit argument size to MAXPATHLEN (php-fixed-dl-to-limit-argument-size-to-maxpathlen)


Description:

The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long
string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2008-03-18

BID 26403

CVE CVE-2007-4887

OVAL OVAL5767

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.5.tar.gz

3.2.199. Unencrypted Telnet Service Available (telnet-open-port)

Description:

Telnet is an unencrypted protocol; as such, it sends sensitive data (usernames, passwords) in clear text.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:23 Running Telnet service

References:

Source Reference

URL https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Vulnerability Solution:
Disable the telnet service. Replace it with technologies such as SSH, VPN, or TLS.

3.2.200. USN-1009-2: GNU C Library vulnerability (ubuntu-usn-1009-2)


Description:

USN-1009-1 fixed vulnerabilities in the GNU C library. Colin Watson discovered that the fixes were incomplete and introduced flaws
with setuid programs loading libraries that used dynamic string tokens in their RPATH. If the "man" program was installed setuid, a local
attacker could exploit this to gain "man" user privileges, potentially leading to further privilege escalations. Default Ubuntu installations
were not affected. Original advisory details: Tavis Ormandy discovered multiple flaws in the GNU C Library's handling of the LD_AUDIT
environment variable when running a privileged binary. A local attacker could exploit this to gain root privileges. (CVE-2010-3847,
CVE-2010-3856) The problem can be corrected by updating your system to the following package version: To update your system, please
follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary
changes. LP: 701783

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libc6 2.7-10ubuntu5

References:

Source Reference

USN USN-1009-2

Vulnerability Solution:
•libc6 on Ubuntu Linux 10.04
Upgrade libc6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 10.10
Upgrade libc6 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 8.04
Upgrade libc6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libc6 to the latest version
•libc6 on Ubuntu Linux 9.10
Upgrade libc6 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libc6 to the latest version

3.2.201. USN-1016-1: libxml2 vulnerability (ubuntu-usn-1016-1)

Description:

libxml2 before 2.7.8, as used in Google Chrome before 7.0.517.44, Apple Safari 5.0.2 and earlier, and other products, reads from
invalid memory locations during processing of malformed XPath expressions, which allows context-dependent attackers to cause a
denial of service (application crash) via a crafted XML document.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2010-11-22-1

APPLE APPLE-SA-2011-03-02-1

APPLE APPLE-SA-2011-03-09-2

APPLE APPLE-SA-2011-03-21-1

BID 44779

CVE CVE-2010-4008

DEBIAN DSA-2128

DISA_SEVERITY Category I

DISA_VMSKEY V0032171

DISA_VMSKEY V0033884

IAVM 2012-A-0073

IAVM 2012-A-0153

OVAL OVAL12148

REDHAT RHSA-2011:1749

REDHAT RHSA-2013:0217

USN USN-1016-1

Vulnerability Solution:
•libxml2 on Ubuntu Linux 10.04
Upgrade libxml2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 10.10
Upgrade libxml2 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 9.10
Upgrade libxml2 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.2.202. USN-1134-1: APR vulnerabilities (ubuntu-usn-1134-1)

Description:

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP
Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of
wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.
NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libapr1 1.2.11-1

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

CVE CVE-2011-0419

CVE CVE-2011-1928

DEBIAN DSA-2237

DISA_SEVERITY Category II

DISA_VMSKEY V0027639

IAVM 2011-B-0060

OVAL OVAL14638

OVAL OVAL14804

REDHAT RHSA-2011:0507

REDHAT RHSA-2011:0844

REDHAT RHSA-2011:0896

REDHAT RHSA-2011:0897

USN USN-1134-1

Vulnerability Solution:
•libapr1 on Ubuntu Linux 10.04
Upgrade libapr1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libapr1 to the latest version
•libapr1 on Ubuntu Linux 10.10
Upgrade libapr1 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libapr1 to the latest version
•libapr1 on Ubuntu Linux 11.04
Upgrade libapr1 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libapr1 to the latest version
•libapr1 on Ubuntu Linux 8.04
Upgrade libapr1 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libapr1 to the latest version

3.2.203. USN-1215-1: APT vulnerabilities (ubuntu-usn-1215-1)

Description:

It was discovered that the apt-key utility incorrectly verified GPG keys when downloaded via the net-update option. If a remote attacker
were able to perform a man-in-the-middle attack, this flaw could potentially be used to install altered packages. This update corrects the
issue by disabling the net-update option completely. A future update will re-enable the option with corrected verification. The problem can
be corrected by updating your system to the following package version: To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system update will make all the necessary changes. LP: 856489

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apt 0.7.9ubuntu17

References:

Source Reference

USN USN-1215-1

Vulnerability Solution:
•apt on Ubuntu Linux 10.04
Upgrade apt for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 10.10
Upgrade apt for Ubuntu 10.10
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 11.04
Upgrade apt for Ubuntu 11.04
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 8.04
Upgrade apt for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apt to the latest version

3.2.204. USN-1427-1: MySQL vulnerabilities (ubuntu-usn-1427-1)

Description:

Multiple security issues were discovered in MySQL and this update includes new upstream MySQL versions to fix these issues. MySQL
has been updated to 5.1.62 in Ubuntu 10.04 LTS, Ubuntu 11.04 and Ubuntu 11.10. Ubuntu 8.04 LTS has been updated to MySQL
5.0.96. In addition to security fixes, the updated packages contain bug fixes, new features, and possibly incompatible changes. Please
see the following for more information: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-62.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-96.html The problem can be corrected by updating your system to the
following package version: To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In
general, a standard system update will make all the necessary changes. LP: 965523

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu mysql-server-5.0 5.0.51a-3ubuntu5

References:

Source Reference

USN USN-1427-1

Vulnerability Solution:
•mysql-server-5.0 on Ubuntu Linux 8.04
Upgrade mysql-server-5.0 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.0 to the latest version
•mysql-server-5.1 on Ubuntu Linux 10.04
Upgrade mysql-server-5.1 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 11.04
Upgrade mysql-server-5.1 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version
•mysql-server-5.1 on Ubuntu Linux 11.10
Upgrade mysql-server-5.1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade mysql-server-5.1 to the latest version

3.2.205. USN-1450-1: Net-SNMP vulnerability (ubuntu-usn-1450-1)

Description:

Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote
authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in
the extension table.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libsnmp15 5.4.1~dfsg-4ubuntu4.3

References:

Source Reference

BID 53255

BID 53258

CVE CVE-2012-2141

REDHAT RHSA-2013:0124

USN USN-1450-1

XF 75169

Vulnerability Solution:
•libsnmp15 on Ubuntu Linux 10.04
Upgrade libsnmp15 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libsnmp15 to the latest version
•libsnmp15 on Ubuntu Linux 11.04
Upgrade libsnmp15 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade libsnmp15 to the latest version
•libsnmp15 on Ubuntu Linux 11.10
Upgrade libsnmp15 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libsnmp15 to the latest version
•libsnmp15 on Ubuntu Linux 12.04
Upgrade libsnmp15 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libsnmp15 to the latest version
•libsnmp15 on Ubuntu Linux 8.04
Upgrade libsnmp15 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libsnmp15 to the latest version

3.2.206. USN-1461-1: PostgreSQL vulnerabilities (ubuntu-usn-1461-1)

Description:

The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products,
does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-
dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated
by a Unicode password.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

APPLE APPLE-SA-2012-09-19-2

CVE CVE-2012-2143

CVE CVE-2012-2655

DEBIAN DSA-2491

REDHAT RHSA-2012:1037

USN USN-1461-1

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.4 on Ubuntu Linux 10.04
Upgrade postgresql-8.4 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-8.4 on Ubuntu Linux 11.04
Upgrade postgresql-8.4 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade postgresql-8.4 to the latest version
•postgresql-9.1 on Ubuntu Linux 11.10
Upgrade postgresql-9.1 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version
•postgresql-9.1 on Ubuntu Linux 12.04
Upgrade postgresql-9.1 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade postgresql-9.1 to the latest version

3.2.207. USN-1570-1: GnuPG vulnerability (ubuntu-usn-1570-1)

Description:

It was discovered that GnuPG used a short ID when downloading keys from a keyserver, even if a long ID was requested. An attacker
could possibly use this to return a different key with a duplicate short key id. The problem can be corrected by updating your system to
the following package version: To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In
general, a standard system update will make all the necessary changes. LP: 1016643

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu gnupg 1.4.6-2ubuntu5

References:

Source Reference

USN USN-1570-1

Vulnerability Solution:
•gnupg on Ubuntu Linux 10.04
Upgrade gnupg for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg on Ubuntu Linux 11.04
Upgrade gnupg for Ubuntu 11.04
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg on Ubuntu Linux 11.10
Upgrade gnupg for Ubuntu 11.10
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg on Ubuntu Linux 12.04
Upgrade gnupg for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg on Ubuntu Linux 8.04
Upgrade gnupg for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade gnupg to the latest version
•gnupg2 on Ubuntu Linux 10.04
Upgrade gnupg2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade gnupg2 to the latest version
•gnupg2 on Ubuntu Linux 11.04
Upgrade gnupg2 for Ubuntu 11.04
Use `apt-get upgrade` to upgrade gnupg2 to the latest version
•gnupg2 on Ubuntu Linux 11.10
Upgrade gnupg2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade gnupg2 to the latest version
•gnupg2 on Ubuntu Linux 12.04
Upgrade gnupg2 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade gnupg2 to the latest version
•gnupg2 on Ubuntu Linux 8.04
Upgrade gnupg2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade gnupg2 to the latest version

3.2.208. USN-1686-1: FreeType vulnerabilities (ubuntu-usn-1686-1)

Description:

The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-
bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libfreetype6 2.3.5-1ubuntu4.8.04.2

References:

Source Reference

CVE CVE-2012-5668

CVE CVE-2012-5669

CVE CVE-2012-5670

REDHAT RHSA-2013:0216

USN USN-1686-1

Vulnerability Solution:
•libfreetype6 on Ubuntu Linux 10.04
Upgrade libfreetype6 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 11.10
Upgrade libfreetype6 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 12.04
Upgrade libfreetype6 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 12.10
Upgrade libfreetype6 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version
•libfreetype6 on Ubuntu Linux 8.04
Upgrade libfreetype6 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libfreetype6 to the latest version

3.2.209. USN-1752-1: GnuTLS vulnerability (ubuntu-usn-1752-1)

Description:

The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-
channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote
attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a
related issue to CVE-2013-0169.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libgnutls13 2.0.4-1ubuntu2

References:

Source Reference

CVE CVE-2013-1619

REDHAT RHSA-2013:0588

USN USN-1752-1

Vulnerability Solution:
•libgnutls13 on Ubuntu Linux 8.04
Upgrade libgnutls13 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libgnutls13 to the latest version
•libgnutls26 on Ubuntu Linux 10.04
Upgrade libgnutls26 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version
•libgnutls26 on Ubuntu Linux 11.10
Upgrade libgnutls26 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version
•libgnutls26 on Ubuntu Linux 12.04
Upgrade libgnutls26 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version
•libgnutls26 on Ubuntu Linux 12.10
Upgrade libgnutls26 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version

3.2.210. USN-1782-1: libxml2 vulnerability (ubuntu-usn-1782-1)

Description:

libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML
file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with
linear complexity.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

CVE CVE-2013-0338

DEBIAN DSA-2652

USN USN-1782-1

Vulnerability Solution:
•libxml2 on Ubuntu Linux 10.04
Upgrade libxml2 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 11.10
Upgrade libxml2 for Ubuntu 11.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 12.04
Upgrade libxml2 for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 12.10
Upgrade libxml2 for Ubuntu 12.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.2.211. USN-640-1: libxml2 vulnerability (ubuntu-usn-640-1)

Description:

libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-
dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libxml2 2.6.31.dfsg-2ubuntu1

References:

Source Reference

APPLE APPLE-SA-2009-06-08-1

APPLE APPLE-SA-2009-06-17-1

BID 30783

CVE CVE-2008-3281

DEBIAN DSA-1631

OVAL OVAL6496

OVAL OVAL9812

REDHAT RHSA-2008:0836

USN USN-640-1

Vulnerability Solution:
•libxml2 on Ubuntu Linux 7.04
Upgrade libxml2 for Ubuntu 7.04
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 7.10
Upgrade libxml2 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libxml2 to the latest version
•libxml2 on Ubuntu Linux 8.04
Upgrade libxml2 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libxml2 to the latest version

3.2.212. USN-670-1: VMBuilder vulnerability (ubuntu-usn-670-1)

Description:

Mathias Gug discovered that vm-builder improperly set the root password when creating virtual machines. An attacker could exploit this
to gain root privileges to the virtual machine by using a predictable password. This vulnerability only affects virtual machines created
with vm-builder under Ubuntu 8.10, and does not affect native Ubuntu installations. An update was made to the shadow package to
detect vulnerable systems and disable password authentication for the root account. Vulnerable virtual machines which an attacker
has access to should be considered compromised, and appropriate actions taken to secure the machine. The problem can be corrected
by updating your system to the following package version: To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades. In general, a standard system upgrade is sufficient to effect the necessary changes.
https://bugs.launchpad.net/+bug/296841

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu passwd 1:4.0.18.2-1ubuntu2

References:

Source Reference

USN USN-670-1

Vulnerability Solution:
•passwd on Ubuntu Linux 7.10
Upgrade passwd for Ubuntu 7.10
Use `apt-get upgrade` to upgrade passwd to the latest version
•passwd on Ubuntu Linux 8.04
Upgrade passwd for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade passwd to the latest version
•passwd on Ubuntu Linux 8.10
Upgrade passwd for Ubuntu 8.10
Use `apt-get upgrade` to upgrade passwd to the latest version
•python-vm-builder on Ubuntu Linux 8.10
Upgrade python-vm-builder for Ubuntu 8.10
Use `apt-get upgrade` to upgrade python-vm-builder to the latest version

3.2.213. USN-678-1: GnuTLS vulnerability (ubuntu-usn-678-1)

Description:

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the
last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for
any Distinguished Name (DN).

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libgnutls13 2.0.4-1ubuntu2

References:

Source Reference

BID 32232

CVE CVE-2008-4989

DEBIAN DSA-1719

OVAL OVAL11650

REDHAT RHSA-2008:0982

USN USN-678-1

XF 46482

Vulnerability Solution:
•libgnutls13 on Ubuntu Linux 7.10
Upgrade libgnutls13 for Ubuntu 7.10
Use `apt-get upgrade` to upgrade libgnutls13 to the latest version
•libgnutls13 on Ubuntu Linux 8.04
Upgrade libgnutls13 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libgnutls13 to the latest version
•libgnutls26 on Ubuntu Linux 8.10
Upgrade libgnutls26 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libgnutls26 to the latest version

3.2.214. USN-753-1: PostgreSQL vulnerability (ubuntu-usn-753-1)

Description:

PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack
consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as
demonstrated using mismatched encoding conversion requests.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postgresql-8.3 8.3.1-1

References:

Source Reference

BID 34090

CVE CVE-2009-0922

OVAL OVAL10874

OVAL OVAL6252

REDHAT RHSA-2009:1067

USN USN-753-1

Vulnerability Solution:
•postgresql-8.3 on Ubuntu Linux 8.04
Upgrade postgresql-8.3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version
•postgresql-8.3 on Ubuntu Linux 8.10
Upgrade postgresql-8.3 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade postgresql-8.3 to the latest version

3.2.215. USN-799-1: D-Bus vulnerability (ubuntu-usn-799-1)

Description:

The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic
to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for
CVE-2008-3834.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libdbus-1-3 1.1.20-1ubuntu1

References:

Source Reference

BID 31602

CVE CVE-2009-1189

OVAL OVAL10308

REDHAT RHSA-2010:0095

USN USN-799-1

XF 50385

Vulnerability Solution:
•libdbus-1-3 on Ubuntu Linux 8.04
Upgrade libdbus-1-3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 8.10
Upgrade libdbus-1-3 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 9.04
Upgrade libdbus-1-3 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version

3.2.216. USN-808-1: Bind vulnerability (ubuntu-usn-808-1)

Description:

The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1,
when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an
ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu bind9 1:9.4.2-10

References:

Source Reference

CERT-VN 725188

CVE CVE-2009-0696

NETBSD NetBSD-SA2009-013

OVAL OVAL10414

OVAL OVAL12245

OVAL OVAL7806

USN USN-808-1

Vulnerability Solution:
•bind9 on Ubuntu Linux 8.04
Upgrade bind9 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade bind9 to the latest version
•bind9 on Ubuntu Linux 8.10
Upgrade bind9 for Ubuntu 8.10
Use `apt-get upgrade` to upgrade bind9 to the latest version
•bind9 on Ubuntu Linux 9.04
Upgrade bind9 for Ubuntu 9.04
Use `apt-get upgrade` to upgrade bind9 to the latest version

3.2.217. USN-855-1: libhtml-parser-perl vulnerability (ubuntu-usn-855-1)

Description:

The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service
(infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libhtml-parser-perl 3.56-1

References:

Source Reference

BID 36807

CVE CVE-2009-3627

USN USN-855-1

XF 53941

Vulnerability Solution:
•libhtml-parser-perl on Ubuntu Linux 8.04
Upgrade libhtml-parser-perl for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libhtml-parser-perl to the latest version
•libhtml-parser-perl on Ubuntu Linux 8.10
Upgrade libhtml-parser-perl for Ubuntu 8.10
Use `apt-get upgrade` to upgrade libhtml-parser-perl to the latest version
•libhtml-parser-perl on Ubuntu Linux 9.04
Upgrade libhtml-parser-perl for Ubuntu 9.04
Use `apt-get upgrade` to upgrade libhtml-parser-perl to the latest version
•libhtml-parser-perl on Ubuntu Linux 9.10
Upgrade libhtml-parser-perl for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libhtml-parser-perl to the latest version

3.2.218. USN-918-1: Samba vulnerability (ubuntu-usn-918-1)

Description:

The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists,
allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink
command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide
links options.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu samba 3.0.20-0.1ubuntu1

References:

Source Reference

CVE CVE-2010-0926

USN USN-918-1

Vulnerability Solution:
•samba on Ubuntu Linux 8.04
Upgrade samba for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 8.10
Upgrade samba for Ubuntu 8.10
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 9.04
Upgrade samba for Ubuntu 9.04
Use `apt-get upgrade` to upgrade samba to the latest version
•samba on Ubuntu Linux 9.10
Upgrade samba for Ubuntu 9.10
Use `apt-get upgrade` to upgrade samba to the latest version

3.2.219. USN-928-1: Sudo vulnerability (ubuntu-usn-928-1)

Description:

Valerio Costamagna discovered that sudo did not properly validate the path for the 'sudoedit' pseudo-command when the PATH
contained only a dot ('.'). If secure_path and ignore_dot were disabled, a local attacker could exploit this to execute arbitrary code as root
if sudo was configured to allow the attacker to use sudoedit. By default, secure_path is used and the sudoedit pseudo-command is not
used in Ubuntu. This is a different but related issue to CVE-2010-0426. The problem can be corrected by updating your system to the
following package version: To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. In
general, a standard system upgrade is sufficient to effect the necessary changes. LP: 563963

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu sudo 1.6.9p10-1ubuntu3

References:

Source Reference

USN USN-928-1

Vulnerability Solution:
•sudo on Ubuntu Linux 8.04
Upgrade sudo for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 8.10
Upgrade sudo for Ubuntu 8.10
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 9.04
Upgrade sudo for Ubuntu 9.04
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo on Ubuntu Linux 9.10
Upgrade sudo for Ubuntu 9.10
Use `apt-get upgrade` to upgrade sudo to the latest version
•sudo-ldap on Ubuntu Linux 8.04
Upgrade sudo-ldap for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 8.10
Upgrade sudo-ldap for Ubuntu 8.10
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 9.04
Upgrade sudo-ldap for Ubuntu 9.04
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version
•sudo-ldap on Ubuntu Linux 9.10
Upgrade sudo-ldap for Ubuntu 9.10
Use `apt-get upgrade` to upgrade sudo-ldap to the latest version

3.2.220. Non-absolute directory entries in PATH (unix-dot-entries-in-root-path)

Description:

Non-absolute (i.e., relative) directory entries (such as "." or ".." or "subdir1/subdir2") have been found in the PATH variable. An attacker
could elevate his privileges by creating strategically named executable files (such as "ls") and waiting for a user to execute a command
with the same name from a particular current working directory (CWD).

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 User "stdin" has the following unwanted entries in his/her PATH: is not a tty

References:
None

Vulnerability Solution:
Remove any non-absolute directory entries from the PATH variable. Depending on the configuration and type of operating system, this
variable may be defined or modified in one of the following system or user files:
•/etc/environment
•/etc/profile
•/etc/rc
•/etc/login.defs
•/etc/csh.*
•/etc/ksh.*
•/etc/bash.*
•~/.profile
•~/.login
•~/.*shrc

3.2.221. Root's umask value is unsafe (unix-umask-unsafe)

Description:

The umask value for root was found to be unsafe. The umask value determines the file permission for newly created files. It specifies
the permissions which should not be given by default to the newly created file. Although the default value of umask in most unix
systems is 022, it is a common practice to set it to 077 to be safe.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 The umask value was found to be 0022 but was expected to be 0077

References:
None

Vulnerability Solution:
To ensure complete access control over newly created files, set the umask value to 077 for root and other user accounts for both
interactive and non-interactive processes. The umask value for interactive processes is typically set in a shell configuration file such as
.login, .cshrc, .profile, .bashrc, .bash_profile, or others. For non-interactive processes, /etc/login.defs is a common location for
controlling umask on Linux systems. In both cases, you may need to consult your operating system's documentation for the correct
file(s) and settings.

3.2.222. World writable files exist (unix-world-writable-files)

Description:

World writable files were found on the system. A file that can be written by any user on the system could be a serious security flaw.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 The following world writable files were found.


/var/www/twiki/data/Sandbox/WebChanges.txt
/var/www/twiki/data/Sandbox/.mailnotify
/var/www/twiki/data/Sandbox/WebHome.txt
/var/www/twiki/data/Sandbox/WebNotify.txt
/var/www/twiki/data/Sandbox/WebTopicList.txt
/var/www/twiki/data/Sandbox/WebChanges.txt,v
/var/www/twiki/data/Sandbox/WebNotify.txt,v
/var/www/twiki/data/Sandbox/WebSearch.txt
/var/www/twiki/data/Sandbox/WebIndex.txt,v
/var/www/twiki/data/Sandbox/WebPreferences.txt
/var/www/twiki/data/Sandbox/WebHome.txt,v
/var/www/twiki/data/Sandbox/WebTopicList.txt,v
/var/www/twiki/data/Sandbox/WebSearch.txt,v
/var/www/twiki/data/Sandbox/WebStatistics.txt
/var/www/twiki/data/Sandbox/WebPreferences.txt,v
/var/www/twiki/data/Sandbox/.changes
/var/www/twiki/data/Sandbox/WebIndex.txt
/var/www/twiki/data/Sandbox/WebStatistics.txt,v

/var/www/twiki/data/Main/WebRss.txt
/var/www/twiki/data/Main/WebChanges.txt
/var/www/twiki/data/Main/AndreaSterbini.txt,v
/var/www/twiki/data/Main/NobodyGroup.txt
/var/www/twiki/data/Main/.mailnotify
/var/www/twiki/data/Main/AndreaSterbini.txt
/var/www/twiki/data/Main/LondonOffice.txt,v
/var/www/twiki/data/Main/FileAttachment.txt
/var/www/twiki/data/Main/TWikiVariables.txt
/var/www/twiki/data/Main/TWikiGuest.txt,v
/var/www/twiki/data/Main/WebHome.txt
/var/www/twiki/data/Main/NicholasLee.txt
/var/www/twiki/data/Main/SanJoseOffice.txt,v
/var/www/twiki/data/Main/WebNotify.txt
/var/www/twiki/data/Main/GrantBow.txt
/var/www/twiki/data/Main/WebTopicList.txt
/var/www/twiki/data/Main/OfficeLocations.txt,v
/var/www/twiki/data/Main/WebRss.txt,v
/var/www/twiki/data/Main/MikeMannix.txt,v
/var/www/twiki/data/Main/JohnTalintyre.txt
/var/www/twiki/data/Main/KevinKinnell.txt
/var/www/twiki/data/Main/OfficeLocations.txt
/var/www/twiki/data/Main/LondonOffice.txt
/var/www/twiki/data/Main/TWikiGroups.txt
/var/www/twiki/data/Main/PeterThoeny.txt
/var/www/twiki/data/Main/PeterThoeny.txt,v
/var/www/twiki/data/Main/WebChanges.txt,v
/var/www/twiki/data/Main/TokyoOffice.txt
/var/www/twiki/data/Main/WebNotify.txt,v
/var/www/twiki/data/Main/GrantBow.txt,v
/var/www/twiki/data/Main/WebSearch.txt
/var/www/twiki/data/Main/FileAttachment.txt,v
References:
None

Vulnerability Solution:
For each world-writable file, determine whether there is a good reason for it to be world writable. If not, remove world write permissions
for the file.

3.3. Moderate Vulnerabilities

3.3.1. Apache HTTPD: CRLF injection in mod_negotiation when untrusted uploads are supported (CVE-2008-0456)
(apache-httpd-cve-2008-0456)

Description:

The affected asset is vulnerable to this vulnerability ONLY if it is running one of the following modules: mod_negotiation. Review your
web server configuration for validation. Possible CRLF injection allowing HTTP response splitting attacks for sites which use
mod_negotiation and allow untrusted uploads to locations which have MultiViews enabled.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of product HTTPD found -- Apache HTTPD 2.2.8

References:

Source Reference

APPLE APPLE-SA-2009-05-12

BID 27409

CERT TA09-133A

CVE CVE-2008-0456

REDHAT RHSA-2013:0130

URL http://httpd.apache.org/security/vulnerabilities_22.html

XF 39893

Vulnerability Solution:
Apache HTTPD >= 2.2 and < 2.2.12
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.2.12.tar.gz
Many platforms and distributions provide pre-built binary packages for Apache HTTP server. These pre-built packages are usually
customized and optimized for a particular distribution, therefore we recommend that you use the packages if they are available for your
operating system.

3.3.2. ISC BIND: Cache Update From Additional Section (CVE-2009-4022) (dns-bind9-dnssec-cache-poisoning)

Description:

Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta
before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning
attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not
properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

192.168.0.102:53 Running DNS service
Product BIND exists -- BIND 9.4.2
Vulnerable version of product BIND found -- BIND 9.4.2

References:

Source Reference

APPLE APPLE-SA-2011-10-12-3

BID 37118

CERT-VN 418861

CVE CVE-2009-4022

OSVDB 60493

OVAL OVAL10821

OVAL OVAL11745

OVAL OVAL7261

OVAL OVAL7459

REDHAT RHSA-2009:1620

URL https://kb.isc.org/article/AA-00931/0

URL https://kb.isc.org/article/AA-00931/187/CVE-2009-4022%3A-BIND-9-Cache-Update-from-Additional-Section.html

XF 54416

Vulnerability Solution:
More information about upgrading your version of ISC BIND is available on the ISC website.

3.3.3. Oracle MySQL Vulnerability: CVE-2012-0114 (oracle-mysql-cve-2012-0114)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows local users to affect
confidentiality and integrity via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0114

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.3.4. PHP Vulnerability: CVE-2014-3981 (php-cve-2014-3981)

Description:

acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack
on the /tmp/phpglibccheck file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

APPLE APPLE-SA-2015-04-08-2

CVE CVE-2014-3981

Vulnerability Solution:
•Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
•Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/

3.3.5. USN-1077-1: FUSE vulnerabilities (ubuntu-usn-1077-1)

Description:

Certain legacy functionality in fusermount in fuse 2.8.5 and earlier, when util-linux does not support the --no-canonicalize option, allows
local users to bypass intended access restrictions and unmount arbitrary directories via a symlink attack.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu fuse-utils 2.7.2-1ubuntu2

References:

Source Reference

CVE CVE-2011-0541

CVE CVE-2011-0542

CVE CVE-2011-0543

USN USN-1077-1

Vulnerability Solution:
•fuse-utils on Ubuntu Linux 10.04
Upgrade fuse-utils for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 10.10
Upgrade fuse-utils for Ubuntu 10.10
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 8.04
Upgrade fuse-utils for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 9.10
Upgrade fuse-utils for Ubuntu 9.10
Use `apt-get upgrade` to upgrade fuse-utils to the latest version

3.3.6. USN-1283-1: APT vulnerability (ubuntu-usn-1283-1)

Description:

methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled,
which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apt 0.7.9ubuntu17

References:

Source Reference

CVE CVE-2011-3634

USN USN-1283-1

Vulnerability Solution:
•apt on Ubuntu Linux 10.04
Upgrade apt for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 10.10
Upgrade apt for Ubuntu 10.10
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 11.04
Upgrade apt for Ubuntu 11.04
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 8.04
Upgrade apt for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apt to the latest version

3.3.7. USN-1477-1: APT vulnerability (ubuntu-usn-1477-1)

Description:

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument
order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM)
attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apt 0.7.9ubuntu17

References:

Source Reference

BID 54046

CVE CVE-2012-0954

USN USN-1477-1

Vulnerability Solution:
•apt on Ubuntu Linux 10.04
Upgrade apt for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 11.04
Upgrade apt for Ubuntu 11.04
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 11.10
Upgrade apt for Ubuntu 11.10
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 12.04
Upgrade apt for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade apt to the latest version
•apt on Ubuntu Linux 8.04
Upgrade apt for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apt to the latest version

3.3.8. USN-1627-1: Apache HTTP Server vulnerabilities (ubuntu-usn-1627-1)

Description:

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data
without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP
headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an
unknown string in an HTTP header, aka a "CRIME" attack.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu apache2.2-common 2.2.8-1ubuntu0.15

References:

Source Reference

APPLE APPLE-SA-2013-06-04-1

APPLE APPLE-SA-2013-09-12-1

BID 55131

BID 55704

CVE CVE-2012-2687

CVE CVE-2012-4929

DEBIAN DSA-2579

DEBIAN DSA-2627

OVAL OVAL18832

OVAL OVAL18920

OVAL OVAL19539

REDHAT RHSA-2012:1591

REDHAT RHSA-2012:1592

REDHAT RHSA-2012:1594

REDHAT RHSA-2013:0130

REDHAT RHSA-2013:0587

USN USN-1627-1

Vulnerability Solution:
•apache2.2-common on Ubuntu Linux 10.04
Upgrade apache2.2-common for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 11.10
Upgrade apache2.2-common for Ubuntu 11.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 12.04
Upgrade apache2.2-common for Ubuntu 12.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 12.10
Upgrade apache2.2-common for Ubuntu 12.10
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version
•apache2.2-common on Ubuntu Linux 8.04
Upgrade apache2.2-common for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade apache2.2-common to the latest version

3.3.9. USN-892-1: FUSE vulnerability (ubuntu-usn-892-1)

Description:

fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local users to unmount an arbitrary FUSE filesystem share via a
symlink attack on a mountpoint.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu fuse-utils 2.7.2-1ubuntu2

References:

Source Reference

BID 37983

CVE CVE-2009-3297

CVE CVE-2010-0789

DEBIAN DSA-1989

USN USN-892-1

XF 55945

Vulnerability Solution:
•fuse-utils on Ubuntu Linux 8.04
Upgrade fuse-utils for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 8.10
Upgrade fuse-utils for Ubuntu 8.10
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 9.04
Upgrade fuse-utils for Ubuntu 9.04
Use `apt-get upgrade` to upgrade fuse-utils to the latest version
•fuse-utils on Ubuntu Linux 9.10
Upgrade fuse-utils for Ubuntu 9.10
Use `apt-get upgrade` to upgrade fuse-utils to the latest version

3.3.10. Oracle MySQL Vulnerability: CVE-2012-0075 (oracle-mysql-cve-2012-0075)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.0.x, 5.1.x, and 5.5.x allows remote authenticated users to
affect integrity via unknown vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

BID 51526

CVE CVE-2012-0075

OSVDB 78374

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72539

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.3.11. Oracle MySQL Vulnerability: CVE-2012-0492 (oracle-mysql-cve-2012-0492)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and
CVE-2012-0485.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

BID 51516

CVE CVE-2012-0492

OSVDB 78393

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72537

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.3.12. Oracle MySQL Vulnerability: CVE-2012-0493 (oracle-mysql-cve-2012-0493)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect
availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488,
CVE-2012-0489, CVE-2012-0491, and CVE-2012-0495.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0493

OSVDB 78394

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72538

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.3.13. Oracle MySQL Vulnerability: CVE-2012-0494 (oracle-mysql-cve-2012-0494)

Description:

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows local users to affect availability via unknown
vectors.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:3306 Running MySQL service
Product MySQL exists -- Oracle MySQL 5.0.51a
Vulnerable version of product MySQL found -- Oracle MySQL 5.0.51a

References:

Source Reference

CVE CVE-2012-0494

OSVDB 78375

URL http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

XF 72540

Vulnerability Solution:
•Oracle MySQL >= 5.0 and < 5.0.95
Upgrade to Oracle MySQL version 5.0.95
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.1 and < 5.1.61
Upgrade to Oracle MySQL version 5.1.61
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

•Oracle MySQL >= 5.5 and < 5.5.20
Upgrade to Oracle MySQL version 5.5.20
Download and apply the upgrade from: http://downloads.mysql.com/archives.php
Please note that individual platforms and OS distributions may provide their own means of upgrading MySQL (via an RPM, for
example). These supported upgrade methods should be used if available, instead of building the distribution from scratch.

3.3.14. PHP Vulnerability: CVE-2007-6039 (php-cve-2007-6039)

Description:

PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in (1) the
domain parameter to the dgettext function, the message parameter to the (2) dcgettext or (3) gettext function, the msgid1 parameter to
the (4) dngettext or (5) ngettext function, or (6) the classname parameter to the stream_wrapper_register function. NOTE: this might not
be a vulnerability in most web server environments that support multiple threads, unless this issue can be demonstrated for code
execution.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:80 Running HTTP service
Product HTTPD exists -- Apache HTTPD 2.2.8
Vulnerable version of component PHP found -- PHP 5.2.4-2ubuntu5.10

References:

Source Reference

BID 26426

BID 26428

CVE CVE-2007-6039

XF 38442

XF 38443

Vulnerability Solution:
Download and apply the upgrade from: http://museum.php.net/php5/php-5.2.6.tar.gz

3.3.15. Postfix vulnerability (CVE-2008-2937) (postfix-cve-2008-2937)

Description:

Postfix 2.5 before 2.5.4 and 2.6 before 2.6-20080814 delivers to a mailbox file even when this file is not owned by the recipient, which
allows local users to read e-mail messages by creating a mailbox file corresponding to another user's account name.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:25 Running SMTP service
Product Postfix exists -- Postfix 2.5.1
Vulnerable version of product Postfix found -- Postfix 2.5.1

References:

Source Reference

BID 30691

CVE CVE-2008-2937

REDHAT RHSA-2011:0422

SUSE SUSE-SA:2008:040

XF 44461

Vulnerability Solution:
For more information or to download Postfix updates, visit the Postfix website.

3.3.16. USN-1044-1: D-Bus vulnerability (ubuntu-usn-1044-1)

Description:

Stack consumption vulnerability in D-Bus (aka DBus) before 1.4.1 allows local users to cause a denial of service (daemon crash) via a
message containing many nested variants.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu libdbus-1-3 1.1.20-1ubuntu1

References:

Source Reference

BID 45377

CVE CVE-2010-4352

DEBIAN DSA-2149

USN USN-1044-1

Vulnerability Solution:
•libdbus-1-3 on Ubuntu Linux 10.04
Upgrade libdbus-1-3 for Ubuntu 10.04 LTS
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 10.10
Upgrade libdbus-1-3 for Ubuntu 10.10
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 8.04
Upgrade libdbus-1-3 for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version
•libdbus-1-3 on Ubuntu Linux 9.10
Upgrade libdbus-1-3 for Ubuntu 9.10
Use `apt-get upgrade` to upgrade libdbus-1-3 to the latest version

3.3.17. USN-642-1: Postfix vulnerability (ubuntu-usn-642-1)

Description:

Postfix 2.4 before 2.4.9, 2.5 before 2.5.5, and 2.6 before 2.6-20080902, when used with the Linux 2.6 kernel, leaks epoll file descriptors
during execution of "non-Postfix" commands, which allows local users to cause a denial of service (application slowdown or exit) via a
crafted command, as demonstrated by a command in a .forward file.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Vulnerable OS: Ubuntu Linux 8.04

Vulnerable software installed: Ubuntu postfix 2.5.1-2ubuntu1

References:

Source Reference

BID 30977

CVE CVE-2008-3889

USN USN-642-1

XF 44865

Vulnerability Solution:
•postfix on Ubuntu Linux 7.10
Upgrade postfix for Ubuntu 7.10
Use `apt-get upgrade` to upgrade postfix to the latest version
•postfix on Ubuntu Linux 8.04
Upgrade postfix for Ubuntu 8.04 LTS
Use `apt-get upgrade` to upgrade postfix to the latest version

3.3.18. Partition Mounting Weakness (unix-partition-mounting-weakness)

Description:

One or more of the system's partitions are mounted without certain hardening options enabled. While this is not a definite vulnerability
on its own, system security may be improved by employing hardening techniques.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 The following issues were discovered: /boot partition does not have 'nodev'
option set. /var/lib/nfs/rpc_pipefs partition does not have 'nodev' option set.

References:
None

Vulnerability Solution:
The specific way to modify the partition mount options varies from system to system. Consult your operating system's manual or mount
man page.

3.3.19. User home directory mode unsafe (unix-user-home-dir-mode)

Description:

A user's home directory was found to have a permissions mode more permissive than 750. Group or world writable user home directories mean
that a malicious user may gain complete access to the vulnerable user's data and privileges. The "read" and "execute" access for others
should also be disabled.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 The permissions for home directory of user msfadmin was found to be 755
instead of 750.

References:
None

Vulnerability Solution:
Restrict the user home directory mode to at most 750 using the command:
chmod 750 userDir

3.3.20. CIFS Share Readable By Everyone (cifs-share-world-readable)

Description:

A share was found which allows read access by anyone. The impact of this vulnerability depends on the contents of the share.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Successfully read share "tmp" and found the following files: #sqlfeb_1c_0.MYD,
#sqlfeb_1c_0.MYI, #sqlfeb_1c_0.frm, .ICE-unix, .X11-unix, .X0-lock, 4460.jsvc_up

References:
None

Vulnerability Solution:
Adjust the share permissions to restrict access to only those members of the organization who need the data. It is considered bad
practice to grant the "Everyone", "Guest", or "Authenticated Users" groups read or write access to a share.

3.3.21. DNS Traffic Amplification (dns-amplification)

Description:

A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of
publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic.

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use
publicly accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an
attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target's address. When
the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much
zone information as possible to maximize the amplification effect. In most attacks of this type observed by US-CERT, the spoofed
queries sent by the attacker are of the type, ANY, which returns all known information about a DNS zone in a single request. Because
the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the
victim. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic
with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent
these types of attacks. While the attacks are difficult to stop, network operators can apply several possible mitigation strategies.

While the most common form of this attack that US-CERT has observed involves DNS servers configured to allow unrestricted
recursive resolution for any client on the Internet, attacks can also involve authoritative name servers that do not provide recursive
resolution. The attack method is similar to open recursive resolvers, but is more difficult to mitigate since even a server configured with
best practices can still be used in an attack. In the case of authoritative servers, mitigation should focus on using Response Rate
Limiting to restrict the amount of traffic.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:53 Running DNS over UDP

References:

Source Reference

CERT TA13-088A

CERT TA14-017A

Vulnerability Solution:
DNS is often vital to the proper functioning of a network. Restrict access to the DNS service to only trusted assets.

3.3.22. FTP access with ftp account (ftp-generic-0001)

Description:
Many FTP servers support a default account with the user ID "ftp" and password "ftp". It is best practice to remove default accounts, if
possible. For accounts required by the system, the default password should be changed.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:21 Running FTP service
Successfully authenticated to the FTP service with credentials: uid[ftp] pw[ftp] realm[]

References:

Source Reference

CVE CVE-1999-0497

Vulnerability Solution:
Remove or disable the account if it is not critical for the system to function. Otherwise, the password should be changed to a
non-default value.

3.3.23. FTP access with anonymous account (ftp-generic-0002)

Description:
Many FTP servers support a default account with the user ID "anonymous" and password "ftp@". It is best practice to remove default
accounts, if possible. For accounts required by the system, the default password should be changed.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:21 Running FTP service
Successfully authenticated to the FTP service with credentials: uid[anonymous] pw[joe@] realm[]

References:

Source Reference

CVE CVE-1999-0497

Vulnerability Solution:
Remove or disable the account if it is not critical for the system to function. Otherwise, the password should be changed to a
non-default value.

3.3.24. ICMP timestamp response (generic-icmp-timestamp)

Description:

The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time.
This information could theoretically be used against some systems to exploit weak time-based random number generators in other
services.

In addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP
timestamp requests.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Able to determine remote system time.

References:

Source Reference

CVE CVE-1999-0524

OSVDB 95

XF 306

XF 322

Vulnerability Solution:
•HP-UX
Disable ICMP timestamp responses on HP/UX
Execute the following command:
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Cisco IOS
Disable ICMP timestamp responses on Cisco IOS
Use ACLs to block ICMP types 13 and 14. For example:
deny icmp any any 13
deny icmp any any 14
Note that it is generally preferable to use ACLs that block everything by default and then selectively allow certain types of traffic in. For
example, block everything and then only allow ICMP unreachable, ICMP echo reply, ICMP time exceeded, and ICMP source quench:
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any source-quench
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•SGI Irix
Disable ICMP timestamp responses on SGI Irix
IRIX does not offer a way to disable ICMP timestamp responses. Therefore, you should block ICMP on the affected host using ipfilterd,
and/or block it at any external firewalls.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Linux
Disable ICMP timestamp responses on Linux
Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to disable ICMP timestamp responses. Therefore, you should block ICMP
on the affected host using iptables, and/or block it at the firewall. For example:
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,
Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
Disable ICMP timestamp responses on Windows NT 4
Windows NT 4 does not provide a way to block ICMP packets. Therefore, you should block them at the firewall.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•OpenBSD
Disable ICMP timestamp responses on OpenBSD
Set the "net.inet.icmp.tstamprepl" sysctl variable to 0.
sysctl -w net.inet.icmp.tstamprepl=0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Cisco PIX
Disable ICMP timestamp responses on Cisco PIX
A properly configured PIX firewall should never respond to ICMP packets on its external interface. In PIX Software versions 4.1(6) until
5.2.1, ICMP traffic to the PIX's internal interface is permitted; the PIX cannot be configured to NOT respond. Beginning in PIX Software
version 5.2.1, ICMP is still permitted on the internal interface by default, but ICMP responses from its internal interfaces can be
disabled with the icmp command, as follows, where <inside> is the name of the internal interface:
icmp deny any 13 <inside>
icmp deny any 14 <inside>
Don't forget to save the configuration when you are finished.
See Cisco's support document Handling ICMP Pings with the PIX Firewall for more information.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Sun Solaris
Disable ICMP timestamp responses on Solaris
Execute the following commands:
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced
Server, Microsoft Windows 2000 Datacenter Server
Disable ICMP timestamp responses on Windows 2000
Use the IPSec filter feature to define and apply an IP filter list that blocks ICMP types 13 and 14. Note that the standard TCP/IP
blocking capability under the "Networking and Dialup Connections" control panel is NOT capable of blocking ICMP (only TCP and
UDP). The IPSec filter features, while they may seem strictly related to the IPSec standards, will allow you to selectively block these
ICMP packets. See http://support.microsoft.com/kb/313190 for more information.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).

•Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft
Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003,
Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003
Disable ICMP timestamp responses on Windows XP/2K3
ICMP timestamp responses can be disabled by deselecting the "allow incoming timestamp request" option in the ICMP configuration
panel of Windows Firewall.
1. Go to the Network Connections control panel.
2. Right click on the network adapter and select "properties", or select the internet adapter and select File->Properties.
3. Select the "Advanced" tab.
4. In the Windows Firewall box, select "Settings".
5. Select the "General" tab.
6. Enable the firewall by selecting the "on (recommended)" option.
7. Select the "Advanced" tab.
8. In the ICMP box, select "Settings".
9. Deselect (uncheck) the "Allow incoming timestamp request" option.
10. Select "OK" to exit the ICMP Settings dialog and save the settings.
11. Select "OK" to exit the Windows Firewall dialog and save the settings.
12. Select "OK" to exit the internet adapter dialog.
For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true

•Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft
Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition,
Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition,
Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition,
Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008
Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows
Essential Business Server 2008
Disable ICMP timestamp responses on Windows Vista/2008
ICMP timestamp responses can be disabled via the netsh command line utility.
1. Go to the Windows Control Panel.
2. Select "Windows Firewall".
3. In the Windows Firewall box, select "Change Settings".
4. Enable the firewall by selecting the "on (recommended)" option.
5. Open a Command Prompt.
6. Enter "netsh firewall set icmpsetting 13 disable"
For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true

•Disable ICMP timestamp responses
Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective
solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14
(timestamp response).

3.3.25. TCP timestamp response (generic-tcp-timestamp)

Description:

The remote host responded with a TCP timestamp. The TCP timestamp response can be used to approximate the remote host's
uptime, potentially aiding in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their
TCP timestamps.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Able to determine system boot time.

References:

Source Reference

URL http://uptime.netcraft.com

URL http://www.forensicswiki.org/wiki/TCP_timestamps

URL http://www.ietf.org/rfc/rfc1323.txt

Vulnerability Solution:
•Cisco
Disable TCP timestamp responses on Cisco
Run the following command to disable TCP timestamps:

no ip tcp timestamp

•FreeBSD
Disable TCP timestamp responses on FreeBSD
Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

sysctl -w net.inet.tcp.rfc1323=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.inet.tcp.rfc1323=0

•Linux
Disable TCP timestamp responses on Linux
Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:

sysctl -w net.ipv4.tcp_timestamps=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.ipv4.tcp_timestamps=0

•OpenBSD
Disable TCP timestamp responses on OpenBSD
Set the value of net.inet.tcp.rfc1323 to 0 by running the following command:

sysctl -w net.inet.tcp.rfc1323=0

Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:

net.inet.tcp.rfc1323=0

•Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,
Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition, Microsoft Windows 95,
Microsoft Windows 98, Microsoft Windows 98SE, Microsoft Windows ME, Microsoft Windows 2000, Microsoft Windows 2000
Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter
Server, Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows XP Tablet PC
Edition, Microsoft Windows CE, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft
Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web
Edition, Microsoft Windows Small Business Server 2003, Microsoft Windows Server 2003 R2, Microsoft Windows Server 2003 R2,
Standard Edition, Microsoft Windows Server 2003 R2, Enterprise Edition, Microsoft Windows Server 2003 R2, Datacenter Edition,
Microsoft Windows Server 2003 R2, Web Edition, Microsoft Windows Small Business Server 2003 R2, Microsoft Windows Server 2003
R2, Express Edition, Microsoft Windows Server 2003 R2, Workgroup Edition
Disable TCP timestamp responses on Windows versions before Vista
Set the Tcp1323Opts value in the following key to 1:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

•Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition,
Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008
Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows
Essential Business Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2008 R2, Standard Edition, Microsoft
Windows Server 2008 R2, Enterprise Edition, Microsoft Windows Server 2008 R2, Datacenter Edition, Microsoft Windows Server 2008
R2, Web Edition, Microsoft Windows Server 2012, Microsoft Windows Server 2012 Standard Edition, Microsoft Windows Server 2012
Foundation Edition, Microsoft Windows Server 2012 Essentials Edition, Microsoft Windows Server 2012 Datacenter Edition, Microsoft
Windows Storage Server 2012, Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista
Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft
Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft
Windows Vista Starter Edition, Microsoft Windows 7, Microsoft Windows 7 Home, Basic Edition, Microsoft Windows 7 Home, Basic N
Edition, Microsoft Windows 7 Home, Premium Edition, Microsoft Windows 7 Home, Premium N Edition, Microsoft Windows 7 Ultimate
Edition, Microsoft Windows 7 Ultimate N Edition, Microsoft Windows 7 Enterprise Edition, Microsoft Windows 7 Enterprise N Edition,
Microsoft Windows 7 Professional Edition, Microsoft Windows 7 Starter Edition, Microsoft Windows 7 Starter N Edition, Microsoft
Windows 8, Microsoft Windows 8 Enterprise Edition, Microsoft Windows 8 Professional Edition, Microsoft Windows 8 RT, Microsoft
Windows Longhorn Server Beta
Disable TCP timestamp responses on Windows versions since Vista
TCP timestamps cannot be reliably disabled on this OS. If TCP timestamps present enough of a risk, put a firewall capable of blocking
TCP timestamp packets in front of the affected assets.

3.3.26. NetBIOS NBSTAT Traffic Amplification (netbios-nbstat-amplification)

Description:

A NetBIOS NBSTAT query will obtain the status from a NetBIOS-speaking endpoint, which will include any names that the endpoint is
known to respond to as well as the device's MAC address for that endpoint. A NBSTAT response is roughly 3x the size of the request,
and because NetBIOS utilizes UDP, this can be used to conduct traffic amplification attacks against other assets, typically in the form of
distributed reflected denial of service (DRDoS) attacks.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:137 Running CIFS Name Service service
Configuration item advertised-name-count set to '5' matched

References:

Source Reference

CERT TA14-017A

Vulnerability Solution:
NetBIOS can be important to the proper functioning of a Windows network depending on the design. Restrict access to the NetBIOS
service to only trusted assets.

3.3.27. OpenSSH "X11UseLocalhost" X11 Forwarding Session Hijacking Vulnerability (ssh-openssh-x11uselocalhost-x11-forwarding-session-hijack)

Description:

OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which
allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX
platform.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102:22 OpenBSD OpenSSH 4.7p1 on Ubuntu Linux 8.04

References:

Source Reference

BID 30339

CVE CVE-2008-3259

XF 43940

Vulnerability Solution:
OpenBSD OpenSSH < 5.1
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.
These pre-built packages are usually customized and optimized for a particular distribution, therefore we recommend that you use the
packages if they are available for your operating system.

3.3.28. UDP IP ID Zero (udp-ipid-zero)

Description:

The remote host responded with a UDP packet whose IP ID was zero. Normally the IP ID should be set to a unique value and is used
in the reconstruction of fragmented packets. Generally this behavior is only seen with systems derived from a Linux kernel, which may
allow an attacker to fingerprint the target's operating system.

Affected Nodes:

Affected Nodes: Additional Information:

192.168.0.102 Received UDP packet with IP ID of zero:
IPv4 SRC[192.168.0.102] TGT[192.168.0.104]
TOS[0] TTL[64] Flags[40] Proto[17] ID[0] FragOff[0]
HDR-LENGTH[20] TOTAL-LENGTH[52] CKSUM[47258]
UDP SRC-PORT[40809] TGT-PORT[9720] CKSUM[38260]
RAW DATA [24]:
3EECE3CA000000010000000000000000 >............
0000000000000001 ........

References:
None

Vulnerability Solution:
Many vendors do not consider this to be a vulnerability, or a vulnerability worth fixing, so there are no vendor-provided solutions aside
from putting a firewall or other filtering device between the target and hostile attackers that is capable of randomizing IP IDs.

4. Discovered Services

4.1. <unknown>

4.1.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 1099 0

192.168.0.102 tcp 3632 0

192.168.0.102 tcp 6697 0

192.168.0.102 tcp 8787 0

192.168.0.102 tcp 37208 0

4.2. CIFS

4.2.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 139 4 •Samba 3.0.20-Debian

192.168.0.102 tcp 445 4 •Samba 3.0.20-Debian

4.3. CIFS Name Service

4.3.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 udp 137 1 •advertised-name-1: METASPLOITABLE (Computer Name)
•advertised-name-2: METASPLOITABLE (Logged-on User)
•advertised-name-3: METASPLOITABLE (File Server Service)
•advertised-name-4: WORKGROUP (Domain Name)
•advertised-name-5: WORKGROUP (Browser Service Elections)
•advertised-name-count: 5
•mac-address: 000000000000

4.4. DNS

4.4.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 udp 53 0 •BIND 9.4.2


•bind.version: 9.4.2

192.168.0.102 tcp 53 0 •BIND 9.4.2


•bind.version: 9.4.2

192.168.0.102 udp 53 2

192.168.0.102 tcp 53 1

192.168.0.102 udp 53 1

192.168.0.102 tcp 53 1

192.168.0.102 udp 53 1

192.168.0.102 tcp 53 1

192.168.0.102 udp 53 1

192.168.0.102 tcp 53 1

192.168.0.102 udp 53 1

192.168.0.102 tcp 53 1

192.168.0.102 udp 53 1

192.168.0.102 tcp 53 1

192.168.0.102 udp 53 1

192.168.0.102 tcp 53 1

4.5. FTP

4.5.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 21 2 •vsFTPd 2.3.4


•ftp.banner: 220 (vsFTPd 2.3.4)
•ftp.plaintext.authentication: true
•ftp.supports-starttls: false

4.6. FTPS

4.6.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 2121 0 •ftp.banner: 500 HELO not understood

4.7. HTTP

4.7.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 80 9 •Apache HTTPD 2.2.8
•DAV: 2
•PHP: 5.2.4-2ubuntu5.10
•http.banner: Apache/2.2.8 (Ubuntu) DAV/2
•http.banner.server: Apache/2.2.8 (Ubuntu) DAV/2
•http.banner.x-powered-by: PHP/5.2.4-2ubuntu5.10

192.168.0.102 tcp 8180 3 •Apache Tomcat
•Coyote: 1.1
•http.banner: Apache-Coyote/1.1
•http.banner.server: Apache-Coyote/1.1

4.8. MySQL

4.8.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 3306 8 •Oracle MySQL 5.0.51a


•auto_increment_increment: 1
•auto_increment_offset: 1
•automatic_sp_privileges: ON
•back_log: 50
•basedir: /usr/
•binlog_cache_size: 32768
•bulk_insert_buffer_size: 8388608
•character_set_client: latin1
•character_set_connection: latin1
•character_set_database: latin1
•character_set_filesystem: binary
•character_set_results:
•character_set_server: latin1
•character_set_system: utf8
•character_sets_dir: /usr/share/mysql/charsets/
•collation_connection: latin1_swedish_ci
•collation_database: latin1_swedish_ci
•collation_server: latin1_swedish_ci
•completion_type: 0
•concurrent_insert: 1
•connect_timeout: 5
•datadir: /var/lib/mysql/
•date_format: %Y-%m-%d
•datetime_format: %Y-%m-%d %H:%i:%s
•default_week_format: 0
•delay_key_write: ON
•delayed_insert_limit: 100
•delayed_insert_timeout: 300
•delayed_queue_size: 1000
•div_precision_increment: 4
•engine_condition_pushdown: OFF
•expire_logs_days: 10
•flush: OFF
•flush_time: 0
•ft_boolean_syntax: + -><()~*:""&|
•ft_max_word_len: 84
•ft_min_word_len: 4
•ft_query_expansion_limit: 20
•ft_stopword_file: (built-in)
•group_concat_max_len: 1024
•have_archive: YES
•have_bdb: NO
•have_blackhole_engine: YES
•have_compress: YES
•have_crypt: YES
•have_csv: YES
•have_dynamic_loading: YES
•have_example_engine: NO
•have_federated_engine: YES
•have_geometry: YES
•have_innodb: YES
•have_isam: NO
•have_merge_engine: YES
•have_ndbcluster: DISABLED
•have_openssl: YES
•have_query_cache: YES
•have_raid: NO
•have_rtree_keys: YES
•have_ssl: YES
•have_symlink: YES
•hostname: metasploitable
•init_connect:
•init_file:
•init_slave:
•innodb_additional_mem_pool_size: 1048576
•innodb_autoextend_increment: 8
•innodb_buffer_pool_awe_mem_mb: 0
•innodb_buffer_pool_size: 8388608
•innodb_checksums: ON
•innodb_commit_concurrency: 0
•innodb_concurrency_tickets: 500
•innodb_data_file_path: ibdata1:10M:autoextend
•innodb_data_home_dir:
•innodb_doublewrite: ON
•innodb_fast_shutdown: 1
•innodb_file_io_threads: 4
•innodb_file_per_table: OFF
•innodb_flush_log_at_trx_commit: 1
•innodb_flush_method:
•innodb_force_recovery: 0
•innodb_lock_wait_timeout: 50
•innodb_locks_unsafe_for_binlog: OFF
•innodb_log_arch_dir:
•innodb_log_archive: OFF
•innodb_log_buffer_size: 1048576
•innodb_log_file_size: 5242880
•innodb_log_files_in_group: 2
•innodb_log_group_home_dir: ./
•innodb_max_dirty_pages_pct: 90
•innodb_max_purge_lag: 0
•innodb_mirrored_log_groups: 1
•innodb_open_files: 300
•innodb_rollback_on_timeout: OFF
•innodb_support_xa: ON
•innodb_sync_spin_loops: 20
•innodb_table_locks: ON
•innodb_thread_concurrency: 8
•innodb_thread_sleep_delay: 10000
•interactive_timeout: 28800
•join_buffer_size: 131072
•keep_files_on_create: OFF
•key_buffer_size: 16777216
•key_cache_age_threshold: 300
•key_cache_block_size: 1024
•key_cache_division_limit: 100
•language: /usr/share/mysql/english/
•large_files_support: ON
•large_page_size: 0
•large_pages: OFF
•lc_time_names: en_US
•license: GPL
•local_infile: ON
•locked_in_memory: OFF
•log: OFF
•log_bin: OFF
•log_bin_trust_function_creators: OFF
•log_error:
•log_queries_not_using_indexes: OFF
•log_slave_updates: OFF
•log_slow_queries: OFF
•log_warnings: 1
•logging: disabled
•long_query_time: 10
•low_priority_updates: OFF
•lower_case_file_system: OFF
•lower_case_table_names: 0
•max_allowed_packet: 16776192
•max_binlog_cache_size: 4294967295
•max_binlog_size: 104857600
•max_connect_errors: 10
•max_connections: 100
•max_delayed_threads: 20
•max_error_count: 64
•max_heap_table_size: 16777216
•max_insert_delayed_threads: 20
•max_join_size: 18446744073709551615
•max_length_for_sort_data: 1024
•max_prepared_stmt_count: 16382
•max_relay_log_size: 0
•max_seeks_for_key: 4294967295
•max_sort_length: 1024
•max_sp_recursion_depth: 0
•max_tmp_tables: 32
•max_user_connections: 0
•max_write_lock_count: 4294967295
•multi_range_count: 256
•myisam_data_pointer_size: 6
•myisam_max_sort_file_size: 2147483647
•myisam_recover_options: OFF
•myisam_repair_threads: 1
•myisam_sort_buffer_size: 8388608
•myisam_stats_method: nulls_unequal
•ndb_autoincrement_prefetch_sz: 32
•ndb_cache_check_time: 0
•ndb_connectstring:
•ndb_force_send: ON
•ndb_use_exact_count: ON
•ndb_use_transactions: ON
•net_buffer_length: 16384
•net_read_timeout: 30
•net_retry_count: 10
•net_write_timeout: 60
•new: OFF
•old_passwords: OFF
•open_files_limit: 1024
•optimizer_prune_level: 1
•optimizer_search_depth: 62
•pid_file: /var/run/mysqld/mysqld.pid
•port: 3306
•preload_buffer_size: 32768
•profiling: OFF
•profiling_history_size: 15
•protocolVersion: 10
•protocol_version: 10
•query_alloc_block_size: 8192
•query_cache_limit: 1048576
•query_cache_min_res_unit: 4096
•query_cache_size: 16777216
•query_cache_type: ON
•query_cache_wlock_invalidate: OFF
•query_prealloc_size: 8192
•range_alloc_block_size: 2048
•read_buffer_size: 131072
•read_only: OFF
•read_rnd_buffer_size: 262144
•relay_log_purge: ON
•relay_log_space_limit: 0
•rpl_recovery_rank: 0
•secure_auth: OFF
•secure_file_priv:
•server_id: 0
•skip_external_locking: ON
•skip_networking: OFF
•skip_show_database: OFF
•slave_compressed_protocol: OFF
•slave_load_tmpdir: /tmp/
•slave_net_timeout: 3600
•slave_skip_errors: OFF
•slave_transaction_retries: 10
•slow_launch_time: 2
•socket: /var/run/mysqld/mysqld.sock
•sort_buffer_size: 2097144
•sql_big_selects: ON
•sql_mode: STRICT_TRANS_TABLES
•sql_notes: ON
•sql_warnings: OFF
•ssl_ca: /etc/mysql/cacert.pem
•ssl_capath:
•ssl_cert: /etc/mysql/server-cert.pem
•ssl_cipher:
•ssl_key: /etc/mysql/server-key.pem
•storage_engine: MyISAM
•sync_binlog: 0
•sync_frm: ON
•system_time_zone: EDT
•table_cache: 64
•table_lock_wait_timeout: 50
•table_type: MyISAM
•thread_cache_size: 8
•thread_stack: 131072
•time_format: %H:%i:%s
•time_zone: SYSTEM
•timed_mutexes: OFF
•tmp_table_size: 33554432
•tmpdir: /tmp
•transaction_alloc_block_size: 8192
•transaction_prealloc_size: 4096
•tx_isolation: REPEATABLE-READ
•updatable_views_with_limit: YES
•version: 5.0.51a-3ubuntu5
•version_comment: (Ubuntu)
•version_compile_machine: i486
•version_compile_os: debian-linux-gnu
•wait_timeout: 28800

4.9. NFS

4.9.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 udp 2049 0 •program-number: 100003


•program-version: 4

192.168.0.102 tcp 2049 0 •program-number: 100003


•program-version: 4

4.10. NFS lockd

4.10.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 37506 0 •program-number: 100021


•program-version: 4

192.168.0.102 udp 56422 0 •program-number: 100021


•program-version: 4

4.11. Postgres

4.11.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 5432 0

4.12. Remote Execution

4.12.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 512 1

4.13. Remote Login

4.13.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 513 1

4.14. Remote Shell

4.14.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 514 1

4.15. SMTP

4.15.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 25 1 •Postfix 2.5.1


•advertised-esmtp-extension-count: 8
•advertises-esmtp: TRUE
•max-message-size: 10240000
•smtp.plaintext.authentication: false
•supports-8bitmime: TRUE
•supports-debug: FALSE
•supports-dsn: TRUE
•supports-enhancedstatuscodes: TRUE
•supports-etrn: TRUE
•supports-expand: FALSE
•supports-pipelining: TRUE
•supports-size: TRUE
•supports-starttls: TRUE
•supports-turn: FALSE
•supports-verify: FALSE
•supports-vrfy: TRUE

4.16. SSH

4.16.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 22 2 •OpenBSD OpenSSH 4.7p1
•ssh.banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
•ssh.protocol.version: 2.0
•ssh.rsa.pubkey.fingerprint: 5656240F211DDEA72BAE61B1243DE8F3

4.17. Shell Backdoor

4.17.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 1524 1 •system: unix


•unix.shell: bash

4.18. Telnet

4.18.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 23 1

4.19. VNC

4.19.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 5900 2 •protocol-version: 3.3


•supported-auth-1: VNC Authentication
•supported-auth-count: 1

4.20. XWindows

4.20.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 6000 0

4.21. ajp13 (Apache JServ Protocol 1.3)

4.21.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 8009 0

4.22. irc (Internet Relay Chat)

4.22.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 tcp 6667 0

4.23. mountd

4.23.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 udp 34478 1 •program-number: 100005


•program-version: 3

192.168.0.102 tcp 39883 1 •program-number: 100005
•program-version: 3

4.24. portmapper

4.24.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 udp 111 0 •program-number: 100000


•program-version: 2

192.168.0.102 tcp 111 0 •program-number: 100000


•program-version: 2

4.25. status

4.25.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities Additional Information

192.168.0.102 udp 40809 0 •program-number: 100024


•program-version: 1

192.168.0.102 tcp 58715 0 •program-number: 100024


•program-version: 1

5. Discovered Users and Groups

5.1. System

5.1.1. 192.168.0.102

Account Name Type Additional Information

AnonymousLogon Group •comment: AnonymousLogon


•group-id: 7

Authenticated Users Group •comment: Authenticated Users


•group-id: 11

Batch Group •comment: Batch


•group-id: 3

Creator Group Group •comment: Creator Group


•group-id: 1

Creator Owner Group •comment: Creator Owner

Dialup Group •comment: Dialup


•group-id: 1

Everyone Group •comment: Everyone

Interactive Group •comment: Interactive


•group-id: 4

Local Service Group •comment: Local Service


•group-id: 19

Network Group •comment: Network


•group-id: 2

Network Service Group •comment: Network Service


•group-id: 20

Proxy Group •comment: Proxy


•group-id: 8

Remote Interactive Logon Group •comment: Remote Interactive Logon


•group-id: 14

Restricted Group •comment: Restricted


•group-id: 12

SYSTEM Group •comment: SYSTEM
•group-id: 18

Self Group •comment: Self
•group-id: 10

ServerLogon Group •comment: ServerLogon


•group-id: 9

Service Group •comment: Service


•group-id: 6

Terminal Server User Group •comment: Terminal Server User


•group-id: 13

This Organization Group •comment: This Organization


•group-id: 15

adm Group •group-id: 4

admin Group •group-id: 112

audio Group •group-id: 29

backup Group •group-id: 34

bin User •gid: 2


•loginShell: /bin/sh
•password: x
•user-id: 2
•userDir: /bin

bind User •gid: 113


•loginShell: /bin/false
•password: x
•user-id: 105
•userDir: /var/cache/bind

cdrom Group •group-id: 24

crontab Group •group-id: 108

daemon User •comment:


•user-id: 1002

dhcp User •gid: 102


•loginShell: /bin/false
•password: x
•user-id: 101
•userDir: /nonexistent

dialout Group •group-id: 20

dip Group •group-id: 30

disk Group •group-id: 6

distccd User •gid: 65534


•loginShell: /bin/false
•password: x
•user-id: 111
•userDir: /

fax Group •group-id: 21

floppy Group •group-id: 25

ftp User •comment:


•user-id: 1214

fuse Group •group-id: 107

games User •comment:


•user-id: 1010

gnats User •comment:


•full-name: Gnats Bug-Reporting System (admin)
•user-id: 1082

irc Group •group-id: 39

klog Group •group-id: 104

kmem Group •group-id: 15

libuuid User •gid: 101


•loginShell: /bin/sh
•password: x
•user-id: 100
•userDir: /var/lib/libuuid

list User •full-name: Mailing List Manager


•gid: 38
•loginShell: /bin/sh
•password: x
•user-id: 38
•userDir: /var/list

lp Group •group-id: 7

lpadmin Group •group-id: 111

mail User •gid: 8


•loginShell: /bin/sh
•password: x
•user-id: 8
•userDir: /var/mail

man Group •group-id: 12

mlocate Group •group-id: 109

msfadmin User •comment:


•full-name: msfadmin,,,
•user-id: 3000

mysql User •full-name: MySQL Server,,,


•gid: 118
•loginShell: /bin/false
•password: x
•user-id: 109
•userDir: /var/lib/mysql

news User •comment:


•user-id: 1018

nobody User •gid: 65534


•loginShell: /bin/sh
•password: x
•user-id: 65534
•userDir: /nonexistent

nogroup Group •group-id: 65534

nvram Group •group-id: 106

operator Group •group-id: 37

plugdev Group •group-id: 46

postdrop Group •group-id: 116

postfix User •comment:


•user-id: 1212

postgres User •full-name: PostgreSQL administrator,,,


•gid: 117
•loginShell: /bin/bash
•password: x
•user-id: 108

•userDir: /var/lib/postgresql

proftpd User •comment:


•user-id: 1226

proxy User •comment:


•user-id: 1026

root User •gid: 0


•loginShell: /bin/bash
•password: x
•userDir: /root

sambashare Group •group-id: 119

sasl Group •group-id: 45

scanner Group •group-id: 105

service User •full-name: ,,,


•gid: 1002
•loginShell: /bin/bash
•password: x
•user-id: 1002
•userDir: /home/service

shadow Group •group-id: 42

snmp User •gid: 65534


•loginShell: /bin/false
•password: x
•user-id: 115
•userDir: /var/lib/snmp

src Group •group-id: 40

ssh Group •group-id: 110

sshd User •gid: 65534


•loginShell: /usr/sbin/nologin
•password: x
•user-id: 104
•userDir: /var/run/sshd

ssl-cert Group •group-id: 114

staff Group •group-id: 50

statd User •gid: 65534

•loginShell: /bin/false
•password: x
•user-id: 114
•userDir: /var/lib/nfs

sudo Group •group-id: 27

sync User •comment:


•user-id: 1008

sys Group •group-id: 3

syslog User •comment:


•user-id: 1204

tape Group •group-id: 26

telnetd Group •group-id: 120

tomcat55 User •gid: 65534


•loginShell: /bin/false
•password: x
•user-id: 110
•userDir: /usr/share/tomcat5.5

tty Group •group-id: 5

user User •comment:


•full-name: just a user,111,,
•user-id: 3002

users Group •group-id: 100

utmp Group •group-id: 43

uucp Group •group-id: 10

video Group •group-id: 44

voice Group •group-id: 22

www-data Group •group-id: 33

5.2. MySQL

5.2.1. 192.168.0.102

Account Name Type Additional Information

debian-sys-maint User

guest User

root User

6. Discovered Databases

6.1. MySQL

6.1.1. 192.168.0.102
•dvwa
•information_schema
•metasploit
•mysql
•owasp10
•tikiwiki
•tikiwiki195

7. Discovered Files and Directories

7.1. 192.168.0.102

File/Directory Name Type Properties

opt Directory •comment:


•mount-point: C:\tmp

print$ Directory •comment: Printer Drivers


•mount-point: C:\var\lib\samba\printers

tmp Directory •comment: oh noes!


•mount-point: C:\tmp

8. Policy Evaluations
No policy evaluations were performed.

9. Spidered Web Sites


No web sites were spidered during the scan.
