INTRODUCTION
Advanced Research Corporation ® was tasked to perform a Security Auditor's Research Assistant (SARA) security scan on hosts on the sara-data sub-nets. The SARA scan was performed to identify potential security vulnerabilities in the sara-data sub-domain. The SARA scan was completed on 2002/05/10 and its scan mode was set to extreme. The version of SARA used was Version 3.5.6b.
DISCUSSION
SARA is a third generation security analysis tool that analyzes network-based services on the target computers. SARA classifies a detected service in one of five categories:
A total of 3 devices were detected, of which 2 are possibly vulnerable. Figure 1 summarizes this scan by color: the Green bar indicates hosts with no detected vulnerabilities; Grey indicates hosts with no services; the Red bar indicates hosts that have one or more red vulnerabilities; the Yellow bar indicates hosts that have one or more yellow vulnerabilities (but no red); and the Brown bar indicates hosts that have one or more brown problems (but no red or yellow).
Color | Hosts |
Green | 1 |
Grey | 0 |
Red | 2 |
Yellow | 0 |
Brown | 0 |
Figure 1 Host Summary by Color
The SARA scan results are distributed as three appendices to this paper:
Appendices are hyperlinked to assist the reader in navigating through this report. The report includes information on all non-Windows hosts that have one or more vulnerabilities. In addition, Windows hosts that have Red and/or Yellow vulnerabilities are also included.
RECOMMENDATION
The identified hosts should be analyzed immediately.
Host Name | IP Address | Host Type | Green | Red | Yellow | Brown | FP |
fujitsu | 127.0.0.1 | unknown type | 0 |
Host Name | IP Address | Host Type | Green | Red | Yellow | Brown | FP |
192.168.1.1 | 192.168.1.1 | Windows | 0 |
IIS:
Microsoft placed a password backdoor in their IIS 4 and IIS 5 products. Knowledge of the password can give a user access to certain Web administrator operations.
WebSite Pro:
BEA Weblogic:
Apache:
IIS:
Microsoft installed a password backdoor in IIS 4.0 and IIS 5.0 servers through which they could access and control Web servers.
Netscape:
BEA Weblogic:
Apache:
IIS:
On 10 April 2002, Microsoft released 10 advisories on various vulnerabilities with IIS 4.0, 5.0, and 5.1. Refer to Microsoft Technet Bulletin MS02-018.
Reference: www.securityfocus.com/bid/2674
As of 15 May 2001, Microsoft has not issued an advisory on the password backdoor. However, various CERTs have stated that Microsoft recommends deleting the dvwssr.dll file in any of the FrontPage directories.
Netscape:
Reference: X-Force advisory 39
WebSite Pro:
Reference: CIS advisories
BEA Weblogic:
Reference: www.securityfocus.com/bid/1570
Apache:
Reference: www.securityfocus.com/bid/1728
sgi_fam: A Silicon Graphics daemon, implemented as an RPC server, that tracks changes to the filesystem under the IRIX operating system.
The vulnerability can be exploited remotely by using carefully crafted RPC packets that are sent to the fam daemon. It can lead to unauthorized access to the names of files and directories on an IRIX system.
The sgi_fam daemon on IRIX 5.x and 6.x systems can be compromised, which can reveal the names of files and directories on the system. Apparently, the contents of the files cannot be read or modified. SGI is currently working on a solution. IRIX 6.5.8 and above will not be affected.
Many versions of the sendmail program and other mail transport agents (MTAs) do not provide sufficient safeguards against malicious users sending spam mail through a third party computer. Further, the spam mail will often have a forged source address.
Until 1999, most implementations of sendmail and its clones provided little checking of source and destination addresses. For example, a user on host A could use the sendmail on host B to send mail to a user on host C with a source email address from host D. In other words, a hacker on foo.bar.com could use the sendmail at host1.swipnet.se to send a message to 5,000 users with the source address of [email protected].
Similar problems have been detected with Microsoft Mail and Microsoft Exchange products. However, older Microsoft products report a relay operation when none occurred (false positive).
Some MTAs may time out during SARA testing. In these cases, the MTA must be exercised manually to determine if it is a relay.
Vendor and Web server patches and workarounds to protect against this vulnerability are available. If your vendor does not have an upgrade, obtain a current version of sendmail from sendmail.org. In addition, sendmail.org has an excellent tutorial on the subject.
This document will summarize vulnerabilities in the ssh cryptographic login program. These vulnerabilities enable a malicious user to access a remote host without proper authorization. Numerous flaws have been uncovered in the implementation of the SSH protocol.
In addition, many SSH version 2 implementations that are configured for version 1 fallback are vulnerable to the CRC32 exploit.
Resolutions
Vendors recommend upgrading to SSH version 2 protocol products. Most of these exploits do not exist in the newer version 2. However, be sure that the version 2 implementation does not support version 1 fallback, or confirm that it has been patched for fallback.