Transcription

Information Security Vulnerability Assessment ProgramNetwork Vulnerability AssessmentConducted by:Information Systems Security and Compliance (aka “ISS/C”)Jeff HollandNorthwestern UniversityIP scan originated from: 192.168.127.128Conducted for:School of Egyptology (aka “Client”)Northwestern UniversityEvanston, ILDate Conducted:3/16/07Focus of Assessment:A network-based assessment of the devices noted below. There were no Googlehacking, password cracking, firewall analysis, social engineering or policy reviewsconducted (per the agreement with the Client.Server1: Apache Web ApplianceHostname: apache applianceIP: 192.168.127.129Server2: Solaris Web/App ServerHostname: unknownIP: 192.168.127.130Compliance Requirements (i.e. HIPAA, etc):None

Information Security Vulnerability Assessment Program1 Table of Contents1234567891011121314151617Table of Contents. 2Executive Summary . 3Findings and Recommendations . 5Network Profile Template. 9Server 1 Information . 10Server 2 Information . 13Appendix – Tools Outputs . 16192.168.127.129. 16192.168.127.130. 20Vulnerability Exploitation / Penetration Testing . 32Google Hacking . 33Firewall Analysis Template . 34Social Engineering Target Template . 35Social Engineering Telephone Attack Template . 35Social Engineering E-mail Attack Template . 35Password Cracking Template . 36Security Policy Review. 37

Information Security Vulnerability Assessment Program2 Executive SummaryThe following report details the findings from the security assessment performed byISS/C for the Client. The assessment included the following activities as outlined in theVulnerability Assessment Profiles section of the Assessment Program document. Vulnerability AssessmentPositive FindingsThe following are some positives findings from the assessment, outlining what securitycontrols already in place are helping to secure you environment. There were relatively few security vulnerabilities, with only one being “High”.The “High” vulnerability (remote Telnet vulnerability on Server 2), whilesignificant and require immediate attention, is easily fixed by applying the properpatch as noted in the recommendations. The Client technical personnel were responsive and helpful during and after theassessment regarding questions and the discussion of the results of the scan.Deficiencies NotedThe following findings were noted during the assessment. Server 1:There were Cross Site Tracing vulnerabilities ono192.168.127.129 for ports 80 and 443.There were “Low” vulnerabilities and should be fixed withino24 weeks Server 2:oThere were Cross Site Tracing vulnerabilities on192.168.127.129 for ports 80 and 443.oThere was a Telnet remote access vulnerability on port 23 thatwas a “High” vulnerability. This should be fixed within 1 week.Overall Summary:

Information Security Vulnerability Assessment ProgramThe assessment uncovered several deficiencies (one of which is of High criticality) in thesecurity of the network that requires attention, but overall reflects the relatively securenature of the network. In terms of a numerical score, based upon the experience of ISS/C,the Client would receive a score of 8 out of 10 (10 being the highest) in terms of security.

Information Security Vulnerability Assessment Program3 Findings and RecommendationsThe following findings and recommendations are made per the output from the Nessusscan. Note that each device below (servers, in this case) has a synopsis and a solution forthe issue. Any additional recommendations beyond what any scanning tools supply areincluded as necessary.Note that the assessment agreement between the Client and ISS/C, the Client isresponsible for fixing the issues themselves and following up with ISS/C in a timelymanner when they have been addressed. ISS/C will be available for consultation on anyof the recommendations as defined in the agreement.For the findings, note the following: “Information found” maps to “Low” vulnerabilities“Warning found” maps to “Medium” vulnerabilities“Vulnerability found” maps to “High” vulnerabilitiesThere is no mapping within Nessus for “Critical” vulnerabilities. These aremapped in a manual process as outlined in the Vulnerability Assessment Programdocument.“Banners” refer to information that is advertised by a computer process or serviceand allows a person to software tool to query the information. Knowing thisinformation can help ascertain which vulnerabilities a host might be subject to.Also, note that these banners are also subject to falsification, so relying on themsolely is not advised.“Concern or Vulnerability” refers to the deficiency found during the assessment.If the item is of “High” criticality, it is a vulnerability. If it of “Low” or“Medium” criticality, it is a concern.Server 1Information found on port https (443/tcp)Synopsis :Debugging functions are enabled on the remote HTTP server.Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE andTRACK are HTTP methods which are used to debug web server connections.It has been shown that servers supporting this method are subject to cross-site-scriptingattacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with variousweaknesses in browsers.An attacker may use this flaw to trick your legitimate web users to give him their credentials.

Information Security Vulnerability Assessment ProgramSolution :Disable these methods.See also :http://www.kb.cert.org/vuls/id/867593Risk factor :Low / CVSS Base Score : 2(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)SolutionAdd the following lines for each virtual host in your configuration file :RewriteEngine onRewriteCond %{REQUEST METHOD} (TRACE TRACK)RewriteRule .* - [F]Information found on port http (80/tcp)Synopsis :Debugging functions are enabled on the remote HTTP server.Description :The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK areHTTP methods which are used to debug web server connections.It has been shown that servers supporting this method are subject tocross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunctionwith various weaknesses in browsers. An attacker may use this flaw to trick your legitimateweb users to give him their credentials.Solution :Disable these methods.See also :http://www.kb.cert.org/vuls/id/867593Risk factor :Low / CVSS Base Score : 2(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)Solution :Add the following lines for each virtual host in your configuration file :RewriteEngine onRewriteCond %{REQUEST METHOD} (TRACE TRACK)RewriteRule .* - [F]

Information Security Vulnerability Assessment ProgramServer 2Information found on port https (443/tcp)Synopsis :Debugging functions are enabled on the remote HTTP server.Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE andTRACK are HTTP methods which are used to debug web server connections.It has been shown that servers supporting this method are subject to cross-site-scriptingattacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with variousweaknesses in browsers.An attacker may use this flaw to trick your legitimate web users to give him their credentials.Solution :Disable these methods.See also :http://www.kb.cert.org/vuls/id/867593Risk factor :Low / CVSS Base Score : 2(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)SolutionAdd the following lines for each virtual host in your configuration file :RewriteEngine onRewriteCond %{REQUEST METHOD} (TRACE TRACK)RewriteRule .* - [F]Information found on port http (80/tcp)Synopsis :Debugging functions are enabled on the remote HTTP server.Description :The remote webserver supports the TRACE and/or TRACK methods. TRACE andTRACK are HTTP methods which are used to debug web server connections.It has been shown that servers supporting this method are subject tocross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunctionwith various weaknesses in browsers.An attacker may use this flaw to trick your legitimate web users to give him their credentials.Solution :Disable these methods.

Information Security Vulnerability Assessment ProgramSee also :http://www.kb.cert.org/vuls/id/867593Risk factor :Low / CVSS Base Score : 2(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)Solution :Add the following lines for each virtual host in your configuration file :RewriteEngine onRewriteCond %{REQUEST METHOD} (TRACE TRACK)RewriteRule .* - [F]Vulnerability found on port telnet (23/tcp)Synopsis :It is possible to log into the remote system using telnet withoutsupplying any credentialsDescription :The remote version of telnet does not sanitize the user-supplied'USER' environement variable. By supplying a specially malformedUSER environment variable, an attacker may force the remotetelnet server to believe that the user has already authenticated.For instance, the following command :telnet -l '-fbin' 192.168.127.130Will result in obtaining a shell with the privileges of the 'bin'user.Solution :Install patches 120068-02 (sparc) or 120069-02 (i386)which are available from Sun.Filter incoming to this port or disable the telnet serviceand use SSH instead, or use inetadm to mitigate this

Information Security Vulnerability Assessment Programproblem (see the link below).See also d 2220Risk factor :Critical / CVSS Base Score : 10(AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)CVE : CVE-2007-0882BID : 22512Nessus ID : 243234 Network ProfileIP address test was conducted from192.168.127.128IP ranges to be tested and details of these ranges192.168.127.129192.168.127.130Apache Web Server ApplianceSolaris Web Server (Solaris 10)Domain information and configurationsZone Transfer Highlights

Information Security Vulnerability Assessment Programn/aSERVER LISTIP Address192.168.127.129192.168.127.130Domain Name(s)Operating SystemLinux (rpath)Solaris 105 Server 1 InformationIP Address192.168.127.129Domain NameServiceo norton-av-for-gateways-web-interfaceo terabaseo ssho httpso nfso shoutcasto sunrpco httpo ftpo fcp-udpo 8003/tcp)(4000/tcp)(22/tcp)(443/tcp) (Security notes found)(2049/tcp)(8004/tcp)(111/tcp)(80/tcp) (Security notes found)(21/tcp)(810/tcp)(776/tcp)BannerTRACE /Nessus240472754.html HTTP/1.1Connection: CloseHost: apache appliancePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0)Accept: image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, image/png, */*Accept-Language: enAccept-Charset: iso-8859-1,*,utf-8

Information Security Vulnerability Assessment Program80TCPTRACE /Nessus240472754.html HTTP/1.1Connection: CloseHost: apache appliancePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0)Accept: image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, image/png, */*Accept-Language: enAccept-Charset: iso-8859-1,*,utf-8CONCERNS AND VULNERABILITIES:Concern or VulnerabilityInformation found on port https (443/tcp)Synopsis :Debugging functions are enabled on the remote HTTP server.Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE andTRACK are HTTP methods which are used to debug web server connections.It has been shown that servers supporting this method are subject tocross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", whenused in conjunction with various weaknesses in browsers.An attacker may use this flaw to trick your legitimate web users to givehim their credentials.SolutionSolution :Disable these methods.See also :http://www.kb.cert.org/vuls/id/867593Risk factor :Low / CVSS Base Score : 2(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)SolutionAdd the following lines for each virtual host in your configuration file :RewriteEngine on

Information Security Vulnerability Assessment ProgramRewriteCond %{REQUEST METHOD} (TRACE TRACK)RewriteRule .* - [F]Information found on port http (80/tcp)Synopsis :Debugging functions are enabled on the remote HTTP server.Description :The remote webserver supports the TRACE and/or TRACK methods. TRACE andTRACKare HTTP methods which are used to debug web server connections.It has been shown that servers supporting this method are subject tocross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", whenused in conjunction with various weaknesses in browsers.An attacker may use this flaw to trick your legitimate web users to givehim their credentials.SolutionSolution :Disable these methods.See also :http://www.kb.cert.org/vuls/id/867593Risk factor :Low / CVSS Base Score