
                Network Security Analysis Tool

              Vulnerability Advisories (Summary)

                         (c) Mixter

NSAT scans for the following remote services, which may
represent security holes. If you identify one of the described
vulnerabilities, apply the fix described in this paper.

TCPMUX: This is an internal service enabled on many IRIX systems.
VULN: Your box can easily be identified as IRIX. No known vulnerabilities.
RISK: LOW
FIX: Disable the tcpmux service in inetd.conf and restart inetd.

ECHO: This is an internal service for test purposes.
VULN: The service can be used to multiply Denial Of Service attacks.
RISK: LOW
FIX: Disable the echo service in inetd.conf and restart inetd.

NETSTAT: This service shows your current local connections.
VULN: Sensitive network information can be retrieved.
RISK: MEDIUM
FIX: Disable the netstat service in inetd.conf and restart inetd.

CHARGEN: This is an internal service for test purposes.
VULN: The service can be used to multiply Denial Of Service attacks.
RISK: LOW
FIX: Disable the chargen service in inetd.conf and restart inetd.
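The fix for the four entries above is the same edit to inetd.conf. The script below is an added example, not code from NSAT or this advisory: it lists the enabled services that appear on the disable list (finger, which the FINGER entry treats the same way, is included) and writes a hardened copy of the file with those lines commented out. The sample inetd.conf and the temp-file paths are constructed for the demonstration; on a real host point the functions at /etc/inetd.conf and restart inetd afterwards.

```sh
#!/bin/sh
# Added example, not part of the NSAT advisory: audit an inetd.conf for the
# chatter services the advisory says to disable (tcpmux, echo, netstat,
# chargen; finger is in the list too) and emit a copy with them commented out.
# All file paths below are constructed for the demo; on a real host point the
# functions at /etc/inetd.conf and restart inetd afterwards.

# Services the advisory recommends switching off in inetd.conf.
INETD_DISABLE="tcpmux echo netstat chargen finger"

# Print the service names that are still enabled (uncommented) in FILE.
# inetd.conf fields: service socket-type proto wait/nowait user server [args]
list_enabled_inetd_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# Print the enabled services of FILE that appear in INETD_DISABLE.
find_risky_inetd_services() {
    for svc in $INETD_DISABLE; do
        list_enabled_inetd_services "$1" | grep -qx "$svc" && echo "$svc"
    done
    return 0
}

# Write a hardened copy of FILE to stdout: each enabled line whose service is
# in INETD_DISABLE is commented out, every other line passes through unchanged.
harden_inetd_conf() {
    awk -v disable="$INETD_DISABLE" '
        BEGIN { n = split(disable, d, " "); for (i = 1; i <= n; i++) off[d[i]] = 1 }
        $1 !~ /^#/ && ($1 in off) { print "#" $0 "   # disabled by audit"; next }
        { print }
    ' "$1"
}

# Constructed sample inetd.conf (not taken from any real host).
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# /etc/inetd.conf (constructed sample)
echo    stream  tcp     nowait  root    internal
#echo   dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample_inetd_conf "$sample"
echo "Enabled services the advisory says to disable:"
find_risky_inetd_services "$sample"
echo "--- hardened copy ---"
harden_inetd_conf "$sample"
rm -f "$sample"
```

The hardened copy is written to stdout so it can be reviewed before replacing the live file; commented-out lines keep their original text, so a service can be re-enabled by removing the leading "#".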

FTP: The FTP server is used to transfer files.
VULN: ProFTP, Wu-FTP, Serv-U and possibly other servers are vulnerable
      to buffer overflows that can lead to root compromise.
RISK: VERY HIGH
FIX: Upgrade to the latest secure version available.
VULN: Writable directories can be used for buffer overflows, and to
      store dangerous or unwanted files.
RISK: MEDIUM
FIX: Disable anonymous access in ftp.conf and/or fix the file permissions.
VULN: Uses insecure plaintext password authentication.
RISK: LOW
FIX: If needed, use ssh/sftp for ftp sessions.

SSH: SecureShell Daemon for secure authentication and encrypted sessions.
VULN: Some versions are vulnerable to a race condition DoS and a remote
      buffer overflow exploit.
RISK: HIGH
FIX: Upgrade to version 1.2.28, ssh2, or higher. Don't use RSAREF.

TELNET: The Telnet Daemon enables users to log in to remote machines.
VULN: Uses insecure plaintext password authentication.
RISK: LOW
FIX: Consider disabling telnetd and use sshd instead.
VULN: Vulnerable to brute-force password guessing,
      vulnerable to DoS (Solaris 2.x).
RISK: MEDIUM
FIX: Use a tcp wrapper and compile a hosts.allow and hosts.deny file.

SENDMAIL/SMTP: The Sendmail Daemon handles electronic mail distribution.
VULN: By using the EXPN/VRFY commands, one can obtain private information
      and details of the network topology.
RISK: LOW
FIX: Edit sendmail.cf (e.g. set PrivacyOptions to 'goaway')
VULN: Your server can be used to send huge amounts of fake mail and spam.
RISK: HIGH
FIX: Edit sendmail.cf (disable relaying, or restrict access with K/F lines).
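The PrivacyOptions fix above can be audited and applied mechanically. The script below is an added example, not code from NSAT or this advisory: it reports whether a sendmail.cf already hides users from EXPN/VRFY (goaway, or both noexpn and novrfy) and writes a copy with the option forced to goaway. It handles only the sendmail 8 "O PrivacyOptions=" option line, the sample file is constructed, and relay control (the second fix) is not checked.

```sh
#!/bin/sh
# Added example, not part of the NSAT advisory: check a sendmail.cf for the
# PrivacyOptions setting the SENDMAIL/SMTP entry recommends and emit a copy
# with it forced to "goaway". Only the "O PrivacyOptions=" option line of
# sendmail 8 is handled; the sample file is constructed. Relay control
# (the second fix) is not checked here.

# Return 0 when FILE hides user information from EXPN/VRFY, i.e. its
# PrivacyOptions contain "goaway" or both "noexpn" and "novrfy".
sendmail_privacy_ok() {
    opts=$(sed -n 's/^O[[:space:]]*PrivacyOptions[[:space:]]*=[[:space:]]*//p' "$1" \
           | tail -n 1 | tr -d '[:space:]')
    case ",$opts," in
        *,goaway,*) return 0 ;;
    esac
    case ",$opts," in
        *,noexpn,*) case ",$opts," in *,novrfy,*) return 0 ;; esac ;;
    esac
    echo "PrivacyOptions=${opts:-<unset>}: EXPN/VRFY still answered" >&2
    return 1
}

# Write a copy of FILE to stdout with PrivacyOptions=goaway, replacing an
# existing option line or appending one if the file has none.
harden_sendmail_privacy() {
    if grep -q '^O[[:space:]]*PrivacyOptions' "$1"; then
        sed 's/^O[[:space:]]*PrivacyOptions.*/O PrivacyOptions=goaway/' "$1"
    else
        cat "$1"
        echo "O PrivacyOptions=goaway"
    fi
}

# Constructed sendmail.cf fragment used for the demo.
make_sample_sendmail_cf() {
    cat > "$1" <<'EOF'
# sendmail.cf (constructed sample fragment)
O LogLevel=9
O PrivacyOptions=authwarnings
O QueueDirectory=/var/spool/mqueue
EOF
}

# Demonstration.
cf=$(mktemp)
make_sample_sendmail_cf "$cf"
sendmail_privacy_ok "$cf" || echo "-> hardening $cf"
harden_sendmail_privacy "$cf" > "$cf.new"
sendmail_privacy_ok "$cf.new" && echo "-> $cf.new hides users from EXPN/VRFY"
rm -f "$cf" "$cf.new"
```

Setting goaway also turns on the other privacy flags (such as needmailhelo), so after applying it, restart sendmail and confirm that VRFY and EXPN are refused on a test session.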

BIND/DNS: The Domain NameServer is used to translate IP addresses to hostnames.
VULN: Many servers that respond to an IQUERY and NXT request are vulnerable
      to buffer overflows that can lead to a root compromise.
RISK: VERY HIGH
FIX: Upgrade to version 4.9.7 / 8.1.2 or higher.
VULN: Zone transfer queries can reveal network infrastructure.
RISK: LOW
FIX: Restrict access to 53/tcp to local clients and nameservers.
VULN: Constructed DNS queries can be used to multiply DoS attacks.
RISK: LOW
FIX: Restrict incoming traffic to nameservers to your local network.

LINUXCONF: A web-based configuration service for linux.
VULN: Several vulnerabilities exist in the linuxconf server.
RISK: HIGH
FIX: Disable the service or use a tcp wrapper and compile a hosts.allow
     and hosts.deny file.

FINGER: Displays information about local users.
VULN: Service can be used to gain user names and information for brute
      force attacks or to trace users.
RISK: MEDIUM
FIX: Disable the service or use a tcp wrapper and compile a hosts.allow
     and hosts.deny file.
VULN: Older versions allow arbitrary shell commands to be executed as nobody.
RISK: HIGH
FIX: Upgrade to version 0.10 or higher.
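The TELNET, LINUXCONF and FINGER entries all prescribe the same tcp wrapper setup. The script below is an added example, not code from NSAT or this advisory: it generates a hosts.allow naming the permitted client networks for a list of wrapped daemons plus a catch-all hosts.deny, and checks that an existing pair of files really is default-deny. It assumes the daemons are already started through tcpd from inetd.conf; the daemon names and client networks in the demonstration are constructed, and the directory argument is /etc on a real host.

```sh
#!/bin/sh
# Added example, not part of the NSAT advisory: generate the tcp wrapper
# policy the TELNET, LINUXCONF and FINGER entries call for (a hosts.allow
# naming the permitted client networks plus a catch-all hosts.deny) and check
# that an existing policy really is default-deny. It assumes the daemons are
# already started through tcpd from inetd.conf, as the advisory suggests.
# The directory argument is /etc on a real host; the demo uses a temp dir.

# Write hosts.allow and hosts.deny into DIR.
#   $2: space-separated daemon names as they appear in inetd.conf
#       (e.g. "in.telnetd in.fingerd")
#   $3: space-separated client patterns in tcpd syntax
#       (e.g. "192.168.1.0/255.255.255.0 LOCAL")
write_tcpwrapper_policy() {
    dir=$1 daemons=$2 clients=$3
    if [ -z "$dir" ] || [ -z "$daemons" ] || [ -z "$clients" ]; then
        echo "usage: write_tcpwrapper_policy DIR 'daemon ...' 'client ...'" >&2
        return 1
    fi
    # tcpd lists are comma separated: "a b c" -> "a, b, c"
    dlist=$(echo "$daemons" | tr -s ' ' ',' | sed 's/,/, /g')
    clist=$(echo "$clients" | tr -s ' ' ',' | sed 's/,/, /g')
    {
        echo "# hosts.allow: only these clients may reach the wrapped daemons"
        echo "$dlist: $clist"
    } > "$dir/hosts.allow"
    {
        echo "# hosts.deny: anything not matched in hosts.allow is refused"
        echo "ALL: ALL"
    } > "$dir/hosts.deny"
}

# Return 0 when the policy in DIR is default-deny: hosts.deny carries a
# catch-all ALL: ALL and no hosts.allow rule opens a daemon to ALL clients.
tcpwrapper_policy_check() {
    dir=$1
    if ! grep -qs '^ALL[[:space:]]*:[[:space:]]*ALL' "$dir/hosts.deny"; then
        echo "$dir/hosts.deny has no catch-all 'ALL: ALL' rule" >&2
        return 1
    fi
    if grep -vs '^#' "$dir/hosts.allow" | grep -Eq ':[[:space:]]*ALL([[:space:],]|$)'; then
        echo "$dir/hosts.allow grants a daemon to ALL clients" >&2
        return 1
    fi
    return 0
}

# Demonstration in a temporary directory (constructed values).
demo=$(mktemp -d)
write_tcpwrapper_policy "$demo" "in.telnetd in.fingerd linuxconf" \
    "192.168.1.0/255.255.255.0 LOCAL"
tcpwrapper_policy_check "$demo" && echo "policy in $demo is default-deny"
cat "$demo/hosts.allow" "$demo/hosts.deny"
rm -rf "$demo"
```

tcpd consults hosts.allow first and hosts.deny second, and permits the connection if neither matches, which is why the check insists on the catch-all deny rule. On a real host, tcpdchk from the tcp_wrappers package validates the finished files against inetd.conf.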

HTTP: The HTTP Server handles access to your Website.
VULN: Various severe bugs exist in MS-IE 4 and 5.
RISK: HIGH
FIX: Disable the '.htr' association and apply all recent patches.
VULN: Old versions of apache are vulnerable to a buffer overflow.
RISK: HIGH
FIX: Upgrade to version 1.3 or higher.
VULN: CGI scripts, Cold Fusion, and Frontpage extensions are exploitable.
RISK: LOW - HIGH
FIX: See Advisory.cgi.

POP2: PostOfficeProtocol 2-Server used to handle incoming e-mail.
VULN: Old Linux POP2 servers are vulnerable to a buffer overflow.
RISK: HIGH
FIX: Upgrade to version 4 or higher or disable the service.

POP3: PostOfficeProtocol 3-Server used to handle incoming e-mail.
VULN: QPOP 2.x, ipop3d 3.x, and a few other products are vulnerable
      to a buffer overflow that can lead to a root compromise.
RISK: VERY HIGH
FIX: Upgrade to the latest version of your product available.

PORTMAP: Used to lookup and communicate with rpc services.
VULN: Everybody can look up your rpc services.
RISK: LOW
FIX: Restrict access to 111/tcp to local clients.
VULN: Some RPC services are exploitable.
RISK: HIGH - VERY HIGH
FIX: See Advisory.rpc.

NNTP/INND: The InterNetNews Daemon handles newsgroups traffic.
VULN: Versions 1.6 and below are vulnerable to a buffer overflow.
      Version 2 releases prior to 2.2.1 are vulnerable to multiple buffer overflows.
RISK: HIGH
FIX: Disable the service or upgrade to INND 2.2.1-24 or higher.

NETBIOS-NS: The netbios-ns service provides clients with your samba name.
VULN: Everyone knowing your samba/netbios name can establish a samba session.
RISK: LOW
FIX: Disable the service (nmbd), if not needed by remote clients.

SAMBA: Samba is a server that manages remote file access.
VULN: Buffer overflows that can lead to a root compromise exist in
      Windows and older Linux implementations.
RISK: VERY HIGH
FIX: Upgrade to the latest version (1.9.18 or up), or disable the service.
VULN: Uses insecure plaintext password authentication.
RISK: MEDIUM
FIX: none

IMAP: IMAP 2/4 Server used to handle incoming e-mail.
VULN: Many versions are vulnerable to buffer overflows that can
      lead to a root compromise.
RISK: VERY HIGH
FIX: Upgrade to version IMAP4.1 v12.X or higher, or disable the service.
VULN: Uses insecure plaintext password authentication.
RISK: MEDIUM
FIX: none

SNMP: Simple Network Management Protocol
VULN: Given an improperly configured SNMP network, an attacker could
      obtain sensitive information, retrieve local files, reconfigure
      router interfaces (if run on a router), and even gain root access.
RISK: VERY HIGH
FIX: Create an ACL for each running snmp daemon. Restrict access to all
     MIBs by using non-standard community names and strong passwords.
VULN: Uses insecure plaintext password authentication.
RISK: MEDIUM
FIX: Future implementations of SNMPv2 might support encryption.

FIREWALL-1: Remote Authentication Agent for a Windows NT firewall.
VULN: FW-1 AuthAgent 1.1 can be used to reveal FW-1 user names and passwords.
RISK: HIGH
FIX: Configure all three IP addresses for authentication, and, if
     possible, disable access to 261/tcp to remote clients.

REXECD: The remote execution daemon enables users to log in remotely.
VULN: Vulnerable to .rhosts, sniffing and brute force attacks.
RISK: HIGH
FIX: Disable the service.

RLOGIND: The remote login daemon enables users to log in remotely.
VULN: Vulnerable to .rhosts, sniffing and brute force attacks.
RISK: HIGH
FIX: Disable the service.

RSHD: The remote shell daemon enables users to log in remotely.
VULN: Vulnerable to .rhosts, sniffing and brute force attacks.
RISK: HIGH
FIX: Disable the service.

LPD: Remote line printer services.
VULN: Various buffer overflows exist in implementations of the
      line printer daemon, especially under Linux, BSD and IRIX,
      which can lead to a root compromise. Linux lpd has proven to
      be exploitable to spawn a root shell.
RISK: VERY HIGH
FIX: Upgrade to the latest lpd version; disable the service if you
     do not use it. Upgrade your PAM (Pluggable Authentication
     Modules) library.

PORT 666: Most likely a backdoor installed by an intruder.
VULN: This is a serious sign of a previous compromise.
FIX: Immediately remove the machine from the network, and see
     www.cert.org on how to recover from a compromise.

SOCKS: SOCKS4/5 proxy server used to relay client connections.
VULN: A misconfigured server can be used to relay everywhere.
RISK: MEDIUM
FIX: Compile a list of authorized hosts.

MSQL: miniSQL database server.
VULN: The Linux and BSD versions are vulnerable to a buffer overflow
      that can lead to a root compromise.
RISK: VERY HIGH
FIX: Upgrade to the latest version.
VULN: SQL Servers should not be accessible by everyone.
RISK: HIGH
FIX: Restrict access to 1114/tcp to authorized SQL clients.
     Upgrade to msql version 3.2 or higher.

PORT 1524/INGRESLOCKD: Most likely a backdoor installed by an intruder.
VULN: This is a serious trace of a previous compromise,
      unless you are knowingly running the ingreslock rpc service.
FIX: Immediately remove the machine from the network, and see
     www.cert.org on how to recover from a compromise.

ORACLE: Oracle SQL database server.
VULN: SQL Servers should not be accessible by everyone.
RISK: HIGH
FIX: Restrict access to 1525/tcp to authorized SQL clients.

NLPSD: Solaris remote line printer service.
VULN: The nlps server is vulnerable to a remote buffer overflow
      that can lead to a root compromise.
FIX: Upgrade to the latest version or disable listening.

X-WINDOWS: Graphical User Interface for UNIX.
VULN: Uses insecure plaintext password authentication.
RISK: MEDIUM
FIX: none
VULN: It may be possible for anyone to connect to and log in to X Windows.
RISK: HIGH
FIX: add 'xhost -' to your X options file.
VULN: By opening a raw session to the X server, sessions
      and probably sensitive data can be snooped.
RISK: MEDIUM
FIX: Restrict access to 6000/tcp to local clients.

CISCO ROUTERS: Cisco routers and switches can be susceptible to remote attacks.
VULN: Cisco routers with port 7161 can be crashed repeatedly, leading to
      a severe DoS. The Cisco backdoor on port 1999 can be used to remotely
      identify Cisco routers and gain access to them.
RISK: VERY HIGH
FIX: Filter incoming TCP traffic to the router and contact Cisco
     for the latest software patch.

PORT 8080/PROXY: Proxy server used to relay client connections.
VULN: A misconfigured server can be used to relay everywhere.
RISK: MEDIUM
FIX: Depending on the kind of server, compile a list of
     authorized users, and/or limit relaying to port 80.

BACK ORIFICE: Most likely installed by an intruder.
VULN: This is a serious trace of a previous compromise.
FIX: Immediately remove the machine from the network, and see
     www.cert.org on how to recover from a compromise.

TRINOO: Most likely installed by an intruder.
VULN: This is a serious trace of a previous compromise.
FIX: Immediately remove the machine from the network, and see
     www.cert.org on how to recover from a compromise.
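The PORT 666 and PORT 1524/INGRESLOCKD entries above treat an unexplained listener on those ports as a sign of compromise. The script below is an added example, not code from NSAT or this advisory: it scans saved "netstat -an" output for tcp listeners or udp sockets on a watch list of ports and reports them, while letting the operator declare ports that are knowingly in use (the ingreslock exception the advisory mentions). The watch list holds only the two port numbers named on this page; the netstat lines are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the NSAT advisory: scan saved "netstat -an"
# output for listeners on the ports the PORT 666 and PORT 1524/INGRESLOCKD
# entries describe as likely intruder backdoors. The port list holds only the
# values named in the advisory; extend WATCH_PORTS with any others you track.
# The netstat lines below are constructed, not captured from a real host.

# Ports the advisory flags as probable backdoors (tcp).
WATCH_PORTS="666 1524"
# Ports from that list that this host is knowingly running (the advisory
# excepts a deliberately run ingreslock service); empty by default.
EXPECTED_PORTS=""

# Print "proto port local-address" for each tcp LISTEN or udp socket in FILE
# whose port is in the watch list and not in the expected list.
#   $1: file holding netstat -an output
#   $2: watch list (default WATCH_PORTS)   $3: expected list (default EXPECTED_PORTS)
flag_suspicious_listeners() {
    awk -v watch="${2:-$WATCH_PORTS}" -v expected="${3:-$EXPECTED_PORTS}" '
        BEGIN {
            n = split(watch, w, " ");    for (i = 1; i <= n; i++) bad[w[i]] = 1
            n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1
        }
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            port = $4; sub(/.*:/, "", port)      # strip the address, keep the port
            if ((port in bad) && !(port in ok)) print $1, port, $4
        }
    ' "$1"
}

# Constructed netstat -an output for the demo.
make_sample_netstat() {
    cat > "$1" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:1524           10.0.0.9:40112          ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
}

# Demonstration.
ns=$(mktemp)
make_sample_netstat "$ns"
echo "Suspicious listeners (treat as a sign of compromise until explained):"
flag_suspicious_listeners "$ns"
echo "With ingreslock 1524 declared as knowingly run:"
flag_suspicious_listeners "$ns" "$WATCH_PORTS" "1524"
rm -f "$ns"
```

Run the check against netstat output saved before the machine is disconnected, since a compromised host's own netstat may have been replaced; the saved listing then also serves as evidence for the recovery steps referenced above.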
