Scan Customer Information
Company: Example Name
Contact: Mr. Example
Title:
Telephone: 0000-123456
E-Mail: [email protected]
Business Address: Example Street
City:
State: Example Location
ZIP: 00000
URL: www.example.com

Scan Company Information
Company: SRC Security Research & Consulting GmbH
Contact: Holger von Rhein
Title: Senior Consultant
Telephone: +49 (0) 228 2806 166
E-Mail: [email protected]
Business Address: Graurheindorfer Strasse 149a
City: Bonn
State: NRW
ZIP: 53117
URL: www.src-gmbh.de
Scan Status
Status: FAIL
Number of unique components scanned: 1
Number of Hosts not alive during scan: 0
Number of identified failing vulnerabilities: 3
Number of components found by Scanner but not scanned because scan customer confirmed components were out of scope: 0
Date scan completed: 2015-08-25
Scan expiration date (90 days from date scan completed): 2015-11-23
Scan Attestation
This scan and report was prepared and conducted by SRC Security Research & Consulting GmbH. SRC Security Research & Consulting GmbH attests that the Cyber Security scan process was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, and 3) active scan interference.
This report and any exceptions were reviewed by Holger von Rhein and Konstantin Pedan.
Security Scan Report    Strictly Confidential
Part 1. Scan Information
Scan Customer Company: Example Name
Scan Company: SRC Security Research & Consulting GmbH
Date scan was completed: 2015-08-25
Scan expiration date: 2015-11-23
Part 2. Component Summary
IP Address: 127.0.0.1 FAIL
Part 3a. Vulnerabilities Noted for each IP Address

IP Address   Port   Vulnerabilities Noted per IP Address                                     Severity Level   CVSS Score   Status   Exceptions, False Positives, or Compensating Controls (Noted by the Scanner for this Vulnerability)
127.0.0.1    80     Slow HTTP POST vulnerability                                             MEDIUM           6.8          PASS     Vulnerability is not Cyber Security relevant.
127.0.0.1    80     Server accepts unnecessarily large POST request body                     MEDIUM           5            PASS     Vulnerability is not Cyber Security relevant.
127.0.0.1    -      OpenSSH LoginGraceTime Denial of Service Vulnerability (CVE-2010-5107)   MEDIUM           5            PASS     Vulnerability is not Cyber Security relevant.
127.0.0.1    443    Cookie Does Not Contain The "secure" Attribute                           MEDIUM           4.3          FAIL     Automatic Failure: Session tokens have to be flagged as secure.
127.0.0.1    443    OpenSSL Use-After-Free Memory Corruption Vulnerability (CVE-2010-5298)   MEDIUM           4            FAIL
127.0.0.1    -      Remote Access or Management Service Detected                             LOW              2.3          PASS
Cyber Security Example Scan    Page 2
IP Address   Port   Vulnerabilities Noted per IP Address                                     Severity Level   CVSS Score   Status   Exceptions, False Positives, or Compensating Controls (Noted by the Scanner for this Vulnerability)
127.0.0.1    80     Links Discovered During User-Agent and Mobile Site Checks                LOW              2.3          PASS
127.0.0.1    80     List of Web Directories                                                  LOW              0            FAIL     Automatic Failure: Direct access to database detected.
127.0.0.1    -      Host Names Found                                                         LOW              0            PASS
127.0.0.1    -      ICMP Replies Received                                                    LOW              0            PASS
127.0.0.1    -      Open TCP Services List                                                   LOW              0            PASS
127.0.0.1    -      Open UDP Services List                                                   LOW              0            PASS
127.0.0.1    22     SSH Banner                                                               LOW              0            PASS
127.0.0.1    80     Web Server Version                                                       LOW              0            PASS
Consolidated Solution/Correction Plan for above IP Address:
Upgrade OpenSSH to a still supported major version and update/patch OpenSSH to the latest minor version of the chosen major version. Restrict access to remote access or remote management services only to the system administrators or intended users of the system.
Audit the Open TCP services list and disable, remove or restrict any service which is not intended or not allowed to be available from the Internet. This should especially include database services or unencrypted remote console services.
Audit the Open UDP services list and disable, remove or restrict any service which is not intended or not allowed to be available from the Internet.
A detailed solution for all failing vulnerabilities can be found on the following pages.
Notes per IP address (columns: IP Address; Note; Item Noted (remote access software, POS software, etc.); scan customer's declaration that the software is implemented securely (see next column if not implemented securely); scan customer's description of actions taken to either 1) remove the software or 2) implement security controls to secure the software). The last two columns are left for the scan customer to complete.

IP Address: 127.0.0.1
Note to scan customer: Due to increased risk to the cardholder data environment when remote access software is present, please 1) justify the business need for this software to the Scanner and 2) confirm it is either implemented securely per Appendix C or disabled/removed. Please consult your Contact if you have questions about this Special Note.
Item Noted: SSH

IP Address: 127.0.0.1
Note to scan customer: Atypical service accessible from the Internet. Due to increased risk to the cardholder data environment, please 1) justify the business need for this configuration to the Scanner, or 2) confirm that it is disabled. Please consult your Contact if you have questions about this Special Note.
Item Noted: SSH, NTP
Systems not scanned, but found during Discovery [1]
Scan Report Vulnerability Details

Scan Customer Company: Example Name
Scan Company: SRC Security Research & Consulting GmbH
Date scan was completed: 2015-08-25
Scan expiration date: 2015-11-23

System: 127.0.0.1
This system has 3 failing vulnerabilities.
Title: Slow HTTP POST vulnerability
Severity: MEDIUM   Status: PASS
IP: 127.0.0.1   Port: 80   Protocol: tcp
Category: Potential   Subcategory: Web Application
Internal ID: 150085
CVSS Base Score: 6.8   CVSS Temporal Score: 6.1
Comment: This is a potential vulnerability. Please contact SRC in order to determine whether your system is affected by this vulnerability.
Diagnosis:
The web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server resources by keeping connections open for an extended period of time while sending traffic to the server very slowly. If the server keeps too many connections open at once, it may be unable to respond to new, legitimate connections. Unlike bandwidth-consumption DoS attacks, the "slow" attack does not require a large amount of traffic to be sent to the server, only that the client is able to keep connections open for several minutes at a time.
The attack holds server connections open by sending properly crafted HTTP POST headers that contain a Content-Length header with a large value, telling the web server how much data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at a very low rate to prolong the completion of the request and tie up server resources. By waiting for the complete request body, the server is helping clients with slow or intermittent connections to complete their requests, but it is also exposing itself to abuse.
More information can be found in this presentation [2].
Consequence:
All other services remain intact, but the web server itself becomes inaccessible.
Solution:
The solution is server-specific, but the general recommendations are:
- limit the size of the acceptable request to each form's requirements
- establish a minimum acceptable transfer rate
- establish an absolute timeout for connections carrying a POST request
Server-specific details can be found here [3]. A tool that demonstrates this vulnerability in a more intrusive manner is available here [4].
Result:
url: http://www.example.com/
matched: Vulnerable to slow HTTP POST attack. Connection with partial POST body remained open for: 305162 milliseconds

[2] https://media.blackhat.com/bh-dc-11/Brennan/BlackHat_DC_2011_Brennan_Denial_Service-Slides.pdf
[3] https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
Title: Server accepts unnecessarily large POST request body
Severity: MEDIUM   Status: PASS
IP: 127.0.0.1   Port: 80   Protocol: tcp
Category: Informational   Subcategory: Web Application
Internal ID: 150086
CVSS Base Score: 5   CVSS Temporal Score: 0
Diagnosis:
The web application scanner successfully sent a POST request with content type application/x-www-form-urlencoded and 65536 bytes of random text data. Accepting request bodies of unnecessarily large size helps an attacker use fewer connections to achieve a Layer 7 DDoS of the web server. More information can be found here [5].
Consequence:
Could result in a successful application-level (Layer 7) DDoS attack.
Solution:
Limit the size of the request body to each form's requirements. For example, a search form with a 256-character search field should not accept more than a 1 KB value. Server-specific details can be found here [6].
Result:
Server responded 200 to an unnecessarily large random request body (over 64 KB) for URL http://www.example.com/, significantly increasing an attacker's chances of prolonging a slow HTTP POST attack.

[5] https://media.blackhat.com/bh-dc-11/Brennan/BlackHat_DC_2011_Brennan_Denial_Service-Slides.pdf
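The two findings above are two faces of the same server behaviour: how long it waits for a request body and how large a body it is willing to accept. The following is an added example, not code from the scan report or from the scanner: a small loopback HTTP listener that can run either the way the scanned server behaved (no deadline on the body read, no cap on Content-Length) or hardened (absolute body deadline, size cap), together with the two probes the scanner effectively ran against it. The 0.3 s deadline, the 1024-byte cap and the one-second hold time are arbitrary test values so that the whole thing finishes in a couple of seconds; a production server would use values in the tens of seconds.

```python
import re
import socket
import threading
import time

# Added example, not code from the scan report or the scanner: a loopback HTTP
# listener that behaves like the scanned server (no deadline on the body read,
# no cap on Content-Length) or hardened, plus the two probes behind the findings
# above. Timeouts and limits are arbitrary test values.

def _respond(conn, status):
    """Reply without a body, then read out anything the client already sent so
    close() sends a FIN rather than a RST that could discard the reply."""
    conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    conn.shutdown(socket.SHUT_WR)
    conn.settimeout(1.0)
    try:
        while conn.recv(65536):
            pass
    except OSError:
        pass

def handle_post(conn, body_timeout, max_body):
    """Server side. None/None reproduces the scanned behaviour; otherwise
    body_timeout is an absolute deadline for the body and max_body a size cap."""
    try:
        raw = b""
        while b"\r\n\r\n" not in raw:          # read the header block
            chunk = conn.recv(4096)
            if not chunk:
                return
            raw += chunk
        head, _, body = raw.partition(b"\r\n\r\n")
        m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
        length = int(m.group(1)) if m else 0
        if max_body is not None and length > max_body:
            _respond(conn, b"413 Request Entity Too Large")  # refuse before reading
            return
        got = len(body)
        deadline = None if body_timeout is None else time.monotonic() + body_timeout
        while got < length:
            if deadline is not None:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    break
                conn.settimeout(remaining)
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                return  # client went away; nothing to answer
            got += len(chunk)
        _respond(conn, b"200 OK" if got >= length else b"408 Request Timeout")
    except OSError:
        pass
    finally:
        conn.close()

def start_server(body_timeout=None, max_body=None):
    """Listen on an ephemeral loopback port, one daemon thread per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_post, args=(conn, body_timeout, max_body), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def probe_slow_post(port, hold_for=1.0, interval=0.1, announce=1000):
    """Slow-POST check: announce `announce` body bytes, then trickle one byte per
    `interval`. Returns (seconds the request stayed open, closed_by_server).
    The small default announce keeps a size cap alone from ending the request."""
    s = socket.create_connection(("127.0.0.1", port), timeout=interval)
    start = time.monotonic()
    try:
        s.sendall(b"POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: "
                  b"application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n" % announce)
        while time.monotonic() - start < hold_for:
            try:
                s.sendall(b"a")  # one body byte keeps the request "in progress"
                s.recv(4096)     # any reply or EOF means the server gave up on us
            except socket.timeout:
                continue         # silence: the server is still holding the slot
            except OSError:
                pass             # reset by the server counts as closed too
            return time.monotonic() - start, True
        return time.monotonic() - start, False
    finally:
        s.close()

def probe_large_body(port, size=65536):
    """Oversized-body check: POST `size` filler bytes at once; return the status
    code (200 = the server buffered it all, 413 = capped)."""
    s = socket.create_connection(("127.0.0.1", port))
    try:
        s.sendall(b"POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: "
                  b"application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n" % size
                  + b"a" * size)
        return int(s.recv(4096).split(b" ")[1])
    finally:
        s.close()
```

Against `start_server()` the trickle probe is still open when the hold time expires and the 64 KiB body gets a 200, which is what the two Result lines above record; against `start_server(body_timeout=0.3, max_body=1024)` the trickle is cut off with a 408 after the deadline and the large body is refused with a 413 before it is read. Note that the deadline is absolute, not per-read: a per-read socket timeout would never fire against a client that sends one byte every few seconds, which is exactly the attack. On the Apache 2.2.27 shown in the banner of this scan, the equivalent settings are mod_reqtimeout's RequestReadTimeout (header and body timeouts with a minimum rate) and LimitRequestBody.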
Title: OpenSSH LoginGraceTime Denial of Service Vulnerability
Severity: MEDIUM   Status: PASS
IP: 127.0.0.1   Port: 22   Protocol: tcp
Category: Potential   Subcategory: General remote services
Internal ID: 42413
CVSS Base Score: 5   CVSS Temporal Score: 3.9
CVE ID: CVE-2010-5107 [7]
Comment: This is a potential vulnerability. Please contact SRC in order to determine whether your system is affected by this vulnerability.
Diagnosis:
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. Default OpenSSH installations have an overly long LoginGraceTime and lack early connection release for the MaxStartups setting. Remote unauthenticated attackers could bypass the LoginGraceTime and MaxStartups thresholds by intermittently opening a large number of new TCP connections to the targeted server. This could lead to connection slot exhaustion.
Affected Software: OpenSSH 6.1 and prior.
Consequence:
Successful exploitation could allow an unauthenticated remote attacker to cause the targeted server to stop responding to legitimate user requests, leading to a denial of service on the targeted server.
Solution:
Customers are advised to upgrade to OpenSSH 6.2 [8] and apply the associated server configuration settings to remediate this vulnerability.
Patch: The following link is for downloading patches to fix the vulnerability: OpenSSH 6.2 [9]
Result:
ID: 42413 detected on port 22 over TCP - SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1

[7] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5107
[8] http://www.openssh.org/
[9] http://www.openssh.org/
Title: Cookie Does Not Contain The "secure" Attribute
Severity: MEDIUM   Status: FAIL
IP: 127.0.0.1   Port: 443   Protocol: tcp
Category: Vulnerability   Subcategory: Web Application
Internal ID: 150122
CVSS Base Score: 4.3   CVSS Temporal Score: 0
Diagnosis:
The cookie does not contain the "secure" attribute.
Consequence:
Cookies with the "secure" attribute are only sent over HTTPS. Session cookies sent over HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
Solution:
Flag the session cookie as secure. If the affected software is not self-developed, please contact SRC.
Result:
url: https://www.example.com/
matched: x5492c=5u8sh5cb8dq5g20ctiagss25l0; path=/; domain=www.example.com
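What the scanner matched above is one Set-Cookie header value with no Secure attribute. The following is an added example, not from the scan report or the scanned application: it parses such a value, reports the missing Secure flag (and, going one step beyond this finding, the HttpOnly flag, which the same review should check), and shows the rewrite a TLS-terminating proxy can apply as a stopgap until the application sets the flags itself. The sample headers are constructed; the first one is the cookie from the Result above.

```python
# Added example, not from the scan report: a checker for the Set-Cookie value
# the scanner matched above. It also reports HttpOnly, which this finding does
# not cover but the same review should, and shows the rewrite a TLS-terminating
# proxy can apply as a stopgap until the application sets the flags itself.

# Constructed samples: the first is the cookie from the Result above.
SAMPLE_HEADERS = [
    "x5492c=5u8sh5cb8dq5g20ctiagss25l0; path=/; domain=www.example.com",
    "x5492c=5u8sh5cb8dq5g20ctiagss25l0; Path=/; Secure; HttpOnly",
    "lang=de; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes). Attribute
    names are lower-cased; flags such as Secure map to ''. Splitting on ';'
    keeps the commas inside an Expires date intact."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for item in rest:
        key, _, val = item.strip().partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header, served_over_tls=True):
    """Return the problems a scanner would raise for this cookie."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if served_over_tls and "secure" not in attrs:
        problems.append(f"{name}: missing Secure (browser will also send it over plain HTTP)")
    if "httponly" not in attrs:
        problems.append(f"{name}: missing HttpOnly (readable from script)")
    return problems

def harden_set_cookie(header, httponly=True):
    """Append Secure (and HttpOnly) to a Set-Cookie value where absent."""
    _, _, attrs = parse_set_cookie(header)
    out = header.strip().rstrip(";")
    if "secure" not in attrs:
        out += "; Secure"
    if httponly and "httponly" not in attrs:
        out += "; HttpOnly"
    return out

def audit_all(headers=SAMPLE_HEADERS):
    """Map each header to its problem list; an empty list means it passes."""
    return {h: audit_set_cookie(h) for h in headers}
```

The first sample fails on both counts, the second passes, and `harden_set_cookie` turns the first into a passing value. Setting the flag at the source is still preferable to rewriting at the proxy; for a PHP session cookie, for example, that is the session.cookie_secure (and session.cookie_httponly) ini settings. The checker deliberately does not try to split several cookies folded into one header on commas, because Expires dates contain commas.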
Title: OpenSSL Use-After-Free Memory Corruption Vulnerability
Severity: MEDIUM   Status: FAIL
IP: 127.0.0.1   Port: 443   Protocol: tcp
Category: Potential   Subcategory: General remote services
Internal ID: 42431
CVSS Base Score: 4   CVSS Temporal Score: 3.4
CVE ID: CVE-2010-5298 [10]
Comment: This is a potential vulnerability. Please contact SRC in order to determine whether your system is affected by this vulnerability.
Diagnosis:
OpenSSL is an open source implementation of the SSL protocol that is used by a number of other projects. It is available for various platforms.
OpenSSL is exposed to a remote memory corruption vulnerability in the "ssl3_release_read_buffer" function of the "s3_pkt.c" source file.
Affected Versions: OpenSSL 1.0.0 up to 1.0.0l and OpenSSL 1.0.1 up to 1.0.1g.
Consequence:
If this vulnerability is successfully exploited, attackers can inject data from one connection into another.
Solution:
There are no official OpenSSL patches available at this time. OpenSSL fixed this issue in its git source repository. Contact the vendor of your operating system for a patch. Since the affected range ends at 1.0.0l and 1.0.1g, a later release, or a vendor package that backports the fix under the same version string, is not affected; the banner alone cannot tell the two apart, which is why this finding is categorised as Potential.
Result:
ID: 42431 detected on port 443 over TCP - Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e

[10] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
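Both this finding and the OpenSSH LoginGraceTime finding above are banner matches: the scanner compared a version string against an affected range. The following added example (not code from the scan report or the scanner) does that comparison explicitly for the two banners recorded in the Result lines, using the report's own ranges ("OpenSSH 6.1 and prior"; OpenSSL 1.0.0 to 1.0.0l and 1.0.1 to 1.0.1g), and flags when a distribution suffix such as "Debian-4+deb7u1" means the banner may hide a backported fix. The range constants and the field names in the verdict are this example's, not the scanner's.

```python
import re

# Added example, not from the scan report or the scanner: the version
# comparisons behind the two banner-based findings, on the banners the Result
# lines above recorded. Ranges are the ones the report states.

SSH_BANNER = "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1"
HTTP_BANNER = "Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e"

# CVE-2010-5298 per the report: 1.0.0 up to 1.0.0l and 1.0.1 up to 1.0.1g, inclusive.
OPENSSL_UAF_RANGES = [("1.0.0", "1.0.0l"), ("1.0.1", "1.0.1g")]
# CVE-2010-5107 per the report: OpenSSH 6.1 and prior.
OPENSSH_GRACE_MAX = (6, 1)

def openssl_key(ver):
    """'1.0.1e' -> (1, 0, 1, 'e'); the bare release '1.0.1' sorts before '1.0.1a'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    if not m:
        raise ValueError(f"not an OpenSSL version: {ver!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def openssl_in_ranges(ver, ranges=OPENSSL_UAF_RANGES):
    """True if `ver` falls inside any of the inclusive (low, high) ranges."""
    k = openssl_key(ver)
    return any(openssl_key(lo) <= k <= openssl_key(hi) for lo, hi in ranges)

def parse_ssh_banner(banner):
    """(major, minor, distro suffix or '') from an SSH-2.0-OpenSSH_x.y banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?\s*(.*)$", banner)
    if not m:
        return None
    return (int(m[1]), int(m[2]), m[3].strip())

def assess(ssh_banner, http_banner):
    """Version-only verdicts, plus a flag when a distro suffix means the banner
    may not reflect a backported fix (the report's 'Potential' category)."""
    ssh = parse_ssh_banner(ssh_banner)
    ssl = re.search(r"OpenSSL/(\S+)", http_banner)
    return {
        "openssh_version": ssh[:2] if ssh else None,
        "openssh_login_grace_dos": bool(ssh) and ssh[:2] <= OPENSSH_GRACE_MAX,
        "openssh_distro_suffix": ssh[2] if ssh else "",
        "openssl_version": ssl[1] if ssl else None,
        "openssl_uaf": bool(ssl) and openssl_in_ranges(ssl[1]),
    }
```

For the scanned host this returns OpenSSH (6, 0) inside the affected range and OpenSSL 1.0.1e inside the 1.0.1 range, which is what the report marks. The non-empty distro suffix is the caveat a practitioner should act on before treating either as confirmed: Debian and other distributions ship security fixes as backports without changing the upstream version in the banner, so the package changelog (for example via dpkg -s openssl or dpkg -s openssh-server on the host) is the authoritative check. Where the upgrade the report recommends is not yet possible, the sshd_config directives the OpenSSH finding names, LoginGraceTime (lower it) and MaxStartups in its start:rate:full form (for example MaxStartups 10:30:100, which enables random early drop of unauthenticated connections), reduce the connection-slot exhaustion window.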
Title: Remote Access or Management Service Detected
Severity: LOW   Status: PASS
IP: 127.0.0.1   Port: 22   Protocol: tcp
Category: Informational   Subcategory: General remote services
Internal ID: 42017
CVSS Base Score: 2.3   CVSS Temporal Score: 0
Diagnosis:
A remote access or remote management service was detected. If such a service is accessible to malicious users, it can be used to carry out different types of attacks. Malicious users could try to brute-force credentials or collect additional information on the service that could enable them to craft further attacks.
The Results section includes information on the remote access service that was found on the target.
Services like Telnet, Rlogin, SSH, Windows Remote Desktop, pcAnywhere, Citrix Management Console, Remote Admin (RAdmin), VNC, OpenVPN and ISAKMP are checked.
Consequence:
Consequences vary by the type of attack.
Solution:
Expose remote access or remote management services only to the system administrators or intended users of the system.
Result:
Service name: SSH on TCP port 22.
Title: Links Discovered During User-Agent and Mobile Site Checks
Severity: LOW   Status: PASS
IP: 127.0.0.1   Port: 80   Protocol: tcp
Category: Informational   Subcategory: Web Application
Internal ID: 150067
CVSS Base Score: 2.3   CVSS Temporal Score: 0
Diagnosis:
Links were discovered via requests using an alternate User-Agent or guessed based on common mobile device URI patterns. The scanner attempts to determine whether the web application changes its behaviour when accessed by mobile devices. These checks are based on modifying the User-Agent, changing the domain name, and appending common directories.
The extra links discovered by the web application scanner during User-Agent manipulation are provided in the Results section.
Consequence:
The web application should apply consistent security measures irrespective of the browser platform, type or version used to access the application. If the web application fails to apply security controls to alternate representations of the site, it may be exposed to vulnerabilities like cross-site scripting, SQL injection or authorization-based attacks.
Solution:
No specific vulnerability has been discovered that requires action to be taken. These links are provided to ensure that a review of the web application includes all possible access points.
Result:
Unique content discovered during User-Agent manipulation and common mobile-device-specific subdomain and path manipulation:
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5 -> http://www.example.com/
User-Agent: Opera/9.80 (IPhone; Opera Mini/5.0.019802/886; U; en) Presto/2.4.15 -> http://www.example.com/
User-Agent: BlackBerry9700/5.0.0.405 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/102 -> http://www.example.com/
Title: List of Web Directories
Severity: LOW   Status: FAIL (Automatic Failure: direct access to database detected; see Part 3a)
IP: 127.0.0.1   Port: 80   Protocol: tcp
Category: Informational   Subcategory: Web server
Internal ID: 86672
CVSS Base Score: 0   CVSS Temporal Score: 0
Diagnosis:
Based largely on the HTTP reply code, the following directories are most likely present on the host.
Result:
Directory               Source
/cgi-bin/               brute force
/images/                brute force
/login/                 brute force
/phpmyadmin/            brute force
/cart/                  brute force
/search/                brute force
/Cart/                  brute force
/content/               brute force
/conf/                  brute force
/Content/               brute force
/www/                   brute force
/installer/             brute force
/content                brute force
/Content                brute force
/plugins/               brute force
/cache/                 web page
/www/                   web page
/www/themes/            web page
/www/themes/original/   web page
Title: Host Names Found
Severity: LOW   Status: PASS
IP: 127.0.0.1
Category: Informational   Subcategory: Information gathering
Internal ID: 45039
CVSS Base Score: 0   CVSS Temporal Score: 0
Diagnosis:
The following host names were discovered for this computer using various methods such as DNS lookup, NetBIOS query and SQL server name query.
Consequence: N/A
Solution: N/A
Result:
Host Name           Source
www.example.com     FQDN
Title: ICMP Replies Received
Severity: LOW   Status: PASS
IP: 127.0.0.1
Category: Informational   Subcategory: TCP/IP
Internal ID: 82040
CVSS Base Score: 0   CVSS Temporal Score: 0
Diagnosis:
ICMP (Internet Control Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the interconnectivity and accessibility of other gateways or hosts. We have sent the following types of packets to trigger the host to send us ICMP replies:
- Echo Request (to trigger Echo Reply)
- Timestamp Request (to trigger Timestamp Reply)
- Address Mask Request (to trigger Address Mask Reply)
- UDP Packet (to trigger Port Unreachable Reply)
- IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)
Listed in the "Result" section are the ICMP replies that we have received.
Result:
ICMP Reply Type                Triggered By             Additional Information
Echo (type=0 code=0)           Echo Request             Echo Reply
Unreachable (type=3 code=3)    UDP Port 1027            Port Unreachable
Unreachable (type=3 code=3)    UDP Port 4781            Port Unreachable
Unreachable (type=3 code=3)    UDP Port 1                Port Unreachable
Unreachable (type=3 code=3)    UDP Port 51413           Port Unreachable
Unreachable (type=3 code=3)    UDP Port 20001           Port Unreachable
Unreachable (type=3 code=3)    UDP Port 7301            Port Unreachable
Unreachable (type=3 code=3)    UDP Port 31335           Port Unreachable
Time Stamp (type=14 code=0)    Time Stamp Request       08:08:58 GMT
Unreachable (type=3 code=3)    UDP Port 1031            Port Unreachable
Unreachable (type=3 code=3)    UDP Port 53001           Port Unreachable
Unreachable (type=3 code=3)    UDP Port 1028            Port Unreachable
Unreachable (type=3 code=2)    IP with High Protocol    Protocol Unreachable
Title: Open TCP Services List
Severity: LOW   Status: PASS
IP: 127.0.0.1
Category: Service   Subcategory: TCP/IP
Internal ID: 82023
CVSS Base Score: 0   CVSS Temporal Score: 0
Diagnosis:
The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections.
The Results section displays the port number (Port), the default service listening on the port (IANA Assigned Ports/Services), the description of the service (Description) and the service that the scanner detected using service discovery (Service Detected).
Consequence:
Unauthorized users can exploit this information to test for vulnerabilities in each of the open services.
Solution:
Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site [11].
Result:
Port   IANA Assigned Ports/Services   Description                    Service Detected   OS On Redirected Port
21     ftp                            File Transfer [Control]        unknown
22     ssh                            SSH Remote Login Protocol      ssh
80     www                            World Wide Web HTTP            http
443    https                          http protocol over TLS/SSL     http over ssl

[11] http://www.cert.org
Title: Open UDP Services List
Severity: LOW   Status: PASS
IP: 127.0.0.1
Category: Service   Subcategory: TCP/IP
Internal ID: 82004
CVSS Base Score: 0   CVSS Temporal Score: 0
Diagnosis:
A port scanner was used to draw a map of all the UDP services on this host that can be accessed from the Internet.
Note that if the host is behind a firewall, there is a small chance that the list includes a few ports that are filtered or blocked by the firewall but are not actually open on the target host. This (a false positive on UDP open ports) may happen when the firewall is configured to reject UDP packets for most (but not all) ports with an ICMP Port Unreachable packet. It may also happen when the firewall is configured to allow UDP packets for most (but not all) ports through and to filter/block/drop UDP packets for only a few ports. Both cases are uncommon.
Consequence:
Unauthorized users can exploit this information to test for vulnerabilities in each of the open services.
Solution:
Shut down any unknown or unused service on the list. If you have difficulty working out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site [12].
Result:
Port   IANA Assigned Ports/Services   Description               Service Detected
123    ntp                            Network Time Protocol     ntp

[12] http://www.cert.org
Title: SSH Banner
Severity: LOW   Status: PASS
IP: 127.0.0.1   Port: 22   Protocol: tcp
Category: Service   Subcategory: General remote services
Internal ID: 38050
CVSS Base Score: 0   CVSS Temporal Score: 0
Diagnosis: N/A
Consequence: N/A
Solution: N/A
Title: Web Server Version
Severity: LOW   Status: PASS
IP: 127.0.0.1   Port: 80   Protocol: tcp
Category: Service   Subcategory: Web server
Internal ID: 86000
CVSS Base Score: 0   CVSS Temporal Score: 0
Diagnosis: N/A
Consequence: N/A
Solution: N/A
Result:
Server Version: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e
Server Banner:  Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e