Network Vulnerability Assessment Report
16.10.2006
Sorted by host names

Session name: Orient-wr514r
Start Time: 16.10.2006 20:06:25
Finish Time: 16.10.2006 20:15:22
Elapsed: 0 day(s) 00:08:56
Total records generated: 14
High severity: 0
Medium severity: 1
Informational: 13


Summary of scanned hosts

Host        Holes  Warnings  Open ports  State
10.0.0.99   0      1         3           Finished


10.0.0.99

Service / Severity / Description
www (80/tcp)
Info
Port is open
domain (53/udp)
Info
Port is open
domain (53/tcp)
Info
Port is open
domain (53/udp)
Medium

Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.


Description :

It is possible to query the remote name server for third party names.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using BIND 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf.

If you are using BIND 9, you can define a grouping of internal addresses
using the 'acl' command.

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678
www (80/tcp)
Info
A web server is running on this port
domain (53/udp)
Info

Synopsis :

Remote DNS server is vulnerable to Cache Snooping attacks.

Description :

The remote DNS server answers queries for third-party domains which do
not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.

For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model regarding
company usage of aforementioned financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
domain (53/udp)
Info

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
domain (53/tcp)
Info

Synopsis :

It is possible to obtain the version number of the remote DNS server.

Description :

The remote host is running BIND, an open-source DNS server. It is possible
to extract the version number of the remote installation by sending
a special DNS request for the text 'version.bind' in the domain 'chaos'.

Solution :

It is possible to hide the version number of BIND by using the 'version'
directive in the 'options' section of named.conf.

Risk factor :

None

Plugin output:

The version of the remote BIND server is : hidden
general/tcp
Info
Nessus was not able to reliably identify the remote operating system. It might be:
NetGear Router
VMWare ESX Server 2.5
The fingerprint differs from these known signatures on 1 points.
If you know what operating system this host is running, please send this signature to
os-signatures@nessus.org :
:1:1:0:255:1:255:1:0:255:1:0:255:1:>64:255:0:1:1:2:1:1:1:1:0:64:5440:MSTNW:0:1:1
($Revision: 1.132 $)
www (80/tcp)
Info
The remote web server type is :

GoAhead-Webs


www (80/tcp)
Info

Synopsis :

The remote web server itself is prone to cross-site scripting attacks.

Description :

The remote host is running a web server that fails to adequately
sanitize request strings of JavaScript. By exploiting this flaw, an
attacker may be able to cause arbitrary HTML and script code to be
executed in a user's browser within the security context of the affected
site.

Solution :

Contact the vendor for a patch or upgrade.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :

The request string used to detect this flaw was:

/<script>cross_site_scripting.nasl</script>

CVE : CVE-2002-1060, CVE-2005-2453, CVE-2006-1681
BID : 5305, 7344, 7353, 8037, 14473, 17408
domain (53/udp)
Info
The remote name server could be fingerprinted as being : ISC BIND 9.3.0

general/icmp
Info

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers ICMP timestamp requests. This allows an attacker
to learn the date and time set on your machine.

This may help him to defeat your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

The difference between the local and remote clock is 57502 seconds

CVE : CVE-1999-0524
domain (53/tcp)
Info
An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
ADM worm
Lion

Unless you know for sure what is behind it, you'd better
check your system.

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low