Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test 1
Number of security holes found 4
Number of security warnings found 4


Host List
Host(s) Possible Issue
127.0.0.1 Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
127.0.0.1 ssh (22/tcp) Security hole found
127.0.0.1 netviewdm1 (729/tcp) No Information
127.0.0.1 cap (1026/tcp) No Information
127.0.0.1 esl-lm (1455/tcp) Security notes found
127.0.0.1 x11 (6000/tcp) Security notes found
127.0.0.1 ntp (123/udp) Security notes found
127.0.0.1 general/tcp Security warning(s) found
127.0.0.1 xdmcp (177/udp) Security warning(s) found
127.0.0.1 general/udp Security notes found


Security Issues and Fixes: 127.0.0.1
Type Port Issue and Fix
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.1.

Versions prior to 3.1 are vulnerable to an off-by-one error
that allows local users to gain root access, and it may be
possible for remote users to similarly compromise the daemon
for remote access.

In addition, a vulnerable SSH client may be compromised by
connecting to a malicious SSH daemon that exploits this
vulnerability in the client code, thus compromising the
client system.

Solution : Upgrade to OpenSSH 3.1 or apply the patch for
prior versions. (See: http://www.openssh.org)

Risk factor : High
CVE : CVE-2002-0083
BID : 4241
Nessus ID : 10883
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.4

There is a flaw in this version that can be exploited remotely to
give an attacker a shell on this host.

Note that several distributions patched this hole without changing
the version number of OpenSSH. Since Nessus relies solely on the
banner of the remote SSH server to perform this check, this might
be a false positive.

If you are running a RedHat host, make sure that the command :
rpm -q openssh-server

Returns :
openssh-server-3.1p1-6

Solution : Upgrade to OpenSSH 3.4 or contact your vendor for a patch
Risk factor : High
CVE : CVE-2002-0639, CVE-2002-0640, CAN-2002-0639, CAN-2002-0640
BID : 5093
Nessus ID : 11031
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH older than OpenSSH 3.2.1

A buffer overflow exists in the daemon if AFS is enabled on
your system, or if the options KerberosTgtPassing or
AFSTokenPassing are enabled. Even in this scenario, the
vulnerability may be avoided by enabling UsePrivilegeSeparation.

Versions prior to 2.9.9 are vulnerable to a remote root
exploit. Versions prior to 3.2.1 are vulnerable to a local
root exploit.

Solution :
Upgrade to the latest version of OpenSSH

Risk factor : High
CVE : CVE-2002-0575
BID : 4560
Nessus ID : 10954
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.7.1

Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.

An exploit for this issue is rumored to exist.

Note that several distributions patched this hole without changing
the version number of OpenSSH. Since Nessus relies solely on the
banner of the remote SSH server to perform this check, this might
be a false positive.

If you are running a RedHat host, make sure that the command :
rpm -q openssh-server

Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)

Solution : Upgrade to OpenSSH 3.7.1
See also : http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279-02, SuSE:SUSE-SA:2003:039
Nessus ID : 11837
Warning ssh (22/tcp)
You are running OpenSSH-portable 3.6.1p1 or older.

If PAM support is enabled, an attacker may use a flaw in this version
to determine the existence of a given login name by comparing the time
the remote sshd daemon takes to refuse a bad password for a non-existent
login with the time it takes to refuse a bad password for a
valid login.

An attacker may use this flaw to set up a brute force attack against
the remote host.

*** Nessus did not check whether the remote SSH daemon is actually
*** using PAM or not, so this might be a false positive

Solution : Upgrade to OpenSSH-portable 3.6.1p2 or newer
Risk Factor : Low
CVE : CAN-2003-0190
BID : 7482, 7467, 7342
Other references : RHSA:RHSA-2003:222-01
Nessus ID : 11574
Warning ssh (22/tcp)
You are running OpenSSH-portable 3.6.1 or older.

There is a flaw in this version which may allow an attacker to
bypass the access controls set by the administrator of this server.

OpenSSH features a mechanism which can restrict the list of
hosts a given user can log in from by specifying a pattern
in the user key file (i.e. *.mynetwork.com would let a user
connect only from the local network).

However there is a flaw in the way OpenSSH does reverse DNS lookups.
If an attacker configures his DNS server to send a numeric IP address
when a reverse lookup is performed, he may be able to circumvent
this mechanism.

Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk Factor : Low
CVE : CAN-2003-0386
BID : 7831
Nessus ID : 11712
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-2.0-OpenSSH_3.0.2p1
Nessus ID : 10267
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.99
. 2.0

Nessus ID : 10881
Informational esl-lm (1455/tcp) The service closed the connection after 0 seconds without sending any data
It might be protected by some TCP wrapper

Nessus ID : 10330
Informational x11 (6000/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
The Thing

Unless you know for sure what is behind it, you'd better
check your system

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Informational ntp (123/udp) It is possible to determine a lot of information about the remote host
by querying the NTP (Network Time Protocol) variables - these include
the OS descriptor and time settings.

It was possible to gather the following information from the remote NTP host :

system='IRIX', leap=3, stratum=16, rootdelay=0.00, rootdispersion=0.00,
peer=0, refid=0.0.0.0, reftime=0x00000000.00000000, poll=4,
clock=0xc45914e2.14d8d000, phase=0.000, freq=0.00, error=0.00

Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore

Risk factor : Low
Nessus ID : 10884
Warning general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:

1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.

2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.

3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.

Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201
Informational general/tcp 127.0.0.1 resolves as pi.win.tue.nl.
Nessus ID : 12053
Warning xdmcp (177/udp)
The remote host is running XDMCP.

This protocol is used to provide X display connections for
X terminals. XDMCP is completely insecure, since the traffic and
passwords are not encrypted.

An attacker may use this flaw to capture all the keystrokes of
the users using this host through their X terminal, including
passwords.

Risk factor : Medium
Solution : Disable XDMCP
Nessus ID : 10891
Informational general/udp For your information, here is the traceroute to 127.0.0.1 :
127.0.0.1

Nessus ID : 10287

This file was generated by Nessus, the open-sourced security scanner.