Vulnerability Report 2
FGX-201407-099 2
Audited on August 28, 2014
Reported on August 28, 2014
Page 1
Audit Report
1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of
your network. Access to this information by unauthorized personnel may allow them to compromise your network.
Site Name: FGX099 Science
Start Time: August 28, 2014 09:10 GMT
End Time: August 28, 2014 09:36 GMT
Total Time: 25 minutes
Status: Success
There is not enough historical data to display overall asset trend.
The audit was performed on one system which was found to be active and was scanned.
There were 40 vulnerabilities found during this scan. Of these, 6 were critical vulnerabilities. Critical vulnerabilities require immediate
attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 28
vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.
There were 6 moderate vulnerabilities discovered. These often provide information to attackers that may assist them in mounting
subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.
There were 5 occurrences of the ssl-weak-ciphers vulnerability, making it the most common vulnerability. There were 17 vulnerabilities
in the Denial of Service, HTTP and PHP categories, making them the most common vulnerability categories.
The imap-plaintext-auth, ftp-plaintext-auth, smtp-plaintext-auth and pop-plaintext-auth vulnerabilities pose the highest risk to the
organization with a risk score of 853. Risk scores are based on the types and numbers of vulnerabilities on affected assets.
One operating system was identified during this scan.
There were 15 services found to be running during this scan.
The DNS, DNS-TCP, FTP, HTTP, HTTPS, IMAP, IMAPS and MySQL services were each found on 1 system, making them the most common services. The HTTPS service was found to have the most vulnerabilities during this scan, with 25 vulnerabilities.
2. Discovered Systems
Node: 192.169.82.178
Operating System: Linux 2.6.18
Risk: 14,247
Aliases: server.sciencesuppliesdirect.com
3. Discovered and Potential Vulnerabilities
3.1. Critical Vulnerabilities
3.1.1. CVE-2012-1667: Handling of zero length rdata can cause named to terminate unexpectedly (dns-bind-cve-2012-1667)
Description:
ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not
properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service
(daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record.
Affected Nodes:
Node: 192.169.82.178:53
Additional Information: Running DNS service; Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6; Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
APPLE APPLE-SA-2012-09-19-2
CVE CVE-2012-1667
REDHAT RHSA-2012:1110
SECUNIA 51096
URL https://kb.isc.org/article/AA-00698/74/CVE-2012-1667%3A-Handling-of-zero-length-rdata-can-cause-named-to-terminate-unexpectedly.html
Vulnerability Solution:
Upgrade to ISC BIND version 9.6-ESV-R7-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R7-P1/bind-9.6-ESV-R7-P1.tar.gz
Upgrade to ISC BIND version 9.6-ESV-R7-P1. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.7.6-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.6-P1/bind-9.7.6-P1.tar.gz
Upgrade to ISC BIND version 9.7.6-P1. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.8.3-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.8.3-P1/bind-9.8.3-P1.tar.gz
Upgrade to ISC BIND version 9.8.3-P1. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.9.1-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.9.1-P1/bind-9.9.1-P1.tar.gz
Upgrade to ISC BIND version 9.9.1-P1. The source code and binaries for this release can be downloaded from the BIND website.
3.1.2. Obsolete ISC BIND installation (dns-bind-obsolete)
Description:
ISC BIND versions before 9.8 are considered obsolete. ISC will not fix security bugs in these versions (even critical ones).
It is strongly recommended that you upgrade your BIND installation to a supported version.
Affected Nodes:
Node: 192.169.82.178:53
Additional Information: Running DNS service; Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6; Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
URL https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
URL https://www.isc.org/software/bind
Vulnerability Solution:
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.10.1b2/bind-9.10.1b2.tar.gz
The latest version of BIND is version 9.10.1b2.
3.1.3. CVE-2012-4244: A specially crafted Resource Record could cause named to terminate (dns-bind-cve-2012-4244)
Description:
ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows
remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record.
Affected Nodes:
Node: 192.169.82.178:53
Additional Information: Running DNS service; Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6; Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
APPLE APPLE-SA-2013-09-12-1
CVE CVE-2012-4244
DEBIAN DSA-2547
REDHAT RHSA-2012:1266
REDHAT RHSA-2012:1267
REDHAT RHSA-2012:1268
REDHAT RHSA-2012:1365
SECUNIA 50560
SECUNIA 50579
SECUNIA 50582
SECUNIA 50645
SECUNIA 50673
SECUNIA 51096
URL https://kb.isc.org/article/AA-00778/74/CVE-2012-4244%3A-A-specially-crafted-Resource-Record-could-cause-named-to-terminate.html
Vulnerability Solution:
Upgrade to ISC BIND version 9.6-ESV-R7-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R7-P3/bind-9.6-ESV-R7-P3.tar.gz
Upgrade to ISC BIND version 9.6-ESV-R7-P3. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.6-ESV-R8
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R8/bind-9.6-ESV-R8.tar.gz
Upgrade to ISC BIND version 9.6-ESV-R8. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.7.6-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.6-P3/bind-9.7.6-P3.tar.gz
Upgrade to ISC BIND version 9.7.6-P3. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.7.7
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.7/bind-9.7.7.tar.gz
Upgrade to ISC BIND version 9.7.7. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.8.3-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.8.3-P3/bind-9.8.3-P3.tar.gz
Upgrade to ISC BIND version 9.8.3-P3. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.8.4
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.8.4/bind-9.8.4.tar.gz
Upgrade to ISC BIND version 9.8.4. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.9.1-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.9.1-P3/bind-9.9.1-P3.tar.gz
Upgrade to ISC BIND version 9.9.1-P3. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.9.2
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.9.2/bind-9.9.2.tar.gz
Upgrade to ISC BIND version 9.9.2. The source code and binaries for this release can be downloaded from the BIND website.
3.1.4. CVE-2012-5166: Specially crafted DNS data can cause a lockup in named (dns-bind-cve-2012-5166)
Description:
ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows
remote attackers to cause a denial of service (named daemon hang) via unspecified combinations of resource records.
Affected Nodes:
Node: 192.169.82.178:53
Additional Information: Running DNS service; Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6; Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
APPLE APPLE-SA-2013-09-12-1
BID 55852
CVE CVE-2012-5166
DEBIAN DSA-2560
OSVDB 86118
OVAL OVAL19706
REDHAT RHSA-2012:1363
REDHAT RHSA-2012:1364
REDHAT RHSA-2012:1365
SECUNIA 50903
SECUNIA 50909
SECUNIA 50956
SECUNIA 51054
SECUNIA 51078
SECUNIA 51096
SECUNIA 51106
SECUNIA 51178
URL https://kb.isc.org/article/AA-00801/74/CVE-2012-5166%3A-Specially-crafted-DNS-data-can-cause-a-lockup-in-named.html
Vulnerability Solution:
Upgrade to ISC BIND version 9.6-ESV-R7-P4
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R7-P4/bind-9.6-ESV-R7-P4.tar.gz
Upgrade to ISC BIND version 9.6-ESV-R7-P4. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.6-ESV-R8
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R8/bind-9.6-ESV-R8.tar.gz
Upgrade to ISC BIND version 9.6-ESV-R8. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.7.6-P4
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.6-P4/bind-9.7.6-P4.tar.gz
Upgrade to ISC BIND version 9.7.6-P4. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.7.7
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.7/bind-9.7.7.tar.gz
Upgrade to ISC BIND version 9.7.7. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.8.3-P4
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.8.3-P4/bind-9.8.3-P4.tar.gz
Upgrade to ISC BIND version 9.8.3-P4. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.8.4
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.8.4/bind-9.8.4.tar.gz
Upgrade to ISC BIND version 9.8.4. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.9.1-P4
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.9.1-P4/bind-9.9.1-P4.tar.gz
Upgrade to ISC BIND version 9.9.1-P4. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.9.2
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.9.2/bind-9.9.2.tar.gz
Upgrade to ISC BIND version 9.9.2. The source code and binaries for this release can be downloaded from the BIND website.
3.1.5. OpenSSH X11 Cookie Local Authentication Bypass Vulnerability (openssh-x11-cookie-auth-bypass)
Description:
ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie
instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
Affected Nodes:
Node: 192.169.82.178:22
Additional Information: OpenBSD OpenSSH 4.3 on Linux 2.6.18
References:
Source Reference
APPLE APPLE-SA-2008-03-18
BID 25628
CVE CVE-2007-4752
DEBIAN DSA-1576
DISA_SEVERITY Category II
DISA_VMSKEY V0017144
IAVM 2008-T-0046
OVAL OVAL10809
OVAL OVAL5599
REDHAT RHSA-2008:0855
SECUNIA 27399
SECUNIA 29420
SECUNIA 30249
SECUNIA 31575
SECUNIA 32241
XF 36637
Vulnerability Solution:
OpenBSD OpenSSH < 4.7
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution; we therefore recommend that you use the packages if they are available for your operating system.
3.1.6. PHP Vulnerability: CVE-2014-3515 (php-cve-2014-3515)
Description:
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array
data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a
Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
Affected Nodes:
Node: 192.169.82.178:443
Additional Information: Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-3515
SECUNIA 59794
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/
3.2. Severe Vulnerabilities
3.2.1. FTP credentials transmitted unencrypted (ftp-plaintext-auth)
Description:
The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to
intercept traffic between a client and this server, the credentials would be exposed.
Affected Nodes:
Node: 192.169.82.178:21
Additional Information: Running FTP service; Configuration item ftp.plaintext.authentication set to 'true' matched
References:
None
Vulnerability Solution:
Disable plaintext authentication methods or enable encryption for the FTP service. Refer to the software's documentation for specific
instructions.
3.2.2. IMAP credentials transmitted unencrypted (imap-plaintext-auth)
Description:
The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker were to
intercept traffic between a client and this server, the credentials would be exposed.
Affected Nodes:
Node: 192.169.82.178:143
Additional Information: Running IMAP service; Configuration item imap.plaintext.authentication set to 'true' matched
References:
None
Vulnerability Solution:
Follow the product-specific documentation to disable plaintext authentication methods for the IMAP service.
3.2.3. PHP Vulnerability: CVE-2011-4718 (php-cve-2011-4718)
Description:
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by
specifying a session ID.
Affected Nodes:
Node: 192.169.82.178:443
Additional Information: Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2011-4718
Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/
3.2.4. PHP Vulnerability: CVE-2014-0185 (php-cve-2014-0185)
Description:
sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions
for the UNIX socket, which allows local users to gain privileges via a crafted FastCGI client.
Affected Nodes:
Node: 192.169.82.178:443
Additional Information: Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-0185
Vulnerability Solution:
Upgrade to PHP version 5.4.28
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.12
Download and apply the upgrade from: http://www.php.net/releases/
3.2.5. POP credentials transmitted unencrypted (pop-plaintext-auth)
Description:
The server supports authentication methods where credentials are sent in plaintext over unencrypted channels. If an attacker can
intercept traffic between a client and this server, the credentials would be exposed.
Affected Nodes:
Node: 192.169.82.178:110
Additional Information: Running POP service; Configuration item pop.plaintext.authentication set to 'true' matched
References:
None
Vulnerability Solution:
Follow the product-specific documentation to disable plaintext authentication methods for the POP service.
3.2.6. SMTP credentials transmitted unencrypted (smtp-plaintext-auth)
Description:
The server supports authentication methods where credentials are sent in plaintext over unencrypted channels. If an attacker can
intercept traffic between a client and this server, the credentials would be exposed.
Affected Nodes:
Node: 192.169.82.178:25
Additional Information: Running SMTP service; Configuration item smtp.plaintext.authentication set to 'true' matched
Node: 192.169.82.178:587
Additional Information: Running SMTP service; Configuration item smtp.plaintext.authentication set to 'true' matched
References:
None
Vulnerability Solution:
Follow the product-specific documentation to disable plaintext authentication methods for the SMTP service.
3.2.7. OpenSSH X11 Forwarding Information Disclosure Vulnerability (ssh-openssh-x11-forwarding-info-disclosure)
Description:
OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to
:10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a
cookie sent by Emacs.
Affected Nodes:
Node: 192.169.82.178:22
Additional Information: OpenBSD OpenSSH 4.3 on Linux 2.6.18
References:
Source Reference
APPLE APPLE-SA-2008-09-15
BID 28444
CERT TA08-260A
CVE CVE-2008-1483
DEBIAN DSA-1576
NETBSD NetBSD-SA2008-005
OVAL OVAL6085
SECUNIA 29522
SECUNIA 29537
SECUNIA 29554
SECUNIA 29626
SECUNIA 29676
SECUNIA 29683
SECUNIA 29686
SECUNIA 29721
SECUNIA 29735
SECUNIA 29873
SECUNIA 29939
SECUNIA 30086
SECUNIA 30230
SECUNIA 30249
SECUNIA 30347
SECUNIA 30361
SECUNIA 31531
SECUNIA 31882
XF 41438
Vulnerability Solution:
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
The latest version of OpenSSH is 6.6.
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH. These pre-built packages are usually customized and optimized for a particular distribution; we therefore recommend that you use the packages if they are available for your operating system.
3.2.8. CVE-2010-3614: Key algorithm rollover bug in bind9 (dns-bind-cve-2010-3614)
Description:
named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not
properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to
cause a denial of service (DNSSEC validation error) by triggering a rollover.
Affected Nodes:
Node: 192.169.82.178:53
Additional Information: Running DNS service; Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6; Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
APPLE APPLE-SA-2011-10-12-3
BID 45137
CERT-VN 837744
CVE CVE-2010-3614
DEBIAN DSA-2130
OSVDB 69559
REDHAT RHSA-2010:0975
REDHAT RHSA-2010:0976
SECUNIA 42435
SECUNIA 42459
SECUNIA 42522
SECUNIA 42671
URL https://kb.isc.org/article/AA-00936/187/CVE-2010-3614%3A-Key-algorithm-rollover-bug-in-bind9.html
Vulnerability Solution:
Upgrade to ISC BIND version 9.4-ESV-R4
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.4-ESV-R4/bind-9.4-ESV-R4.tar.gz
Upgrade to ISC BIND version 9.4-ESV-R4. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.6.2-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6.2-P3/bind-9.6.2-P3.tar.gz
Upgrade to ISC BIND version 9.6.2-P3. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.6-ESV-R3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R3/bind-9.6-ESV-R3.tar.gz
Upgrade to ISC BIND version 9.6-ESV-R3. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.7.2-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz
Upgrade to ISC BIND version 9.7.2-P3. The source code and binaries for this release can be downloaded from the BIND website.
3.2.9. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)
Description:
The TLS/SSL server supports cipher suites based on weak algorithms. This may enable an attacker to launch man-in-the-middle attacks and monitor or tamper with sensitive data. In general, the following ciphers are considered weak:
So-called "null" ciphers, which do not encrypt data.
Export ciphers using secret key lengths restricted to 40 bits. This is usually indicated by the word EXP/EXPORT in the name of the cipher suite.
Obsolete encryption algorithms with secret key lengths considered short by today's standards, e.g. DES or RC4 with 56-bit keys.
Affected Nodes:
Node: 192.169.82.178:443
Additional Information: Negotiated with the following insecure cipher suites. SSLv3 ciphers: SSL_RSA_WITH_RC4_128_SHA
Node: 192.169.82.178:2078
Additional Information: Negotiated with the following insecure cipher suites. SSLv3 ciphers: SSL_RSA_WITH_RC4_128_SHA
Node: 192.169.82.178:2083
Additional Information: Negotiated with the following insecure cipher suites. SSLv2 ciphers: SSL_CK_RC4_128_WITH_MD5, SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5, SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5. SSLv3 ciphers: SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Node: 192.169.82.178:2087
Additional Information: Negotiated with the following insecure cipher suites. SSLv2 ciphers: SSL_CK_RC4_128_WITH_MD5, SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5, SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5. SSLv3 ciphers: SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
Node: 192.169.82.178:2096
Additional Information: Negotiated with the following insecure cipher suites. SSLv2 ciphers: SSL_CK_RC4_128_WITH_MD5, SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_RC2_128_CBC_WITH_MD5, SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5. SSLv3 ciphers: SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
References:
None
Vulnerability Solution:
Configure the server to disable support for weak ciphers.
For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on disabling weak ciphers.
For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Note that this cipher string still permits RC4 suites such as SSL_RSA_WITH_RC4_128_SHA, which this finding itself reports as insecure; exclude RC4 as well (for example by adding !RC4).
For other servers, refer to the respective vendor documentation to disable the weak ciphers.
3.2.10. TLS/SSL Server Supports SSLv2 (sslv2-and-up-enabled)
Description:
Although the server accepts clients using TLS or SSLv3, it also accepts clients using SSLv2. SSLv2 is an older implementation of the Secure Sockets Layer protocol. It suffers from a number of security flaws allowing attackers to capture and alter information passed between a client and the server, including the following weaknesses:
No protection against man-in-the-middle attacks during the handshake.
Weak MAC construction and MAC relying solely on the MD5 hash function.
Exportable cipher suites unnecessarily weaken the MACs.
Same cryptographic keys used for message authentication and encryption.
Vulnerable to truncation attacks by forged TCP FIN packets.
SSLv2 has been deprecated and is no longer recommended. Note that neither SSLv2 nor SSLv3 meets the U.S. FIPS 140-2 standard, which governs cryptographic modules for use in federal information systems. Only the newer TLS (Transport Layer Security) protocol meets FIPS 140-2 requirements. In addition, the presence of an SSLv2-only service on a host is deemed a failure by the PCI (Payment Card Industry) Data Security Standard.
Note that this vulnerability will be reported when the remote server supports SSLv2 regardless of whether TLS or SSLv3 are also supported.
Affected Nodes:
Node: 192.169.82.178:2083
Additional Information: SSLv2 is supported
Node: 192.169.82.178:2087
Additional Information: SSLv2 is supported
Node: 192.169.82.178:2096
Additional Information: SSLv2 is supported
References:
Source Reference
URL http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm
URL https://www.pcisecuritystandards.org/pdfs/pcissc_assessors_nl_2008-11.pdf
Vulnerability Solution:
Apache HTTPD
Disable SSLv2 protocol support in Apache HTTPD
For Apache web servers with mod_ssl, edit the Apache configuration file and change the SSLCipherSuite line to read:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
The ! (exclamation point) before SSLv2 is what disables this protocol.
Windows
Disable SSLv2 protocol support in Microsoft Windows
Configure the server to require clients to use at least SSLv3 or TLS.
For Microsoft Windows before Windows 2003, see KB187498. For newer versions of Microsoft Windows, see KB245030.
3.2.11. Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)
Description:
The server's TLS/SSL certificate is signed by a Certification Authority (CA) that is not a well-known, trusted one. It could indicate that a
TLS/SSL man-in-the-middle is taking place and is eavesdropping on TLS/SSL connections.
Affected Nodes:
Node: 192.169.82.178:25
Additional Information: TLS/SSL certificate signed by unknown, untrusted CA: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US -- Path does not chain with any of the trust anchors.
The list of well-known, trusted CAs is: [list of trust-anchor distinguished names omitted]
Certification Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use
only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=USCN=America Online
Root Certification Authority 1,O=America Online Inc.,C=USOU=VeriSign Trust
Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=Class 2
Public Primary Certification Authority - G2,O=VeriSign\, Inc.,C=US
CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. -
For authorized use only,O=GeoTrust Inc.,C=USCN=GeoTrust Primary
Certification Authority - G2,OU=(c) 2007 GeoTrust Inc. - For authorized use
only,O=GeoTrust Inc.,C=USCN=SwissSign Gold CA - G2,O=SwissSign
AG,C=CHCN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net
Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.),O=Entrust.netCN=GTE CyberTrust Root 5,OU=GTE CyberTrust
Page 21
Audit Report
Affected Nodes: Additional Information:
Solutions\, Inc.,O=GTE Corporation,C=USCN=Global Chambersign Root -
2008,O=AC Camerfirma S.A.,2.5.4.5=#1309413832373433323837,L=Madrid
(see current address at www.camerfirma.com/address),C=EUCN=Chambers of
Commerce Root - 2008,O=AC Camerfirma
S.A.,2.5.4.5=#1309413832373433323837,L=Madrid (see current address at
www.camerfirma.com/address),C=EUCN=Entrust.net Secure Server
Certification Authority,OU=(c) 1999 Entrust.net
Limited,OU=www.entrust.net/CPS incorp. by ref. (limits
liab.),O=Entrust.net,C=USOU=Go Daddy Class 2 Certification Authority,O=The
Go Daddy Group\, Inc.,C=USCN=VeriSign Class 1 Public Primary Certification
Authority - G3,OU=(c) 1999 VeriSign\, Inc. - For authorized use
only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=USOU=Security
Communication EV RootCA1,O=SECOM Trust Systems CO.\,LTD.,C=JP
OU=VeriSign Trust Network,OU=(c) 1998 VeriSign\, Inc. - For authorized use
only,OU=Class 1 Public Primary Certification Authority - G2,O=VeriSign\,
Inc.,C=US
192.169.82.178:587 TLS/SSL certificate signed by unknown, untrusted CA: CN=thawte EV SSL CA -
G2, O="thawte, Inc.", C=US -- Path does not chain with any of the trust anchors.
The list of well-known, trusted CAs is: (identical to the trust-anchor list reproduced above for the preceding node)
References:
None
Vulnerability Solution:
Before obtaining a new certificate, check what the service on 192.169.82.178:587 actually sends. The issuer the scanner recorded, CN=thawte EV SSL CA - G2, is a Thawte-operated intermediate CA rather than a root, and the Thawte primary roots appear in the scanner's trust list above. When an issuer is a known intermediate and the path still "does not chain with any of the trust anchors", the usual cause is a server that presents only its leaf certificate without the intermediate; installing the issuer's intermediate certificate in the service's chain file resolves the finding without a new certificate. Only if the certificate really was issued by a CA outside the trust list should you obtain a new certificate signed by a trusted CA, such as Thawte or Verisign.
The exact instructions for obtaining a new certificate depend on your organization's requirements. Generally, you will need to generate a certificate request and save the request as a file. This file is then sent to a Certificate Authority (CA) for processing. After you have received a new certificate file from the Certificate Authority, you will have to install it on the TLS/SSL server, together with any intermediate certificates the CA supplies. The exact instructions for installing a certificate differ for each product. Follow their documentation.
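The chain failure reproduced offline, as an added example that is not part of the Nexpose report or Rapid7's checks: it builds a constructed root, intermediate and leaf with the openssl CLI (every name is hypothetical), shows that the leaf alone fails to verify against the root exactly as the scanner reported, and that offering the intermediate fixes it. It assumes only that the openssl command is installed; against the real host the equivalent observation is `openssl s_client -starttls smtp -connect 192.169.82.178:587 -showcerts`, which this example does not run.

```shell
#!/bin/sh
# Added example (not from the Nexpose report): reproduce "Path does not chain
# with any of the trust anchors" with a constructed root -> intermediate -> leaf
# PKI, then show that making the intermediate available fixes it.
# Requires the openssl CLI; every name below is hypothetical.
set -eu

PKI=${PKI:-$(mktemp -d)}

# Minimal config so the example does not depend on the system openssl.cnf.
# The [dn] entry is a placeholder; -subj overrides it for every certificate.
cat > "$PKI/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF

# build_pki: self-signed root (the trust anchor), an intermediate signed by the
# root (the role "thawte EV SSL CA - G2" plays in the finding), and a server
# leaf signed by the intermediate (what the :587 service would present).
build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$PKI/openssl.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA/O=Example/C=XX" \
    -keyout "$PKI/root.key" -out "$PKI/root.pem" >/dev/null 2>&1

  openssl req -newkey rsa:2048 -nodes -config "$PKI/openssl.cnf" \
    -subj "/CN=Example Issuing CA/O=Example/C=XX" \
    -keyout "$PKI/int.key" -out "$PKI/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$PKI/int.csr" -CA "$PKI/root.pem" -CAkey "$PKI/root.key" \
    -CAcreateserial -extfile "$PKI/openssl.cnf" -extensions v3_ca \
    -out "$PKI/int.pem" >/dev/null 2>&1

  openssl req -newkey rsa:2048 -nodes -config "$PKI/openssl.cnf" \
    -subj "/CN=mail.example.test/O=Example/C=XX" \
    -keyout "$PKI/leaf.key" -out "$PKI/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$PKI/leaf.csr" -CA "$PKI/int.pem" -CAkey "$PKI/int.key" \
    -CAcreateserial -extfile "$PKI/openssl.cnf" -extensions v3_leaf \
    -out "$PKI/leaf.pem" >/dev/null 2>&1
}

# leaf_verifies_alone: the scanner's view when the server sends only its leaf.
# Trust store = root only. Returns 0 if a path to the anchor is found, else 1.
leaf_verifies_alone() {
  openssl verify -CAfile "$PKI/root.pem" "$PKI/leaf.pem" >/dev/null 2>&1
}

# leaf_verifies_with_intermediate: same trust store, but the intermediate is
# offered as an untrusted chain certificate, as a correctly configured server does.
leaf_verifies_with_intermediate() {
  openssl verify -CAfile "$PKI/root.pem" -untrusted "$PKI/int.pem" "$PKI/leaf.pem" >/dev/null 2>&1
}

build_pki
if leaf_verifies_alone; then
  echo "leaf alone: chains to the trust anchor (unexpected)"
else
  echo "leaf alone: path does not chain with any of the trust anchors"
fi
if leaf_verifies_with_intermediate; then
  echo "leaf + intermediate: chain verified, no new certificate needed"
else
  echo "leaf + intermediate: still fails, the issuer is genuinely untrusted"
fi
```

The second outcome is the one to check for on the real service: if the chain verifies once the issuing CA's intermediate is added, the fix is a chain-file change on the SMTP submission service, not a certificate purchase.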
3.2.12. Database Open Access (database-open-access)
Description:
The database accepts connections from any remote system. Direct access should be limited to trusted systems, because databases hold sensitive data and new vulnerabilities and exploits are discovered for them routinely. For this reason it is a violation of PCI DSS section 1.3.7 to have a database listening on a port reachable from the Internet, even when it is protected by a strong authentication mechanism.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:3306 Running MySQL service
References:
Source Reference
URL https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
Vulnerability Solution:
Configure the database server to accept connections only from trusted systems: bind mysqld to a loopback or internal-zone address (bind-address in my.cnf) instead of all interfaces, filter TCP 3306 at the host and network firewall so that only application hosts can reach it, and restrict the host patterns of the accounts in mysql.user so that no login is valid from '%'. PCI DSS additionally requires the database to be placed in an internal network zone, segregated from the DMZ.
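Two offline checks for this finding, added here as an example and not taken from the report or from Rapid7: they read a my.cnf and a dump of the mysql.user host column, both constructed below, and report whether mysqld would accept TCP connections on every interface (the state the scanner saw on 192.169.82.178:3306) and which accounts are valid from any source host. The file paths and sample rows are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the Nexpose report): offline checks for the
# database-open-access finding on 192.169.82.178:3306. The config files and
# the mysql.user rows are constructed here; only the checks are reusable.
set -eu

# mysqld_bind_address FILE: print the bind-address a my.cnf sets in [mysqld]
# (last occurrence wins, as in mysqld). Prints "none" if skip-networking is
# set, and an empty string if no bind-address is configured, which makes
# mysqld listen on every interface.
mysqld_bind_address() {
  awk '
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\]/) }
    in_mysqld && /^[ \t]*bind[-_]address[ \t]*=/ {
      line = $0
      sub(/^[^=]*=[ \t]*/, "", line)
      sub(/[ \t]*(#.*)?$/, "", line)
      addr = line
    }
    in_mysqld && /^[ \t]*skip[-_]networking/ { skip = 1 }
    END { if (skip) addr = "none"; print addr }
  ' "$1"
}

# listens_on_all_interfaces FILE: true (0) when the server would accept TCP
# connections from any source address, the state the scanner reported.
listens_on_all_interfaces() {
  case "$(mysqld_bind_address "$1")" in
    ""|0.0.0.0|::|\*) return 0 ;;
    *) return 1 ;;
  esac
}

# wildcard_accounts FILE: FILE holds "user<TAB>host" rows, the output of
#   mysql -N -B -e "SELECT user, host FROM mysql.user"
# Prints accounts whose host pattern contains '%': the logins an outside
# attacker can attempt once the port is reachable.
wildcard_accounts() {
  awk -F'\t' 'index($2, "%") { print $1 "@" $2 }' "$1"
}

count_wildcard_accounts() {
  wildcard_accounts "$1" | awk 'END { print NR }'
}

WORK=$(mktemp -d)

# Constructed "before": no bind-address, so mysqld listens on all interfaces.
cat > "$WORK/weak.cnf" <<'EOF'
[mysqld]
port = 3306
datadir = /var/lib/mysql
EOF

# Constructed "after": loopback only; application hosts reach the database over
# a private address or a unix socket, and TCP 3306 is filtered at the firewall.
cat > "$WORK/hardened.cnf" <<'EOF'
[mysqld]
port = 3306
datadir = /var/lib/mysql
bind-address = 127.0.0.1   # not 0.0.0.0
EOF

# Constructed mysql.user listing (user<TAB>host).
printf 'root\tlocalhost\nroot\t%%\napp\t10.0.2.%%\nbackup\t10.0.2.15\n' > "$WORK/users.tsv"

for f in weak.cnf hardened.cnf; do
  if listens_on_all_interfaces "$WORK/$f"; then
    echo "$f: mysqld would listen on all interfaces (bind-address='$(mysqld_bind_address "$WORK/$f")')"
  else
    echo "$f: mysqld restricted to $(mysqld_bind_address "$WORK/$f")"
  fi
done
echo "accounts valid from any host:"
wildcard_accounts "$WORK/users.tsv"
```

Binding to loopback is the right default when the application runs on the same host; when it does not, bind to the internal-zone address and still firewall the port, since bind-address restricts the listener but not which remote networks can reach it.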
3.2.13. CVE-2011-4313: BIND 9 Resolver crashes after logging an error in query.c (dns-bind-cve-2011-4313)
Description:
query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0
through 9.8.1, and 9.9.0a1 through 9.9.0b1 allows remote attackers to cause a denial of service (assertion failure and named exit) via
unknown vectors related to recursive DNS queries, error logging, and the caching of an invalid record by the resolver.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:53 Running DNS service; Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6; Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
APPLE APPLE-SA-2012-09-19-2
BID 50690
CERT-VN 606539
CVE CVE-2011-4313
DEBIAN DSA-2347
OSVDB 77159
OVAL OVAL14343
REDHAT RHSA-2011:1458
REDHAT RHSA-2011:1459
REDHAT RHSA-2011:1496
SECUNIA 46536
SECUNIA 46829
SECUNIA 46887
SECUNIA 46890
SECUNIA 46905
SECUNIA 46906
SECUNIA 46943
SECUNIA 46984
SECUNIA 47043
SECUNIA 47075
URL https://kb.isc.org/article/AA-00544/74/CVE-2011-4313%3A-BIND-9-Resolver-crashes-after-logging-an-
error-in-query.c.html
XF 71332
Vulnerability Solution:
The detected package, BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6, is a Red Hat build, and Red Hat ships security fixes as backports that leave the upstream version number unchanged (the RHSA entries in the references above are such updates). Before treating this as an open issue, confirm from the installed package's changelog (rpm -q --changelog bind) whether the vendor build already carries the CVE-2011-4313 fix; matching on the version string alone cannot tell. If it does not, update the vendor package or apply one of the upstream fixes below.
Apply patch to mitigate BIND 9 resolver crash
Patches mitigating this issue are available at:
https://www.isc.org/software/bind/981-p1
https://www.isc.org/software/bind/974-p1
https://www.isc.org/software/bind/96-esv-r5-p1
https://www.isc.org/software/bind/94-esv-r5-p1
Upgrade to ISC BIND version 9.4-ESV-R5-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.4-ESV-R5-P1/bind-9.4-ESV-R5-P1.tar.gz (source code and binaries for this release are also available from the BIND website)
Upgrade to ISC BIND version 9.6-ESV-R5-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R5-P1/bind-9.6-ESV-R5-P1.tar.gz (source code and binaries for this release are also available from the BIND website)
Upgrade to ISC BIND version 9.7.4-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.4-P1/bind-9.7.4-P1.tar.gz (source code and binaries for this release are also available from the BIND website)
Upgrade to ISC BIND version 9.8.1-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.8.1-P1/bind-9.8.1-P1.tar.gz (source code and binaries for this release are also available from the BIND website)
3.2.14. PHP Vulnerability: CVE-2014-0237 (php-cve-2014-0237)
Description:
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote
attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-0237
URL http://www.php.net/ChangeLog-5.php
URL https://bugs.php.net/bug.php?id=67328
Vulnerability Solution:
Upgrade to PHP version 5.4.29
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.13
Download and apply the upgrade from: http://www.php.net/releases/
The detected PHP 5.3.28 is on the 5.3 branch, which reached end of life in August 2014 with 5.3.29 as its final release; this and the following PHP findings are therefore best closed by moving to a supported 5.4 or 5.5 release rather than by patching 5.3 in place.
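Triage logic for the version-matched findings, added here as an example that is not part of the Nexpose report; it serves 3.2.13 (the Red Hat BIND package) and the PHP findings starting at 3.2.14. `branch_fixed` applies an NVD-style range such as "before 5.4.29 and 5.5.x before 5.5.13" to a detected version, treating a branch with no fixed release (5.3 here) as unfixed; `backport_fixed` looks for a CVE in a vendor package changelog, which is the check that tells a Red Hat backport apart from a genuinely unpatched build. The changelog text is constructed for the example and says nothing about the scanned host's real patch state.

```shell
#!/bin/sh
# Added example (not from the Nexpose report): triage helpers for the
# version-matched findings in 3.2.13 (BIND) and 3.2.14 (PHP).
#  - branch_fixed applies an NVD range such as "before 5.4.29 and 5.5.x before
#    5.5.13" to a detected version; a branch with no fixed release (5.3 here)
#    counts as unfixed.
#  - backport_fixed looks for a CVE in a vendor package changelog, because
#    Red Hat backports fixes without changing the upstream version string.
# The changelog text below is constructed for this example; it is not real
# Red Hat output and says nothing about the scanned host's real patch state.
set -eu

# vercmp A B: prints -1, 0 or 1 for dotted numeric versions (missing parts = 0).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# branch_of V: the major.minor branch, e.g. 5.4.29 -> 5.4
branch_of() { printf '%s\n' "$1" | cut -d. -f1,2; }

# branch_fixed DETECTED FIXED...: 0 when DETECTED is at or above the fixed
# release of its own branch, 1 when it is below it or no fixed release exists
# for its branch at all.
branch_fixed() {
  detected=$1; shift
  db=$(branch_of "$detected")
  for fixed in "$@"; do
    if [ "$(branch_of "$fixed")" = "$db" ]; then
      [ "$(vercmp "$detected" "$fixed")" -ge 0 ] && return 0
      return 1
    fi
  done
  return 1
}

# backport_fixed CHANGELOG CVE: 0 if the changelog (rpm -q --changelog PKG)
# credits a fix for CVE, else 1. -w keeps CVE-2011-431 from matching CVE-2011-4313.
backport_fixed() { grep -qw -- "$2" "$1"; }

WORK=$(mktemp -d)
# Constructed changelog excerpt in rpm --changelog style (content invented).
cat > "$WORK/bind.changelog" <<'EOF'
* (constructed entry for this example)
- fix CVE-2011-4313 (named crash after logging an error in query.c)
- fix CVE-2010-3613 (cache allows ncache entry and rrsig for the same type)
EOF

for v in 5.3.28 5.4.30 5.5.12; do
  if branch_fixed "$v" 5.4.29 5.5.13; then
    echo "PHP $v: at or above the fixed release for its branch"
  else
    echo "PHP $v: below the fix (or on a branch with no fix), matches CVE-2014-0237"
  fi
done
for cve in CVE-2011-4313 CVE-2009-0696; do
  if backport_fixed "$WORK/bind.changelog" "$cve"; then
    echo "$cve: credited in the vendor changelog, version-string match only"
  else
    echo "$cve: not credited in the changelog, treat as open"
  fi
done
```

Run `rpm -q --changelog bind` (or the php package name) on the host and feed the output to `backport_fixed` for each CVE in the report; findings the changelog credits can be closed as vendor-backported with that evidence attached, the rest are real.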
3.2.15. PHP Vulnerability: CVE-2014-0238 (php-cve-2014-0238)
Description:
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote
attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too
long.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-0238
URL http://www.php.net/ChangeLog-5.php
URL https://bugs.php.net/bug.php?id=67327
Vulnerability Solution:
Upgrade to PHP version 5.4.29
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.13
Download and apply the upgrade from: http://www.php.net/releases/
3.2.16. PHP Vulnerability: CVE-2014-3478 (php-cve-2014-3478)
Description:
Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and
5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a
FILE_PSTRING conversion.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-3478
SECUNIA 59794
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/
3.2.17. PHP Vulnerability: CVE-2014-4670 (php-cve-2014-4670)
Description:
Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting
environments.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-4670
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.15
Download and apply the upgrade from: http://www.php.net/releases/
3.2.18. PHP Vulnerability: CVE-2014-4698 (php-cve-2014-4698)
Description:
Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-
hosting environments.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-4698
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.15
Download and apply the upgrade from: http://www.php.net/releases/
3.2.19. TCP Sequence Number Approximation Vulnerability (tcp-seq-num-approximation)
Description:
TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service
(connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived
connections, such as BGP.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178 TCP reset with incorrect sequence number triggered this fault on 192.169.82.178:465: Connection reset by peer
References:
Source Reference
BID 10183
CERT TA04-111A
CERT-VN 415294
CVE CVE-2004-0230
MS MS05-019
MS MS06-064
NETBSD NetBSD-SA2004-006
OSVDB 4030
OVAL OVAL2689
OVAL OVAL270
OVAL OVAL3508
OVAL OVAL4791
OVAL OVAL5711
SECUNIA 11440
SECUNIA 11458
SECUNIA 22341
SGI 20040403-01-A
URL ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-006.txt.asc
URL http://tools.ietf.org/html/draft-ietf-tcpm-tcpsecure-12
URL http://www.uniras.gov.uk/vuls/2004/236929/index.htm
XF 15886
Vulnerability Solution:
Enable TCP MD5 Signatures
Enable the TCP MD5 signature option as documented in RFC 2385. It was designed to reduce the danger from certain security attacks on BGP, such as TCP resets, and applies only to BGP peerings; it does not protect the mail and web listeners on this host (the probe that triggered the finding targeted 192.169.82.178:465). The Microsoft updates listed next apply to Windows only. The package name reported in 3.2.13 (BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6) identifies this host as Red Hat Enterprise Linux 5 or a derivative, where the applicable mitigation is a kernel implementing the RFC 5961 countermeasures (challenge ACKs for out-of-window RST and SYN segments); where that is not available, note that the attack is only practical against long-lived connections, so the exposure of short-lived mail and web sessions is limited.
Microsoft Windows 2000 SP4 OR SP3 (x86), Microsoft Windows 2000 Professional SP4 OR SP3 (x86), Microsoft Windows 2000
Server SP4 OR SP3 (x86), Microsoft Windows 2000 Advanced Server SP4 OR SP3 (x86), Microsoft Windows 2000 Datacenter Server
SP4 OR SP3 (x86)
MS05-019: Security Update for Windows 2000 (KB893066)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=36661
Microsoft Windows Server 2003 < SP1 (x86), Microsoft Windows Server 2003, Standard Edition < SP1 (x86), Microsoft Windows
Server 2003, Enterprise Edition < SP1 (x86), Microsoft Windows Server 2003, Datacenter Edition < SP1 (x86), Microsoft Windows
Server 2003, Web Edition < SP1 (x86), Microsoft Windows Small Business Server 2003 < SP1 (x86)
MS05-019: Security Update for Windows Server 2003 (KB893066)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=36661
Microsoft Windows XP Professional SP2 OR SP1 (x86), Microsoft Windows XP Home SP2 OR SP1 (x86)
MS05-019: Security Update for Windows XP (KB893066)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=36661
Microsoft Windows XP Professional SP1 OR SP2 (x86), Microsoft Windows XP Home SP1 OR SP2 (x86)
MS06-064: Security Update for Windows XP (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
Microsoft Windows Server 2003 SP1 (x86_64), Microsoft Windows Server 2003, Standard Edition SP1 (x86_64), Microsoft Windows
Server 2003, Enterprise Edition SP1 (x86_64), Microsoft Windows Server 2003, Datacenter Edition SP1 (x86_64), Microsoft Windows
Server 2003, Web Edition SP1 (x86_64), Microsoft Windows Small Business Server 2003 SP1 (x86_64)
MS06-064: Security Update for Windows Server 2003 x64 Edition (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
Microsoft Windows XP Professional SP1 (x86_64)
MS06-064: Security Update for Windows XP x64 Edition (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
Microsoft Windows Server 2003 SP1 OR < SP1 (ia64), Microsoft Windows Server 2003, Standard Edition SP1 OR < SP1 (ia64),
Microsoft Windows Server 2003, Enterprise Edition SP1 OR < SP1 (ia64), Microsoft Windows Server 2003, Datacenter Edition SP1
OR < SP1 (ia64), Microsoft Windows Server 2003, Web Edition SP1 OR < SP1 (ia64), Microsoft Windows Small Business Server 2003
SP1 OR < SP1 (ia64)
MS06-064: Security Update for Windows Server 2003 for Itanium-based Systems (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
Microsoft Windows Server 2003 SP1 OR < SP1 (x86), Microsoft Windows Server 2003, Standard Edition SP1 OR < SP1 (x86),
Microsoft Windows Server 2003, Enterprise Edition SP1 OR < SP1 (x86), Microsoft Windows Server 2003, Datacenter Edition SP1 OR
< SP1 (x86), Microsoft Windows Server 2003, Web Edition SP1 OR < SP1 (x86), Microsoft Windows Small Business Server 2003 SP1
OR < SP1 (x86)
MS06-064: Security Update for Windows Server 2003 (KB922819)
Download and apply the patch from: http://go.microsoft.com/fwlink/?LinkId=73864
Locate and fix vulnerable traffic inspection devices along the route to the target
In many situations, target systems are, by themselves, patched or otherwise unaffected by this vulnerability. In certain configurations,
however, unaffected systems can be made vulnerable if the path between an attacker and the target system contains an affected and
unpatched network device such as a firewall or router and that device is responsible for handling TCP connections for the target. In this
case, locate and apply remediation steps for network devices along the route that are affected.
3.2.20. CVE-2010-3613: cache incorrectly allows a ncache entry and a rrsig for the same type (dns-bind-cve-2010-3613)
Description:
named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the
combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a
denial of service (daemon crash) via a query for cached data.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:53 Running DNS service; Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6; Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
APPLE APPLE-SA-2011-10-12-3
BID 45133
CERT-VN 706148
CVE CVE-2010-3613
DEBIAN DSA-2130
NETBSD NetBSD-SA2011-001
OSVDB 69558
OVAL OVAL12601
REDHAT RHSA-2010:0975
REDHAT RHSA-2010:0976
REDHAT RHSA-2010:1000
SECUNIA 42374
SECUNIA 42459
SECUNIA 42522
SECUNIA 42671
SECUNIA 42707
SECUNIA 43141
URL https://kb.isc.org/article/AA-00938/187/CVE-2010-3613%3A-cache-incorrectly-allows-a-ncache-entry-and-
a-rrsig-for-the-same-type.html
Vulnerability Solution:
The detected package is a Red Hat build, and Red Hat backports fixes without changing the upstream version string; check rpm -q --changelog bind for CVE-2010-3613 before concluding that the fix is missing. If it is, update the vendor package or upgrade upstream as follows.
Upgrade to ISC BIND version 9.4-ESV-R4
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.4-ESV-R4/bind-9.4-ESV-R4.tar.gz (source code and binaries for this release are also available from the BIND website)
Upgrade to ISC BIND version 9.6-ESV-R3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6-ESV-R3/bind-9.6-ESV-R3.tar.gz (source code and binaries for this release are also available from the BIND website)
Upgrade to ISC BIND version 9.7.2-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.7.2-P3/bind-9.7.2-P3.tar.gz (source code and binaries for this release are also available from the BIND website)
3.2.21. CVE-2009-0696: BIND Dynamic Update DoS (dns-bind-remote-dynamic-update-message-dos)
Description:
The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1,
when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an
ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:53 Running DNS service; Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6; Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
CERT-VN 725188
CVE CVE-2009-0696
NETBSD NetBSD-SA2009-013
OVAL OVAL10414
OVAL OVAL12245
OVAL OVAL7806
SECUNIA 36035
SECUNIA 36038
SECUNIA 36050
SECUNIA 36053
SECUNIA 36056
SECUNIA 36063
SECUNIA 36086
SECUNIA 36098
SECUNIA 36192
SECUNIA 37471
SECUNIA 39334
URL https://kb.isc.org/article/AA-00926/187/CVE-2009-0696%3A-BIND-Dynamic-Update-DoS.html
Vulnerability Solution:
The detected package is a Red Hat build, and Red Hat backports fixes without changing the upstream version string; check rpm -q --changelog bind for CVE-2009-0696 before concluding that the fix is missing. Because this issue was exploited in the wild and affects any master server that receives dynamic update messages, treat it as urgent if the changelog does not credit the fix.
Upgrade to ISC BIND version 9.4.3-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz (source code and binaries for this release are also available from the BIND website)
Upgrade to ISC BIND version 9.5.1-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz (source code and binaries for this release are also available from the BIND website)
Upgrade to ISC BIND version 9.6.1-P1
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz (source code and binaries for this release are also available from the BIND website)
3.2.22. PHP Vulnerability: CVE-2011-1398 (php-cve-2011-1398)
Description:
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka
carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted
URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and
Google Chrome.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service; Product HTTPD exists -- Apache HTTPD; Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2011-1398
REDHAT RHSA-2013:1307
SECUNIA 55078
Vulnerability Solution:
Upgrade to PHP version 5.3.11
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.4.0
Download and apply the upgrade from: http://www.php.net/releases/
Note that the description above gives the affected range as PHP before 5.3.11 and 5.4.x before 5.4.0RC2, while the detected version is 5.3.28, which lies outside it. The scanner matched on a version string, so verify this finding before spending remediation effort on it; upgrading off the end-of-life 5.3 branch closes it either way.
3.2.23. PHP Fixed possible attack in SSL sockets with SSL 3.0 / TLS 1.0 (php-cve-2011-3389)
Description:
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service. Product HTTPD exists -- Apache HTTPD. Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
APPLE APPLE-SA-2011-10-12-1
APPLE APPLE-SA-2011-10-12-2
APPLE APPLE-SA-2012-02-01-1
APPLE APPLE-SA-2012-05-09-1
APPLE APPLE-SA-2012-07-25-2
APPLE APPLE-SA-2012-09-19-2
APPLE APPLE-SA-2013-10-22-3
BID 49388
BID 49778
CERT TA12-010A
CERT-VN 864643
CVE CVE-2011-3389
MS MS12-006
OSVDB 74829
OVAL OVAL14752
REDHAT RHSA-2011:1384
REDHAT RHSA-2012:0006
REDHAT RHSA-2013:1455
SECUNIA 45791
SECUNIA 48692
SECUNIA 48915
SECUNIA 48948
SECUNIA 49198
SECUNIA 55322
SECUNIA 55350
SECUNIA 55351
Vulnerability Solution:
Download and apply the upgrade from: http://www.php.net/releases/
3.2.24. PHP Vulnerability: CVE-2013-4248 (php-cve-2013-4248)
Description:
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly
handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service. Product HTTPD exists -- Apache HTTPD. Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2013-4248
DEBIAN DSA-2742
REDHAT RHSA-2013:1307
REDHAT RHSA-2013:1615
SECUNIA 54478
SECUNIA 54657
SECUNIA 55078
SECUNIA 59652
Vulnerability Solution:
Upgrade to PHP version 5.4.18
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.2
Download and apply the upgrade from: http://www.php.net/releases/
3.2.25. PHP Vulnerability: CVE-2014-0207 (php-cve-2014-0207)
Description:
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before
5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service. Product HTTPD exists -- Apache HTTPD. Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-0207
SECUNIA 59794
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/
3.2.26. PHP Vulnerability: CVE-2014-3479 (php-cve-2014-3479)
Description:
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x
before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a
crafted stream offset in a CDF file.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service. Product HTTPD exists -- Apache HTTPD. Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-3479
SECUNIA 59794
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/
3.2.27. PHP Vulnerability: CVE-2014-3480 (php-cve-2014-3480)
Description:
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before
5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a
crafted CDF file.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service. Product HTTPD exists -- Apache HTTPD. Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-3480
SECUNIA 59794
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/
3.2.28. PHP Vulnerability: CVE-2014-3487 (php-cve-2014-3487)
Description:
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14,
does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted
CDF file.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service. Product HTTPD exists -- Apache HTTPD. Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-3487
SECUNIA 59794
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/
3.3. Moderate Vulnerabilities
3.3.1. CVE-2009-4022: BIND 9 Cache Update from Additional Section (dns-bind9-dnssec-cache-poisoning)
Description:
Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta
before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning
attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not
properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:53 Running DNS service. Product BIND exists -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6. Vulnerable version of product BIND found -- BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
References:
Source Reference
APPLE APPLE-SA-2011-10-12-3
BID 37118
CERT-VN 418861
CVE CVE-2009-4022
OSVDB 60493
OVAL OVAL10821
OVAL OVAL11745
OVAL OVAL7261
OVAL OVAL7459
REDHAT RHSA-2009:1620
SECUNIA 37426
SECUNIA 37491
SECUNIA 38219
SECUNIA 38240
SECUNIA 38794
SECUNIA 38834
SECUNIA 39334
SECUNIA 40730
URL https://kb.isc.org/article/AA-00931/187/CVE-2009-4022%3A-BIND-9-Cache-Update-from-Additional-Section.html
XF 54416
Vulnerability Solution:
Upgrade to ISC BIND version 9.4.3-P5
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.4.3-P5/bind-9.4.3-P5.tar.gz
Upgrade to ISC BIND version 9.4.3-P5. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.5.2-P2
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.5.2-P2/bind-9.5.2-P2.tar.gz
Upgrade to ISC BIND version 9.5.2-P2. The source code and binaries for this release can be downloaded from the BIND website.
Upgrade to ISC BIND version 9.6.1-P3
Download and apply the upgrade from: http://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz
Upgrade to ISC BIND version 9.6.1-P3. The source code and binaries for this release can be downloaded from the BIND website.
3.3.2. PHP Vulnerability: CVE-2014-3981 (php-cve-2014-3981)
Description:
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack
on the /tmp/phpglibccheck file.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service. Product HTTPD exists -- Apache HTTPD. Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-3981
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/
3.3.3. PHP Vulnerability: CVE-2014-4721 (php-cve-2014-4721)
Description:
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data
type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent
attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type
confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with
mod_ssl and a PHP 5.3.x mod_php.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:443 Running HTTPS service. Product HTTPD exists -- Apache HTTPD. Vulnerable version of component PHP found -- PHP 5.3.28
References:
Source Reference
CVE CVE-2014-4721
SECUNIA 59794
SECUNIA 59831
Vulnerability Solution:
Upgrade to PHP version 5.4.30
Download and apply the upgrade from: http://www.php.net/releases/
Upgrade to PHP version 5.5.14
Download and apply the upgrade from: http://www.php.net/releases/
3.3.4. OpenSSH CBC Mode Information Disclosure Vulnerability (ssh-openssh-cbc-mode-info-disclosure)
Description:
Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3
through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS
5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly
other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to
recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:22 OpenBSD OpenSSH 4.3 on Linux 2.6.18
References:
Source Reference
APPLE APPLE-SA-2009-11-09-1
BID 32319
CERT-VN 958563
CVE CVE-2008-5161
OSVDB 49872
OSVDB 50035
OSVDB 50036
OVAL OVAL11279
REDHAT RHSA-2009:1287
SECUNIA 32740
SECUNIA 32760
SECUNIA 32833
SECUNIA 33121
SECUNIA 33308
SECUNIA 34857
SECUNIA 36558
URL http://www.ssh.com/company/news/article/953/
XF 46620
Vulnerability Solution:
OpenBSD OpenSSH < 5.2
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.
These pre-built packages are usually customized and optimized for a particular distribution; we therefore recommend that you use the
packages if they are available for your operating system.
3.3.5. ICMP timestamp response (generic-icmp-timestamp)
Description:
The remote host responded to an ICMP timestamp request. The ICMP timestamp response contains the remote host's date and time.
This information could theoretically be used against some systems to exploit weak time-based random number generators in other
services.
In addition, the versions of some operating systems can be accurately fingerprinted by analyzing their responses to invalid ICMP
timestamp requests.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178 Remote system time: 09:33:01.396 GMT+00:00
References:
Source Reference
CVE CVE-1999-0524
OSVDB 95
XF 306
XF 322
Vulnerability Solution:
HP-UX
Disable ICMP timestamp responses on HP/UX
Execute the following command:
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
Cisco IOS
Disable ICMP timestamp responses on Cisco IOS
Use ACLs to block ICMP types 13 and 14. For example:
deny icmp any any 13
deny icmp any any 14
Note that it is generally preferable to use ACLs that block everything by default and then selectively allow certain types of traffic in. For
example, block everything and then only allow ICMP unreachable, ICMP echo reply, ICMP time exceeded, and ICMP source quench:
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any source-quench
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
SGI Irix
Disable ICMP timestamp responses on SGI Irix
IRIX does not offer a way to disable ICMP timestamp responses. Therefore, you should block ICMP on the affected host using ipfilterd,
and/or block it at any external firewalls.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
Linux
Disable ICMP timestamp responses on Linux
Linux offers neither a sysctl nor a /proc/sys/net/ipv4 interface to disable ICMP timestamp responses. Therefore, you should block ICMP
on the affected host using iptables, and/or block it at the firewall. For example (iptables rules; the original listed legacy ipchains syntax
with an iptables-only DROP target, which neither tool accepts):
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server,
Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
Disable ICMP timestamp responses on Windows NT 4
Windows NT 4 does not provide a way to block ICMP packets. Therefore, you should block them at the firewall.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
OpenBSD
Disable ICMP timestamp responses on OpenBSD
Set the "net.inet.icmp.tstamprepl" sysctl variable to 0.
sysctl -w net.inet.icmp.tstamprepl=0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
Cisco PIX
Disable ICMP timestamp responses on Cisco PIX
A properly configured PIX firewall should never respond to ICMP packets on its external interface. In PIX Software versions 4.1(6) until
5.2.1, ICMP traffic to the PIX's internal interface is permitted; the PIX cannot be configured to NOT respond. Beginning in PIX Software
version 5.2.1, ICMP is still permitted on the internal interface by default, but ICMP responses from its internal interfaces can be
disabled with the icmp command, as follows, where <inside> is the name of the internal interface:
icmp deny any 13 <inside>
icmp deny any 14 <inside>
Don't forget to save the configuration when you are finished.
See Cisco's support document Handling ICMP Pings with the PIX Firewall for more information.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
Sun Solaris
Disable ICMP timestamp responses on Solaris
Execute the following commands:
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced
Server, Microsoft Windows 2000 Datacenter Server
Disable ICMP timestamp responses on Windows 2000
Use the IPSec filter feature to define and apply an IP filter list that blocks ICMP types 13 and 14. Note that the standard TCP/IP
blocking capability under the "Networking and Dialup Connections" control panel is NOT capable of blocking ICMP (only TCP and
UDP). The IPSec filter features, while they may seem strictly related to the IPSec standards, will allow you to selectively block these
ICMP packets. See http://support.microsoft.com/kb/313190 for more information.
The easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13
(timestamp request) and 14 (timestamp response).
Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft
Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003,
Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003
Disable ICMP timestamp responses on Windows XP/2K3
ICMP timestamp responses can be disabled by deselecting the "allow incoming timestamp request" option in the ICMP configuration
panel of Windows Firewall.
1. Go to the Network Connections control panel.
2. Right click on the network adapter and select "Properties", or select the internet adapter and select File->Properties.
3. Select the "Advanced" tab.
4. In the Windows Firewall box, select "Settings".
5. Select the "General" tab.
6. Enable the firewall by selecting the "On (recommended)" option.
7. Select the "Advanced" tab.
8. In the ICMP box, select "Settings".
9. Deselect (uncheck) the "Allow incoming timestamp request" option.
10. Select "OK" to exit the ICMP Settings dialog and save the settings.
11. Select "OK" to exit the Windows Firewall dialog and save the settings.
12. Select "OK" to exit the internet adapter dialog.
For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true
Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft
Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition,
Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition,
Microsoft Windows Server 2008, Microsoft Windows Server 2008 Standard Edition, Microsoft Windows Server 2008 Enterprise Edition,
Microsoft Windows Server 2008 Datacenter Edition, Microsoft Windows Server 2008 HPC Edition, Microsoft Windows Server 2008
Web Edition, Microsoft Windows Server 2008 Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows
Essential Business Server 2008
Disable ICMP timestamp responses on Windows Vista/2008
ICMP timestamp responses can be disabled via the netsh command line utility.
1. Go to the Windows Control Panel.
2. Select "Windows Firewall".
3. In the Windows Firewall box, select "Change Settings".
4. Enable the firewall by selecting the "On (recommended)" option.
5. Open a Command Prompt.
6. Enter "netsh firewall set icmpsetting 13 disable"
For more information, see: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_understanding_firewall.mspx?mfr=true
Disable ICMP timestamp responses
Disable ICMP timestamp replies for the device. If the device does not support this level of configuration, the easiest and most effective
solution is to configure your firewall to block incoming and outgoing ICMP packets with ICMP types 13 (timestamp request) and 14
(timestamp response).
3.3.6. OpenSSH "X11UseLocalhost" X11 Forwarding Session Hijacking Vulnerability (ssh-openssh-x11uselocalhost-x11-forwarding-session-hijack)
Description:
OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which
allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX
platform.
Affected Nodes:
Affected Nodes: Additional Information:
192.169.82.178:22 OpenBSD OpenSSH 4.3 on Linux 2.6.18
References:
Source Reference
BID 30339
CVE CVE-2008-3259
SECUNIA 31179
XF 43940
Vulnerability Solution:
OpenBSD OpenSSH < 5.1
Download and apply the upgrade from: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH
While you can always build OpenSSH from source, many platforms and distributions provide pre-built binary packages for OpenSSH.
These pre-built packages are usually customized and optimized for a particular distribution; we therefore recommend that you use the
packages if they are available for your operating system.
4. Discovered Services
4.1. <unknown>
4.1.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 tcp 17611 0
4.2. DNS
DNS, the Domain Name System, provides naming services on the Internet. DNS is primarily used to convert names, such as
www.rapid7.com to their corresponding IP address for use by network programs, such as a browser.
4.2.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 udp 53 6
BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
4.3. DNS-TCP
DNS, the Domain Name System, provides naming services on the Internet. DNS is primarily used to convert names, such as
www.rapid7.com to their corresponding IP address for use by network programs, such as a browser. This service is used primarily for
zone transfers between DNS servers. It can, however, be used for standard DNS queries as well.
4.3.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 tcp 53 0
BIND 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6
4.4. FTP
FTP, the File Transfer Protocol, is used to transfer files between systems. On the Internet, it is often used on web pages to download
files from a web site using a browser. FTP uses two connections: a control connection, used to authenticate, navigate the FTP
server and initiate file transfers, and a data connection, used to transfer data such as files or directory listings.
4.4.1. General Security Issues
Cleartext authentication
The original FTP specification only provided means for authentication with cleartext user ids and passwords. Though FTP has added
support for more secure mechanisms such as Kerberos, cleartext authentication is still the primary mechanism. If a malicious user is in
a position to monitor FTP traffic, user ids and passwords can be stolen.
4.4.2. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 tcp 21 1
ftp.banner: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
ftp.plaintext.authentication: true
ftp.supports-starttls: true
4.5. HTTP
HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files
commonly used with HTTP include text, sound, images and video.
4.5.1. General Security Issues
Simple authentication scheme
Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses base 64 to
encode the cleartext user id and password. If a malicious user is in a position to monitor HTTP traffic, user ids and passwords can be
stolen by decoding the base 64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS/SSL)
connections to transmit the authentication data.
4.5.2. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 tcp 80 0
Apache HTTPD
http.banner: Apache
http.banner.server: Apache
verbs-1: GET
verbs-2: HEAD
verbs-3: OPTIONS
verbs-4: POST
verbs-count: 4
192.169.82.178 tcp 2077 0
cPanel
http.banner: cPanel
http.banner.server: cPanel
192.169.82.178 tcp 2082 0
cpsrvd 11.44.1.17
http.banner: cpsrvd/11.44.1.17
http.banner.server: cpsrvd/11.44.1.17
192.169.82.178 tcp 2086 0
cpsrvd 11.44.1.17
http.banner: cpsrvd/11.44.1.17
http.banner.server: cpsrvd/11.44.1.17
192.169.82.178 tcp 2095 0
cpsrvd 11.44.1.17
http.banner: cpsrvd/11.44.1.17
http.banner.server: cpsrvd/11.44.1.17
4.6. HTTPS
HTTPS, the HyperText Transfer Protocol over TLS/SSL, is used to exchange multimedia content on the World Wide Web using
encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard HTTP protocol is used. The multimedia
files commonly used with HTTP include text, sound, images and video.
4.6.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 tcp 443 6
Apache HTTPD
PHP: 5.3.28
http.banner: Apache
http.banner.server: Apache
http.banner.x-powered-by: PHP/5.3.28
ssl: true
ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
ssl.cert.selfsigned: false
ssl.cert.serial.number: 100077727732222274903927816937957920598
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
ssl.cert.validchain: true
192.169.82.178 tcp 2078 1
cPanel
http.banner: cPanel
http.banner.server: cPanel
ssl: true
ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
ssl.cert.selfsigned: false
ssl.cert.serial.number: 100077727732222274903927816937957920598
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
ssl.cert.validchain: true
192.169.82.178 tcp 2083 1
cpsrvd 11.44.1.17
http.banner: cpsrvd/11.44.1.17
http.banner.server: cpsrvd/11.44.1.17
ssl: true
ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
ssl.cert.selfsigned: false
ssl.cert.serial.number: 100077727732222274903927816937957920598
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
ssl.cert.validchain: true
ssl.version.ssl20: true
192.169.82.178 tcp 2087 1
cpsrvd 11.44.1.17
http.banner: cpsrvd/11.44.1.17
http.banner.server: cpsrvd/11.44.1.17
ssl: true
ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
ssl.cert.selfsigned: false
ssl.cert.serial.number: 100077727732222274903927816937957920598
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
ssl.cert.validchain: true
ssl.version.ssl20: true
192.169.82.178 tcp 2096 1
cpsrvd 11.44.1.17
http.banner: cpsrvd/11.44.1.17
http.banner.server: cpsrvd/11.44.1.17
ssl: true
ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
ssl.cert.selfsigned: false
ssl.cert.serial.number: 100077727732222274903927816937957920598
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
ssl.cert.validchain: true
ssl.version.ssl20: true
4.7. IMAP
IMAP, the Interactive Mail Access Protocol or Internet Message Access Protocol, is used to access and manipulate electronic mail
(e-mail). IMAP servers can contain several folders, aka mailboxes, containing messages (e-mails) for users.
4.7.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 tcp 143 1
Dovecot
imap.banner: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
imap.plaintext.authentication: true
4.8. IMAPS
IMAPS, the Internet Message Access Protocol over TLS/SSL, is used to access and manipulate electronic mail (e-mail) using
encrypted (TLS/SSL) connections. Once the TLS/SSL connection is established, the standard IMAP protocol is used. IMAP servers can
contain several folders, aka mailboxes, containing messages (e-mails) for users.
4.8.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 tcp 993 0
Dovecot
imap.banner: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE NAMESPACE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
imap.plaintext.authentication: false
ssl: true
ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
ssl.cert.key.alg.name: RSA
ssl.cert.key.rsa.modulusBits: 2048
ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
ssl.cert.selfsigned: false
ssl.cert.serial.number: 100077727732222274903927816937957920598
ssl.cert.sig.alg.name: SHA1withRSA
ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
ssl.cert.validchain: true
4.9. MySQL
4.9.1. Discovered Instances of this Service
Device Protocol Port Vulnerabilities Additional Information
192.169.82.178 tcp 3306 1
4.10. POP
The Post Office Protocol allows workstations to retrieve e-mail dynamically from a mailbox server.
4.10.1. Discovered Instances of this Service
Device          Protocol  Port  Vulnerabilities  Additional Information
192.169.82.178  tcp       110   1                Dovecot
    pop.banner: +OK Dovecot ready.
    pop.plaintext.authentication: true
4.11. POPS
The Post Office Protocol allows workstations to retrieve e-mail dynamically from a mailbox server. POPS simply adds SSL support to
POP3.
4.11.1. Discovered Instances of this Service
Device          Protocol  Port  Vulnerabilities  Additional Information
192.169.82.178  tcp       995   0                Dovecot
    pop.banner: +OK Dovecot ready.
    pop.plaintext.authentication: true
    ssl: true
    ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
    ssl.cert.key.alg.name: RSA
    ssl.cert.key.rsa.modulusBits: 2048
    ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
    ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
    ssl.cert.selfsigned: false
    ssl.cert.serial.number: 100077727732222274903927816937957920598
    ssl.cert.sig.alg.name: SHA1withRSA
    ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
    ssl.cert.validchain: true
4.12. SMTP
SMTP, the Simple Mail Transfer Protocol, is the Internet standard way to send e-mail messages between hosts. Clients typically
submit outgoing e-mail to their SMTP server, which then forwards the message on through other SMTP servers until it reaches its final
destination.
4.12.1. General Security Issues
Installed by default
By default, most UNIX workstations come installed with the sendmail (or equivalent) SMTP server to handle mail for the local host (e.g.
the output of some cron jobs is sent to the root account via email). Check your workstations to see if sendmail is running, by telnetting
to port 25/tcp. If sendmail is running, you will see something like this:
$ telnet mybox 25
Trying 192.168.0.1...
Connected to mybox.
Escape character is '^]'.
220 mybox. ESMTP Sendmail 8.12.2/8.12.2; Thu, 9 May 2002 03:16:26 -0700 (PDT)
If sendmail is running and you don't need it, then disable it via /etc/rc.conf or your operating system's equivalent startup configuration
file. If you do need SMTP for the localhost, make sure that the server is only listening on the loopback interface (127.0.0.1) and is not
reachable by other hosts. Also be sure to check port 587/tcp, which some versions of sendmail use for outgoing mail submissions.
Promiscuous relay
Perhaps the most common security issue with SMTP servers is servers which act as a "promiscuous relay", or "open relay". This
describes servers which accept and relay mail from anywhere to anywhere. This setup allows unauthenticated 3rd parties (spammers)
to use your mail server to send their spam to unwitting recipients. Promiscuous relay checks are performed on all discovered SMTP
servers. See "smtp-general-openrelay" for more information on this vulnerability and how to fix it.
4.12.2. Discovered Instances of this Service
Device          Protocol  Port  Vulnerabilities  Additional Information
192.169.82.178  tcp       25    2                exim 4.82
    advertise-esmtp: 1
    advertised-esmtp-extension-count: 6
    advertises-esmtp: TRUE
    max-message-size: 52428800
    smtp.banner: 220-server.sciencesuppliesdirect.com ESMTP Exim 4.82 #2 Thu, 28 Aug 2014 04:12:05 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
    smtp.plaintext.authentication: true
    ssl.cert.chainerror: Path does not chain with any of the trust anchors
    ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
    ssl.cert.key.alg.name: RSA
    ssl.cert.key.rsa.modulusBits: 2048
    ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
    ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
    ssl.cert.selfsigned: false
    ssl.cert.serial.number: 100077727732222274903927816937957920598
    ssl.cert.sig.alg.name: SHA1withRSA
    ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
    ssl.cert.validchain: false
    supported-auth-method-count: 2
    supported-auth-method:1: PLAIN
    supported-auth-method:2: LOGIN
    supports-8bitmime: TRUE
    supports-auth: TRUE
    supports-debug: FALSE
    supports-expand: FALSE
    supports-help: TRUE
    supports-pipelining: TRUE
    supports-size: TRUE
    supports-starttls: TRUE
    supports-turn: FALSE
    supports-verify: FALSE
192.169.82.178  tcp       587   2                exim 4.82
    advertise-esmtp: 1
    advertised-esmtp-extension-count: 6
    advertises-esmtp: TRUE
    max-message-size: 52428800
    smtp.banner: 220-server.sciencesuppliesdirect.com ESMTP Exim 4.82 #2 Thu, 28 Aug 2014 04:17:52 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
    smtp.plaintext.authentication: true
    ssl.cert.chainerror: Path does not chain with any of the trust anchors
    ssl.cert.issuer.dn: CN=thawte EV SSL CA - G2, O="thawte, Inc.", C=US
    ssl.cert.key.alg.name: RSA
    ssl.cert.key.rsa.modulusBits: 2048
    ssl.cert.not.valid.after: Tue, 28 Jul 2015 23:59:59 GMT+00:00
    ssl.cert.not.valid.before: Mon, 28 Jul 2014 00:00:00 GMT+00:00
    ssl.cert.selfsigned: false
    ssl.cert.serial.number: 100077727732222274903927816937957920598
    ssl.cert.sig.alg.name: SHA1withRSA
    ssl.cert.subject.dn: CN=www.sciencesuppliesdirect.com, OU=Sales, L=london, ST=london, C=GB, SERIALNUMBER=07629738, O=Northbank Trading LTD, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=GB
    ssl.cert.validchain: false
    supported-auth-method-count: 2
    supported-auth-method:1: PLAIN
    supported-auth-method:2: LOGIN
    supports-8bitmime: TRUE
    supports-auth: TRUE
    supports-debug: FALSE
    supports-expand: FALSE
    supports-help: TRUE
    supports-pipelining: TRUE
    supports-size: TRUE
    supports-starttls: TRUE
    supports-turn: FALSE
    supports-verify: FALSE
4.13. SMTPS
SMTPS, the Simple Mail Transfer Protocol over TLS/SSL, is used to send e-mail messages between hosts using encrypted (TLS/SSL)
connections. Once the TLS/SSL connection is established, the standard SMTP protocol is used. Clients typically submit outgoing e-mail
to their SMTP server, which then forwards the message on through other SMTP servers until it reaches its final destination.
4.13.1. Discovered Instances of this Service
Device          Protocol  Port  Vulnerabilities  Additional Information
192.169.82.178  tcp       465   0
4.14. SSH
SSH, or Secure SHell, is designed to be a replacement for the aging Telnet protocol. It primarily adds encryption and data integrity to
Telnet, but can also provide superior authentication mechanisms such as public key authentication.
4.14.1. Discovered Instances of this Service
Device          Protocol  Port  Vulnerabilities  Additional Information
192.169.82.178  tcp       22    4                OpenBSD OpenSSH 4.3
    ssh.banner: SSH-2.0-OpenSSH_4.3
    ssh.protocol.version: 2.0
    ssh.rsa.pubkey.fingerprint: D5A4877B7D17B0CCAF8A433487C1E5FE
4.15. zeroconf (Rendezvous)
4.15.1. Discovered Instances of this Service
Device          Protocol  Port  Vulnerabilities  Additional Information
192.169.82.178  udp       5353  0
5. Discovered Users and Groups
No user or group information was discovered during the scan.
6. Discovered Databases
No database information was discovered during the scan.
7. Discovered Files and Directories
No file or directory information was discovered during the scan.
8. Policy Evaluations
No policy evaluations were performed.
9. Spidered Web Sites
No web sites were spidered during the scan.