Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test: 1
Number of security holes found: 1
Number of security warnings found: 3


Host List
Host(s) Possible Issue
192.168.0.50 Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
192.168.0.50 smtp (25/tcp) Security hole found
192.168.0.50 http (80/tcp) Security warning(s) found
192.168.0.50 nntp (119/tcp) Security notes found
192.168.0.50 pop3 (110/tcp) Security notes found
192.168.0.50 general/tcp Security notes found


Security Issues and Fixes: 192.168.0.50
Type Port Issue and Fix
Vulnerability smtp (25/tcp) This system appears to be running a version of the Microsoft Exchange
SMTP service that is vulnerable to a flaw in the XEXCH50 extended verb.
This flaw can be used to completely crash Exchange 5.5 as well as execute
arbitrary code on Exchange 2000.

Solution : See http://www.microsoft.com/technet/security/bulletin/MS03-046.mspx
Risk factor : High
CVE : CVE-2003-0714
BID : 8838
Other references : IAVA:2003-A-0031, IAVA:2003-a-0016
Nessus ID : 11889
Warning smtp (25/tcp) A security vulnerability results from an unchecked buffer
in the IMC code that generates the response to the EHLO protocol command.
If the buffer is overrun, the result is either a failure of the IMC or
execution of attacker-supplied code in the security context of the IMC,
which runs as the Exchange 5.5 Service Account.

** Nessus only uses the banner header to determine
if this vulnerability exists and does not check
for or attempt an actual overflow.

Solution : see
http://www.microsoft.com/technet/security/bulletin/MS02-037.mspx

Risk factor : Medium
CVE : CVE-2002-0698
BID : 5306
Nessus ID : 11053
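The two SMTP findings above are both driven by what the server says about itself: the XEXCH50 verb reachable through EHLO (MS03-046) and the IMC build number in the 220 greeting (MS02-037, which Nessus checks from the banner only). The following is an added example, not Nessus plugin code, that reproduces that screening logic over captured SMTP text. The banner is the one quoted in the report; the EHLO reply is constructed, and the patched build number is a caller-supplied assumption because the report does not state it. Note that the MS03-046 patch fixes the handling of XEXCH50 rather than removing the verb, so seeing it advertised is a reason to verify the hotfix, not proof of vulnerability.

```python
import re

# Constructed SMTP greeting, matching the banner quoted in the report.
SAMPLE_BANNER = ("220 server_nt.DEMO.com ESMTP Server "
                 "(Microsoft Exchange Internet Mail Service 5.5.2653.13) ready")

# Constructed multi-line EHLO reply. The extension list is assumed for illustration;
# the report itself does not show the EHLO reply of this host.
SAMPLE_EHLO = ("250-server_nt.DEMO.com Hello [192.168.0.99]\r\n"
               "250-XEXCH50\r\n"
               "250-HELP\r\n"
               "250-AUTH LOGIN\r\n"
               "250 SIZE\r\n")

IMC_VERSION_RE = re.compile(r"Microsoft Exchange Internet Mail Service (\d+(?:\.\d+)+)")


def parse_imc_version(banner):
    """Extract the Exchange 5.5 IMC build from a 220 greeting as a tuple of ints.

    Returns None when the banner is not an Exchange IMC banner, so callers
    cannot confuse 'not Exchange' with 'version 0'.
    """
    match = IMC_VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def parse_ehlo_extensions(reply):
    """Parse a multi-line 250 EHLO reply into the set of advertised extension keywords.

    Per RFC 5321 section 4.1.1.1, continuation lines are '250-keyword [params]' and
    the final line is '250 keyword [params]'; the first line carries the server's
    domain and greeting text, not an extension.
    """
    extensions = set()
    for index, line in enumerate(reply.splitlines()):
        if not line.startswith("250"):
            raise ValueError("EHLO not accepted: %r" % line)
        if len(line) == 3:        # bare final '250' with no text
            break
        separator, text = line[3], line[4:].strip()
        if separator not in "- ":
            raise ValueError("malformed reply line: %r" % line)
        if index > 0 and text:
            extensions.add(text.split(None, 1)[0].upper())
        if separator == " ":
            break
    return extensions


def assess_smtp(banner, ehlo_reply, assumed_patched_build):
    """Apply the two report findings to captured SMTP data and return a list of findings.

    - XEXCH50 advertised in EHLO: the verb targeted by MS03-046 is reachable. The patch
      does not remove the verb, so this is a screening signal to be confirmed against
      the installed hotfixes, not proof of vulnerability.
    - IMC build below assumed_patched_build: a banner-only check in the spirit of
      MS02-037 (plugin 11053). The threshold is an assumption supplied by the caller;
      the report does not state the fixed build.
    """
    findings = []
    if "XEXCH50" in parse_ehlo_extensions(ehlo_reply):
        findings.append("XEXCH50 advertised; verify MS03-046 is installed")
    version = parse_imc_version(banner)
    if version is not None and version < tuple(assumed_patched_build):
        findings.append("IMC build %s is below assumed patched build %s (banner-based only)"
                        % (".".join(map(str, version)),
                           ".".join(map(str, assumed_patched_build))))
    return findings


if __name__ == "__main__":
    # (5, 5, 2654, 0) is a placeholder threshold, not a real patched build number.
    for finding in assess_smtp(SAMPLE_BANNER, SAMPLE_EHLO, (5, 5, 2654, 0)):
        print(finding)
```

Version tuples compare element by element, so a build string is never compared lexically ("5.5.2653.13" versus "5.5.2657.0" is handled correctly). A non-250 reply to EHLO raises rather than silently returning an empty set, so "server refused EHLO" is not misread as "no extensions".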
Informational smtp (25/tcp) An SMTP server is running on this port
Here is its banner :
220 server_nt.DEMO.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready
Nessus ID : 10330
Informational smtp (25/tcp)
Synopsis :

An SMTP server is listening on the remote port.

Description :

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are targets for spammers, it is recommended that you
disable this one if you do not use it.

Solution :

Disable this service if you do not use it, or filter incoming traffic
to this port.

Risk factor :

None

Plugin output :

Remote SMTP server banner :
220 server_nt.DEMO.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready
Nessus ID : 10263
Warning http (80/tcp)
The information held by the OWA server can be browsed by an anonymous user via
the following URL:

http://www.example.com/exchange/root.asp?acs=anon

After this access, the anonymous user can search for valid users in the OWA
server and can enumerate all users by accessing the following URL:

http://www.example.com/exchange/finduser/details.asp?obj=XXX
(where XXX is a string of 65 hexadecimal digits)

Data that can be accessed by an anonymous user
may include: usernames, server names, email name accounts,
phone numbers, departments, office, management relationships...

This information helps an attacker mount social engineering attacks.
The enumeration is easily automated: even if direct access to the
search page is not possible, only the cookie issued on the anonymous
login is needed.

Administrators might be interested in consulting
the following URL:

http://support.microsoft.com/support/exchange/content/whitepapers/owaguide.doc

Solution:
Disable anonymous access to OWA. Follow these steps:
1. In Microsoft Exchange Administrator open the Configuration container.
2. Choose Protocols, and then double-click HTTP (Web) Site Settings
3. Unselect the 'Allow anonymous users to access the anonymous public folders' check box.
4. Select the Folder Shortcuts tab.
5. Remove all folders which are allowed anonymous viewing.
6. Choose OK.
7. Remove the anonymous access from the login web pages.

Risk factor : Medium
CVE : CVE-2001-0660
BID : 3301
Nessus ID : 10781
Warning http (80/tcp) The remote host is running Outlook Web Access on Exchange version 5.5 SP4.
OWA is a web-based interface to Microsoft Exchange Server that allows remote users
to access email, calendar, and folders over the Internet.

Nessus ID : 14255
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) The following directories were discovered:
/_vti_bin, /exchange, /forms, /help, /images, /lib

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.

Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
Informational http (80/tcp) The following CGIs have been discovered:

Syntax : cginame (arguments [default value])

/exchange/LogonFrm.asp (isnewwindow [0] mailbox [] )

Nessus ID : 10662
Informational http (80/tcp)
Synopsis :

This web server leaks a private IP address through its HTTP headers.

Description :

This may expose internal IP addresses that are usually hidden or masked
behind a Network Address Translation (NAT) Firewall or proxy server.

There is a known issue with IIS 4.0 doing this in its default configuration.

See also :

http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
See the Bugtraq reference for a full discussion.

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

This web server leaks the following private IP address : 192.168.30.2
CVE : CVE-2000-0649
BID : 1499
Nessus ID : 10759
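The leak above is found by reading the response headers, not the page body: an IIS 4.0 server that builds an absolute URL from its own address rather than the name the client used will put an internal IPv4 address into a header such as Content-Location (the case the KB article cited above covers) or Location. The following is an added example, not Nessus plugin code, of that detection logic. Both responses are constructed; the leaked address is the one from the plugin output, and the address passed as the scan target is the host from this report. An address equal to the one the scanner connected to is deliberately not reported, since a server naming itself as it was reached reveals nothing new.

```python
import ipaddress
import re

# Constructed response mimicking the IIS 4.0 behaviour: the server's internal address,
# not the name the client used, appears in Content-Location. The leaked address is the
# one from the report's plugin output.
LEAKY_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                  "Server: Microsoft-IIS/4.0\r\n"
                  "Content-Location: http://192.168.30.2/Default.htm\r\n"
                  "Content-Type: text/html\r\n"
                  "\r\n"
                  "<html><body>OWA</body></html>")

# Constructed redirect naming the address the scanner connected to: not a leak.
CLEAN_RESPONSE = ("HTTP/1.1 302 Object Moved\r\n"
                  "Server: Microsoft-IIS/4.0\r\n"
                  "Location: http://192.168.0.50/exchange/\r\n"
                  "Content-Length: 0\r\n"
                  "\r\n")

# Deliberately loose (accepts 300.1.2.3); ipaddress does the real validation below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def parse_response_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).

    The body is ignored and malformed header lines are skipped rather than
    aborting, since the goal is to inspect whatever the server did send.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_private_ip_leaks(raw, target_address):
    """Return [(header_name, ip)] for each internal IPv4 address found in a header
    value, excluding the address the scanner itself connected to.

    Private (RFC 1918), loopback and link-local ranges all count as internal.
    """
    _, headers = parse_response_headers(raw)
    leaks = []
    for name, value in headers:
        for candidate in IPV4_RE.findall(value):
            try:
                ip = ipaddress.IPv4Address(candidate)
            except ipaddress.AddressValueError:
                continue            # regex false positive such as '300.1.2.3'
            if str(ip) == target_address:
                continue            # the server naming itself as reached is not a leak
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                leaks.append((name, str(ip)))
    return leaks


if __name__ == "__main__":
    for header, ip in find_private_ip_leaks(LEAKY_RESPONSE, "192.168.0.50"):
        print("internal address %s leaked via %s header" % (ip, header))
```

Scanning every header rather than only Location and Content-Location catches the same class of leak in custom or proxy-added headers. The scanner's own connection address is the right exclusion here because the report's target is itself a private address; filtering on "is private" alone would flag the host's legitimate self-reference.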
Informational http (80/tcp)
Synopsis :

Frontpage extensions are enabled.

Description :

The remote web server appears to be running with the Frontpage extensions.
Frontpage allows remote web developers and administrators to modify web
content from a remote location. While this is a fairly typical scenario
on an internal Local Area Network, the Frontpage extensions should not
be available to anonymous users via the Internet (or any other untrusted
3rd party network).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

The remote FrontPage server leaks the name of the anonymous user.
Knowing the name of the anonymous user allows more targeted attacks to be launched.
The anonymous user's name was determined to be: IUSR_SERVER_NT
CVE : CVE-2000-0114
Nessus ID : 10077
Informational nntp (119/tcp) An NNTP server is running on this port
Nessus ID : 10330
Informational nntp (119/tcp) This NNTP server does not allow unauthenticated connections.
As no valid username/password was provided, test messages could not be posted.

Nessus ID : 11033
Informational nntp (119/tcp)
Synopsis :

An NNTP server is listening on the remote port.

Description :

The remote host is running a news server (NNTP). Make sure
that hosting such a server is authorized by your company
policy.

Solution :

Disable this service if you do not use it.


Risk factor :

None

Plugin output :

Remote server banner :
200 Microsoft Exchange Internet News Service Version 5.5.2653.23 (posting allowed)

Nessus ID : 10159
Informational pop3 (110/tcp) A pop3 server is running on this port
Nessus ID : 10330
Informational general/tcp Nessus was not able to reliably identify the remote operating system. It might be:
Microsoft Windows 2000 Server Service Pack 4
Nessus ID : 11936

This file was generated by Nessus, the open-sourced security scanner.