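def gen(cb):
    """Build report appendix entries for the missing HTTP security-header findings.

    Four findings are emitted by this generator — Cache-Control / Pragma,
    Strict-Transport-Security, X-Frame-Options and X-XSS-Protection — all
    sharing an empty description. Each is handed to ``genFile.genr`` together
    with ``cb``; whatever it returns (when not ``None``) is accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when no
        finding produced any. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    # Every finding in this generator shares an empty description.
    description = str()

    plugin_ids = ["Cacheable HTTPS response"]
    name = "Cache-Control / Pragma"
    risk_description = "The cache-control and pragma HTTP headers have not been correctly set by the web servers. This enables the user's browser and any proxies to cache the content of secure pages, which could enable sensitive information disclosure. Content that should only be accessible to an authenticated user can therefore be recovered after the session has terminated through the local cache or by pressing the 'back' button in the browser.\n\nThis was verified by viewing sensitive content, which should only be accessible to an authenticated user, through the cached web pages located in the 'Temporary Internet Files' in the system used by the tester."
    recommendation = "Web servers should be configured to return caching directives instructing browsers not to store local copies of any sensitive data. This can be achieved using HTTP headers:\n\nSet the Cache-Control HTTP Header with no-cache, no-store, must-revalidate, private.\nSet the pragma HTTP Header with no-cache."
    notes = "<url>https://www.owasp.org/index.php/Session_Management_Cheat_Sheet%23Web_Content_Caching</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    # New plugin_ids HSTS(BurpPlugin):
    plugin_ids = ["Strict transport security not enforced"]
    name = "Strict-Transport-Security"
    risk_description = "The application does not set the Strict-Transport-Security header. This header, once observed by a browser, prevents the browser from opening any subsequent connections to the server via unencrypted HTTP connections until the time in the max-age value provided by the header has expired. This prevents leakage of information, such as session cookies, via unencrypted connections."
    recommendation = "Enable HTTP Strict Transport Security (HSTS) by adding a response header with the name 'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in seconds that browsers should remember that the site should only be accessed using HTTPS. Consider adding the 'includeSubDomains' flag if appropriate."
    notes = "<url>https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    # New plugin_ids XFrameOptions(BurpPlugin):
    # NOTE(review): current browsers also honour the Content-Security-Policy
    # 'frame-ancestors' directive, which supersedes X-Frame-Options; consider
    # mentioning it in the recommendation text.
    plugin_ids = ["Frameable response (potential Clickjacking)"]
    name = "X-Frame-Options"
    risk_description = "The web server does not set the X-Frame-Options HTTP header. It may be possible for a web page controlled by an attacker to load the content of this response within an IFrame on the attacker's page. This may enable a 'clickjacking' attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker. By inducing victim users to perform actions such as mouse clicks and keystrokes, the attacker could cause them to unwittingly carry out actions within the application that is being targeted. This technique allows the attacker to circumvent defences against cross-site request forgery and may result in unauthorised actions."
    recommendation = "Ensure the X-Frame-Options HTTP header is set on all web pages returned by the server. If the page will be framed by other pages on the server, then it should be set with SAMEORIGIN. Otherwise, if the page should never be framed, it should be set to DENY."
    notes = "<url>https://www.owasp.org/index.php/Clickjacking</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    # New plugin_ids XXSSProtection(BurpPlugin):
    # NOTE(review): the browser XSS filter controlled by this header has been
    # removed from current mainstream browsers; a Content-Security-Policy is
    # the modern mitigation. Consider revising the finding text accordingly.
    plugin_ids = ["Browser cross-site scripting filter misconfiguration"]
    name = "X-XSS-Protection"
    risk_description = "The web server does not set the X-XSS-Protection header. This header enables cross-site scripting (XSS) filters within certain web browsers that check if the URL contains possible harmful XSS payloads and if these are reflected in the response page. If such a condition is recognised, the injected code is prevented from executing."
    recommendation = "It is recommended that X-XSS-Protection header is set by the server with a value of '1; mode=block'"
    notes = "<url>https://www.owasp.org/index.php/OWASP_Secure_Headers_Project</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices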
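def gen(cb):
    """Build report appendix entries for the DNS configuration findings.

    Three findings are emitted: DNS dynamic updates, DNS cache snooping and
    spoofed-request amplification. Each is handed to ``genFile.genr``
    together with ``cb``; whatever it returns (when not ``None``) is
    accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when no
        finding produced any. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    plugin_ids = [35372]
    name = "DNS Dynamic Updates"
    description = "DNS services were identified which permit their records for specific zones to be dynamically updated. This can be used to facilitate man-in-the-middle attacks."
    risk_description = "DNS services were found to permit the dynamic updating of their records. This functionality can be used to create or alter DNS records, enabling an attacker to redirect traffic away from a legitimate host to one under their control. This could be used to intercept sensitive service traffic or direct users to malicious resources/applications, through which an attacker may attempt to compromise user hosts or account credentials.\n\nIt should be noted that this finding can reflect a legitimate configuration if testing of these services was conducted from within a network subnet which is required to perform dynamic updates by the DNS services."
    recommendation = "Limit the sources addresses that are allowed to perform dynamic updates against these services (e.g. with BIND's 'allow-update' option) or implement the signing of DNS traffic (e.g. TSIG or SIG(0))."
    notes = "\n".join([
        "<url>https://technet.microsoft.com/en-us/library/cc753751(v=ws.11).aspx</url>",
        "<url>https://technet.microsoft.com/en-us/library/cc725703(v=ws.11).aspx</url>",
    ])

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    # New plugin_ids CacheSnooping(VulnerabilityPlugin):
    plugin_ids = ["DNS Server Cache Snooping Remote Information Disclosure"]
    name = "DNS Cache Snooping"
    description = str()
    # "can may allow" in the original text corrected to "may allow".
    risk_description = "At least one DNS server responds to queries for third-party domains that do not have the recursion bit set. This configuration may allow a remote attacker to determine which domains have recently been resolved via a name server, and therefore which hosts have been recently visited. This can lead to the identification of user browsing habits (e.g. what sites they visit) and the identification of software in use within the network (e.g. anti-virus software) based on the domain names which are cached by a DNS server.\n\nThis issue presents a reduced risk for internal DNS servers as such attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.\n\nIt should be noted that this configuration is default within a number of DNS services, including Microsoft Windows DNS."
    recommendation = "If recursion is required, this configuration must remain in place to avoid impacting functionality. The only approach in which this issue can fully be addressed requires recursion to be disabled completely."
    notes = "\n".join([
        "<bold_italic>" + name + "</bold_italic>",
        "<url>https://technet.microsoft.com/en-us/library/cc771738.aspx</url>",
        "<url>https://support.microsoft.com/kb/2678371</url>",
    ])

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    # New plugin_ids RequestAmpDos(VulnerabilityPlugin):
    plugin_ids = ["DNS Server Spoofed Request Amplification DDoS"]  # wasn't set originally
    name = "DNS Server Spoofed Request Amplification DDoS"
    description = str()
    risk_description = "A DNS server responds to any request. It is possible to query the name servers (NS) of the root zone ('.') and get an answer that is bigger than the original request. By spoofing the source IP address, a remote attacker can leverage this 'amplification' to launch a denial of service attack against another host using the remote DNS server. For internally hosted DNS servers with no Internet access, this issue is limited to hosts within the internal network. Externally presented DNS services can present a threat to other third-party hosted services."
    recommendation = "Reconfigure the service to reject such queries. This may require removing entries for root zones from the service."
    notes = "\n".join([
        "<bold_italic>" + name + "</bold_italic>",
        "<url>https://technet.microsoft.com/en-us/security/hh972393.aspx</url>",
    ])

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices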
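def gen(cb):
    """Build the report appendix entry for the HTTP TRACE method finding.

    The finding text is handed to ``genFile.genr`` together with ``cb``;
    whatever it returns (when not ``None``) is accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when the
        plugin produced none. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    plugin_ids = [11213]
    name = "HTTP TRACE Method"
    description = "A web debugging function is enabled on a number of web servers. This HTTP method is often used by developers in order to debug issues with web applications, but has been associated with web attack vectors in the past, including those which can bypass the protection offered by the use of httpOnly cookies."
    risk_description = "\n\n".join([
        "The affected web servers appear to support the HTTP TRACE method. TRACE is a method that is used to debug web server connections and can provide valuable information to application developers.",
        "The TRACE method has also historically been utilised in web-based attacks known as cross-site tracing and should be used with caution. The HTTP TRACE method replies to any request, together with all the headers in the response, including the cookie header. If session cookies do not have the httpOnly flag set, they may be vulnerable to session-hijacking attacks; the httpOnly flag prevents this by blocking access to the value of the cookie. With the TRACE method enabled, an attacker can send a request, e.g. XMLHttprequest (AJAX), to the target server.",
        "The user's web browser will attach the cookies to the request and the server will echo them in its response, thus defeating the httpOnly flag. The risk may be considered low, as many browsers simply disallow sending requests with TRACE method. A risk still exists, however, as plugins that receive cookies from the browser, such as Flash, Silverlight and Java, may use them for sending TRACE requests.",
        "The risk given to this issue is Low because currently most browsers block TRACE in an XMLHttpRequest (XHR), which would need to be made by a client. Still, there are possible attacks leveraging corner case situations, but these are difficult to mount. A complete explanation is presented in the referenced links.",
    ])
    # Backslashes in the registry path are doubled so the literal does not
    # rely on unrecognised escape sequences (\S, \C, \W) being passed through;
    # the resulting string is unchanged.
    # NOTE(review): the registry path ends at 'Services\W3S', which looks
    # truncated — confirm the full key before this text is published.
    recommendation = "If not required by development users, disable this method. For Apache servers, edit the /etc/apache2/conf.d/security file:\n\nDisable TRACE:\nTraceEnable Off\nReload Apache:\n/etc/init.d/apache2 reload\n\nFor IIS, change the EnableTraceMethod entry in the following Registry Path to a value of 0:\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W3S"
    # NOTE(review): the two OWASP URLs below contain a literal space in the
    # path; confirm the intended path before publishing.
    notes = "\n".join([
        "<bold>Bypassing httpOnly Using TRACE Method</bold>",
        "<url>http://jeremiahgrossman.blogspot.ro/2007/04/xst-lives-bypassing-httponly.html</url>",
        "",
        "<bold>Cross-Site Tracing</bold>",
        "<url>https://www.owasp.org/index.php/Cross Site Tracing</url>",
        "",
        "<bold>Test for HTTP TRACE Method</bold>",
        "<url>https://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST %28OWASP-CM-008%29</url>",
    ])

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices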
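def gen(cb):
    """Build the report appendix entry for the Windows SMBv1 support finding.

    The finding text is handed to ``genFile.genr`` together with ``cb``;
    whatever it returns (when not ``None``) is accumulated. The original
    notes listed every Microsoft KB URL twice; the list is now emitted once.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when the
        plugin produced none. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    plugin_ids = ["Microsoft Windows SMBv1 Multiple Vulnerabilities"]
    name = "Microsoft Windows SMBv1 Support"
    description = "Hosts running deployments of Microsoft Windows operating systems each present a Server Message Block (SMB) service which supports connections made using version 1 of the protocol. Several vulnerabilities were identified to affected services configured in such a manner, leaving each host susceptible to various attack vectors."
    risk_description = "\n\n".join([
        "Each identified Windows host has support for Microsoft Server Message Block 1.0 (SMBv1) enabled. It can be considered vulnerable to multiple issues due to the improper handling of SMBv1 packets and requests. Such issues include information disclosure, denial of service and arbitrary code execution from a remote unauthenticated attacker, all leveraged through crafted SMBv1 packets.",
        "This issue affects all Microsoft Windows Operating System releases, including Windows Server 2016 and Windows 10. It should also be noted that whilst updates have been released for these issues for supported Windows releases, continued use of/support for SMBv1 is not recommended.",
    ])
    # One "- <release> : <KB>" line per affected Windows release.
    recommendation = "\n".join([
        "Review each host as an authenticated user and ensure the relevant security update for the operating system version present has been applied:",
        "- Windows Server 2008 : KB4018466",
        "- Windows 7 : KB4019264",
        "- Windows Server 2008 R2 : KB4019264",
        "- Windows Server 2012 : KB4019216",
        "- Windows 8.1 / RT 8.1. : KB4019215",
        "- Windows Server 2012 R2 : KB4019215",
        "- Windows 10 : KB4019474",
        "- Windows 10 Version 1511 : KB4019473",
        "- Windows 10 Version 1607 : KB4019472",
        "- Windows 10 Version 1703 : KB4016871",
        "- Windows Server 2016 : KB4019472",
    ])
    # Each KB article referenced once (the original repeated the whole list).
    kb_urls = [
        "https://support.microsoft.com/help/4016871",
        "https://support.microsoft.com/help/4018466",
        "https://support.microsoft.com/help/4019213",
        "https://support.microsoft.com/help/4019214",
        "https://support.microsoft.com/help/4019215",
        "https://support.microsoft.com/help/4019216",
        "https://support.microsoft.com/help/4019263",
        "https://support.microsoft.com/help/4019264",
        "https://support.microsoft.com/help/4019472",
        "https://support.microsoft.com/help/4019473",
        "https://support.microsoft.com/help/4019474",
    ]
    notes = "\n".join("<url>" + url + "</url>" for url in kb_urls)

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices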
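def gen(cb):
    """Build report appendix entries for the SMB configuration findings.

    Two findings are emitted — SMB signing not enforced and SMB NULL sessions
    permitted — sharing one description. Each is handed to ``genFile.genr``
    together with ``cb``; whatever it returns (when not ``None``) is
    accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when no
        finding produced any. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    # New plugin_ids
    # Shared by both findings; its first line doubles as a section title.
    description = "Server Message Block (SMB) Issues\nConfiguration issues within the Server Message Block (SMB) service on multiple hosts could enable information disclosure or traffic interception. Successful interception of traffic from the SMB service could enable the retrieval of Windows domain user credentials that could be used to gain privileged access within the internal network."

    plugin_ids = ['SMB Signing Disabled', 'SMB Signing Required']
    name = "SMB Signing Disabled"
    risk_description = "The configuration of SMB services on a number of hosts does not enforce SMB message signing, which can allow attackers to replay SMB authentication handshakes to bypass authentication. In order to successfully exploit this issue, an attacker must capture a valid handshake, which would require a user to be tricked into connecting to a shared service. SMB authentication can tie directly into either a Windows Active Directory domain or local user accounts, enabling the potential compromise of user accounts, the host or domain."
    recommendation = "Message signing should be enforced in each host's configuration. This can be found within Local Security Policy of an affected host or applied as part of a domain Group Policy under:\nSecurity Options - Microsoft network client: Digitally sign communications\nSecurity Options - Microsoft network server: Digitally sign communications"
    # Note lines in this generator are newline-terminated (trailing "\n").
    notes = "".join([
        "<bold_italic>" + name + "</bold_italic>\n",
        "<url>https://technet.microsoft.com/en-us/library/jj852186(v=ws.10).aspx</url>\n",
    ])

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    # New plugin_ids
    plugin_ids = ['Microsoft Windows SMB NULL Session Authentication']
    name = "SMB NULL Sessions Permitted"
    risk_description = "The affected hosts are running versions of Microsoft Windows. It is possible to log into them using a NULL session (i.e. without any credentials). Depending on the configuration of each host, it may be possible for an unauthenticated, remote attacker to leverage this issue to retrieve useful information."
    recommendation = "Suitable changes can be enforced using Local Group Policy and altering the values for Computer Configuration\\Windows Settings\\SecuritySettings\\Local Policies\\SecurityOptions\nDisable the following options within the \"Network access\" security options, either on each host or as part of a domain policy:\nAllow anonymous SID/Name translation\nLet \"Everyone\" permissions apply to anonymous users\n\nEnable the following options within the \"Network access\" security options, either on each host or as part of a domain policy:\n\nDo not allow anonymous enumeration of SAM accounts\nDo not allow anonymous enumeration of SAM accounts and shares\n\nEnable the following options within the \"Network access\" security options, either on each host or as part of a domain policy, and configure them with a NULL/empty value:\n\nNamed Pipes that can be accessed anonymously\nShares that can be accessed anonymously"
    notes = "".join([
        "<bold_italic>" + name + "</bold_italic>\n",
        "<url>http://support.microsoft.com/kb/143474/</url>\n",
        "<url>https://technet.microsoft.com/en-us/library/jj852268(v=ws.10).aspx</url>\n",
        "<url>https://technet.microsoft.com/en-us/library/jj852166(v=ws.10).aspx</url>\n",
        "<url>https://technet.microsoft.com/en-us/library/jj852230(v=ws.10).aspx</url>\n",
    ])

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices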
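def gen(cb):
    """Build the report appendix entry for the Apache 1.3.x vulnerabilities finding.

    The finding text is handed to ``genFile.genr`` together with ``cb``;
    whatever it returns (when not ``None``) is accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when the
        plugin produced none. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    # The '%' presumably acts as a LIKE-style wildcard inside genFile.genr's
    # plugin matching — confirm against genFile before relying on it.
    plugin_ids = ['Apache 1.% Multiple Vulnerabilities']
    name = "Apache Web Server 1.3.x Multiple Vulnerabilities"
    description = "The Apache web server (HTTPD) software is used to host web sites and applications, allowing users to gain access to the relevant functionality provided by these services and their hosted resources. A deployment of this software on a host appears to be missing software updates or presents default resources that could be manipulated to affect the availability of the underlying host or allow access to information regarding the deployment."
    risk_description = "The deployed version of the Apache HTTP 1.3.x web server is potentially affected by several vulnerabilities, including cross-site scripting, buffer overflow, local file inclusion and information disclosure, which have since been addressed by updates to the Apache HTTPD 1.3.x branch. The existence of several of these vulnerabilities depends on the presence of the specific Apache modules that are affected and on the current installation not having received any backported patches, which is typical practice for software managed as part of other repositories."
    # Typo "availabled" in the original text corrected to "available".
    recommendation = "If this deployment is not running a version which utilises backported security updates then it should be upgraded to the most recent version of the Apache 1.3.x distribution. It should be noted that the final version of this branch has been made available, indicating that no future updates will be made to it.\n\nAs these issues often only affect deployments using specific Apache modules, a review of each Apache server and the modules it uses is recommended.\n\nThis deployment may also be part of a wider software installation provided by a third party. In this case, guidance for updating the software should be sought from the relevant vendor."
    notes = "\n".join([
        "<url>http://httpd.apache.org</url>",
        "<url>http://httpd.apache.org/security/vulnerabilities_13.html</url>",
    ])

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices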
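def gen(cb):
    """Build the report appendix entry for the CodeMeter privilege-escalation finding.

    The finding text is handed to ``genFile.genr`` together with ``cb``;
    whatever it returns (when not ``None``) is accumulated. The original
    description was a copy of the Apache HTTPD finding's text and has been
    replaced with one that matches this finding's risk description.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when the
        plugin produced none. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    plugin_ids = ['CodeMeter < 5.20 Local Privilege Escalation Vulnerability']
    name = "CodeMeter Privilege Escalation"
    # Derived from the risk description below; the previous text described
    # the Apache web server and did not belong to this finding.
    description = "A number of hosts run CodeMeter WebAdmin server instances which report versions prior to 5.20a. These versions are affected by insecure permissions on the 'codemeter.exe' service, which could allow a local attacker to gain elevated privileges on the underlying host."
    risk_description = "Based on the self-reported version recovered from responses from CodeMeter WebAdmin server instances, a number of deployments are running versions prior to 5.20a (5.20.1458.500). Such versions are affected by insecure read/write permissions for the 'codemeter.exe' service which a local attacker can exploit to gain elevated privileges using a crafted file.\n\nThis issue was identified remotely during the assessment and requires access to the underlying host in order to leverage it, limiting its immediate risk."
    # Typo "Alterantively" in the original text corrected to "Alternatively".
    recommendation = "This issue was addressed in CodeMeter version 5.20a (5.20.1458.500), so upgrading each deployment to the most recent release should address this issue.\n\nAlternatively, permissions set on the 'codemeter.exe' service executable and service could be revised to prevent non-privileged users from altering the service configuration or replacing the executable."
    notes = "<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8419</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices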
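def gen(cb):
    """Build the report appendix entry for the SSH protocol version 1 finding.

    The finding text is handed to ``genFile.genr`` together with ``cb``;
    whatever it returns (when not ``None``) is accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when the
        plugin produced none. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    plugin_ids = ['SSH Protocol Version 1 Session Key Retrieval']
    name = "SSH Protocol Version 1 Support"
    description = "Secure Shell services are used to provide secure remote access to network-connected hosts to allow administrative actions to be performed remotely while ensuring the confidentiality of the service traffic. Historical versions of the SSH protocol suffer from cryptographic flaws, reducing the computational effort required to decrypt communications secured using older protocols. Successful decryption of traffic could facilitate a host compromise."
    # Subject/verb agreement fixed ("service ... supports"); the trailing
    # blank line of the original text is preserved.
    risk_description = "The SSH service on these devices supports connections made using version 1.5 of the SSH protocol. This protocol has known cryptographic flaws that affect the encryption mechanism used to secure the service traffic. As a result, the effort required to compromise traffic (through interception and decryption) secured by a service using SSH v1 is significantly reduced, thus increasing the likelihood and risk of such an attack occurring.\n\nMore recent iterations of SSH services offer support for variations of SSH versions 1.5, 1.99 and 2.0 that can be controlled by configuration settings, so the tester has assumed that typical SSH connections are established using SSH v2 and that an attacker would have to manipulate a client attempting to establish a connection to the service in order to force a weaker SSH v1 connection to be established.\n\n"
    recommendation = "Disable compatibility with version 1 of the protocol. References for implementing this change on Cisco devices and Linux hosts are available in the Notes Section."
    notes = "\n".join([
        "<url>http://www.cisco-faq.com/178/disablesshv1sshversion2.html</url>",
        "<url>http://www.skullbox.net/disablessh1.php</url>",
    ])

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices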
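def gen(cb):
    """Build the report appendix entry for the eIQnetworks Security Analyzer finding.

    The finding text is handed to ``genFile.genr`` together with ``cb``;
    whatever it returns (when not ``None``) is accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when the
        plugin produced none. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    plugin_ids = [22127]
    name = "eIQnetworks Enterprise Security Analyzer"
    description = "A security event/logging analysis application is installed on at least one host that is vulnerable to remote buffer overflow attacks."
    risk_description = "\n\n".join([
        "Variants of the eIQnetworks Enterprise/Network Security Analyzer software installed on hosts is known to be affected by multiple stack-based buffer overflows in the Syslog service. Using a long argument to any of several commands, an unauthenticated, remote attacker may be able to leverage this issue to execute arbitrary code on the affected host with LOCAL SYSTEM privileges, leading to its complete compromise. If the underlying host is a domain member, this could provide attackers with additional resources through which other domain resources can be compromised.",
        "It should be noted that exploits for these issues are publicly available.",
    ])
    recommendation = "This issue has been addressed in more recent releases of the Enterprise/Network Security Analyzer software (2.1.14 and 4.5.4). Affected deployments should be brought into line with the most recent, supported release or decommissioned."
    notes = "<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3838</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices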
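def gen(cb):
    """Build the report appendix entry for the cookie-without-Secure-flag finding.

    The finding text is handed to ``genFile.genr`` together with ``cb``;
    whatever it returns (when not ``None``) is accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when the
        plugin produced none. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    plugin_ids = ["SSL cookie without Secure flag set"]
    name = "Cookies Not Set With Secure Flag"
    description = "Secure is an additional flag included in a Set-Cookie HTTP response header. Using the Secure flag when generating a cookie helps mitigate the risk of interception of cookies sent over encrypted communications, as otherwise they could be accessed outside of the Secure session."
    risk_description = "\n\n".join([
        "If the Secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic.",
        "If the Secure flag is not set, then the cookie will be transmitted in cleartext whenever the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site.",
        "Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.",
    ])
    recommendation = "The Secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications."
    notes = "<url>https://www.owasp.org/index.php/SecureFlag</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices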
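def gen(cb):
    """Build the report appendix entry for the LDAP NULL base search finding.

    The finding text is handed to ``genFile.genr`` together with ``cb``;
    whatever it returns (when not ``None``) is accumulated.

    Args:
        cb: Opaque handle passed straight through to ``genFile.genr``;
            presumably the scan-result / report context — confirm in genFile.

    Returns:
        The accumulated list of entries, or ``None`` (implicitly) when the
        plugin produced none. The ``None``-for-empty behaviour is kept
        because callers may distinguish it from an empty list.
    """
    appendices = []

    plugin_ids = [10722]
    name = "LDAP NULL BASE Search Access"
    description = "LDAP services support requests with NULL base objects, which can be used to extract information about the directory structure."
    risk_description = "\n\n".join([
        "LDAP server services were identified which support search requests with a NULL, or empty, base object. This configuration allows information to be retrieved from the services without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query the service and recover information from the directory (e.g. users, address details etc).",
        "It should be noted that valid reasons to allow queries with a NULL base do exist. The most recent iteration of the LDAP protocol, version 3, provides access to the root DSA-Specific Entry (DSE), with information about the supported naming context, authentication types, and the like. It also means that legitimate users can find information in the directory without any prior knowledge of its structure.",
    ])
    recommendation = "If the affected LDAP servers support a version of the LDAP protocol prior to v3, consider disabling NULL BASE queries."
    notes = "<url>http://support.microsoft.com/kb/837964</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices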
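def gen(cb):
    """Build the "Oracle WebLogic Server" outdated-version finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    # Plugin-name pattern genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['Oracle WebLogic Server%']
    name = "Oracle WebLogic Server"
    description = "The Oracle WebLogic web server software is used to host Java J2EE applications. A deployment of this software within the assessed environment appears to be missing software updates."
    # Spelling fixes in the report text: "execution", "known".
    risk_description = "At least one installation of Oracle WebLogic server on a host was seen to be running on an outdated version. WebLogic has previously been affected by various instances of remote code execution, including a prominent issue relating to the Apache Commons Collections library as well as similar issues affecting other subcomponents and libraries used by WebLogic. Other previous issues known to affect older WebLogic versions have included unauthorised data modification and denial of service."
    recommendation = "It is recommended that the deployment be upgraded to the most recent release made available by Oracle. Quarterly Critical Patch Updates (CPUs) are made available for Oracle products which are actively supported. Applying the most recent of these releases should address any issues affecting the identified deployments."
    notes = "<url>https://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None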
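def gen(cb):
    """Build the "Chargen Service - DoS" finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for plugin 10043, or
        None when it produced nothing.
    """
    appendices = []

    # Plugin id(s) genr matches the scan results against.
    plugin_ids = [10043]
    name = "Chargen Service - DoS"
    description = "Chargen is a historic service used for debugging TCP/UDP connections. No longer commonly used, the chargen service can be manipulated into performing a denial-of-service attack against assets."
    # Spelling fix in the report text: "underlying".
    risk_description = "The chargen service was found on hosts during the assessment. This service responds to connections with random characters (e.g. all the characters in the alphabet). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, the service will continue sending packets containing such characters until the client closes the connection.\n\nThis service was used to mostly test the TCP/IP protocol by itself, to ensure that all packets were arriving at their destination unaltered. An attacker could craft packets to be sent to this service, manipulating the source of the request. The service would then attempt to send traffic back to the manipulated source, consuming network resources and those of the underlying hosts."
    # The registry path's backslashes are doubled so they are real escapes
    # rather than invalid ones (\S, \C, \P, \<), which Python 3.12+ warns on
    # and later versions reject; the emitted text is unchanged.
    recommendation = "If in use, filter access to this service to only necessary sources.\n\nDisable this service where not required. On Unix/Linux systems this is commonly done by commenting out the chargen line in /etc/inetd.conf and restarting the inetd service.\n\nFor Windows hosts, disable the \"Simple TCP Services\" service or set the following registry entries under <italic>HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\</italic> to 0 and restart the \"simptcp\" service:\n\n<italic>EnableTcpChargen</italic>\n<italic>EnableUdpChargen</italic>"
    notes = "<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0103</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None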
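def gen(cb):
    """Build the "IBM Rational ClearQuest" outdated-version finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    # Plugin-name pattern genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['IBM Rational ClearQuest %']
    name = "IBM Rational ClearQuest"
    description = "Hosts have versions of the IBM Rational ClearQuest software installed that are affected by multiple vulnerabilities."
    # Spelling fix in the report text: "affected by".
    risk_description = "Authenticated assessment has identified that the version of IBM Rational ClearQuest installed on a number of hosts predates more recent releases. Such installations are affected by a number of web application attacks, including those associated with default/sample scripts (e.g. snoop), cross-site scripting vulnerabilities, information disclosure issues (Including those relating to passwords) and privilege escalation attacks as well as a number of issues for which details remain undisclosed."
    recommendation = "Upgrade to the most recent, supported release of the IBM Rational ClearQuest branch in use."
    notes = "<url>http://www-01.ibm.com/support/docview.wss?uid=swg21606319</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg21606385</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg21605840</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg21605839</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg21605838</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg21606318</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg1PM15146</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg1PM01811</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg1PM20172</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg1PM22186</url>\n<url>http://www-01.ibm.com/support/docview.wss?uid=swg21470998</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None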
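def gen(cb):
    """Build the "VMware ESX/ESXi" outdated-hypervisor finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    name = "VMware ESX/ESXi"
    # Plugin-name patterns genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['VMware ESX%', 'VMware ESXi%', 'ESXi 5.%', 'ESX%']
    description = "The VMWare vSphere ESX/ESXi hypervisor software solutions provides functionality with which organisations are able to deploy a multitude of virtual assets, including servers and networking devices. As these hypervisors are typically used to host the majority of infrastructure assets due to the flexibility a virtual environment can offer, vulnerabilities within the deployed ESX/ESXi software versions could have a potentially critical impact on an environment if exploited."
    risk_description = "Issues are known to be associated with the identified deployments of the VMware ESX/ESXi software running on hosts throughout the assessed network. These issues range from information disclosure issues to buffer overflow vulnerabilities with publicly available exploits. Each instance of an issue could provide an attacker with useful information that could benefit further attacks or, in the more severe cases, could be used to remotely compromise a host with SYSTEM/root level privileges.\n\nIt should be noted that a number of these issues require that specific functionality be enabled and utilised by the software (e.g. Network File Copy or virtual iSCSI devices) or that the attacker has access to a valid user account on the deployment, reducing the likelihood of such issues being exploited."
    recommendation = "Update each ESX/ESXi deployment to the most recent supported release for its current branch."
    notes = "<url>http://www.vmware.com/security/advisories.html</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None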
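def gen(cb):
    """Build the "Oracle TNS Listener Poisoning" finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        name, or None when it produced nothing.
    """
    appendices = []

    # Plugin name genr matches the scan results against.
    plugin_ids = ['Oracle TNS Listener Remote Poisoning']
    name = 'Oracle TNS Listener Poisoning'
    description = "The Oracle TNS listener service listening on a number of hosts as part of their underlying Oracle Database deployments may be vulnerable to a man-in-the-middle attack. As Oracle Database deployments are typically used to store large volumes of data for processing and presentation by applications, some of which may handle sensitive data, this issue could present a significant threat to the security of the affected databases and the data housed within them."
    risk_description = "A number of Oracle Database server deployments appear to present TNS listener services which allow service registration from a remote host. Commonly referred to as the \"TNS Poison\" vulnerability, this issue could permit a suitably positioned attacker to route some TNS listener traffic through a malicious/compromised host, which could allow for session hijacking of a database connection or denial-of-service attacks against each host and the listener service. Such activity could enable the compromise of the data hosted within the Oracle Database deployments or facilitate the compromise of the underlying host. These attacks would be difficult to detect, as all incoming connections would appear to be from authorised hosts/users.\n\nThis issue is known to affect versions of Oracle Database from 8i to 11g. More recent releases, such as 12c, have had this issue addressed."
    recommendation = "Sources indicate that Oracle have provided workarounds to customers with existing support contracts to address this issue, either in the form of a patch or reconfiguration of the service.\n\nIt is recommended that a review of the references included within the Notes section be undertaken and any relevant workarounds be applied to each affected deployment. This activity should only be undertaken after significant research and review has been undertaken to ensure that such actions will not have a detrimental impact on the hosts or services.\n\nIf no suitable workarounds are available for a deployment, it will likely require an upgrade of the underlying Oracle software.\n\nAccess to these listener services could be restricted through segregation in order to minimise their exposure to scrutiny from other network assets."
    notes = "<url>http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html</url>\n<url>https://forums.oracle.com/thread/2385622</url>\n<url>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1675</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None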
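def gen(cb):
    """Build the "ImageMagick" outdated-version finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    # Plugin-name pattern genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['ImageMagick <%']
    name = "ImageMagick"
    description = "Hosts have versions of the ImageMagick software installed that are affected by multiple vulnerabilities. Exploitation of such issues typically requires a user to be tricked into accessing a malicious resource and could enable the remote compromise of a host."
    risk_description = "Authenticated assessment has identified that the version of ImageMagick installed on a number of hosts predates more recent releases. Such installations are affected by a number of denial of service, buffer overflow and arbitrary code execution vulnerabilities which can be leveraged through tricking a user into opening crafted files. The more severe of these issues could result in the remote compromise of the underlying host, potentially introducing further avenues of attack against the host and other assets."
    recommendation = "Upgrade the ImageMagick software to the most recent release or remove it from the system if not required. Vulnerable versions may have to be removed from the system."
    # No reference URLs for this finding.
    notes = ""

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None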
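def gen(cb):
    """Build the Firebird "Default Credentials" finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for plugin 32315, or
        None when it produced nothing.
    """
    appendices = []

    # Plugin id(s) genr matches the scan results against.
    plugin_ids = [32315]
    description = "Hosts have been identified with Firebird Database services listening on them which are using default credentials. These services, underlying hosts and data held by services could be at risk of remote compromise."
    name = "Default Credentials"
    risk_description = "Deployments of Firebird on the affected hosts use default credentials to control access to the database. Knowing these, an attacker can gain administrative access to any affected applications. Whilst the tester was able to authenticate to the service, without knowing a valid Firebird Database file, they are unable to recover any data from the service."
    recommendation = "Use the application\'s \'gsec\' utility to change the password for the \'SYSDBA\' account."
    notes = "<url>http://www.firebirdsql.org/manual/qsg2-config.html</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None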
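def gen(cb):
    """Build the "rlogin Services" (rlogin/rexec) finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for plugin 10205, or
        None when it produced nothing.
    """
    appendices = []

    # Plugin id(s) genr matches the scan results against.
    plugin_ids = [10205]
    name = "rlogin Services"
    description = "Instances of obsolete Inetd services were seen on hosts within the network. These can be used to gain remote access or execute commands with administrative rights on an affected host. Such services are considered obsolete and have been deprecated and replaced by more secure alternatives due to the lack of security, such as traffic encryption, and vulnerabilities related to them."
    risk_description = "This finding relates to two Inetd obsolete services, rlogin and rexec, instances of which were observed on hosts during the course of the review. Whilst it is not possible for the tester to be certain as to the functional requirements of each affected host, the presence these services is likely surplus to requirements and increases the threat surface of the host.\n\nThe availability of rlogin and rexec services also highlights a collection of more dangerous issues. Each of these services can grant a user remote access to the host, providing they have the correct authentication details. These services do not secure their traffic, transmitting all data in cleartext, making it significantly easier to acquire credentials via interception (Man-in-the-Middle).\n\nVulnerabilities have also affected rlogin and rexec in the past, including the ability to bypass the authentication requirements of each service. Whilst no evidence of such issues was seen during this review, the continued availability of such services undermines the security of each affected host."
    recommendation = "Disable rlogin and rexec and enforce the use of the SSH service.\nComment out the relevant lines (\"login\" and \"exec\") in the /etc/inetd.conf file on each host before restarting the inetd service to disable these services."
    notes = "<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0651</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None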
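def gen(cb):
    """Build the "IBM GCM KVM Switch Firmware" finding.

    The risk_description below is a template: the version marker "(xxxxx)"
    and the "##########Issues###########" block must be filled in for the
    engagement before the report is generated, or they are emitted verbatim.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    # Plugin-name pattern genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['IBM GCM16 / GCM32 Global Console Manager KVM Switch Firmware Version%']
    name = "IBM GCM KVM Switch Firmware"
    description = "The web interface for IBM KVM switches is reported to be affected by multiple vulnerabilities."
    # Placeholders "(xxxxx)" and "##########Issues###########" -- see docstring.
    risk_description = "Based on the reported version number returned by hosted web services, each affected host is an IBM Global Console Manager (GCM32) KVM switch using a dated firmware version (xxxxx). More recent versions have been made available to fix the following issues which could enable the compromise of the host. Mitigating factors, such as an authentication prerequisite for exploitation, have been noted.\n\n##########Issues###########"
    recommendation = "Upgrade the firmware to the most recent version."
    # No reference URLs for this finding.
    notes = ""

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None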
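def gen(cb):
    """Build the "Microsoft Malware Protection Engine" outdated-version finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    # Plugin-name pattern genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['Microsoft Malware Protection Engine < %']
    # Plugin-output fields that were once meant to be included; not passed
    # to genr in the current signature.
    # include_strings=["  Product name","  Path","  Version","  Engine version","  Antivirus signature version","  Antispyware signature version"]
    name = "Microsoft Malware Protection Engine"
    description = "A number of Windows hosts have been identified with an outdated variant of Microsoft Malware Protection Engine (MMPE) software installed. Outdated versions of this software are unable to identify newer malware threats, weakening the security posture of each affected host. Issues affecting the MMPE software directly have also been reported, some of which can be used to fully compromise the underlying host."
    # Spelling fix in the report text: "tricking a user".
    risk_description = "Hosts were found to have issues within the configuration of their Microsoft Malware Protection Engine (MMPE) installations. A lack of regular updates for the engine in use by these deployments are seen to prevent hosts from being able to detect more recently identified malicious content/activity and thus leaving them more susceptible to compromise in the event malicious content is accessed on the host. Additional issues affecting MMPE include those which can permit code execution or denial of service. An attacker capable of placing a crafted file on a host (e.g. by tricking a user into downloading it) could use such issues to remotely compromise the underlying host."
    recommendation = "Ensure each deployment is kept in line with the most recent release. Microsoft typically release updates for this solution on a monthly basis."
    # No reference URLs for this finding.
    notes = ""

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None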
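def gen(cb):
    """Build the "Microsoft Windows Update Reboot Required" finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        name, or None when it produced nothing.
    """
    appendices = []

    # Plugin name genr matches the scan results against.
    plugin_ids = ['Microsoft Windows Update Reboot Required']
    name = "Microsoft Windows Update Reboot Required"
    description = "At least one host has been identified which requires a reboot in order to apply recently installed updates. As such updates commonly include security fixes, leaving a host in this state leaves it persistently vulnerable to issues which have already been remedied."
    risk_description = "Authenticated assessment of hosts has identified that a number require a reboot in order to apply outstanding updates. Without rebooting each host will be unable to apply these updates, including any security fixes, leaving each host vulnerable to issues which have otherwise been addressed."
    recommendation = "Force a manual reboot of each affected host when possible to ensure that any pending updates are suitably applied."
    notes = "<url>https://technet.microsoft.com/library/cc960241.aspx</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None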
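def gen(cb):
    """Build the "Web Server Internal IP Disclosure" finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for plugin 10759, or
        None when it produced nothing.
    """
    appendices = []

    # Plugin id(s) genr matches the scan results against.
    plugin_ids = [10759]
    name = "Web Server Internal IP Disclosure"
    description = "Web servers have been identified which leak a private IP address through their returned HTTP headers."
    risk_description = "Sending HTTP requests of a specific format (e.g. a request missing the Host header, such as \"GET / HTTP/1.0\") to web servers resulted in private IP addresses being returned within the Location or Content-Location header within the HTTP response. This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server, providing an attacker with additional knowledge about an organisation's networks.\n\nThis issue is known to affect older variations of Microsoft IIS its default configuration, as well as other web servers, web applications, web proxies, load balancers, and through a variety of misconfigurations related to redirection."
    recommendation = "Vendor-specific solutions may be available through updates for the underlying web server software. Alternative solutions may include configuring software/application logic to manually set header values being sent with each HTTP response."
    # References are newline-separated, matching the other generators (the
    # second <url> previously ran straight on from the first).
    notes = "<url>https://support.microsoft.com/en-gb/kb/967342</url>"
    notes += "\n<url>https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0649</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None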
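def gen(cb):
    """Build the "DNS Dynamic Updates" finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for plugin 35372, or
        None when it produced nothing.
    """
    appendices = []

    # Plugin id(s) genr matches the scan results against.
    plugin_ids = [35372]
    name = "DNS Dynamic Updates"
    description = "DNS services were identified which permit their records for specific zones to be dynamically updated. This can be used to facilitate man-in-the-middle attacks."
    risk_description = "DNS services were found to permit the dynamic updating of their records. This functionality can be used to create or alter DNS records, enabling an attacker to redirect traffic away from a legitimate host to one under their control. This could be used to intercept sensitive service traffic or direct users to malicious resources/applications, through which an attacker may attempt to compromise user hosts or account credentials.\n\nIt should be noted that this finding can reflect a legitimate configuration if testing of these services was conducted from within a network subnet which is required to perform dynamic updates by the DNS services."
    # Spelling fix in the report text: "source addresses".
    recommendation = "Limit the source addresses that are allowed to perform dynamic updates against these services (e.g. with BIND's 'allow-update' option) or implement the signing of DNS traffic (e.g. TSIG or SIG(0))."
    notes = "<url>https://technet.microsoft.com/en-us/library/cc753751(v=ws.11).aspx</url>"
    notes += "\n<url>https://technet.microsoft.com/en-us/library/cc725703(v=ws.11).aspx</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None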
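def gen(cb):
    """Build the "OpenSSL 0.9.7 Services" unsupported-branch finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    # Plugin-name pattern genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['OpenSSL < 0.9.7%']
    name = "OpenSSL 0.9.7 Services"
    description = "Several hosts have been observed to present at least one services which utilises an older version of the OpenSSL 0.9.7 library to secure their traffic. Such versions are commonly superseded as a result of a number of issues affecting them, some of which can be seen to carry a significant threat to data and host security from unauthenticated attackers with access to the services or the network being used by a connecting client. Such versions are also now no longer supported, preventing them from receiving updates for any identified issues."
    # Duplicated "vulnerable to" removed from the report text.
    risk_description = "The version of the OpenSSL software seen to be utilised by at least one service on several hosts has been superseded by several more recent releases, each of which has addressed security vulnerabilities of varying risk/impact, and the overall branch (0.9.7) is no longer supported, identifying a long term threat posed by software no longer receiving security updates. The use of older software versions leaves the services, their traffic and the underlying hosts vulnerable to exploitation, with issues threatening the security of encrypted service traffic, service availability (through possible denial-of-service attacks), authentication bypass and code execution vulnerabilities which threaten the underlying host.\n\nIt should be noted that update backporting often takes place within software deployments such as OpenSSL for different operating systems or software deployments. This finding is reported as a result of version information regarding OpenSSL being revealed in responses from the service (e.g. in web server headers)."
    recommendation = "As the deployed branch is no longer publicly supported, the OpenSSL installations should be migrated to a supported branch and kept up to date in line with future releases. If an affected service/installation is provided as part of a third party product deployment, discuss a supported upgrade path with the vendor."
    notes = "<url>https://www.openssl.org/policies/releasestrat.html</url>"
    notes += "\n<url>https://www.openssl.org/news/openssl-0.9.7-notes.html</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None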
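def gen(cb):
    """Build the "Telnet Services" cleartext-remote-access finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        name, or None when it produced nothing.
    """
    appendices = []

    # Plugin name genr matches the scan results against.
    plugin_ids = ['Unencrypted Telnet Server']
    name = "Telnet Services"
    description = "Hosts throughout the network were observed to be running a Telnet server service. Telnet is a historical remote terminal service used for configuring and managing devices remotely, but does it not typically enforce suitable security mechanisms to protect its data when in transit. As a result, Telnet traffic is usually sent in cleartext between a client and server, leaving it vulnerable to interception. As this traffic can include user credentials and system commands, its presence poses a considerable risk to each host it is deployed on."
    risk_description = "Each of the hosts listed within the Affected Components section was seen to be running a Telnet service that transmits unencrypted (cleartext) traffic. An attacker who is able to successfully intercept this traffic, most likely by performing a Man-in-the-Middle (MitM) attack against a client or the server, will be able to read every exchange of data between the Telnet client and server. Depending on the function of each host, this could allow an attacker to intercept user credentials for remote access purposes, configuration alterations (which may include passwords) and sensitive information, such as firewall configurations.\n\nThe tester notes that whilst some Telnet deployments can support traffic encryption using SSL/TLS, these deployments were not seen to utilise this functionality."
    recommendation = "Disable the Telnet service on each host and make use of a more secure alternative remote access solution, such as SSH.\n\nIf a host will not support SSH, force all Telnet communications to be encrypted using SSL/TLS.\n\nThe presence of any host that does not support SSH instead of Telnet should be reviewed, and if its presence is not a requirement, the host should be decommissioned. If the host must remain in place, filter access to these services from non-management assets."
    notes = "<url>https://catn.com/2010/03/23/why-do-we-use-ssh-over-telnet/</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None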
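def gen(cb):
    """Build the "Samba Badlock Vulnerability" finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for plugin 90509, or
        None when it produced nothing.
    """
    appendices = []

    # Plugin id(s) genr matches the scan results against.
    plugin_ids = [90509]
    name = "Samba Badlock Vulnerability"
    description = "Samba services are running versions which are vulnerable to man-in-the-middle and denial-of-service issues, commonly referenced as the \"Badlock\" vulnerability."
    # Duplicated "able to" removed from the report text.
    risk_description = "The version of Samba, a CIFS/SMB server for Linux and Unix, running on hosts is affected by a flaw, known as Badlock. This issue exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker who is able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services."
    recommendation = "This issue has been addressed in more recent releases of the Samba software. Ensure that affected installations are updated in line with the most recent, supported release. Installations provided as part of other third-party software deployments will require a vendor-provided update to address this issue."
    notes = "<url>http://badlock.org</url>"
    notes += "\n<url>https://www.samba.org/samba/security/CVE-2016-2118.html</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None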
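def gen(cb):
    """Build the "MiniUPnP 1.x Deployments" outdated-version finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    # Plugin-output fields that were once meant to be included; not passed
    # to genr in the current signature (kept commented, as in the MMPE
    # generator).
    # include_strings = ["  Server banner", "  Installed version"]
    # Plugin-name pattern genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['MiniUPnP < 1.%']
    name = "MiniUPnP 1.x Deployments"
    description = "Services running on MiniUPnP versions in the 1.x major release were identified on the network. Used for enabling connectivity for various network clients/services behind NAT'd connections, the software versions on services identified appear to be dated."
    risk_description = "Banners retrieved from MiniUPnP services have identified them to be running older releases of MiniUPnP 1.x which are associated with known vulnerabilities.\n\nIssues affecting such releases have included buffer overflows leading to code execution or denial of service through service crashes and attacks which can be used to invoke client-side scripts on connecting client devices. Leveraging code execution attacks would result in the remote compromise of the underlying host."
    recommendation = "Upgrade the MiniUPnP version to the most recent supported release. For deployments which are implemented as part of third-party software/device firmware, contact the vendor to identify if more recent releases are available to address this issue."
    notes = "<url>http://miniupnp.free.fr/files/</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None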
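def gen(cb):
    """Build the "Linux Kernel TCP Sequence Number Generation" finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        name, or None when it produced nothing.
    """
    appendices = []

    # Plugin name genr matches the scan results against.
    plugin_ids = ['Linux Kernel TCP Sequence Number Generation Security Weakness']
    name = "Linux Kernel TCP Sequence Number Generation"
    description = "It may be possible to predict TCP/IP Initial Sequence Numbers for a host."
    risk_description = "The Linux kernel is prone to a security weakness related to TCP sequence number generation. Attackers can exploit this issue to inject arbitrary packets into TCP sessions using a brute-force attack. An attacker may use this vulnerability to create a denial of service condition or invoke a man-in-the-middle attack."
    recommendation = "Contact the OS vendor for a Linux kernel update / patch."
    notes = "<url>https://github.com/torvalds/linux/commit/6e5714eaf77d79ae1c8b47e3e040ff5411b717ec</url>"

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None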
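def gen(cb):
    """Build the "IBM DB2 10.5 Deployments" outdated-version finding.

    Args:
        cb: handed straight to genFile.genr; presumably the shared scan-data
            handle every generator receives -- confirm in genFile.

    Returns:
        The appendix entries genFile.genr produced for the matching plugin
        names, or None when it produced nothing.
    """
    appendices = []

    # Plugin-name pattern genr matches against; the trailing '%' presumably
    # acts as a wildcard in that matching -- confirm in genFile.
    plugin_ids = ['IBM DB2 10.5 <%']
    name = "IBM DB2 10.5 Deployments"
    description = "Several hosts present IBM DB2 services which are running on a dated version. As updates are made available to address both functional and security issues, such deployments are seen to present a risk."
    risk_description = "The versions of the IBM DB2 database software running services on a number of hosts has been superseded by more recent releases to the relevant branch (10.5). Each released update addressed security vulnerabilities of varying risk/impact. The use of older software versions leaves the services, their traffic and the underlying hosts vulnerable to exploitation, with issues threatening the security of service traffic, service availability (through possible denial-of-service attacks), authentication bypass and code execution vulnerabilities which threaten the underlying host."
    recommendation = "Ensure that each DB2 instance is kept suitably updated, in line with the agreed patching policy."
    # No reference URLs for this finding.
    notes = ""

    ap = genFile.genr(cb, plugin_ids, name, description, risk_description,
                      recommendation, notes)
    # None from genr means "nothing to add"; anything else is treated as a
    # sequence of appendix entries.
    if ap is not None:
        appendices += ap

    if appendices:
        return appendices
    return None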