
Risk Score 0 Vulnerabilities

Please find information and recommendations on 0 Risk Score vulnerabilities.

Useful Links:
How to engage VSR Team - SNOW request
How to engage Server Support for a CHG - SNOW request
How to engage SE - SNOW request
How to raise a Windows Break Glass - SNOW request

Each entry below gives the vulnerability name, the recommendation, and the owning team (where one is assigned).

Vulnerability: CIFS Account Password Never Expires; CIFS Account Lockout Policy Not Enforced
Recommendation: You can safely ignore these vulnerabilities. The setting on domain-joined (Americas, Corp) servers is irrelevant, because the domain-joined servers have their local admin passwords managed and rotated by LAPS via AD and GPO. It is merely a cosmetic finding: Nexpose/Kenna has no insight into the actual password age, only into the registry key. IT Infrastructure also has compliance settings in place in SCCM to track any server whose password is NOT rotating.

Vulnerability: CIFS Share Readable By Everyone
Owner: App Team
Recommendation: "Everyone" has "Read" permission on a share; the share permissions should be updated so that only the required users have access to it. This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass or engage SE (links at the top of this page).

Vulnerability: CIFS Share Writeable By Everyone
Owner: App Team
Recommendation: "Everyone" has "Write" permission on a share; the share permissions should be updated so that only the required users have access to it. This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass or engage SE (links at the top of this page).

Vulnerability: Database Access
Owner: App Team / DBA / SRO
Recommendation: Open port 1521 (Oracle) - to remediate this vulnerability, app/dev teams should change their connection from port 1521 to port 1523 (the SSL listener). Port 1433 (SQL Server) - PSE ongoing.
Vulnerability: HTTP OPTIONS Method Enabled
Owner: App Team
Recommendation:

Apache HTTPD - disable the OPTIONS method by including the following in the Apache configuration:

<Limit OPTIONS>
Order deny,allow
Deny from all
</Limit>

Note that Order/Deny are Apache 2.2 directives; on Apache 2.4 they require mod_access_compat, and the native 2.4 equivalent inside the <Limit> block is "Require all denied". Either form answers OPTIONS requests with 403.

Microsoft IIS - disable the OPTIONS method in IIS Manager:

1. Select the relevant site.
2. Open Request Filtering and switch to the HTTP Verbs tab.
3. Select Deny Verb from the Actions pane.
4. Type OPTIONS into the text box and press OK.

nginx - disable the OPTIONS method by adding the following line to the relevant location block (limit_except is only valid in location context, not directly in the server block). Every method not listed is denied; GET also permits HEAD, and any other method that must remain allowed can be added after POST:

limit_except GET POST { deny all; }
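A way to verify the change once any of the three configurations above is in place, added here as an example and not taken from the original page: the script sends a GET and then an OPTIONS request to the same path and reports whether OPTIONS is still honoured. Apache's <Limit> and nginx's limit_except answer 403, IIS request filtering answers 404 (substatus 404.6), some servers answer 405 or 501, and a 2xx with an Allow header means the method is still enabled. The local stand-in server and its `hardened` switch are constructed for the demo and are not part of any product.

```python
"""Verify that a web server no longer honours the HTTP OPTIONS method.

Added example, not from the original page. The check compares a GET and an
OPTIONS request to the same path; the local stand-in server is constructed
so the script runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Status codes a hardened server returns for OPTIONS:
# 403 (Apache <Limit>, nginx limit_except), 404 (IIS request filtering, 404.6),
# 405 / 501 (servers that refuse the method outright).
DISABLED_STATUSES = {403, 404, 405, 501}


def _request(host, port, method, path, timeout=5.0):
    """Return (status, Allow header) for a single request."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Allow")
    finally:
        conn.close()


def check_options(host, port, path="/"):
    """Report whether OPTIONS is still enabled on host:port/path.

    'enabled' is None when GET itself fails, because then a 404 on OPTIONS
    says nothing about method filtering.
    """
    get_status, _ = _request(host, port, "GET", path)
    opt_status, allow = _request(host, port, "OPTIONS", path)
    if get_status != 200:
        enabled = None
    else:
        enabled = opt_status not in DISABLED_STATUSES
    return {"get_status": get_status, "options_status": opt_status,
            "allow": allow, "enabled": enabled}


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server; hardened=True denies OPTIONS."""
    hardened = True

    def _reply(self, status, allow=None):
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self._reply(200)

    def do_OPTIONS(self):
        if self.hardened:
            self._reply(403)        # what <Limit OPTIONS> / limit_except return
        else:
            self._reply(200, allow="OPTIONS, GET, HEAD, POST")

    def log_message(self, *args):   # keep the demo output quiet
        pass


def check_local(hardened):
    """Start a stand-in server on an ephemeral port and run the check on it."""
    handler = type("Handler", (_StandInHandler,), {"hardened": hardened})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_options("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for hardened in (False, True):
        print(f"hardened={hardened}: {check_local(hardened)}")
```

Against a real host, call check_options with the server's name, port and a path that returns 200 on GET; a result with enabled=True and an Allow header listing OPTIONS means the configuration change did not take effect (for example because the <Limit> or limit_except block sits in the wrong context).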

Vulnerability: Partition Mounting Weakness
Recommendation: Cannot be fixed without breaking applications. You can ignore this vulnerability.

Vulnerability: User home directory mode unsafe
Recommendation: There is a PSE under discussion.

Vulnerability: World writable files exist
Owner: App Team
Recommendation: App teams should check which files are flagged and fix their permissions by removing world write permission.

For each world-writable file, determine whether there is a good reason for it to be world-writable. If not, remove world write permission from the file.

"chmod o-w <filename>" is the preferred fix: it removes only the write bit for "other" and leaves world read and execute (if set) and every other bit untouched. "chmod 750 <filename>" also clears the finding, but it sets the whole mode, so it removes all access for "other" and any setuid/setgid bits as well; in some cases removing more than the write bit can break an app.

This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass or engage SE (links at the top of this page).
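The audit-and-fix loop described above, added here as an example and not taken from the original page: it lists world-writable regular files under a directory and applies the equivalent of "chmod o-w" to each, clearing only the other-write bit. The walk stays on one filesystem (like find -xdev) and uses lstat so symlinks, whose own mode is always 0777, are not reported. The demo directory, file names and modes are constructed for the example.

```python
"""Find world-writable regular files under a directory and remove only the
other-write bit, as "chmod o-w <file>" does, leaving every other bit alone.

Added example, not from the original page. The demo tree is constructed in
a temporary directory so the script runs offline.
"""
import os
import stat
import tempfile


def find_world_writable(root):
    """Return sorted paths of regular files under root with the other-write bit set."""
    root_dev = os.lstat(root).st_dev
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune mount points so we do not descend into other filesystems.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: a symlink's own mode is 0777
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)


def remove_other_write(path):
    """chmod o-w: clear S_IWOTH only; setuid/setgid/sticky and rwx bits stay."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~stat.S_IWOTH
    os.chmod(path, new_mode)
    return new_mode


def fix_world_writable(root, dry_run=True):
    """Return {path: mode_before}; with dry_run=False also apply chmod o-w."""
    report = {}
    for path in find_world_writable(root):
        report[path] = stat.S_IMODE(os.lstat(path).st_mode)
        if not dry_run:
            remove_other_write(path)
    return report


def demo():
    """Constructed tree: one world-writable file next to a normal one."""
    root = tempfile.mkdtemp(prefix="ww-demo-")
    bad = os.path.join(root, "app.conf")
    good = os.path.join(root, "app.log")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("sample\n")
    os.chmod(bad, 0o666)    # rw-rw-rw-: world-writable
    os.chmod(good, 0o644)   # rw-r--r--: fine
    before = fix_world_writable(root, dry_run=True)      # report only
    fix_world_writable(root, dry_run=False)              # apply o-w
    after_mode = stat.S_IMODE(os.lstat(bad).st_mode)
    return before, find_world_writable(root), after_mode, bad


if __name__ == "__main__":
    before, remaining, after_mode, bad = demo()
    print("before:", {p: oct(m) for p, m in before.items()})
    print("remaining:", remaining, "fixed mode:", oct(after_mode))
```

Run fix_world_writable(root) first with the default dry_run=True to get the list for review with the app owner, then again with dry_run=False once each file has been confirmed not to need world write.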
Vulnerability: TLS/SSL Vulnerabilities - 3DES Cipher; TLS/SSL Server is enabling the BEAST attack; TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
Owner: App Team
Recommendation:

Windows: a solution is available in Software Center: https://confluence.dell.com/pages/viewpage.action?pageId=296211589

How to manually disable SSLv2, SSLv3 and TLS 1.0 (the best solution is to have only TLS 1.2 enabled): TLS_Upgrade_Steps.docx

Note that disabling the old protocol versions addresses BEAST (a CBC weakness in SSL 3.0/TLS 1.0) but does not by itself clear the 3DES and SWEET32 findings: those are cipher-suite findings, so the 3DES cipher suites must also be removed from the enabled cipher list.

Dell standards for TLS/SSL: https://inside.dell.com/docs/DOC-349778

Linux: there is a solution created for OEL6 and OEL7 / RHEL6 and RHEL7. The VSR team can be engaged by SNOW request to perform this remediation.

For a strong SSL/TLS encryption configuration, follow the recommendation below for the relevant app server:

Apache: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

Tomcat: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

WebLogic: https://docs.oracle.com/middleware/1213/wls/SECMG/ssl_version.htm#SECMG634

This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass or engage VSR (links at the top of this page).

Vulnerability: Untrusted TLS/SSL server X.509 certificate; Self-signed TLS/SSL certificate; SHA-1-based Signature in TLS/SSL Server X.509 Certificate
Owner: SRO
Recommendation: This is a known certificate issue (port 3389, RDP) and is being handled by SE/SRO together with Microsoft; there is no ETA so far. TCP port 5986 (WinRM over HTTPS) is also under review with the SRO team.

Vulnerability: Character Generator Traffic Amplification
Owner: App Team / VSR
Recommendation: https://confluence.dell.com/pages/viewpage.action?pageId=338789873

This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass or engage VSR (links at the top of this page).

Vulnerability: Quote of the Day Traffic Amplification
Owner: App Team / VSR
Recommendation: https://confluence.dell.com/pages/viewpage.action?pageId=325783661

This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass or engage VSR (links at the top of this page).

Vulnerability: Anonymous root login is allowed
Owner: App Team
Recommendation: Anonymous root login is NOT allowed at Dell. If a server has this vulnerability, it should be configured not to accept root login on unapproved terminals, as follows:

Edit the /etc/securetty entries: remove all entries in /etc/securetty except console, tty[0-9]* and vc/[0-9]*.

Note: ssh does not use /etc/securetty. To disable root login through ssh, use the "PermitRootLogin" setting in /etc/ssh/sshd_config and restart the ssh daemon.

This action can be performed by app teams; if they don't have access to the servers, they can engage SE (links at the top of this page).
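The two checks above, as an added example that is not part of the original page: the first function rewrites the contents of /etc/securetty keeping only the console, tty[0-9]* and vc/[0-9]* entries (comments and blank lines are preserved), and the second reports the effective PermitRootLogin value from an sshd_config text, honouring sshd's rule that the first occurrence of a keyword wins and that settings after a Match line are conditional. The sample file contents are constructed and come from no real host.

```python
"""Harden /etc/securetty and check sshd's PermitRootLogin.

Added example, not from the original page. Sample inputs are constructed.
"""
import re

# Entries the page allows to stay in /etc/securetty.
ALLOWED_ENTRY = re.compile(r"^(console|tty[0-9]*|vc/[0-9]*)$")


def harden_securetty(text):
    """Return (new_text, removed_entries) for the given securetty content."""
    kept, removed = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#") or ALLOWED_ENTRY.match(entry):
            kept.append(line)
        else:
            removed.append(entry)
    return "\n".join(kept) + "\n", removed


def sshd_permit_root_login(config_text):
    """Return the effective global PermitRootLogin value from sshd_config.

    sshd uses the first occurrence of a keyword, so later duplicates are
    ignored. Keywords after the first Match line apply only to matching
    connections, so parsing stops there. When the keyword is absent the
    OpenSSH default (7.0 and later) is prohibit-password.
    """
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", stripped, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "prohibit-password"


def root_login_disabled(config_text):
    """True only when sshd refuses root by every method (PermitRootLogin no)."""
    return sshd_permit_root_login(config_text) == "no"


# Constructed sample inputs (not from any real host).
SAMPLE_SECURETTY = "console\ntty1\ntty2\nvc/1\n# serial line\nttyS0\npts/0\n"
SAMPLE_SSHD_CONFIG = "# sshd_config\nPort 22\nPermitRootLogin yes\nPermitRootLogin no\n"

if __name__ == "__main__":
    new_text, removed = harden_securetty(SAMPLE_SECURETTY)
    print(new_text, "removed:", removed)
    print("sshd PermitRootLogin:", sshd_permit_root_login(SAMPLE_SSHD_CONFIG))
```

In the sample sshd_config the effective value is "yes" even though "no" appears later, which is the mistake the first-match rule makes easy; the fix is to edit the first occurrence, then restart sshd.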
Vulnerability: Weak LAN Manager hashing permitted
Recommendation: This relates to the NTLMv1 protocol, which was already disabled on the servers through the deprecated-protocol project.

Vulnerability: NetBIOS NBSTAT Traffic Amplification
Owner: Network Team / VSR
Recommendation: Will be fixed when the WINS configuration is disabled on the servers. This has been done by the Network and VSR teams.

Vulnerability: SUID Bit Set Upon Script File
Owner: App Team
Recommendation: The SUID bit should be removed from the script. This action can be performed by app teams; if they don't have access to the servers, they can engage SE (links at the top of this page).
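A way to find the files this finding refers to and strip the bit, added here as an example rather than taken from the original page: the script walks a directory, treats any regular file that starts with "#!" as an interpreted script, reports those carrying setuid or setgid, and clears only those two bits (the equivalent of chmod u-s,g-s). The Linux kernel ignores setuid on interpreted scripts, so the bit grants nothing there, but it marks a misconfigured deployment and is what the scanner reports. The sample tree, file names and modes are constructed in a temporary directory.

```python
"""Find interpreted scripts carrying the setuid/setgid bit and strip it.

Added example, not from the original page. The sample tree is constructed
in a temporary directory so the script runs offline.
"""
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def is_script(path):
    """True if the file begins with a shebang line."""
    with open(path, "rb") as f:
        return f.read(2) == b"#!"


def find_setid_scripts(root):
    """Sorted paths of regular files under root that are scripts with setuid or setgid set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)          # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS and is_script(path):
                hits.append(path)
    return sorted(hits)


def strip_setid(path):
    """chmod u-s,g-s: clear only the setuid/setgid bits and keep everything else."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~SETID_BITS
    os.chmod(path, new_mode)
    return new_mode


def demo():
    """Constructed tree: a setuid shell script, a setuid non-script, a plain script."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    suid_script = os.path.join(root, "backup.sh")
    suid_binary = os.path.join(root, "helper")
    plain_script = os.path.join(root, "run.sh")
    with open(suid_script, "wb") as f:
        f.write(b"#!/bin/sh\necho hi\n")
    with open(suid_binary, "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 12)   # not a real binary, just a non-script header
    with open(plain_script, "wb") as f:
        f.write(b"#!/bin/sh\necho plain\n")
    os.chmod(suid_script, 0o4755)    # the finding: setuid on a script
    os.chmod(suid_binary, 0o4755)    # setuid on a non-script: out of scope here
    os.chmod(plain_script, 0o755)    # script without setuid: fine
    found = find_setid_scripts(root)
    fixed_modes = {p: strip_setid(p) for p in found}
    return found, fixed_modes, find_setid_scripts(root), suid_script


if __name__ == "__main__":
    found, fixed, remaining, _ = demo()
    print("found:", found)
    print("fixed:", {p: oct(m) for p, m in fixed.items()}, "remaining:", remaining)
```

Setuid binaries (the non-script file in the demo) are deliberately left alone, since they belong to a different finding and removing the bit from a real setuid helper can break the application that relies on it.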

Vulnerability: Windows Unquoted Search
Owner: App Team
Recommendation: This vulnerability relates to Microsoft Help Viewer 1.1, which is part of Visual Studio: https://docs.microsoft.com/en-us/visualstudio/help-viewer/installation?view=vs-2019

Solution: update Visual Studio or remove it.

Second option: put quotes around the path. The UninstallString for Microsoft Help Viewer 1.1 in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Help Viewer 1.1 has an unquoted path containing whitespace: C:\Program Files\Microsoft Help Viewer\v1.0\Microsoft Help Viewer 1.1\install.exe

This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass (links at the top of this page).
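The quoting fix above, worked through as an added example that is not from the original page: the script flags an unquoted command path containing spaces, lists the file names Windows would try before the real executable (the reason the finding matters: a user who can write to one of those directories can plant a binary that runs instead), produces the quoted value, and builds the reg.exe command that writes it back. The registry key and the UninstallString are the ones the page cites; the function names and the /uninstall argument in the usage are illustrative.

```python
"""Detect and fix an unquoted Windows command path that contains spaces.

Added example, not from the original page. The key and value below are the
ones the page cites; everything else is illustrative.
"""
import re

# The executable ends at the first ".exe" that is followed by whitespace or
# the end of the string; what follows are arguments.
_CMD_RE = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>\s.*)?$", re.IGNORECASE | re.DOTALL)


def split_command(cmd):
    """Return (exe_path, args) for an unquoted command, or None if no .exe is found."""
    m = _CMD_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("exe"), m.group("args") or ""


def is_unquoted_with_spaces(cmd):
    """True if the executable path is unquoted and contains whitespace."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return False
    parts = split_command(cmd)
    return parts is not None and " " in parts[0]


def hijack_candidates(cmd):
    """Paths CreateProcess tries, in order, before the intended executable.

    The command line is cut at each space and ".exe" is appended to the
    prefix; a writable directory along the way lets a local user plant one.
    """
    if not is_unquoted_with_spaces(cmd):
        return []
    exe, _ = split_command(cmd)
    tokens = exe.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def quote_command(cmd):
    """Wrap the executable path in double quotes, leaving arguments as they are."""
    if not is_unquoted_with_spaces(cmd):
        return cmd.strip()
    exe, args = split_command(cmd)
    return f'"{exe}"{args}'


def reg_add_command(key, value_name, cmd):
    """Build the reg.exe command that rewrites the value with a quoted path.

    Embedded double quotes in /d data are escaped as \\" for reg.exe.
    """
    fixed = quote_command(cmd).replace('"', '\\"')
    return f'reg add "{key}" /v {value_name} /t REG_SZ /d "{fixed}" /f'


# Values cited on the page.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Help Viewer 1.1"
UNINSTALL_STRING = r"C:\Program Files\Microsoft Help Viewer\v1.0\Microsoft Help Viewer 1.1\install.exe"

if __name__ == "__main__":
    print("unquoted:", is_unquoted_with_spaces(UNINSTALL_STRING))
    for candidate in hijack_candidates(UNINSTALL_STRING):
        print("  would be tried first:", candidate)
    print(reg_add_command(KEY, "UninstallString", UNINSTALL_STRING))
```

For the cited path the first candidate is C:\Program.exe; on a default install the root of C: and Program Files are not writable by standard users, which is why the finding is usually low severity, but the same check applied to services under a vendor directory with loose ACLs is where the real exposure shows up.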

Vulnerability: Microsoft IIS default installation/welcome page installed
Owner: App Team
Recommendation: Remove the default page or stop/disable the IIS server.

If this server is required to provide the necessary functionality, the default page should be replaced with relevant content. Otherwise, this server should be removed from the network, following the security principle of minimum complexity.

If the server is not needed, it can be disabled as follows: in the Services console (Control Panel > Administrative Tools), right-click the 'World Wide Web Publishing Service' entry and select 'Stop'. Then open 'Properties' from the same right-click menu and set the startup type to 'Manual' so that it does not restart when the machine is rebooted ('Disabled' additionally prevents anything from starting it on demand).

This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass (links at the top of this page).

Vulnerability: SMBv2 signing not required
Owner: App Team / VSR
Recommendation: A FIX is available in Software Center. We also provide the rollback in case it is needed.

If app teams want to apply the fix manually, and the server has no share restrictions or storage access that could be affected by requiring signing, they can update the setting using either of the following options.

By registry:

reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 1 /f

By local policy: under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, enable "Microsoft network server: Digitally sign communications (always)" (https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always).

Vulnerability: ICMP redirection enabled
Recommendation: Working with SE on the solution.
Vulnerability: Obsolete version of Microsoft MSXML4
Owner: App Team / VSR
Recommendation:

1. Upgrade to MSXML 6: HERE
2. Open an administrator command window. To do this, right-click cmd.exe and choose Run as administrator.
3. Navigate to the folder containing msxml4.dll. By default: 32-bit systems - C:\Windows\System32; 64-bit systems - C:\Windows\SysWOW64 (the 32-bit MSXML4 DLL lives there on 64-bit Windows).
4. Unregister msxml4.dll using the following command:

regsvr32 /u msxml4.dll

A message is displayed showing that the DLL has been unregistered.

5. Delete the following files:

msxml4.dll
msxml4.inf
msxml4a.dll
msxml4r.dll

This action can be performed by app teams; if they don't have access to the servers, they can raise a Windows Break Glass or engage VSR (links at the top of this page).
