Columns: Hostname | IP Address | CVSS | Severity | Port | Protocol | Vulnerability | Description | Recommendation | Output | CVE | Exploit Available | Status | Comments
(The Comments column is empty for every finding on this page.)

Finding 1
Hostname:          mopsesxi02-ilo.nswcfcu.dom
IP Address:        10.7.3.12
CVSS:              10
Severity:          Critical
Port:              22
Protocol:          tcp
Vulnerability:     Dropbear SSH Nutanix iLO Server < 2016.72 Multiple Vulnerabilities
Description:
  According to its self-reported version in its banner, Dropbear SSH running on the remote host is prior to 2016.74. It is, therefore, affected by the following vulnerabilities:
  - A format string flaw exists due to improper handling of string format specifiers (e.g., %s and %x) in usernames and host arguments. An unauthenticated, remote attacker can exploit this to execute arbitrary code with root privileges. (CVE-2016-7406)
  - A flaw exists in dropbearconvert due to improper handling of specially crafted OpenSSH key files. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7407)
  - A flaw exists in dbclient when handling the -m or -c arguments in scripts. An unauthenticated, remote attacker can exploit this, via a specially crafted script, to execute arbitrary code. (CVE-2016-7408)
  - A flaw exists in dbclient or dropbear server if they are compiled with the DEBUG_TRACE option and then run using the -v switch. A local attacker can exploit this to disclose process memory. (CVE-2016-7409)
Recommendation:
  Upgrade to Dropbear SSH version 2016.74 or later.
Output:
  Version source : SSH-2.0-dropbear_2013.60
  Installed version : 2013.60
  Fixed version : 2016.74
CVE:               CVE-2016-7409
Exploit Available: false
Status:            Open

Finding 2
Hostname:          mopsesxi01-ilo.nswcfcu.dom
IP Address:        10.7.3.11
CVSS:              7.8
Severity:          High
Port:              623
Protocol:          udp
Vulnerability:     IPMI v2.0 Password Hash Disclosure
Description:
  The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC.
Recommendation:
  There is no patch for this vulnerability; it is an inherent problem with the specification for IPMI v2.0. Suggested mitigations include:
  - Disabling IPMI over LAN if it is not needed.
  - Using strong passwords to limit the successfulness of off-line dictionary attacks.
  - Using Access Control Lists (ACLs) or isolated networks to limit access to your IPMI management interfaces.
Output:
  Nessus detected that the remote server has IPMI v2.0 implemented.
  Remote unauthenticated users will be able to get password hashes for valid users.
CVE:               CVE-2013-4786
Exploit Available: true
Status:            Open

Finding 3
Hostname:          mopsesxi03-ilo.nswcfcu.dom
IP Address:        10.7.3.13
CVSS:              7.8
Severity:          High
Port:              623
Protocol:          udp
Vulnerability:     IPMI v2.0 Password Hash Disclosure
Description:       As for Finding 2.
Recommendation:    As for Finding 2.
Output:
  Nessus detected that the remote server has IPMI v2.0 implemented.
  Remote unauthenticated users will be able to get password hashes for valid users.
CVE:               CVE-2013-4786
Exploit Available: true
Status:            Open

Finding 4
Hostname:          mopsesxi02-ilo.nswcfcu.dom
IP Address:        10.7.3.12
CVSS:              5
Severity:          Medium
Port:              123
Protocol:          udp
Vulnerability:     Network Time Protocol Daemon (ntpd) read_mru_list() Remote DoS
Description:
  The remote NTP server is affected by a denial of service vulnerability due to improper validation of mrulist queries. An unauthenticated, remote attacker can exploit this, via a specially crafted NTP mrulist query packet, to terminate the ntpd process.
  Note that the NTP server is reportedly affected by additional vulnerabilities as well; however, Nessus has not tested for these.
Recommendation:
  Upgrade to NTP version 4.2.8p9 or later.
CVE:               CVE-2016-7434
Status:            Open

Finding 5
Hostname:          mopsesxi02-ilo.nswcfcu.dom
IP Address:        10.7.3.12
CVSS:              5
Severity:          Medium
Port:              123
Protocol:          udp
Vulnerability:     Network Time Protocol (NTP) Mode 6 Scanner
Description:
  The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.
Recommendation:
  Restrict NTP mode 6 queries.
Output:
  Nessus elicited the following response from the remote host by sending an NTP mode 6 query :
  'version="ntpd 4.2.8p3@1.3265 Wed Jul 20 06:17:35 UTC 2016 (1)", processor="armv5tejl", system="Linux/2.6.28.9", leap=0, stratum=3, precision=-16, rootdelay=37.637, rootdisp=67.522, refid=199.38.183.232, reftime=0xe1067c0d.9507b8a0, clock=0xe1067e32.beb12026, peer=60990, tc=10, mintc=3, offset=2.021406, frequency=-0.642, sys_jitter=5.099735, clk_jitter=4.444, clk_wander=0.340'
Status:            Open

Finding 6
Hostname:          mopsesxi01-ilo.nswcfcu.dom
IP Address:        10.7.3.11
CVSS:              6.4
Severity:          Medium
Port:              443
Protocol:          tcp
Vulnerability:     SSL Self-Signed Certificate
Description:
  The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.
  Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Recommendation:
  Purchase or generate a proper certificate for this service.
Output:
  The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :
  |-Subject : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI
Status:            Open

Finding 7
Hostname:          mopsesxi01-ilo.nswcfcu.dom
IP Address:        10.7.3.11
CVSS:              6.4
Severity:          Medium
Port:              443
Protocol:          tcp
Vulnerability:     SSL Certificate Cannot Be Trusted
Description:
  The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below:
  - First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.
  - Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
  - Third, the certificate chain may contain a signature that either didn't match the certificate's information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.
  If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Recommendation:
  Purchase or generate a proper certificate for this service.
Output:
  The following certificate was at the top of the certificate chain sent by the remote host, but it is signed by an unknown certificate authority :
  |-Subject : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI
  |-Issuer : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI
Status:            Open

Finding 8
Hostname:          mopsesxi01-ilo.nswcfcu.dom
IP Address:        10.7.3.11
CVSS:              5
Severity:          Medium
Port:              123
Protocol:          udp
Vulnerability:     Network Time Protocol (NTP) Mode 6 Scanner
Description:       As for Finding 5.
Recommendation:    As for Finding 5.
Output:
  Nessus elicited the following response from the remote host by sending an NTP mode 6 query :
  'version="ntpd 4.2.8p9@1.3265-o Fri Jun 15 23:45:37 UTC 2018 (1)", processor="armv5tejl", system="Linux/2.6.28.9", leap=0, stratum=3, precision=-17, rootdelay=53.382, rootdisp=65.946, refid=162.248.221.109, reftime=0xe1067bfa.987096d3, clock=0xe106822b.14612a12, peer=24627, tc=10, mintc=3, offset=-1.486991, frequency=4.273, sys_jitter=5.139807, clk_jitter=3.369, clk_wander=0.417'
Status:            Open

Finding 9
Hostname:          mopsesxi03-ilo.nswcfcu.dom
IP Address:        10.7.3.13
CVSS:              5
Severity:          Medium
Port:              123
Protocol:          udp
Vulnerability:     Network Time Protocol Daemon (ntpd) read_mru_list() Remote DoS
Description:       As for Finding 4.
Recommendation:    As for Finding 4.
CVE:               CVE-2016-7434
Status:            Open

Finding 10
Hostname:          mopsesxi03-ilo.nswcfcu.dom
IP Address:        10.7.3.13
CVSS:              5
Severity:          Medium
Port:              123
Protocol:          udp
Vulnerability:     Network Time Protocol (NTP) Mode 6 Scanner
Description:       As for Finding 5.
Recommendation:    As for Finding 5.
Output:
  Nessus elicited the following response from the remote host by sending an NTP mode 6 query :
  'version="ntpd 4.2.8p3@1.3265 Wed Jul 20 06:17:35 UTC 2016 (1)", processor="armv5tejl", system="Linux/2.6.28.9", leap=0, stratum=3, precision=-16, rootdelay=45.312, rootdisp=79.170, refid=162.248.221.109, reftime=0xe1067ef9.985d6846, clock=0xe10686a0.37c8e18e, peer=38273, tc=10, mintc=3, offset=0.731744, frequency=0.919, sys_jitter=2.843922, clk_jitter=0.518, clk_wander=0.104'
Status:            Open

Finding 11
Hostname:          mopsesxi01-ilo.nswcfcu.dom
IP Address:        10.7.3.11
CVSS:              2.6
Severity:          Low
Port:              22
Protocol:          tcp
Vulnerability:     SSH Weak MAC Algorithms Enabled
Description:
  The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
  Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.
Recommendation:
  Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Output:
  The following client-to-server Message Authentication Code (MAC) algorithms are supported :
    hmac-sha1-96
  The following server-to-client Message Authentication Code (MAC) algorithms are supported :
    hmac-sha1-96
Status:            Open

Finding 12
Hostname:          mopsesxi02-ilo.nswcfcu.dom
IP Address:        10.7.3.12
CVSS:              2.6
Severity:          Low
Port:              22
Protocol:          tcp
Vulnerability:     SSH Weak MAC Algorithms Enabled
Description:       As for Finding 11.
Recommendation:    As for Finding 11.
Output:
  The following client-to-server Message Authentication Code (MAC) algorithms are supported :
    hmac-md5
    hmac-sha1-96
  The following server-to-client Message Authentication Code (MAC) algorithms are supported :
    hmac-md5
    hmac-sha1-96
Status:            Open