OpenVAS & PCI

The most common PCI Compliance Issues when using OpenVAS.

By Ralf Wiegand, Date: 2014-02-06

TCP Sequence Number Approximation Reset Denial of Service Vulnerability

Security Issues reported for xxx.yyy.zzz.aaa

Port: general/tcp
Severity: Medium (CVSS: 5.0)

NVT: TCP Sequence Number Approximation Reset Denial of Service Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902815)

Summary:
The host is running TCP services and is prone to a denial of service vulnerability.

Result:
Vulnerability detected.

Impact

Successful exploitation will allow remote attackers to guess sequence numbers and cause a denial of service to persistent TCP connections by repeatedly injecting a TCP RST packet.

Solution

Please see the referenced advisories for more information on obtaining and applying fixes.

Vulnerability Insight

The flaw is triggered when spoofed TCP Reset packets are received by the targeted TCP stack and will result in loss of availability for the attacked TCP services.

Vulnerability Detection Method

A TCP Reset packet with a different sequence number is sent to the target. A previously open connection is then checked to see if the target closed it or not.

References

CVE: CVE-2004-0230
BID: 10183
CERT: Warning: database not available
Other:
http://www.osvdb.org/4030
http://xforce.iss.net/xforce/xfdb/15886
http://www.us-cert.gov/cas/techalerts/TA04-111A.html
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55949
http://www-01.ibm.com/support/docview.wss?uid=isg1IY55950
http://www-01.ibm.com/support/docview.wss?uid=isg1IY62006
http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx
http://www.microsoft.com/technet/security/bulletin/ms06-064.mspx
http://www.cisco.com/en/US/products/csa/cisco-sa-20040420-tcp-nonios.html

How to solve this:

https://security-tracker.debian.org/tracker/CVE-2004-0230

https://access.redhat.com/security/cve/CVE-2004-0230


TCP timestamps

Severity: Medium (CVSS: 2.6)

NVT: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:

Paket 1: 1606318917

Paket 2: 1606319279

Impact

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'.

Starting with Windows Server 2008 and Vista, the timestamp cannot be completely disabled.

The default behavior of the TCP/IP stack on these systems is to not use the timestamp option when initiating TCP connections, but to use it if the TCP peer that is initiating communication includes it in its synchronize (SYN) segment.

See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

Vulnerability Insight

The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for timestamps. If found, the timestamps are reported.
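What the impact text above means in practice, as an added example that is not part of the original report: from the two TSval samples and the 1 s probe delay the NVT printed, derive the counter's tick rate and from that an uptime estimate. The list of common kernel tick rates used for rounding is this example's own assumption.

```python
# Added example (not from the original page): what the two TCP timestamp values
# reported above give away.  The samples and the 1 s delay come from the
# scanner output; COMMON_HZ is an assumed list of usual kernel tick rates.
from dataclasses import dataclass

COMMON_HZ = (100, 250, 300, 1000)  # assumed candidate tick rates for rounding

@dataclass
class UptimeEstimate:
    measured_hz: float        # ticks per second derived from the two probes
    nearest_hz: int           # closest entry of COMMON_HZ, a plausibility check
    uptime_raw_s: float       # uptime if the measured rate is exact
    uptime_nearest_s: float   # uptime if the counter really runs at nearest_hz

def estimate_uptime(ts1: int, ts2: int, delay_s: float) -> UptimeEstimate:
    """Estimate host uptime from two RFC 1323 TSval samples taken delay_s apart.

    TSval is a counter that starts near zero at boot and advances at a fixed
    rate, so rate = (ts2 - ts1) / delay and uptime ~= ts1 / rate.  Two probes
    one second apart measure the rate only coarsely: when the result is far
    from every common tick rate the estimate is unreliable, which is why the
    NVT says the uptime can only 'sometimes' be computed.
    """
    if delay_s <= 0 or ts2 <= ts1:
        raise ValueError("need ts2 > ts1 and a positive delay")
    hz = (ts2 - ts1) / delay_s
    nearest = min(COMMON_HZ, key=lambda c: abs(c - hz))
    return UptimeEstimate(hz, nearest, ts1 / hz, ts1 / nearest)

def fmt_days(seconds: float) -> str:
    """Render seconds as days with one decimal, e.g. 216000 -> '2.5 days'."""
    return f"{seconds / 86400:.1f} days"

if __name__ == "__main__":
    # Paket 1 / Paket 2 from the NVT output above, 1 s apart.
    est = estimate_uptime(1606318917, 1606319279, 1.0)
    print(f"measured {est.measured_hz:.0f} Hz, nearest common rate {est.nearest_hz} Hz")
    print(f"uptime ~ {fmt_days(est.uptime_raw_s)} at the measured rate, "
          f"~ {fmt_days(est.uptime_nearest_s)} at {est.nearest_hz} Hz")
```

A measured rate that sits between the common tick rates, as here, is the usual reason the scanner only says "sometimes". Note that the ICMP rules in the article below close a separate ICMP timestamp leak; the TCP option itself is controlled only by the sysctl setting.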

References

CERT: Warning: database not available
Other:
http://www.ietf.org/rfc/rfc1323.txt

How to solve this PCI Compliance problem:

Disable TCP timestamps on Linux

Written by Super User | Category: Security | Published: 28 June 2013

It is possible to estimate the current uptime of a Linux machine remotely. It's preferable to disable TCP timestamps on your systems. The less information attackers can get, the better off you are.

Sysctl

To dynamically disable TCP timestamping, run the following command:

root@thunderchicken:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps

To make that change permanent though, you need to add the following line to /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0

IPTables

To be on the safe side, add the following 2 lines to your firewall script:

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP


Check for SSL Weak Ciphers

Severity: Medium (CVSS: 4.3)

NVT: Check for SSL Weak Ciphers (OID: 1.3.6.1.4.1.25623.1.0.103440)

Server will not support SSLv2 Ciphers.
Server supports SSLv3 ciphers.
Server supports TLSv1 ciphers.

Medium ciphers are

SSL3_RSA_DES_192_CBC3_SHA : SSL_NOT_EXP
SSL3_EDH_RSA_DES_192_CBC3_SHA : SSL_NOT_EXP
SSL3_DHE_RSA_WITH_AES_128_SHA : SSL_NOT_EXP
SSL3_RSA_WITH_CAMELLIA_128_CBC_SHA : SSL_NOT_EXP
SSL3_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : SSL_NOT_EXP
SSL3_RSA_WITH_CAMELLIA_256_CBC_SHA : SSL_NOT_EXP
SSL3_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : SSL_NOT_EXP
SSL3_DHE_RSA_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_RSA_DES_192_CBC3_SHA : SSL_NOT_EXP
TLS1_EDH_RSA_DES_192_CBC3_SHA : SSL_NOT_EXP
TLS1_DHE_RSA_WITH_AES_128_SHA : SSL_NOT_EXP
TLS1_RSA_WITH_CAMELLIA_128_CBC_SHA : SSL_NOT_EXP
TLS1_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA : SSL_NOT_EXP
TLS1_RSA_WITH_CAMELLIA_256_CBC_SHA : SSL_NOT_EXP
TLS1_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA : SSL_NOT_EXP
TLS1_RSA_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_DHE_RSA_WITH_SEED_SHA : SSL_NOT_EXP

Weak ciphers are

SSL3_RSA_RC4_128_MD5 : SSL_NOT_EXP
SSL3_RSA_RC4_128_SHA : SSL_NOT_EXP
SSL3_RSA_WITH_SEED_SHA : SSL_NOT_EXP
TLS1_RSA_RC4_128_MD5 : SSL_NOT_EXP
TLS1_RSA_RC4_128_SHA : SSL_NOT_EXP

How to fix this PCI Compliance problem:

The auditor requested that the SSL cipher RSA_RC4 be used as an additional validation (2013-05).

In general this cipher should be removed as well.
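An added example (not the page's own code) that parses the cipher lines the NVT printed above and sorts them the way a PCI remediation would: RC4, MD5, DES/3DES, export, NULL and anonymous suites to remove, SSLv3 itself as a protocol finding, and the remaining TLSv1 suites to keep. The rejection rules are this editor's reading of the PCI strong cryptography requirement, not the scanner's own weak/medium split.

```python
# Added example (not from the original page): classify the cipher lines the
# OpenVAS "Check for SSL Weak Ciphers" NVT printed above.  SAMPLE holds four
# lines copied from the report; REJECT_RULES is this editor's PCI reading.
import re
from typing import Dict, List, NamedTuple

class Cipher(NamedTuple):
    proto: str    # "SSL3" or "TLS1", as printed by the NVT
    name: str     # suite name as printed by the NVT
    export: bool  # True when the NVT marked it SSL_EXP

# Reasons a suite has to go; each regex is matched against "_" + name.
REJECT_RULES = (
    (re.compile(r"_RC4_"), "RC4"),
    (re.compile(r"_MD5$"), "MD5 MAC"),
    (re.compile(r"_DES_192_CBC3_|_3DES_"), "3DES (64-bit block)"),
    (re.compile(r"_DES_(?!192)"), "single DES"),
    (re.compile(r"_NULL_|_ADH_|_AECDH_|_anon_"), "no encryption or no authentication"),
)
LINE_RE = re.compile(r"^\s*(SSL3|TLS1)_(\S+)\s*:\s*(SSL_EXP|SSL_NOT_EXP)\s*$")

def parse_cipher_line(line: str) -> Cipher:
    """Parse one 'PROTO_SUITE : SSL_(NOT_)EXP' line from the NVT output."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an NVT cipher line: {line!r}")
    return Cipher(m.group(1), m.group(2), m.group(3) == "SSL_EXP")

def assess(lines: List[str]) -> Dict[str, List[str]]:
    """Sort the NVT lines into remove / keep / protocol findings.

    SSL3 entries go under 'protocol': the fix there is to switch SSLv3 off,
    not to prune individual suites.  'keep' lists TLS1 suites no rule hits.
    """
    out: Dict[str, List[str]] = {"remove": [], "keep": [], "protocol": []}
    for c in map(parse_cipher_line, lines):
        if c.proto == "SSL3":
            out["protocol"].append(f"{c.proto}_{c.name}: SSLv3 enabled")
        reasons = [why for rx, why in REJECT_RULES if rx.search("_" + c.name)]
        if c.export:
            reasons.append("export-grade key length")
        if reasons:
            out["remove"].append(f"{c.proto}_{c.name}: " + "; ".join(reasons))
        elif c.proto == "TLS1":
            out["keep"].append(f"{c.proto}_{c.name}")
    return out

SAMPLE = [  # four of the scanner lines shown above
    "SSL3_RSA_RC4_128_MD5 : SSL_NOT_EXP",
    "TLS1_RSA_DES_192_CBC3_SHA : SSL_NOT_EXP",
    "TLS1_DHE_RSA_WITH_AES_128_SHA : SSL_NOT_EXP",
    "TLS1_RSA_RC4_128_SHA : SSL_NOT_EXP",
]

if __name__ == "__main__":
    for kind, items in assess(SAMPLE).items():
        print(kind, items)
```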


openssh-server Forced Command Handling Information Disclosure Vulnerability

Port: ssh (22/tcp)
Severity: Medium (CVSS: 3.5)

NVT: openssh-server Forced Command Handling Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103503)

According to its banner, the version of OpenSSH installed on the remote host is older than 5.7:

ssh-2.0-openssh_5.3

Summary:

The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.

OpenSSH before 5.7 is affected.

Solution:

Updates are available. Please see the references for more information.

References

CVE: CVE-2012-0814
BID: 51702
CERT: Warning: database not available
Other:
http://www.securityfocus.com/bid/51702
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
http://packages.debian.org/squeeze/openssh-server
https://downloads.avaya.com/css/P8/documents/100161262

How to fix this PCI Compliance problem:

Upgrade to the latest version of your OS. Upgrade depends on application availability and compatibility testing.


ETag

Severity: Medium (CVSS: 4.3)

NVT: Apache Web Server ETag Header Information Disclosure Weakness (OID: 1.3.6.1.4.1.25623.1.0.103122)

Summary:

A weakness has been discovered in Apache web servers that are configured to use the FileETag directive. Due to the way in which Apache generates ETag response headers, it may be possible for an attacker to obtain sensitive information regarding server files. Specifically, ETag header fields returned to a client contain the file's inode number.

Exploitation of this issue may provide an attacker with information that may be used to launch further attacks against a target network.

OpenBSD has released a patch that addresses this issue. Inode numbers returned from the server are now encoded using a private hash to avoid the release of sensitive information.

Solution:

OpenBSD has released a patch to address this issue.

Novell has released TID10090670 to advise users to apply the available workaround of disabling the directive in the configuration file for Apache releases on NetWare. Please see the attached Technical Information Document for further details.

Information that was gathered:

Inode: 2099595
Size: 177

References

CVE: CVE-2003-1418
BID: 6939
CERT: Warning: database not available
Other:
https://www.securityfocus.com/bid/6939
http://httpd.apache.org/docs/mod/core.html#fileetag
http://www.openbsd.org/errata32.html
http://support.novell.com/docs/Tids/Solutions/10090670.html

How to fix this PCI Compliance problem:

By removing the ETag header you stop caches and browsers from validating files against it, so they are forced to rely on your Cache-Control and Expires headers. In effect you drop the If-Modified-Since and If-None-Match requests and their 304 Not Modified responses.

Entity tags (ETags) are a mechanism to check for a newer version of a cached file.
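To see where the scanner's "Inode: 2099595 / Size: 177" came from, and to re-check a server after the FileETag change, here is an added example (not the page's own code) that decodes an Apache-style ETag; with its default FileETag INode MTime Size, Apache 2.2 renders the tag as hex inode-size-mtime. The two response captures are constructed, and the mtime field in the first is an invented value.

```python
# Added example (not from the original page): decode the ETag an Apache 2.2
# server emits with its default "FileETag INode MTime Size", i.e. a quoted
# hex "inode-size-mtime".  BEFORE/AFTER are constructed responses; BEFORE is
# built to decode to the inode (2099595) and size (177) the NVT reported.
import re
from typing import Dict, Optional

ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"$')

def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x response head into a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    hdrs: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs

def decode_apache_etag(etag: str) -> Optional[Dict[str, int]]:
    """Return inode/size/mtime if the ETag has Apache's three-field shape."""
    m = ETAG_RE.match(etag.strip())
    if not m:
        return None  # opaque or hashed tag: nothing file-specific to read
    inode, size, mtime = (int(g, 16) for g in m.groups())
    return {"inode": inode, "size": size, "mtime": mtime}

def etag_leak(raw_response: str) -> Optional[Dict[str, int]]:
    """None when there is no ETag (FileETag None) or it is not inode-based."""
    etag = parse_headers(raw_response).get("etag")
    return decode_apache_etag(etag) if etag else None

# Constructed captures of the same file before and after "FileETag None".
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
          'ETag: "20098b-b1-4f1b2c3d4e5f6"\r\nContent-Length: 177\r\n\r\n')
AFTER = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
         "Last-Modified: Thu, 06 Feb 2014 10:00:00 GMT\r\nContent-Length: 177\r\n\r\n")

if __name__ == "__main__":
    print("before:", etag_leak(BEFORE))  # inode 2099595 and size 177 exposed
    print("after: ", etag_leak(AFTER))   # None
```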

root@montr-jumphost-ffm3:/etc/apache2/sites-enabled# more *
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                # added for the OpenVAS ETag finding
                FileETag none
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

http TRACE XSS attack

Severity: High (CVSS: 5.8)
Port: https (443/tcp)

NVT: http TRACE XSS attack (OID: 1.3.6.1.4.1.25623.1.0.11213)

Summary:

Debugging functions are enabled on the remote HTTP server.

Description:

The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving him their credentials.

Solution:

Disable these methods.

Plugin output:

Solution:

Add the following lines for each virtual host in your configuration file:

   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]

References

CVE: CVE-2004-2320, CVE-2003-1567
BID: 9506, 9561, 11604
CERT: Warning: database not available
Other:
http://www.kb.cert.org/vuls/id/867593

How to fix this PCI Compliance problem:

In this case the /etc/httpd/conf.d/ssl.conf file was modified. The three Rewrite lines shown below (highlighted in red/bold in the original) have to be placed within the VirtualHost block. Restart Apache and the finding should be gone by the next scan.

<VirtualHost>

……

         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

   RewriteEngine on
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]

</VirtualHost>
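An added example (not the author's or Apache's code) that lints a configuration for the two vhost-level fixes this page applies: FileETag None from the ETag section and the TRACE/TRACK rewrite shown above. It also accepts TraceEnable off, the directive Apache added in 2.0.55 for this purpose; the sample configuration it runs on is constructed.

```python
# Added example (not from the original page): lint an Apache config for the two
# vhost-level fixes this page applies, FileETag None and the TRACE/TRACK block.
# TraceEnable off (Apache 2.0.55+) counts as equivalent to the rewrite rule.
# SAMPLE_CONF is a constructed configuration, not the author's file.
import re
from typing import Dict, List

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
CHECKS = {  # one regex per directive, matched per line (commented lines never match)
    "etag": re.compile(r"^\s*FileETag\s+None\s*$", re.M | re.I),
    "rewrite_engine": re.compile(r"^\s*RewriteEngine\s+on\s*$", re.M | re.I),
    "rewrite_cond": re.compile(
        r"^\s*RewriteCond\s+%\{REQUEST_METHOD\}\s+\^\(TRACE\|TRACK\)\s*$", re.M),
    "rewrite_rule": re.compile(r"^\s*RewriteRule\s+\.\*\s+-\s+\[F\]\s*$", re.M),
    "trace_off": re.compile(r"^\s*TraceEnable\s+off\s*$", re.M | re.I),
}
TRACE_MSG = "TRACE/TRACK block (RewriteCond/RewriteRule or TraceEnable off)"

def lint_vhosts(config: str) -> List[Dict[str, object]]:
    """Return, per <VirtualHost>, the list of fixes from this page it lacks."""
    global_scope = VHOST_RE.sub("", config)  # directives outside every vhost
    results = []
    for m in VHOST_RE.finditer(config):
        scope = m.group(1) + "\n" + global_scope  # a vhost inherits global settings
        found = {k: bool(rx.search(scope)) for k, rx in CHECKS.items()}
        rewrite_ok = found["rewrite_engine"] and found["rewrite_cond"] and found["rewrite_rule"]
        missing = []
        if not found["etag"]:
            missing.append("FileETag None")
        if not (rewrite_ok or found["trace_off"]):
            missing.append(TRACE_MSG)
        results.append({"vhost": m.group(0).split(">", 1)[0] + ">", "missing": missing})
    return results

SAMPLE_CONF = """\
<VirtualHost *:80>
    <Directory />
        FileETag none
    </Directory>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
</VirtualHost>
<VirtualHost *:443>
    # FileETag left at its default here, so the inode still leaks
</VirtualHost>
"""

if __name__ == "__main__":
    for r in lint_vhosts(SAMPLE_CONF):
        print(r["vhost"], "OK" if not r["missing"] else "missing: " + ", ".join(r["missing"]))
```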

 
