CIT 480 - Northern Kentucky University



CIT 480 Network Security Assessment
By: Greg Vestring
4/28/2016

Summary

The findings from this security assessment reveal important information regarding the security and vulnerability of each of the target systems. The server with the IP address 10.2.243.52 reported the fewest total vulnerabilities, followed by 10.2.243.51 and 10.2.243.53.

The .51 server is running a Linux 2.6.32 - 2.6.39 kernel. It has several services running, including echo, discard, daytime, chargen, ftp, ssh, time, http, netbios-ssn, netbios-ns, and mdns. The purpose of this server appears to be a web server, since it is running Apache and has Simple PHP Blog installed. Compared with the other two servers, this server is in the middle in terms of susceptibility to attack: it has the middle count of both total vulnerabilities and validated vulnerabilities. The Nessus scan reported only 5 items of medium or higher severity for this server, including 1 critical item.

The .52 server is running Microsoft Windows Server 2003. It has the following services running: http, msrpc, netbios-ssn, tcpwrapped, dhcps, dhcpc, ntp, netbios-ns, netbios-dgm, isakmp, and nat-t-ike. The purpose of this server appears to be a web server, since it is running IIS; it may also serve as a DHCP server, since that service is running. This server appears to be the least susceptible to attack, because it has both the fewest total vulnerabilities and the fewest validated vulnerabilities. The Nessus scan reported only 5 items of medium or higher severity for this server, including 3 critical items.

The .53 server is running both Microsoft Windows XP and Microsoft Windows Server 2003.
This server has the following services running: ftp, smtp, http, msrpc, netbios-ssn, ris, ssl/http, microsoft-ds, mysql, ntp, netbios-ns, netbios-dgm, snmp, isakmp, blackjack, ms-sql, upnp, and nat-t-ike. This server appears to be the most susceptible to attack, because it has both the most total vulnerabilities and the most validated vulnerabilities. The Nessus scan reported 79 items of medium or higher severity for this server, including 10 critical items.

| IP Address | MAC Address | Operating System | Total Vulnerabilities | Scanned Vulnerabilities |
| 10.2.243.51 | 00:50:56:B1:7B:AA (VMware) | Linux 2.6.32 - 2.6.39 (vulnerability scan reveals Ubuntu 11.04) | Linux 2.6.32 - 2.6.39: 10; Ubuntu 11.04: 3 | 5 |
| 10.2.243.52 | 00:50:56:B1:5C:EA (VMware) | Microsoft Windows 2003 | 18 | 5 |
| 10.2.243.53 | 00:50:56:b1:1a:33 (VMware) | Microsoft Windows XP / 2003 | Microsoft Windows XP SP2: 6; Microsoft Windows Server 2003: 18 | 79 |

Procedure

The procedure used in the security assessment consisted of network scanning and enumeration, vulnerability research, and vulnerability scanning.

First, each server was scanned using nmap with the following command:

    nmap -A -sS -sU -PN -p 1-65535 -oN [file name] [IP Address]

The scan verified that the system was available and also reported the operating system and the names and versions of the services running on it. All TCP and UDP ports were scanned, and the results were written to a file.

Second, research was conducted using the CVE Details website. All operating systems and services reported by nmap were analyzed to find vulnerabilities. Vulnerabilities with CVSS scores below 7 were ignored.

Third, Nessus was used to scan each system with an advanced network scan. Each target was verified to be up with a ping before the scan was started.

Next, DirBuster was used to identify the URLs on each server and to allow for further exploration. DirBuster was run on the following addresses: , , , , , , .
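As an added example (it is not part of the original report or its scan output), the following Python script shows the triage logic behind the first two steps of the procedure and the version-based validation used in the per-system findings: it parses nmap -oN port lines, drops CVEs whose CVSS score is below 7, and checks whether the banner version falls inside each CVE's affected range. The nmap lines, the placeholder identifiers CVE-0000-0001 through CVE-0000-0005, and their CVSS scores and version ranges are constructed sample data, not values from the assessment. A banner with no dotted version, such as "Samba smbd 3.X", is reported as "version unknown" instead of being matched, which mirrors the "not sure of version" caveat that appears in the findings.

```python
"""Scan-triage helper: parse nmap -oN port lines, filter CVEs by CVSS, and
check whether the detected service version is inside each CVE's affected range.
Added example; every input below is constructed sample data."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of nmap -oN port lines (PORT STATE SERVICE VERSION).
SAMPLE_NMAP = """\
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.2
22/tcp    open  ssh         OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http        Apache httpd 2.2.17 ((Ubuntu))
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
50866/udp open  unknown
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DOTTED_VERSION = re.compile(r"\d+(?:\.\d+)+")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    banner: str  # raw nmap version column; empty when nmap printed none


@dataclass
class CveRecord:
    """Constructed CVE record (placeholder ids, not real advisories)."""
    cve_id: str
    product: str            # substring expected in the service banner
    cvss: float
    affected_lt: str        # versions strictly below this are affected
    affected_ge: str = "0"  # inclusive lower bound of the affected range


def parse_nmap(text: str) -> List[Service]:
    """Return one Service per port line; the header and non-port lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, banner = m.groups()
            services.append(Service(int(port), proto, state, name, (banner or "").strip()))
    return services


def extract_version(banner: str) -> Optional[str]:
    """First dotted numeric version in a banner ('OpenSSH 5.8p1' -> '5.8'); None if absent."""
    m = DOTTED_VERSION.search(banner)
    return m.group(0) if m else None


def in_range(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version < hi, comparing dotted versions numerically."""
    parts = [tuple(int(x) for x in v.split(".")) for v in (version, lo, hi)]
    width = max(len(p) for p in parts)
    v, l, h = (p + (0,) * (width - len(p)) for p in parts)
    return l <= v < h


def triage(services: List[Service], cves: List[CveRecord],
           min_cvss: float = 7.0) -> List[Tuple[str, str, str]]:
    """Pair each service with the CVEs naming its product and decide a verdict:
    'affected', 'not affected' or 'version unknown'. CVEs under min_cvss are
    dropped, matching the report's rule of ignoring CVSS scores below 7."""
    findings = []
    for svc in services:
        version = extract_version(svc.banner)
        for cve in cves:
            if cve.cvss < min_cvss or cve.product.lower() not in svc.banner.lower():
                continue
            if version is None:
                verdict = "version unknown"  # e.g. 'Samba smbd 3.X': confirm by hand
            elif in_range(version, cve.affected_ge, cve.affected_lt):
                verdict = "affected"
            else:
                verdict = "not affected"
            findings.append((f"{svc.port}/{svc.proto}", cve.cve_id, verdict))
    return findings


# Constructed CVE records with placeholder ids; scores and ranges are illustrative only.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "Apache httpd", 7.5, affected_lt="2.2.15"),
    CveRecord("CVE-0000-0002", "Apache httpd", 9.3, affected_lt="2.2.20"),
    CveRecord("CVE-0000-0003", "vsftpd", 5.0, affected_lt="2.3.5"),  # below threshold
    CveRecord("CVE-0000-0004", "Samba", 10.0, affected_lt="3.5.9"),
    CveRecord("CVE-0000-0005", "OpenSSH", 7.2, affected_lt="5.8", affected_ge="5.0"),
]

if __name__ == "__main__":
    for port, cve_id, verdict in triage(parse_nmap(SAMPLE_NMAP), SAMPLE_CVES):
        print(f"{port:<10} {cve_id}  {verdict}")
```

Running the script on the constructed input yields four findings: the OpenSSH and first Apache records fall outside their affected ranges, the second Apache record is affected, and the Samba record cannot be decided from the banner alone; the vsftpd record is dropped by the CVSS threshold before any version comparison.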
This process revealed additional software and services that were not found by the first few methods. This software and these services were researched further and their vulnerabilities were identified.

Lastly, vulnerabilities were validated. The top 15 vulnerabilities of critical and high level reported by Nessus were validated, as well as all vulnerabilities found in the second part of the procedure (research using CVE Details). All vulnerabilities that did not have a Metasploit exploit were searched for using . If an exploit was not found using , the vulnerability was researched further using the CVE Details web site. If the vulnerability was verified using this database, it was considered validated.

Assessment of System at IP 10.2.243.51

This server reported only 1 critical level alert from the Nessus scan (severity level of critical). This server also reported the fewest operating system vulnerabilities (Ubuntu Linux 11.04). The server has 19 open ports and is running one web server (Apache) on port 80. The nmap scan revealed an unknown service running on UDP port 50866. The server has 38 total vulnerabilities, of which 33 were validated. The server also allows anonymous FTP access, which can create security issues such as reading and writing confidential information, depending on the level of access granted in directories. In addition, the version of Samba on the server has many security holes, as documented below. Lastly, Ubuntu Linux 11.04 is no longer supported.
This creates a system that is vulnerable to current and future security problems.

| Port | Service | Version | Reported Vulnerabilities | Validated Vulnerabilities |
| 7/tcp | echo | | | |
| 9/tcp | discard | ? | | |
| 13/tcp | daytime | | | |
| 19/tcp | chargen | xinetd chargen | CVE-2013-4342, CVE-2001-0825, CVE-2000-0536 | yes, yes, yes |
| 21/tcp | ftp | vsftpd 2.3.2 | | |
| 22/tcp | ssh | OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0) | | |
| 37/tcp | time | | | |
| 80/tcp | http | Apache httpd 2.2.17 ((Ubuntu)) | CVE-2013-2249, CVE-2006-1243, CVE-2005-2733 | yes, yes, no |
| 139/tcp | netbios-ssn | Samba smbd 3.X (workgroup: WORKGROUP) | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446 | yes, yes, no, no, yes |
| 445/tcp | netbios-ssn | Samba smbd 3.X (workgroup: WORKGROUP) | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446 | yes, yes, no, no, no |
| 7/udp | echo | | | |
| 9/udp | discard | | | |
| 13/udp | daytime | | | |
| 19/udp | chargen | | | |
| 37/udp | time | | | |
| 137/udp | netbios-ns | Samba nmbd (workgroup: WORKGROUP) | CVE-2015-0240, CVE-2013-4408, CVE-2012-1182, CVE-2011-2411, CVE-2007-2446 | yes, yes, no, no, no |
| 138/udp | netbios-dgm | | | |
| 5353/udp | mdns | | | |
| 50866/udp | unknown | | | |

xinetd chargen

CVE-2013-4342 (Validated)
Description: The services are run as root because xinetd does not enforce the user and group configuration for TCPMUX services. This makes it easier for remote attackers to gain privileges by leveraging another vulnerability in a service.
Validation: Verified in CVE Details at 

Description: attackers are able to execute arbitrary commands via a length argument of zero or less, which disables the length check.
Validation: Verified in CVE Details at 

Description: are not properly restricted if hostnames are used for access control and the connecting host does not have a reverse DNS entry.
Validation: Verified in CVE Details at 

Apache httpd 2.2.17 ((Ubuntu))

CVE-2013-2249 (Validated)
Description: Save operations for a session proceed without considering the dirty flag and the requirement for a new session ID.
This has an unspecified impact and remote attack vectors.
Validation: Verified in CVE Details at 

PHP Blog 0.4.0

CVE-2006-1243 (Validated)
Description: A directory traversal vulnerability that allows remote attackers to include and execute arbitrary local files via directory traversal sequences.
Validation: Verified that vulnerability affects this version at and 

Validated
Description: Allows remote attackers to execute arbitrary code because file extensions are not properly restricted.
Validation: 

Samba smbd 3.X (version determined to be 3.5.8)

CVE-2015-0240 (Validated)
Description: Allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API. Performs a free operation on an uninitialized stack pointer.
Validation: 

CVE-2013-4408 (Validated)
Description: Allows remote AD domain controllers to execute arbitrary code via an invalid fragment length in a DCE-RPC packet, through a heap-based buffer overflow.
Validation: Verified that vulnerability affects this version at 

Validated
Description: Allows remote attackers to execute arbitrary code via a crafted RPC call.
Improper validation of an array length, in a manner consistent with validation of array memory allocation, creates the issue.
Validation: 

CVE-2011-2411 (Not Validated)
Description: Allows remote authenticated users to execute arbitrary code via unknown vectors due to an unspecified vulnerability in HP NonStop Servers.
Validation: Verified that vulnerability does not affect this server at 

Validated
Description: Allows authenticated users to bypass intended file permissions via standard filesystem operations with any client.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: May allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename.
Validation: Verified that vulnerability does not affect this version at 

CVE-2008-1720 (Not Validated)
Description: May allow remote attackers to execute arbitrary code via unknown vectors.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: Allows remote attackers to execute arbitrary code via a crafted SMB response, via a heap-based overflow.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: Allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: Allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request, via a stack-based overflow.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: Allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests, via a stack-based overflow.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: Allows remote attackers to execute arbitrary code via
MS-RPC requests, via multiple heap-based overflows.
Validation: 

CVE-2007-2444 (Not Validated)
Description: Allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the root user via a logic error.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: Allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: May allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small maximum data bytes value.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: Trims certain directory names down to absolute paths, which could allow remote attackers to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames.
Validation: Verified that vulnerability affects this version at 

Validated
Description: Allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication, via a buffer overflow.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: Allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted.
Validation: Verified that vulnerability does not affect this version at 

Validated
Description: The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.
Validation: Verified that vulnerability does not affect this version at 

Ubuntu 11.04

CVE-2012-1166 (Validated)
Description: The default keybindings for wwm in LTSP Display Manager (ldm) 2.2.x before 2.2.7 allow remote attackers to execute arbitrary commands via the KP_RETURN keybinding, which launches a terminal window.
Validation: Verified that vulnerability affects this version at 

Description: Ubuntu One Client for Ubuntu 10.04 LTS, 11.04, 11.10, and 12.04 LTS does not properly validate SSL certificates, which allows remote attackers to spoof a server and modify or read sensitive information via a man-in-the-middle (MITM) attack.
Validation: Verified that vulnerability affects this version at 

Description: cupshelpers scripts in system-config-printer in Ubuntu 11.04 and 11.10, as used by the automatic printer driver download service, use an "insecure connection" for queries to the OpenPrinting database, which allows remote attackers to execute arbitrary code via a man-in-the-middle (MITM) attack that modifies packages or repositories.
Validation: Verified that vulnerability affects this version at 

2.6x

CVE-2015-0312 (Validated)
Description: Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.
Validation: Verified that vulnerability affects this version at 

Description: vulnerability in HP Operations Manager 9.10 and 9.11 on UNIX allows remote attackers to execute arbitrary code via unknown vectors.
Validation: Verified that vulnerability affects this version at 

Description: overflow in Adobe Reader 9.x before 9.4.6 on Linux allows attackers to execute arbitrary code via unspecified vectors.
Validation: Verified that vulnerability affects this version at 

Description: do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the
bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X server.
Validation: Verified that vulnerability affects this version at 

Description: buffer overflows in the ndiswrapper module 1.53 for the Linux kernel 2.6 allow remote attackers to execute arbitrary code by sending packets over a local wireless network that specify long ESSIDs.
Validation: Verified that vulnerability affects this version at 

Description: overflow in the get_fdb_entries function in net/bridge/br_ioctl.c in the Linux kernel before 2.6.18.4 allows local users to execute arbitrary code via a large maxnum value in an ioctl request.
Validation: Verified that vulnerability affects this version at 

Description: elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.
Validation: Verified that vulnerability affects this version at and - the exploit indicates that the vulnerability does not exist in the 2.6 kernel tree; however, 2.6.20 is listed on CVE Details.

CVE-2004-1071 (Validated)
Description: The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code.
Validation: Verified that vulnerability affects this version at 

Description: load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly check return values from calls to the kernel_read function, which may allow local users to modify sensitive memory in a setuid program and execute arbitrary code.
Validation: Verified that vulnerability affects this version at 

Description: allows local users to execute arbitrary commands by setting the
KDEDIR environment variable to modify the search path that KDE uses to locate its executables.
Validation: Verified that vulnerability affects this version at 

Assessment of System at IP 10.2.243.52

This server reported 3 critical level alerts from the Nessus scan (severity level of critical). The server reported 18 vulnerabilities relating to the operating system (Microsoft Windows Server 2003). The server has 18 open ports and is running a web server on port 80 and port 9223. Two unknown services are running on UDP ports 1027 and 2535. A total of 31 vulnerabilities were found, of which 25 were validated. Lastly, Windows Server 2003 is no longer supported. This creates a system that is vulnerable to current and future security problems.

| Port | Service | Version | Reported Vulnerabilities | Validated Vulnerabilities |
| 80/tcp | http | Microsoft IIS httpd 6.0 | CVE-2010-1256, CVE-2009-1535, CVE-2008-1446 | yes, yes, yes |
| 135/tcp | msrpc | Microsoft Windows RPC | CVE-2015-2370 | yes |
| 139/tcp | netbios-ssn | Microsoft Windows 98 netbios-ssn | CVE-2000-1079 | no |
| 445/tcp | tcpwrapped | | CVE-2008-4250 | yes |
| 1025/tcp | msrpc | Microsoft Windows RPC | CVE-2015-2370 | yes |
| 1026/tcp | msrpc | Microsoft Windows RPC | CVE-2015-2370 | yes |
| 1028/tcp | msrpc | Microsoft Windows RPC | CVE-2015-2370 | yes |
| 9223/tcp | http | Microsoft IIS httpd 6.0 | CVE-2010-1256, CVE-2009-1535, CVE-2008-1446 | yes, yes, yes |
| 67/udp | dhcps | | CVE-2011-0997, CVE-2009-0692 | no, no |
| 68/udp | dhcpc | | CVE-2011-0997, CVE-2009-0692 | no, no |
| 123/udp | ntp | | CVE-2014-9295, CVE-2014-9294, CVE-2014-9293 | no, no, no |
| 137/udp | netbios-ns | Microsoft Windows NT netbios-ssn (workgroup: WORKGROUP) | CVE-2000-1079 | no |
| 138/udp | netbios-dgm | | | |
| 445/udp | microsoft-ds | | | |
| 500/udp | isakmp | | CVE-2005-3666 | yes |
| 1027/udp | unknown | | | |
| 2535/udp | unknown | | | |
| 4500/udp | nat-t-ike | | | |

Microsoft IIS httpd 6.0

CVE-2010-1256 (Validated)
Description: Unspecified vulnerability in Microsoft IIS 6.0, 7.0, and 7.5, when Extended Protection for Authentication is enabled, allows remote authenticated users to execute arbitrary code via unknown vectors related to "token checking" that trigger memory corruption, aka "IIS Authentication Memory Corruption
Vulnerability."
Validation: Verified in CVE Details at 

Description: WebDAV extension in Microsoft Internet Information Services (IIS) 5.1 and 6.0 allows remote attackers to bypass URI-based protection mechanisms, and list folders or read, create, or modify files, via a %c0%af (Unicode / character) at an arbitrary position in the URI, as demonstrated by inserting %c0%af into a "/protected/" initial pathname component to bypass the password protection on the protected\ folder, aka "IIS 5.1 and 6.0 WebDAV Authentication Bypass Vulnerability," a different vulnerability than CVE-2009-1122.
Validation: and 

Description: overflow in the Internet Printing Protocol (IPP) ISAPI extension in Microsoft Internet Information Services (IIS) 5.0 through 7.0 on Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 allows remote authenticated users to execute arbitrary code via an HTTP POST request that triggers an outbound IPP connection from a web server to a machine operated by the attacker, aka "Integer Overflow in IPP Service Vulnerability."
Validation: Verified in CVE Details at 

Windows RPC

CVE-2015-2370 (Validated)
Description: The authentication implementation in the RPC subsystem in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not prevent DCE/RPC connection reflection, which allows local users to gain privileges via a crafted application, aka "Windows RPC Elevation of Privilege Vulnerability."
Validation: Verified in CVE Details at - exploit not for Windows Server 2003 - 

Windows 98 netbios-ssn

CVE-2000-1079 (Not Validated)
Description: Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.
Validation: Verified in CVE Details that this version is
not impacted.

Description: unspecified format string vulnerabilities in multiple unspecified implementations of Internet Key Exchange version 1 (IKEv1) have multiple unspecified attack vectors and impacts, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. NOTE: due to the lack of information in the original sources, it is likely that this candidate will be REJECTed once it is known which implementations are actually vulnerable.
Validation: Verified in CVE Details at 

Validated
Description: Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.
Validation: Verified in CVE Details - not sure of version.

Validated
Description: util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
Validation: Verified in CVE Details - not sure of version.

Validated
Description: The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
Validation: Verified in CVE Details - not sure of version.

Validated
Description: dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.
Validation: Verified in CVE Details - not sure of version.

Validated
Description: Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows
remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
Validation: Verified in CVE Details - not sure of version.

Windows Server 2003

CVE-2015-1727 (Validated)
Description: Buffer overflow in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Win32k Pool Buffer Overflow Vulnerability."
Validation: Verified in CVE Details at - Exploit DB does not give version information - 

Description: vulnerability in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Microsoft Windows Kernel Brush Object Use After Free Vulnerability."
Validation: Verified in CVE Details at - Exploit DB does not give version information - 

Description: overflow in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Win32k Buffer Overflow Vulnerability."
Validation: Verified in CVE Details at - Exploit DB does not give version information - and 

Description: vulnerability in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Microsoft Windows Kernel Object Use After Free Vulnerability."
Validation: Verified in CVE Details at - Exploit DB does not give version information - 
Description: vulnerability in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Microsoft Windows Station Use After Free Vulnerability."
Validation: Verified in CVE Details at - Exploit DB does not give version information - 

Description: vulnerability in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Microsoft Windows Kernel Bitmap Handling Use After Free Vulnerability."
Validation: Verified in CVE Details at - Exploit DB does not give version information - and 

Description: vulnerability in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Microsoft Windows Kernel Use After Free Vulnerability."
Validation: Verified in CVE Details at 

Description: Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to execute arbitrary code via a crafted Enhanced Metafile (EMF) image, aka "EMF Processing Remote Code Execution Vulnerability."
Validation: Verified in CVE Details at 

Description: Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "Windows MS-DOS Device Name Vulnerability."
Validation: Verified in CVE
Details at 

Description: Windows Server 2003 R2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "NtCreateTransactionManager Type Confusion Vulnerability."
Validation: Verified in CVE Details at 

Description: search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
Validation: Verified in CVE Details at 

Description: Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, and CVE-2015-0092.
Validation: Verified in CVE Details at 

Description: Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, and CVE-2015-0093.
Validation: Verified in CVE Details at 

Description: Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1,
Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0092, and CVE-2015-0093.
Validation: Verified in CVE Details at 

Description: Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093.
Validation: Verified in CVE Details at 

Description: Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0090, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093.
Validation: Verified in CVE Details at 

Description: overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows Telnet Service Buffer Overflow Vulnerability."
Validation: Verified in CVE Details at 

Description: User Profile Service (aka ProfSvc) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges by conducting a junction
attack to load another user's UsrClass.dat registry hive, aka MSRC ID 20674 or "Microsoft User Profile Service Elevation of Privilege Vulnerability."
Validation: Verified in CVE Details at 

Description: Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."
Validation: Verified in CVE Details at 

Description: in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."
Validation: DoS cannot be validated - Verified in CVE Details at 

Assessment of System at IP 10.2.243.53

This server reported 10 critical level alerts from the Nessus scan (severity level of critical). This server had the most operating system vulnerabilities because it is running 2 operating systems (Microsoft Windows XP SP2 and Windows Server 2003). The server has 20 open ports. In addition, the server has 2 web servers running (Apache on port 80 and Apache on port 443). Also, the server has 2 databases running (MySQL on port 3306 and Microsoft SQL Server on port 1434). It is noteworthy that the server is running ftp on port 21 and mail on port 25. Running all of these services on this server increases its attack surface and creates more risk for the system. Vulnerabilities for these services may not exist now, but the possibility remains for vulnerabilities to be discovered in the future.
In addition, both operating systems on the server are no longer supported, which creates current and future security problems.

| Port | Service | Version | Reported Vulnerabilities | Validated Vulnerabilities |
|---|---|---|---|---|
| 21/tcp | ftp | FileZilla ftpd 0.9.32 beta | CVE-2007-2318, CVE-2006-2403 | no, no |
| 25/tcp | smtp | SLmail smtpd 5.5.0.4433 | | |
| 80/tcp | http | Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0) | CVE-2012-1823, CVE-2010-0425, CVE-2012-5159, CVE-2014-0224, CVE-2012-2376 | yes, yes, yes, yes, no |
| 135/tcp | msrpc | Microsoft Windows RPC | CVE-2015-2370 | yes |
| 139/tcp | netbios-ssn | Microsoft Windows 98 netbios-ssn | CVE-2000-1079 | |
| 180/tcp | ris | ? | | |
| 443/tcp | ssl/http | Apache httpd 2.2.12 ((Win32) DAV/2 mod_ssl/2.2.12 OpenSSL/0.9.8k mod_autoindex_color PHP/5.3.0 mod_perl/2.0.4 Perl/v5.10.0) | CVE-2012-1823, CVE-2010-0425, CVE-2012-5159, CVE-2014-0224, CVE-2012-2376 | yes, yes, yes, yes, no |
| 445/tcp | microsoft-ds | Microsoft Windows XP microsoft-ds | CVE-2006-3439, CVE-2008-4114 | no, yes |
| 3306/tcp | mysql | MySQL (unauthorized) | CVE-2008-0226, CVE-2004-0835, CVE-2004-0627, CVE-2003-0780, CVE-2003-0150 | yes, no, no, no, no |
| 123/udp | ntp | | CVE-2014-9295, CVE-2014-9294, CVE-2014-9293 | no, no, no |
| 137/udp | netbios-ns | Microsoft Windows NT netbios-ssn (workgroup: WORKGROUP) | CVE-2000-1079 | no |
| 138/udp | netbios-dgm | | | |
| 161/udp | snmp | SNMPv1 server (public) | | |
| 445/udp | microsoft-ds | | | |
| 500/udp | isakmp | | CVE-2005-3666 | yes |
| 1025/udp | blackjack | | | |
| 1186/udp | unknown | | | |
| 1434/udp | ms-sql-m | Microsoft SQL Server 9.00.1399.06 (ServerName: CS-6B8F28CC69A7; TCPPort: 1433) | CVE-2009-3126, CVE-2009-2528, CVE-2009-2504, CVE-2009-2503, CVE-2009-2502 | yes, yes, yes, yes, yes |
| 1900/udp | upnp | | | |
| 4500/udp | nat-t-ike | | | |

FileZilla ftpd 0.9.32 beta
CVE-2007-2318 - Not Validated
Description: Multiple format string vulnerabilities in FileZilla before 2.2.32 allow remote attackers to execute arbitrary code via format string specifiers in (1) FTP server responses or (2) data sent by an FTP server.
NOTE: some of these details are obtained from third party information.
Validation: Verified in CVE Details; does not impact this version.

Validated
Description: Buffer overflow in FileZilla before 2.2.23 allows remote attackers to execute arbitrary commands via unknown attack vectors.
Validation: Verified in CVE Details; does not impact this version.

Apache httpd 2.2.12
CVE-2013-2249 - Validated
Description: mod_session_dbd.c in the mod_session_dbd module in the Apache HTTP Server before 2.4.5 proceeds with save operations for a session without considering the dirty flag and the requirement for a new session ID, which has unspecified impact and remote attack vectors.
Validation: Verified in CVE Details.

Description: in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers."
Validation: Verified in CVE Details.

Validated
Description: Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
NOTE: some of these details are obtained from third party information.
Validation: Does not impact this version. Verified in CVE Details.

Description: mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.
Validation: Verified in CVE Details.

Validated
Description: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SERVER:DML.
Validation: Version not known. Verified in CVE Details.

Not Validated
Description: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.30, has unspecified impact and attack vectors, a different vulnerability than CVE-2012-0553.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Information
Schema.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.64 and earlier, and 5.5.26 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Protocol.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Unspecified vulnerability in MySQL 5.5.x before 5.5.23 has unknown impact and attack vectors related to a "Security Fix", aka Bug #59533. NOTE: this might be a duplicate of CVE-2012-1689, but as of 20120816, Oracle has not commented on this possibility.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Buffer overflow in yaSSL, as used in MySQL 5.5.20 and possibly other versions including 5.5.x before 5.5.22 and 5.1.x before 5.1.62, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VulnDisco Pack Professional 9.17. NOTE: as of 20120224, this disclosure has no actionable information. However, because the module author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.
NOTE: due to lack of details, it is not clear whether this issue is a duplicate of CVE-2012-0492 or another CVE.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.28, has unspecified impact and attack vectors, a different vulnerability than CVE-2013-1492.
Validation: Version not known. Verified in CVE Details.

Description: buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.
Validation:

Validated
Description: SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input.
Validation: Version not known. Verified in CVE Details.

Validated
Description: MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities.
Validation: Version not known. Verified in CVE Details. Exploit DB - DoS.

CVE-2004-0627 - Not Validated
Description: The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string.
Validation: Version not known. Verified in CVE Details. Exploit DB - not sure how to run.

CVE-2003-0780 - Not Validated
Description: Buffer overflow in get_salt_from_password from sql_ for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field.
Validation: Version not known. Verified in CVE Details.
Exploit DB - not sure how to run.

CVE-2003-0150 - Not Validated
Description: MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying f.
Validation: Version not known. Verified in CVE Details. Exploit DB - not sure how to run.

CVE-2002-1923 - Not Validated
Description: The default configuration in MySQL 3.20.32 through 3.23.52, when running on Windows, does not have logging enabled, which could allow remote attackers to conduct activities without detection.
Validation: Version not known. Verified in CVE Details.

Validated
Description: The default configuration of MySQL 3.20.32 through 3.23.52, when running on Windows, does not set the bind address to the loopback interface, which allows remote attackers to connect to the database.
Validation: Version not known. Verified in CVE Details.

Validated
Description: The default configuration of the Windows binary release of MySQL 3.23.2 through 3.23.52 has a NULL root password, which could allow remote attackers to gain unauthorized root access to the MySQL database.
Validation: Version not known. Verified in CVE Details. Exploit DB - not sure how to run.

CVE-2002-1375 - Not Validated
Description: The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x to 4.0.6, allows remote attackers to execute arbitrary code via a long response.
Validation: Version not known. Verified in CVE Details. Exploit DB - not sure how to run.

CVE-2002-1374 - Not Validated
Description: The COM_CHANGE_USER command in MySQL 3.x before 3.23.54, and 4.x before 4.0.6, allows remote attackers to gain privileges via a brute force attack using a one-character password, which causes MySQL to only compare the provided password against the first character of the real password.
Validation: Version not known. Verified in CVE Details. Exploit DB - not sure how to run.

CVE-2001-1454 - Not Validated
Description: Buffer overflow in MySQL before 3.23.33 allows remote attackers to execute arbitrary code via a long drop database request.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Buffer overflow in libmysqlclient.so in MySQL 3.23.33 and earlier allows remote attackers to execute arbitrary code via a long host parameter.
Validation: Version not known. Verified in CVE Details.

Validated
Description: MySQL before 3.23.31 allows users with a MySQL account to use the SHOW GRANTS command to obtain the encrypted administrator password from the mysql.user table and possibly gain privileges via password cracking.
Validation: Version not known. Verified in CVE Details.

Validated
Description: MySQL Database Engine uses a weak authentication method which leaks information that could be used by a remote attacker to recover the password.
Validation: Version not known. Verified in CVE Details.

Validated
Description: MySQL 3.22 allows remote attackers to bypass password authentication and access a database via a short check string.
Validation: Version not known. Verified in CVE Details.

Validated
Description: Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.
Validation: Verified in CVE Details. Not sure of version.

Validated
Description: util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
Validation: Verified in CVE Details. Not sure of version.

Validated
Description: The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a
brute-force attack.
Validation: Verified in CVE Details. Not sure of version.

SQL Server 9.00.1399.06
CVE-2009-3126 - Validated
Description: Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted PNG image file, aka "GDI+ PNG Integer Overflow Vulnerability."
Validation: Verified in CVE Details.

Description: in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption, aka "Memory Corruption Vulnerability."
Validation: Verified in CVE Details.

Description: integer overflows in unspecified APIs in GDI+ in Microsoft .NET Framework 1.1 SP1, .NET Framework 2.0 SP1 and SP2, Windows XP SP2 and SP3, Windows Server 2003 SP2, Vista Gold and SP1, Server 2008 Gold, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1,
Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allow remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP), (2) a crafted application, or (3) a crafted .NET Framework application, aka "GDI+ .NET API Vulnerability."
Validation: Verified in CVE Details.

Description: in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 does not properly allocate an unspecified buffer, which allows remote attackers to execute arbitrary code via a crafted TIFF image file that triggers memory corruption, aka "GDI+ TIFF Memory Corruption Vulnerability."
Validation: Verified in CVE Details.

Description: overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted TIFF image file,
aka "GDI+ TIFF Buffer Overflow Vulnerability."
Validation: Verified in CVE Details.

Description: buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted PNG image file, aka "GDI+ PNG Heap Overflow Vulnerability."
Validation: Verified in CVE Details.

Description: overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted WMF image file, aka "GDI+ WMF Integer Overflow Vulnerability."
Validation: Verified in CVE Details.

Windows RPC
CVE-2015-2370 - Validated
Description: The authentication implementation in the RPC subsystem in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1,
Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not prevent DCE/RPC connection reflection, which allows local users to gain privileges via a crafted application, aka "Windows RPC Elevation of Privilege Vulnerability."
Validation: Verified in CVE Details. Exploit not for Windows Server 2003.

Windows 98 netbios-ssn
CVE-2000-1079 - Not Validated
Description: Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram.
Validation: Verified in CVE Details that this version is not impacted.

OpenSSL 0.9.8k
CVE-2011-4109 - Validated
Description: Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.
Validation: Verified in CVE Details that this version is affected.

Description: before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Validation: Verified in CVE Details that this version is affected.

Description: race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
Validation: Verified in CVE Details that this version is affected.

Description: Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify
invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Validation: Verified in CVE Details that this version is affected.

Description: before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Validation: Verified in CVE Details that this version is affected.

Description: before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Validation:

Description: unspecified format string vulnerabilities in multiple unspecified implementations of Internet Key Exchange version 1 (IKEv1) have multiple unspecified attack vectors and impacts, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1.
NOTE: due to the lack of information in the original sources, it is likely that this candidate will be REJECTed once it is known which implementations are actually vulnerable.
Validation: Verified in CVE Details.

PHP 5.3.0
CVE-2014-9427 - Validated
Description: sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.
Validation: Verified in CVE Details.

Description: in PHP before 5.3.22 and 5.4.x before 5.4.13 does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.
Validation: Verified in CVE Details.

Description: vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."
Validation: Verified in CVE Details.

Validated
Description: Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to execute arbitrary code via crafted arguments that trigger incorrect handling of COM object VARIANT types, as exploited in the wild in May 2012.
Validation: Verified in CVE Details. Exploit DB - version 5.4 (5.4.3).

CVE-2012-2311 - Validated
Description: sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that contain a %3D
sequence but no = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
Validation: Verified in CVE Details. Exploit DB.

Description: in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
Validation: Verified in CVE Details.

Description: overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483.
Validation: Verified in CVE Details.

Description: vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function.
Validation: Verified in CVE Details.

Description: (1) sqlite_single_query and (2) sqlite_array_query functions in ext/sqlite/sqlite.c in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to execute arbitrary code by calling these functions with an empty SQL query, which triggers access of uninitialized memory.
Validation: Verified in CVE Details. Exploit DB.

Description: proc_open function in ext/standard/proc_open.c in PHP before 5.2.11 and 5.3.x before 5.3.1 does not enforce the (1) safe_mode_allowed_env_vars and (2) safe_mode_protected_env_vars directives, which allows context-dependent attackers to execute programs with an arbitrary environment via the env parameter, as demonstrated by a crafted value of the LD_LIBRARY_PATH environment variable.
Validation: Verified in CVE Details.

Validated
Description: ** DISPUTED ** main/streams/plain_wrapper.c in PHP 5.3.x before 5.3.1 does not recognize the safe_mode_include_dir directive, which allows context-dependent attackers to have an unknown impact by triggering the failure of PHP scripts that perform include or require operations, as demonstrated by a script that attempts to perform a require_once on a file in a standard library directory. NOTE: a reliable third party reports that this is not a vulnerability, because it results in a more restrictive security policy.
Validation: Verified in CVE Details.

Description: _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.x before 5.3.1, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information.
Validation: Verified in CVE Details.

Description: resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which can then be used to destroy and modify internal resources.
NOTE: it was later reported that PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 are also affected.
Validation: Verified in CVE Details.

Perl v5.10.0
CVE-2012-6329 - Not Validated
Description: The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
Validation:

phpMyAdmin 3.2.0.1-10.2.243.53
CVE-2012-5159 - Validated
Description: phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack.
Validation: Verified in CVE Details.

Description: in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
Validation: Verified in CVE Details. Exploit DB.

Description: injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters.
Validation: Verified in CVE Details.

Windows XP Professional SP2
CVE-2013-3876 - Validated
Description: DirectAccess in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly verify server X.509 certificates, which allows man-in-the-middle
attackers to spoof servers and read encrypted domain credentials via a crafted certificate.
Validation: Verified in CVE Details.

Description: Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT allow remote attackers to execute arbitrary code via a malformed asynchronous RPC request, aka "Remote Procedure Call Vulnerability."
Validation: Verified in CVE Details.

Description: kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT, and .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, and 4.5, allow remote attackers to execute arbitrary code via a crafted OpenType font (OTF) file, aka "OpenType Font Parsing Vulnerability."
Validation: Verified in CVE Details.

Description: underflow in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows local users to gain privileges via a crafted application that triggers an incorrect truncation of a 64-bit integer to a 32-bit integer, aka "Windows Kernel Integer Underflow Vulnerability."
Validation: Verified in CVE Details.

Description: condition in Microsoft Internet Explorer 6 SP1; 6 and 7 for Windows XP SP2 and SP3; 6 and 7 for Server 2003 SP2; 7 for Vista Gold, SP1, and SP2; and 7 for Server 2008 SP2 allows remote attackers to execute arbitrary code or perform other actions upon a page transition, with the permissions of the old page and the content of the new page, as demonstrated by setInterval functions that set location.href within a try/catch expression, aka the "bait & switch vulnerability" or "Race Condition Cross-Domain Information Disclosure Vulnerability."
Validation: Verified in CVE Details.

Description: vulnerability in Microsoft Windows 2000, XP, and Server 2003 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors.
NOTE: this information is based upon a vague pre-advisory with no actionable information. However, the advisory is from a reliable source.
Validation: Verified in CVE Details.

Validated
Description: Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."
Validation: Does not impact this version. Verified in CVE Details.

Validated
Description: Buffer overflow in the Server Service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers, including anonymous users, to execute arbitrary code via a crafted RPC message, a different vulnerability than CVE-2006-1314.
Validation:

Windows Server 2003 (has same vulnerabilities as the .51 server)
CVE-2015-0096 - Validated
Description: Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
Validation: Verified in CVE Details.

Description: in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."
Validation: DoS cannot be validated. Verified in CVE Details.

The security assessment has shown that all
servers (10.2.243.51, 10.2.243.52 and 10.2.243.53) have security vulnerabilities that need to be addressed. Two servers (10.2.243.51 and 10.2.243.52) are close in their level of vulnerability, while 10.2.243.53 is the most vulnerable to attack. Steps should be taken to correct these vulnerabilities before the systems are compromised (assuming they have not been already). Mitigation for each server is described below.

10.2.243.51
Linux Ubuntu 11.04: Upgrade to the latest version, Ubuntu 16.04 LTS.
Apache httpd 2.2.17: Upgrade to Apache 2.4.20, the current stable release.
vsftpd 2.3.2: Remove the ftp service and move to OpenSSH Server, which allows use of the SSH File Transfer Protocol.
Samba smbd 3.x: Upgrade to Samba 4.4.2, the current stable release.
Simple PHP Blog 0.4.0: Upgrade to Simple PHP Blog 0.8.4, which did not report any security vulnerabilities.
Port 50866: Investigate the unknown service running on this port and close the port.
Overall recommendation: Make sure all other software and services are running the latest stable release.

10.2.243.52
Windows Server 2003: Upgrade to Windows Server 2012 R2.
Microsoft IIS httpd 6.0: Upgrade to IIS 8.5, available on Windows Server 2012 R2.
udp port 1027: Investigate the unknown service running on this port and close the port.
udp port 2535: Investigate the unknown service running on this port and close the port.
Overall recommendation: Make sure all other software or services are running the latest stable release.

10.2.243.53
Windows Server 2003 and Windows XP SP2: Upgrade to Windows Server 2012 R2.
Apache httpd 2.2.12: Upgrade to IIS 8.5, available on Windows Server 2012 R2, or upgrade to Apache 2.4.20, the current stable release.
FileZilla ftpd 0.9.32: Move to SSH File Transfer Protocol (WinSCP 5.7.7).
SLmail: Investigate whether mail is still needed. If it is, use SMTP on Windows Server 2012.
OpenSSL 0.9.8k: Upgrade to OpenSSL 0.9.8za or later.
PHP 5.3.0: Upgrade to PHP 7.0.5, which shows no security vulnerabilities via CVE Details.
MySQL and Microsoft SQL Server: Investigate the mysql service running on tcp port 3306; it reports as unauthorized. Investigate whether both are needed. If both are needed, upgrade to the latest stable versions (MySQL 5.7 and Microsoft SQL Server 2012).
Perl v5.10.0: Upgrade to Perl 5.22.1, the latest stable release, which shows no security vulnerabilities via CVE Details.
phpMyAdmin 3.2.0.1: Upgrade to phpMyAdmin 4.6.0.
Web servers (port 80 and port 443): Investigate whether both are needed. If not, close one port (probably port 80, since 443 handles ssl/http).
udp port 1186: Investigate the unknown service running on this port and close the port.
Overall recommendation: Make sure all other software or services are running the latest stable release. Also investigate moving some of these services to other servers if possible. In other words, use multiple virtual servers to separate the services.

References
CVE Details – The ultimate security vulnerability datasource
Metasploit Unleashed – The ultimate guide to the Metasploit Framework
Exploit Database – Offensive Security Exploit Database Archive
Website Security
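The validation step the report relies on, matching each nmap-reported product and version against CVE Details and discarding anything scored below CVSS 7, can be scripted so that the per-host counts used to rank the servers are reproducible. The block below is an added example written for this page, not code from the report or from CVE Details. Its inventory mirrors product names and versions the report lists (Apache httpd 2.2.17, vsftpd 2.3.2, OpenSSL 0.9.8k, PHP 5.3.0, IIS 6.0), but every CVE record in it is a constructed placeholder with a CVE-SAMPLE-* identifier and no real advisory content; the version parser assumes dotted numeric versions with an optional OpenSSL-style patch letter and does not handle "SP2"-style Windows service-pack strings.

```python
"""Vulnerability triage helper (added example, not part of the report).

Matches an nmap-style inventory of host/product/version triples against a
table of CVE-style records, keeps only records whose CVSS score meets the
report's threshold of 7, and checks that the installed version falls inside
the record's affected range.  Every record below is a constructed placeholder
(CVE-SAMPLE-*), not a real advisory.
"""
from dataclasses import dataclass
import re

CVSS_THRESHOLD = 7.0  # the report ignored findings scored below 7


@dataclass(frozen=True)
class Service:
    host: str
    product: str   # product name as nmap prints it, e.g. "Apache httpd"
    version: str   # version string as nmap prints it, e.g. "2.2.17"


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    first_affected: str  # inclusive lower bound; "" means no lower bound
    last_affected: str   # inclusive upper bound; "" means no upper bound
    cvss: float
    summary: str


def parse_version(version: str) -> tuple:
    """Turn '2.2.17' or '0.9.8k' into a tuple that compares correctly.

    Numeric fields become ints.  A letter field (OpenSSL style:
    0.9.8k < 0.9.8z < 0.9.8za) becomes a base-27 integer so a longer letter
    run sorts after a shorter one, and a missing letter field ('0.9.8')
    sorts before any lettered one ('0.9.8a').
    """
    parts = []
    for token in re.findall(r"\d+|[a-z]+", version.lower()):
        if token.isdigit():
            parts.append(int(token))
        else:
            value = 0
            for ch in token:
                value = value * 27 + (ord(ch) - ord("a") + 1)
            parts.append(value)
    return tuple(parts)


def is_affected(svc: Service, rec: CveRecord) -> bool:
    """True when the record names this product and the version is in range."""
    if svc.product.lower() != rec.product.lower():
        return False
    ver = parse_version(svc.version)
    if rec.first_affected and ver < parse_version(rec.first_affected):
        return False
    if rec.last_affected and ver > parse_version(rec.last_affected):
        return False
    return True


def triage(inventory, records, threshold=CVSS_THRESHOLD):
    """Return (host, product, version, cve_id, cvss) tuples at or above threshold,
    highest score first."""
    findings = []
    for svc in inventory:
        for rec in records:
            if rec.cvss >= threshold and is_affected(svc, rec):
                findings.append((svc.host, svc.product, svc.version, rec.cve_id, rec.cvss))
    findings.sort(key=lambda f: (-f[4], f[0]))
    return findings


def counts_by_host(findings):
    """Per-host finding counts, the figure the report used to rank the servers."""
    counts = {}
    for f in findings:
        counts[f[0]] = counts.get(f[0], 0) + 1
    return counts


# Constructed inventory: product/version strings taken from the report's tables.
INVENTORY = [
    Service("10.2.243.51", "Apache httpd", "2.2.17"),
    Service("10.2.243.51", "vsftpd", "2.3.2"),
    Service("10.2.243.52", "Microsoft IIS httpd", "6.0"),
    Service("10.2.243.53", "OpenSSL", "0.9.8k"),
    Service("10.2.243.53", "PHP", "5.3.0"),
]

# Constructed placeholder records; none describes a real vulnerability.
RECORDS = [
    CveRecord("CVE-SAMPLE-0001", "Apache httpd", "2.2.0", "2.2.21", 7.5, "constructed sample, in range"),
    CveRecord("CVE-SAMPLE-0002", "Apache httpd", "2.4.0", "2.4.9", 9.0, "constructed sample, range misses 2.2.17"),
    CveRecord("CVE-SAMPLE-0003", "vsftpd", "", "2.3.4", 4.3, "constructed sample, below threshold"),
    CveRecord("CVE-SAMPLE-0004", "OpenSSL", "0.9.8", "0.9.8y", 7.1, "constructed sample, lettered range"),
    CveRecord("CVE-SAMPLE-0005", "PHP", "5.3.0", "5.3.0", 7.5, "constructed sample, exact version"),
]

if __name__ == "__main__":
    results = triage(INVENTORY, RECORDS)
    for host, product, version, cve_id, score in results:
        print(f"{host:14} {product:20} {version:8} {cve_id:16} CVSS {score}")
    print(counts_by_host(results))
```

The range check is the part worth keeping: a raw product-name match would flag Apache 2.2.17 for the 2.4.x-only record and hide the fact that the 4.3-scored vsftpd record was dropped by the threshold rather than by version, which is exactly the distinction the "Does not impact this version" and "DoS cannot be validated" notes in the tables above are making by hand.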