Firewall Vulnerability and Security Report
Start Time: Mon Apr 02 10:24:18 2007
Finish Time: Mon Apr 02 10:30:53 2007
10.1.172.5
12 Open Ports, 20 Notes, 1 Warning, 1 Hole.
10.1.172.5
telnet (23/tcp)

Synopsis :

A telnet server is listening on the remote port

Description :

The remote host is running a telnet server.
Using telnet is not recommended as logins, passwords and commands
are transferred in clear text.

An attacker may eavesdrop on a telnet session and obtain the
credentials of other users.

Solution:

Disable this service and use SSH instead

Risk Factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)

Plugin output:

Remote telnet banner:
?[2J?[Hname:
Plugin ID : 10281

Port is open
Plugin ID : 11219

A telnet server seems to be running on this port
Plugin ID : 10330

pptp (1723/tcp)
Port is open
Plugin ID : 11219

Synopsis :

A VPN server is listening on the remote port.

Description :

The remote host is running a PPTP (Point-to-Point Tunneling Protocol)
server. It allows users to set up a tunnel between their host and the
network the remote host is attached to.

Make sure the use of this software is done in accordance with your
corporate security policy.

Solution:

Disable this software if you do not use it

Risk Factor :

None

Plugin output :

It was possible to extract the following information from the remote PPTP server :
Firmware Version : 1
Vendor Name : Netopia
Host name : server

Plugin ID : 10622

domain (53/udp)
Port is open
Plugin ID : 11219

bootps (67/udp)
Port is open
Plugin ID : 11219

netbios-ns (137/udp)
Port is open
Plugin ID : 11219

netbios-dgm (138/udp)
Port is open
Plugin ID : 11219

snmp (161/udp)

Synopsis :

The community name of the remote SNMP server can be guessed.

Description :

It is possible to obtain the default community names of the remote
SNMP server.

An attacker may use this information to gain more knowledge about
the remote host, or to change the configuration of the remote
system (if the default community allows such modifications).

Solution:

Disable the SNMP service on the remote host if you do not use it,
filter incoming UDP packets going to this port, or change the
default community string.

Risk Factor :

High

Plugin output :

The remote SNMP server replies to the following default community
strings :

public

CVE : CVE-1999-0517, CVE-1999-0186, CVE-1999-0254, CVE-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Plugin ID : 10264

Port is open
Plugin ID : 11219

Synopsis :

The System Information of the remote host can be obtained via SNMP.

Description :

It is possible to obtain the system information about the remote
host by sending SNMP requests with the OID 1.3.6.1.2.1.1.1.

An attacker may use this information to gain more knowledge about
the target host.

Solution:

Disable the SNMP service on the remote host if you do not use it,
or filter incoming UDP packets going to this port.

Risk Factor :

Low

Plugin output :

System information :
sysDescr : Netopia R7100-C v4.11.3
sysObjectID : 1.3.6.1.4.1.304.2.2.19.7100
sysUptime : 4d 1h 52m 10s
sysContact :
sysName :
sysLocation :
sysServices : 4


Plugin ID : 10800

Synopsis :

The list of network interface cards of the remote host can be obtained via
SNMP.

Description :

It is possible to obtain the list of the network interfaces installed
on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.2.1.0.

An attacker may use this information to gain more knowledge about
the target host.

Solution:

Disable the SNMP service on the remote host if you do not use it,
or filter incoming UDP packets going to this port.

Risk Factor :

Low

Plugin output :

Interface 1 information :
ifIndex : 1
ifDescr : Eth0
ifPhysAddress : 0000f581c3b8

Interface 2 information :
ifIndex : 2
ifDescr : lp1
ifPhysAddress :

Interface 3 information :
ifIndex : 3
ifDescr : WAN 1
ifPhysAddress : 0000f581c3b88

Interface 4 information :
ifIndex : 4
ifDescr : WAN11
ifPhysAddress :

Interface 5 information :
ifIndex : 5
ifDescr : WAN10
ifPhysAddress :

Interface 6 information :
ifIndex : 6
ifDescr : WAN 3
ifPhysAddress :

Interface 7 information :
ifIndex : 7
ifDescr : WAN 4
ifPhysAddress :

Interface 8 information :
ifIndex : 8
ifDescr : WAN 8
ifPhysAddress :

Interface 9 information :
ifIndex : 9
ifDescr : WAN 9
ifPhysAddress :


Plugin ID : 10551

isakmp (500/udp)
Port is open
Plugin ID : 11219

efs (520/udp)
Port is open
Plugin ID : 11219

atmp (5150/udp)
Port is open
Plugin ID : 11219

general/tcp
Nessus SNMP scanner was able to retrieve the open port list with the community name public.
Plugin ID : 14274

10.1.172.5 resolves as 10-1-172-5dsl.yourisp.net.
Plugin ID : 12053

Synopsis :

It is possible to crash the remote host by sending it an SCTP packet.

Description :

There is a flaw in the SCTP code included in Linux kernel versions
2.6.16.x that results in a kernel panic when an SCTP packet with an
unexpected ECNE chunk is received in a CLOSED state. An attacker can
leverage this flaw to crash the remote host with a single, possibly
forged, packet.

See Also :

http://labs.musecurity.com/advisories/MU-200605-01.txt
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17

Solution:

Upgrade to Linux kernel version 2.6.17 or later.

Risk Factor :

Low / CVSS Base Score : 3.3
(AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N)
CVE : CVE-2006-2271
BID : 17910
Plugin ID : 21560

mach (6631/tcp)
Port is open
Plugin ID : 11219

pcanywheredata (5631/tcp)
Port is open
Plugin ID : 11219

general/udp
For your information, here is the traceroute from 192.168.10.102 to 10.1.172.5 :
192.168.10.102
192.1681.0.10
...

Plugin ID : 10287