[4eyes] FW: [UCSB-OIT #469842] Vulnerabilities Found on 128.111.28.100

Matthew Turk mturk at cs.ucsb.edu
Thu Oct 25 14:22:01 PDT 2012


FYI - please check on this - is your IP address 128.111.28.100??

-----Original Message-----
From: Todd Atkins via RT [mailto:vsc at oit.ucsb.edu] 
Sent: Wednesday, October 24, 2012 10:05 AM
To: support at cs.ucsb.edu
Subject: [UCSB-OIT #469842] Vulnerabilities Found on 128.111.28.100

Greetings:

Our vulnerability scanner has found a potentially vulnerable host on your network.  You should consider taking the recommended actions mentioned in this report in order to reduce the chances of this host being abused by an attacker.  If you believe any part of this report to be incorrect, please let us know so that we can work to improve our reporting accuracy.

Here is information about the vulnerabilities that were found:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IP : 128.111.28.100
Scan Time : Tue Oct 23 20:53:31 2012
Service : ms-wbt-server (3389/tcp)
Plugin ID : 57690
Synopsis :

The remote host is using weak cryptography.

Description :

The remote Terminal Services service is not configured to use strong cryptography. 

Using weak cryptography with this service may allow an attacker to eavesdrop on the communications more easily and obtain screenshots and/or keystrokes.

Solution :

Change RDP encryption level to one of :

 3. High

 4. FIPS Compliant

CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin output :

The terminal services encryption level is set to :

2. Medium
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IP : 128.111.28.100
Scan Time : Tue Oct 23 20:53:31 2012
Service : ms-wbt-server (3389/tcp)
Plugin ID : 58453
Synopsis :

The remote Terminal Services doesn't use Network Level Authentication.

Description :

The remote Terminal Services is not configured to use Network Level Authentication (NLA). NLA uses the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication either through TLS/SSL or Kerberos mechanisms, which protect against man-in-the-middle attacks. In addition to improving authentication, NLA also helps protect the remote computer from malicious users and software by completing user authentication before a full RDP connection is established.

See also :

http://technet.microsoft.com/en-us/library/cc732713.aspx
http://www.nessus.org/u?e2628096

Solution :

Enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on the 'Remote' tab of the 'System' settings on Windows.

CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


--
E. Todd Atkins
Office of Information Technology
University of California, Santa Barbara

**********************************************************************
The NOC's list of network contacts is used to determine who should receive email such as this.  Please direct any requests for changes to this list of network contacts to noc at ucsb.edu.
********************************************************************** 




