[4eyes] FW: [COE #60209] [UCSB-OIT #626428] Vulnerabilities Found on 128.111.28.116
Matthew Turk
mturk at cs.ucsb.edu
Thu Jun 26 23:33:53 PDT 2014
Here is the second vulnerability notice....
-----Original Message-----
From: Tier II Support Issues via CoE Support [mailto:help at engineering.ucsb.edu]
Sent: Wednesday, June 25, 2014 8:10 PM
To: holl at cs.ucsb.edu; mturk at cs.ucsb.edu
Subject: [COE #60209] [UCSB-OIT #626428] Vulnerabilities Found on 128.111.28.116
The following reply has been made regarding CoE Support ticket #60209:
Please forward this one as well.
Thanks,
Jeff
On Wed Jun 25 12:09:18 2014, vsc at oit.ucsb.edu wrote:
> Greetings:
>
> Our vulnerability scanner has found a potentially vulnerable host on
> your network. You should consider taking the recommended actions
> mentioned in this report in order to reduce the chances of this host
> being abused by an attacker. If you believe any part of this report to
> be incorrect, please let us know so that we can work to improve our
> reporting accuracy.
>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Here is information about potential vulnerabilities that were found:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP : 128.111.28.116
> Name : ilab-116.cs.ucsb.edu
> Scan Time : Tue Jun 24 14:03:35 2014
> Service : http (80/tcp)
> Script ID : 10677
> Synopsis :
>
> The remote web server discloses information about its status.
>
> Description :
>
> It is possible to obtain an overview of the remote Apache web
> server's activity and performance by requesting the URL
> '/server-status'. This overview includes information such
> as current hosts and requests being processed, the number of workers
> idle and service requests, and CPU utilization.
>
> Solution :
>
> If required, update Apache's configuration file(s) to either
> disable mod_status or ensure that access is limited to valid users /
> hosts.
>
> CVSS Base Score : 5.0
> (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
>
> Other references : OSVDB:561
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP : 128.111.28.116
> Name : ilab-116.cs.ucsb.edu
> Scan Time : Tue Jun 24 14:03:35 2014
> Service : https (443/tcp)
> Script ID : 74326
> Synopsis :
>
> The remote host is affected by a vulnerability that could allow
> sensitive data to be decrypted.
>
> Description :
>
> The OpenSSL service on the remote host is vulnerable to a
> man-in-the-middle (MiTM) attack, based on its response to two
> consecutive 'ChangeCipherSpec' messages during the incorrect
> phase of an SSL/TLS handshake.
>
> This flaw could allow a MiTM attacker to decrypt or forge SSL messages
> by telling the service to begin encrypted communications before key
> material has been exchanged, which causes predictable keys to be used
> to secure future traffic.
>
> Note that Nessus has only tested for an SSL/TLS MiTM vulnerability
> (CVE-2014-0224). However, Nessus has inferred that the OpenSSL service
> on the remote host is also affected by six additional vulnerabilities
> that were disclosed in OpenSSL's June 5th, 2014 security advisory:
>
> - An error exists in the function 'ssl3_read_bytes' that
> could allow data to be injected into other sessions or allow denial of
> service attacks. Note this issue is only exploitable if
> 'SSL_MODE_RELEASE_BUFFERS' is enabled. (CVE-2010-5298)
>
> - An error exists related to the implementation of the Elliptic Curve
> Digital Signature Algorithm (ECDSA) that could allow nonce disclosure
> via the 'FLUSH+RELOAD' cache side-channel attack.
> (CVE-2014-0076)
>
> - A buffer overflow error exists related to invalid DTLS fragment
> handling that could lead to execution of arbitrary code. Note this
> issue only affects OpenSSL when used as a DTLS client or server.
> (CVE-2014-0195)
>
> - An error exists in the function 'do_ssl3_write' that could
> allow a null pointer to be dereferenced leading to denial of service
> attacks. Note this issue is exploitable only if
> 'SSL_MODE_RELEASE_BUFFERS' is enabled. (CVE-2014-0198)
>
> - An error exists related to DTLS handshake handling that could lead
> to denial of service attacks. Note this issue only affects OpenSSL
> when used as a DTLS client.
> (CVE-2014-0221)
>
> - An unspecified error exists related to anonymous ECDH ciphersuites
> that could allow denial of service attacks. Note this issue only
> affects OpenSSL TLS clients. (CVE-2014-3470)
>
> OpenSSL did not release individual patches for these vulnerabilities,
> instead they were all patched under a single version release. Note
> that the service will remain vulnerable after patching until the
> service or host is restarted.
>
> See also :
>
> http://www.nessus.org/u?d5709faa
> https://www.imperialviolet.org/2014/06/05/earlyccs.html
> https://www.openssl.org/news/secadv_20140605.txt
>
> Solution :
>
> OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to
> 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/or server) should
> upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server)
> should upgrade to 1.0.1h.
>
> CVSS Base Score : 9.3
> (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
> CVSS Temporal Score : 8.1
> (CVSS2#E:ND/RL:OF/RC:C)
> Public Exploit Available : true
>
> Plugin output :
>
> The remote service accepted an SSL ChangeCipherSpec message at an
> incorrect point in the handshake leading to weak keys being used, and
> then attempted to decrypt an SSL record using those weak keys.
>
> CVE : CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198,
> CVE-2014-0221, CVE-2014-0224, CVE-2014-3470
> BID : 66363, 66801, 67193, 67898, 67899, 67900, 67901
> Other references : OSVDB:104810, OSVDB:105763, OSVDB:106531,
> OSVDB:107729, OSVDB:107730, OSVDB:107731, OSVDB:107732, CERT:978508,
> IAVA:2014-A-0083
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP : 128.111.28.116
> Name : ilab-116.cs.ucsb.edu
> Scan Time : Tue Jun 24 14:03:35 2014
> Service : mdns (5353/udp)
> Script ID : 12218
> Synopsis :
>
> It is possible to obtain information about the remote host.
>
> Description :
>
> The remote service understands the Bonjour (also known as ZeroConf or
> mDNS) protocol, which allows anyone to uncover information from the
> remote host such as its operating system type and exact version, its
> hostname, and the list of services it is running.
>
> This plugin attempts to discover mDNS used by hosts that are not on
> the network segment on which Nessus resides.
>
> Solution :
>
> Filter incoming traffic to UDP port 5353, if desired.
>
> CVSS Base Score : 5.0
> (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
>
> Plugin output :
>
> Nessus was able to extract the following information :
>
> - mDNS hostname : 128.local.
>
> - Advertised services :
> o Service name : 128 [00:21:9b:05:e7:48]._workstation._tcp.local.
> Port number : 9
> o Service name : 128._udisks-ssh._tcp.local.
> Port number : 22
>
> - CPU type : I686
> - OS : LINUX
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>