[4eyes] FW: [COE #60207] [UCSB-OIT #626410] Vulnerabilities Found on 128.111.28.119

Matthew Turk mturk at cs.ucsb.edu
Thu Jun 26 23:33:53 PDT 2014


Two vulnerabilities have been found in ilab machines - below is #1, and I'll forward #2 next. Will people in the lab please check on these and let Tobias and me know the outcome?

Thanks,
	Matthew

-----Original Message-----
From: Tier II Support Issues via CoE Support [mailto:help at engineering.ucsb.edu] 
Sent: Wednesday, June 25, 2014 8:09 PM
To: holl at cs.ucsb.edu; mturk at cs.ucsb.edu
Subject: [COE #60207] [UCSB-OIT #626410] Vulnerabilities Found on 128.111.28.119

The following reply has been made regarding CoE Support ticket #60207:

Hi Matthew and Tobias,

please forward to your students and let us know when the problem has been resolved.

Thanks,

Jeff


On Wed Jun 25 11:18:25 2014, vsc at oit.ucsb.edu wrote:
> Greetings:
>
> Our vulnerability scanner has found a potentially vulnerable host on 
> your network. You should consider taking the recommended actions 
> mentioned in this report in order to reduce the chances of this host 
> being abused by an attacker. If you believe any part of this report to 
> be incorrect, please let us know so that we can work to improve our 
> reporting accuracy.
>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Here is information about potential vulnerabilities that were found:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP : 128.111.28.119
> Name : ilab-119.cs.ucsb.edu
> Scan Time : Tue Jun 24 14:03:35 2014
> Service : general (0/tcp)
> Script ID : 33850
> Synopsis :
>
> The remote host is running an obsolete operating system.
>
> Description :
>
> According to its version, the remote Unix operating system is obsolete 
> and is no longer maintained by its vendor or provider.
>
> Lack of support implies that no new security patches will be released 
> for it.
>
> Solution :
>
> Upgrade to a newer version.
>
> CVSS Base Score : 10.0
> (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
>
> Plugin output :
>
> Ubuntu 12.10 support ended on 2014-05-16.
> Upgrade to Ubuntu 14.04.
>
> For more information, see : https://wiki.ubuntu.com/Releases
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP : 128.111.28.119
> Name : ilab-119.cs.ucsb.edu
> Scan Time : Tue Jun 24 14:03:35 2014
> Service : http-alt (8080/tcp)
> Script ID : 70414
> Synopsis :
>
> The remote web server is affected by a remote code execution 
> vulnerability.
>
> Description :
>
> The 'EJBInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the
> web server on the remote host are accessible to unauthenticated users
> and can be used to deploy arbitrary web application archive (WAR)
> files to the remote host. This could allow a remote, unauthenticated
> attacker to execute arbitrary Java code on the host by sending a
> specially crafted marshalled object.
>
> Note that this issue is known to affect McAfee Web Reporter versions 
> prior to or equal to version 5.2.1 as well as Symantec Workspace 
> Streaming version 7.5.0.493 and possibly earlier.
>
> See also :
>
> http://www.nessus.org/u?74979c27
> http://zerodayinitiative.com/advisories/ZDI-13-229/
> http://retrogod.altervista.org/9sg_ejb.html
> http://seclists.org/bugtraq/2013/Oct/126
> http://www.securityfocus.com/archive/1/530241/30/0/threaded
> http://seclists.org/bugtraq/2013/Dec/att-133/ESA-2013-094.txt
>
> Solution :
>
> If using EMC Data Protection Advisor, either upgrade to version 6.x or 
> apply the workaround for 5.x.
>
> Otherwise, contact the vendor or remove any affected JBoss servlets.
>
> CVSS Base Score : 10.0
> (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
> CVSS Temporal Score : 10.0
> (CVSS2#E:ND/RL:U/RC:ND)
> Public Exploit Available : true
>
> Plugin output :
>
> Nessus was able to verify the issue exists using the following URLs :
>
> http://ilab-119.cs.ucsb.edu:8080/invoker/EJBInvokerServlet
> http://ilab-119.cs.ucsb.edu:8080/invoker/JMXInvokerServlet
>
> CVE : CVE-2012-0874, CVE-2013-4810
> BID : 57552, 62854
> Other references : OSVDB:100829, OSVDB:89583, OSVDB:97153, 
> OSVDB:98979, EDB-ID:28713, EDB-ID:30211
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP : 128.111.28.119
> Name : ilab-119.cs.ucsb.edu
> Scan Time : Tue Jun 24 14:03:35 2014
> Service : http (80/tcp)
> Script ID : 10677
> Synopsis :
>
> The remote web server discloses information about its status.
>
> Description :
>
> It is possible to obtain an overview of the remote Apache web 
> server's activity and performance by requesting the URL 
> '/server-status'. This overview includes information such 
> as current hosts and requests being processed, the number of workers 
> idle and service requests, and CPU utilization.
>
> Solution :
>
> If required, update Apache's configuration file(s) to either 
> disable mod_status or ensure that access is limited to valid users / 
> hosts.
>
> CVSS Base Score : 5.0
> (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
>
> Other references : OSVDB:561
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP : 128.111.28.119
> Name : ilab-119.cs.ucsb.edu
> Scan Time : Tue Jun 24 14:03:35 2014
> Service : https (443/tcp)
> Script ID : 74326
> Synopsis :
>
> The remote host is affected by a vulnerability that could allow 
> sensitive data to be decrypted.
>
> Description :
>
> The OpenSSL service on the remote host is vulnerable to a 
> man-in-the-middle (MiTM) attack, based on its response to two 
> consecutive 'ChangeCipherSpec' messages during the incorrect 
> phase of an SSL/TLS handshake.
>
> This flaw could allow a MiTM attacker to decrypt or forge SSL messages 
> by telling the service to begin encrypted communications before key 
> material has been exchanged, which causes predictable keys to be used 
> to secure future traffic.
>
> Note that Nessus has only tested for an SSL/TLS MiTM vulnerability 
> (CVE-2014-0224). However, Nessus has inferred that the OpenSSL service 
> on the remote host is also affected by six additional vulnerabilities 
> that were disclosed in OpenSSL's June 5th, 2014 security advisory:
>
> - An error exists in the function 'ssl3_read_bytes' that 
> could allow data to be injected into other sessions or allow denial of 
> service attacks. Note this issue is only exploitable if 
> 'SSL_MODE_RELEASE_BUFFERS' is enabled. (CVE-2010-5298)
>
> - An error exists related to the implementation of the Elliptic Curve 
> Digital Signature Algorithm (ECDSA) that could allow nonce disclosure 
> via the 'FLUSH+RELOAD' cache side-channel attack. 
> (CVE-2014-0076)
>
> - A buffer overflow error exists related to invalid DTLS fragment 
> handling that could lead to execution of arbitrary code. Note this 
> issue only affects OpenSSL when used as a DTLS client or server. 
> (CVE-2014-0195)
>
> - An error exists in the function 'do_ssl3_write' that could 
> allow a null pointer to be dereferenced leading to denial of service 
> attacks. Note this issue is exploitable only if 
> 'SSL_MODE_RELEASE_BUFFERS' is enabled. (CVE-2014-0198)
>
> - An error exists related to DTLS handshake handling that could lead 
> to denial of service attacks. Note this issue only affects OpenSSL 
> when used as a DTLS client. (CVE-2014-0221)
>
> - An unspecified error exists related to anonymous ECDH ciphersuites 
> that could allow denial of service attacks. Note this issue only 
> affects OpenSSL TLS clients. (CVE-2014-3470)
>
> OpenSSL did not release individual patches for these vulnerabilities, 
> instead they were all patched under a single version release. Note 
> that the service will remain vulnerable after patching until the 
> service or host is restarted.
>
> See also :
>
> http://www.nessus.org/u?d5709faa
> https://www.imperialviolet.org/2014/06/05/earlyccs.html
> https://www.openssl.org/news/secadv_20140605.txt
>
> Solution :
>
> OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 
> 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/or server) should 
> upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) 
> should upgrade to 1.0.1h.
>
> CVSS Base Score : 9.3
> (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
> CVSS Temporal Score : 8.1
> (CVSS2#E:ND/RL:OF/RC:C)
> Public Exploit Available : true
>
> Plugin output :
>
> The remote service accepted an SSL ChangeCipherSpec message at an 
> incorrect point in the handshake leading to weak keys being used, and 
> then attempted to decrypt an SSL record using those weak keys.
>
> CVE : CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198,
> CVE-2014-0221, CVE-2014-0224, CVE-2014-3470
> BID : 66363, 66801, 67193, 67898, 67899, 67900, 67901
> Other references : OSVDB:104810, OSVDB:105763, OSVDB:106531,
> OSVDB:107729, OSVDB:107730, OSVDB:107731, OSVDB:107732, CERT:978508,
> IAVA:2014-A-0083
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP : 128.111.28.119
> Name : ilab-119.cs.ucsb.edu
> Scan Time : Tue Jun 24 14:03:35 2014
> Service : mdns (5353/udp)
> Script ID : 12218
> Synopsis :
>
> It is possible to obtain information about the remote host.
>
> Description :
>
> The remote service understands the Bonjour (also known as ZeroConf or
> mDNS) protocol, which allows anyone to uncover information from the 
> remote host such as its operating system type and exact version, its 
> hostname, and the list of services it is running.
>
> This plugin attempts to discover mDNS used by hosts that are not on 
> the network segment on which Nessus resides.
>
> Solution :
>
> Filter incoming traffic to UDP port 5353, if desired.
>
> CVSS Base Score : 5.0
> (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
>
> Plugin output :
>
> Nessus was able to extract the following information :
>
> - mDNS hostname : ajax.local.
>
> - Advertised services :
> o Service name : ajax [00:25:90:27:75:b0]._workstation._tcp.local.
> Port number : 9
> o Service name : ajax._udisks-ssh._tcp.local.
> Port number : 22
>
> - CPU type : X86_64
> - OS : LINUX
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>




