From nobody Tue Nov  1 17:41:10 2011
Received: from rt.engr.ucsb.edu (rt.engr.ucsb.edu [128.111.27.55])
	by letters.cs.ucsb.edu (8.14.4/8.14.4) with ESMTP id pA1Le8kt030048
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL);
	Tue, 1 Nov 2011 14:40:10 -0700
Received: from rt.engr.ucsb.edu (localhost [127.0.0.1])
	by rt.engr.ucsb.edu (8.14.4/8.14.4) with ESMTP id pA1Le6Zo013964
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Tue, 1 Nov 2011 14:40:07 -0700
Received: (from apache@localhost)
	by rt.engr.ucsb.edu (8.14.4/8.14.4/Submit) id pA1Le6Cs013963;
	Tue, 1 Nov 2011 14:40:06 -0700
From: <help@engineering.ucsb.edu>
To: <mturk@cs.ucsb.edu>,
	<holl@cs.ucsb.edu>
Subject: Fwd: [COE #40748] [UCSB-OIT #323763] Vulnerabilities Found on
	128.111.28.104
Date: Tue, 1 Nov 2011 14:40:06 -0700
Message-ID: <201111012140.pA1Le6Cs013963@rt.engr.ucsb.edu>
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0058_01CC98BD.72D95B70"
X-Mailer: MIME-tools 5.428 (Entity 5.428)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on stamps.cs.ucsb.edu
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=none
	shortcircuit=no	autolearn=unavailable version=3.3.2
Thread-Index: AcyY3tReE5XJ/OPkSuiTyouYKD4PSw==

This is a multi-part message in MIME format.

------=_NextPart_000_0058_01CC98BD.72D95B70
Content-Type: text/plain;
	boundary="----------=_1320183606-11237-1";
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

This is a forward of transaction #535854 of ticket #40748

------=_NextPart_000_0058_01CC98BD.72D95B70
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment

Received: from oit.ucsb.edu ([128.111.12.3]) by ucsb.edu with esmtps
 TLSv1:AES256-SHA:256 id 1RLKwn-000GGT-Oh for support@cs.ucsb.edu; Tue,
 01 Nov 2011 13:28:37 -0700
Received: from ucsb.edu (ucsb.edu [128.111.24.40]) by letters.cs.ucsb.edu
 (8.14.4/8.14.4) with ESMTP id pA1KSbxH025126 (version=TLSv1/SSLv3
 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <support@cs.ucsb.edu>;
 Tue, 1 Nov 2011 13:28:39 -0700
Received: from www-data by rt.oit.ucsb.edu with local (Exim 4.71)
 (envelope-from <www-data@rt.oit.ucsb.edu>) id 1RLKwj-00047q-HM for
 support@cs.ucsb.edu; Tue, 01 Nov 2011 13:28:33 -0700
Received: from rt.oit.ucsb.edu ([128.111.12.53]) by oit.ucsb.edu with
 esmtpid 1RLKwl-0006ka-Dz for support@cs.ucsb.edu; Tue, 01 Nov 2011
 13:28:37 -0700
Received: from letters.cs.ucsb.edu (letters.cs.ucsb.edu [128.111.41.13])
 by rt.engr.ucsb.edu (8.14.4/8.14.4) with ESMTP id pA1KSe48013572
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for
 <rt@rt.engr.ucsb.edu>; Tue, 1 Nov 2011 13:28:41 -0700
Return-Path: <www-data@rt.oit.ucsb.edu>
Reply-To: <vsc@oit.ucsb.edu>
From: "Todd Atkins via RT" <vsc@oit.ucsb.edu>
To: <support@cs.ucsb.edu>
References: <RT-Ticket-323763@oit.ucsb.edu>
In-Reply-To: 
Subject: [UCSB-OIT #323763] Vulnerabilities Found on 128.111.28.104
Date: Tue, 1 Nov 2011 13:28:33 -0700
Message-ID: <rt-3.8.1-3630-1320179313-1436.323763-6-0@oit.ucsb.edu>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on rt.engr.ucsb.edu
X-Spam-Level: 
X-Spam-Status: No, score=-3.0 required=5.0 tests=AWL,RCVD_IN_DNSWL_MED, RP_MATCHES_RCVD autolearn=ham version=3.3.2
Thread-Index: AcyY1Nfs49vVhlmmRlm6Dtdn3/zhjw==

Greetings:

Our vulnerability scanner has found a potentially vulnerable host on
your network.  You should consider taking the recommended actions
mentioned in this report in order to reduce the chances of this host
being abused by an attacker.  If you believe any part of this report to
be incorrect, please let us know so that we can work to improve our
reporting accuracy.

Here is information about the vulnerabilities that were found:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IP : 128.111.28.104
Scan Time : Fri Oct 28 16:38:29 2011
Service : ms-wbt-server (3389/tcp)
Plugin ID : 18405
Synopsis :

It may be possible to get access to the remote host.

Description :

The remote version of the Remote Desktop Protocol Server (Terminal
Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP
client makes no effort to validate the identity of the server when
setting up encryption. An attacker with the ability to intercept traffic
from the RDP server can establish encryption with the client and server
without being detected. A MiTM attack of this nature would allow the
attacker to obtain any sensitive information transmitted, including
authentication credentials.

This flaw exists because the RDP server stores a hardcoded RSA
private key in the mstlsapi.dll library. Any local user with
access to this file (on any Windows system) can retrieve the
key and use it for this attack.

See also :

http://www.oxid.it/downloads/rdp-gbu.pdf
http://technet.microsoft.com/en-us/library/cc782610.aspx

Solution :

- Force the use of SSL as a transport layer for this service if
supported, and/or
- Select the 'Allow connections only from computers running Remote
Desktop with Network Level Authentication' setting if it is available.

CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 4.6
(CVSS2#E:F/RL:W/RC:ND)
Public Exploit Available : true

CVE : CVE-2005-1794
BID : 13818
Other references : OSVDB:17131
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


-- 
E. Todd Atkins
Office of Information Technology
University of California, Santa Barbara

**********************************************************************
The NOC's list of network contacts is used to determine who should
receive email such as this.  Please direct any requests for changes
to this list of network contacts to noc@ucsb.edu.
**********************************************************************


------=_NextPart_000_0058_01CC98BD.72D95B70--