From: <help@engineering.ucsb.edu>
To: <mturk@cs.ucsb.edu>, <holl@cs.ucsb.edu>
Subject: Fwd: [COE #40749] [UCSB-OIT #323767] Vulnerabilities Found on 128.111.28.111
Date: Tue, 1 Nov 2011 14:39:02 -0700
Message-ID: <201111012139.pA1Ld28K013943@rt.engr.ucsb.edu>

This is a forward of ticket #40749

Greetings:

Our vulnerability scanner has found a potentially vulnerable host on
your network.  You should consider taking the recommended actions
mentioned in this report in order to reduce the chances of this host
being abused by an attacker.  If you believe any part of this report to
be incorrect, please let us know so that we can work to improve our
reporting accuracy.

Here is information about the vulnerabilities that were found:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IP : 128.111.28.111
Scan Time : Fri Oct 28 16:38:29 2011
Service : ms-wbt-server (3389/tcp)
Plugin ID : 18405
Synopsis :

It may be possible to get access to the remote host.

Description :

The remote version of the Remote Desktop Protocol Server (Terminal
Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client
makes no effort to validate the identity of the server when setting
up encryption. An attacker with the ability to intercept traffic
from the RDP server can establish encryption with the client and server
without being detected. A MiTM attack of this nature would allow the
attacker to obtain any sensitive information transmitted, including
authentication credentials.

This flaw exists because the RDP server stores a hardcoded RSA
private key in the mstlsapi.dll library. Any local user with
access to this file (on any Windows system) can retrieve the
key and use it for this attack.

See also :

http://www.oxid.it/downloads/rdp-gbu.pdf
http://technet.microsoft.com/en-us/library/cc782610.aspx

Solution :

- Force the use of SSL as a transport layer for this service if
supported, or/and
- Select the 'Allow connections only from computers running Remote
Desktop with Network Level Authentication' setting if it is available.

CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 4.6
(CVSS2#E:F/RL:W/RC:ND)
Public Exploit Available : true

CVE : CVE-2005-1794
BID : 13818
Other references : OSVDB:17131
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


-- 
E. Todd Atkins
Office of Information Technology
University of California, Santa Barbara

**********************************************************************
The NOC's list of network contacts is used to determine who should
receive email such as this.  Please direct any requests for changes
to this list of network contacts to noc@ucsb.edu.
**********************************************************************
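As an added example (not part of the ticket or of the scanner's own code), the script below checks whether the two remediations in the report took effect on a host you administer: it sends the X.224 Connection Request with an RDP_NEG_REQ offering TLS and NLA, then reads which security layer the server selected in its Connection Confirm. A legacy reply with no negotiation data, or a failure saying SSL is not allowed, means the host is still on Standard RDP Security (the hardcoded-key scheme the report describes). The sample reply PDUs are constructed, and the host/port arguments of probe() are assumptions.

```python
import socket
import struct

# Protocol flags from RDP_NEG_REQ / RDP_NEG_RSP (MS-RDPBCGR 2.2.1.1.1 and 2.2.1.2.1).
PROTOCOL_RDP = 0x0     # "Standard RDP Security": the hardcoded-key scheme the report describes
PROTOCOL_SSL = 0x1     # TLS transport, the report's first remediation
PROTOCOL_HYBRID = 0x2  # CredSSP, i.e. Network Level Authentication, the second remediation

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2).
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

def build_connection_request(requested: int) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ for `requested` protocols."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)       # type, flags, length, requestedProtocols
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0)  # LI, CR code, dst-ref, src-ref, class
    return struct.pack(">BBH", 3, 0, 4 + len(x224) + len(neg_req)) + x224 + neg_req

def classify_connection_confirm(pdu: bytes) -> str:
    """Name the security layer the server chose in its X.224 Connection Confirm."""
    if len(pdu) < 11 or pdu[0] != 3 or pdu[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if len(pdu) < 19:
        # No rdpNegData at all: a pre-negotiation server that only speaks Standard RDP Security.
        return "STANDARD_RDP_SECURITY"
    neg_type, _flags, length, value = struct.unpack_from("<BBHI", pdu, 11)
    if length != 8:
        raise ValueError("bad RDP negotiation structure length")
    if neg_type == 0x03:                                   # RDP_NEG_FAILURE
        return "FAILURE:" + FAILURE_CODES.get(value, f"UNKNOWN_{value}")
    if neg_type != 0x02:                                   # anything but RDP_NEG_RSP
        raise ValueError(f"unexpected negotiation type {neg_type:#x}")
    return {PROTOCOL_HYBRID: "NLA_CREDSSP", PROTOCOL_SSL: "TLS",
            PROTOCOL_RDP: "STANDARD_RDP_SECURITY"}.get(value, f"OTHER_{value:#x}")

def probe(host: str, port: int = 3389, timeout: float = 5.0) -> str:
    """Offer TLS and NLA to a server you administer and report which layer it accepts (assumed host/port)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL | PROTOCOL_HYBRID))
        return classify_connection_confirm(sock.recv(1024))

# Constructed sample Connection Confirm PDUs (not captured from the host in the report).
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                  # CC without rdpNegData
SAMPLE_NLA = bytes.fromhex("030000130ed000001234000200080002000000")     # RDP_NEG_RSP, PROTOCOL_HYBRID
SAMPLE_TLS = bytes.fromhex("030000130ed000001234000200080001000000")     # RDP_NEG_RSP, PROTOCOL_SSL
SAMPLE_NO_TLS = bytes.fromhex("030000130ed000001234000300080002000000")  # RDP_NEG_FAILURE, code 2
```

Running classify_connection_confirm() over the four samples yields STANDARD_RDP_SECURITY, NLA_CREDSSP, TLS and FAILURE:SSL_NOT_ALLOWED_BY_SERVER respectively; only the middle two indicate the remediation is in place.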

