
Nessus and Woody beta



Hi,

I've upgraded my test of woody (ppc) to the 2.4 kernel to be able to
use iptables and to get more acquainted with Debian.  After the upgrade I
ran nessus against the new set up and found the only two questionable
items[1].

First was the use of non-random IP IDs:

         The remote host uses non-random IP IDs, that is, it is
         possible to predict the next value of the ip_id field of
         the ip packets sent by this host.

Is this something that can be fixed in the distro?  Here's the package
info for the kernel:

	ii kernel-image-2 2.4.18-1 Linux kernel binary image.
	ii pciutils 2.1.9-4 Linux PCI Utilities (for 2.[1234].x kernels)

Granted, Nessus gives it low priority, but Kevin Mitnick was quite proud
of being able to exploit this weakness.


Second, the remote host answers to ICMP timestamp requests.  If
iptables or ipchains comes with a sample filter, then perhaps it could
come with a chain/rule/comment to address this.

-Lars



-- 
Lars Noodén
Lektor
Institutt for dokumentasjonsvitenskap
HUM-FAK, Universitetet i Tromsø
Breivika, N-9037 Tromsoe, Norway

[1] Only one caused by the distro.  I accidentally added a few because of
local customizations.
  <results>
   <result>
    <host>
     <name>129.242.xx.xx</name>
     <ip>ip of 129.242.xx.xx</ip>
    </host>
    <date>
    <start>Fri Apr 19 14:25:42 2002</start>
    <end>Fri Apr 19 14:33:13 2002</end>
    </date>
     <ports>
      <name>ntp</name>
      <number>123</number>
      <proto>udp</proto>
     </ports>
      <port>
       <information>
        <severity>Security Warning</severity>
        <id>10647</id>
        <data>

         
         An NTP server is running on the remote host. Make sure that
         you are running the latest version of your NTP server,
         has some versions have been found out to be vulnerable to
         buffer overflows.
         
         *** Nessus reports this vulnerability using only
         *** information that was gathered. Use caution
         *** when testing without safe checks enabled.
         
         If you happen to be vulnerable : upgrade
         Solution : Upgrade
         Risk factor : High
         CVE : CVE-2001-0414
         
        </data>
       </information>
      </port>
     </ports>
     <ports>
      <name>general/udp</name>
      <number>0</number>
      <proto>udp</proto>
     </ports>
      <port>
       <information>
        <severity>Security Note</severity>
        <id>10287</id>
        <data>

         For your information, here is the traceroute to 129.242.xx.xx : 
         129.242.xx.xx
         
        </data>
       </information>
      </port>
     </ports>
     <ports>
      <name>general/tcp</name>
      <number>0</number>
      <proto>tcp</proto>
     </ports>
      <port>
       <information>
        <severity>Security Note</severity>
        <id>10271</id>
        <data>

         The plugin stream.nasl was too slow to finish - the server killed it
         
        </data>
       </information>
      </port>
      <port>
       <information>
        <severity>Security Warning</severity>
        <id>10201</id>
        <data>

         
         The remote host uses non-random IP IDs, that is, it is
         possible to predict the next value of the ip_id field of
         the ip packets sent by this host.
         
         An attacker may use this feature to determine if the remote
         host sent a packet in reply to another request. This may be
         used for portscanning and other things.
         
         Solution : Contact your vendor for a patch
         Risk factor : Low
        </data>
       </information>
      </port>
     </ports>
     <ports>
      <name>general/icmp</name>
      <number>0</number>
      <proto>icmp</proto>
     </ports>
      <port>
       <information>
        <severity>Security Warning</severity>
        <id>10114</id>
        <data>

         
         The remote host answers to an ICMP timestamp
         request. This allows an attacker to know the
         date which is set on your machine. 
         
         This may help him to defeat all your 
         time based authentifications protocols.
         
         Solution : filter out the icmp timestamp
         requests (13), and the outgoing icmp 
         timestamp replies (14).
         
         Risk factor : Low
         CVE : CAN-1999-0524
         
        </data>
       </information>
      </port>
     </ports>
   </result>
  </results>

 </scan>
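The IP ID finding above (Nessus plugin 10201) comes down to whether consecutive ip_id values a host emits are predictable. As an added example, not part of the original mail or of Nessus, here is a small checker that classifies a sequence of 16-bit ip_id values (as you would read them off your own host's replies with tcpdump) as incremental, constant or random-looking, so the result can be verified before and after a kernel change; the sample sequences are constructed.

```python
"""Classify a host's IP ID (ip_id) generation from an observed sequence.

Added example: given the 16-bit ip_id values seen in successive packets
from one host, decide whether they are incremental (predictable, what
Nessus 10201 warns about), constant, or random-looking.
"""
from collections import Counter

IPID_MOD = 1 << 16  # ip_id is a 16-bit field, so deltas wrap at 65536


def ipid_deltas(ids):
    """Differences between consecutive ip_id values, modulo 2^16."""
    return [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]


def classify_ipid(ids, min_samples=8):
    """Return 'incremental', 'constant', 'random-looking' or 'insufficient'."""
    if len(ids) < min_samples:
        return "insufficient"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    # Incremental when one small positive step dominates: +1 per packet,
    # or +256 for stacks that write ip_id in host byte order.
    step, count = Counter(deltas).most_common(1)[0]
    if 0 < step <= 256 and count >= 0.8 * len(deltas):
        return "incremental"
    return "random-looking"


# Constructed samples standing in for values captured from a real host.
SEQUENTIAL_SAMPLE = [(65530 + i) % IPID_MOD for i in range(12)]  # wraps past 65535
RANDOM_SAMPLE = [0x3A7F, 0x91C2, 0x0E55, 0xC4D8, 0x5B13,
                 0xF0A6, 0x2299, 0x7D41, 0xB6EE, 0x1C0B]
CONSTANT_SAMPLE = [0] * 10

if __name__ == "__main__":
    for label, sample in (("sequential", SEQUENTIAL_SAMPLE),
                          ("random", RANDOM_SAMPLE),
                          ("constant", CONSTANT_SAMPLE)):
        print(f"{label:>10}: {classify_ipid(sample)}")
```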
