
Vulnerabilities found by Nessus



Hi everybody!

Now, I have finally configured all the security features that I wanted, 
so last night, I launched a full Nessus attack against my server, 
hammering on it with the possibly harmful plugins too. It survived 
that, but it also reports two vulnerabilities on the port 25. I've got 
Exim running there. 

I was careless when I upgraded to Woody, so I managed to upgrade to 
testing instead this summer... And I haven't been able to downgrade 
(hints are welcome! :-) ), but I do not have any testing or unstable 
sources in my sources.list right now. Anyway, the Exim version is 
3.35-1.

Well, this is what Nessus said:
--------- nessus report -----------------

 . Vulnerability found on port smtp (25/tcp) :


    There is a buffer overflow
    when this MTA is issued a 'HELO' command
    with an overly long argument.

    This problem may allow an attacker to
    execute arbitrary code on this computer,
    or to disable your ability to send or
    receive emails.

    Solution : contact your vendor for a
    patch.

    Risk factor : High
    CVE : CAN-1999-0284

 . Vulnerability found on port smtp (25/tcp) :



    It was possible to crash the remote SMTP server
    by opening a great amount of sockets on it.


    This problem allows crackers to make your
    SMTP server crash, thus preventing you
    from sending or receiving e-mails, which
    will affect your work.

    Solution :
    If your SMTP server is constrained to a maximum
    number of processes, i.e. it's not running as
    root and has a ulimit 'max user processes' of
    256, you may consider upping the limit with 'ulimit -u'.

    If your server has the ability to protect itself from
    SYN floods, you should turn on that feature, i.e. Linux's
    CONFIG_SYN_COOKIES

    The best solution may be cisco's 'TCP intercept' feature.


    Risk factor : Serious
    CVE : CAN-1999-0846
----------- end nessus report -------------

Well, I don't know if I should be alarmed, I guess the whole reason for 
running nessus is to be alarmed, so I am... :-) And it seems it found 
these holes to be real (as opposed to a Qpopper hole it also reported, 
but that was based on the version number only, and I guess the patch 
there has been backported), so I'm seeking advice on what to do with 
this.... 

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/
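A way to re-test the first finding by hand rather than trusting a scanner verdict, as an added example that is not part of the mail above or of Nessus: the probe sends a HELO whose argument is far longer than any hostname, then a NOOP, and reports whether the server answered sanely and stayed up. The 4096-byte argument length is an assumption, and the toy server (with its assumed 256-byte limit) is constructed here only so the probe can be exercised offline; `probe_host()` runs the same check against a real port 25.

```python
"""Re-test the Nessus 'long HELO' finding by hand.

Added example, not code from the original mail or from Nessus. The probe
sends a HELO whose argument is far longer than a hostname, then a NOOP: a
server that copes answers the HELO with 250 or 501 and the NOOP with 250.
A server that crashes drops the connection, which shows up as alive=False.
"""
import socket
import threading

HELO_ARG_LEN = 4096   # assumption: long enough to exceed any fixed hostname buffer


def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line); return (code, full text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[3] == " ":     # "250 text" ends the reply
            return int(line[:3]), "\n".join(lines)
        if len(line) < 4 or line[3] != "-":       # "250-text" continues it
            raise ValueError("malformed SMTP reply: %r" % line)


def probe_long_helo(sock, arg_len=HELO_ARG_LEN):
    """Send an oversized HELO then NOOP on an open socket; report what happened."""
    rfile = sock.makefile("rb")
    result = {"banner": None, "helo_code": None, "noop_code": None, "alive": False}
    try:
        code, banner = read_reply(rfile)
        result["banner"] = banner
        if code != 220:
            return result
        sock.sendall(b"HELO " + b"A" * arg_len + b"\r\n")
        result["helo_code"], _ = read_reply(rfile)
        sock.sendall(b"NOOP\r\n")
        result["noop_code"], _ = read_reply(rfile)
        result["alive"] = result["noop_code"] == 250
        sock.sendall(b"QUIT\r\n")
        read_reply(rfile)
    except (ConnectionError, ValueError, OSError):
        pass   # connection died: helo_code/noop_code stay None, alive stays False
    finally:
        rfile.close()
    return result


def probe_host(host, port=25, timeout=10.0):
    """Run the probe against a real server, e.g. probe_host('localhost')."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_long_helo(sock)


def toy_smtp_server(conn, max_helo, crash_on_long):
    """Constructed toy server for offline use: rejects HELO arguments longer
    than max_helo with 501, or (crash_on_long) drops the connection instead,
    imitating a daemon that died on the oversized argument."""
    rfile = conn.makefile("rb")
    conn.sendall(b"220 toy.example ESMTP\r\n")
    while True:
        line = rfile.readline()
        if not line:
            break
        verb = line.split(b" ", 1)[0].strip().upper()
        if verb == b"HELO":
            if len(line[5:].strip()) > max_helo:
                if crash_on_long:
                    break
                conn.sendall(b"501 HELO argument too long\r\n")
            else:
                conn.sendall(b"250 toy.example Hello\r\n")
        elif verb == b"NOOP":
            conn.sendall(b"250 OK\r\n")
        elif verb == b"QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            conn.sendall(b"500 command not recognised\r\n")
    rfile.close()   # close the file wrapper first so close() really releases the fd
    conn.close()


def probe_toy_server(max_helo=256, crash_on_long=False, arg_len=HELO_ARG_LEN):
    """Run the probe against the toy server over a socketpair (no network needed)."""
    client, server = socket.socketpair()
    threading.Thread(target=toy_smtp_server, args=(server, max_helo, crash_on_long),
                     daemon=True).start()
    with client:
        return probe_long_helo(client, arg_len)


if __name__ == "__main__":
    print("well-behaved server:", probe_toy_server())
    print("crashing server:    ", probe_toy_server(crash_on_long=True))
```

A helo_code of 250 or 501 together with alive=True means the daemon handled the oversized argument; helo_code None with alive=False means the connection was dropped mid-command, which is the symptom a scanner reports as a crash. Run it against a test instance, not the production MTA, since the point is to provoke the failure.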


