Nessus Introduction and Report Analysis. Presenter: 呂芳發. Computer Center, National Central University.

Posted on 22-Dec-2015

TRANSCRIPT

Page 1: Nessus Introduction and Report Analysis. Presenter: 呂芳發. Computer Center, National Central University. Outline: Nessus introduction; report analysis; risk scoring standards and related databases; case studies

Nessus Introduction and Report Analysis
Presenter: 呂芳發

Page 2

Computer Center, National Central University.

Outline

Nessus introduction
Report analysis
Risk scoring standards and related databases
Case studies

Page 3

System vulnerability scanning

Operating systems and application software on the network contain many vulnerabilities.
Use a tool to discover the weaknesses of a system.
Fix those weaknesses to keep the system secure.

Page 4

Main features of Nessus

R. Deraison started a project named Nessus; with the help of many enthusiasts and revisions discussed in the online community, it was first released in April 1998.

Nessus is a host security auditing scanner that is free to download, powerful, complete in architecture, rapidly updated and quite easy to use.

Its purpose is to help system administrators find the weak points of their hosts, so that they can correct or protect against those faults and avoid being attacked by intruders.

The extensibility of Nessus gives scanning room to grow, because detection modes that were not there originally can be added freely. Plugins are the description of, and the audit check for, each security vulnerability, so adding plugins raises the auditing capability of the software.

Page 5

Main features of Nessus

Plugins: users can modify plugins to suit their needs without touching the core program code.

Frequently updated vulnerability database: the Nessus development and maintenance staff concentrate every day on checking the latest security vulnerabilities.

Supported platforms include Linux, FreeBSD, Solaris, Windows and others.

Page 6

System vulnerability scanning

Tool: Nessus-3.0.6.1 (http://www.nessus.org/)

Page 7

Using Nessus

Page 8

Using Nessus

Page 9

Explanation of Nessus scan results

Scanned address: shows the IP of the host currently being scanned and analysed.

Plugin information: shows the ID of the plugin that reported this weakness; with this ID you can look up a more detailed description of the weakness on the Nessus web site.

Vulnerability: shows the risk level; if the status is "hole", deal with the related security problem immediately.

Description: explains why this weakness arises.

Solution: gives the administrator a fix and recommendations for the weakness above.

Page 10

Nessus Report

Page 11

Nessus Report

A Nessus analysis report contains three security levels:

Notes: from the test result, some system information can be obtained.

Warning: the test result may affect system security.

Hole: the test result seriously affects system security.
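The fields described on the scan-result slide (scanned service and port, plugin ID, risk level, description, solution) are what a report parser has to pull out once a scan returns hundreds of findings. The Python below is an added example written for this page, not code from the deck or from Nessus: it parses findings written in the plain-text layout the report excerpts in this deck use and orders them for remediation. The report text is constructed for the example from those excerpts (the last http entry is made up to carry the vector from the CVSS worked example and deliberately has no Plugin ID line); the severity ranking and the field patterns are my own.

```python
import re
from collections import Counter

# Constructed sample in the plain-text layout of the report excerpts in this deck.
# Entries paraphrase the rtsp, mysql, snmp, ftp and PUT/DELETE findings on the
# slides; the last "http" entry is constructed to carry the vector from the CVSS
# worked example and has no Plugin ID line on purpose.
SAMPLE_REPORT = """\
rtsp (554/tcp)
Synopsis : The remote RTSP (Real Time Streaming Protocol) server is prone to a buffer overflow attack.
Solution : Upgrade to Helix Server / Helix DNA Server version 11.1.4 or later.
Risk Factor : Critical / CVSS Base Score : 10.0(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

mysql (3306/tcp)
Synopsis : An unpassworded database server is listening on the remote port.
Solution : Disable the anonymous account or set a password for the root account.
Risk Factor : High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)

snmp (161/udp)
Synopsis : The community name of the remote SNMP server can be guessed.
Risk Factor : High / CVSS Base Score : 7.5(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin output : The remote SNMP server replies to the following default community strings : private, public, cisco
Plugin ID : 10264

ftp (21/tcp)
Synopsis : You seem to be running an FTP server which is vulnerable.
Risk Factor : High
CVE : CVE-2001-0249, CVE-2001-0550
BID : 2550, 3581
Other references : IAVA:2001-b-0004, OSVDB:686, OSVDB:8681
Plugin ID : 10821

http (80/tcp)
Synopsis : The remote web server allows PUT and/or DELETE method(s).
Risk Factor : High
Plugin ID : 10498

http (80/tcp)
Synopsis : Constructed entry carrying the vector from the CVSS worked example.
Risk Factor : Medium / CVSS Base Score : 5 (AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)
"""

# A finding starts with "service (port/proto)" on a line of its own.
FINDING_RE = re.compile(r"^(?P<service>[\w-]+) \((?P<port>\d+)/(?P<proto>tcp|udp)\)\s*$", re.M)
# "Risk Factor : High" optionally followed by "/ CVSS Base Score : 7.5(vector)".
RISK_RE = re.compile(
    r"Risk Factor\s*:\s*(?P<risk>[A-Za-z]+)"
    r"(?:\s*/\s*CVSS Base Score\s*:\s*(?P<score>\d+(?:\.\d+)?)\s*\((?P<vector>[^)]*)\))?")
SYNOPSIS_RE = re.compile(r"Synopsis\s*:\s*(.+)")
PLUGIN_RE = re.compile(r"Plugin ID\s*:\s*(\d+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
XREF_RE = re.compile(r"\b(IAVA|OSVDB|OWASP):([\w.-]+)")

# Remediation order for the labels used on these slides (my own ranking).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}


def cvss_version(vector):
    """Tell the two vector syntaxes on the slides apart: CVSS2# prefix is v2, a B: (impact bias) metric is v1."""
    if vector is None:
        return None
    if vector.startswith("CVSS2#"):
        return 2
    if vector.startswith("B:") or "/B:" in vector:
        return 1
    return None


def parse_findings(text):
    """Split the report at each 'service (port/proto)' header and pull the fields out of each body."""
    heads = list(FINDING_RE.finditer(text))
    findings = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        risk = RISK_RE.search(body)
        synopsis = SYNOPSIS_RE.search(body)
        plugin = PLUGIN_RE.search(body)
        vector = risk.group("vector") if risk else None
        findings.append({
            "service": head.group("service"),
            "port": int(head.group("port")),
            "proto": head.group("proto"),
            "synopsis": synopsis.group(1).strip() if synopsis else "",
            "risk": risk.group("risk").lower() if risk else "unknown",
            "cvss": float(risk.group("score")) if risk and risk.group("score") else None,
            "vector": vector,
            "cvss_version": cvss_version(vector),
            "cves": sorted(set(CVE_RE.findall(body))),
            "xrefs": [f"{src}:{ref}" for src, ref in XREF_RE.findall(body)],
            "plugin_id": int(plugin.group(1)) if plugin else None,   # None when the report omits it
        })
    return findings


def triage(findings):
    """Remediation order: risk level first, then CVSS score (missing counts as 0), then port."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f["risk"], -1), -(f["cvss"] or 0.0), f["port"]))


def count_by_risk(findings):
    return dict(Counter(f["risk"] for f in findings))


if __name__ == "__main__":
    for f in triage(parse_findings(SAMPLE_REPORT)):
        print(f"{f['risk']:8s} {str(f['cvss']):5s} {f['service']}/{f['port']}/{f['proto']} "
              f"plugin={f['plugin_id']} cves={','.join(f['cves']) or '-'}")
```

A finding without a CVSS score is ranked by its label alone, which is how the ftp entry still lands among the High findings; a scanner export in another layout (NBE or .nessus XML) needs different patterns, but the same field set.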

Page 12

Common Vulnerability Scoring System (CVSS)

Vulnerabilities are an important factor in network security. The Common Vulnerability Scoring System (CVSS) is an open standard, developed by the US National Infrastructure Advisory Council (NIAC), that product vendors can adopt free of charge.

It uses a standard mathematical formula to rate the severity of a threat. The factors taken into account include whether the weakness can be exploited remotely and whether the attacker must log in before the weakness can be exploited.

With this standard, weaknesses can be scored, which helps us decide the order in which to fix them.

Page 13

Common Vulnerability Scoring System (CVSS)

Page 14

Common Vulnerability Scoring System (CVSS)

If a vulnerability can be exploited both remotely and locally, the value used should be the one for remote exploitation.

Access complexity takes the value low / medium / high. (CVSS version 1, whose formula follows on the next slide, only distinguishes high and low; the medium level was added in CVSS version 2.)

Examples of required authentication: an existing e-mail or FTP account is needed in advance.

Page 15

Common Vulnerability Scoring System (CVSS)

CVSS version 1 base formula:

BaseScore = round_to_1_decimal(10 * AccessVector * AccessComplexity * Authentication * ((ConfImpact * ConfImpactBias) + (IntegImpact * IntegImpactBias) + (AvailImpact * AvailImpactBias)))

Page 16

Common Vulnerability Scoring System (CVSS)

Medium / CVSS Base Score : 5 (AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N)

The impact of this vulnerability is medium and its CVSS base score is reported as 5. The per-metric values are:

BASE METRIC              EVALUATION      SCORE
Access Vector            Remote          1.00
Access Complexity        Low             1.00
Authentication           Not Required    1.00
Confidentiality Impact   Partial         0.70
Integrity Impact         Partial         0.70
Availability Impact      None            0.00
Impact Bias              Normal          0.333 (weight applied to each of the three impacts)

BASE FORMULA -> BASE SCORE

round(10 * 1.0 * 1.0 * 1.0 * ((0.7 * 0.333) + (0.7 * 0.333) + (0.0 * 0.333))) = round(4.662) = 4.7

The expression as printed on the original slide was garbled (it showed the availability term as 1.0 * 0.333 and left the impact terms outside the parentheses), but its result, 4.66, matches the correct computation: the availability term is 0.0 * 0.333 because Availability Impact is None, and the three impact terms sit inside the parentheses that are multiplied by 10, as in the formula on Page 15. The product 4.662 rounds to 4.7 at one decimal; the report header shows the whole-number rounding, 5. The MySQL finding later in this deck (C:P/I:P/A:P) works out the same way: 10 * 3 * (0.7 * 0.333) = 6.993, shown as 7.
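Worked in code, as an added example that is not part of the deck: the version 1 formula above and, because the report excerpts in this deck also carry CVSS2# vectors (the Helix RTSP and SNMP findings), the version 2 base equation. The weights beyond the ones in the table above are taken from the CVSS v1 specification (Local 0.7, High complexity 0.8, Required authentication 0.6, Complete impact 1.0, weighted bias 0.5/0.25/0.25) and the CVSS v2 specification; the risk_factor() bands are the mapping I assume Nessus applies to v2-style scores, chosen to reproduce the four labels (Critical, High, Medium, Low) that appear on these slides.

```python
"""CVSS base-score calculators, added as an example for this page (not code from the
deck or from Nessus). cvss1_base() implements the version 1 formula on the slide;
cvss2_base() implements the CVSS version 2 base equation from the v2 specification,
which the CVSS2# vectors in the report excerpts use.
"""

# CVSS v1 metric weights. The table on the slide gives Remote / Low / Not Required /
# Partial / None / Normal bias; the remaining values are from the CVSS v1 specification.
V1 = {
    "AV": {"L": 0.7, "R": 1.0},            # Local, Remote
    "AC": {"H": 0.8, "L": 1.0},            # High, Low
    "Au": {"R": 0.6, "NR": 1.0},           # Required, Not Required
    "C": {"N": 0.0, "P": 0.7, "C": 1.0},   # None, Partial, Complete
    "I": {"N": 0.0, "P": 0.7, "C": 1.0},
    "A": {"N": 0.0, "P": 0.7, "C": 1.0},
}
# Impact bias B: Normal weights the three impacts equally; C, I or A moves half the
# weight onto that one impact (v1 specification values).
V1_BIAS = {
    "N": (0.333, 0.333, 0.333),
    "C": (0.5, 0.25, 0.25),
    "I": (0.25, 0.5, 0.25),
    "A": (0.25, 0.25, 0.5),
}

# CVSS v2 metric weights, from the v2 specification (not on the slide).
V2 = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Local, Adjacent network, Network
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Multiple, Single, None
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def parse_vector(vector):
    """'CVSS2#AV:N/AC:L/...' or 'AV:R/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    body = vector.split("#", 1)[-1]          # drop a 'CVSS2#' prefix if present
    return dict(item.split(":", 1) for item in body.split("/"))


def cvss1_base(vector, decimals=1):
    """BaseScore = round(10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias)), as on the slide."""
    m = parse_vector(vector)
    bias_c, bias_i, bias_a = V1_BIAS[m.get("B", "N")]
    impact = V1["C"][m["C"]] * bias_c + V1["I"][m["I"]] * bias_i + V1["A"][m["A"]] * bias_a
    raw = 10 * V1["AV"][m["AV"]] * V1["AC"][m["AC"]] * V1["Au"][m["Au"]] * impact
    return round(raw, decimals)


def cvss2_base(vector):
    """CVSS v2: (0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact), rounded to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - V2["C"][m["C"]]) * (1 - V2["I"][m["I"]]) * (1 - V2["A"][m["A"]]))
    exploitability = 20 * V2["AV"][m["AV"]] * V2["AC"][m["AC"]] * V2["Au"][m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176   # a vector with no impact scores 0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def base_score(vector):
    """Dispatch on the vector syntax: a CVSS2# prefix marks a v2 vector, otherwise v1."""
    return cvss2_base(vector) if vector.startswith("CVSS2#") else cvss1_base(vector)


def risk_factor(score):
    """Assumed Nessus mapping of a v2-style score to the labels seen on these slides."""
    if score >= 10.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


if __name__ == "__main__":
    for v in ("AV:R/AC:L/Au:NR/C:P/A:N/I:P/B:N",       # the worked example above
              "AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N",       # MySQL finding in this deck
              "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C",      # Helix RTSP finding
              "CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"):     # SNMP finding
        s = base_score(v)
        print(f"{s:5.1f}  {risk_factor(s):8s}  {v}")
```

Running it reproduces every score printed in this deck (4.7 rounded from 4.662 for the example above, 7.0 for MySQL, 10.0 for Helix, 7.5 for SNMP), which is the check to run before trusting a third-party recomputation of vendor scores.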

Page 17

IAVs

IAVA - Information Assurance Vulnerability Alert: alerts of high priority; the vulnerability must be eradicated from the network.

IAVB - Information Assurance Vulnerability Bulletin: bulletins of medium priority; they do not pose an immediate threat.

IAVT - Information Assurance Vulnerability Technical Advisory: technical notes on vulnerabilities, without remediation urgency.

Page 18

CVE

Common Vulnerabilities and Exposures

free for public use

CVE is a dictionary of publicly known information security vulnerabilities and exposures.

http://cve.mitre.org/data/downloads/allcves.html

Page 19

OSVDB

The Open Source Vulnerability Database (OSVDB) classifies security flaws in Internet-related software so that users can look them up. (OSVDB stopped publishing and closed in April 2016; its identifiers still appear in older Nessus output but can no longer be looked up at the address below.)

http://osvdb.org/

Page 20

Nessus Report

rtsp (554/tcp)

Synopsis : The remote RTSP (Real Time Streaming Protocol) server is prone to a buffer overflow attack.

Description : The remote host is running Helix Server or Helix DNA Server, a media streaming server. The version of the Helix server installed on the remote host reportedly contains a heap overflow that is triggered using an RTSP command with multiple 'Require' headers. An unauthenticated remote attacker can leverage this flaw to execute arbitrary code subject to the privileges under which it operates, by default LOCAL SYSTEM on Windows.

Solution : Upgrade to Helix Server / Helix DNA Server version 11.1.4 or later.

Risk Factor : Critical / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Page 21

Nessus Report

mysql (3306/tcp)

Synopsis : An unpassworded database server is listening on the remote port.

Description : The remote host is running MySQL, an open-source database server. It is possible to connect to the remote database using one of the following unpassworded accounts :

- root
- anonymous

This may allow an attacker to launch further attacks against the database.

Solution : Disable the anonymous account or set a password for the root account.

Risk Factor : High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)

Page 22

Nessus Report

ftp (21/tcp)

Synopsis : You seem to be running an FTP server which is vulnerable. An attacker may use this problem to execute arbitrary commands on this host.

Solution : Upgrade your ftp server software to the latest version.

Risk Factor : High

CVE : CVE-2001-0249, CVE-2001-0550
BID : 2550, 3581
Other references : IAVA:2001-b-0004, OSVDB:686, OSVDB:8681
Plugin ID : 10821

Page 23

Nessus Report

Page 24

Nessus Report

Page 25

Nessus Report

Page 26

Nessus Report

ftp (21/tcp)

The remote FTP server is vulnerable to a SQL injection when it processes the USER command.

An attacker may exploit this flaw to log into the remote host as any user.

Solution : If the remote server is ProFTPD, upgrade to ProFTPD 1.2.10 when available, or switch the SQL backend to PostgreSQL.

Risk Factor : High
BID : 7974
Plugin ID : 11768

Page 27

Nessus Report

http (80/tcp)

The following URLs seem to be vulnerable to BLIND SQL injection techniques :

/internal/news.php?-=&user_id='+AND+'b'>'a&password=
/internal/news.php?-=&user_id=+AND+1=1&password=
/internal/news.php?-=&user_id=+AND+1=1)&password=
/internal/news.php?-=&user_id=/**/&password=

An attacker may exploit these flaws to bypass authentication or to take control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments.

Risk Factor : High

See Also : http://www.securitydocs.com/library/2651

Plugin ID : 11139

Page 28

Nessus Report

SQL injection is when data entered by a user carries SQL statements along with it. In a badly designed program that neglects to check its input, the database server mistakes the embedded statements for legitimate SQL and executes them, and damage follows.

SQL injection can also be used to plant malicious programs.
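The two injection patterns in this deck's findings, authentication bypass through a pasted-in USER or form value and the blind true/false probe against news.php, come from one defect: the program builds its SQL by string concatenation. The following is an added example, not code from the deck or from any of the affected products: an in-memory SQLite stand-in (constructed tables and accounts) with the vulnerable query beside the parameterised fix, and a small reimplementation of the blind test built around the slide's `'b'>'a` payload. The always-false counterpart `'b'>'c` and the `/*` comment tail on the login payload are my additions for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the SQL backend behind a login form or an FTP USER check (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("root", "hunter2")])
    conn.execute("CREATE TABLE news (user_id TEXT, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [("1", "welcome"), ("1", "maintenance window"), ("2", "archive")])
    return conn


def login_vulnerable(conn, username, password):
    """The mistake behind the ProFTPD USER and formlink01.asp findings: user text is pasted into the SQL."""
    sql = "SELECT username FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same query with bound parameters: the values never become part of the statement text."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def news_titles_vulnerable(conn, user_id):
    """Models /internal/news.php?user_id=... built by string formatting."""
    return [r[0] for r in conn.execute("SELECT title FROM news WHERE user_id = '%s'" % user_id)]


def news_titles_fixed(conn, user_id):
    return [r[0] for r in conn.execute("SELECT title FROM news WHERE user_id = ?", (user_id,))]


def looks_blind_injectable(probe, known_good="1"):
    """The inference behind the blind test on the slide, as I read its payloads: if the page
    answers an always-true tail ('b'>'a) exactly like the untouched request and an
    always-false tail ('b'>'c) differently, our text is being evaluated as SQL."""
    baseline = probe(known_good)
    always_true = probe(known_good + "' AND 'b'>'a")
    always_false = probe(known_good + "' AND 'b'>'c")
    return baseline == always_true and always_true != always_false


if __name__ == "__main__":
    conn = make_db()
    # Login bypass: the quote closes the literal, OR 'a'<'b' is always true, /* hides the password clause.
    print("vulnerable login as:", login_vulnerable(conn, "' OR 'a'<'b' /*", "anything"))
    print("vulnerable login as:", login_vulnerable(conn, "root' /*", "anything"))
    print("fixed login as:", login_fixed(conn, "' OR 'a'<'b' /*", "anything"))
    print("news.php blind-injectable:", looks_blind_injectable(lambda u: news_titles_vulnerable(conn, u)))
    print("fixed news blind-injectable:", looks_blind_injectable(lambda u: news_titles_fixed(conn, u)))
```

The fix is the parameterised statement, not escaping by hand: with bound parameters the same payloads are matched literally against the column and return nothing, which is also why the blind probe no longer distinguishes true from false.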

Page 29

Nessus Report

http (80/tcp)

The following URLs seem to be vulnerable to various SQL injection techniques :

/doclink/formlink01.asp?-='+OR+'a'<'b&link_cat=校園環保業務相關表單及範例
/doclink/formlink01.asp?-=')+OR+('b'))/*&link_cat=校園環保業務相關表單及範例
/doclink/formlink01.asp?-=&link_cat='+OR+'))/*

An attacker may exploit these flaws to bypass authentication or to take control of the remote database.

Solution : Modify the relevant CGIs so that they properly escape arguments.

Risk Factor : High

See Also : http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Plugin ID : 11139

Page 30

Nessus Report

http (80/tcp)

The remote host is using a vulnerable version of mod_ssl which is older than 2.8.19. There is a format string condition in the log functions of the remote module which may allow an attacker to execute arbitrary code on the remote host.

Solution : Upgrade to version 2.8.19 or newer.

Risk Factor : High
CVE : CVE-2004-0700
BID : 10736
Other references : OSVDB:7929
Plugin ID : 13651

Page 31

Nessus Report

http (80/tcp)

The remote host is running a version of PHP which is older than 5.0.3 or 4.3.10.

The remote version of this software is vulnerable to various security issues which may, under certain circumstances, allow an attacker to execute arbitrary code on the remote host, provided that arbitrary data can be passed to some functions.

See Also : http://www.php.net/ChangeLog-5.php#5.0.3

Solution : Upgrade to PHP 5.0.3 or 4.3.10.

Risk Factor : High
CVE : CVE-2004-1018, CVE-2004-1019, CVE-2004-1020, CVE-2004-1063, CVE-2004-1064, CVE-2004-1065
BID : 11964, 11981, 11992, 12045
Other references : OSVDB:12410
Plugin ID : 15973

Page 32

Nessus Report

http (80/tcp)

The remote host appears to be running a version of Apache which is older than 1.3.29.

There are several flaws in this version, which may allow an attacker to possibly execute arbitrary code through mod_alias and mod_rewrite.

You should upgrade to 1.3.29 or newer.

Note that Nessus solely relied on the version number of the remote server to issue this warning. This might be a false positive.

Solution : Upgrade to version 1.3.29.

See Also : http://www.apache.org/dist/httpd/Announcement.html

Risk Factor : High
CVE : CVE-2003-0542
BID : 8911
Other references : OSVDB:2733, OSVDB:7611
Plugin ID : 11915

A banner-only check like this one should be confirmed against the installed package before the finding is treated as real: distribution vendors backport fixes without changing the version Apache announces, so the same banner can belong to a patched server.

Page 33

Nessus Report

http (80/tcp)

Synopsis : The remote web server allows PUT and/or DELETE method(s).

Description : We could DELETE the file '/puttest1.html' on your web server. This allows an attacker to destroy some of your pages.

Solution : Disable PUT and/or DELETE method(s) in the web server configuration.

Risk Factor : High
BID : 12141
Other references : OSVDB:397, OSVDB:5646, OWASP:OWASP-CM-001
Plugin ID : 10498
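The finding above is produced by actually uploading a test file and then deleting it, which is also the quickest way to re-check a server after the configuration change. Added example, not the Nessus plugin and not code from the deck: my own version of that probe (PUT a test file, then DELETE it), run against a tiny in-process HTTP server that stands in for the target so the example works offline. The two handler classes are assumptions for the example; the file name /puttest1.html is the one that appears in the finding.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TEST_PATH = "/puttest1.html"   # the file name that appears in the deck's finding


class PermissiveHandler(BaseHTTPRequestHandler):
    """Misconfigured target (assumed for the example): honours PUT and DELETE for any path."""
    store = {}   # uploaded bodies, keyed by path

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.store[self.path] = self.rfile.read(length)
        self.send_response(201)
        self.end_headers()

    def do_DELETE(self):
        if self.path in self.store:
            del self.store[self.path]
            self.send_response(204)
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):   # keep the example quiet
        pass


class HardenedHandler(PermissiveHandler):
    """Target after the fix on the slide: unsafe methods are refused with 405."""
    def do_PUT(self):
        self.send_error(405)

    def do_DELETE(self):
        self.send_error(405)


def _request(host, port, method, path, body=None):
    """One request on a fresh connection; returns the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Content-Type": "text/html"} if body is not None else {}
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def check_put_delete(host, port, path=TEST_PATH):
    """Try the two unsafe methods the way the scanner does and report which ones the server accepted."""
    put_status = _request(host, port, "PUT", path, body=b"<html>scanner test</html>")
    delete_status = _request(host, port, "DELETE", path)   # also cleans up the test file
    return {"put": put_status in (200, 201, 204),
            "delete": delete_status in (200, 202, 204)}


def serve(handler_cls):
    """Start a throwaway server on a free loopback port; call .shutdown() when done."""
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for name, handler in (("permissive", PermissiveHandler), ("hardened", HardenedHandler)):
        srv = serve(handler)
        print(name, check_put_delete("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
```

On Apache the fix on the slide is usually a `<LimitExcept GET POST HEAD>` block that denies everything else, and on IIS the removal of the write verbs from the script mappings; whichever server it is, rerun the probe afterwards and expect both entries to come back False.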

Page 34

Nessus Report

http (80/tcp)

This host is running the Microsoft IIS web server. This web server contains a configuration flaw that allows the retrieval of the global.asa file.

This file may contain sensitive information such as database passwords, internal addresses, and web application configuration options. This vulnerability may be caused by a missing ISAPI map of the .asa extension to asp.dll.

Solution : To restore the .asa map:

Open Internet Services Manager. Right-click on the affected web server and choose Properties from the context menu. Select Master Properties, then select WWW Service --> Edit --> Home Directory --> Configuration. Click the Add button, specify C:\winnt\system32\inetsrv\asp.dll as the executable (may be different depending on your installation), enter .asa as the extension, limit the verbs to GET,HEAD,POST,TRACE, ensure the Script Engine box is checked and click OK.

Risk Factor : High

Plugin ID : 10991

Page 35

Nessus Report

http (80/tcp)

The remote host is using a version of OpenSSL which is older than 0.9.6m or 0.9.7d.

There are several bugs in this version of OpenSSL which may allow an attacker to cause a denial of service against the remote host.

Solution : Upgrade to version 0.9.6m (0.9.7d) or newer.

Risk Factor : High
CVE : CVE-2004-0079, CVE-2004-0081, CVE-2004-0112
BID : 9899
Other references : IAVA:2004-B-0006, OSVDB:4316, OSVDB:4317, OSVDB:4318
Plugin ID : 12110

Page 36

Nessus Report

snmp (161/udp)

Synopsis : The community name of the remote SNMP server can be guessed.

Description : It is possible to obtain the default community names of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system.

Solution : Disable the SNMP service on the remote host if you do not use it, filter incoming UDP packets going to this port, or change the default community string.

Risk Factor : High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin output : The remote SNMP server replies to the following default community strings : private, public, cisco

Plugin ID : 10264

Page 37

Nessus Report

compaq-evm (619/tcp)

The remote NFS server allows users to use a 'cd ..' command to access other directories besides the NFS file system.

The listing of /cdrom is :
- .
- ..

After having sent a 'cd ..' request, the list of files is :
dev backup home tmp usr var stand etc cdrom bin boot lib libexec mnt proc rescue root sbin sys .cshrc .profile COPYRIGHT compat entropy

An attacker may use this flaw to read every file on this host.

Solution : Contact your vendor for a patch.

Risk Factor : High
CVE : CVE-1999-0166
Plugin ID : 11357

The 'compaq-evm' label is only the name Nessus associates with TCP port 619; the daemon answering there is the NFS server the text describes, and the directory listing shows that the export boundary is not enforced.

Page 38

Thank You!