Section 22.4.1, Port dns (53/tcp): DNS Server Zone Transfer Information Disclosure (AXFR)
Section 22.4.2, Port dns (53/udp): DNS Server Recursive Query Cache Poisoning Weakness
Section 22.4.3, Port dns (53/udp): DNS Server Cache Snooping Remote Information Disclosure
Section 22.4.4, Port dns (53/udp): Multiple Vendor DNS Query ID Field Prediction Cache Poisoning
Section 22.4.9, Port ssh (22/tcp): SSH Protocol Version 1 Session Key Retrieval
Section 22.4.10, Port (524/tcp): Novell NetWare ncp Service NDS Object Enumeration
Section 22.4.11, Port www (443/tcp): SSL Certificate signed with an unknown Certificate Authority
Section 22.4.12, Port www (443/tcp): SSL Version 2 (v2) Protocol Detection
Section 22.4.13, Port www (tcp): SSL Weak Cipher Suites Supported
Section 22.4.14, Port www (tcp): SSL Medium Strength Cipher Suites Supported
Nessus Plug in: 10595
Port: DNS service on port 53
Synopsis: The remote name server permits zone transfers.
Description: A zone transfer lets a remote attacker instantly populate a list of potential targets. In addition, companies often use a naming convention that can give hints as to a server’s primary application, for example, proxy.example.com, payroll.example.com, b2b.example.com, etc.
Information like this is of great use to an attacker, who may use it to gain information about the topology of the network and spot new targets.
Resolution:
Limit DNS zone transfers to only the servers that need the information. The Security Chapter for DNS includes the required information to restrict zones, allow-update and queries and the security factors. See Security Considerations for DNS
in the OES 11 SP3: Novell DNS/DHCP Services for Linux Administration Guide.
Nessus Plug in: 10539
Port: DNS on port 53
Synopsis: The remote name server allows recursive queries to be performed by the host running nessusd.
Description: It is possible to query the remote name server for third party names.
If this is your internal name server, then the attack vector may be limited to employees or guest access if allowed. If you are probing a remote name server, then it allows anyone to use it to resolve third party names, such as www.novell.com. This allows attackers to perform cache poisoning attacks against this name server.
If the host allows these recursive queries via UDP, then the host can be used to bounce denial-of-service attacks against another network or system.
Resolution: Restrict recursive queries to the hosts that should use this name server, such as those of the LAN connected to it.
The Security Chapter for Novell DNS includes the required information to restrict zones, allow-update and queries and the security factors. See Security Considerations for DNS
in the OES 11 SP3: Novell DNS/DHCP Services for Linux Administration Guide.
Nessus Plug in: 12217
Port: DNS on port 53
Synopsis: The remote DNS server is vulnerable to cache snooping attacks.
Description: The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.
NOTE: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants, and potential users on a guest network or WiFi connection if supported.
Resolution:
The Security Chapter for Novell DNS includes the required information to restrict zones, allow-update and queries and the security factors. See Security Considerations for DNS
in the OES 11 SP3: Novell DNS/DHCP Services for Linux Administration Guide.
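The following Python script is an added example and is not part of the Novell documentation or of the OES DNS code. It builds the three probes Nessus sends for the findings in Sections 22.4.1 to 22.4.3 (an AXFR request for plugin 10595, a recursive query for a third-party name for plugin 10539, and the same query with the RD bit cleared for plugin 12217) and classifies the reply from the RA and AA flags, the RCODE and the presence of answers. The server address, the name www.example.com and the sample reply bytes are constructed for the example; only probe_udp() touches the network.

```python
"""Build the DNS probes behind plugins 10595, 10539 and 12217 and interpret the replies."""
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "AXFR": 252}
RD, RA, AA, QR = 0x0100, 0x0080, 0x0400, 0x8000   # header flag bits, RFC 1035 section 4.1.1
REFUSED = 5                                        # RCODE a correctly restricted server returns

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype="A", rd=True, qid=None):
    """12-byte header plus one question. rd=False is exactly what a cache-snooping probe sends."""
    qid = random.getrandbits(16) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def tcp_frame(msg):
    """AXFR runs over TCP, where every DNS message carries a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_name(msg, off):
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer into the message
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (off if end is None else end)

def parse_response(msg):
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    resp = {"id": qid, "ra": bool(flags & RA), "aa": bool(flags & AA),
            "rcode": flags & 0xF, "answers": []}
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                                   # skip qtype and qclass
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        resp["answers"].append((name, rtype, ttl, rdata))
    return resp

def verdict(qtype, rd, resp):
    """Map the reply to a third-party name (or to an AXFR) onto the findings above."""
    if resp["rcode"] == REFUSED:
        return "refused"
    if qtype == "AXFR":
        return "zone transfer allowed (10595)" if resp["answers"] else "no transfer"
    if rd and resp["ra"] and resp["answers"]:
        return "open recursion (10539)"
    if not rd and resp["answers"] and not resp["aa"]:
        return "cache hit: name recently resolved (12217)"
    return "inconclusive" if rd else "not cached or snooping blocked"

def probe_udp(server, name, rd, timeout=3):
    """Live check (needs network): one UDP query, classified. Send rd=True, then rd=False."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, "A", rd), (server, 53))
        return verdict("A", rd, parse_response(s.recv(4096)))

def constructed_cached_reply(qid=0x1234):
    """Constructed sample, not a capture: the reply to a NON-recursive query for
    www.example.com that still carries an answer (TTL already counted down to 1234)."""
    header = struct.pack("!HHHHHH", qid, QR | RA, 1, 1, 0, 0)     # QR=1, RA=1, AA=0, RCODE=0
    question = encode_name("www.example.com") + struct.pack("!HH", QTYPE["A"], 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1234, 4) + bytes([93, 184, 216, 34])
    return header + question + answer

if __name__ == "__main__":
    reply = parse_response(constructed_cached_reply())
    print(verdict("A", False, reply))               # cache hit: name recently resolved (12217)
```

A server that has been restricted as the resolutions above describe answers the recursive and the non-recursive probe for a third-party name with REFUSED (or with no answer and RA clear) when they come from outside the allowed client list, and answers the AXFR request with REFUSED from any host that is not a configured secondary. For the AXFR case, wrap build_query(zone, "AXFR", rd=False) in tcp_frame() and send it over TCP port 53; the first answer record of a successful transfer is the zone's SOA.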
Nessus Plug in: 33447
Port: DNS on Port 53
Synopsis: The remote name resolver (or the server it uses upstream) may be vulnerable to DNS cache poisoning.
Description: The remote DNS resolver does not use random ports when making queries to third party DNS servers. This problem might be exploited by an attacker to poison the remote DNS server more easily, and therefore divert legitimate traffic to arbitrary sites.
Resolution: Nessus can report this finding when the OES server is configured to use a non-OES DNS server that does not randomize its query source ports. Configure the server to use Novell DNS instead of the vulnerable third-party server.
Nessus Plug in: 10079
Port: FTP service on port 21
Synopsis: Anonymous logins are allowed on the remote FTP server.
Description: This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.
Resolution: Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.
Nessus Plug in: 10990
Port: FTP service on port 21
Synopsis: A random username and password can be used to authenticate to the remote FTP server.
Description: The FTP server running on the remote host can be accessed using a random username and password. Nessus has enabled some countermeasures to prevent other plug ins from reporting vulnerabilities incorrectly because of this.
Resolution: Consult the FTP server's documentation and configure the service so that it handles authentication requests properly and rejects credentials it has not been configured to accept.
Nessus Plug in: 10722
Port: LDAP on 389, DSfW LDAPS on 1636, msft-gc on 3268
Synopsis: The remote LDAP server may disclose sensitive information.
Description: The remote LDAP server supports search requests with a null, or empty, base object. This allows information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user may be able to query your LDAP server using a tool such as LdapMiner.
NOTE: There are valid reasons to allow queries with a null base. For example, version 3 of the LDAP protocol requires it to provide access to the root DSA-Specific Entry (root DSE), which carries information about the supported naming contexts, authentication types, and the like. It also means that legitimate users can find information in the directory without any prior knowledge of its structure.
For these reasons, this finding may be a false-positive.
Resolution: If the remote LDAP server supports a version of the LDAP protocol before v3, consider whether to disable NULL BASE queries on your LDAP server. Note that LDAP NULL BASE search access might be required by many OES services.
For more details, see TID 7000737.
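The following Python script is an added example and is not part of the Novell documentation or of the OES LDAP code. It encodes, at the BER level, the two operations the plugin combines (an anonymous simple bind with an empty DN and empty password, the NULL BIND, followed by a base-scope search with an empty base DN, the NULL BASE query) and decodes the SearchResultEntry a server returns for the root DSE. The sample reply (o=example, LDAP versions 2 and 3) is constructed for the example; probe() performs the same exchange against a real server and is equivalent to `ldapsearch -x -H ldap://host -b "" -s base "(objectClass=*)" namingContexts supportedLDAPVersion`.

```python
"""Encode the NULL BIND and null-base root DSE search that plugin 10722 exercises, and decode the reply."""
import socket

def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):                                  # INTEGER, non-negative values only
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_str(s):
    return tlv(0x04, s.encode("utf-8"))

def ber_enum(v):
    return tlv(0x0A, bytes([v]))

def ber_seq(*items, tag=0x30):                   # SEQUENCE (0x30), SET (0x31) or an APPLICATION-tagged SEQUENCE
    return tlv(tag, b"".join(items))

def ldap_message(msg_id, protocol_op):
    return ber_seq(ber_int(msg_id), protocol_op)

def bind_request(msg_id=1, dn="", password=""):
    """BindRequest [APPLICATION 0]; an empty DN with an empty simple password is the NULL BIND."""
    return ldap_message(msg_id, ber_seq(ber_int(3), ber_str(dn), tlv(0x80, password.encode()), tag=0x60))

def search_request(msg_id=2, base="", scope=0, attrs=("namingContexts", "supportedLDAPVersion")):
    """SearchRequest [APPLICATION 3]; base="" with baseObject scope (0) reads the root DSE."""
    op = ber_seq(ber_str(base), ber_enum(scope), ber_enum(0), ber_int(0), ber_int(0),
                 tlv(0x01, b"\x00"),              # typesOnly FALSE
                 tlv(0x87, b"objectClass"),       # filter: present(objectClass), i.e. (objectClass=*)
                 ber_seq(*(ber_str(a) for a in attrs)), tag=0x63)
    return ldap_message(msg_id, op)

def ber_decode(data, pos=0):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def ber_children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, value, pos = ber_decode(payload, pos)
        out.append((tag, value))
    return out

def parse_search_entries(data):
    """Return {dn: {attr: [values]}} for every SearchResultEntry [APPLICATION 4] in data."""
    entries = {}
    for _, msg in ber_children(data):
        _msg_id, (op_tag, op) = ber_children(msg)[:2]
        if op_tag != 0x64:
            continue
        (_, dn), (_, attr_list) = ber_children(op)
        attrs = {}
        for _, attr in ber_children(attr_list):
            (_, name), (_, values) = ber_children(attr)
            attrs[name.decode()] = [v.decode() for _, v in ber_children(values)]
        entries[dn.decode()] = attrs
    return entries

def probe(host, port=389, timeout=5):
    """Live check (needs network): NULL BIND, then null-base search; reads until SearchResultDone."""
    buf = b""
    with socket.create_connection((host, port), timeout) as s:
        s.sendall(bind_request(1) + search_request(2))
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            buf += chunk
            try:
                if any(ber_children(m)[1][0] == 0x65 for _, m in ber_children(buf)):
                    break
            except IndexError:
                pass                                 # incomplete message, keep reading
    return parse_search_entries(buf)

def constructed_rootdse_reply():
    """Constructed sample, not a capture: what a server that allows NULL BIND + NULL BASE returns."""
    def attribute(name, *values):
        return ber_seq(ber_str(name), ber_seq(*(ber_str(v) for v in values), tag=0x31))
    ok = ber_seq(ber_enum(0), ber_str(""), ber_str(""), tag=0x61)        # BindResponse, success
    entry = ber_seq(ber_str(""), ber_seq(attribute("namingContexts", "o=example"),
                                         attribute("supportedLDAPVersion", "2", "3")), tag=0x64)
    done = ber_seq(ber_enum(0), ber_str(""), ber_str(""), tag=0x65)      # SearchResultDone, success
    return ldap_message(1, ok) + ldap_message(2, entry) + ldap_message(2, done)
```

If probe() returns a non-empty dictionary for the empty DN, the server answers null-base searches to anonymous clients, which is the condition the plugin reports; a server that has anonymous access restricted returns a BindResponse or SearchResultDone with a non-zero result code and no entry. The encoded bind request is the 14-byte message 30 0c 02 01 01 60 07 02 01 03 04 00 80 00, which is what you will see at the start of the TCP stream in a packet capture of the scan.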
Nessus Plug in: 56210
Synopsis: It is possible to obtain the host SID for the remote host, without credentials.
Description: By emulating the call to LsaQueryInformationPolicy(), it is possible to obtain the host SID (Security Identifier), without credentials. The host SID can then be used to get the list of local users.
Resolution: Novell CIFS answers this call with a dummy response whose SID value is 0, so no real host SID is disclosed. This is therefore not a security vulnerability.
Nessus Plug in: 10882
Port: SSH service on port 22
Synopsis: The remote service offers an insecure cryptographic protocol.
Description: The remote SSH daemon supports connections made using versions 1.33 and/or 1.5 of the SSH protocol. These protocol versions have known cryptographic weaknesses and should not be used.
Resolution: Disable compatibility with SSH 1.x. For OpenSSH, set Protocol 2 in /etc/ssh/sshd_config and restart sshd.
Nessus Plug in: 10988
Port: NCP server on port 524
Synopsis: Remote directory server leaks information.
Description: This host is a Novell NetWare (eDirectory) server on which the [Public] trustee has Browse rights. It is therefore possible for an unauthenticated client to enumerate all NDS objects, including users, with crafted queries. An attacker can use this to gain information about this host.
Resolution: This feature is required by many OES services for their normal operation.
If this is an external system, block Internet access to port 524.
Nessus Plug in: 51192
Port: Apache (443), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269), wbem (5989), NRM (8009), iMonitor (8030)
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, clients cannot verify its identity, so an attacker on the network path could present a certificate of their own and mount a man-in-the-middle attack, which defeats the purpose of SSL.
Resolution:
Purchase or generate a proper certificate for this service. For more information about generating certificates using the NetIQ Certificate Server, see Using eDirectory Certificates with External Applications
in the NetIQ Certificate Server Administration Guide.
Nessus Plug in: 20007
Port: Apache port www (443)
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Resolution: Consult the Apache documentation to disable SSL 2.0 and use TLS instead. SSL 3.0 has also been deprecated and should be disabled at the same time.
Nessus Plug in: 26928
Port: Apache (443), NRM (8009), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269)
Synopsis: The remote service supports the use of weak SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
NOTE:This is considerably easier to exploit if the attacker is on the same physical network.
Resolution:
Change the weak SSLCipherSuite setting for Apache in the /etc/apache2/vhosts.d/vhost-ssl.conf file from:
to
Restart Apache by entering the following at the terminal prompt:
rcapache2 restart
Nessus Plug in: 42873
Port: Apache (443), NRM (8009), LDAPS (636), DSfW LDAPS (1636), msft-gc-ssl (3269)
Synopsis: The remote service supports the use of medium strength SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer medium-strength encryption (key lengths at least 56 bits and less than 112 bits).
NOTE:This is considerably easier to exploit if the attacker is on the same physical network.
Resolution: Open the /etc/opt/novell/httpstkd.conf file in a text editor, then do the following:
Find the following section.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Cipher strength determines the bit strength for the SSL key
; that is required to access Novell Remote Manager(NRM).
; The default will be all
;
; If you modify the setting it will be necessary to restart NRM.
;
; Options: all, low, medium, high
;
; all - allows any negotiated encryption level.
; low - allows less than 56-bit encryption
; medium - allows 56-bit up to 112-bit encryption
; high - allows 112-bit or greater encryption
;
; Example:
; cipher high
;
;
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
cipher all
Change cipher all to cipher high.
Save the file.
Restart httpstkd by entering rcnovell-httpstkd restart at a terminal prompt.
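The following Python script is an added example and is not part of the Novell documentation or of OES. It applies to the Apache SSLCipherSuite change in Section 22.4.13 (the NRM setting above takes the fixed keywords all, low, medium and high rather than an OpenSSL cipher string, so for it only the thresholds matter). The script expands a candidate SSLCipherSuite string with the OpenSSL library installed on the machine, through Python's ssl module, and buckets every suite it enables using the thresholds from the httpstkd.conf comment and plugins 26928 and 42873 (no encryption or under 56 bits is weak, 56 up to 112 bits is medium, 112 bits or more is high). It adds two checks a key-length rule alone misses: RC4 is treated as weak despite its 128-bit key, and 3DES as medium, which is how current versions of plugin 42873 classify it. HARDENED is an example value, not an OES default.

```python
"""Audit an Apache/OpenSSL SSLCipherSuite string with the local OpenSSL before deploying it."""
import ssl

def classify(cipher):
    """Bucket one suite; cipher is a dict as returned by ssl.SSLContext.get_ciphers()."""
    name, bits, enc = cipher["name"], cipher["strength_bits"], cipher["symmetric"]
    if enc is None or bits < 56 or "RC4" in name:
        return "weak"        # plugin 26928: no encryption, under 56-bit keys, or RC4 (broken at any key size)
    if bits < 112 or "3DES" in name or "DES-CBC3" in name:
        return "medium"      # plugin 42873: 56 to 111 bits; 3DES is 112-bit but flagged since SWEET32
    return "high"

def audit(cipher_string):
    """Expand an SSLCipherSuite value into the suites OpenSSL would actually offer, bucketed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)               # raises ssl.SSLError if nothing matches
    buckets = {"weak": [], "medium": [], "high": []}
    for c in ctx.get_ciphers():
        buckets[classify(c)].append(c["name"])
    return buckets

def is_acceptable(cipher_string):
    """True when the value enables only high-strength suites, and at least one of them."""
    b = audit(cipher_string)
    return not b["weak"] and not b["medium"] and bool(b["high"])

# Example hardened value (an assumption for this example, not the OES default):
# HIGH only, no anonymous key exchange, no null encryption, no 3DES, no RC4, no MD5 MACs.
HARDENED = "HIGH:!aNULL:!eNULL:!3DES:!RC4:!MD5"

if __name__ == "__main__":
    for value in ("ALL:!aNULL:!eNULL", HARDENED):
        b = audit(value)
        print(f"{value}: {len(b['weak'])} weak, {len(b['medium'])} medium, {len(b['high'])} high,"
              f" acceptable={is_acceptable(value)}")
```

Run it on the server itself so that the expansion uses the same OpenSSL build that Apache links against; a value that is acceptable under a newer OpenSSL on an administrator's workstation may still enable 3DES or RC4 on the target. Restart Apache only after is_acceptable() returns True for the value you are about to put in vhost-ssl.conf, then re-run the Nessus scan to confirm plugins 26928 and 42873 no longer fire.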