How should medium-severity vulnerabilities on a WOC be fixed?

新手264994 7787

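During a certain company's security inspection for the 19th National Congress, the following vulnerabilities were found on a certain company's WOC device. How should they be fixed?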
Host 10.100.253.10
Scanning of this host started at: Wed Oct 18 11:16:23 2017 UTC
Number of results: 92
Port Summary for Host 10.100.253.10
Service (Port)    Threat Level
6016/tcp          Log
6017/tcp          Log
6025/tcp          Log
6007/tcp          Log
10001/tcp         Log
general/icmp      Log
6004/tcp          Log
85/tcp            Medium
6030/tcp          Log
80/tcp            Medium
6027/tcp          Log
6022/tcp          Log
8000/tcp          Medium
6014/tcp          Log
6009/tcp          Log
6012/tcp          Log
6020/tcp          Log
6018/tcp          Log
6026/tcp          Log
6008/tcp          Log
general/tcp       Low
6015/tcp          Log
6005/tcp          Log
6031/tcp          Log
6024/tcp          Log
6006/tcp          Log
53/tcp            Log
6003/tcp          Log
6029/tcp          Log
443/tcp           Medium
6028/tcp          Log
6011/tcp          Log
general/CPE-T     Log
6013/tcp          Log
6019/tcp          Log
6021/tcp          Log
Security Issues for Host 10.100.253.10
80/tcp

Medium (CVSS: 5.0)
NVT: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)

Summary: An information leak occurs on 某公司 based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.

Vulnerability Detection Result: Vulnerability was detected according to the Vulnerability Detection Method.

Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'.
Or
2) Use a RedirectMatch rewrite rule under 某公司 -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf: ErrorDocument 404 http://localhost/sample.html ErrorDocument 403 http://localhost/sample.html (NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html

Vulnerability Detection Method:
Details: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)
Version used: $Revision: 6063 $

References
CVE:CVE-2001-1013
BID:3335
CERT:CB-K14/0304 , DFN-CERT-2014-0315

85/tcp

Medium (CVSS: 5.0)
NVT: Missing `httpOnly` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)

Summary: The application is missing the 'httpOnly' cookie attribute

Vulnerability Detection Result: The cookies:
Set-Cookie: sf_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22acd5671ceaa41e0dc3fb90b12501f18a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2210.100.4.102%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A40%3A%22Mozilla%2F5.0+%5Ben%5D+%28X11%2C+U%3B+OpenVAS+8.0.8%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1508326962%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Deb04956e91a1451e9b11714acfbcda31; path=/
are missing the "httpOnly" attribute.

Solution:
Solution type: Mitigation
Set the 'httpOnly' attribute for any session cookie.

Affected Software/OS: Application with session handling in cookies.

Vulnerability Insight: The flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.

Vulnerability Detection Method: Check all cookies sent by the application for a missing 'httpOnly' attribute
Details: Missing `httpOnly` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)
Version used: $Revision: 5270 $

References
Other:https://www.owasp.org/index.php/HttpOnly

https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

85/tcp

Medium (CVSS: 5.0)
NVT: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)

Summary: An information leak occurs on 某公司 based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.

Vulnerability Detection Result: Vulnerability was detected according to the Vulnerability Detection Method.

Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'.
Or
2) Use a RedirectMatch rewrite rule under 某公司 -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf: ErrorDocument 404 http://localhost/sample.html ErrorDocument 403 http://localhost/sample.html (NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html

Vulnerability Detection Method:
Details: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)
Version used: $Revision: 6063 $

References
CVE:CVE-2001-1013
BID:3335
CERT:CB-K14/0304 , DFN-CERT-2014-0315

443/tcp

Medium (CVSS: 5.0)
NVT: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS (OID: 1.3.6.1.4.1.25623.1.0.108031)

Summary: This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exists only on HTTPS services.

Vulnerability Detection Result: 'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

Solution:
Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed cipher suites anymore.
Please see the references for more resources supporting you with this task.

Affected Software/OS: Services accepting vulnerable SSL/TLS cipher suites via HTTPS.

Vulnerability Insight: These rules are applied for the evaluation of the vulnerable cipher suites:
- 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).

Vulnerability Detection Method:
Details: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS (OID: 1.3.6.1.4.1.25623.1.0.108031)
Version used: $Revision: 5232 $

References
CVE:CVE-2016-2183, CVE-2016-6329
Other:https://bettercrypto.org/

https://mozilla.github.io/server-side-tls/ssl-config-generator/

https://sweet32.info/

8000/tcp

Medium (CVSS: 5.0)
NVT: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)

Summary: An information leak occurs on 某公司 based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.

Vulnerability Detection Result: Vulnerability was detected according to the Vulnerability Detection Method.

Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'.
Or
2) Use a RedirectMatch rewrite rule under 某公司 -- this works even if there is no such entry in the password file, e.g.: RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf: ErrorDocument 404 http://localhost/sample.html ErrorDocument 403 http://localhost/sample.html (NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html

Vulnerability Detection Method:
Details: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)
Version used: $Revision: 6063 $

References
CVE:CVE-2001-1013
BID:3335
CERT:CB-K14/0304 , DFN-CERT-2014-0315

8000/tcp

Medium (CVSS: 4.3)
NVT: SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440)

Summary: This routine reports all Weak SSL/TLS cipher suites accepted by a service.
NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.

Vulnerability Detection Result: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_RC4_128_SHA

Solution:
Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed weak cipher suites anymore.
Please see the references for more resources supporting you with this task.

Vulnerability Insight: These rules are applied for the evaluation of the cryptographic strength:
- RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808).
- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000).
- 1024 bit RSA authentication is considered to be insecure and therefore as weak.
- Any cipher considered to be secure for only the next 10 years is considered as medium
- Any other cipher is considered as strong

Vulnerability Detection Method:
Details: SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440)
Version used: $Revision: 5525 $

References
CVE:CVE-2013-2566, CVE-2015-2808, CVE-2015-4000
Other:https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/warnmeldung_cb-k16-1465_update_6.html

https://bettercrypto.org/

https://mozilla.github.io/server-side-tls/ssl-config-generator/

443/tcp

Medium (CVSS: 4.0)
NVT: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880)

Summary: The remote service is using a SSL/TLS certificate chain that has been signed using a cryptographically weak hashing algorithm.

Vulnerability Detection Result: The following certificates are part of the certificate chain but using insecure signature algorithms:
Subject:              CN=10.100.253.10
Signature Algorithm:  sha1WithRSAEncryption

Solution:
Solution type: Mitigation
Servers that use SSL/TLS certificates signed using an SHA-1 signature will need to obtain new SHA-2 signed SSL/TLS certificates to avoid these web browser SSL/TLS certificate warnings.

Vulnerability Insight: Secure Hash Algorithm 1 (SHA-1) is considered cryptographically weak and not secure enough for ongoing use. Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft and Google will begin warning users when users visit web sites that use SHA-1 signed Secure Socket Layer (SSL) certificates.

Vulnerability Detection Method: Check which algorithm was used to sign the remote SSL/TLS Certificate.
Details: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880)
Version used: $Revision: 4781 $

References
Other:https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

8000/tcp

Medium (CVSS: 4.0)
NVT: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880)

Summary: The remote service is using a SSL/TLS certificate chain that has been signed using a cryptographically weak hashing algorithm.

Vulnerability Detection Result: The following certificates are part of the certificate chain but using insecure signature algorithms:
Subject:              1.2.840.113549.1.9.1=#73736C4073616E67666F722E636F6D,CN=sslvpn,OU=sslvpn,O=sangfor,L=shenzhen,ST=guangdong,C=CN
Signature Algorithm:  sha1WithRSAEncryption

Solution:
Solution type: Mitigation
Servers that use SSL/TLS certificates signed using an SHA-1 signature will need to obtain new SHA-2 signed SSL/TLS certificates to avoid these web browser SSL/TLS certificate warnings.

Vulnerability Insight: Secure Hash Algorithm 1 (SHA-1) is considered cryptographically weak and not secure enough for ongoing use. Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft and Google will begin warning users when users visit web sites that use SHA-1 signed Secure Socket Layer (SSL) certificates.

Vulnerability Detection Method: Check which algorithm was used to sign the remote SSL/TLS Certificate.
Details: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880)
Version used: $Revision: 4781 $

References
Other:https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/


Reply to 新手264994: Hello, this is an SSL VPN device, not a WOC device.
Sangfor闪电回_小丸子 posted on 2017-10-20 14:42
  
Hello, please provide the device's detailed version information.
Thanks.
adds posted on 2017-10-20 14:42
  
Is there a Chinese version? The official language in this country seems to be Chinese, after all.
携手旅游 posted on 2017-10-20 14:42
  
May I ask which vendor's device produced these findings? These are open ports. That is perfectly normal.
新手147804 posted on 2019-5-20 00:32
  
May I ask which vendor's device produced these findings? These are open ports. That is perfectly normal.
