During 某公司's security inspection for the 19th National Congress, the 某公司 WOC device was found to have the following vulnerabilities. How should they be fixed?
Host 10.100.253.10
Scanning of this host started at: Wed Oct 18 11:16:23 2017 UTC
Number of results: 92

Port Summary for Host 10.100.253.10 (service/port by threat level)
Medium: 80/tcp, 85/tcp, 443/tcp, 8000/tcp
Low:    general/tcp
Log:    53/tcp, 6003/tcp, 6004/tcp, 6005/tcp, 6006/tcp, 6007/tcp, 6008/tcp, 6009/tcp, 6011/tcp, 6012/tcp, 6013/tcp, 6014/tcp, 6015/tcp, 6016/tcp, 6017/tcp, 6018/tcp, 6019/tcp, 6020/tcp, 6021/tcp, 6022/tcp, 6024/tcp, 6025/tcp, 6026/tcp, 6027/tcp, 6028/tcp, 6029/tcp, 6030/tcp, 6031/tcp, 10001/tcp, general/icmp, general/CPE-T

Security Issues for Host 10.100.253.10

80/tcp
Medium (CVSS: 5.0) NVT: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)
Summary: An information leak occurs on 某公司 based web servers whenever the UserDir module is enabled. The vulnerability allows an external attacker to enumerate existing accounts by requesting access to their home directory and monitoring the response.
Vulnerability Detection Result: Vulnerability was detected according to the Vulnerability Detection Method.
Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to 'UserDir disabled'.
Or
2) Use a RedirectMatch rewrite rule under 某公司 -- this works even if there is no such entry in the password file, e.g.:
   RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf:
   ErrorDocument 404 http://localhost/sample.html
   ErrorDocument 403 http://localhost/sample.html
   (NOTE: You need to use a FQDN inside the URL for it to work properly.)
Additional Information: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Vulnerability Detection Method
Details: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)
Version used: $Revision: 6063 $
References
CVE: CVE-2001-1013
BID: 3335
CERT: CB-K14/0304, DFN-CERT-2014-0315
85/tcp
Medium (CVSS: 5.0) NVT: Missing `httpOnly` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)
Summary: The application is missing the 'httpOnly' cookie attribute.
Vulnerability Detection Result: The cookies:
Set-Cookie: sf_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22acd5671ceaa41e0dc3fb90b12501f18a%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%2210.100.4.102%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A40%3A%22Mozilla%2F5.0+%5Ben%5D+%28X11%2C+U%3B+OpenVAS+8.0.8%29%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1508326962%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7Deb04956e91a1451e9b11714acfbcda31; path=/
are missing the "httpOnly" attribute.
Solution: Solution type: Mitigation
Set the 'httpOnly' attribute for any session cookie.
Affected Software/OS: Application with session handling in cookies.
Vulnerability Insight: The flaw is due to a cookie not using the 'httpOnly' attribute. This allows the cookie to be accessed by JavaScript, which could lead to session hijacking attacks.
Vulnerability Detection Method: Check all cookies sent by the application for a missing 'httpOnly' attribute.
Details: Missing `httpOnly` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)
Version used: $Revision: 5270 $
References
Other:
https://www.owasp.org/index.php/HttpOnly
https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
85/tcp
Medium (CVSS: 5.0) NVT: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)
(Same finding as reported above for 80/tcp; summary, detection result, solution and references are identical.)
443/tcp
Medium (CVSS: 5.0) NVT: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS (OID: 1.3.6.1.4.1.25623.1.0.108031)
Summary: This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exist only on HTTPS services.
Vulnerability Detection Result: 'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
Solution: Solution type: Mitigation
The configuration of this service should be changed so that it no longer accepts the listed cipher suites.
Please see the references for more resources supporting you with this task.
Affected Software/OS: Services accepting vulnerable SSL/TLS cipher suites via HTTPS.
Vulnerability Insight: These rules are applied for the evaluation of the vulnerable cipher suites:
- 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).
Vulnerability Detection Method
Details: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS (OID: 1.3.6.1.4.1.25623.1.0.108031)
Version used: $Revision: 5232 $
References
CVE: CVE-2016-2183, CVE-2016-6329
Other:
https://bettercrypto.org/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
https://sweet32.info/
8000/tcp
Medium (CVSS: 5.0) NVT: 某公司 UserDir Sensitive Information Disclosure (OID: 1.3.6.1.4.1.25623.1.0.10766)
(Same finding as reported above for 80/tcp; summary, detection result, solution and references are identical.)
8000/tcp
Medium (CVSS: 4.3) NVT: SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440)
Summary: This routine reports all weak SSL/TLS cipher suites accepted by a service.
NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If only strong cipher suites were configured for such a service, the alternative would be to fall back to an even more insecure cleartext communication.
Vulnerability Detection Result: 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_RC4_128_SHA
Solution: Solution type: Mitigation
The configuration of this service should be changed so that it no longer accepts the listed weak cipher suites.
Please see the references for more resources supporting you with this task.
Vulnerability Insight: These rules are applied for the evaluation of the cryptographic strength:
- RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808).
- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000).
- 1024 bit RSA authentication is considered to be insecure and therefore as weak.
- Any cipher considered to be secure for only the next 10 years is considered as medium.
- Any other cipher is considered as strong.
Vulnerability Detection Method
Details: SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440)
Version used: $Revision: 5525 $
References
CVE: CVE-2013-2566, CVE-2015-2808, CVE-2015-4000
Other:
https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/warnmeldung_cb-k16-1465_update_6.html
https://bettercrypto.org/
https://mozilla.github.io/server-side-tls/ssl-config-generator/
443/tcp
Medium (CVSS: 4.0) NVT: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880)
Summary: The remote service is using an SSL/TLS certificate chain that has been signed using a cryptographically weak hashing algorithm.
Vulnerability Detection Result: The following certificates are part of the certificate chain but use insecure signature algorithms:
Subject: CN=10.100.253.10
Signature Algorithm: sha1WithRSAEncryption
Solution: Solution type: Mitigation
Servers that use SSL/TLS certificates signed using an SHA-1 signature will need to obtain new SHA-2 signed SSL/TLS certificates to avoid these web browser SSL/TLS certificate warnings.
Vulnerability Insight: Secure Hash Algorithm 1 (SHA-1) is considered cryptographically weak and not secure enough for ongoing use. Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft and Google will begin warning users when they visit web sites that use SHA-1 signed Secure Socket Layer (SSL) certificates.
Vulnerability Detection Method: Check which algorithm was used to sign the remote SSL/TLS certificate.
Details: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880)
Version used: $Revision: 4781 $
References
Other: https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
8000/tcp
Medium (CVSS: 4.0) NVT: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880)
Vulnerability Detection Result: The following certificates are part of the certificate chain but use insecure signature algorithms:
Subject: 1.2.840.113549.1.9.1=#73736C4073616E67666F722E636F6D,CN=sslvpn,OU=sslvpn,O=sangfor,L=shenzhen,ST=guangdong,C=CN
Signature Algorithm: sha1WithRSAEncryption
(Summary, solution, vulnerability insight, detection method and references are identical to the 443/tcp finding for this NVT above.)