Security Assessment INTERNAL NETWORK VULNERABILITIES SUMMARY REPORT

CONFIDENTIALITY NOTE: The information contained in this report is for the exclusive use of the client specified above and may contain confidential, privileged, and non-disclosable information. If you are not the client or addressee, you are strictly prohibited from reading, photocopying, distributing, or otherwise using this report or its contents in any way.

Prepared for: Your Customer / Prospect
Prepared by: Your Company Name
23-Feb-2021
Scan Date: 12-Feb-2021

Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Internal Network Vulnerabilities Summary

The Management Plan ranks individual issues based upon their potential risk to the network while providing guidance on which issues to address by priority. Fixing issues with lower Risk Scores will not lower the global Risk Score, but will reduce the global Issue Score. To mitigate global risk and improve the health of the network, address issues with higher Risk Scores first.

Appliances Used: 1. NDA1-5488JF 2. NDA1-7584JY 3. NDA1-9644PG

High Risk

CVSS RECOMMENDATION

10 Trojan horses Summary An unknown service runs on this port. It is sometimes opened by Trojan horses. Unless you know for sure what is behind it, you'd better check your system.

Solution If a trojan horse is running, run a good antivirus scanner.

Affected Nodes 10.200.1.16(myco-bdr)1

10 IPMI Cipher Zero Authentication Bypass Vulnerability Summary Intelligent Platform Management Interface is prone to an authentication-bypass vulnerability.

Solution Ask the Vendor for an update.

Affected Nodes 10.1.1.82 (sourcesvr) 1

7.5 CERN httpd CGI name heap overflow Summary It was possible to kill the remote web server by requesting GET /cgi-bin/A.AAAA[...]A HTTP/1.0. This is known to trigger a heap overflow in some servers like CERN HTTPD.

Solution Ask your vendor for a patch or move to another server

Affected Nodes 10.2.1.132

7.5 Multiple vulnerabilities Summary This host is running Lighttpd and is prone to multiple vulnerabilities

Solution Upgrade to 1.4.35 or higher. For updates refer to http://www.lighttpd.net/download

Affected Nodes 10.1.1.301, 10.1.1.311

7.5 Report default community names of the SNMP Agent Summary Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE).

Solution Determine if the detected community string is a private community string. Determine whether a public community string exposes sensitive information. Disable the SNMP service if you don't use it or change the default community string.

Affected Nodes 10.1.1.11, 10.1.1.41, 10.1.1.151, 10.1.1.301, 10.1.1.1902, 10.1.1.2502, 10.2.1.103, 10.2.1.1323

Medium Risk

CVSS RECOMMENDATION

6.9 Format string on HTTP method name Summary The remote web server seems to be vulnerable to a format string attack on the method name. An attacker might use this flaw to make it crash or even execute arbitrary code on this host.

Solution upgrade your or contact your vendor and inform him of this vulnerability

Affected Nodes 10.1.1.2422, 10.2.1.2542

6.8 SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability Summary OpenSSL is prone to a security-bypass vulnerability.

Solution Updates are available.

Affected Nodes 10.1.1.301, 10.1.1.311

6.4 SSL/TLS: Missing `secure` Cookie Attribute Summary The host is running a server with SSL/TLS and is prone to an information disclosure vulnerability.

Solution Set the 'secure' attribute for any cookies that are sent over a SSL/TLS connection.

Affected Nodes 10.1.1.21, 10.1.1.51

5 Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injection Vulnerability Summary Acme 'thttpd' and 'mini_httpd' are prone to a command-injection vulnerability because they fail to adequately sanitize user-supplied input in logfiles. Attackers can exploit this issue to execute arbitrary commands in a terminal. This issue affects thttpd 2.25b and mini_httpd 1.19; other versions may also be affected.

Solution

Affected Nodes 10.1.1.151

5 SSL/TLS: Certificate Expired Summary The remote server's SSL/TLS certificate has already expired.

Solution Replace the SSL/TLS certificate by a new one.

Affected Nodes 10.1.1.101, 10.1.1.221, 10.1.1.2501, 10.2.1.2532, 10.2.1.254 10.2.1.2542

5 BrowseGate HTTP headers overflows Summary It was possible to kill the BrowseGate proxy by sending it an invalid request with too long HTTP headers (Authorization and Referer). A cracker may exploit this vulnerability to make your web server crash continually or even execute arbitrary code on your system.

Solution upgrade your software or protect it with a filtering reverse proxy

Affected Nodes 10.1.1.82

5 Missing `httpOnly` Cookie Attribute Summary The application is missing the 'httpOnly' cookie attribute

Solution Set the 'httpOnly' attribute for any session cookie.

Affected Nodes 10.1.1.21, 10.1.1.51

5 SSL/TLS: Report Vulnerable Cipher Suites for HTTPS Summary This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exist only on HTTPS services.

Solution The configuration of this service should be changed so that it does not accept the listed cipher suites anymore. Please see the references for more resources supporting you with this task.

Affected Nodes 10.1.1.21, 10.1.1.51, 10.1.1.101, 10.1.1.301, 10.1.1.311, 10.1.1.1712, 10.1.1.2502, 10.2.1.2532, 10.2.1.2541

5 SSL/TLS: Untrusted Certificate Authorities Summary The service is using an SSL/TLS certificate from a known untrusted certificate authority. An attacker could use this for MitM attacks, accessing sensitive data and other attacks.

Solution Replace the SSL/TLS certificate with one signed by a trusted certificate authority.

Affected Nodes 10.1.1.5

5 Content-Length HTTP Header Remote Denial Of Service Vulnerability Summary Mongoose is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted input.

Solution

Affected Nodes 10.1.1.151

4.8 Cleartext Transmission of Sensitive Information via HTTP Summary The host / application transmits sensitive information (username, passwords) in cleartext via HTTP.

Solution Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally, make sure the host / application redirects all users to the secured SSL/TLS connection before allowing them to enter sensitive data into the mentioned functions.

Affected Nodes 10.1.1.21, 10.1.1.51, 10.1.1.1901, 10.1.1.2422, 10.1.1.2502, 10.2.1.2532

4.3 SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection Summary It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

Solution It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the references for more information.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.2.1.2532, 10.2.1.2542

4.3 SSL/TLS: Report Weak Cipher Suites Summary This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.

Solution The configuration of this service should be changed so that it does not accept the listed weak cipher suites anymore. Please see the references for more resources supporting you with this task.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.1.1.1202, 10.1.1.2502, 10.2.1.2532, 10.2.1.2542, 10.200.1.12(dc01.myco-bdr) 2, 10.200.1.13(dc02.myco-bdr) 2, 10.200.1.14(app01.myco-bdr) 2, 10.200.1.15(exch01.myco-bdr) 2, 10.200.1.16(myco-bdr) 2, 10.200.1.17(sql01.myco-bdr) 2

4.3 SSH Weak Encryption Algorithms Supported Summary The remote SSH server is configured to allow weak encryption algorithms.

Solution Disable the weak encryption algorithms.

Affected Nodes 10.1.1.22, 10.1.1.302, 10.1.1.312, 10.1.1.822, 10.1.1.1442, 10.1.1.1681, 10.1.1.1712, 10.1.1.2502

4.3 SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POODLE) Summary This host is prone to an information disclosure vulnerability.

Solution Possible Mitigations are:
- Disable SSLv3
- Disable cipher suites supporting CBC cipher modes
- Enable TLS_FALLBACK_SCSV if the service is providing TLSv1.0+

Affected Nodes 10.1.1.301, 10.1.1.311, 10.2.1.2532, 10.2.1.2542

4.3 SSL/TLS: RSA Temporary Key Handling RSA_EXPORT Downgrade Issue (FREAK) Summary This host is accepting 'RSA_EXPORT' cipher suites and is prone to a man-in-the-middle attack.

Solution
- Remove support for 'RSA_EXPORT' cipher suites from the service.
- If running OpenSSL, update to version 0.9.8zd or 1.0.0p or 1.0.1k or later. For updates refer to https://www.openssl.org

Affected Nodes 10.2.1.2532, 10.2.1.2542

4 SSL/TLS: Certificate Signed Using A Weak Signature Algorithm Summary The remote service is using a SSL/TLS certificate in the certificate chain that has been signed using a cryptographically weak hashing algorithm.

Solution Servers that use SSL/TLS certificates signed with a weak SHA-1, MD5, MD4 or MD2 hashing algorithm will need to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser SSL/TLS certificate warnings.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.1.1.1681, 10.1.1.1712, 10.1.1.2502, 10.2.1.2532, 10.2.1.2542

4 SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability Summary The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).

Solution Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-Hellman group. (see https://weakdh.org/sysadmin.html). For Apache Web Servers: Beginning with version 2.4.7, mod_ssl will use DH parameters which include primes with lengths of more than 1024 bits.

Affected Nodes 10.1.1.21, 10.1.1.51, 10.1.1.301, 10.1.1.311, 10.1.1.1202, 10.1.1.2502, 10.200.1.15(exch01.myco-bdr) 3, 10.200.1.17(sql01.myco-bdr) 1

Low Risk

CVSS RECOMMENDATION

2.6 SSH Weak MAC Algorithms Supported Summary The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

Solution Disable the weak MAC algorithms.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.1.1.1442, 10.1.1.1683, 10.1.1.1712,

2.6 TCP timestamps Summary The remote host implements TCP timestamps and therefore allows the uptime to be computed.

Solution To disable TCP timestamps on Linux, add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows, execute 'netsh int tcp set global timestamps=disabled'. Starting with Windows Server 2008 and Vista, the timestamp cannot be completely disabled. The default behavior of the TCP/IP stack on these systems is to not use the Timestamp options when initiating TCP connections, but to use them if the TCP peer that is initiating communication includes them in its synchronize (SYN) segment. See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

Affected Nodes 10.1.1.21, 10.1.1.41, 10.1.1.51, 10.1.1.151, 10.1.1.201, 10.1.1.231, 10.1.1.241, 10.1.1.301, 10.1.1.311, 10.1.1.821, 10.1.1.1102, 10.1.1.1202, 10.1.1.1442, 10.1.1.1632, 10.1.1.1682, 10.1.1.1712, 10.1.1.1902, 10.1.1.2422, 10.2.1.103, 10.2.1.1323, 10.200.1.12(dc01.myco-bdr) 3, 10.200.1.13(dc02.myco-bdr) 3, 10.200.1.14(app01.myco-bdr) 3, 10.200.1.15(exch01.myco-bdr) 3, 10.200.1.16(myco-bdr) 3, 10.200.1.17(sql01.myco-bdr) 3

PROPRIETARY & CONFIDENTIAL