Security Assessment Internal Vulnerability Scan Detail by Issue Report

CONFIDENTIALITY NOTE: The information contained in this report is for the exclusive use of the client specified above and may contain Prepared for: Your Customer / confidential, privileged, and non-disclosable information. If you are Prospect not the client or addressee, you are strictly prohibited from reading, photocopying, distributing, or otherwise using this report or its Prepared by: Your Company Name contents in any way. 23-Feb-2021 Scan Date: 12-Feb-2021

Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Table of Contents

Summary 01

Details 02 2.1 Trojan horses 2.2 IPMI Cipher Zero Authentication Bypass Vulnerability 2.3 Lighttpd Multiple vulnerabilities 2.4 Report default community names of the SNMP Agent 2.5 CERN httpd CGI name heap overflow 2.6 Format string on HTTP method name 2.7 SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability 2.8 SSL/TLS: Missing `secure` Cookie Attribute 2.9 Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injection Vulnerability 2.10 BrowseGate HTTP headers overflows 2.11 Missing `httpOnly` Cookie Attribute 2.12 SSL/TLS: Report Vulnerable Cipher Suites for HTTPS 2.13 SSL/TLS: Untrusted Certificate Authorities 2.14 SSL/TLS: Certificate Expired 2.15 Mongoose Content-Length HTTP Header Remote Denial Of Service Vulnerability 2.16 Cleartext Transmission of Sensitive Information via HTTP 2.17 SSL/TLS: Report Weak Cipher Suites 2.18 SSL/TLS: RSA Temporary Key Handling RSA_EXPORT Downgrade Issue (FREAK) 2.19 SSH Weak Encryption Algorithms Supported 2.20 SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection 2.21 SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POODLE) 2.22 SSL/TLS: Certificate Signed Using A Weak Signature Algorithm 2.23 SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH

Page 2 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Group Strength Vulnerability 2.24 TCP timestamps 2.25 SSH Weak MAC Algorithms Supported

Page 3 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

1 - Summary

This report gives details on hosts that were tested and issues that were found during the Internal Vulnerability Scan. The findings are grouped by category.

Appliances Used: 1. NDA1-5488JF 2. NDA1-7584JY 3. NDA1-9644PG

Host Issue Summary

Host Open Ports High Med Low False Highest CVSS 10.1.1.11 3 1 0 0 0 7.5 10.1.1.21 4 0 7 1 0 6.4 10.1.1.41 2 1 0 1 0 7.5 10.1.1.51 4 0 8 1 0 6.4 10.1.1.81 10 0 0 0 0 0.0 10.1.1.91 6 0 0 0 0 0.0 10.1.1.101 7 0 2 0 0 5.0 10.1.1.151 4 1 3 1 0 7.5 10.1.1.201 8 0 0 1 0 2.6 10.1.1.221 5 0 2 0 0 5.0 10.1.1.231 3 0 0 1 0 2.6 10.1.1.241 3 0 0 1 0 2.6 10.1.1.301 4 3 8 2 0 7.5 10.1.1.311 3 2 8 2 0 7.5 10.1.1.821 5 1 2 1 0 10.0 10.1.1.1102 4 0 0 1 0 2.6 10.1.1.1202 8 0 2 1 0 4.3 10.1.1.1442 4 0 1 2 0 4.3 10.1.1.1632 4 0 0 1 0 2.6 10.1.1.1682 4 0 2 2 0 4.3 10.1.1.1712 4 0 3 2 0 5.0 10.1.1.1902 4 1 1 1 0 7.5 10.1.1.2002 4 0 0 0 0 0.0 10.1.1.2422 7 0 2 1 0 6.9 10.1.1.2502 5 1 7 1 0 7.5 10.2.1.12 1 0 0 0 0 0.0 10.2.1.102 11 1 0 1 0 7.5 10.2.1.502 1 0 0 0 0 0.0 10.2.1.512 1 0 0 0 0 0.0

Page 4 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Host Open Ports High Med Low False Highest CVSS 10.2.1.522 1 0 0 0 0 0.0 10.2.1.552 2 0 0 0 0 0.0 10.2.1.602 1 0 0 0 0 0.0 10.2.1.1013 3 0 0 0 0 0.0 10.2.1.1103 3 0 0 0 0 0.0 10.2.1.1173 0 0 0 0 0 0.0 10.2.1.1223 0 0 0 0 0 0.0 10.2.1.1323 2 2 0 1 0 7.5 10.2.1.1433 3 0 0 0 0 0.0 10.2.1.1443 3 0 0 0 0 0.0 10.2.1.1713 3 0 0 0 0 0.0 10.2.1.1843 3 0 0 0 0 0.0 10.2.1.1893 0 0 0 0 0 0.0 10.2.1.1903 4 0 0 0 0 0.0 10.2.1.2533 2 0 8 0 0 5.0 10.2.1.2543 2 0 8 0 0 6.9 10.200.1.12 (dc01.myco-bdr.com)1 9 0 1 1 0 5.0 10.200.1.13 (dc02.myco-bdr.com)1 9 0 1 1 0 5.0 10.200.1.14 (app01.myco-bdr.com)1 5 0 1 1 0 5.0 10.200.1.15 (exch01.myco-bdr.com)1 5 0 2 1 0 5.0 10.200.1.16 (fs01.myco-bdr.com)1 7 1 1 1 0 10.0 10.200.1.17 (sql01.myco-bdr.com)1 5 0 2 1 0 5.0 Total: 51 205 15 82 32 0 10.0

Issues by Severity

Page 5 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

# Issues by NVT

ISSUE COUNT

TCP timestamps 26

SSL/TLS: Report Weak Cipher Suites 12

SSL/TLS: Report Vulnerable Cipher Suites for 10 HTTPS

SSL/TLS: Diffie-Hellman Key Exchange 8 Insufficient DH Group Strength Vulnerability

Page 6 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

ISSUE COUNT

SSH Weak Encryption Algorithms Supported 8

Report default community names of the SNMP 8 Agent

SSL/TLS: Certificate Signed Using A Weak 7 Signature Algorithm

SSH Weak MAC Algorithms Supported 6

SSL/TLS: Certificate Expired 6

Cleartext Transmission of Sensitive Information 6 via HTTP

SSL/TLS: SSLv3 Protocol CBC Cipher Suites 4 Information Disclosure Vulnerability (POODLE)

SSL/TLS: Deprecated SSLv2 and SSLv3 4 Protocol Detection

Lighttpd Multiple vulnerabilities 4

Missing `httpOnly` Cookie Attribute 3

SSL/TLS: RSA Temporary Key Handling 2 RSA_EXPORT Downgrade Issue (FREAK)

Format string on HTTP method name 2

SSL/TLS: OpenSSL CCS Man in the Middle 2 Security Bypass Vulnerability

Acme thttpd and mini_httpd Terminal Escape 2 Sequence in Logs Command Injection Vulnerability

SSL/TLS: Untrusted Certificate Authorities 2

SSL/TLS: Missing `secure` Cookie Attribute 2 # Issues by NVT (continued)

Page 7 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

ISSUE COUNT

Trojan horses 1

CERN httpd CGI name heap overflow 1

IPMI Cipher Zero Authentication Bypass 1 Vulnerability

BrowseGate HTTP headers overflows 1

Mongoose Content-Length HTTP Header 1 Remote Denial Of Service Vulnerability

Page 8 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

2 - Scan Details

This section details the issues discovered in order of severity. For each issue, the affected nodes are also listed.

Issues by Severity

2.1 - Trojan horses

HIGH: (CVSS: 10) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.11157 (HTTPS)

Summary An unknown service runs on this port. It is sometimes opened by Trojan horses. Unless you know for sure what is behind it, you'd better check your system.

Affected Nodes 10.200.1.16(fs01.myco-bdr.com)1

Vulnerability Detection Result An unknown service runs on this port. It is sometimes opened by this/these Trojan horse(s): - Tabdim - W32.Kelvir - Civcat - W32.Kiman

Solution If a trojan horse is running, run a good antivirus scanner.

Vulnerability Detection Method Details: Trojan horses (OID: 1.3.6.1.4.1.25623.1.0.11157)

2.2 - IPMI Cipher Zero Authentication Bypass Vulnerability

HIGH: (CVSS: 10) 623/TCP OID: 1.3.6.1.4.1.25623.1.0.103840

Summary Intelligent Platform Management Interface is prone to an authentication- bypass vulnerability.

Page 9 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Affected Nodes 10.1.1.821

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Impact Attackers can exploit this issue to gain administrative access to the device and disclose sensitive information.

Solution Ask the Vendor for an update.

Vulnerability Insight The remote IPMI service accepted a session open request for cipher zero.

Vulnerability Detection Method Send a request with a zero cipher and check if this request was accepted. Details: IPMI Cipher Zero Authentication Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103840) Version used: $Revision: 7287 $

References http://fish2.com/ipmi/cipherzero.html

2.3 - Lighttpd Multiple vulnerabilities

HIGH: (CVSS: 7.5) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.802072 (HTTPS)

Summary This host is running Lighttpd and is prone to multiple vulnerabilities

Affected Nodes 10.1.1.301, 10.1.1.311

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Impact Successful exploitation will allow remote attackers to execute arbitrary SQL commands and remote attackers to read arbitrary files via hostname. Impact Level: System/Application

Solution Upgrade to 1.4.35 or higher, For updates refer to http://www.lighttpd.net/download

Vulnerability Insight - mod_mysql_vhost module not properly sanitizing user supplied input passed via the hostname. - mod_evhost and mod_simple_vhost modules not properly sanitizing user supplied input via the hostname.

Vulnerability Detection Method Send a crafted HTTP GET request and check whether it responds with error message. Details: Lighttpd Multiple vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.802072) Version used: $Revision: 7577 $

References http://seclists.org/oss-sec/2014/q1/561, http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2014_01.txt

2.4 - Report default community names of the SNMP Agent Page 10 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

HIGH: (CVSS: 7.5) 161/UDP OID: 1.3.6.1.4.1.25623.1.0.10264 (SNMP)

Summary Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE).

Affected Nodes 10.1.1.11, 10.1.1.41, 10.1.1.151, 10.1.1.301, 10.1.1.1901, 10.1.1.2501, 10.2.1.101, 10.2.1.1322

Vulnerability Detection Result SNMP Agent responded as expected when using the following community name: public Multiple results by host

Impact If an attacker is able to guess a PUBLIC community string, they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This information might include system time, IP addresses, interfaces, processes running, etc. If an attacker is able to guess a PRIVATE community string (WRITE or 'writeall' access), they will have the ability to change information on the remote machine. This could be a huge security hole, enabling remote attackers to wreak complete havoc such as routing network traffic, initiating processes, etc. In essence, 'writeall' access will give the remote attacker full administrative rights over the remote machine. Note that this test only gathers information and does not attempt to write to the remote device. Thus it is not possible to determine automatically whether the reported community is public or private. Also note that information made available through a guessable community string might or might not contain sensitive data. Please review the information available through the reported community string to determine the impact of this disclosure.

Solution Determine if the detected community string is a private community string. Determine whether a public community string exposes sensitive information. Disable the SNMP service if you don't use it or change the default community string.

Vulnerability Detection Method Details: Report default community names of the SNMP Agent (OID: 1.3.6.1.4.1.25623.1.0.10264) Version used: $Revision: 7319 $

2.5 - CERN httpd CGI name heap overflow

HIGH: (CVSS: 7.5) 80/TCP OID: 1.3.6.1.4.1.25623.1.0.17231 (HTTP)

Summary It was possible to kill the remote web server by requesting GET /cgi-bin/A.AAAA[...]A HTTP/1.0 This is known to trigger a heap overflow in some servers like CERN HTTPD.

Affected Nodes 10.2.1.1322

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Impact A cracker may use this flaw to disrupt your server. It *might* also be exploitable to run malicious code on the machine.

Solution Ask your vendor for a patch or move to another server

Page 11 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Vulnerability Detection Method Details: CERN httpd CGI name heap overflow (OID: 1.3.6.1.4.1.25623.1.0.17231) Version used: $Revision: 6693 $

2.6 - Format string on HTTP method name

MEDIUM: (CVSS: 6.9) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.11801 (HTTPS)

Summary The remote web server seems to be vulnerable to a format string attack on the method name. An attacker might use this flaw to make it crash or even execute arbitrary code on this host.

Affected Nodes 10.1.1.2423, 10.2.1.2542

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Solution upgrade your software or contact your vendor and inform him of this vulnerability

Vulnerability Detection Method Details: Format string on HTTP method name (OID: 1.3.6.1.4.1.25623.1.0.11801) Version used: $Revision: 9348 $

2.7 - SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability

MEDIUM: (CVSS: 6.8) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.105042 (HTTPS)

Summary OpenSSL is prone to security-bypass vulnerability.

Affected Nodes 10.1.1.301, 10.1.1.311

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Impact Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.

Solution Updates are available.

Vulnerability Insight OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.

Vulnerability Detection Method

Page 12 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Send two SSL ChangeCipherSpec request and check the response. Details: SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.105042) Version used: $Revision: 7578 $

References http://www.securityfocus.com/bid/67899, http://openssl.org/

2.8 - SSL/TLS: Missing `secure` Cookie Attribute

MEDIUM: (CVSS: 6.4) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.902661 (HTTPS)

Summary The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.

Affected Nodes 10.1.1.21, 10.1.1.51

Vulnerability Detection Result The cookies: Set-Cookie: ncentral_version=***replaced***; Path=/; Expires=Thu, 23-Jan-2031 20:31:14 GMT; Max- Age=315360000 are missing the "secure" attribute. Multiple results by host

Solution Set the 'secure' attribute for any cookies that are sent over a SSL/TLS connection.

Vulnerability Insight The flaw is due to cookie is not using 'secure' attribute, which allows cookie to be passed to the server by the client over non- secure channels (http) and allows attacker to conduct session hijacking attacks. Impact Level: Application

Vulnerability Detection Method Details: SSL/TLS: Missing `secure` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.902661) Version used: $Revision: 5543 $

References https://www.owasp.org/index.php/SecureFlag, http://www.ietf.org/rfc/rfc2965.txt, https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)

2.9 - Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injection Vulnerability

MEDIUM: (CVSS: 5) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.100447 (HTTPS)

Summary Acme 'thttpd' and 'mini_httpd' are prone to a command-injection vulnerability because they fail to adequately sanitize user- supplied input in logfiles. Attackers can exploit this issue to execute arbitrary commands in a terminal. This issue affects thttpd 2.25b and mini_httpd 1.19 other versions may also be affected.

Affected Nodes 10.1.1.151

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Page 13 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Vulnerability Detection Method Details: Acme thttpd and mini_httpd Terminal Escape Sequence in Logs Command Injectio... (OID: 1.3.6.1.4.1.25623.1.0.100447) Version used: $Revision: 8338 $

References http://www.securityfocus.com/bid/37714, http://www.acme.com/software/mini_httpd/, http://www.acme.com/software/thttpd/, http://www.securityfocus.com/archive/1/508830

2.10 - BrowseGate HTTP headers overflows

MEDIUM: (CVSS: 5) 80/TCP OID: 1.3.6.1.4.1.25623.1.0.11130 (HTTP)

Summary It was possible to kill the BrowseGate proxy by sending it an invalid request with too long HTTP headers (Authorization and Referer) A cracker may exploit this vulnerability to make your web server crash continually or even execute arbirtray code on your system.

Affected Nodes 10.1.1.822

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Solution upgrade your software or protect it with a filtering reverse proxy

Vulnerability Detection Method Details: BrowseGate HTTP headers overflows (OID: 1.3.6.1.4.1.25623.1.0.11130) Version used: $Revision: 9348 $

2.11 - Missing `httpOnly` Cookie Attribute

MEDIUM: (CVSS: 5) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.105925 (HTTPS)

Summary The application is missing the 'httpOnly' cookie attribute

Affected Nodes 10.1.1.21, 10.1.1.51

Vulnerability Detection Result The cookies: Set-Cookie: ncentral_version=***replaced***; Path=/; Expires=Thu, 23-Jan-2031 20:31:14 GMT; Max- Age=315360000 are missing the "httpOnly" attribute. Multiple results by host

Solution Set the 'httpOnly' attribute for any session cookie.

Vulnerability Insight The flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.

Page 14 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Vulnerability Detection Method Check all cookies sent by the application for a missing 'httpOnly' attribute Details: Missing `httpOnly` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925) Version used: $Revision: 5270 $

References https://www.owasp.org/index.php/HttpOnly, https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

2.12 - SSL/TLS: Report Vulnerable Cipher Suites for HTTPS

MEDIUM: (CVSS: 5) 10000/TCP OID: 1.3.6.1.4.1.25623.1.0.108031 (WEBMIN)

Summary This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exists only on HTTPS services.

Affected Nodes 10.1.1.21, 10.1.1.51, 10.1.1.101, 10.1.1.301, 10.1.1.311, 10.1.1.1712, 10.1.1.2502, 10.2.1.2532, 10.2.1.2542

Vulnerability Detection Result 'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32) 'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol: TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32) 'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol: TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32) Multiple results by host

Solution The configuration of this services should be changed so that it does not accept the listed cipher suites anymore. Please see the references for more resources supporting you with this task.

Vulnerability Insight These rules are applied for the evaluation of the vulnerable cipher suites: - 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).

Vulnerability Detection Method Details: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS (OID: 1.3.6.1.4.1.25623.1.0.108031) Version used: $Revision: 5232 $

References https://bettercrypto.org/, https://mozilla.github.io/server-side-tls/ssl-config-generator/, https://sweet32.info/

2.13 - SSL/TLS: Untrusted Certificate Authorities

MEDIUM: (CVSS: 5) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.113054 (HTTPS)

Summary The service is using a SSL/TLS certificate from a known untrusted certificate authority. An attacker could use this for MitM attacks, accessing sensible data and other attacks.

Affected Nodes 10.1.1.51

Page 15 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Vulnerability Detection Result The certificate of the remote service is signed by the following untrusted Certificate Authority: Issuer: O=SolarWinds MSP Canada ULC.,L=Ottawa,ST=Ontario,C=CA,CN=localhost Certificate details: subject ...: O=SolarWinds MSP Canada ULC.,L=Ottawa,ST=Ontario,C=CA,CN=localhost subject alternative names (SAN): localhost, localhost.localdomain, localhost4, localhost4.localdomain4, localhost6, localhost6.localdomain6 issued by .: O=SolarWinds MSP Canada ULC.,L=Ottawa,ST=Ontario,C=CA,CN=localhost serial ....: 00E3BCCB8DCCB8E030 valid from : 2019-01-31 15:01:58 UTC valid until: 2029-01-31 15:01:58 UTC fingerprint (SHA-1): F3BB5F16547DBE8BEEC1605F2658E78B666CE06F fingerprint (SHA-256): 785A06DA6AD2E1BC296688B295379776D08019EBEAE3D53973CF701606FCE0D0

Solution Replace the SSL/TLS certificate with one signed by a trusted certificate authority.

Vulnerability Detection Method The script reads the certificate used by the target host and checks if it was signed by an untrusted certificate authority. Details: SSL/TLS: Untrusted Certificate Authorities (OID: 1.3.6.1.4.1.25623.1.0.113054) Version used: $Revision: 8740 $

2.14 - SSL/TLS: Certificate Expired

MEDIUM: (CVSS: 5) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.103955 (HTTPS)

Summary The remote server's SSL/TLS certificate has already expired.

Affected Nodes 10.1.1.101, 10.1.1.221, 10.1.1.2502, 10.2.1.2532, 10.2.1.2542

Vulnerability Detection Result The certificate of the remote service expired on 2020-05-10 15:54:23. Certificate details: subject ...: CN=pluto.mbts2.it subject alternative names (SAN): pluto.mbts2.it issued by .: CN=pluto.mbts2.it serial ....: 4297500B1AFFEC94443125E7A7F82119 valid from : 2019-05-10 15:34:23 UTC valid until: 2020-05-10 15:54:23 UTC fingerprint (SHA-1): E42DF8E03166329685E2E2F4B53523665A2459EC fingerprint (SHA-256): FE6B296A627379797FD3D187C5567D97B04F0324117363AD1B1F5639B017EA3F Multiple results by host

Solution Replace the SSL/TLS certificate by a new one.

Vulnerability Insight This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the target and reports whether any have already expired.

Vulnerability Detection Method Details: SSL/TLS: Certificate Expired (OID: 1.3.6.1.4.1.25623.1.0.103955) Version used: $Revision: 7248 $

2.15 - Mongoose Content-Length HTTP Header Remote Denial Of Service Vulnerability

MEDIUM: (CVSS: 5) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.103004 (HTTPS)

Summary

Page 16 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Mongoose is prone to a remote denial-of-service vulnerability because it fails to handle specially crafted input.

Affected Nodes 10.1.1.151

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

Impact Successfully exploiting this issue will allow an attacker to crash the affected application, denying further service to legitimate users.

Vulnerability Detection Method Details: Mongoose 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103004) Version used: $Revision: 7015 $

References https://www.securityfocus.com/bid/45602, http://www.johnleitch.net/Vulnerabilities/Mongoose.2.11.Denial.Of.Service/74, http://mongoose.googlecode.com/files/mongoose-2.11.exe

2.16 - Cleartext Transmission of Sensitive Information via HTTP

MEDIUM: (CVSS: 4.8) 80/TCP OID: 1.3.6.1.4.1.25623.1.0.108440 (HTTP)

Summary The host / application transmits sensitive information (username, passwords) in cleartext via HTTP.

Affected Nodes 10.1.1.21, 10.1.1.51, 10.1.1.1902, 10.1.1.2422, 10.1.1.2502, 10.2.1.2532

Vulnerability Detection Result The following input fields where identified (URL:input name): http://10.1.1.2https://10.1.1.2:10000:password Multiple results by host

Impact An attacker could use this situation to compromise or eavesdrop on the HTTP communication between the client and the server using a man-in-the-middle attack to get access to sensitive data like usernames or passwords.

Solution Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally make sure the host / application is redirecting all users to the secured SSL/TLS connection before allowing to input sensitive data into the mentioned functions.

Vulnerability Detection Method Evaluate previous collected information and check if the host / application is not enforcing the transmission of sensitive data via an encrypted SSL/TLS connection. The script is currently checking the following: - HTTP Basic Authentication (Basic Auth) - HTTP Forms (e.g. Login) with input field of type 'password' Details: Cleartext Transmission of Sensitive Information via HTTP (OID: 1.3.6.1.4.1.25623.1.0.108440) Version used: $Revision: 9501 $

References https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management, https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure, https://cwe.mitre.org/data/definitions/319.html

2.17 - SSL/TLS: Report Weak Cipher Suites

Page 17 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

MEDIUM: (CVSS: 4.3) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.103440 (HTTPS)

Summary This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.1.1.1201, 10.1.1.2502, 10.2.1.2532, 10.2.1.2542, 10.200.1.12(dc01.myco-bdr.com)@NDA1-5488JF, 10.200.1.13(dc02.myco-bdr.com)@NDA1-5488JF, 10.200.1.14(app01.myco-bdr.com)@NDA1-5488JF, 10.200.1.15(exch01.myco-bdr.com)@NDA1-5488JF, 10.200.1.16(fs01.myco-bdr.com)@NDA1-5488JF, 10.200.1.17(sql01.myco-bdr.com)@NDA1-5488JF10.200.1.12(dc01.myco-bdr.com)1, 10.200.1.13(dc02.myco-bdr.com)1, 10.200.1.14(app01.myco-bdr.com)1, 10.200.1.15(exch01.myco-bdr.com)1, 10.200.1.16(fs01.myco-bdr.com)1, 10.200.1.17(sql01.myco-bdr.com)1

Vulnerability Detection Result 'Weak' cipher suites accepted by this service via the SSLv3 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA Multiple results by host

Solution The configuration of this services should be changed so that it does not accept the listed weak cipher suites anymore. Please see the references for more resources supporting you with this task.

Vulnerability Insight These rules are applied for the evaluation of the cryptographic strength: - RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808). - Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000). - 1024 bit RSA authentication is considered to be insecure and therefore as weak. - Any cipher considered to be secure for only the next 10 years is considered as medium - Any other cipher is considered as strong

Vulnerability Detection Method Details: SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440) Version used: $Revision: 5525 $

References https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/warnmeldung_cb-k16-1465_update_6.html, https://bettercrypto.org/, https://mozilla.github.io/server-side-tls/ssl-config-generator/

2.18 - SSL/TLS: RSA Temporary Key Handling RSA_EXPORT Downgrade Issue (FREAK)

MEDIUM: (CVSS: 4.3) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.805142 (HTTPS)

Summary This host is accepting 'RSA_EXPORT' cipher suites and is prone to man in the middle attack.

Affected Nodes 10.2.1.2532, 10.2.1.2542

Vulnerability Detection Result 'RSA_EXPORT' cipher suites accepted by this service via the SSLv3 protocol: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 'RSA_EXPORT' cipher suites

Page 18 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021 accepted by this service via the TLSv1.0 protocol: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5

Impact Successful exploitation will allow remote attacker to downgrade the security of a session to use 'RSA_EXPORT' cipher suites, which are significantly weaker than non-export cipher suites. This may allow a man-in-the-middle attacker to more easily break the encryption and monitor or tamper with the encrypted stream. Impact Level: Application

Solution - Remove support for 'RSA_EXPORT' cipher suites from the service. - If running OpenSSL update to version 0.9.8zd or 1.0.0p or 1.0.1k or later For updates refer to https://www.openssl.org

Vulnerability Insight Flaw is due to improper handling RSA temporary keys in a non-export RSA key exchange cipher suite.

Vulnerability Detection Method Check previous collected cipher suites saved in the KB. Details: SSL/TLS: RSA Temporary Key Handling 'RSA_EXPORT' Downgrade Issue (FREAK) (OID: 1.3.6.1.4.1.25623.1.0.805142) Version used: $Revision: 4781 $

References https://freakattack.com, http://secpod.org/blog/?p=3818, http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak- or-factoring-nsa.html

2.19 - SSH Weak Encryption Algorithms Supported

MEDIUM: (CVSS: 4.3) 22/TCP OID: 1.3.6.1.4.1.25623.1.0.105611 (SSH)

Summary The remote SSH server is configured to allow weak encryption algorithms.

Affected Nodes 10.1.1.21, 10.1.1.301, 10.1.1.311, 10.1.1.821, 10.1.1.1443, 10.1.1.1683, 10.1.1.171, 10.1.1.2502

Vulnerability Detection Result The following weak client-to-server encryption algorithms are supported by the remote service: aes128-cbc The following weak server-to-client encryption algorithms are supported by the remote service: aes128-cbc Multiple results by host

Solution Disable the weak encryption algorithms.

Vulnerability Insight The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak keys, and should not be used anymore. The `none` algorithm specifies that no encryption is to be done. Note that this method provides no confidentiality protection, and it is NOT RECOMMENDED to use it. A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.

Vulnerability Detection Method Check if remote ssh service supports Arcfour, none or CBC ciphers. Details: SSH Weak Encryption Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105611) Version used: $Revision: 4490 $

References https://tools.ietf.org/html/rfc4253#section-6.3, https://www.kb.cert.org/vuls/id/958563

Page 19 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

2.20 - SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection

MEDIUM: (CVSS: 4.3) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.111012 (HTTPS)

Summary It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.2.1.2532, 10.2.1.2542

Vulnerability Detection Result In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Weak and Supported Ciphers' (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

Impact An attacker might be able to use the known cryptographic flaws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection.

Solution It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the references for more information.

Vulnerability Insight The SSLv2 and SSLv3 protocols containing known cryptographic flaws like: - Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566) - Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016- 0800)

Vulnerability Detection Method Check the used protocols of the services provided by this system. Details: SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012) Version used: $Revision: 5547 $

References https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report, https://bettercrypto.org/, https://mozilla.github.io/server-side-tls/ssl-config-generator/, https://drownattack.com/, https://www.imperialviolet.org/2014/10/14/poodle.html

2.21 - SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POODLE)

MEDIUM: (CVSS: 4.3) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.802087 (HTTPS)

Summary This host is prone to an information disclosure vulnerability.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.2.1.2532, 10.2.1.2542

Vulnerability Detection Result

Page 20 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

Vulnerability was detected according to the Vulnerability Detection Method.

Impact Successful exploitation will allow a man-in-the-middle attackers gain access to the plain text data stream. Impact Level: Application

Solution Possible Mitigations are: - Disable SSLv3 - Disable cipher suites supporting CBC cipher modes - Enable TLS_FALLBACK_SCSV if the service is providing TLSv1.0+

Vulnerability Insight The flaw is due to the block cipher padding not being deterministic and not covered by the Message Authentication Code

Vulnerability Detection Method Evaluate previous collected information about this service. Details: SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerabili... (OID: 1.3.6.1.4.1.25623.1.0.802087) Version used: $Revision: 4749 $

References https://www.openssl.org/~bodo/ssl-poodle.pdf, https://www.imperialviolet.org/2014/10/14/poodle.html, https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html, http://googleonlinesecurity.blogspot.in/2014/10/this- poodle-bites-exploiting-ssl-30.html

2.22 - SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

MEDIUM: (CVSS: 4) 443/TCP OID: 1.3.6.1.4.1.25623.1.0.105880 (HTTPS)

Summary The remote service is using a SSL/TLS certificate in the certificate chain that has been signed using a cryptographically weak hashing algorithm.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.1.1.1681, 10.1.1.1711, 10.1.1.2503, 10.2.1.2532, 10.2.1.2542

Vulnerability Detection Result The following certificates are part of the certificate chain but using insecure signature algorithms: Subject: O=RAID GUI Signature Algorithm: sha1WithRSAEncryption Multiple results by host

Solution Servers that use SSL/TLS certificates signed with a weak SHA-1, MD5, MD4 or MD2 hashing algorithm will need to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser SSL/TLS certificate warnings.

Vulnerability Insight The following hashing algorithms used for signing SSL/TLS certificates are considered cryptographically weak and not secure enough for ongoing use: - Secure Hash Algorithm 1 (SHA-1) - Message Digest 5 (MD5) - Message Digest 4 (MD4) - Message Digest 2 (MD2) Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft and Google will begin warning users when visiting web sites that use SHA-1 signed Secure Socket Layer (SSL) certificates. NOTE: The script preference allows to set one or more custom SHA-1 fingerprints of CA certificates which are trusted by this routine. The fingerprints needs to be passed comma-separated and case-insensitive: Fingerprint1 or fingerprint1,Fingerprint2

Vulnerability Detection Method Check which hashing algorithm was used to sign the remote SSL/TLS certificate. Details: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880) Version used: $Revision: 8810 $

Page 21 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

References https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

2.23 - SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability

MEDIUM: (CVSS: 4) 10000/TCP OID: 1.3.6.1.4.1.25623.1.0.106223 (WEBMIN)

Summary The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).

Affected Nodes 10.1.1.21, 10.1.1.51, 10.1.1.301, 10.1.1.311, 10.1.1.1201, 10.1.1.2502, 10.200.1.15(exch01.myco-bdr.com)@NDA1-5488JF, 10.200.1.17(sql01.myco-bdr.com)@NDA1-5488JF10.200.1.15(exch01.myco-bdr.com)1, 10.200.1.17(sql01.myco-bdr.com)1

Vulnerability Detection Result Server Temporary Key Size: 1024 bits

Impact An attacker might be able to decrypt the SSL/TLS communication offline.

Solution Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-Hellman group. (see https://weakdh.org/sysadmin.html). For Apache Web Servers: Beginning with version 2.4.7, mod_ssl will use DH parameters which include primes with lengths of more than 1024 bits.

Vulnerability Insight The Diffie-Hellman group are some big numbers that are used as base for the DH computations. They can be, and often are, fixed. The security of the final secret depends on the size of these parameters. It was found that 512 and 768 bits to be weak, 1024 bits to be breakable by really powerful attackers like governments.

Vulnerability Detection Method Checks the DHE temporary public key size. Details: SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerab... (OID: 1.3.6.1.4.1.25623.1.0.106223) Version used: $Revision: 7578 $

References https://weakdh.org/, https://weakdh.org/sysadmin.html

2.24 - TCP timestamps

LOW: (CVSS: 2.6)

OID: 1.3.6.1.4.1.25623.1.0.80091

Summary The remote host implements TCP timestamps and therefore allows to compute the uptime.

Affected Nodes 10.1.1.21, 10.1.1.41, 10.1.1.51, 10.200.1.13(dc02.myco-bdr.com)1, 10.200.1.14(app01.myco-bdr.com)1, 10.200.1.15(exch01.myco-bdr.com)1, 10.200.1.16(fs01.myco-bdr.com)1, 10.200.1.17(sql01.myco-bdr.com)1

Vulnerability Detection Result

Page 22 of 23

PROPRIETARY & CONFIDENTIAL Your Company Name Prepared for: MSP WEBSITE URL Your Customer / Prospect MSP PHONE Scan Date: MSP EMAIL 12-Feb-2021

It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in- between: Packet 1: 967364567 Packet 2: 967365658 Multiple results by host

Impact A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

Vulnerability Insight The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091) Version used: $Revision: 10411 $

References http://www.ietf.org/rfc/rfc1323.txt

2.25 - SSH Weak MAC Algorithms Supported

LOW: (CVSS: 2.6) 22/TCP OID: 1.3.6.1.4.1.25623.1.0.105610 (SSH)

Summary The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

Affected Nodes 10.1.1.301, 10.1.1.311, 10.1.1.1442, 10.1.1.1682, 10.1.1.1712, 10.1.1.2503

Vulnerability Detection Result The following weak client-to-server MAC algorithms are supported by the remote service: hmac-md5 hmac-sha1-96 The following weak server-to-client MAC algorithms are supported by the remote service: hmac-md5 hmac-sha1-96 Multiple results by host

Solution Disable the weak MAC algorithms.

Vulnerability Detection Method Details: SSH Weak MAC Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105610) Version used: $Revision: 4490 $

Page 23 of 23

PROPRIETARY & CONFIDENTIAL