NESSUS scan results against iChain 2.2 and iChain 2.3

  • 3537094
  • 10-Oct-2007
  • 19-Jun-2012

Environment

iChain 2.2 SP3
iChain 2.3 FCS (First Customer Ship)
NESSUS

Situation

NESSUS scan results against iChain 2.2 and iChain 2.3

Resolution

Typical vulnerabilities reported on a NESSUS scan:

Issue:

Informational ftp (21/tcp) An unknown service is running on this port. It is usually reserved for FTP.

Informational ftp (21/tcp) Remote FTP server banner :

220 Service Ready

Response:
FTP is required for many administration duties. The port should be filtered by an external firewall, and administration should be restricted to specific client addresses.

Issue:
Informational telnet (23/tcp) A telnet server seems to be running on this port.

Response:

Enabled for administration purposes. From a firewall or packet filter perspective, port 23 (telnet) should be blocked to all iChain IP addresses to protect this service from unauthorized access. Additionally, in iChain 2.2 build 2.2.116 and later, TELNET can be disabled with a SET command at the Command Line Interface (CLI): set listener telnet enable=YES|NO at the iChain CLI. TELNET is disabled by default in iChain 2.2 SP3 and iChain 2.3.

Issue:

The remote host seems to be vulnerable to a security problem in CGIEmail (cgicso).

Response:

iChain runs a stripped-down web server designed for very limited functionality such as displaying error messages. iChain has no scripting capabilities, nor does it run any sort of web application server. This vulnerability does not apply. The test returns a false positive because iChain responds to the initial request: iChain always answers a request with a redirect to the login page.

Issue:

The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability. Older versions of JServ (including the version shipped with Oracle9i App Server v1.0.2) are vulnerable to a cross site scripting attack using a request for a non-existent .JSP file.

Response:

One XSS vulnerability was identified in the "url=" parameter being passed on the failed login page. The issue is addressed in iChain 2.3 and iChain 2.2 builds 2.2.113 and later.

Issue:

The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS).

Response:

One XSS vulnerability was identified in the "url=" parameter being passed on the failed login page. The issue is addressed in iChain 2.3 and iChain 2.2 builds 2.2.113 and later.
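The class of fix that closes a reflected-parameter XSS of this kind, shown as an added example written for this page rather than iChain's own code: a failed-login page that echoes its url parameter, first with the value copied into the markup unchanged, then with the value restricted to a local path and HTML-escaped before it is placed in the page. The page layout, function names and the payload are assumptions constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed example, not iChain code: a failed-login page that reflects the
# "url" query parameter so the browser can return to the page it first asked for.

PAGE = '<html><body><p>Login failed.</p><a href="{href}">Try again</a></body></html>'


def render_failed_login_unsafe(url: str) -> str:
    """Vulnerable form: the parameter is pasted into the HTML exactly as received."""
    return PAGE.format(href=url)


def safe_return_url(url: str, default: str = "/") -> str:
    """Accept only a relative path on this server; anything else falls back to default.

    Rejecting a scheme or host also prevents the same parameter being abused as an
    open redirect (javascript:, //evil.example/, http://evil.example/)."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Control characters could break the attribute or smuggle headers in a redirect.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return default
    return url


def render_failed_login_safe(url: str) -> str:
    """Hardened form: validate, then escape for an HTML attribute context."""
    target = safe_return_url(url)
    return PAGE.format(href=html.escape(target, quote=True))


if __name__ == "__main__":
    # Constructed payload in the style of the scanner's probe: closes the attribute
    # and injects script through the reflected parameter.
    payload = '/foo.jsp?param="><script>alert(1)</script>'
    print(render_failed_login_unsafe(payload))
    print(render_failed_login_safe(payload))
```

Escaping alone would stop the script from running but still let an attacker send victims to an arbitrary site through the link; the path check handles that second problem, which is why both steps are kept.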

Issue:

Your web server seems to accept unlimited requests. It may be vulnerable to the 'WWW infinite request' attack, which allows a cracker to consume all available memory on your system.

*** Note that Nessus was unable to crash the web server

*** so this might be a false alert.

Response:

iChain has no global setting to limit simultaneous sessions; concurrent sessions can, however, be limited on a per-user basis.

Novell's TCP/IP stack has several denial-of-service (DoS) defences enabled by default (SYN attack detection, etc.). NESSUS apparently did not generate enough load to reach the point at which this hardware/software combination could no longer cope, so the finding could not be confirmed.

Issue:

Server Name: ICS_SERVER

NDS Tree Name: ICS_TREE

NDS Users: ADMIN, CONFIG, ICHAINADMIN, NISUSER, VIEW

(ICS_TREE / eDirectory information available via PORT 524)

Response:

By default, NCP is disabled on all interfaces, and this should not occur unless NCP has been enabled in the TUNE.NCF file. Either disable NCP or block access to port 524 with firewall filtering.

Issue:

SNMP Agent responded as expected with community name:

public

CVE : CAN-1999-0186

Response:

A fresh install and configuration of iChain 2.3 will not be subject to this issue. For earlier versions of iChain (2.2, or a 2.3 server that has been configured by importing a .nas file from a 2.2 server), use the iChain Administration Web Interface to change the monitor state to "No community may read" under the System | SNMP tab. Additionally, the administrator can load TCPCON at the NetWare System Console and change the community name to something other than public. A further precaution is to block SNMP traffic at a firewall or packet filter.

Issue:

It was possible to obtain the list of network interfaces of the remote host via SNMP :

. Netware Virtual SR-Bridge LAN IP0200.G01

. Compaq Ethernet or Fast Ethernet NIC

. Compaq Ethernet or Fast Ethernet NIC

An attacker may use this information to gain more knowledge about the target host.

Solution : disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port

Response:

As per the NESSUS recommendation, disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Issue:

The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host.

Response:

There is no obvious advantage to an attacker in being able to predict this host's IP IDs. The usual concern with a sequential IP ID is that the host can be used as a "zombie" for an idle port scan of a third party, and that an observer can estimate how many packets the host sends; neither discloses iChain data or weakens authentication, so the finding is low risk rather than no risk.
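What the scanner is actually testing, as an added example that is not part of the original TID: a classifier for an observed run of IP ID values (constant, incremental, byte-swapped incremental, or random), a predictor for the next value, and the simplified inference an idle scan draws from an incremental zombie. All sample sequences are constructed; the idle-scan verdict assumes the zombie sends no other traffic during the probe.

```python
# Added example: IP ID sequence classification and what a predictable ID enables.
# Sample values below are constructed, not captured from an iChain host.

MOD = 0x10000  # the IP ID field is 16 bits


def _byteswap16(x: int) -> int:
    return ((x & 0xFF) << 8) | ((x >> 8) & 0xFF)


def _diffs(ids):
    """Differences between consecutive IDs, modulo 2^16 so wraparound is handled."""
    return [(b - a) % MOD for a, b in zip(ids, ids[1:])]


def classify_ipid(ids):
    """Classify a run of IP IDs observed from one host.

    Returns 'constant', 'incremental', 'incremental-byteswapped' or 'random'.
    The first three are predictable; only 'random' is not."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    d = _diffs(ids)
    if all(x == 0 for x in d):
        return "constant"
    if all(x == 1 for x in d):
        return "incremental"
    # Some stacks increment the counter in host order and emit it unswapped.
    if all(x == 1 for x in _diffs([_byteswap16(i) for i in ids])):
        return "incremental-byteswapped"
    return "random"


def predict_next(ids):
    """Next IP ID the host will send if the sequence is predictable, else None."""
    kind = classify_ipid(ids)
    last = ids[-1]
    if kind == "constant":
        return last
    if kind == "incremental":
        return (last + 1) % MOD
    if kind == "incremental-byteswapped":
        return _byteswap16((_byteswap16(last) + 1) % MOD)
    return None


def idle_scan_verdict(zombie_id_before: int, zombie_id_after: int) -> str:
    """Simplified idle-scan inference for an 'incremental' zombie.

    The scanner sends a spoofed SYN to the target carrying the zombie's source
    address, then re-probes the zombie.  An open target port answers SYN/ACK,
    the zombie replies RST and consumes one ID; a closed or filtered port makes
    the zombie send nothing.  The scanner's own probe always consumes one ID.
    Assumption: no other traffic leaves the zombie between the two probes."""
    delta = (zombie_id_after - zombie_id_before) % MOD
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed or filtered"
    return "unknown (other traffic on the zombie)"


if __name__ == "__main__":
    for seq in ([1000, 1001, 1002, 1003],
                [0x0100, 0x0200, 0x0300, 0x0400],
                [0x1A2B, 0x7F10, 0x03C4, 0xE881, 0x5E5E]):
        print(seq, classify_ipid(seq), predict_next(seq))
    print(idle_scan_verdict(1000, 1002), idle_scan_verdict(1000, 1001))
```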

Issue:

The remote host is running 'My Little Forum', a free CGI suite to manage discussion forums.

Response:

This vulnerability does not apply. 'My Little Forum' is not present on iChain. The test returns a false positive because iChain responds to the initial request. iChain will always respond to a request with a re-direct to login.

Issue:

Agora is a CGI based e-commerce package. Due to poor input validation, Agora allows an attacker to execute cross-site scripting attacks.

Response:

This vulnerability does not apply. Agora is not present on iChain. The test returns a false positive because iChain responds to the initial request. iChain will always respond to a request with a re-direct to login.

Issue:

results|151.155.165|151.155.165.220|www (80/tcp)|10815|


Security Warning

The web server on the remote host suffers from a cross-site scripting (XSS) vulnerability because the result returned when a non-existing file is requested contains Javascript code passed along with the initial GET request.

The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).


Sample url : http://ia220.nsrd.lab.novell.com:80/foo.jsp?param=.jsp


Risk factor : Medium


Solutions:

http://www.macromedia.com/software/jrun/download/update/

http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html

CVE : CVE-2002-1060

BID : 5305, 7344, 7353, 8037, 9245, 14473


Response:

iChain is a proxy server: it forwards everything it receives from the browser to the back-end web server, and the back-end web server decides what to do with it. If the back-end web server is a protected resource, iChain first redirects to the iChain login page; once authentication succeeds and the request passes the ACL check, the request, including any script in it, is passed to the back-end web server even if the script is invalid. The back-end web server must therefore implement the fixes that prevent the cross-site scripting vulnerability.


The scanner also reported the same issue on ports 1959, 2222 and 443. To prevent the findings on ports 1959 and 2222, shut down the administration GUI on the public interface as described in the documentation. For port 443 the response is the same as for port 80 above.
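A triage helper for results in the pipe-delimited NBE format quoted at the top of this issue, as an added example that is not part of the original TID: it parses results records (results|subnet|host|service|plugin id|type|text), groups each plugin's hits per host across ports, and flags hits on the administration GUI ports 1959 and 2222 named above, so that one finding reported four times can be handled as one back-end fix plus one exposure of the admin interface. The sample records are constructed; plugin 10815 is the ID from the scan output, the other plugin IDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the NBE line quoted in this issue.
# Plugin 10815 is taken from the scan output; 90001/90002 are placeholder IDs.
SAMPLE_NBE = """\
results|151.155.165|151.155.165.220|www (80/tcp)|10815|REPORT|XSS in non-existent file handler
results|151.155.165|151.155.165.220|https (443/tcp)|10815|REPORT|XSS in non-existent file handler
results|151.155.165|151.155.165.220|unknown (1959/tcp)|10815|REPORT|XSS in non-existent file handler
results|151.155.165|151.155.165.220|unknown (2222/tcp)|10815|REPORT|XSS in non-existent file handler
results|151.155.165|151.155.165.220|ftp (21/tcp)|90001|INFO|220 Service Ready
results|151.155.165|151.155.165.220|telnet (23/tcp)|90002|INFO|A telnet server seems to be running
timestamps|||scan_end|Wed Oct 10 12:00:00 2007|
"""

PORT_RE = re.compile(r"\((\d+)/(tcp|udp)\)")
ADMIN_PORTS = {1959, 2222}  # iChain admin GUI ports named in the response above (assumed TCP)


def parse_nbe(text):
    """Return a list of dicts for the 'results' records; other record types are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("results|"):
            continue
        fields = line.split("|", 6)
        fields += [""] * (7 - len(fields))  # tolerate truncated records like the one quoted
        _, subnet, host, service, plugin, ftype, data = fields
        m = PORT_RE.search(service)
        findings.append({
            "host": host,
            "service": service,
            "port": int(m.group(1)) if m else None,
            "proto": m.group(2) if m else None,
            "plugin": plugin,
            "type": ftype,
            "data": data,
        })
    return findings


def ports_by_plugin(findings):
    """{host: {plugin: [ports]}} so one issue seen on several ports is handled once."""
    out = defaultdict(lambda: defaultdict(set))
    for f in findings:
        if f["port"] is not None:
            out[f["host"]][f["plugin"]].add(f["port"])
    return {h: {p: sorted(ps) for p, ps in d.items()} for h, d in out.items()}


def admin_ports_exposed(findings):
    """{host: [admin ports]} for any hit on the admin GUI ports, whatever the plugin."""
    seen = defaultdict(set)
    for f in findings:
        if f["proto"] == "tcp" and f["port"] in ADMIN_PORTS:
            seen[f["host"]].add(f["port"])
    return {h: sorted(p) for h, p in seen.items()}


def summarize(findings):
    """Human-readable triage lines, one per host and plugin."""
    lines = []
    exposed = admin_ports_exposed(findings)
    for host, plugins in ports_by_plugin(findings).items():
        for plugin, ports in plugins.items():
            note = ""
            admin = sorted(set(ports) & ADMIN_PORTS)
            if admin:
                note = " (admin GUI reachable on %s)" % ", ".join(map(str, admin))
            lines.append("%s: plugin %s on ports %s%s" % (host, plugin, ", ".join(map(str, ports)), note))
        if host in exposed:
            lines.append("%s: shut down the admin GUI on the public interface" % host)
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_nbe(SAMPLE_NBE))))
```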



Additional Information

The scan was run against iChain configured with a single accelerator with SSL and authentication enabled. If the scan is run against an unsecured accelerated web server, the security is only as strong as the security of the web server itself.



Formerly known as TID# 10080762