SUMMARY
Below are some common false positive results from security scans.
DESCRIPTION
Unitrends vulnerability responses for some common false positive scan results
Short Description | Severity | CVE | Family | Unitrends Risk
Microsoft Windows SMB Guest Account Local User Access | Medium | CVE-1999-0505 | Windows | none *1
SMB Signing Disabled | Medium | - | Misc. | none *2
SSH Server CBC Mode Ciphers Enabled | Low | CVE-2008-5161 | Misc. | none *3, *4
SSH Weak MAC Algorithms Enabled | Low | - | Misc. | none *3
SSH Weak Algorithms Supported | Medium | - | Misc. | none *3
Samba Badlock Vulnerability | Medium | CVE-2016-2118 | General | none *5
Null Session/Password NetBIOS Access | Medium | CVE-1999-0519 | Windows | none *6
NetBIOS Shared Folder List Available | Low | - | Windows | none *7
NFS exports system-critical data to the world, e.g. / or a password file | Medium | CVE-1999-0554 | Misc. | none *8
Extra long export lists over 256 characters in some mount daemons allow NFS directories to be mounted by anyone | Low | CVE-1999-0211 | Misc. | none *8
Remote attackers can mount an NFS file system in Ultrix or OSF, even if it is denied on the access list | Low | CVE-1999-0170 | Misc. | none *8
RESOLUTION
*1 = False positive. This vulnerability only applies to Windows; this system is Linux, so a Windows guest-account login does not apply.
*2 = False positive. Included in updates: the Unitrends security updates enable server signing, as shown in /etc/samba/smb.conf: 'server signing = auto' and 'client signing = enabled'.
*3 = False positive. Included in updates: the Unitrends security updates configure the Ciphers in /etc/ssh/sshd_config for secure algorithms.
*4 = False positive. The default SSH version in RHEL6/CentOS6 is not vulnerable to this CVE; see https://access.redhat.com/security/cve/cve-2008-5161
*5 = False positive. Included in updates: see the Unitrends KB article "CVE-2016-2118: Samba Badlock vulnerability".
*6 = False positive. Only applies to Windows; see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0519. This would only impact a Unitrends system if it were leveraging Windows authentication/domain services on that system, which it does not.
*7 = False positive. Only applicable to Windows servers (as described in the scan report).
*8 = False positive. Unitrends systems do not have any NFS exports. Not a very common scan mistake.
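As an added local check, not part of the Unitrends article or its security updates, the following POSIX shell script inspects the three configuration files the notes above rely on: /etc/samba/smb.conf for *2, /etc/ssh/sshd_config for *3, and /etc/exports for *8. The function names, the default paths and the sample configurations are this example's own assumptions; the samples are constructed so the script runs offline, and the same functions can be pointed at the live files on an appliance to confirm that a given finding is a false positive there.

```shell
#!/bin/sh
# Added example (not Unitrends code): local checks for the *2, *3 and *8
# notes. Each check takes a file path and returns 0 when the scan finding
# is a false positive on this host, 1 when it should be investigated.

# *2 "SMB Signing Disabled": stands only if 'server signing' is absent or set
# to disabled/no/false/off in smb.conf. Commented lines (; or #) are ignored.
smb_signing_ok() {
    val=$(sed -n 's/^[[:space:]]*server signing[[:space:]]*=[[:space:]]*//p' "$1" \
          | head -n1 | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    case "$val" in
        ""|disabled|no|false|off) return 1 ;;
        *) return 0 ;;
    esac
}

# *3 SSH weak algorithm/MAC/CBC findings: prints the Ciphers and MACs entries
# a scanner flags (CBC ciphers, arcfour, MD5 and 96-bit MACs); returns 0 when
# none are present. An absent Ciphers/MACs line means the OpenSSH default
# list applies, which on older releases includes CBC, so it is reported too.
ssh_weak_algos() {
    found=""
    for key in Ciphers MACs; do
        list=$(grep -iE "^[[:space:]]*$key[[:space:]]" "$1" | head -n1 | awk '{print $2}')
        if [ -z "$list" ]; then
            found="$found $key:unset"
            continue
        fi
        for algo in $(printf '%s' "$list" | tr ',' ' '); do
            case "$algo" in
                *-cbc|arcfour*|*-md5*|*-96) found="$found $key:$algo" ;;
            esac
        done
    done
    printf '%s\n' "${found# }"
    [ -z "$found" ]
}

# *8 NFS findings: stand only if /etc/exports has an active (non-comment) line.
nfs_exports_empty() {
    [ -f "$1" ] || return 0
    ! grep -qE '^[[:space:]]*[^#[:space:]]' "$1"
}

# Summarise the three checks; arguments default to the paths the notes name.
report() {
    smb="${1:-/etc/samba/smb.conf}"
    ssh="${2:-/etc/ssh/sshd_config}"
    nfs="${3:-/etc/exports}"
    if smb_signing_ok "$smb"; then
        echo "*2 SMB signing enabled in $smb: false positive"
    else
        echo "*2 SMB signing not configured in $smb: finding stands"
    fi
    if weak=$(ssh_weak_algos "$ssh"); then
        echo "*3 no weak SSH algorithms in $ssh: false positive"
    else
        echo "*3 weak SSH entries in $ssh: $weak"
    fi
    if nfs_exports_empty "$nfs"; then
        echo "*8 no NFS exports in $nfs: false positive"
    else
        echo "*8 active NFS exports in $nfs: finding stands"
    fi
}

# Constructed sample files (invented here, not copied from an appliance) so
# the checks can be exercised without touching /etc.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/smb_hardened.conf" <<'EOF'
[global]
   server signing = auto
   client signing = enabled
EOF
cat > "$SAMPLE_DIR/smb_stock.conf" <<'EOF'
[global]
   ; server signing = auto
EOF
cat > "$SAMPLE_DIR/sshd_hardened" <<'EOF'
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256
EOF
cat > "$SAMPLE_DIR/sshd_stock" <<'EOF'
Ciphers aes128-ctr,aes128-cbc,3des-cbc,arcfour
MACs hmac-sha2-256,hmac-md5,hmac-sha1-96
EOF
printf '# no exports on this host\n' > "$SAMPLE_DIR/exports_empty"
printf '/srv/share *(ro)\n' > "$SAMPLE_DIR/exports_world"

echo "== hardened sample =="
report "$SAMPLE_DIR/smb_hardened.conf" "$SAMPLE_DIR/sshd_hardened" "$SAMPLE_DIR/exports_empty"
echo "== stock sample =="
report "$SAMPLE_DIR/smb_stock.conf" "$SAMPLE_DIR/sshd_stock" "$SAMPLE_DIR/exports_world"
```

Running the script with no arguments exercises the constructed samples; `report /etc/samba/smb.conf /etc/ssh/sshd_config /etc/exports` runs the same checks against the live files. One caveat on *2: `server signing = auto` offers signing but does not require it, so a scan plugin that tests whether signing is required (rather than whether it is supported) can still flag the host; `server signing = mandatory` is the setting that answers that variant of the check.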
Some scan engines report the false positives below for the PostgreSQL port 5432. After the security updates only trusted connections are allowed on that port; the port is still visible to a scanner, but it does not accept database connections.
Short Description | OID | Severity | Port
SSL/TLS: Report 'Null' Cipher Suites | 1.3.6.1.4.1.25623.1.0.108022 | Medium | 5432/tcp
SSL/TLS: 'DHE_EXPORT' Man in the Middle Security Bypass Vulnerability (LogJam) | 1.3.6.1.4.1.25623.1.0.805188 | Medium | 5432/tcp
SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection | 1.3.6.1.4.1.25623.1.0.111012 | Medium | 5432/tcp
SSL/TLS: RSA Temporary Key Handling 'RSA_EXPORT' Downgrade Issue (FREAK) | 1.3.6.1.4.1.25623.1.0.805142 | Medium | 5432/tcp
SSL/TLS: Report Weak Cipher Suites | 1.3.6.1.4.1.25623.1.0.103440 | Medium | 5432/tcp
SSL/TLS: Certificate Signed Using A Weak Signature Algorithm | 1.3.6.1.4.1.25623.1.0.105880 | Medium | 5432/tcp
SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability | 1.3.6.1.4.1.25623.1.0.106223 | Medium | 5432/tcp
LINK TO ADVISORIES