SUMMARY
Qualys security software reports more false positives than other software, so the typical responses to its findings are included here.
DESCRIPTION
Sample scan results from the Qualys scan engine, run against a Unitrends system, are shown below. The Qualys scan engine includes a list of 'potential' vulnerabilities (issues that might be typical for this type of system), but these have not been detected.
Note that most of these vulnerabilities are false positives (no risk). Any vulnerabilities of Type 'Potential' are almost always incorrect on Linux distributions.
*1 = Any applicable vulnerabilities have been addressed in the security updates. See the Unitrends security KB for details at https://helpdesk.kaseya.com/hc/en-gb/articles/4407512592273
RESOLUTION
OS | IP Status | QID | Type | Severity | Title | CVE ID | Unitrends Response |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 70003 | Vuln | 4 | Null Session/Password NetBIOS Access | CVE-1999-0519 | False positive. Only applies to Windows. See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0519 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 11 | Vuln | 2 | Hidden RPC Services | | Negligible risk. Refer to this for a good explanation: http://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_rpc_portmapper |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38172 | Vuln | 2 | SSL Certificate - Improper Usage Vulnerability | | Certificate is known, however a custom Certificate Authority may be applied. |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38169 | Vuln | 2 | SSL Certificate - Self-Signed Certificate | | Certificate is known, however a custom Certificate Authority may be applied. |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38173 | Vuln | 2 | SSL Certificate - Signature Verification Failed Vulnerability | | Certificate is known, however a custom Certificate Authority may be applied. |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38170 | Vuln | 2 | SSL Certificate - Subject Common Name Does Not Match Server FQDN | | Certificate is known, however a custom Certificate Authority may be applied. |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 82024 | Vuln | 2 | UDP Constant IP Identification Field Fingerprinting Vulnerability | CVE-2002-0510 | No risk. See Red Hat statement at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0510 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 70001 | Vuln | 1 | NetBIOS Shared Folder List Available | | False positive. Only applicable to Windows servers (as described in the scan report). |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 105666 | Potential | 5 | EOL/Obsolete Software: Samba 3.x Detected | | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 70075 | Potential | 5 | Samba "TALLOC_FREE" Function Remote Code Execution Vulnerability | CVE-2015-0240 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 66040 | Potential | 5 | Statd Format Bug Vulnerability | CVE-2000-0666, CVE-2000-0800 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 86490 | Potential | 4 | Apache HTTP Server Prior to 2.2.29 Multiple Vulnerabilities | CVE-2014-0231, CVE-2013-5704, CVE-2014-0118, CVE-2014-0226 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 86490 | Potential | 4 | Apache HTTP Server Prior to 2.2.29 Multiple Vulnerabilities | CVE-2014-0231, CVE-2013-5704, CVE-2014-0118, CVE-2014-0226 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 12500 | Potential | 3 | Apache HTTP Server APR "apr_fnmatch()" Denial of Service Vulnerability | CVE-2011-0419 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 86908 | Potential | 3 | Apache HTTP Server mod_cache and mod_dav Undisclosed DoS Vulnerability | CVE-2010-1452 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 12529 | Potential | 3 | Apache HTTP Server mod_proxy_ajp Denial of Service Vulnerability | CVE-2011-3348 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 87242 | Potential | 3 | Apache HTTP Server Multiple Denial of Service Vulnerabilities | CVE-2012-4557, CVE-2012-0021 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 87242 | Potential | 3 | Apache HTTP Server Multiple Denial of Service Vulnerabilities | CVE-2012-4557, CVE-2012-0021 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 87133 | Potential | 3 | Apache HTTP Server Prior to 2.2.23/2.4.2 Multiple Vulnerabilities | CVE-2012-2687, CVE-2012-0883 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 87233 | Potential | 3 | Apache HTTP Server Prior to 2.2.25 Multiple Vulnerabilities | CVE-2013-1896, CVE-2013-1862 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 87233 | Potential | 3 | Apache HTTP Server Prior to 2.2.25 Multiple Vulnerabilities | CVE-2013-1896, CVE-2013-1862 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 86172 | Potential | 3 | Apache HTTP Server Prior to 2.4.16/2.2.31 Multiple Vulnerabilities | CVE-2015-0228, CVE-2015-0253, CVE-2015-3183, CVE-2015-3185 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 86172 | Potential | 3 | Apache HTTP Server Prior to 2.4.16/2.2.31 Multiple Vulnerabilities | CVE-2015-0228, CVE-2015-0253, CVE-2015-3183, CVE-2015-3185 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 87156 | Potential | 3 | Apache Prior to 2.4.4 and 2.2.24 Multiple Vulnerabilities | CVE-2012-3499, CVE-2012-4558 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 87156 | Potential | 3 | Apache Prior to 2.4.4 and 2.2.24 Multiple Vulnerabilities | CVE-2012-3499, CVE-2012-4558 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 42382 | Potential | 3 | OpenSSH Commands Information Disclosure Vulnerability | CVE-2012-0814 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 42384 | Potential | 3 | OpenSSH J-PAKE Session Key Retrieval Vulnerability | CVE-2010-4478 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 42413 | Potential | 3 | OpenSSH LoginGraceTime Denial of Service Vulnerability | CVE-2010-5107 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38623 | Potential | 3 | OpenSSH Xauth Command Injection Vulnerability | CVE-2016-3115 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38467 | Potential | 3 | OpenVPN Failed Authentication Denial of Service Vulnerability | CVE-2005-2531 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38464 | Potential | 3 | OpenVPN MAC Address Spoofing Denial of Service Vulnerability | CVE-2005-2533 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38463 | Potential | 3 | OpenVPN Packet Decryption Failure Denial of Service Vulnerability | CVE-2005-2532 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 38465 | Potential | 3 | OpenVPN Same Client Certificate Denial of Service Vulnerability | CVE-2005-2534 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 70071 | Potential | 3 | Samba Denial of Service Vulnerabilities | CVE-2014-0244, CVE-2014-3493 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 70076 | Potential | 3 | Samba Multiple Vulnerabilities (BADLOCK) | CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 86920 | Potential | 2 | Apache HTTP Server APR-util Multiple Denial of Service Vulnerabilities | CVE-2009-3560, CVE-2009-3720, CVE-2010-1623 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 19568 | Potential | 2 | Database Instance Detected | | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 42428 | Potential | 2 | OpenSSH "child_set_env()" Security Bypass Issue | CVE-2014-2532 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 70073 | Potential | 2 | Samba Uninitialized Memory Exposure Vulnerability | CVE-2014-0178 | Potential, but No risk. See KB *1 |
Ubuntu / Linux 2.6.x | host scanned, found vuln | 90043 | Potential | 2 | SMB Signing Disabled or SMB Signing Not Required | | Potential, but No risk. See KB *1 |
LINK TO ADVISORIES