Dear Debian People,

I got the following security audit of a machine I recently installed Debian 2.2r3 on. I have run apt-get update and apt-get upgrade on it. The most serious problem appears to be with ssh. What should I do about this, if anything?
Should I upgrade to a more recent version of ssh from testing? The current version of Openssh is at 1.2.3-9.3 and the most recent version is 2.9. In any case, I thought security vulnerabilities were supposed to be fixed in stable.

And does anyone have thoughts about the other warnings reported?

Sincerely, Faheem Mitha.

Report
------------------

SUMMARY

 - Number of hosts which were alive during the test : 1
 - Number of security holes found : 1
 - Number of security warnings found : 2
 - Number of security notes found : 4

DETAILS

 . List of open ports :
   o smtp (25/tcp) (Security notes found)
   o ssh (22/tcp) (Security hole found)
   o daytime (13/tcp) (Security warnings found)
   o discard (9/tcp)
   o time (37/tcp)
   o sunrpc (111/tcp)
   o unknown (1024/tcp)
   o x11 (6000/tcp)
   o general/udp (Security notes found)
   o general/tcp (Security notes found)
   o general/icmp (Security warnings found)

 . Information found on port smtp (25/tcp)

    Remote SMTP server banner :
    ESMTP Exim 3.12 #1 Mon, 02 Jul 2001 05:12:07 -0400
    214-Commands supported:
    214- HELO EHLO MAIL RCPT DATA AUTH
    214 NOOP QUIT RSET HELP VRFY

 . Vulnerability found on port ssh (22/tcp) :

    You are running a version of SSH which is older than version 1.2.32,
    or a version of OpenSSH which is older than 2.3.0.
    This version is vulnerable to a flaw which allows an attacker to
    insert arbitrary commands in a ssh stream.

    Solution : Upgrade to version 1.2.32 of SSH which solves this problem,
    or to version 2.3.0 of OpenSSH

    More information: http://www.core-sdi.com/english/ssh/

    Risk factor : High

 . Information found on port ssh (22/tcp)

    Remote SSH version : ssh-1.5-openssh-1.2.3

 . Warning found on port daytime (13/tcp)

    The daytime service is running. The date format issued by this
    service may sometimes help an attacker to guess the operating
    system type.

    In addition to that, when the UDP version of daytime is running,
    an attacker may link it to the echo port using spoofing, thus
    creating a possible denial of service.

    Solution : disable this service in /etc/inetd.conf.

    Risk factor : Low
    CVE : CVE-1999-0103

 . Information found on port general/udp

    For your information, here is the traceroute to :

 . Information found on port general/tcp

    QueSO has found out that the remote host OS is
    * Standard: Solaris 2.x, Linux 2.1.???, Linux 2.2, MacOS

    CVE : CAN-1999-0454

 . Warning found on port general/icmp

    The remote host answers to an ICMP timestamp request. This allows
    an attacker to know the date which is set on your machine.
    This may help him to defeat all your time based authentifications
    protocols.

    Solution : filter out the icmp timestamp requests (13), and the
    outgoing icmp timestamp replies (14).

    Risk factor : Low
    CVE : CAN-1999-0524