How to fix the vulnerabilities found by a PCI remote scan - Q&A - Alibaba Cloud Developer Community - Alibaba Cloud


How to fix the vulnerabilities found by a PCI remote scan

Posted by 1298117508539047 on 2018-08-14 16:10:04 | 3554

Hello, I need some help: how do I resolve the following problems?

Latest scan details (next scan: 2018-08-07)

Scan ID: 8238876
Max CVSS: 10.0
Scan State: Completed
Scan Compliance Status: Failing
Scan Start: 2018-08-06 05:07:59
Duration: 0:28:48
Scan Finish: 2018-08-06 05:36:47
Expiration Date: 2018-11-07



Port 80/TCP (possible_wls), CVSS 4.0, FAIL

Title

Web Server Transmits Cleartext Credentials

Synopsis

The remote web server might transmit credentials in cleartext.

Impact

The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext. An attacker eavesdropping on the traffic between web browser and server may obtain logins and passwords of valid users.

Resolution

Make sure that every sensitive form transmits content over HTTPS.

Data Received

Page: /                      Destination Page: /l.php#bottom
Page: /l.php                 Destination Page: /l.php#bottom
Page: /phpmyadmin/           Destination Page: /phpmyadmin/index.php
Page: /phpMyAdmin/           Destination Page: /phpMyAdmin/index.php
Page: /phpmyadmin/url.php    Destination Page: /phpmyadmin/index.php
Page: /phpmyadmin/index.php  Destination Page: /phpmyadmin/index.php
Page: /phpMyAdmin/url.php    Destination Page: /phpMyAdmin/index.php
Page: /phpMyAdmin/index.php  Destination Page: /phpMyAdmin/index.php

 

 

FTP Supports Cleartext Authentication (port and score not shown in the pasted report), FAIL

Title

FTP Supports Cleartext Authentication

Synopsis

Authentication credentials might be intercepted.

Impact

The remote FTP server allows the user's name and password to be transmitted in cleartext, which could be intercepted by a network sniffer or a man-in-the-middle attack.

Resolution

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

Data Received

This FTP server does not support 'AUTH TLS'.

 

 

 

View Open Ports

Port 3389/TCP (msrdp), CVSS 10.0, FAIL

Title

MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) (uncredentialed check)

Synopsis

The remote Windows host is affected by a remote code execution vulnerability.

Impact

The remote Windows host is affected by a remote code execution vulnerability due to improper processing of packets by the Secure Channel (Schannel) security package. An attacker can exploit this issue by sending specially crafted packets to a Windows server. Note that this plugin sends a client Certificate TLS handshake message followed by a CertificateVerify message. Some Windows hosts will close the connection upon receiving a client certificate which they did not ask for with a CertificateRequest message. In this case, the plugin cannot proceed to detect the vulnerability as the CertificateVerify message cannot be sent. See also: https://technet.microsoft.com/library/security/ms14-066

Resolution

Microsoft has released a set of patches for Windows 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.

Data Received

CVEs

CVE           | Score | Vector
CVE-2014-6321 | 10.0  | (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Port 80/TCP (possible_wls), CVSS 10.0, FAIL

Title

PHP Unsupported Version Detection

Synopsis

The remote host contains an unsupported version of a web application scripting language.

Impact

According to its version, the installation of PHP on the remote host is no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities. See also : http://php.net/eol.php https://wiki.php.net/rfc/releaseprocess

Resolution

Upgrade to a version of PHP that is currently supported.

Data Received

Source: Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
Installed version: 5.4.45
End of support date: 2015/09/14
Announcement: http://php.net/supported-versions.php
Supported versions: 7.1.x / 7.0.x / 5.6.x

Port 3389/TCP (msrdp), CVSS 6.4, FAIL

Title

SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Impact

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Resolution

Purchase or generate a proper certificate for this service.

Data Received

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities:
|-Subject: CN=iZ0fhyb9yyb8szZ

Port 3389/TCP (msrdp), CVSS 6.4, FAIL

Title

Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness

Synopsis

It may be possible to get access to the remote host.

Impact

The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hard-coded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack. See also : http://www.oxid.it/downloads/rdp-gbu.pdf http://www.nessus.org/u?8033da0d http://technet.microsoft.com/en-us/library/cc782610.aspx

Resolution

- Force the use of SSL as a transport layer for this service if supported, and/or
- Select the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting if it is available.

Data Received

CVEs

CVE           | Score | Vector
CVE-2005-1794 | 6.4   | (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Port 3389/TCP (msrdp), CVSS 5.0, FAIL

Title

SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Impact

The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Resolution

Purchase or generate a proper certificate for this service.

Data Received

The identity known by SecurityMetrics is: 47.94.130.59
The Common Name in the certificate is: iZ0fhyb9yyb8szZ

Port 3389/TCP (msrdp), CVSS 5.0, FAIL

Title

SSL Medium Strength Cipher Suites Supported

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Impact

The remote host supports the use of SSL ciphers that offer medium strength encryption. SecurityMetrics regards medium strength as any encryption that uses key lengths of at least 64 bits and less than 112 bits, or that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network. See also: https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Resolution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Data Received

Here is the list of medium strength SSL ciphers supported by the remote server:

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
  DES-CBC3-SHA    Kx=RSA    Au=RSA    Enc=3DES-CBC(168)    Mac=SHA1

The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Port 3389/TCP (msrdp), CVSS 5.0, FAIL

Title

TLS Version 1.0 Protocol Detection (PCI DSS)

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Impact

The remote service accepts connections encrypted using TLS 1.0. This version of TLS is affected by multiple cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Resolution

All processing and third-party entities (including acquirers, processors, gateways and service providers) must provide a TLS 1.1 or greater service offering by June 2016. All processing and third-party entities must cut over to a secure version of TLS (as defined by NIST) effective June 2018.

Data Received

TLSv1 is enabled on port 3389 and the server supports at least one cipher.

Port 3389/TCP (msrdp), CVSS 5.0, FAIL

Title

SSL 64-bit Block Size Cipher Suites Supported (SWEET32)

Synopsis

The remote service supports the use of 64-bit block ciphers.

Impact

The remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites. It is, therefore, affected by a vulnerability, known as SWEET32, due to the use of weak 64-bit block ciphers. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. Proof-of-concepts have shown that attackers can recover authentication cookies from an HTTPS session in as little as 30 hours. Note that the ability to send a large number of requests over the same TLS connection between the client and server is an important requirement for carrying out this attack. If the number of requests allowed for a single connection were limited, this would mitigate the vulnerability. This plugin requires report paranoia as SecurityMetrics has not checked for such a mitigation. See also : https://sweet32.info https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Resolution

Reconfigure the affected application, if possible, to avoid use of all 64-bit block ciphers. Alternatively, place limitations on the number of requests that are allowed to be processed over the same TLS connection to mitigate this vulnerability.

Data Received

List of 64-bit block cipher suites supported by the remote server:

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
  DES-CBC3-SHA    Kx=RSA    Au=RSA    Enc=3DES-CBC(168)    Mac=SHA1

The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

CVEs

CVE           | Score | Vector
CVE-2016-2183 | 5.0   | (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2016-6329 | 4.3   | (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Port 80/TCP (possible_wls), CVSS 4.3, FAIL

Title

Web Application Potentially Vulnerable to Clickjacking

Synopsis

The remote web server may fail to mitigate a class of web application vulnerabilities.

Impact

The remote web server does not set an X-Frame-Options response header or a Content-Security-Policy 'frame-ancestors' response header in all content responses. This could potentially expose the site to a clickjacking or UI redress attack, in which an attacker can trick a user into clicking an area of the vulnerable page that is different from what the user perceives the page to be. This can result in a user performing fraudulent or malicious transactions. X-Frame-Options has been proposed by Microsoft as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors. Content-Security-Policy (CSP) has been proposed by the W3C Web Application Security Working Group, with increasing support among all major browser vendors, as a way to mitigate clickjacking and other attacks. The 'frame-ancestors' policy directive restricts which sources can embed the protected resource. Note that while the X-Frame-Options and Content-Security-Policy response headers are not the only mitigations for clickjacking, they are currently the most reliable methods that can be detected through automation. Therefore, this plugin may produce false positives if other mitigation strategies (e.g., frame-busting JavaScript) are deployed or if the page does not perform any security-sensitive transactions. See also: http://www.nessus.org/u?399b1f56 https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet https://en.wikipedia.org/wiki/Clickjacking

Resolution

Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags.

Data Received

The following pages do not use a clickjacking mitigation response header and contain a clickable event:
- http://47.94.130.59/
- http://47.94.130.59/l.php
- http://47.94.130.59/phpMyAdmin/
- http://47.94.130.59/phpMyAdmin/index.php
- http://47.94.130.59/phpMyAdmin/url.php
- http://47.94.130.59/phpmyadmin/
- http://47.94.130.59/phpmyadmin/index.php
- http://47.94.130.59/phpmyadmin/url.php

Port 3389/TCP (msrdp), CVSS 4.3, FAIL

Title

SSL/TLS Services Support RC4 (PCI DSS)

Synopsis

A service on the remote host supports RC4.

Impact

At least one of the SSL or TLS services on the remote host supports the use of RC4 for encryption. RC4 does not meet the PCI definition of strong cryptography as defined by NIST Special Publication 800-57 Part 1. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext. See also : https://www.rc4nomore.com https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

Resolution

Consult the software's manual and reconfigure the service to disable support for RC4.

Data Received

The SSL/TLS service on port 3389 supports the following RC4 ciphers:

High Strength Ciphers (>= 112-bit key)
  RC4-MD5    Kx=RSA    Au=RSA    Enc=RC4(128)    Mac=MD5
  RC4-SHA    Kx=RSA    Au=RSA    Enc=RC4(128)    Mac=SHA1

The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

CVEs

CVE           | Score | Vector
CVE-2013-2566 | 4.3   | (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2015-2808 | 4.3   | (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Port 3389/TCP (msrdp), CVSS 4.3, FAIL

Title

SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Synopsis

The remote service supports the use of the RC4 cipher.

Impact

The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext. See also : http://www.nessus.org/u?217a3666 http://cr.yp.to/talks/2013.03.12/slides.pdf http://www.isg.rhul.ac.uk/tls/ http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Resolution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.

Data Received

List of RC4 cipher suites supported by the remote server:

High Strength Ciphers (>= 112-bit key)
  RC4-MD5    Kx=RSA    Au=RSA    Enc=RC4(128)    Mac=MD5
  RC4-SHA    Kx=RSA    Au=RSA    Enc=RC4(128)    Mac=SHA1

The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

CVEs

CVE           | Score | Vector
CVE-2013-2566 | 4.3   | (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2015-2808 | 4.3   | (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Port 3389/TCP (msrdp), CVSS 4.3, FAIL

Title

Terminal Services Encryption Level is Medium or Low

Synopsis

The remote host is using weak cryptography.

Impact

The remote Terminal Services service is not configured to use strong cryptography. Using weak cryptography with this service may allow an attacker to eavesdrop on the communications more easily and obtain screenshots and/or keystrokes.

Resolution

Change the RDP encryption level to one of:
3. High
4. FIPS Compliant

Data Received

The terminal services encryption level is set to: 2. Medium

Port 3389/TCP (msrdp), CVSS 4.3, FAIL

Title

Terminal Services Doesn't Use Network Level Authentication (NLA) Only

Synopsis

The remote Terminal Services doesn't use Network Level Authentication only.

Impact

The remote Terminal Services is not configured to use Network Level Authentication (NLA) only. NLA uses the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication either through TLS/SSL or Kerberos mechanisms, which protect against man-in-the-middle attacks. In addition to improving authentication, NLA also helps protect the remote computer from malicious users and software by completing user authentication before a full RDP connection is established. See also : http://technet.microsoft.com/en-us/library/cc732713.aspx http://www.nessus.org/u?e2628096

Resolution

Enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on the 'Remote' tab of the 'System' settings on Windows.

Data Received

SecurityMetrics was able to negotiate non-NLA (Network Level Authentication) security.

Port 3306/TCP (MySQL), CVSS 4.0, FAIL

Title

Open MySQL database port

Synopsis

An open MySQL database port was detected.

Impact

Resolution

Disable public-facing access to your MySQL database.


All answers (0)