Vulnerability Scanning Report

According to its version, the installation of PHP on the remote host is no longer supported.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

According to its self-reported version number, the Unix operating system running on the remote host is no longer supported.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

The version of Samba running on the remote host is 4.13.x prior to 4.13.17, 4.14.x prior to 4.14.12, or 4.15.x prior to 4.15.5.  It is, therefore, affected by multiple vulnerabilities:

  - Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution. (CVE-2021-44142)

  - Information leak via symlinks of existence of	files or directories outside of the exported share. (CVE-2021-44141)

  - Samba AD users with permission to write to an account can impersonate arbitrary services. (CVE-2022-0336)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A denial of service (DoS) vulnerability exists in ISC BIND versions 9.11.18 / 9.11.18-S1 / 9.12.4-P2 / 9.13 / 9.14.11 / 9.15 / 9.16.2 / 9.17 / 9.17.1 and earlier. An unauthenticated, remote attacker can exploit this issue, via a specially-crafted message, to cause the service to stop responding.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is prior to 2.4.47. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.47 changelog:

  - Unexpected <Location> section matching with 'MergeSlashes OFF' (CVE-2021-30641)

  - mod_auth_digest: possible stack overflow by one nul byte while validating the Digest nonce. (CVE-2020-35452)

  - mod_session: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service     with a malicious backend server and SessionHeader. (CVE-2021-26691)

  - mod_session: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of Service.
    (CVE-2021-26690)

  - mod_proxy_http: Fix possible crash due to NULL pointer dereference, which could be used to cause a Denial of     Service. (CVE-2020-13950)

  - Windows: Prevent local users from stopping the httpd process (CVE-2020-13938)

  - mod_proxy_wstunnel, mod_proxy_http: Handle Upgradable protocols end-to-end negotiation. (CVE-2019-17567)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is prior to 2.4.49. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.49 changelog.

  - ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass     untrusted data to these functions, but third-party / external modules may. (CVE-2021-39275)

  - Malformed requests may cause the server to dereference a NULL pointer. (CVE-2021-34798)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is prior to 2.4.52. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.52 advisory.

  - A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL     pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for     requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This     issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). (CVE-2021-44224)

  - A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser     (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the     vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and     earlier. (CVE-2021-44790)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is prior to 2.4.53. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.53 advisory.

  - mod_lua Use of uninitialized value of in r:parsebodyA carefully crafted request body can cause a read to a     random memory area which could cause the process to crash.  This issue affects Apache HTTP Server 2.4.52     and earlier. Acknowledgements: Chamal De Silva (CVE-2022-22719)

  - HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlierApache HTTP Server 2.4.52 and     earlier fails to close inbound connection when errors are encountered discarding the request body,     exposing the server to HTTP Request Smuggling Acknowledgements: James Kettle <james.kettle     portswigger.net> (CVE-2022-22720)

  - core: Possible buffer overflow with very large or unlimited LimitXMLRequestBodyIf LimitXMLRequestBody is     set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow     happens which later causes out of bounds writes.  This issue affects Apache HTTP Server 2.4.52 and     earlier. Acknowledgements: Anonymous working with Trend Micro Zero Day Initiative (CVE-2022-22721)

  - mod_sed: Read/write beyond boundsOut-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows     an attacker to overwrite heap memory with possibly attacker provided data.  This issue affects Apache HTTP     Server 2.4 version 2.4.52 and prior versions. Acknowledgements: Ronald Crane (Zippenhop LLC)     (CVE-2022-23943)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is 2.2.x prior to 2.2.33-dev or 2.4.x prior to 2.4.26. It is, therefore, affected by the following vulnerabilities :

  - An authentication bypass vulnerability exists due to     third-party modules using the ap_get_basic_auth_pw()     function outside of the authentication phase. An     unauthenticated, remote attacker can exploit this to     bypass authentication requirements. (CVE-2017-3167)

  - A NULL pointer dereference flaw exists due to     third-party module calls to the mod_ssl     ap_hook_process_connection() function during an HTTP     request to an HTTPS port. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2017-3169)

  - A NULL pointer dereference flaw exists in mod_http2 that     is triggered when handling a specially crafted HTTP/2     request. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition. Note that     this vulnerability does not affect 2.2.x.
    (CVE-2017-7659)

  - An out-of-bounds read error exists in the     ap_find_token() function due to improper handling of     header sequences. An unauthenticated, remote attacker     can exploit this, via a specially crafted header     sequence, to cause a denial of service condition.
    (CVE-2017-7668)

  - An out-of-bounds read error exists in mod_mime due to     improper handling of Content-Type response headers. An     unauthenticated, remote attacker can exploit this, via a     specially crafted Content-Type response header, to cause     a denial of service condition or the disclosure of     sensitive information. (CVE-2017-7679)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is prior to 2.4.46. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.46 advisory.

  - Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info     disclosure and possible RCE (CVE-2020-11984)

  - Apache HTTP Server versions 2.4.20 to 2.4.43 When     trace/debug was enabled for the HTTP/2 module and on     certain traffic edge patterns, logging statements were     made on the wrong connection, causing concurrent use of     memory pools. Configuring the LogLevel of mod_http2     above info will mitigate this vulnerability for     unpatched servers. (CVE-2020-11993)

  - Apache HTTP Server versions 2.4.20 to 2.4.43. A     specially crafted value for the 'Cache-Digest' header in     a HTTP/2 request would result in a crash when the server     actually tries to HTTP/2 PUSH a resource afterwards.
    Configuring the HTTP/2 feature via H2Push off will     mitigate this vulnerability for unpatched servers.
    (CVE-2020-9490)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.39. It is, therefore, affected by multiple vulnerabilities:

  - A privilege escalation vulnerability exists in     module scripts due to an ability to execute arbitrary     code as the parent process by manipulating the     scoreboard. (CVE-2019-0211)

  - An access control bypass vulnerability exists in     mod_auth_digest due to a race condition when running     in a threaded server. An attacker with valid credentials     could authenticate using another username. (CVE-2019-0217)

  - An access control bypass vulnerability exists in     mod_ssl when using per-location client certificate     verification with TLSv1.3. (CVE-2019-0215)

In addition, Apache httpd is also affected by several additional vulnerabilities including a denial of service, read-after-free and URL path normalization inconsistencies. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws, including:

  - An insecure padding scheme with CBC ciphers.

  - Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so that these versions will be used only if the client or server support nothing better), many web browsers implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE). Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.33. It is, therefore, affected by multiple vulnerabilities:

  - An out of bounds write vulnerability exists in mod_authnz_ldap     with AuthLDAPCharsetConfig enabled. An unauthenticated, remote     attacker can exploit this, via the Accept-Language header value,     to cause the application to stop responding. (CVE-2017-15710)  
  - An arbitrary file upload vulnerability exists in the FilesMatch     component where a malicious filename can be crafted to match the     expression check for a newline character. An unauthenticated,     remote attacker can exploit this, via newline character, to     upload arbitrary files on the remote host subject to the     privileges of the user. (CVE-2017-15715)

  - A session management vulnerability exists in the     mod_session component due to SessionEnv being enabled and     forwarding it's session data to the CGI Application. An     unauthenticated, remote attacker can exploit this, via     tampering the HTTP_SESSION and using a session header, to     influence content. (CVE-2018-1283)

  - An out of bounds access vulnerability exists when the size limit     is reached. An unauthenticated, remote attacker can exploit this,     to cause the Apache HTTP Server to crash. (CVE-2018-1301)

  - A write after free vulnerability exists in HTTP/2 stream due to     a NULL pointer being written to an area of freed memory. An     unauthenticated, remote attacker can exploit this to execute     arbitrary code. (CVE-2018-1302)   
  - An out of bounds read vulnerability exists in mod_cache_socache.
    An unauthenticated, remote attacker can exploit this, via a     specially crafted HTTP request header to cause the application     to stop responding. (CVE-2018-1303)

  - A weak digest vulnerability exists in the HTTP digest     authentication challenge.  An unauthenticated, remote attacker     can exploit this in a cluster of servers configured to use a     common digest authentication, to replay HTTP requests across     servers without being detected. (CVE-2018-1312)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is prior to 2.4.49. It is, therefore, affected by a vulnerability as referenced in the 2.4.49 changelog.

  - A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the   remote user. (CVE-2021-40438)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is prior to 2.4.41. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.41 advisory, including the following:

  - A limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could     cause the link on the error page to be malformed and instead point to a page of their choice. This would     only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way     that the Proxy Error page was displayed. (CVE-2019-10092)

  - HTTP/2 (2.4.20 through 2.4.39) very early pushes, for example configured with H2PushResource, could lead     to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that     of the configured push link header values, not data supplied by the client. (CVE-2019-10081)

  - Some HTTP/2 implementations are vulnerable to unconstrained internal data buffering, potentially leading     to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint;
    however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the     wire. The attacker then sends a stream of requests for a large response object. Depending on how the     servers queue the responses, this can consume excess memory, CPU, or both. (CVE-2019-9517)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below :

  - First, the top of the certificate chain sent by the     server might not be descended from a known public     certificate authority. This can occur either when the     top of the chain is an unrecognized, self-signed     certificate, or when intermediate certificates are     missing that would connect the top of the certificate     chain to a known public certificate authority.

  - Second, the certificate chain may contain a certificate     that is not valid at the time of the scan. This can     occur either when the scan occurs before one of the     certificate's 'notBefore' dates, or after one of the     certificate's 'notAfter' dates.

  - Third, the certificate chain may contain a signature     that either didn't match the certificate's information     or could not be verified. Bad signatures can be fixed by     getting the certificate with the bad signature to be     re-signed by its issuer. Signatures that could not be     verified are the result of the certificate's issuer     using a signing algorithm that Nessus either does not     support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.27. It is, therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists in httpd due to     a failure to initialize or reset the value placeholder     in [Proxy-]Authorization headers of type 'Digest' before     or between successive key=value assignments by     mod_auth_digest. An unauthenticated, remote attacker can     exploit this, by providing an initial key with no '='     assignment, to disclose sensitive information or cause a     denial of service condition. (CVE-2017-9788)

  - A read-after-free error exists in httpd that is     triggered when closing a large number of connections. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact. (CVE-2017-9789)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The X.509 certificate chain for this service is not signed by a recognized certificate authority.  If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. 

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits.

The remote host has IP forwarding enabled. An attacker can exploit this to route packets through the host and potentially bypass some firewalls / routers / NAC filtering.

Unless the remote host is a router, it is recommended that you disable IP forwarding.

The version of Apache httpd installed on the remote host is prior to 2.4.42. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.42 advisory.

  - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may     use uninitialized memory when proxying to a malicious     FTP server. (CVE-2020-1934)

  - In Apache HTTP Server 2.4.0 to 2.4.41, redirects     configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and     redirect instead to an unexpected URL within the     request URL. (CVE-2020-1927)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.

Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.

According to its self-reported version, the instance of ISC BIND 9 running on the remote name server is affected by performance downgrade and Reflected DoS vulnerabilities. This is due to BIND DNS not sufficiently limiting the number fetches which may be performed while processing a referral response.

An unauthenticated, remote attacker can exploit this to cause degrade the service of the recursive server or to use the affected server as a reflector in a reflection attack.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.34. It is, therefore, affected by the following vulnerabilities:

  - By specially crafting HTTP/2 requests, workers would be     allocated 60 seconds longer than necessary, leading to     worker exhaustion and a denial of service. (CVE-2018-1333)

  - By specially crafting HTTP requests, the mod_md challenge     handler would dereference a NULL pointer and cause the     child process to segfault. This could be used to DoS the     server. (CVE-2018-8011)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.28. It is, therefore, affected by an HTTP vulnerability related to the <Limit {method}> directive in an .htaccess file.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. 

This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. 

For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.  Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.38. It is, therefore, affected by multiple vulnerabilities:

  - A denial of service (DoS) vulnerability exists in HTTP/2 steam     handling. An unauthenticated, remote attacker can exploit this     issue, via sending request bodies in a slow loris way to plain     resources, to occupy a server thread. (CVE-2018-17189)

  - A vulnerability exists in mod_sesion_cookie, as it does not     properly check the expiry time of cookies. (CVE-2018-17199) 

  - A denial of service (DoS) vulnerability exists in mod_ssl when     used with OpenSSL 1.1.1 due to an interaction in changes to     handling of renegotiation attempts. An unauthenticated, remote     attacker can exploit this issue to cause mod_ssl to stop     responding. (CVE-2019-0190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NTP server responds to mode 6 queries. Devices that respond to these queries have the potential to be used in NTP amplification attacks. An unauthenticated, remote attacker could potentially exploit this, via a specially crafted mode 6 query, to cause a reflected denial of service condition.

The version of ntpd running on the remote host has the 'monlist' command enabled. This command returns a list of recent hosts that have connected to the service. However, it is affected by a denial of service vulnerability in ntp_request.c that allows an unauthenticated, remote attacker to saturate network traffic to a specific IP address by using forged REQ_MON_GETLIST or REQ_MON_GETLIST_1 requests.
Furthermore, an attacker can exploit this issue to conduct reconnaissance or distributed denial of service (DDoS) attacks.

According to its self-reported version number, the version of PHP running on the remote web server is prior to 7.3.24. It is, therefore affected by multiple vulnerabilities

The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

The version of Apache httpd installed on the remote host is greater than 2.4.17 and prior to 2.4.49. It is, therefore, affected by a vulnerability as referenced in the 2.4.49 changelog. A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

According to its self-reported version number, the version of PHP running on the remote web server is prior to 7.3.28.
It is, therefore affected by an email header injection vulnerability, due to a failure to properly handle CR-LF sequences in header fields. An unauthenticated, remote attacker can exploit this, by inserting line feed characters into email headers, to gain full control of email header content.

The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.

This plugin checks expiry dates of certificates associated with SSL- enabled services on the target and reports whether any have already expired.

The Apache web server running on the remote host is affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, by sending a crafted request, to display a listing of a remote directory, even if a valid index file exists in the directory.

For Apache web server later than 1.3.22, review listing directory configuration to avoid disclosing sensitive information

According to its Server response header, the installed version of nginx is prior to 1.17.7. It is, therefore, affected by an information disclosure vulnerability.

The web application on the remote host is affected by a cross-site scripting vulnerability due to a vulnerable version of Apache Struts 2 that fails to properly encode the parameters in the 's:a' and 's:url' tags.

A remote attacker can exploit this by tricking a user into requesting a page with arbitrary script code injected. This could have consequences such as stolen authentication credentials.

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1 or newer is supported by the client and service.

The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients; however, it can only protect connections when the client and service support the mechanism. Sites that cannot disable SSLv3 immediately should enable this mechanism.

This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is the only way to completely mitigate the vulnerability.

Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.

The remote web server is affected by an information disclosure vulnerability due to the ETag header providing sensitive information that could aid an attacker, such as the inode number of requested files.

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

According to the self-reported version in the script, the version of JQuery hosted on the remote web server is greater than or equal to 1.2 and prior to 3.5.0. It is, therefore, affected by multiple cross site scripting vulnerabilities.

Note, the vulnerabilities referenced in this plugin have no security impact on PAN-OS, and/or the scenarios required for successful exploitation do not exist on devices running a PAN-OS release.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.35. It is, therefore, affected by the following vulnerability:

  - By sending continuous SETTINGS frames of maximum size an ongoing   HTTP/2 connection could be kept busy and would never time out. This   can be abused for a DoS on the server. This only affect a server   that has enabled the h2 protocol.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the installation of ISC BIND running on the remote name server is version 9.x prior to 9.11.22, 9.12.x prior to 9.16.6 or 9.17.x prior to 9.17.4. It is, therefore, affected by a denial of service (DoS) vulnerability due to an assertion failure when attempting to verify a truncated response to a TSIG-signed request. An authenticated, remote attacker can exploit this issue by sending a truncated response to a TSIG-signed request to trigger an assertion failure, causing the server to exit.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits.

Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.

Note that Nessus will not flag root certificates with RSA keys less than 2048 bits if they were issued prior to December 31, 2010, as the standard considers them exempt.

The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections. An attacker can uncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication mechanism (eg, USER command, AUTH PLAIN, AUTH LOGIN) is used.

The remote SSH server is configured to allow key exchange algorithms which are considered weak.

This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes:

  diffie-hellman-group-exchange-sha1

  diffie-hellman-group1-sha1

  gss-gex-sha1-*

  gss-group1-sha1-*

  gss-group14-sha1-*

  rsa1024-sha1

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

The SSH server is configured to support Cipher Block Chaining (CBC) encryption.  This may allow an attacker to recover the plaintext message from the ciphertext. 

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

The remote service has one of two configurations that are known to be required for the CRIME attack :

  - SSL / TLS compression is enabled.

  - TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

The RPC portmapper is running on this port.

The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

The remote host answers to an ICMP timestamp request.  This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.