Nessus Report

Report generated by Nessus™

masked_systemname Pre V6 masked_hostname

Tue, 23 Apr 2024 13:29:08 Tokyo Standard Time

TABLE OF CONTENTS
Vulnerabilities by Plugin
187315 (1) - SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795)
Synopsis
The remote SSH server is vulnerable to a mitm prefix truncation attack.
Description
The remote SSH server is vulnerable to a man-in-the-middle prefix truncation weakness known as Terrapin. This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.

Note that this plugin only checks for remote SSH servers that support either ChaCha20-Poly1305 or CBC with Encrypt-then-MAC and do not support the strict key exchange countermeasures. It does not check for vulnerable software versions.
Solution
Contact the vendor for an update with the strict key exchange countermeasures or disable the affected algorithms.
Risk Factor
Medium
CVSS v3.0 Base Score
5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVSS v3.0 Temporal Score
5.3 (CVSS:3.0/E:P/RL:O/RC:C)
CVSS v2.0 Base Score
5.4 (CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N)
CVSS v2.0 Temporal Score
4.2 (CVSS2#E:POC/RL:OF/RC:C)
Plugin Information
Published: 2023/12/27, Modified: 2024/01/29
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)

Supports following ChaCha20-Poly1305 Client to Server algorithm : chacha20-poly1305@openssh.com
Supports following CBC Client to Server algorithm : aes192-cbc
Supports following CBC Client to Server algorithm : aes256-cbc
Supports following CBC Client to Server algorithm : blowfish-cbc
Supports following CBC Client to Server algorithm : cast128-cbc
Supports following CBC Client to Server algorithm : 3des-cbc
Supports following CBC Client to Server algorithm : aes128-cbc
Supports following Encrypt-then-MAC Client to Server algorithm : umac-64-etm@openssh.com
Supports following Encrypt-then-MAC Client to Server algorithm : umac-128-etm@openssh.com
Supports following Encrypt-then-MAC Client to Server algorithm : hmac-sha2-256-etm@openssh.com
Supports following Encrypt-then-MAC Client to Server algorithm : hmac-sha2-512-etm@openssh.com
Supports following Encrypt-then-MAC Client to Server algorithm : hmac-sha1-etm@openssh.com
Supports following ChaCha20-Poly1305 Server to Client algorithm : chacha20-poly1305@openssh.com
Supports following CBC Server to Client algorithm : aes192-cbc
Supports following CBC Server to Client algorithm : aes256-cbc
Supports following CBC Server to Client algorithm : blowfish-cbc
Supports following CBC Server to Client algorithm : cast128-cbc
Supports following CBC Server to Client algorithm : 3des-cbc
Supports following CBC Server to Client algorithm : aes128-cbc
Supports following Encrypt-then-MAC Server to Client algorithm : umac-64-etm@openssh.com
Supports following Encrypt-then-MAC Server to Client algorithm : umac-128-etm@openssh.com
Supports following Encrypt-then-MAC Server to Client algorithm : hmac-sha2-256-etm@openssh.com
Supports following Encrypt-then-MAC Server to Client algorithm : hmac-sha2-512-etm@openssh.com
Supports following Encrypt-then-MAC Server to Client algorithm : hmac-sha1-etm@openssh.com
70658 (1) - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.
Risk Factor
Low
CVSS v3.0 Base Score
3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2.0 Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS v2.0 Temporal Score
1.9 (CVSS2#E:U/RL:OF/RC:C)
References
BID 32319
CVE CVE-2008-5161
XREF CERT:958563
XREF CWE:200
Plugin Information
Published: 2013/10/28, Modified: 2023/10/27
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)


The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
153953 (1) - SSH Weak Key Exchange Algorithms Enabled
Synopsis
The remote SSH server is configured to allow weak key exchange algorithms.
Description
The remote SSH server is configured to allow key exchange algorithms which are considered weak.

This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) RFC9142. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST NOT be enabled. This includes:

- diffie-hellman-group-exchange-sha1
- diffie-hellman-group1-sha1
- gss-gex-sha1-*
- gss-group1-sha1-*
- gss-group14-sha1-*
- rsa1024-sha1

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.
Solution
Contact the vendor or consult product documentation to disable the weak algorithms.
Risk Factor
Low
CVSS v3.0 Base Score
3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVSS v2.0 Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information
Published: 2021/10/13, Modified: 2024/03/22
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)


The following weak key exchange algorithms are enabled :

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
11219 (3) - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information
Published: 2009/02/04, Modified: 2024/03/19
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)

Port 22/tcp was found to be open

fd01:e2e2:0:e0c0::1b (tcp/111/rpc-portmapper)

Port 111/tcp was found to be open

fd01:e2e2:0:e0c0::1b (tcp/8081)

Port 8081/tcp was found to be open
11111 (2) - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2002/08/24, Modified: 2011/05/24
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/111/rpc-portmapper)


The following RPC services are available on TCP port 111 :

- program: 100000 (portmapper), version: 4
- program: 100000 (portmapper), version: 3
- program: 100000 (portmapper), version: 2

fd01:e2e2:0:e0c0::1b (udp/111/rpc-portmapper)


The following RPC services are available on UDP port 111 :

- program: 100000 (portmapper), version: 4
- program: 100000 (portmapper), version: 3
- program: 100000 (portmapper), version: 2
10223 (1) - RPC portmapper Service Detection
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port.

The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
CVSS v3.0 Base Score
0.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
CVSS v2.0 Base Score
0.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:N)
Plugin Information
Published: 1999/08/19, Modified: 2019/10/04
Plugin Output

fd01:e2e2:0:e0c0::1b (udp/111/rpc-portmapper)

10267 (1) - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
References
XREF IAVT:0001-T-0933
Plugin Information
Published: 1999/10/12, Modified: 2020/09/22
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)


SSH version : SSH-2.0-OpenSSH_7.4
SSH supported authentication : publickey,gssapi-keyex,gssapi-with-mic,password
10881 (1) - SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2002/03/06, Modified: 2021/01/19
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)

The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0
19506 (1) - Nessus Scan Information
Synopsis
This plugin displays information about the Nessus scan.
Description
This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2005/08/26, Modified: 2024/03/13
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/0)

Information about this scan :

Nessus version : 10.4.1
Nessus build : 20091
Plugin feed version : 202404150448
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : masked_systemname Pre v6 masked_hostname
Scan policy used : Copy of masked_systemname Pre
Scanner IP : fd01:e2e2:0:e0c0:c1ff:eb68:fcf4:dad5
Port scanner(s) : nessus_syn_scanner
Port range : 1-65535
Ping RTT : Unavailable
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 2
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : yes (supersedence plugin did not launch)
CGI scanning : enabled
Web application tests : disabled
Max hosts : 5
Max checks : 5
Recv timeout : 3
Backports : Detected
Allow post-scan editing : Yes
Nessus Plugin Signature Checking : Enabled
Audit File Signature Checking : Disabled
Scan Start Date : 2024/4/23 13:12 Tokyo Standard Time
Scan duration : 1011 sec
Scan for malware : yes
21745 (1) - OS Security Patch Assessment Failed
Synopsis
Errors prevented OS Security Patch Assessment.
Description
OS Security Patch Assessment is not available for this host because either the credentials supplied in the scan policy did not allow Nessus to log into it or some other problem occurred.
Solution
Fix the problem(s) so that OS Security Patch Assessment is possible.
Risk Factor
None
References
XREF IAVB:0001-B-0501
Plugin Information
Published: 2006/06/23, Modified: 2021/07/12
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/0)


The following service errors were logged :

- Plugin : ssh_get_info2.nasl
Plugin ID : 97993
Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
Protocol : SSH
Message :
Unable to login to remote host with supplied credential sets.
Errors:
- No supplied credential sets succeeded on any of the ssh ports

- Plugin : ssh_get_info.nasl
Plugin ID : 12634
Plugin Name : Authenticated Check : OS Name and Installed Package Enumeration
Protocol : SSH
Message : Failed to authenticate using the supplied password.
22964 (1) - Service Detection
Synopsis
The remote service could be identified.
Description
Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2007/08/19, Modified: 2024/03/26
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)

An SSH server is running on this port.
39520 (1) - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2009/06/25, Modified: 2015/07/07
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)


Give Nessus credentials to perform local checks.
45590 (1) - Common Platform Enumeration (CPE)
Synopsis
It was possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2010/04/21, Modified: 2024/04/03
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/0)


Following application CPE matched on the remote system :

cpe:/a:openbsd:openssh:7.4 -> OpenBSD OpenSSH
53335 (1) - RPC portmapper (TCP)
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port.

The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2011/04/08, Modified: 2011/08/29
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/111/rpc-portmapper)

66334 (1) - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or more security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Note: Because the 'Show missing patches that have been superseded' setting in your scan policy depends on this plugin, it will always run and cannot be disabled.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information
Published: 2013/07/08, Modified: 2024/04/09
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/0)



. You need to take the following action :

[ SSH Terrapin Prefix Truncation Weakness (CVE-2023-48795) (187315) ]

+ Action to take : Contact the vendor for an update with the strict key exchange countermeasures or disable the affected algorithms.

70657 (1) - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2013/10/28, Modified: 2017/08/28
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)


Nessus negotiated the following encryption algorithm with the server :

The server supports the following options for kex_algorithms :

curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

The server supports the following options for server_host_key_algorithms :

ecdsa-sha2-nistp256
rsa-sha2-256
rsa-sha2-512
ssh-ed25519
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes128-gcm@openssh.com
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
aes256-gcm@openssh.com
blowfish-cbc
cast128-cbc
chacha20-poly1305@openssh.com

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes128-gcm@openssh.com
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
aes256-gcm@openssh.com
blowfish-cbc
cast128-cbc
chacha20-poly1305@openssh.com

The server supports the following options for mac_algorithms_client_to_server :

hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com

The server supports the following options for mac_algorithms_server_to_client :

hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com

The server supports the following options for compression_algorithms_client_to_server :

none
zlib@openssh.com

The server supports the following options for compression_algorithms_server_to_client :

none
zlib@openssh.com
104410 (1) - Target Credential Status by Authentication Protocol - Failure for Provided Credentials
Synopsis
Nessus was unable to log into the detected authentication protocol, using the provided credentials, in order to perform credentialed checks.
Description
Nessus failed to successfully authenticate directly to the remote target on an available authentication protocol. Nessus was able to connect to the remote port and identify that the service running on the port supports an authentication protocol, but Nessus failed to authenticate to the remote service using the provided credentials.

There may have been a failure in protocol negotiation or communication that prevented authentication from being attempted or all of the provided credentials for the authentication protocol may have been invalid. A protocol failure may indicate a compatibility issue with the protocol configuration. A protocol failure due to an environmental issue such as resource or congestion issues may also prevent valid credentials from being identified. See plugin output for error details.

Please note the following :

- This plugin reports per protocol, so it is possible for valid credentials to be provided for one protocol and not another. For example, authentication may succeed via SSH but fail via SMB, while no credentials were provided for an available SNMP service.

- Providing valid credentials for all available authentication protocols may improve scan coverage, but the value of successful authentication for a given protocol may vary from target to target depending upon what data (if any) is gathered from the target via that protocol. For example, successful authentication via SSH is more valuable for Linux targets than for Windows targets, and likewise successful authentication via SMB is more valuable for Windows targets than for Linux targets.
Solution
Address the reported problem(s) so that credentialed checks can be executed.
Risk Factor
None
References
XREF IAVB:0001-B-0503
Plugin Information
Published: 2017/11/06, Modified: 2020/10/19
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)


Nessus was unable to log into the following host for which
credentials have been provided :

Protocol : SSH
Port : 22
Failure details :

- User : root

- Plugin : ssh_rate_limiting.nasl
Plugin ID : 122501
Plugin Name : SSH Rate Limited Device
Message :
Failed to authenticate using the supplied password.


- Plugin : netstat_portscan.nasl
Plugin ID : 14272
Plugin Name : Netstat Portscanner (SSH)
Message :
Failed to authenticate using the supplied password.


- Plugin : ssh_check_compression.nasl
Plugin ID : 104411
Plugin Name : SSH Compression Error Checking
Message :
Failed to authenticate using the supplied password.


- Plugin : ssh_get_info2.nasl
Plugin ID : 97993
Plugin Name : OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH Library)
Message :
Failed to authenticate using the supplied password.


- Plugin : ssh_get_info.nasl
Plugin ID : 12634
Plugin Name : Authenticated Check : OS Name and Installed Package Enumeration
Message :
Failed to authenticate using the supplied password.


- Plugin : sftp_detect.nasl
Plugin ID : 72663
Plugin Name : SFTP Supported
Message :
Failed to authenticate using the supplied password.
149334 (1) - SSH Password Authentication Accepted
Synopsis
The SSH server on the remote host accepts password authentication.
Description
The SSH server on the remote host accepts password authentication.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2021/05/07, Modified: 2021/05/07
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)

153588 (1) - SSH SHA-1 HMAC Algorithms Enabled
Synopsis
The remote SSH server is configured to enable SHA-1 HMAC algorithms.
Description
The remote SSH server is configured to enable SHA-1 HMAC algorithms.

Although NIST has formally deprecated use of SHA-1 for digital signatures, SHA-1 is still considered secure for HMAC as the security of HMAC does not rely on the underlying hash function being resistant to collisions.

Note that this plugin only checks for the options of the remote SSH server.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2021/09/23, Modified: 2022/04/05
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)


The following client-to-server SHA-1 Hash-based Message Authentication Code (HMAC) algorithms are supported :

hmac-sha1
hmac-sha1-etm@openssh.com

The following server-to-client SHA-1 Hash-based Message Authentication Code (HMAC) algorithms are supported :

hmac-sha1
hmac-sha1-etm@openssh.com
181418 (1) - OpenSSH Detection
Synopsis
An OpenSSH-based SSH server was detected on the remote host.
Description
An OpenSSH-based SSH server was detected on the remote host.
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2023/09/14, Modified: 2024/03/27
Plugin Output

fd01:e2e2:0:e0c0::1b (tcp/22/ssh)


Service : ssh
Version : 7.4
Banner : SSH-2.0-OpenSSH_7.4
© 2024 Tenable™, Inc. All rights reserved.