Well, it seems recent NVT updates *or* the MS patchday this week fixed it, but it would be interesting to know which of the two it was. As said, if it was the Windows update, the problem would have been much larger than the NVT says with respect to a closed port.
On 14.06.2013 20:15, Reindl Harald wrote:
> how can this affect a fully patched Windows Server 2008R2
> where netbios-ns (137/tcp) is for sure not open from the
> scanner IP as well as any other port of the machine?
>
> neither telnet nor nmap confirms 137 open
>
> that would mean OpenVAS is doing something special to get
> whatever response from the Windows machine while nmap says
> there is no open port which would be much more critical
> than the CVE because a major bug in the Windows firewall
> __________________________________________________________________
>
> [root@openvas:~]$ /usr/bin/nmap -O -sV -T4 -d vcenter
> Starting Nmap 6.25 ( http://nmap.org ) at 2013-06-14 20:11 CEST
> PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
> --------------- Timing report ---------------
> hostgroups: min 1, max 100000
> rtt-timeouts: init 500, min 100, max 1250
> max-scan-delay: TCP 10, UDP 1000, SCTP 10
> parallelism: min 0, max 0
> max-retries: 6, host-timeout: 0
> min-rate: 0, max-rate: 0
> ---------------------------------------------
> NSE: Using Lua 5.2.
> NSE: Loaded 19 scripts for scanning.
> Initiating ARP Ping Scan at 20:11
> Scanning vcenter (xx.xx.xx.132) [1 port]
> Packet capture filter (device eth0): arp and arp[18:4] = 0x005056BD and
> arp[22:2] = 0x3386
> Completed ARP Ping Scan at 20:11, 0.02s elapsed (1 total hosts)
> Overall sending rates: 51.96 packets / s, 2182.39 bytes / s.
> Initiating Parallel DNS resolution of 1 host. at 20:11
> mass_rdns: 0.00s 0/1 [#: 3, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
> Completed Parallel DNS resolution of 1 host. at 20:11, 0.00s elapsed
> DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0,
> SF: 0, TR: 1, CN: 0]
> Initiating SYN Stealth Scan at 20:11
> Scanning vcenter (xx.xx.xx.132) [1000 ports]
> Packet capture filter (device eth0): dst host xx.xx.xx.107 and (icmp or icmp6
> or ((tcp or udp or sctp) and (src
> host xx.xx.xx.132)))
> Completed SYN Stealth Scan at 20:11, 21.07s elapsed (1000 total ports)
> Overall sending rates: 94.93 packets / s, 4176.99 bytes / s.
> Initiating Service scan at 20:11
> Packet capture filter (device eth0): dst host xx.xx.xx.107 and (icmp or (tcp
> and (src host xx.xx.xx.132)))
> Initiating OS detection (try #1) against vcenter (xx.xx.xx.132)
> Retrying OS detection (try #2) against vcenter (xx.xx.xx.132)
> NSE: Script scanning xx.xx.xx.132.
> NSE: Starting runlevel 1 (of 1) scan.
> Nmap scan report for vcenter (xx.xx.xx.132)
> Host is up, received arp-response (0.00042s latency).
> rDNS record for xx.xx.xx.132: <target-host>
> All 1000 scanned ports on vcenter (xx.xx.xx.132) are filtered because of 1000
> no-responses
> MAC Address: 78:E7:D1:F5:A3:AC (Hewlett-Packard Company)
> Too many fingerprints match this host to give specific OS details
> TCP/IP fingerprint:
> SCAN(V=6.25%E=4%D=6/14%OT=%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=78E7D1%TM=51BB5CEB%P=x86_64-unknown-linux-gnu)
> U1(R=N)
> IE(R=N)
>
> Network Distance: 1 hop
> Final times for host: srtt: 425 rttvar: 5000 to: 100000
>
> Read from /usr/bin/../share/nmap: nmap-mac-prefixes nmap-os-db nmap-payloads
> nmap-service-probes nmap-services.
> OS and Service detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 24.51 seconds
> Raw packets sent: 2049 (94.700KB) | Rcvd: 1 (28B)
> __________________________________________________________________
>
> Medium (CVSS: 5.0)
> NVT: Microsoft MS03-034 security check (OID: 1.3.6.1.4.1.25623.1.0.101015)
>
> Under certain conditions, the response to a NetBT Name Service query may, in
> addition to the typical reply, contain random data from the target system's
> memory. This data could, for example, be a segment of HTML if the user on
> the target system was using an Internet browser, or it could contain other
> types of data that exist in memory at the time that the target system responds
> to the NetBT Name Service query.
>
> An attacker could seek to exploit this vulnerability by sending a NetBT Name
> Service query to the target system and then examine the response to see if it
> included any random data from that system's memory.
>
> Solution :
> Microsoft has released a patch to fix this issue, download it from the
> following website:
>
> Windows Server 2003
> http://www.microsoft.com/downloads/details.aspx?FamilyId=A59CC2AC-F182-4CD5-ACE7-3D4C2E3F1326&displaylang=en
>
> Windows Server 2003 64 bit Edition
> http://www.microsoft.com/downloads/details.aspx?FamilyId=140CF7BE-0371-4D17-8F4C-951B76AC3024&displaylang=en
>
> Windows XP
> http://www.microsoft.com/downloads/details.aspx?FamilyId=1C9D8E86-5B8C-401A-88B2-4443FFB9EDC3&displaylang=en
>
> Windows XP 64 bit Edition
> http://www.microsoft.com/downloads/details.aspx?FamilyId=378D4B58-BF2C-4406-9D88-E6A3C4601795&displaylang=en
>
> Windows 2000
> http://www.microsoft.com/downloads/details.aspx?FamilyId=D0564162-4EAE-42C8-B26C-E4D4D496EAD8&displaylang=en
>
> Windows NT Server 4.0
> http://www.microsoft.com/downloads/details.aspx?FamilyId=F131D63A-F74F-4CAF-95BD-D7FA37ADCF38&displaylang=en
>
> Windows NT Server 4.0, Terminal Server Edition
> http://www.microsoft.com/downloads/details.aspx?FamilyId=22379951-64A9-446B-AC8F-3F2F080383A9&displaylang=en
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
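A triage helper for comparing a scanner finding with an nmap run like the one quoted above, added here as an example and not part of the original thread. It reads the `PORTS:` coverage line that `nmap -d` prints and reports whether the run probed the finding's transport protocol at all; NetBIOS name service queries are normally sent over UDP port 137. The names `scan_coverage` and `triage` are hypothetical.

```python
import re

# Constructed sample: lines taken from the nmap -d output quoted above
# (wrapped lines rejoined).
SAMPLE = """\
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
Initiating SYN Stealth Scan at 20:11
All 1000 scanned ports on vcenter (xx.xx.xx.132) are filtered because of 1000 no-responses
Raw packets sent: 2049 (94.700KB) | Rcvd: 1 (28B)
"""

COVERAGE = re.compile(r"PORTS: .*\(TCP:(\d+), UDP:(\d+), SCTP:(\d+)\)")
ALL_STATE = re.compile(r"All \d+ scanned ports on .* are (\S+)")


def scan_coverage(nmap_debug_output):
    """Return the number of ports probed per protocol, e.g. {'tcp': 1000, ...}."""
    m = COVERAGE.search(nmap_debug_output)
    if m is None:
        raise ValueError("no 'PORTS:' coverage line; was nmap run with -d?")
    return dict(zip(("tcp", "udp", "sctp"), map(int, m.groups())))


def triage(nmap_debug_output, proto):
    """Say what this nmap run tells us about findings on the given protocol."""
    if scan_coverage(nmap_debug_output)[proto.lower()] == 0:
        # Nothing was sent over this protocol, so the run can neither
        # confirm nor refute a finding that depends on it.
        return "protocol-not-scanned"
    m = ALL_STATE.search(nmap_debug_output)
    if m is None:
        # Mixed results: the per-port table has to be checked instead.
        return "see-port-table"
    # "filtered" means probes went unanswered (dropped by a firewall);
    # it is not the same as nmap's "closed" state.
    return m.group(1)


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, "->", triage(SAMPLE, proto))
```
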
