Vulnerable


Events with this classification type identify a service that is badly configured, unnecessarily exposed to the internet or otherwise vulnerable to exploitation. The service possibly exhibits a known weakness that can be abused by a third party. Alternatively, the service may not be intended to be accessible from the public internet at all, and may be targeted by brute-force attacks.

Such vulnerabilities can be abused, for example, to support DDoS attacks, to gain unauthorized access, or even to tamper with the system, service or data. The abuse possibilities strongly depend on the nature of the vulnerability.

Most commonly the cause is an internet-accessible service without sufficient access control, allowing anyone on the internet to use or abuse the service. Missing software updates (patches) are another common cause, since the updated version fixes the software flaw. Configuration mistakes at the service level also frequently lead to vulnerable services.

The system identified by `source` is most likely vulnerable to abuse by third parties. Where available, we include additional information such as a classification identifier or `extra` information. The mitigation usually depends strongly on the vulnerability. The system is not necessarily compromised, but it should still be investigated.

Recommendations:

  • Check for further information related to the vulnerability.
  • Restrict the access permissions to the intended users on network level.
  • Secure and restrict the access to the intended users on application level.
  • Update the software running on the system.
  • Check the logs for unusual behavior.

Classification Identifier

These devices have the potential to be used in UDP amplification attacks, in addition to disclosing large amounts of information about the system, and we would like to see these services made unavailable to miscreants who would misuse these resources.

Information on UDP-based amplification attacks in general can be found in US-CERT alert TA14-017A at: https://www.us-cert.gov/ncas/alerts/TA14-017A.

Organisation

The scan is not performed by SWITCH. The scans are performed by a known trusted partner.

Methodology

All routable IPv4 addresses that are not firewalled from the internet on port 111/udp are queried with an "rpcinfo" packet and the response is parsed. If the mountd service is accessible, this is followed up with the packet equivalent of "showmount".

Self testing

To see if portmap is accessible, run the commands "rpcinfo -T udp -p [IP address]" and "showmount -e [IP address]". If the portmapper service is accessible, you should see a response detailing some of the services that are running. Please note that even though this command specifies that you wish to probe portmapper over UDP, some implementations attempt TCP first and, if that probe fails, do not attempt to probe over UDP.

Additional data

extra.programs may contain additional information regarding the output; for simplicity the output is kept numeric: "[program number] [program version] [port/protocol]".

Program Number   Program Name
100000           portmapper
100003           nfs
100005           mountd
100021           nlockmgr
100024           status
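The following triage helper is an added example and not part of the original report documentation. It parses the numeric "[program number] [program version] [port/protocol]" entries of the extra.programs field, maps the program numbers with the table above, and points out which of the exposed RPC services need attention. The entry separator (";" or newline) and the sample report string are assumptions, since the page does not show a full field value.

```python
"""Triage helper for the portmapper report's extra.programs field.

Added example, not part of the original page: it parses the numeric
"[program number] [program version] [port/protocol]" entries and maps the
program numbers using the table above. Entry separators (";" or newline)
and the sample report string are assumptions / constructed data.
"""
from dataclasses import dataclass

# Program number -> name, taken from the table in this section.
PROGRAM_NAMES = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status",
}


@dataclass(frozen=True)
class RpcProgram:
    number: int
    version: int
    port: int
    proto: str

    @property
    def name(self) -> str:
        return PROGRAM_NAMES.get(self.number, "unknown")


def parse_programs(field: str) -> list[RpcProgram]:
    """Parse the extra.programs string into RpcProgram records.

    Malformed entries are skipped instead of aborting the triage, so a
    single odd token in a report does not hide the well-formed ones.
    """
    programs = []
    for raw in field.replace("\n", ";").split(";"):
        parts = raw.split()
        if len(parts) != 3 or "/" not in parts[2]:
            continue
        port_s, proto = parts[2].split("/", 1)
        try:
            programs.append(
                RpcProgram(int(parts[0]), int(parts[1]), int(port_s), proto.lower())
            )
        except ValueError:
            continue
    return programs


def triage(field: str) -> dict:
    """Summarise which RPC services are exposed and why that matters."""
    programs = parse_programs(field)
    exposed = {p.number for p in programs}
    findings = []
    if 100000 in exposed:
        findings.append("portmapper reachable: usable for UDP amplification and service enumeration")
    if 100005 in exposed:
        findings.append("mountd reachable: export list is visible to anyone (showmount -e)")
    if 100003 in exposed:
        findings.append("nfs reachable: restrict exports and filter the NFS ports at the perimeter")
    return {
        "services": sorted({p.name for p in programs}),
        "udp_ports": sorted({p.port for p in programs if p.proto == "udp"}),
        "findings": findings,
    }


# Constructed sample value in the report format (not a real report).
SAMPLE_PROGRAMS = "100000 2 111/udp; 100000 2 111/tcp; 100005 3 20048/udp; 100003 4 2049/tcp; 100024 1 44021/udp"

if __name__ == "__main__":
    for line in triage(SAMPLE_PROGRAMS)["findings"]:
        print(line)
```

The udp_ports list is the part worth feeding into your perimeter filter rules: every UDP port listed there is reachable from the internet, and 111/udp in particular should only be open to the hosts that legitimately mount exports.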


Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Reported systems run an RDP server that is publicly accessible. While this is not a vulnerability by itself, the service has the potential to disclose sensitive information or to unknowingly provide remote access to the system if configured improperly.

Organisation

The scan is not performed by SWITCH. The scans are performed by a known trusted partner.

Self-Testing

To see if RDP is accessible, run the command "nmap -v --script=ssl-cert -p 3389 <ip-address>".

Additional Information

MongoDB is an open-source, cross-platform document-based database system, classified as NoSQL. Reported systems run a publicly accessible MongoDB instance on port 27017/tcp. While this is not a vulnerability by itself, in the majority of installations authentication is not enabled. Without authentication, the MongoDB instance can be accessed by anyone. This makes it prone to ransomware attacks, in which attackers encrypt the whole database content.

Organisation

The scan is not performed by SWITCH. The scans are performed by a known trusted partner.

Additional Information

Reported systems run a DNS service on port 53/udp without client restrictions. These so-called open DNS resolvers will happily answer queries for anyone on the internet. These servers have the potential to be used in DNS amplification and reflection attacks.
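The page gives no self-test for this category, so the following is an added example (not part of the original documentation) of how to check one of your own name servers for open-resolver behaviour. It sends a standard recursive query for a name the server is not authoritative for and classifies the reply from the header flags: a reply with the Recursion Available bit set and a NOERROR or NXDOMAIN result means the server recursed for an arbitrary client, while REFUSED (or RA cleared) is what a correctly restricted server returns. The query name, the timeout and the constructed replies used in demo() are assumptions.

```python
"""Open-resolver self-test for a DNS server (added example, not from the page).

Sends a standard recursive query for a name the server is not authoritative
for and classifies the reply: a server that answers with RA set and a
non-error RCODE is acting as an open resolver. The query name, socket
timeout and the constructed replies used in demo() are assumptions.
"""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD=1, one question (A record, IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def classify_response(query: bytes, response: bytes) -> str:
    """Return one of: open, refused, no-recursion, error, mismatch, malformed."""
    if len(response) < 12:
        return "malformed"
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "mismatch"           # reply does not belong to our query
    qr = (flags >> 15) & 1
    ra = (flags >> 7) & 1           # Recursion Available
    rcode = flags & 0x0F
    if not qr:
        return "malformed"
    if rcode == RCODE_REFUSED:
        return "refused"            # typical reply from a properly restricted server
    if not ra:
        return "no-recursion"       # server only serves its own zones
    if rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "open"               # it recursed for an arbitrary client
    return "error"


def probe(server: str, qname: str = "example.com", timeout: float = 3.0) -> str:
    """Live check against one of your own servers; returns a classification."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"    # filtered, or rate-limited
    return classify_response(query, data)


def constructed_reply(query: bytes, flags: int, ancount: int = 0) -> bytes:
    """Build a reply header for the given query (constructed test data only)."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


def demo() -> dict:
    """Classify three constructed replies without touching the network."""
    q = build_query("example.com")
    return {
        "open": classify_response(q, constructed_reply(q, 0x8180, ancount=1)),
        "refused": classify_response(q, constructed_reply(q, 0x8185)),
        "no_recursion": classify_response(q, constructed_reply(q, 0x8100)),
    }


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it from a host outside your own network against the reported address; after restricting recursion to your clients (and filtering 53/udp where the server is not meant to be public at all) the result should change from "open" to "refused", "no-recursion" or "no-response".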

Organisation

The scan is not performed by SWITCH. The scans are performed by a known trusted partner.

Additional Information

Reported systems expose a telnet service on port 23/tcp. While this is not a vulnerability by itself, telnet does not use encryption and has the potential to disclose sensitive information or to unknowingly provide remote access to the system if configured improperly.

Organisation

The scan is not performed by SWITCH. The scans are performed by a known trusted partner.


Elasticsearch is a distributed search engine software with an HTTP web interface. Reported systems run an Elasticsearch instance on port 9200/tcp which is accessible to the public. While this is not a vulnerability by itself, the service does not support authentication by default, which means that anybody can access the service and the contents of the data store.

Organisation

The scan is not performed by SWITCH. The scans are performed by a known trusted partner.

Additional Information