Vulnerable
Events with this classification type identify a service that is badly configured, unnecessarily exposed to the internet or otherwise vulnerable to exploitation. The service possibly exhibits a known weakness that can be abused by a third party. Alternatively, the service is not intended to be accessible from the public internet and may be targeted by brute-force attacks.
Such vulnerabilities can be abused, for example, to support DDoS attacks, gain unauthorized access or tamper with the system, service or data. The abuse possibilities depend strongly on the nature of the vulnerability.
Most commonly the cause is an internet-accessible service without sufficient access control, allowing anyone on the internet to access or abuse the service. Missing software updates (patches) are another common cause of a vulnerable service, since the updated version fixes the software flaw. Configuration mistakes at the service level are also a common issue leading to vulnerable services.
The system identified by source is most likely vulnerable to abuse by third parties. If available, we include additional information such as a classification identifier or `extra` information. The mitigation usually depends strongly on the vulnerability. The system does not have to be compromised, but it should still be investigated.
Recommendations:
- Check for further information related to the vulnerability.
- Restrict the access permissions to the intended users on network level.
- Secure and restrict the access to the intended users on application level.
- Update the software running on the system.
- Check the logs for unusual behavior.
Classification Identifier
Reported systems have the Cisco Smart Install service exposed on port 4786/tcp. This service is not intended to be reachable from the internet. Moreover, there are known vulnerabilities in the service which allow unauthenticated remote code execution.
If not required, the Smart Install service may be deactivated with the command `no vstack`.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
Reported systems expose components of a Hadoop cluster: either a namenode (50070/tcp) or a datanode (50075/tcp). These services may disclose sensitive information or allow a miscreant to manipulate the Hadoop instance.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
Reported systems expose a non-standard HTTP interface (8080/tcp) to the public. In many cases this exposure is likely unwanted and unintended. Unintended HTTP exposure of internal infrastructure (e.g. printers) and services (e.g. internet proxies) can disclose sensitive information or may allow a miscreant to manipulate the service or enter the infrastructure unnoticed to take further actions.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
Reported systems have a VNC service exposed on port 5900/tcp. This service does not use encryption and may disclose sensitive information or unknowingly provide remote access to the system if configured improperly.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
Reported systems have a CWMP service (also known as TR-069) exposed on port 7547/tcp or 30005/tcp. This service is not intended to be reachable from the internet.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
Reported systems run a DNS service on port 53/udp without client restrictions. These so-called open DNS resolvers will happily answer queries for anyone on the internet. These servers have the potential to be used in DNS amplification and reflection attacks.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
Elasticsearch is distributed search engine software with an HTTP web interface. Reported systems run an Elasticsearch instance on port 9200/tcp that is accessible to the public. While this is not a vulnerability by itself, the service does not enable authentication by default, which means that anybody can likely access the service and the contents of the data store.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. Reported systems run a Kubernetes API which is accessible to the public. While this is not a vulnerability by itself, it is likely that this level of access was not intended, and it acts as an unnecessarily exposed attack surface. An exposed Kubernetes API also allows information leakage on version and build.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
MongoDB is an open-source, cross-platform document-based database system, classified as NoSQL. Reported systems run a publicly accessible MongoDB instance on port 27017/tcp. While this is not a vulnerability by itself, in the majority of installations authentication is not enabled. Without authentication, the MongoDB instance can be accessed by anyone. Such instances are prone to ransomware attacks, in which attackers encrypt the whole database content.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
These devices have the potential to be used in UDP amplification attacks, in addition to disclosing large amounts of information about the system, and we would like to see these services made unavailable to miscreants who would misuse these resources.
Information on UDP-based amplification attacks in general can be found in US-CERT alert TA14-017A at: https://www.us-cert.gov/ncas/alerts/TA14-017A.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Methodology
All routable IPv4 addresses that are not firewalled from the internet on port 111/udp are queried with an "rpcinfo" packet and the response is parsed. If the mountd service is accessible, this is followed up with a packet equivalent to "showmount".
Self testing
To see if portmap is accessible, run the commands "rpcinfo -T udp -p [IP address]" and "showmount -e [IP address]". If the portmapper service is accessible, you should see a response detailing some of the services that are running. Please note that even though this command specifies that you wish to probe portmapper over UDP, some implementations attempt TCP first and, if that probe fails, do not attempt to probe over UDP.
Additional data
`extra.programs` might contain additional information regarding the output; for simplicity the output is kept numeric: "[program number] [program version] [port/protocol]".
| Program Number | Program Name |
|----------------|--------------|
| 100000 | portmapper |
| 100003 | nfs |
| 100005 | mountd |
| 100021 | nlockmgr |
| 100024 | status |
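As an added example (not SWITCH's or the scanning partner's code), the following decodes the numeric `extra.programs` field into the program names from the table above and flags entries that deserve priority, such as an exposed mountd or nfs. The entry separator (";" or newline) and the sample report value are assumptions constructed for illustration.

```python
"""Decode the numeric `extra.programs` field of a portmapper report."""
from dataclasses import dataclass

# RPC program numbers from the report documentation table.
RPC_PROGRAM_NAMES = {
    100000: "portmapper",
    100003: "nfs",
    100005: "mountd",
    100021: "nlockmgr",
    100024: "status",
}

# Exposure of these goes beyond "the portmapper answers": they reach exported file systems.
HIGH_RISK_PROGRAMS = {"nfs", "mountd"}


@dataclass(frozen=True)
class RpcProgram:
    number: int
    version: int
    port: int
    protocol: str
    name: str


def parse_programs(field: str) -> list[RpcProgram]:
    """Parse "[program number] [program version] [port/protocol]" entries.
    Entries separated by ';' or newlines (assumption); malformed entries are skipped."""
    programs = []
    for entry in field.replace(";", "\n").splitlines():
        parts = entry.split()
        if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue
        port_str, _, proto = parts[2].partition("/")
        if not port_str.isdigit():
            continue
        number, version = int(parts[0]), int(parts[1])
        name = RPC_PROGRAM_NAMES.get(number, f"unknown({number})")
        programs.append(RpcProgram(number, version, int(port_str), proto.lower(), name))
    return programs


def triage(field: str) -> dict:
    """Summarise which RPC programs the report says are exposed and which are high risk."""
    exposed = sorted({p.name for p in parse_programs(field)})
    return {"exposed": exposed, "high_risk": [n for n in exposed if n in HIGH_RISK_PROGRAMS]}


# Constructed sample value, not taken from a real report.
SAMPLE_FIELD = "100000 4 111/udp; 100005 3 20048/tcp; 100003 4 2049/tcp; 100024 1 38117/udp"

if __name__ == "__main__":
    for p in parse_programs(SAMPLE_FIELD):
        print(f"{p.name:<10} v{p.version} {p.port}/{p.protocol}")
    print(triage(SAMPLE_FIELD))
```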
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.
Reported systems run an RDP server that is publicly accessible. While this is not a vulnerability by itself, this service may disclose sensitive information or unknowingly provide remote access to the system if configured improperly.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Self-Testing
To see if RDP is accessible, run the command "nmap -v --script=ssl-cert -p 3389 <ip-address>".
Additional Information
Reported systems have the SMB service exposed on port 445/tcp. This service does not use encryption and may disclose sensitive information or unknowingly provide remote access to the system if configured improperly. This service is not intended to be reachable from the internet.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.
Additional Information
Reported systems expose a telnet service on port 23/tcp. While this is not a vulnerability by itself, telnet does not use encryption and may disclose sensitive information or unknowingly provide remote access to the system if configured improperly.
Organisation
The scan is not performed by SWITCH. The scans are performed by a known trusted partner.