Mailing List Archive

General: Plugins Reporting Unrelated Historic Information
Hello All,

I've noticed that some plugins that only report on the existence of
a service also include unrelated historical vulnerability
information [1]. This is usually in the form of CVE references to
specific vulnerabilities and/or generic wording about the spotty
history of the service. This is not consistently done, though,
across all plugins. It is usually done on services that have not
had a bunch of issues or are more esoteric in nature (e.g. UDP
inetd services such as qotd, echo, chargen).

I disagree with the usage of CVE entries and harsh wording if all
that is being checked is the existence of a service. Imagine a
plugin that was kept up-to-date and listed all the OpenSSL, Apache,
or Microsoft RPC CVE entries! It does not, in my opinion, provide
useful information and should be removed. It only seems to warn
people that have no idea what the service does and scares them into
disabling it. It logically does not matter what the history of the
service is - if it is superfluous, disable the service.

If I contribute patches removing this, would they be likely
committed?

Thanks,

Jon

[1] Example plugins:

Plugin 10213:

The cmsd RPC service is running. This service has a long history of
security holes, so you should really know what you are doing if you
decide to let it run.
*** No security hole regarding this program has been tested, so
*** this might be a false positive
Solution : We suggest that you disable this service.
Risk factor : High
CVE : CVE-1999-0320, CVE-1999-0696, CVE-2002-0391
BID : 428, 524, 5356

Related CVE entries:

CVE-1999-0320:
SunOS rpc.cmsd allows attackers to obtain root access by
overwriting arbitrary files.

CVE-1999-0696:
Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd)

CVE-2002-0391:
Integer overflow in xdr_array function in RPC servers for operating
systems that use libc, glibc, or other code based on SunRPC
including dietlibc, allows remote attackers to execute arbitrary
code by passing a large number of arguments to xdr_array through
RPC services such as rpc.cmsd and dmispd.

Re: General: Plugins Reporting Unrelated Historic Information
On Fri, 2005-02-18 at 14:15 -0800, Jon Passki wrote:
> If I contribute patches removing this, would they be likely
> committed?

Instead of removing the comments, maybe we could tune the report with
variables from global_settings.inc: report_verbosity or report_paranoia?
For example, the "harsh comment" could be added only if
report_paranoia > 1

Yes? No?
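One way the gating proposed above could look inside a plugin, as an added illustration that is not code from this thread or from the Nessus plugin tree: the detection part and its plain informational report stay as they are, and the historic "this service has had holes" text is appended only when report_paranoia > 1. The script id, the service, its UDP port and the CVE reference are placeholders; the structure assumes the Nessus 2.x NASL API (global_settings.inc, get_udp_port_state, security_note/security_hole).

```nasl
# Illustrative plugin skeleton (not from the thread or the Nessus plugin tree).
# Placeholder values: script_id, the service and its port are made up.
if (description)
{
  script_id(99999);                              # placeholder id
  script_version("$Revision: 1.0 $");
  script_name(english:"Example: esoteric UDP service detection");
  script_description(english:"Reports that the service answers; historic CVE text is optional.");
  script_summary(english:"Checks whether the example UDP service is listening");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Service detection");
  script_copyright(english:"Example code");
  exit(0);
}

# global_settings.inc derives report_verbosity and report_paranoia from the
# scan preferences; the proposal above keys the extra text off report_paranoia.
include("global_settings.inc");

port = 7;   # placeholder: UDP port of the service being detected
if (!get_udp_port_state(port)) exit(0);

# Fact-only part of the report: what was actually observed.
report = "The example UDP service is running on this port.";

if (report_paranoia > 1)
{
  # Historic vulnerability text describes the service's past, not a tested
  # finding, so it is only shown on paranoid scans, flagged as untested.
  report += '\n\nThis service has had security problems in the past.\n' +
            'No specific flaw was tested, so this may be a false positive.\n' +
            'Historic references: CVE-XXXX-NNNN (placeholder)';
  security_hole(port:port, protocol:"udp", data:report);
}
else
{
  # Default scans get a plain informational note with no CVE baggage.
  security_note(port:port, protocol:"udp", data:report);
}
```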
Re: General: Plugins Reporting Unrelated Historic Information
--- Michel Arboi <mikhail@nessus.org> wrote:

> On Fri, 2005-02-18 at 14:15 -0800, Jon Passki wrote:
> > If I contribute patches removing this, would they be likely
> > committed?
>
> Instead of removing the comments, maybe we could tune the report
> with
> variables from global_settings.inc: report_verbosity or
> report_paranoia?
> For example, the "harsh comment" could be added only if
> report_paranoia > 1
>
> Yes? No?

That works, too. Do you agree, though, that it's inconsistent to
only focus on a couple services (such as the UDP services) versus
all services? We don't do that with HTTP or FTP services, then why
is it okay with lesser-used services? I'd rather be more worried
if I was assessing a network and came across multiple unused HTTP
services versus echo/udp services, regardless of whether there was a
vulnerability.

Jon
Re: General: Plugins Reporting Unrelated Historic Information
On Sat, 2005-02-19 at 07:50 -0800, Jon Passki wrote:
> That works, too. Do you agree, though, that it's inconsistent to
> only focus on a couple services (such as the UDP services) versus
> all services?

Yes.

> We don't do that with HTTP or FTP services

Because we can identify the remote server and give more precise
comments. But I agree that this is not great.
Re: General: Plugins Reporting Unrelated Historic Information
On Sat, Feb 19, 2005 at 07:50:48AM -0800, Jon Passki wrote:
> That works, too. Do you agree, though, that it's inconsistent to
> only focus on a couple services (such as the UDP services) versus
> all services? We don't do that with HTTP or FTP services, then why
> is it okay with lesser-used services? I'd rather be more worried
> if I was assessing a network and came across multiple unused HTTP
> services versus echo/udp services, regardless if there was a
> vulnerability.

The problem is that for some of these esoteric services, the only way to
check for a flaw is to crash the service itself (a suboptimal method),
and sometimes the flaw is not patched at all (i.e. sadmin).

I agree that the report should be displayed when paranoia is enabled
only.

-- Renaud