Mailing List Archive

false positive?
Question..



Vulnerability Nessus ID 34820 shows that a server has the vulnerability:



Symantec Backup Exec Authentication Bypass and Potential Buffer Overflow

ID: 34820
<https://128.42.174.70/sc3/console.php?psid=8000&ctxid=8001%5enewscan%5eplug
inid:34820> Family: Gain root remotely NASL: PLUGIN.nasl
<https://128.42.174.70/sc3/console.php?view_nasl=PLUGIN.nasl>


Synopsis :

It is possible to bypass the backup agent authentication.

Description :

The remote host is running a version of VERITAS Backup Exec Agent which is
vulnerable to multiple authentication bypass issues.

An attacker may exploit this flaw to manage the backup agent and/or to
execute commands with high privileges.

Solution :

http://www.symantec.com/avcenter/security/Content/2008.11.19.html

Risk factor :

Critical / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)



But, this fix was to install the latest and greatest version of BES, which
it already has the newest version/the fix for this vulnerability.



So, why does the vulnerability still show positive? I was not able to open
the .nasl to see what the scan is doing:



But, I was not able to open the "PLUGIN.nasl"



Please advise. Thanks!



Dee
Re: false positive? [ In reply to ]
On Feb 5, 2009, at 3:54 PM, Deepak J. Mathew wrote:

> Vulnerability Nessus ID 34820 shows that a server has the
> vulnerability:
...
> So, why does the vulnerability still show positive?

Would you mind taking a full packet capture of traffic to/from the
affected service when you run a scan with just this plugin enabled and
then sending it to me privately?


George
--
theall@tenablesecurity.com



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
Re: false positive? [ In reply to ]
On Feb 5, 2009, at 9:54 PM, Deepak J. Mathew wrote:

> Question..
>
> Vulnerability Nessus ID 34820 shows that a server has the
> vulnerability:
[...]
> But, this fix was to install the latest and greatest version of BES,
> which it already has the newest version/the fix for this
> vulnerability.
>
Which version did you install exactly ?


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
RE: false positive? [ In reply to ]
I'm assuming you are asking about the Backup Exec version. It's version
12.5 Rev. 2213 SP1 with Hotfix 317412

-----Original Message-----
From: Renaud Deraison [mailto:deraison-lists@nessus.org]
Sent: Friday, February 06, 2009 3:40 AM
To: Deepak J. Mathew; Nessus Discussion Board
Subject: Re: false positive?


On Feb 5, 2009, at 9:54 PM, Deepak J. Mathew wrote:

> Question..
>
> Vulnerability Nessus ID 34820 shows that a server has the
> vulnerability:
[...]
> But, this fix was to install the latest and greatest version of BES,
> which it already has the newest version/the fix for this
> vulnerability.
>
Which version did you install exactly ?



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus