The host is running TWiki and is prone to Cross-Site Scripting (XSS) and Command Execution Vulnerabilities.

Installed version: 01.Feb.2003
Fixed version:     4.2.4

Successful exploitation could allow execution of arbitrary script code or commands. This could let attackers steal cookie-based authentication credentials or compromise the affected application.

Solution type: VendorFix

Upgrade to version 4.2.4 or later.

TWiki, TWiki version prior to 4.2.4.

The flaws are due to,

- %URLPARAM{}% variable is not properly sanitized which lets attackers conduct cross-site scripting attack.

- %SEARCH{}% variable is not properly sanitised before being used in an eval() call which lets the attackers execute perl code through eval injection attack.

Details: TWiki XSS and Command Execution Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.800320)

Version used: $Revision: 12952 $

OS End Of Life Detection

The Operating System on the remote host has reached the end of life and should not be used anymore.

The "Ubuntu" Operating System on the remote host has reached the end of life.

CPE:               cpe:/o:canonical:ubuntu_linux:8.04
Installed version,
build or SP:       8.04
EOL date:          2013-05-09
EOL info:          https://wiki.ubuntu.com/Releases

Solution type: Mitigation

Details: OS End Of Life Detection (OID: 1.3.6.1.4.1.25623.1.0.103674)

Version used: $Revision: 8927 $

This remote host is running a rexec service.

Vulnerability was detected according to the Vulnerability Detection Method.

Solution type: Mitigation

Disable the rexec service and use alternatives like SSH instead.

rexec (Remote Process Execution) has the same kind of functionality that rsh has: you can execute shell commands on a remote computer.

The main difference is that rexec authenticate by reading the username and password *unencrypted* from the socket.

Details: rexec Passwordless / Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.100111)

Version used: $Revision: 13541 $

Systems using Distributed Ruby (dRuby/DRb), which is available in Ruby versions 1.6 and later, may permit unauthorized systems to execute distributed commands.

The service is running in $SAFE >= 1 mode. However it is still possible to run arbitrary syscall commands on the remote host. Sending an invalid syscall the service returned the following response:

Flo:Errno::ENOSYS:bt["3/usr/lib/ruby/1.8/drb/drb.rb:1555:in `syscall'"0/usr/lib/ruby/1.8/drb/drb.rb:1555:in `send'"4/usr/lib/ruby/1.8/drb/drb.rb:1555:in `__send__'"A/usr/lib/ruby/1.8/drb/drb.rb:1555:in `perform_without_block'"3/usr/lib/ruby/1.8/drb/drb.rb:1515:in `perform'"5/usr/lib/ruby/1.8/drb/drb.rb:1589:in `main_loop'"0/usr/lib/ruby/1.8/drb/drb.rb:1585:in `loop'"5/usr/lib/ruby/1.8/drb/drb.rb:1585:in `main_loop'"1/usr/lib/ruby/1.8/drb/drb.rb:1581:in `start'"5/usr/lib/ruby/1.8/drb/drb.rb:1581:in `main_loop'"//usr/lib/ruby/1.8/drb/drb.rb:1430:in `run'"1/usr/lib/ruby/1.8/drb/drb.rb:1427:in `start'"//usr/lib/ruby/1.8/drb/drb.rb:1427:in `run'"6/usr/lib/ruby/1.8/drb/drb.rb:1347:in `initialize'"//usr/lib/ruby/1.8/drb/drb.rb:1627:in `new'"9/usr/lib/ruby/1.8/drb/drb.rb:1627:in `start_service'"%/usr/sbin/druby_timeserver.rb:12:errnoi+:mesg"Function not implemented

By default, Distributed Ruby does not impose restrictions on allowed hosts or set the $SAFE environment variable to prevent privileged activities. If other controls are not in place, especially if the Distributed Ruby process runs with elevated privileges, an attacker could execute arbitrary system commands or Ruby scripts on the Distributed Ruby server. An attacker may need to know only the URI of the listening Distributed Ruby server to submit Ruby commands.

Solution type: Mitigation

Administrators of environments that rely on Distributed Ruby should ensure that appropriate controls are in place. Code-level controls may include:

- Implementing taint on untrusted input

- Setting $SAFE levels appropriately (>=2 is recommended if untrusted hosts are allowed to submit Ruby commands, and >=3 may be appropriate)

- Including drb/acl.rb to set ACLEntry to restrict access to trusted hosts

Send a crafted command to the service and check for a remote command execution via the instance_eval or syscall requests.

Details: Distributed Ruby (dRuby/DRb) Multiple Remote Code Execution Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.108010)

Version used: $Revision: 12338 $

A backdoor is installed on the remote host

The service is answering to an 'id;' command with the following response: uid=0(root) gid=0(root)

Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected isystem.

Solution type: Workaround

Details: Possible Backdoor: Ingreslock (OID: 1.3.6.1.4.1.25623.1.0.103549)

Version used: $Revision: 11327 $

DistCC 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.

It was possible to execute the "id" command.

Result: uid=1(daemon) gid=1(daemon)

DistCC by default trusts its clients completely that in turn could allow a malicious client to execute arbitrary commands on the server.

Solution type: VendorFix

Vendor updates are available. Please see the references for more information.

For more information about DistCC's security see the references.

Details: DistCC Remote Code Execution Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103553)

Version used: $Revision: 12032 $

Try to log in with given passwords via VNC protocol.

It was possible to connect to the VNC server with the password: password

Solution type: Mitigation

Change the password to something hard to guess or enable password protection at all.

This script tries to authenticate to a VNC server with the passwords set in the password preference. It will also test and report if no authentication / password is required at all.

Note: Some VNC servers have a blacklisting scheme that blocks IP addresses after five unsuccessful connection attempts for a period of time. The script will abort the brute force attack if it encounters that it gets blocked.

Note as well that passwords can be max. 8 characters long.

Details: VNC Brute Force Login (OID: 1.3.6.1.4.1.25623.1.0.106056)

Version used: $Revision: 13328 $

It was possible to login into the remote PostgreSQL as user postgres using weak credentials.

It was possible to login as user postgres with password "postgres".

Solution type: Mitigation

Change the password as soon as possible.

Details: PostgreSQL weak password (OID: 1.3.6.1.4.1.25623.1.0.103552)

Version used: $Revision: 10312 $

This remote host is running a rsh service.

The rsh service is misconfigured so it is allowing conntections without a password or with default root:root credentials.

Solution type: Mitigation

Disable the rsh service and use alternatives like SSH instead.

rsh (remote shell) is a command line computer program which can execute shell commands as another user, and on another computer across a computer network.

Details: rsh Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.100080)

Version used: $Revision: 13010 $

Many PHP installation tutorials instruct the user to create a file called phpinfo.php or similar containing the phpinfo() statement. Such a file is often left back in the webserver directory.

The following files are calling the function phpinfo() which disclose potentially sensitive information:

http://metasploitable2.sicurform/mutillidae/phpinfo.php
http://metasploitable2.sicurform/phpinfo.php

Some of the information that can be gathered from this file includes:

The username of the user running the PHP process, if it is a sudo user, the IP address of the host, the web server version, the system version (Unix, Linux, Windows, ...), and the root directory of the web server.

Solution type: Workaround

Delete the listed files or restrict access to them.

Details: phpinfo() output Reporting (OID: 1.3.6.1.4.1.25623.1.0.11229)

Version used: $Revision: 11992 $

Tiki Wiki CMS Groupware is prone to multiple unspecified vulnerabilities, including:

- An unspecified SQL-injection vulnerability

- An unspecified authentication-bypass vulnerability

- An unspecified vulnerability

Installed version: 1.9.5
Fixed version:     4.2

Exploiting these issues could allow an attacker to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and gain unauthorized access to the affected application. Other attacks are also possible.

Solution type: VendorFix

The vendor has released an advisory and fixes. Please see the references for details.

Versions prior to Tiki Wiki CMS Groupware 4.2 are vulnerable.

Details: Tiki Wiki CMS Groupware < 4.2 Multiple Unspecified Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.100537)

Version used: $Revision: 13960 $

This remote host is running a rlogin service.

The service is misconfigured so it is allowing conntections without a password.

Solution type: Mitigation

Disable the rlogin service and use alternatives like SSH instead.

rlogin has several serious security problems,

- all information, including passwords, is transmitted unencrypted.

- .rlogin (or .rhosts) file is easy to misuse (potentially allowing anyone to login without a password)

Details: rlogin Passwordless / Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.901202)

Version used: $Revision: 13541 $

Detection of backdoor in UnrealIRCd.

Vulnerability was detected according to the Vulnerability Detection Method.

Solution type: VendorFix

Install latest version of unrealircd and check signatures of software you're installing.

Remote attackers can exploit this issue to execute arbitrary system commands within the context of the affected application.

The issue affects Unreal 3.2.8.1 for Linux. Reportedly package Unreal3.2.8.1.tar.gz downloaded in November 2009 and later is affected. The MD5 sum of the affected file is 752e46f2d873c1679fa99de3f52a274d. Files with MD5 sum of 7b741e94e867c0a7370553fd01506c66 are not affected.

Details: Check for Backdoor in UnrealIRCd (OID: 1.3.6.1.4.1.25623.1.0.80111)

Version used: $Revision: 13960 $

PHP is prone to an information-disclosure vulnerability.

Vulnerable url: http://metasploitable2.sicurform/cgi-bin/php

Exploiting this issue allows remote attackers to view the source code of files in the context of the server process. This may allow the attacker to obtain sensitive information and to run arbitrary PHP code on the affected computer. Other attacks are also possible.

Solution type: VendorFix

PHP has released version 5.4.3 and 5.3.13 to address this vulnerability. PHP is recommending that users upgrade to the latest version of PHP.

When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution.

An example of the -s command, allowing an attacker to view the source code of index.php is below:

http://example.com/index.php?-s

Details: PHP-CGI-based setups vulnerability when parsing query string parameters from ph... (OID: 1.3.6.1.4.1.25623.1.0.103482)

Version used: $Revision: 13679 $

vsftpd is prone to a backdoor vulnerability.

Vulnerability was detected according to the Vulnerability Detection Method.

Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected application.

Solution type: VendorFix

The repaired package can be downloaded from the referenced link. Please validate the package with its signature.

The vsftpd 2.3.4 source package is affected.

Details: vsftpd Compromised Source Packages Backdoor Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103185)

Version used: $Revision: 12076 $

vsftpd is prone to a backdoor vulnerability.

Vulnerability was detected according to the Vulnerability Detection Method.

Attackers can exploit this issue to execute arbitrary commands in the context of the application. Successful attacks will compromise the affected application.

Solution type: VendorFix

The repaired package can be downloaded from the referenced link. Please validate the package with its signature.

The vsftpd 2.3.4 source package is affected.

Details: vsftpd Compromised Source Packages Backdoor Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.103185)

Version used: $Revision: 12076 $

Misconfigured web servers allows remote clients to perform dangerous HTTP methods such as PUT and DELETE. This script checks if they are enabled and can be misused to upload or delete files.

We could upload the following files via the PUT method at this web server:

http://metasploitable2.sicurform/dav/puttest845018350.html

We could delete the following files via the DELETE method at this web server:

http://metasploitable2.sicurform/dav/puttest845018350.html

- Enabled PUT method: This might allow an attacker to upload and run arbitrary code on this web server.

- Enabled DELETE method: This might allow an attacker to delete additional files on this web server.

Solution type: Mitigation

Use access restrictions to these dangerous HTTP methods or disable them completely.

Details: Test HTTP dangerous methods (OID: 1.3.6.1.4.1.25623.1.0.10498)

Version used: $Revision: 9335 $

It was possible to login into the remote SSH server using default credentials.

As the NVT 'SSH Brute Force Logins with default Credentials' (OID: 1.3.6.1.4.1.25623.1.0.108013) might run into a timeout the actual reporting of this vulnerability takes place in this NVT instead. The script preference 'Report timeout' allows you to configure if such an timeout is reported.

It was possible to login with the following credentials <User>:<Password>

msfadmin:msfadmin
user:user

Solution type: Mitigation

Change the password as soon as possible.

Try to login with a number of known default credentials via the SSH protocol.

Details: SSH Brute Force Logins With Default Credentials Reporting (OID: 1.3.6.1.4.1.25623.1.0.103239)

Version used: $Revision: 13568 $

This host is installed with UnrealIRCd and is prone to authentication spoofing vulnerability.

Installed version: 3.2.8.1
Fixed version:     3.2.10.7

Successful exploitation of this vulnerability will allows remote attackers to spoof certificate fingerprints and consequently log in as another user.

Solution type: VendorFix

Upgrade to UnrealIRCd 3.2.10.7, or 4.0.6, or later.

UnrealIRCd before 3.2.10.7 and 4.x before 4.0.6.

The flaw exists due to an error in the 'm_authenticate' function in 'modules/m_sasl.c' script.

Checks if a vulnerable version is present on the target host.

Details: UnrealIRCd Authentication Spoofing Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.809883)

Version used: $Revision: 11874 $

The host is running TWiki and is prone to Cross-Site Request Forgery vulnerability.

Installed version: 01.Feb.2003
Fixed version:     4.3.2

Successful exploitation will allow attacker to gain administrative privileges on the target application and can cause CSRF attack.

Solution type: VendorFix

Upgrade to TWiki version 4.3.2 or later.

TWiki version prior to 4.3.2

Attack can be done by tricking an authenticated TWiki user into visiting a static HTML page on another side, where a Javascript enabled browser will send an HTTP POST request to TWiki, which in turn will process the request as the TWiki user.

Details: TWiki Cross-Site Request Forgery Vulnerability - Sep10 (OID: 1.3.6.1.4.1.25623.1.0.801281)

Version used: $Revision: 12952 $

OpenSSL is prone to security-bypass vulnerability.

Vulnerability was detected according to the Vulnerability Detection Method.

Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks.

Solution type: VendorFix

Updates are available. Please see the references for more information.

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m and 1.0.1 before 1.0.1h.

OpenSSL does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.

Send two SSL ChangeCipherSpec request and check the response.

Details: SSL/TLS: OpenSSL CCS Man in the Middle Security Bypass Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.105042)

Version used: $Revision: 12865 $

Multiple vendors' implementations of 'STARTTLS' are prone to a vulnerability that lets attackers inject arbitrary commands.

Vulnerability was detected according to the Vulnerability Detection Method.

An attacker can exploit this issue to execute arbitrary commands in the context of the user running the application. Successful exploits can allow attackers to obtain email usernames and passwords.

Solution type: VendorFix

Updates are available. Please see the references for more information.

The following vendors are affected:

Ipswitch

Kerio

Postfix

Qmail-TLS

Oracle

SCO Group

spamdyke

ISC

Send a special crafted 'STARTTLS' request and check the response.

Details: Multiple Vendors STARTTLS Implementation Plaintext Arbitrary Command Injection ... (OID: 1.3.6.1.4.1.25623.1.0.103935)

Version used: $Revision: 13204 $

In Tiki the user task component is vulnerable to a SQL Injection via the tiki-user_tasks.php show_history parameter.

Installed version: 1.9.5
Fixed version:     17.2

Solution type: VendorFix

Upgrade to version 17.2 or later.

Tiki Wiki CMS Groupware prior to version 17.2.

Checks if a vulnerable version is present on the target host.

Details: Tiki Wiki CMS Groupware < 17.2 SQL Injection Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.141885)

Version used: $Revision: 13115 $

Reports if the remote FTP Server allows anonymous logins.

It was possible to login to the remote FTP service with the following anonymous account(s):

anonymous:anonymous@example.com
ftp:anonymous@example.com

Based on the files accessible via this anonymous FTP login and the permissions of this account an attacker might be able to:

- gain access to sensitive files

- upload or delete files.

Solution type: Mitigation

If you do not want to share files, you should disable anonymous logins.

A host that provides an FTP service may additionally provide Anonymous FTP access as well. Under this arrangement, users do not strictly need an account on the host. Instead the user typically enters 'anonymous' or 'ftp' when prompted for username. Although users are commonly asked to send their email address as their password, little to no verification is actually performed on the supplied data.

Details: Anonymous FTP Login Reporting (OID: 1.3.6.1.4.1.25623.1.0.900600)

Version used: $Revision: 12030 $

The host is running TWiki and is prone to Cross-Site Request Forgery Vulnerability.

Installed version: 01.Feb.2003
Fixed version:     4.3.1

Successful exploitation will allow attacker to gain administrative privileges on the target application and can cause CSRF attack.

Solution type: VendorFix

Upgrade to version 4.3.1 or later.

TWiki version prior to 4.3.1

Remote authenticated user can create a specially crafted image tag that, when viewed by the target user, will update pages on the target system with the privileges of the target user via HTTP requests.

Details: TWiki Cross-Site Request Forgery Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.800400)

Version used: $Revision: 12952 $

Samba is prone to a vulnerability that allows attackers to execute arbitrary shell commands because the software fails to sanitize user-supplied input.

Vulnerability was detected according to the Vulnerability Detection Method.

An attacker may leverage this issue to execute arbitrary shell commands on an affected system with the privileges of the application.

Solution type: VendorFix

Updates are available. Please see the referenced vendor advisory.

This issue affects Samba 3.0.0 to 3.0.25rc3.

Send a crafted command to the samba server and check for a remote command execution.

Details: Samba MS-RPC Remote Shell Command Execution Vulnerability (Active Check) (OID: 1.3.6.1.4.1.25623.1.0.108011)

Version used: $Revision: 10398 $

Debugging functions are enabled on the remote web server.

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.

The web server has the following HTTP methods enabled: TRACE

An attacker may use this flaw to trick your legitimate web users to give him their credentials.

Solution type: Mitigation

Disable the TRACE and TRACK methods in your web server configuration.

Please see the manual of your web server or the references for more information.

Web servers with enabled TRACE and/or TRACK methods.

It has been shown that web servers supporting this methods are subject to cross-site-scripting attacks, dubbed XST for Cross-Site-Tracing, when used in conjunction with various weaknesses in browsers.

Details: HTTP Debugging Methods (TRACE/TRACK) Enabled (OID: 1.3.6.1.4.1.25623.1.0.11213)

Version used: $Revision: 10828 $

The /doc directory is browsable. /doc shows the content of the /usr/doc directory and therefore it shows which programs and - important! - the version of the installed programs.

Vulnerable url: http://metasploitable2.sicurform/doc/

Solution type: Mitigation

Use access restrictions for the /doc directory. If you use Apache you might use this in your access.conf:

<Directory /usr/doc> AllowOverride None order deny, allow deny from all allow from localhost </Directory>

Details: /doc directory browsable (OID: 1.3.6.1.4.1.25623.1.0.10056)

Version used: $Revision: 14336 $

The host is installed with Tiki Wiki CMS Groupware and is prone to a local file inclusion vulnerability.

Installed version: 1.9.5
Fixed version:     12.11

Successful exploitation will allow an user having access to the admin backend to gain access to arbitrary files and to compromise the application.

Solution type: VendorFix

Upgrade to Tiki Wiki CMS Groupware version 12.11 LTS, 15.4 or later.

Tiki Wiki CMS Groupware versions:

- below 12.11 LTS

- 13.x, 14.x and 15.x below 15.4

The Flaw is due to improper sanitization of input passed to the 'fixedURLData' parameter of the 'display_banner.php' script.

Checks if a vulnerable version is present on the target host.

Details: Tiki Wiki CMS Groupware 'fixedURLData' Local File Inclusion Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.108064)

Version used: $Revision: 11863 $

The host is installed with Tiki Wiki CMS Groupware and is prone to input sanitation weakness vulnerability.

Installed version: 1.9.5
Fixed version:     2.2

Successful exploitation could allow arbitrary code execution in the context of an affected site.

Solution type: VendorFix

Upgrade to version 2.2 or later.

Tiki Wiki CMS Groupware version prior to 2.2 on all running platform

The vulnerability is due to input validation error in tiki-error.php which fails to sanitise before being returned to the user.

Details: Tiki Wiki CMS Groupware Input Sanitation Weakness Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.800315)

Version used: $Revision: 14010 $

The remote server's SSL/TLS certificate has already expired.

The certificate of the remote service expired on 2010-04-16 14:07:45.

Certificate details:
subject ...: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
subject alternative names (SAN):
None
issued by .: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
serial ....: 00FAF93A4C7FB6B9CC
valid from : 2010-03-17 14:07:45 UTC
valid until: 2010-04-16 14:07:45 UTC
fingerprint (SHA-1): ED093088706603BFD5DC237399B498DA2D4D31C6
fingerprint (SHA-256): E7A7FA0D63E457C7C4A59B38B70849C6A70BDA6F830C7AF1E32DEE436DE813CC

Solution type: Mitigation

Replace the SSL/TLS certificate by a new one.

This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the target and reports whether any have already expired.

Details: SSL/TLS: Certificate Expired (OID: 1.3.6.1.4.1.25623.1.0.103955)

Version used: $Revision: 11103 $

The remote server's SSL/TLS certificate has already expired.

The certificate of the remote service expired on 2010-04-16 14:07:45.

Certificate details:
subject ...: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
subject alternative names (SAN):
None
issued by .: 1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
serial ....: 00FAF93A4C7FB6B9CC
valid from : 2010-03-17 14:07:45 UTC
valid until: 2010-04-16 14:07:45 UTC
fingerprint (SHA-1): ED093088706603BFD5DC237399B498DA2D4D31C6
fingerprint (SHA-256): E7A7FA0D63E457C7C4A59B38B70849C6A70BDA6F830C7AF1E32DEE436DE813CC

Solution type: Mitigation

Replace the SSL/TLS certificate by a new one.

This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the target and reports whether any have already expired.

Details: SSL/TLS: Certificate Expired (OID: 1.3.6.1.4.1.25623.1.0.103955)

Version used: $Revision: 11103 $

The Mailserver on this host answers to VRFY and/or EXPN requests.

'VRFY root' produces the following answer: 252 2.0.0 root 

Solution type: Workaround

Disable VRFY and/or EXPN on your Mailserver.

For postfix add 'disable_vrfy_command=yes' in 'main.cf'.

For Sendmail add the option 'O PrivacyOptions=goaway'.

It is suggested that, if you really want to publish this type of information, you use a mechanism that legitimate users actually know about, such as Finger or HTTP.

VRFY and EXPN ask the server for information about an address. They are inherently unusable through firewalls, gateways, mail exchangers for part-time hosts, etc.

Details: Check if Mailserver answer to VRFY and EXPN requests (OID: 1.3.6.1.4.1.25623.1.0.100072)

Version used: $Revision: 13470 $

awiki is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

Vulnerable url: http://metasploitable2.sicurform/mutillidae/index.php?page=/etc/passwd

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the host. Other attacks are also possible.

Solution type: WillNotFix

No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

awiki 20100125 is vulnerable. Other versions may also be affected.

Details: awiki Multiple Local File Include Vulnerabilities (OID: 1.3.6.1.4.1.25623.1.0.103210)

Version used: $Revision: 10741 $

The remote host is running a FTP service that allows cleartext logins over unencrypted connections.

The remote FTP service accepts logins without a previous sent 'AUTH TLS' command. Response(s):

Anonymous sessions:     331 Password required for anonymous
Non-anonymous sessions: 331 Password required for openvas-vt

An attacker can uncover login names and passwords by sniffing traffic to the FTP service.

Solution type: Mitigation

Enable FTPS or enforce the connection via the 'AUTH TLS' command. Please see the manual of the FTP service for more information.

Tries to login to a non FTPS enabled FTP service without sending a 'AUTH TLS' command first and checks if the service is accepting the login without enforcing the use of the 'AUTH TLS' command.

Details: FTP Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.108528)

Version used: $Revision: 13611 $

The remote host is running a FTP service that allows cleartext logins over unencrypted connections.

The remote FTP service accepts logins without a previous sent 'AUTH TLS' command. Response(s):

Anonymous sessions:     331 Please specify the password.
Non-anonymous sessions: 331 Please specify the password.

An attacker can uncover login names and passwords by sniffing traffic to the FTP service.

Solution type: Mitigation

Enable FTPS or enforce the connection via the 'AUTH TLS' command. Please see the manual of the FTP service for more information.

Tries to login to a non FTPS enabled FTP service without sending a 'AUTH TLS' command first and checks if the service is accepting the login without enforcing the use of the 'AUTH TLS' command.

Details: FTP Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.108528)

Version used: $Revision: 13611 $

The remote host is running a VNC server providing one or more insecure or cryptographically weak Security Type(s) not intended for use on untrusted networks.

The VNC server provides the following insecure or cryptographically weak Security Type(s):

2 (VNC authentication)

An attacker can uncover sensitive data by sniffing traffic to the VNC server.

Solution type: Mitigation

Run the session over an encrypted channel provided by IPsec [RFC4301] or SSH [RFC4254]. Some VNC server vendors are also providing more secure Security Types within their products.

Details: VNC Server Unencrypted Data Transmission (OID: 1.3.6.1.4.1.25623.1.0.108529)

Version used: $Revision: 13014 $

The host / application transmits sensitive information (username, passwords) in cleartext via HTTP.

The following input fields where identified (URL:input name):

http://metasploitable2.sicurform/phpMyAdmin/:pma_password
http://metasploitable2.sicurform/phpMyAdmin/?D=A:pma_password
http://metasploitable2.sicurform/tikiwiki/tiki-install.php:pass
http://metasploitable2.sicurform/twiki/bin/view/TWiki/TWikiUserAuthentication:oldpassword

An attacker could use this situation to compromise or eavesdrop on the HTTP communication between the client and the server using a man-in-the-middle attack to get access to sensitive data like usernames or passwords.

Solution type: Workaround

Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally make sure the host / application is redirecting all users to the secured SSL/TLS connection before allowing to input sensitive data into the mentioned functions.

Hosts / applications which doesn't enforce the transmission of sensitive data via an encrypted SSL/TLS connection.

Evaluate previous collected information and check if the host / application is not enforcing the transmission of sensitive data via an encrypted SSL/TLS connection.

The script is currently checking the following:

- HTTP Basic Authentication (Basic Auth)

- HTTP Forms (e.g. Login) with input field of type 'password'

Details: Cleartext Transmission of Sensitive Information via HTTP (OID: 1.3.6.1.4.1.25623.1.0.108440)

Version used: $Revision: 10726 $

The remote host is running a Telnet service that allows cleartext logins over unencrypted connections.

Vulnerability was detected according to the Vulnerability Detection Method.

An attacker can uncover login names and passwords by sniffing traffic to the Telnet service.

Solution type: Mitigation

Replace Telnet with a protocol like SSH which supports encrypted connections.

Details: Telnet Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.108522)

Version used: $Revision: 13620 $

This host is accepting 'RSA_EXPORT' cipher suites and is prone to man in the middle attack.

'RSA_EXPORT' cipher suites accepted by this service via the SSLv3 protocol:

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5

'RSA_EXPORT' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5

Successful exploitation will allow remote attacker to downgrade the security of a session to use 'RSA_EXPORT' cipher suites, which are significantly weaker than non-export cipher suites. This may allow a man-in-the-middle attacker to more easily break the encryption and monitor or tamper with the encrypted stream.

Solution type: VendorFix

- Remove support for 'RSA_EXPORT' cipher suites from the service.

- If running OpenSSL update to version 0.9.8zd or 1.0.0p or 1.0.1k or later.

- Hosts accepting 'RSA_EXPORT' cipher suites

- OpenSSL version before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k.

Flaw is due to improper handling RSA temporary keys in a non-export RSA key exchange cipher suite.

Check previous collected cipher suites saved in the KB.

Details: SSL/TLS: RSA Temporary Key Handling 'RSA_EXPORT' Downgrade Issue (FREAK) (OID: 1.3.6.1.4.1.25623.1.0.805142)

Version used: $Revision: 11872 $

This host is prone to an information disclosure vulnerability.

Vulnerability was detected according to the Vulnerability Detection Method.

Successful exploitation will allow a man-in-the-middle attackers gain access to the plain text data stream.

Solution type: Mitigation

Possible Mitigations are:

- Disable SSLv3

- Disable cipher suites supporting CBC cipher modes

- Enable TLS_FALLBACK_SCSV if the service is providing TLSv1.0+

The flaw is due to the block cipher padding not being deterministic and not covered by the Message Authentication Code

Evaluate previous collected information about this service.

Details: SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability ... (OID: 1.3.6.1.4.1.25623.1.0.802087)

Version used: $Revision: 11402 $

This host is prone to an information disclosure vulnerability.

Vulnerability was detected according to the Vulnerability Detection Method.

Successful exploitation will allow a man-in-the-middle attackers gain access to the plain text data stream.

Solution type: Mitigation

Possible Mitigations are:

- Disable SSLv3

- Disable cipher suites supporting CBC cipher modes

- Enable TLS_FALLBACK_SCSV if the service is providing TLSv1.0+

The flaw is due to the block cipher padding not being deterministic and not covered by the Message Authentication Code

Evaluate previous collected information about this service.

Details: SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability ... (OID: 1.3.6.1.4.1.25623.1.0.802087)

Version used: $Revision: 11402 $

This routine reports all Weak SSL/TLS cipher suites accepted by a service.

NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.

'Weak' cipher suites accepted by this service via the SSLv3 protocol:

TLS_RSA_WITH_RC4_128_SHA

'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_RC4_128_SHA

Solution type: Mitigation

The configuration of this services should be changed so that it does not accept the listed weak cipher suites anymore.

Please see the references for more resources supporting you with this task.

These rules are applied for the evaluation of the cryptographic strength:

- RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808).

- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000).

- 1024 bit RSA authentication is considered to be insecure and therefore as weak.

- Any cipher considered to be secure for only the next 10 years is considered as medium

- Any other cipher is considered as strong

Details: SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440)

Version used: $Revision: 11135 $

The remote SSH server is configured to allow weak encryption algorithms.

The following weak client-to-server encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se


The following weak server-to-client encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

Solution type: Mitigation

Disable the weak encryption algorithms.

The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak keys, and should not be used anymore.

The `none` algorithm specifies that no encryption is to be done. Note that this method provides no confidentiality protection, and it is NOT RECOMMENDED to use it.

A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.

Check if remote ssh service supports Arcfour, none or CBC ciphers.

Details: SSH Weak Encryption Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105611)

Version used: $Revision: 13581 $

This host is accepting 'DHE_EXPORT' cipher suites and is prone to man in the middle attack.

'DHE_EXPORT' cipher suites accepted by this service via the SSLv3 protocol:

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5

'DHE_EXPORT' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5

Successful exploitation will allow a man-in-the-middle attacker to downgrade the security of a TLS session to 512-bit export-grade cryptography, which is significantly weaker, allowing the attacker to more easily break the encryption and monitor or tamper with the encrypted stream.

Solution type: VendorFix

- Remove support for 'DHE_EXPORT' cipher suites from the service

- If running OpenSSL updateto version 1.0.2b or 1.0.1n or later.

- Hosts accepting 'DHE_EXPORT' cipher suites

- OpenSSL version before 1.0.2b and 1.0.1n

Flaw is triggered when handling Diffie-Hellman key exchanges defined in the 'DHE_EXPORT' cipher suites.

Check previous collected cipher suites saved in the KB.

Details: SSL/TLS: 'DHE_EXPORT' Man in the Middle Security Bypass Vulnerability (LogJam) (OID: 1.3.6.1.4.1.25623.1.0.805188)

Version used: $Revision: 11872 $

bin/statistics in TWiki 6.0.2 allows XSS via the webs parameter.

Installed version: 01.Feb.2003
Fixed version:     6.1.0

Solution type: VendorFix

Update to version 6.1.0 or later.

TWiki version 6.0.2 and probably prior.

Checks if a vulnerable version is present on the target host.

Details: TWiki < 6.1.0 XSS Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.141830)

Version used: 2019-03-26T08:16:24+0000

It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Weak and Supported Ciphers' (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

An attacker might be able to use the known cryptographic flaws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection.

Solution type: Mitigation

It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the references for more information.

All services providing an encrypted communication using the SSLv2 and/or SSLv3 protocols.

The SSLv2 and SSLv3 protocols containing known cryptographic flaws like:

- Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566)

- Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)

Check the used protocols of the services provided by this system.

Details: SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012)

Version used: $Revision: 5547 $

It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

In addition to TLSv1.0+ the service is also providing the deprecated SSLv2 and SSLv3 protocols and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Weak and Supported Ciphers' (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

An attacker might be able to use the known cryptographic flaws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection.

Solution type: Mitigation

It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the references for more information.

All services providing an encrypted communication using the SSLv2 and/or SSLv3 protocols.

The SSLv2 and SSLv3 protocols containing known cryptographic flaws like:

- Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566)

- Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)

Check the used protocols of the services provided by this system.

Details: SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012)

Version used: $Revision: 5547 $

The host is running phpMyAdmin and is prone to Cross-Site Scripting Vulnerability.

Vulnerability was detected according to the Vulnerability Detection Method.

Successful exploitation will allow attackers to inject arbitrary HTML code within the error page and conduct phishing attacks.

Solution type: WillNotFix

No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

phpMyAdmin version 3.3.8.1 and prior.

The flaw is caused by input validation errors in the 'error.php' script when processing crafted BBcode tags containing '@' characters, which could allow attackers to inject arbitrary HTML code within the error page and conduct phishing attacks.

Details: phpMyAdmin 'error.php' Cross Site Scripting Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.801660)

Version used: $Revision: 11553 $

This host is running Apache HTTP Server and is prone to cookie information disclosure vulnerability.

Vulnerability was detected according to the Vulnerability Detection Method.

Successful exploitation will allow attackers to obtain sensitive information that may aid in further attacks.

Solution type: VendorFix

Upgrade to Apache HTTP Server version 2.2.22 or later.

Apache HTTP Server versions 2.2.0 through 2.2.21

The flaw is due to an error within the default error response for status code 400 when no custom ErrorDocument is configured, which can be exploited to expose 'httpOnly' cookies.

Details: Apache HTTP Server 'httpOnly' Cookie Information Disclosure Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.902830)

Version used: $Revision: 11857 $

The host is running TWiki and is prone to cross site scripting vulnerability.

Vulnerable url: http://metasploitable2.sicurform/twiki/bin/view/Main/CccCcc

Successful exploitation will allow remote attackers to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site.

Solution type: WillNotFix

No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

TWiki version 5.1.1 and prior

The flaw is due to an improper validation of user-supplied input to the 'organization' field when registering or editing a user, which allows attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Details: TWiki 'organization' Cross-Site Scripting Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.802391)

Version used: $Revision: 13659 $

The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).

Server Temporary Key Size: 1024 bits

An attacker might be able to decrypt the SSL/TLS communication offline.

Solution type: Workaround

Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-Hellman group (see the references).

For Apache Web Servers: Beginning with version 2.4.7, mod_ssl will use DH parameters which include primes with lengths of more than 1024 bits.

The Diffie-Hellman group are some big numbers that are used as base for the DH computations. They can be, and often are, fixed. The security of the final secret depends on the size of these parameters. It was found that 512 and 768 bits to be weak, 1024 bits to be breakable by really powerful attackers like governments.

Checks the DHE temporary public key size.

Details: SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerabili... (OID: 1.3.6.1.4.1.25623.1.0.106223)

Version used: $Revision: 12865 $

The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size < 2048).

Server Temporary Key Size: 1024 bits

An attacker might be able to decrypt the SSL/TLS communication offline.

Solution type: Workaround

Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-Hellman group (see the references).

For Apache Web Servers: Beginning with version 2.4.7, mod_ssl will use DH parameters which include primes with lengths of more than 1024 bits.

The Diffie-Hellman group are some big numbers that are used as base for the DH computations. They can be, and often are, fixed. The security of the final secret depends on the size of these parameters. It was found that 512 and 768 bits to be weak, 1024 bits to be breakable by really powerful attackers like governments.

Checks the DHE temporary public key size.

Details: SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerabili... (OID: 1.3.6.1.4.1.25623.1.0.106223)

Version used: $Revision: 12865 $

The remote service is using a SSL/TLS certificate in the certificate chain that has been signed using a cryptographically weak hashing algorithm.

The following certificates are part of the certificate chain but using insecure signature algorithms:

Subject:              1.2.840.113549.1.9.1=#726F6F74407562756E74753830342D626173652E6C6F63616C646F6D61696E,CN=ubuntu804-base.localdomain,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
Signature Algorithm:  sha1WithRSAEncryption

Solution type: Mitigation

Servers that use SSL/TLS certificates signed with a weak SHA-1, MD5, MD4 or MD2 hashing algorithm will need to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser SSL/TLS certificate warnings.

The following hashing algorithms used for signing SSL/TLS certificates are considered cryptographically weak and not secure enough for ongoing use:

- Secure Hash Algorithm 1 (SHA-1)

- Message Digest 5 (MD5)

- Message Digest 4 (MD4)

- Message Digest 2 (MD2)

Beginning as late as January 2017 and as early as June 2016, browser developers such as Microsoft and Google will begin warning users when visiting web sites that use SHA-1 signed Secure Socket Layer (SSL) certificates.

NOTE: The script preference allows to set one or more custom SHA-1 fingerprints of CA certificates which are trusted by this routine. The fingerprints needs to be passed comma-separated and case-insensitive:

Fingerprint1

or

fingerprint1,Fingerprint2

Check which hashing algorithm was used to sign the remote SSL/TLS certificate.

Details: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm (OID: 1.3.6.1.4.1.25623.1.0.105880)

Version used: $Revision: 11524 $

An XSS vulnerability (via an SVG image) in Tiki allows an authenticated user to gain administrator privileges if an administrator opens a wiki page with a malicious SVG image, related to lib/filegals/filegallib.php.

Installed version: 1.9.5
Fixed version:     18.0

Solution type: VendorFix

Upgrade to version 18.0 or later.

Tiki Wiki CMS Groupware prior to version 18.0.

Checks if a vulnerable version is present on the target host.

Details: Tiki Wiki CMS Groupware XSS Vulnerability (OID: 1.3.6.1.4.1.25623.1.0.140797)

Version used: $Revision: 12116 $

The remote host implements TCP timestamps and therefore allows to compute the uptime.

It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 3137948370
Packet 2: 3137949502

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution type: Mitigation

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.

TCP/IPv4 implementations that implement RFC1323.

The remote host implements TCP timestamps, as defined by RFC1323.

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported.

Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

Version used: $Revision: 14310 $

The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

The following weak client-to-server MAC algorithms are supported by the remote service:

hmac-md5
hmac-md5-96
hmac-sha1-96


The following weak server-to-client MAC algorithms are supported by the remote service:

hmac-md5
hmac-md5-96
hmac-sha1-96

Solution type: Mitigation

Disable the weak MAC algorithms.

Details: SSH Weak MAC Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105610)

Version used: $Revision: 13581 $