New ReportSave Report

July 8, 2009

1.0  Introduction

On June 29, 2009, at 3:01 PM, a heavy vulnerability assessment was conducted using the SAINT® 7.0 vulnerability scanner. The scan discovered a total of five live hosts, and detected 42 critical problems, 94 areas of concern, and 110 potential problems. The hosts and problems detected are discussed in greater detail in the following sections.

2.0  Summary

The following vulnerability severity levels are used to categorize the vulnerabilities:

CRITICAL PROBLEMS
Vulnerabilities which pose an immediate threat to the network by allowing a remote attacker to directly gain read or write access, execute commands on the target, or create a denial of service.

AREAS OF CONCERN
Vulnerabilities which do not directly allow remote access, but do allow privilege elevation attacks, attacks on other targets using the vulnerable host as an intermediary, or gathering of passwords or configuration information which could be used to plan an attack.

POTENTIAL PROBLEMS
Warnings which may or may not be vulnerabilities, depending upon the patch level or configuration of the target. Further investigation on the part of the system administrator may be necessary.

SERVICES
Network services which accept client connections on a given TCP or UDP port. This is simply a count of network services, and does not imply that the service is or is not vulnerable.

The sections below summarize the results of the scan.

2.1  Vulnerabilities by Severity

This section shows the overall number of vulnerabilities and services detected at each severity level.

2.2  Hosts by Severity

This section shows the overall number of hosts detected at each severity level. The severity level of a host is defined as the highest vulnerability severity level detected on that host.

2.3  Vulnerabilities by Class

This section shows the number of vulnerabilities detected in each of the following classes.


Class Description
Web Vulnerabilities in web servers, CGI programs, and any other software offering an HTTP interface
Mail Vulnerabilities in SMTP, IMAP, POP, or web-based mail services
File Transfer Vulnerabilities in FTP and TFTP services
Login/Shell Vulnerabilities in ssh, telnet, rlogin, rsh, or rexec services
Print Services Vulnerabilities in lpd and other print daemons
RPC Vulnerabilities in Remote Procedure Call services
DNS Vulnerabilities in Domain Name Services
Databases Vulnerabilities in database services
Networking/SNMP Vulnerabilities in routers, switches, firewalls, or any SNMP service
Windows OS Missing hotfixes or vulnerabilities in the registry or SMB shares
Passwords Missing or easily guessed user passwords
Other Any vulnerability which does not fit into one of the above classes


2.4  Vulnerabilities by Subnet

This section shows the number of vulnerabilities detected at each severity level for each subnet that was scanned.




2.5  Hosts by Subnet

This section shows the overall number of hosts detected at each severity level for each subnet that was scanned. The severity level of a host is defined as the highest vulnerability severity level detected on that host.




2.6  Vulnerabilities per Class by Subnet

This section shows the overall number of vulnerabilities detected in each vulnerability class for each subnet that was scanned.

172.16.0

172.16.1

3.0  Overview

The following tables present an overview of the hosts discovered on the network and the vulnerabilities contained therein.

3.1  Host List

This table presents an overview of the hosts discovered on the network.


Host Name Netbios Name IP Address Host Type Critical Problems Areas of Concern Potential Problems
host1.domain.com HOST1 172.16.0.1 Windows 2000 Service Pack 1 21 30 36
host2.domain.com HOST2 172.16.1.2 Windows Server 2003 8 29 31
host3.domain.com   172.16.1.3 Sun Solaris 2.5.1 - 9 (SunOS 5.9) 11 4 17
host4.domain.com HOST4 172.16.1.4 Windows XP Service Pack 2 0 20 19
host5.domain.com   172.16.1.5 Linux 2.4.20-28.7 - Red Hat 2 11 7

3.2  Vulnerability List

This table presents an overview of the vulnerabilities detected on the network.


Host Name Severity Vulnerability / Service Class CVE Exploit Available?
host1.domain.com critical Download.Ject detected on web server Other   no
host1.domain.com critical Guessed password to windows account (foobar:foobar) Passwords   no
host1.domain.com critical MS FrontPage Server Extension Vulnerability: /_vti_bin/shtml.dll Web CVE-2003-0824 no
host1.domain.com critical MS FrontPage Server Extension Vulnerability: remote debug Web CVE-2003-0822 yes
host1.domain.com critical Folder traversal in IIS (Double Decoding) Web CVE-2001-0333 yes
host1.domain.com critical Folder traversal in IIS (Unicode Translation) Web CVE-2000-0884 yes
host1.domain.com critical vulnerabilities in IIS 5 Web CVE-2000-0770 CVE-2001-0151 CVE-2001-0241 CVE-2001-0500 CVE-2001-0507 CVE-2002-0869 CVE-2002-1180 CVE-2002-1181 CVE-2002-1182 CVE-2003-0223 CVE-2003-0224 CVE-2003-0225 CVE-2003-0226 yes
host1.domain.com critical MailEnable HTTPMail vulnerability Mail CVE-2005-1348 CVE-2005-2222 CVE-2006-1338 yes
host1.domain.com critical MS Site Server default account Other CVE-2002-1769 CVE-2002-2073 CVE-2002-2081 no
host1.domain.com critical vulnerability in Windows Media Services (nsiislog.dll) Web CVE-2003-0227 CVE-2003-0349 no
host1.domain.com critical Windows Plug and Play vulnerability Windows OS CVE-2005-1983 yes
host1.domain.com critical RPC runtime library vulnerability Windows OS CVE-2003-0807 CVE-2003-0813 CVE-2004-0116 CVE-2004-0124 no
host1.domain.com critical Windows 2000 ASN1 buffer overflow Windows OS CVE-2003-0818 no
host1.domain.com critical Windows 2000 RPC buffer overflow Windows OS CVE-2003-0352 yes
host1.domain.com critical Windows COM+ command execution vulnerability Windows OS CVE-2005-1978 CVE-2005-1979 CVE-2005-1980 CVE-2005-2119 no
host1.domain.com critical Windows SMB Transaction response buffer overflow Windows OS CVE-2005-0045 no
host1.domain.com critical Windows SMB input validation vulnerability Windows OS CVE-2005-1206 no
host1.domain.com critical Windows TCP/IP vulnerabilities Windows OS CVE-2004-0230 CVE-2004-0790 CVE-2004-1060 CVE-2005-0048 CVE-2005-0688 no
host1.domain.com critical Windows WMF gdi32.dll vulnerability Windows OS CVE-2005-4560 yes
host1.domain.com critical pointer corruption vulnerability in WINS replication service Windows OS CVE-2004-0567 CVE-2004-1080 yes
host1.domain.com critical Worm detected (Code Red II) Other   no
host1.domain.com concern Web server allows cross-site tracing Web   no
host1.domain.com concern Windows DNS server allows cache poisoning DNS CVE-2001-1452 no
host1.domain.com concern Internet Explorer COM object memory corruption Windows OS CVE-2005-2127 no
host1.domain.com concern Internet Explorer Create Text Range code injection Windows OS CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 yes
host1.domain.com concern Internet Explorer JPEG buffer overflow Windows OS CVE-2005-1988 CVE-2005-1989 CVE-2005-1990 yes
host1.domain.com concern Internet Explorer JS stack overflow Windows OS CVE-2006-0753 CVE-2006-0830 no
host1.domain.com concern Internet Explorer JavaScript vulnerability Windows OS CVE-2005-1790 CVE-2005-2829 CVE-2005-2830 CVE-2005-2831 yes
host1.domain.com concern Internet Explorer PNG buffer overflow Windows OS CVE-2002-0648 CVE-2005-1211 no
host1.domain.com concern Internet Explorer URL parsing buffer overflow Windows OS CVE-2005-0553 CVE-2005-0554 CVE-2005-0555 yes
host1.domain.com concern Internet Explorer WMF handling vulnerability Windows OS CVE-2006-0020 no
host1.domain.com concern vulnerability in License Logging Service Windows OS CVE-2005-0050 no
host1.domain.com concern AxWebRemoveCtrl ActiveX control enabled Web CVE-2005-3693 no
host1.domain.com concern CodeSupport ActiveX control enabled Web CVE-2005-3650 no
host1.domain.com concern null session access using alternate pipes Windows OS CVE-2005-2150 no
host1.domain.com concern Windows Plug and Play privilege elevation Windows OS CVE-2005-2120 no
host1.domain.com concern Run key allows write access Windows OS CVE-1999-0589 no
host1.domain.com concern Uninstall key allows write access Windows OS CVE-1999-0589 no
host1.domain.com concern Windows telephony service vulnerability Windows OS CVE-2005-0058 yes
host1.domain.com concern DirectShow buffer overflow Windows OS CVE-2005-2128 no
host1.domain.com concern HTML Application Host vulnerability in Windows shell Windows OS CVE-2005-0063 no
host1.domain.com concern Microsoft Color Management Module buffer overflow Windows OS CVE-2005-1219 yes
host1.domain.com concern Microsoft Data Access Component vulnerability Windows OS CVE-2006-0003 yes
host1.domain.com concern Windows DHTML Editing Component vulnerability Windows OS CVE-2004-1319 no
host1.domain.com concern Windows Explorer COM object command execution Windows OS CVE-2004-2289 CVE-2006-0012 no
host1.domain.com concern Windows Hyperlink Object Library buffer overflow Windows OS CVE-2005-0057 no
host1.domain.com concern Windows Kernel privilege elevation vulnerability Windows OS CVE-2005-2827 no
host1.domain.com concern Windows Media Player plug-in EMBED vulnerability Windows OS CVE-2006-0005 yes
host1.domain.com concern Windows Web Fonts vulnerability Windows OS CVE-2006-0010 no
host1.domain.com concern Windows shortcut file command execution Windows OS CVE-2005-2117 CVE-2005-2118 CVE-2005-2122 no
host1.domain.com concern vulnerable WinZip version: 8.0 Other CVE-2001-0449 CVE-2004-1465 no
host1.domain.com potential guessable read community string Networking/SNMP CVE-1999-0516 CVE-1999-0517 no
host1.domain.com potential Internet Explorer Shell.Explorer object enabled Windows OS CVE-2004-0985 no
host1.domain.com potential Javaprxy.dll access through Internet Explorer Windows OS CVE-2005-2087 yes
host1.domain.com potential last user name shown in login box Windows OS CVE-1999-0592 no
host1.domain.com potential MailEnable Enterprise 1.04 may be vulnerable Mail CVE-2005-1013 CVE-2005-1781 CVE-2005-2223 yes
host1.domain.com potential possible vulnerability in MailEnable Enterprise IMAP 1.04 Mail CVE-2005-1014 CVE-2005-1015 CVE-2005-2278 CVE-2005-3155 CVE-2005-3690 CVE-2005-3691 CVE-2005-3813 CVE-2005-3993 CVE-2005-4402 CVE-2005-4456 CVE-2005-4457 CVE-2006-0504 yes
host1.domain.com potential possible vulnerability in MailEnable Enterprise POP3 1.04 Mail CVE-2006-1337 no
host1.domain.com potential possible vulnerability in MailEnable POP3 0 Mail   no
host1.domain.com potential excessive null session access Windows OS CVE-2000-1200 no
host1.domain.com potential Possible ODBC RDS Vulnerability Web CVE-1999-1011 CVE-2002-1142 no
host1.domain.com potential chargen could be used in UDP bomb Networking/SNMP CVE-1999-0103 no
host1.domain.com potential pop receives password in clear Mail   no
host1.domain.com potential possible vulnerability in PPTP service Other CVE-2002-1214 no
host1.domain.com potential SNMP is enabled and may be vulnerable Networking/SNMP CVE-1999-0615 CVE-2002-0012 CVE-2002-0013 CVE-2002-0053 CVE-2002-0796 CVE-2002-0797 no
host1.domain.com potential TCP reset using approximate sequence number Other CVE-2004-0230 no
host1.domain.com potential password complexity policy disabled Windows OS CVE-1999-0535 no
host1.domain.com potential weak account lockout policy (0) Windows OS CVE-1999-0582 no
host1.domain.com potential weak minimum password age policy (0 days) Windows OS CVE-1999-0535 no
host1.domain.com potential weak minimum password length policy (0) Windows OS CVE-1999-0535 no
host1.domain.com potential weak password history policy (0) Windows OS CVE-1999-0535 no
host1.domain.com potential non-administrative users can act as part of the operating system Windows OS CVE-1999-0534 no
host1.domain.com potential non-administrative users can bypass traverse checking Windows OS CVE-1999-0534 no
host1.domain.com potential non-administrative users can create token object Windows OS CVE-1999-0534 no
host1.domain.com potential auditing is disabled Windows OS CVE-1999-0575 no
host1.domain.com potential Password never expires for user LDAP_Anonymous Windows OS   no
host1.domain.com potential Password never expires for user foobar Windows OS   no
host1.domain.com potential Client Service for Netware vulnerability Windows OS CVE-2005-1985 no
host1.domain.com potential Collaboration Data Objects vulnerability Windows OS CVE-2005-1987 no
host1.domain.com potential FTP Client vulnerability Windows OS CVE-2005-2126 no
host1.domain.com potential Jet Database Engine input validation problems Windows OS CVE-2005-0944 yes
host1.domain.com potential Microsoft Agent spoofing vulnerability Windows OS CVE-2005-1214 no
host1.domain.com potential Network Connection Manager vulnerability Windows OS CVE-2005-2307 no
host1.domain.com potential Win2000 SP2 Security Rollup 1 not installed Windows OS CVE-1999-0662 no
host1.domain.com potential Windows 2000 SP4 Update Rollup 1 not applied Windows OS CVE-2005-3168 CVE-2005-3169 CVE-2005-3170 CVE-2005-3171 CVE-2005-3172 CVE-2005-3173 CVE-2005-3174 CVE-2005-3175 CVE-2005-3176 CVE-2005-3177 no
host1.domain.com potential Windows Media Player URL script execution Windows OS CVE-2003-1107 no
host1.domain.com potential potential vulnerability in WINS Windows OS CVE-2003-0825 no
host1.domain.com service 17/TCP     no
host1.domain.com service 17/UDP     no
host1.domain.com service 42/TCP     no
host1.domain.com service 1027/TCP     no
host1.domain.com service 1028/TCP     no
host1.domain.com service 1031/UDP     no
host1.domain.com service 1033/TCP     no
host1.domain.com service 1035/UDP     no
host1.domain.com service 1036/TCP     no
host1.domain.com service 1037/UDP     no
host1.domain.com service 1038/TCP     no
host1.domain.com service 1039/TCP     no
host1.domain.com service 1041/UDP     no
host1.domain.com service 1043/UDP     no
host1.domain.com service 1645/UDP     no
host1.domain.com service 1646/UDP     no
host1.domain.com service 1701/UDP     no
host1.domain.com service 1723/TCP     no
host1.domain.com service 1755/TCP     no
host1.domain.com service 1755/UDP     no
host1.domain.com service 1813/UDP     no
host1.domain.com service 3372/TCP     no
host1.domain.com service 6666/TCP     no
host1.domain.com service 7007/TCP     no
host1.domain.com service 7778/TCP     no
host1.domain.com service 8081/TCP     no
host1.domain.com service DNS     no
host1.domain.com service IMAP     no
host1.domain.com service POP     no
host1.domain.com service SMB     no
host1.domain.com service SMTP     no
host1.domain.com service SNMP     no
host1.domain.com service WWW     no
host1.domain.com service WWW (Secure)     no
host1.domain.com service WWW (non-standard port 8080)     no
host1.domain.com service bootpc (68/UDP)     no
host1.domain.com service bootps (67/UDP)     no
host1.domain.com service chargen (19/TCP)     no
host1.domain.com service chargen:UDP (19/UDP)     no
host1.domain.com service daytime (13/TCP)     no
host1.domain.com service daytime (13/UDP)     no
host1.domain.com service discard (9/TCP)     no
host1.domain.com service discard (9/UDP)     no
host1.domain.com service domain (53/TCP)     no
host1.domain.com service domain (53/UDP)     no
host1.domain.com service echo (7/TCP)     no
host1.domain.com service echo (7/UDP)     no
host1.domain.com service epmap (135/TCP)     no
host1.domain.com service epmap (135/UDP)     no
host1.domain.com service isakmp (500/UDP)     no
host1.domain.com service microsoft-ds (445/TCP)     no
host1.domain.com service microsoft-ds (445/UDP)     no
host1.domain.com service name (42/UDP)     no
host1.domain.com service netbios-dgm (138/UDP)     no
host1.domain.com service netbios-ns (137/UDP)     no
host1.domain.com service printer (515/TCP)     no
host1.domain.com service radius (1812/UDP)     no
host1.domain.com info User: Administrator     no
host1.domain.com info User: DHCP Administrators     no
host1.domain.com info User: DHCP Users     no
host1.domain.com info User: Guest     no
host1.domain.com info User: IME_ADMIN     no
host1.domain.com info User: IME_USER     no
host1.domain.com info User: IUSR_HOST1     no
host1.domain.com info User: IWAM_HOST1     no
host1.domain.com info User: LDAP_Anonymous     no
host1.domain.com info User: NetShow Administrators     no
host1.domain.com info User: NetShowServices     no
host1.domain.com info User: TsInternetUser     no
host1.domain.com info User: WINS Users     no
host1.domain.com info User: foobar     no
host1.domain.com info Windows service: Alerter     no
host1.domain.com info Windows service: COM+ Event System     no
host1.domain.com info Windows service: Computer Browser     no
host1.domain.com info Windows service: DHCP Client     no
host1.domain.com info Windows service: DHCP Server     no
host1.domain.com info Windows service: DNS Client     no
host1.domain.com info Windows service: DNS Server     no
host1.domain.com info Windows service: Distributed File System     no
host1.domain.com info Windows service: Distributed Link Tracking Client     no
host1.domain.com info Windows service: Distributed Transaction Coordinator     no
host1.domain.com info Windows service: Event Log     no
host1.domain.com info Windows service: FTP Publishing Service     no
host1.domain.com info Windows service: IIS Admin Service     no
host1.domain.com info Windows service: IPSEC Policy Agent     no
host1.domain.com info Windows service: Internet Authentication Service     no
host1.domain.com info Windows service: License Logging Service     no
host1.domain.com info Windows service: Logical Disk Manager     no
host1.domain.com info Windows service: MailEnable HTTPMail Service     no
host1.domain.com info Windows service: MailEnable IMAP Service     no
host1.domain.com info Windows service: MailEnable List Connector     no
host1.domain.com info Windows service: MailEnable Mail Transfer Agent     no
host1.domain.com info Windows service: MailEnable Management Service     no
host1.domain.com info Windows service: MailEnable POP Connector     no
host1.domain.com info Windows service: MailEnable POP Service     no
host1.domain.com info Windows service: MailEnable Postoffice Connector     no
host1.domain.com info Windows service: MailEnable SMTP Connector     no
host1.domain.com info Windows service: Messenger     no
host1.domain.com info Windows service: NT LM Security Support Provider     no
host1.domain.com info Windows service: Net Logon     no
host1.domain.com info Windows service: Plug and Play     no
host1.domain.com info Windows service: Print Server for Macintosh     no
host1.domain.com info Windows service: Print Spooler     no
host1.domain.com info Windows service: Protected Storage     no
host1.domain.com info Windows service: Remote Access Connection Manager     no
host1.domain.com info Windows service: Remote Procedure Call (RPC)     no
host1.domain.com info Windows service: Remote Registry Service     no
host1.domain.com info Windows service: Removable Storage     no
host1.domain.com info Windows service: Routing and Remote Access     no
host1.domain.com info Windows service: RunAs Service     no
host1.domain.com info Windows service: SNMP Service     no
host1.domain.com info Windows service: Security Accounts Manager     no
host1.domain.com info Windows service: Server     no
host1.domain.com info Windows service: Simple Mail Transport Protocol (SMTP)     no
host1.domain.com info Windows service: Simple TCP/IP Services     no
host1.domain.com info Windows service: System Event Notification     no
host1.domain.com info Windows service: TCP/IP NetBIOS Helper Service     no
host1.domain.com info Windows service: TCP/IP Print Server     no
host1.domain.com info Windows service: Task Scheduler     no
host1.domain.com info Windows service: Telephony     no
host1.domain.com info Windows service: Windows Internet Name Service (WINS)     no
host1.domain.com info Windows service: Windows Management Instrumentation     no
host1.domain.com info Windows service: Windows Management Instrumentation Driver Extensions     no
host1.domain.com info Windows service: Windows Media Monitor Service     no
host1.domain.com info Windows service: Windows Media Program Service     no
host1.domain.com info Windows service: Windows Media Station Service     no
host1.domain.com info Windows service: Windows Media Unicast Service     no
host1.domain.com info Windows service: Windows Time     no
host1.domain.com info Windows service: Workstation     no
host1.domain.com info Windows service: World Wide Web Publishing Service     no
host2.domain.com critical Guessed password to windows account (foobar:foobar) Passwords   no
host2.domain.com critical Windows print spooler vulnerability Print Services CVE-2005-1984 no
host2.domain.com critical RPC runtime library vulnerability Windows OS CVE-2003-0807 CVE-2003-0813 CVE-2004-0116 CVE-2004-0124 no
host2.domain.com critical Win2003 RPC buffer overflow Windows OS CVE-2003-0352 yes
host2.domain.com critical Windows SMB Transaction response buffer overflow Windows OS CVE-2005-0045 no
host2.domain.com critical Windows SMB input validation vulnerability Windows OS CVE-2005-1206 no
host2.domain.com critical Windows TCP/IP vulnerabilities Windows OS CVE-2004-0230 CVE-2004-0790 CVE-2004-1060 CVE-2005-0048 CVE-2005-0688 no
host2.domain.com critical Windows WMF gdi32.dll vulnerability Windows OS CVE-2005-4560 yes
host2.domain.com concern Internet Explorer COM object memory corruption Windows OS CVE-2005-2127 no
host2.domain.com concern Internet Explorer Create Text Range code injection Windows OS CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 yes
host2.domain.com concern Internet Explorer JPEG buffer overflow Windows OS CVE-2005-1988 CVE-2005-1989 CVE-2005-1990 yes
host2.domain.com concern Internet Explorer JS stack overflow Windows OS CVE-2006-0753 CVE-2006-0830 no
host2.domain.com concern Internet Explorer JavaScript vulnerability Windows OS CVE-2005-1790 CVE-2005-2829 CVE-2005-2830 CVE-2005-2831 yes
host2.domain.com concern Internet Explorer PNG buffer overflow Windows OS CVE-2002-0648 CVE-2005-1211 no
host2.domain.com concern Internet Explorer URL parsing buffer overflow Windows OS CVE-2005-0553 CVE-2005-0554 CVE-2005-0555 yes
host2.domain.com concern Outlook Express Windows Address Book vulnerability Mail CVE-2006-0014 no
host2.domain.com concern CodeSupport ActiveX control enabled Web CVE-2005-3650 no
host2.domain.com concern Sunncomm ActiveX control enabled Web   no
host2.domain.com concern Windows Plug and Play vulnerability Windows OS CVE-2005-1983 yes
host2.domain.com concern Run key allows write access Windows OS CVE-1999-0589 no
host2.domain.com concern Uninstall key allows write access Windows OS CVE-1999-0589 no
host2.domain.com concern DACL privilege elevation Windows OS CVE-2006-0023 no
host2.domain.com concern DirectShow buffer overflow Windows OS CVE-2005-2128 no
host2.domain.com concern Microsoft Color Management Module buffer overflow Windows OS CVE-2005-1219 yes
host2.domain.com concern Microsoft Data Access Component vulnerability Windows OS CVE-2006-0003 yes
host2.domain.com concern Windows COM+ command execution vulnerability Windows OS CVE-2005-1978 CVE-2005-1979 CVE-2005-1980 CVE-2005-2119 no
host2.domain.com concern Windows EMF/WMF image file vulnerability Windows OS CVE-2005-0803 CVE-2005-2123 CVE-2005-2124 no
host2.domain.com concern Windows Explorer COM object command execution Windows OS CVE-2004-2289 CVE-2006-0012 no
host2.domain.com concern Windows HTML Help integer overflow Windows OS CVE-2005-1208 no
host2.domain.com concern Windows Hyperlink Object Library buffer overflow Windows OS CVE-2005-0057 no
host2.domain.com concern Windows Media Player PNG image vulnerability Windows OS CVE-2004-1244 no
host2.domain.com concern Windows Media Player bmp buffer overflow Windows OS CVE-2006-0006 no
host2.domain.com concern Windows Media Player plug-in EMBED vulnerability Windows OS CVE-2006-0005 yes
host2.domain.com concern Windows OLE input validation vulnerability Windows OS CVE-2005-0044 CVE-2005-0047 no
host2.domain.com concern Windows Web Fonts vulnerability Windows OS CVE-2006-0010 no
host2.domain.com concern Windows shortcut file command execution Windows OS CVE-2005-2117 CVE-2005-2118 CVE-2005-2122 no
host2.domain.com concern Windows telnet client session variable disclosure Windows OS CVE-2005-1205 no
host2.domain.com potential Internet Explorer ADODB.Stream object enabled Windows OS   no
host2.domain.com potential Internet Explorer Shell.Explorer object enabled Windows OS CVE-2004-0985 no
host2.domain.com potential Javaprxy.dll access through Internet Explorer Windows OS CVE-2005-2087 yes
host2.domain.com potential last user name shown in login box Windows OS CVE-1999-0592 no
host2.domain.com potential Outlook Express NNTP buffer overflow Mail CVE-2005-1213 yes
host2.domain.com potential User newuser has never logged in Windows OS   no
host2.domain.com potential password complexity policy disabled Windows OS CVE-1999-0535 no
host2.domain.com potential weak account lockout policy (0) Windows OS CVE-1999-0582 no
host2.domain.com potential weak minimum password age policy (0 days) Windows OS CVE-1999-0535 no
host2.domain.com potential weak minimum password length policy (0) Windows OS CVE-1999-0535 no
host2.domain.com potential weak password history policy (0) Windows OS CVE-1999-0535 no
host2.domain.com potential non-administrative users can bypass traverse checking Windows OS CVE-1999-0534 no
host2.domain.com potential non-administrative users can replace a process level token Windows OS CVE-1999-0534 no
host2.domain.com potential account management auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential account management failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential logon failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential object access auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential object access failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential policy change auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential policy change failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential system event auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential system event failure auditing disabled Windows OS CVE-1999-0575 no
host2.domain.com potential Password never expires for user foobar Windows OS   no
host2.domain.com potential Windows TCP/IP Stack not hardened Other CVE-2005-0688 CVE-2005-1649 no
host2.domain.com potential Client Service for Netware vulnerability Windows OS CVE-2005-1985 no
host2.domain.com potential Collaboration Data Objects vulnerability Windows OS CVE-2005-1987 no
host2.domain.com potential FTP Client vulnerability Windows OS CVE-2005-2126 no
host2.domain.com potential Jet Database Engine input validation problems Windows OS CVE-2005-0944 yes
host2.domain.com potential Microsoft Agent spoofing vulnerability Windows OS CVE-2005-1214 no
host2.domain.com potential Network Connection Manager vulnerability Windows OS CVE-2005-2307 no
host2.domain.com potential Windows Media Player URL script execution Windows OS CVE-2003-1107 no
host2.domain.com service 33430/UDP     no
host2.domain.com service 33431/UDP     no
host2.domain.com service 33432/UDP     no
host2.domain.com service 33433/UDP     no
host2.domain.com service 33434/UDP     no
host2.domain.com service 33435/UDP     no
host2.domain.com service 33436/UDP     no
host2.domain.com service 33437/UDP     no
host2.domain.com service 1/UDP     no
host2.domain.com service 1025/TCP     no
host2.domain.com service 1026/TCP     no
host2.domain.com service SMB     no
host2.domain.com service epmap (135/TCP)     no
host2.domain.com service isakmp (500/UDP)     no
host2.domain.com service microsoft-ds (445/TCP)     no
host2.domain.com service microsoft-ds (445/UDP)     no
host2.domain.com service netbios-dgm (138/UDP)     no
host2.domain.com service netbios-ns (137/UDP)     no
host2.domain.com service ntp (123/UDP)     no
host2.domain.com info User: Administrator     no
host2.domain.com info User: Guest     no
host2.domain.com info User: HelpServicesGroup     no
host2.domain.com info User: SUPPORT_388945a0     no
host2.domain.com info User: TelnetClients     no
host2.domain.com info User: foobar     no
host2.domain.com info User: newuser     no
host2.domain.com info Windows service: Automatic Updates     no
host2.domain.com info Windows service: COM+ Event System     no
host2.domain.com info Windows service: Computer Browser     no
host2.domain.com info Windows service: Cryptographic Services     no
host2.domain.com info Windows service: DHCP Client     no
host2.domain.com info Windows service: DNS Client     no
host2.domain.com info Windows service: Distributed File System     no
host2.domain.com info Windows service: Distributed Link Tracking Client     no
host2.domain.com info Windows service: Distributed Transaction Coordinator     no
host2.domain.com info Windows service: Error Reporting Service     no
host2.domain.com info Windows service: Event Log     no
host2.domain.com info Windows service: Help and Support     no
host2.domain.com info Windows service: IPSEC Services     no
host2.domain.com info Windows service: Logical Disk Manager     no
host2.domain.com info Windows service: MCPop3 Service     no
host2.domain.com info Windows service: MCSmtp Service     no
host2.domain.com info Windows service: Net Logon     no
host2.domain.com info Windows service: Plug and Play     no
host2.domain.com info Windows service: Print Spooler     no
host2.domain.com info Windows service: Protected Storage     no
host2.domain.com info Windows service: Remote Procedure Call (RPC)     no
host2.domain.com info Windows service: Remote Registry     no
host2.domain.com info Windows service: Secondary Logon     no
host2.domain.com info Windows service: Security Accounts Manager     no
host2.domain.com info Windows service: Server     no
host2.domain.com info Windows service: Shell Hardware Detection     no
host2.domain.com info Windows service: System Event Notification     no
host2.domain.com info Windows service: TCP/IP NetBIOS Helper     no
host2.domain.com info Windows service: Task Scheduler     no
host2.domain.com info Windows service: Terminal Services     no
host2.domain.com info Windows service: Windows Audio     no
host2.domain.com info Windows service: Windows Management Instrumentation     no
host2.domain.com info Windows service: Windows Time     no
host2.domain.com info Windows service: Wireless Configuration     no
host2.domain.com info Windows service: Workstation     no
host3.domain.com critical cachefsd may be vulnerable RPC CVE-2002-0033 CVE-2002-0084 yes
host3.domain.com critical Calendar Manager service may be vulnerable RPC CVE-1999-0320 CVE-1999-0696 no
host3.domain.com critical possible buffer overflow in dtspcd Other CVE-2001-0803 no
host3.domain.com critical rpc.walld service may be vulnerable RPC CVE-2002-0573 no
host3.domain.com critical sadmind may be vulnerable to buffer overflow RPC CVE-1999-0977 no
host3.domain.com critical Vulnerable Sendmail version: 8.6 Mail CVE-1999-0129 CVE-1999-0131 CVE-1999-0203 CVE-1999-0204 CVE-1999-1109 CVE-1999-1309 CVE-2000-0319 CVE-2002-1337 CVE-2003-0161 CVE-2003-0681 CVE-2003-0694 CVE-2006-0058 no
host3.domain.com critical SNMP to DMI mapper may be vulnerable Networking/SNMP CVE-2001-0236 yes
host3.domain.com critical possible vulnerability in Sun lpd Print Services CVE-2001-0353 no
host3.domain.com critical possible format string vulnerability in tooltalk RPC CVE-2001-0717 no
host3.domain.com critical possible input validation error in tooltalk RPC CVE-2002-0677 CVE-2002-0678 no
host3.domain.com critical tooltalk version may be vulnerable to buffer overflow RPC CVE-1999-0003 CVE-1999-0693 CVE-2002-0679 no
host3.domain.com concern Excessive finger information Other CVE-1999-0612 no
host3.domain.com concern Solaris fingerd user list disclosure Other CVE-2001-1503 no
host3.domain.com concern Information from rusersd could help hacker RPC CVE-1999-0626 no
host3.domain.com concern signal handling race condition in Sendmail Mail CVE-2001-1349 no
host3.domain.com potential possible vulnerability in dtlogin Other CVE-2004-0368 no
host3.domain.com potential Possible globbing vulnerability in SunOS ftpd File Transfer CVE-2001-0249 no
host3.domain.com potential KCMS server may be vulnerable RPC CVE-2003-0027 no
host3.domain.com potential possible vulnerability in login Login/Shell CVE-2001-0797 yes
host3.domain.com potential chargen could be used in UDP bomb Networking/SNMP CVE-1999-0103 no
host3.domain.com potential rlogin is enabled Login/Shell CVE-1999-0651 no
host3.domain.com potential rshd is enabled Login/Shell CVE-1999-0651 no
host3.domain.com potential rexec is enabled and could help attacker Login/Shell CVE-1999-0618 no
host3.domain.com potential rpc.statd is enabled and may be vulnerable RPC CVE-1999-0018 CVE-1999-0019 CVE-1999-0210 CVE-1999-0493 CVE-2000-0666 no
host3.domain.com potential Information from rstatd could help hacker RPC CVE-1999-0624 no
host3.domain.com potential Sendmail command EXPN is enabled Mail CVE-1999-0531 no
host3.domain.com potential Sendmail command VRFY is enabled Mail CVE-1999-0531 no
host3.domain.com potential SMTP may be a mail relay Mail CVE-1999-0512 no
host3.domain.com potential SNMP is enabled and may be vulnerable Networking/SNMP CVE-1999-0615 CVE-2002-0012 CVE-2002-0013 CVE-2002-0053 CVE-2002-0796 CVE-2002-0797 no
host3.domain.com potential sunrpc services may be vulnerable RPC CVE-2002-0391 CVE-2003-0028 no
host3.domain.com potential possible buffer overflow in telnetd telrcv Login/Shell CVE-2001-0554 no
host3.domain.com potential Possible vulnerability in X font server Other CVE-2002-1317 no
host3.domain.com service 4045/TCP     no
host3.domain.com service 6112/TCP     no
host3.domain.com service 7100/TCP     no
host3.domain.com service FTP     no
host3.domain.com service Finger     no
host3.domain.com service SMTP     no
host3.domain.com service SNMP     no
host3.domain.com service Telnet     no
host3.domain.com service X-0 (6000/TCP)     no
host3.domain.com service XDM (X login)     no
host3.domain.com service chargen (19/TCP)     no
host3.domain.com service chargen:UDP (19/UDP)     no
host3.domain.com service daytime (13/TCP)     no
host3.domain.com service daytime (13/UDP)     no
host3.domain.com service discard (9/TCP)     no
host3.domain.com service discard (9/UDP)     no
host3.domain.com service echo (7/TCP)     no
host3.domain.com service echo (7/UDP)     no
host3.domain.com service exec (512/TCP)     no
host3.domain.com service login (513/TCP)     no
host3.domain.com service name (42/UDP)     no
host3.domain.com service printer (515/TCP)     no
host3.domain.com service shell (514/TCP)     no
host3.domain.com service sunrpc (111/TCP)     no
host3.domain.com service sunrpc (111/UDP)     no
host3.domain.com service time (37/TCP)     no
host3.domain.com service time (37/UDP)     no
host3.domain.com service uucp (540/TCP)     no
host3.domain.com info RPC service: 100000-2 portmapper (111/tcp)     no
host3.domain.com info RPC service: 100000-2 portmapper (111/udp)     no
host3.domain.com info RPC service: 100000-3 portmapper (111/tcp)     no
host3.domain.com info RPC service: 100000-3 portmapper (111/udp)     no
host3.domain.com info RPC service: 100000-4 portmapper (111/tcp)     no
host3.domain.com info RPC service: 100000-4 portmapper (111/udp)     no
host3.domain.com info RPC service: 100001-2 rstatd (32778/udp)     no
host3.domain.com info RPC service: 100001-3 rstatd (32778/udp)     no
host3.domain.com info RPC service: 100001-4 rstatd (32778/udp)     no
host3.domain.com info RPC service: 100002-2 rusersd (32772/tcp)     no
host3.domain.com info RPC service: 100002-2 rusersd (32775/udp)     no
host3.domain.com info RPC service: 100002-3 rusersd (32772/tcp)     no
host3.domain.com info RPC service: 100002-3 rusersd (32775/udp)     no
host3.domain.com info RPC service: 100008-1 walld (32777/udp)     no
host3.domain.com info RPC service: 100011-1 rquotad (32774/udp)     no
host3.domain.com info RPC service: 100012-1 sprayd (32776/udp)     no
host3.domain.com info RPC service: 100021-1 nlockmgr (4045/tcp)     no
host3.domain.com info RPC service: 100021-1 nlockmgr (4045/udp)     no
host3.domain.com info RPC service: 100021-2 nlockmgr (4045/tcp)     no
host3.domain.com info RPC service: 100021-2 nlockmgr (4045/udp)     no
host3.domain.com info RPC service: 100021-3 nlockmgr (4045/tcp)     no
host3.domain.com info RPC service: 100021-3 nlockmgr (4045/udp)     no
host3.domain.com info RPC service: 100021-4 nlockmgr (4045/tcp)     no
host3.domain.com info RPC service: 100021-4 nlockmgr (4045/udp)     no
host3.domain.com info RPC service: 100024-1 status (32771/tcp)     no
host3.domain.com info RPC service: 100024-1 status (32772/udp)     no
host3.domain.com info RPC service: 100068-2 (32779/udp)     no
host3.domain.com info RPC service: 100068-2 (33095/tcp)     no
host3.domain.com info RPC service: 100068-3 (32779/udp)     no
host3.domain.com info RPC service: 100068-3 (33095/tcp)     no
host3.domain.com info RPC service: 100068-4 (32779/udp)     no
host3.domain.com info RPC service: 100068-4 (33095/tcp)     no
host3.domain.com info RPC service: 100068-5 (32779/udp)     no
host3.domain.com info RPC service: 100068-5 (33095/tcp)     no
host3.domain.com info RPC service: 100083-1 (32775/tcp)     no
host3.domain.com info RPC service: 100221-1 (32773/tcp)     no
host3.domain.com info RPC service: 100232-10 sadmind (32773/udp)     no
host3.domain.com info RPC service: 100235-1 (32795/tcp)     no
host3.domain.com info RPC service: 100249-1 (33065/tcp)     no
host3.domain.com info RPC service: 100249-1 (33313/udp)     no
host3.domain.com info RPC service: 300598-1 (33064/tcp)     no
host3.domain.com info RPC service: 300598-1 (33312/udp)     no
host3.domain.com info RPC service: 805306368-1 (33064/tcp)     no
host3.domain.com info RPC service: 805306368-1 (33312/udp)     no
host3.domain.com info User: bin     no
host3.domain.com info User: foobar     no
host3.domain.com info User: root     no
host3.domain.com info User: smithrj     no
host3.domain.com info User: sys     no
host4.domain.com concern vulnerable Eudora version: 6.2 Mail   no
host4.domain.com concern vulnerability in Macromedia Flash Player: 8.0.22.0 Other CVE-2006-0024 no
host4.domain.com concern Internet Explorer Create Text Range code injection Windows OS CVE-2006-1185 CVE-2006-1186 CVE-2006-1188 CVE-2006-1189 CVE-2006-1190 CVE-2006-1191 CVE-2006-1192 CVE-2006-1245 CVE-2006-1359 CVE-2006-1388 yes
host4.domain.com concern Internet Explorer JS stack overflow Windows OS CVE-2006-0753 CVE-2006-0830 no
host4.domain.com concern vulnerable iTunes version: 6 Other   no
host4.domain.com concern Microsoft Excel and Office routing slip vulnerabilities Windows OS CVE-2005-4131 CVE-2006-0009 CVE-2006-0028 CVE-2006-0029 CVE-2006-0030 CVE-2006-0031 no
host4.domain.com concern vulnerable Mozilla Thunderbird version: 0.7.2 Mail CVE-2004-0902 CVE-2004-0903 CVE-2004-0904 CVE-2004-0905 CVE-2004-0906 CVE-2004-0907 CVE-2004-0908 CVE-2004-0909 CVE-2004-1316 CVE-2005-0142 CVE-2005-0148 CVE-2005-0149 CVE-2005-0255 CVE-2005-0399 CVE-2005-0590 CVE-2005-0989 CVE-2005-1159 CVE-2005-1160 CVE-2005-1532 CVE-2005-2261 CVE-2005-2265 CVE-2005-2266 CVE-2005-2269 CVE-2005-2270 yes
host4.domain.com concern vulnerable Mozilla Firefox version: 1.0.3 Web CVE-2005-1476 CVE-2005-1477 CVE-2005-1531 CVE-2005-1532 CVE-2005-1937 CVE-2005-2260 CVE-2005-2261 CVE-2005-2262 CVE-2005-2263 CVE-2005-2264 CVE-2005-2265 CVE-2005-2266 CVE-2005-2267 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2871 CVE-2005-2968 CVE-2005-3089 no
host4.domain.com concern vulnerable Mozilla version: 1.7.7 Web CVE-2005-1476 CVE-2005-1531 CVE-2005-1532 CVE-2005-1937 CVE-2005-2260 CVE-2005-2261 CVE-2005-2263 CVE-2005-2265 CVE-2005-2266 CVE-2005-2268 CVE-2005-2269 CVE-2005-2270 CVE-2005-2701 CVE-2005-2702 CVE-2005-2703 CVE-2005-2704 CVE-2005-2705 CVE-2005-2706 CVE-2005-2707 CVE-2005-2871 CVE-2005-2968 CVE-2005-4134 CVE-2006-0292 no
host4.domain.com concern vulnerable Netscape Navigator version: 4.78 Web CVE-2004-0718 CVE-2004-0722 CVE-2004-1160 CVE-2005-0399 CVE-2005-0989 CVE-2005-1156 CVE-2005-1157 CVE-2005-1160 yes
host4.domain.com concern Outlook Express Windows Address Book vulnerability Mail CVE-2006-0014 no
host4.domain.com concern vulnerable QuickTime version: 7.0.3 Other CVE-2005-2340 CVE-2005-3707 CVE-2005-3708 CVE-2005-3709 CVE-2005-3710 CVE-2005-3711 CVE-2005-3713 CVE-2005-4092 CVE-2005-4128 yes
host4.domain.com concern Sunncomm ActiveX control enabled Web   no
host4.domain.com concern vulnerable Winamp version: 5.13 Other CVE-2006-0708 CVE-2006-0720 no
host4.domain.com concern Windows Plug and Play vulnerability Windows OS CVE-2005-1983 yes
host4.domain.com concern Run key allows write access Windows OS CVE-1999-0589 no
host4.domain.com concern Uninstall key allows write access Windows OS CVE-1999-0589 no
host4.domain.com concern HTML Help cross-domain vulnerability Windows OS CVE-2004-1043 no
host4.domain.com concern Microsoft Data Access Component vulnerability Windows OS CVE-2006-0003 yes
host4.domain.com concern Windows Explorer COM object command execution Windows OS CVE-2004-2289 CVE-2006-0012 no
host4.domain.com potential Internet Explorer Shell.Explorer object enabled Windows OS CVE-2004-0985 no
host4.domain.com potential last user name shown in login box Windows OS CVE-1999-0592 no
host4.domain.com potential application uses vulnerable libpng version: Thunderbird 0.7.2 Other CVE-2004-0597 CVE-2004-0598 CVE-2004-0599 no
host4.domain.com potential Possible vulnerability in Microsoft UPnP Windows OS CVE-2001-0876 CVE-2001-0877 no
host4.domain.com potential Outlook Express NNTP buffer overflow Mail CVE-2005-1213 yes
host4.domain.com potential Outlook Express default news server account disclosure Mail CVE-2005-2226 no
host4.domain.com potential User DoeJ has never logged in Windows OS   no
host4.domain.com potential User sainttest has never logged in Windows OS   no
host4.domain.com potential weak maximum password age policy (730 days) Windows OS CVE-1999-0535 no
host4.domain.com potential weak minimum password age policy (0 days) Windows OS CVE-1999-0535 no
host4.domain.com potential weak password history policy (3) Windows OS CVE-1999-0535 no
host4.domain.com potential non-administrative users can act as part of the operating system Windows OS CVE-1999-0534 no
host4.domain.com potential non-administrative users can bypass traverse checking Windows OS CVE-1999-0534 no
host4.domain.com potential non-administrative users can create token object Windows OS CVE-1999-0534 no
host4.domain.com potential non-administrative users can replace a process level token Windows OS CVE-1999-0534 no
host4.domain.com potential Password never expires for user DoeJ Windows OS   no
host4.domain.com potential Password never expires for user foobars Windows OS   no
host4.domain.com potential Windows TCP/IP Stack not hardened Other CVE-2005-0688 CVE-2005-1649 no
host4.domain.com potential Jet Database Engine input validation problems Windows OS CVE-2005-0944 yes
host4.domain.com service 1025/UDP     no
host4.domain.com service 1026/UDP     no
host4.domain.com service 1107/UDP     no
host4.domain.com service 1118/UDP     no
host4.domain.com service 1123/UDP     no
host4.domain.com service 1129/UDP     no
host4.domain.com service 1900/UDP     no
host4.domain.com service SMB     no
host4.domain.com service epmap (135/TCP)     no
host4.domain.com service isakmp (500/UDP)     no
host4.domain.com service microsoft-ds (445/TCP)     no
host4.domain.com service microsoft-ds (445/UDP)     no
host4.domain.com service netbios-dgm (138/UDP)     no
host4.domain.com service netbios-ns (137/UDP)     no
host4.domain.com service ntp (123/UDP)     no
host4.domain.com info User: Administrator     no
host4.domain.com info User: DoeJ     no
host4.domain.com info User: Guest     no
host4.domain.com info User: HelpAssistant     no
host4.domain.com info User: HelpServicesGroup     no
host4.domain.com info User: IME_ADMIN     no
host4.domain.com info User: IME_USER     no
host4.domain.com info User: SUPPORT_388945a0     no
host4.domain.com info User: foobars     no
host4.domain.com info User: sainttest     no
host4.domain.com info Windows service: AhnLab Task Scheduler     no
host4.domain.com info Windows service: Application Layer Gateway Service     no
host4.domain.com info Windows service: Automatic Updates     no
host4.domain.com info Windows service: COM+ Event System     no
host4.domain.com info Windows service: Computer Browser     no
host4.domain.com info Windows service: Creative Service for CDROM Access     no
host4.domain.com info Windows service: Cryptographic Services     no
host4.domain.com info Windows service: DCOM Server Process Launcher     no
host4.domain.com info Windows service: DHCP Client     no
host4.domain.com info Windows service: DNS Client     no
host4.domain.com info Windows service: Distributed Link Tracking Client     no
host4.domain.com info Windows service: Error Reporting Service     no
host4.domain.com info Windows service: Event Log     no
host4.domain.com info Windows service: Help and Support     no
host4.domain.com info Windows service: IPSEC Services     no
host4.domain.com info Windows service: Logical Disk Manager     no
host4.domain.com info Windows service: McAfee Framework Service     no
host4.domain.com info Windows service: Net Logon     no
host4.domain.com info Windows service: Network Associates McShield     no
host4.domain.com info Windows service: Network Associates Task Manager     no
host4.domain.com info Windows service: Network Connections     no
host4.domain.com info Windows service: Network Location Awareness (NLA)     no
host4.domain.com info Windows service: Plug and Play     no
host4.domain.com info Windows service: Print Spooler     no
host4.domain.com info Windows service: Protected Storage     no
host4.domain.com info Windows service: Remote Access Connection Manager     no
host4.domain.com info Windows service: Remote Procedure Call (RPC)     no
host4.domain.com info Windows service: Remote Procedure Call (RPC) Locator     no
host4.domain.com info Windows service: Remote Registry     no
host4.domain.com info Windows service: Removable Storage     no
host4.domain.com info Windows service: SSDP Discovery Service     no
host4.domain.com info Windows service: Secondary Logon     no
host4.domain.com info Windows service: Security Accounts Manager     no
host4.domain.com info Windows service: Server     no
host4.domain.com info Windows service: Shell Hardware Detection     no
host4.domain.com info Windows service: SysTrack Agent     no
host4.domain.com info Windows service: System Event Notification     no
host4.domain.com info Windows service: System Restore Service     no
host4.domain.com info Windows service: TCP/IP NetBIOS Helper     no
host4.domain.com info Windows service: Task Scheduler     no
host4.domain.com info Windows service: Telephony     no
host4.domain.com info Windows service: Terminal Services     no
host4.domain.com info Windows service: Themes     no
host4.domain.com info Windows service: WebClient     no
host4.domain.com info Windows service: Windows Audio     no
host4.domain.com info Windows service: Windows Firewall/Internet Connection Sharing (ICS)     no
host4.domain.com info Windows service: Windows Management Instrumentation     no
host4.domain.com info Windows service: Windows Time     no
host4.domain.com info Windows service: Wireless Zero Configuration     no
host4.domain.com info Windows service: Workstation     no
host5.domain.com critical Anthill 0.1.6.1 is vulnerable Web CVE-2002-0548 CVE-2002-0549 no
host5.domain.com critical OpenSSH 3.1p1 may be vulnerable Login/Shell CVE-2002-0575 CVE-2002-0639 CVE-2002-0640 CVE-2003-0190 CVE-2003-0682 CVE-2003-0693 CVE-2003-0695 CVE-2005-2798 no
host5.domain.com concern Web server allows cross-site tracing Web   no
host5.domain.com concern vulnerable Horde Accounts version: 2.1 Web CVE-2005-1316 no
host5.domain.com concern vulnerable Horde Forwards version: 2.2 Web CVE-2005-1318 no
host5.domain.com concern vulnerable Horde Kronolith version: 1.1 Web CVE-2005-1314 no
host5.domain.com concern vulnerable Horde Mnemo version: 1.1 Web CVE-2005-1320 no
host5.domain.com concern vulnerable Horde Nag version: 1.1 Web CVE-2005-1322 no
host5.domain.com concern vulnerable Horde Passwd version: 2.2 Web CVE-2005-1313 no
host5.domain.com concern vulnerable Horde Turba version: 1.2 Web CVE-2005-1315 no
host5.domain.com concern vulnerable Horde Vacation version: 2.2 Web CVE-2005-1321 no
host5.domain.com concern vulnerable Horde IMP version: 3.2.1 Mail CVE-2004-0584 CVE-2004-1443 CVE-2005-1319 CVE-2005-4080 no
host5.domain.com concern vulnerable Horde version: 2.2.3 Web CVE-2003-0728 CVE-2005-0378 CVE-2005-0961 CVE-2005-3570 no
host5.domain.com potential possible vulnerability in wu-ftpd 2.6.2 File Transfer CVE-2003-0466 CVE-2004-0185 no
host5.domain.com potential possible vulnerability in OpenSSL 0.9.7d Other CVE-2005-2969 no
host5.domain.com potential possible RSA SecurID Web Agent redirect buffer overflow Other   no
host5.domain.com potential possible heap overflow in RSA SecurID Web Agent Other CVE-2005-1471 CVE-2005-4734 yes
host5.domain.com potential SSL server accepts SSLv2 protocol Other   no
host5.domain.com potential SSL server accepts weak ciphers Other   no
host5.domain.com potential TCP reset using approximate sequence number Other CVE-2004-0230 no
host5.domain.com service 1414/TCP     no
host5.domain.com service 1515/TCP     no
host5.domain.com service FTP     no
host5.domain.com service SAINT     no
host5.domain.com service SMTP     no
host5.domain.com service SSH     no
host5.domain.com service WWW     no
host5.domain.com service WWW (Secure)     no
host5.domain.com service WWW (non-standard port 81)     no

4.0  Details

The following sections provide details on the specific vulnerabilities detected on each host.

4.1  host1.domain.com

IP Address: 172.16.0.1 Host type: Windows 2000 Service Pack 1
Scan time: Jun 29 14:31:35 2009 Netbios Name: HOST1


Download.Ject detected on web server
Severity: Critical Problem

Impact

For web servers, a remote attacker has gained access to the server and added malicious content to the web site. For web clients, the web browser may have installed a keystroke logger when visiting a compromised web site. The keystroke logs are automatically sent to a remote web site.

Resolution

Run a virus scan and delete or repair any files infected with Download.Ject or JS.Scob. On IIS web servers, disable the document footer or ensure that the footer is valid in the Documents tab of the Web Site Properties.

To avoid becoming infected, install the fix for the Internet Explorer Modal Dialog Zone Bypass and ADODB.Stream Object File Installation vulnerabilities when available. Until the fix is installed, disable client-side scripting and active content in the Internet zone in Microsoft Internet Explorer.

Where can I read more about this?

For more information, see the Microsoft, and Symantec.

Technical Details

Service: http

Guessed password to windows account (foobar:foobar)
Severity: Critical Problem

Impact

An attacker who is able to guess the password to a user account could gain shell access to the system with the privileges of the user. From there it is often trivial to gain complete control of the system.

Resolution

Protect all accounts with a password that cannot be guessed. Require users to choose passwords which are eight characters long, including numeric and non-alphanumeric characters, and which are not based on the login name or any other personal information about the user. Enforce this policy using a utility such as npasswd in place of the default UNIX passwd program. Check the strength of all account passwords periodically using a password cracking utility such as Crack for Unix.

For Cisco 2700 Series Wireless Location Appliance, change the password or mitigate as described in cisco-air-20061013-wla.

Where can I read more about this?

Walter Belgers' paper, UNIX password security, is a good reference on strengthening passwords.

The Cisco 2700 Series WLA default password was described in cisco-sa-2006-1012-wla and Bugtraq ID 20490.

The IBM Totalstorage DS400 default password was posted to Full Disclosure.

Technical Details

Service: netbios-ssn
foobar:foobar

MS FrontPage Server Extension Vulnerability: /_vti_bin/shtml.dll
Severity: Critical Problem CVE: CVE-2003-0824

Impact

A remote attacker could take control of the web site, and possibly the system as well.

Resolutions

To fix the Front Page Service Extensions Cross-site scripting vulnerability and the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, apply the patch indicated in Microsoft Security Bulletin 06-017.

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

  1. Find the file in Windows Explorer
  2. Click on the file with the right mouse button
  3. Select Properties
  4. Click on the Security Tab
  5. Click on the Permissions button
  6. Change or remove permissions on the file as necessary.
On Unix systems:
Use the chmod command.

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the Front Page Server Extensions cross-site scripting vulnerabilities see Microsoft Security Bulletin 06-017 and Bugtraq ID 17452.

For more information on the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, see Microsoft Security Bulletin 03-051 and Secunia Advisory SA10195.

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFOCUS Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq archive 11943.

Technical Details

Service: http
Sent:
POST /_vti_bin/shtml.dll HTTP/1.0
Host: host1.domain.com:80


Received:
HTTP/1.1 200 OK
And:
<HTML><BODY>Cannot run the FrontPage Server Extensions' Smart HTML interpreter on this non-HTML page: &quot;&quot;</BODY></HTML>

MS FrontPage Server Extension Vulnerability: remote debug
Severity: Critical Problem CVE: CVE-2003-0822

Impact

A remote attacker could take control of the web site, and possibly the system as well.

Resolutions

To fix the Front Page Service Extensions Cross-site scripting vulnerability and the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, apply the patch indicated in Microsoft Security Bulletin 06-017.

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

  1. Find the file in Windows Explorer
  2. Click on the file with the right mouse button
  3. Select Properties
  4. Click on the Security Tab
  5. Click on the Permissions button
  6. Change or remove permissions on the file as necessary.
On Unix systems:
Use the chmod command.

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the Front Page Server Extensions cross-site scripting vulnerabilities see Microsoft Security Bulletin 06-017 and Bugtraq ID 17452.

For more information on the fp30reg.dll remote debug and SmartHTML buffer overflow vulnerabilities, see Microsoft Security Bulletin 03-051 and Secunia Advisory SA10195.

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFOCUS Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq archive 11943.

Technical Details

Service: http
Sent:
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.0
Host: host1.domain.com:80
Transfer-Encoding: chunked

1

X
0



Received:
HTTP/1.1 400 Bad Request

Folder traversal in IIS (Double Decoding)
Severity: Critical Problem CVE: CVE-2001-0333

Impact

An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Resolutions

Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-006 (for Windows 2003 and XP), and 08-062.

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on Integer Overflow in IPP Service is available at Microsoft Security Bulletin 08-062.

More information on the IIS ASP remote code execution in Windows 2003 and XP is available in Microsoft Security Bulletin 08-006.

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

More information on the .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Service: http
Sent:
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Host: host1.domain.com:80


Received:
HTTP/1.1 200 OK
And:
05/08/2001 04:52p <DIR> WINNT

Folder traversal in IIS (Unicode Translation)
Severity: Critical Problem CVE: CVE-2000-0884

Impact

An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Resolutions

Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-006 (for Windows 2003 and XP), and 08-062.

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on Integer Overflow in IPP Service is available at Microsoft Security Bulletin 08-062.

More information on the IIS ASP remote code execution in Windows 2003 and XP is available in Microsoft Security Bulletin 08-006.

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

More information on the .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Service: http
Sent:
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Host: host1.domain.com:80


Received:
HTTP/1.1 200 OK
And:
05/08/2001 04:52p <DIR> WINNT

vulnerabilities in IIS 5
Severity: Critical Problem CVE: CVE-2000-0770 CVE-2001-0151 CVE-2001-0241 CVE-2001-0500 CVE-2001-0507 CVE-2002-0869 CVE-2002-1180 CVE-2002-1181 CVE-2002-1182 CVE-2003-0223 CVE-2003-0224 CVE-2003-0225 CVE-2003-0226

Impact

An attacker could send a specially constructed request which crashes the server or executes arbitrary code with the privileges of the web server.

Resolutions

Install the patches referenced in Microsoft Security Bulletins 03-018, 06-034 (for Windows 2000), 08-006 (for Windows 2003 and XP), and 08-062.

For IIS 5.1, also install the patches referenced in 07-041. Note that the patch referenced in Microsoft Security Bulletin 02-050 must also be installed if client side certificates are to function.

IIS 4.0 users should also install the patch referenced in Microsoft Security Bulletin 04-021 or disable the permanent redirection option under the Home Directory tab in the web site properties.

Where can I read more about this?

More information on Integer Overflow in IPP Service is available at Microsoft Security Bulletin 08-062.

More information on the IIS ASP remote code execution in Windows 2003 and XP is available in Microsoft Security Bulletin 08-006.

More information on the remote code execution in IIS 5.1 is available at Microsoft Security Bulletin 07-041.

More information on the ASP upload vulnerability is available in Microsoft Security Bulletin 06-034.

More information on the .dll request denial of service was reported in Secunia Advisory SA18106.

More information on the chunked .HTR processing vulnerability is available in Microsoft Security Bulletin 02-028 and eEye advisory 20020612.

The IIS 4.0 redirection buffer overflow was reported in Microsoft Security Bulletin 04-021.

More information on the multiple vulnerabilities in IIS 4.0 through 5.1 is available in CERT Advisory 2002-09, Microsoft Security Bulletin 02-018, Microsoft Security Bulletin 02-062, and Microsoft Security Bulletin 03-018.

More information on the buffer overflows in IIS 5.0 is available from Microsoft Security Bulletins 01-023 and 01-033, CERT advisories 2001-10 and 2001-13, and eEye advisories AD20010501 and AD20010618. General information on securing IIS 5.0 can be found in the IIS 5 security checklist.

More information on folder traversal using Unicode translation is available from Microsoft Security Bulletin 00-078 and a posting to Bugtraq. More information on folder traversal using double encoding is available from Microsoft Security Bulletin 01-026, NSFOCUS Security Advisory 2001-02, and CERT Advisory 2001-12.

More information on the buffer overflow vulnerability is available from Microsoft Security Bulletin 99-019 and from Microsoft Knowledge Base article Q234905.

More information on the filename inspection vulnerability can be found in Microsoft Security Bulletin 00-086 and NSFOCUS Security Advisory 2000-07.

More information on the other vulnerabilities was reported in Microsoft Security Bulletins 00-057, 01-016, and 01-044.

Technical Details

Service: http

MailEnable HTTPMail vulnerability
Severity: Critical Problem CVE: CVE-2005-1348 CVE-2005-2222 CVE-2006-1338

Impact

A remote attacker could create a denial of service, or possibly execute arbitrary commands with System privileges.

Resolution

Upgrade to MailEnable Professional 3.53 or higher, MailEnable Enterprise 3.53 or higher, or MailEnable Standard 1.98 when available, or apply all needed hotfixes.

Where can I read more about this?

Additional information can be located at the hotfixes page.

The MailEnable 3.52 IMAP Remote Denial of Service vulnerability was reported in Secunia Advisory SA31325.

The IMAP Service APPEND Command buffer overflow was reported in Secunia Advisory SA24361.

The NTLM denial of service was reported in Secunia Advisory SA24139.

The POP PASS vulnerability was reported in Secunia Advisory SA23127.

The pre-authentication buffer overflow vulnerability was reported at Bugtraq ID 21492.

The IMAP Buffer Overflow and Denial of Service vulnerabilities were reported in Secunia Advisory SA23080.

The invalid command buffer overflow was reported in Bugtraq ID 21252.

The NTLM signature field buffer overflow was reported in Bugtraq ID 20290.

The SPF lookup buffer overflow was reported in Bugtraq ID 20091.

The SMTP HELO denial of service was reported in Secunia Advisory SA20790.

The admin authentication bypass and WebMail vulnerabilities were reported in Secunia Advisory SA20556.

The quoted-printable denial of service vulnerability was reported in Enterprise History.

The unspecified POP authentication bypass was reported in Standard History.

The IMAP buffer overflow and denial-of-service vulnerabilities were reported in Full Disclosure, Full Disclosure, Bugtraq archive 417589, and Secunia Research Advisory 2005-59.

The IMAP directory traversal vulnerability was reported in Secunia Research Advisory 2005-59.

The W3C logging overflow was reported in Secunia Advisory SA17010.

The IMAP STATUS command buffer overflow was reported in a Secunia Advisory SA15986.

The SMTP Authentication denial of service (buffer overflow) vulnerability is described in Bugtraq ID 13772.

The HTTPMail Authorization buffer overflow was posted to Bugtraq archive 396826.

The mailto: format string vulnerability was posted to Bugtraq archive 393566.

The IMAP buffer overflows were reported in a Hat-Squad advisory, Full Disclosure, and Full Disclosure.

The EHLO denial of service was reported in Bugtraq ID 12994.

The DNS response and IMAP denial of service was reported by the vendor.

The Content-length buffer overflow was reported in Bugtraq ID 10838.

The heap overflow was reported in SecurityTracker alert 1010107.

Technical Details

Service: 8080
MailEnable HTTPMail enabled and either MailEnable Enterprise before version 1.21 or MailEnable Professional before version 1.73

MS Site Server default account
Severity: Critical Problem CVE: CVE-2002-1769 CVE-2002-2073 CVE-2002-2081

Impact

A remote attacker could view configuration information, create a denial of service, or upload and execute arbitrary ASP code.

Resolution

Get the latest version or service pack from Microsoft Commerce Server. Then apply or reapply Windows NT Service Pack 6a.

Where can I read more about this?

This vulnerability was reported in Rain Forest Puppy advisory RFP2201.

Technical Details

Service: netbios-ssn

vulnerability in Windows Media Services (nsiislog.dll)
Severity: Critical Problem CVE: CVE-2003-0227 CVE-2003-0349

Impact

A remote attacker could cause the web service to stop responding or execute arbitrary commands with the privileges of the IIS service.

Resolution

Install the patch referenced in Microsoft Security Bulletin 03-022 to correct both vulnerabilities.

Where can I read more about this?

The first vulnerability was reported in Microsoft Security Bulletin 03-019, the second in Microsoft Security Bulletin 03-022.

Technical Details

Service: http

Windows Plug and Play vulnerability
Severity: Critical Problem CVE: CVE-2005-1983

Impact

On Windows 2000, a remote anonymous user could execute arbitrary commands with administrative privileges. On Windows XP Service Pack 1, a remote authenticated user could execute arbitrary commands with administrative privileges. On Windows XP Service Pack 2 and Windows Server 2003, a user who is logged on locally could execute arbitrary commands with administrative privileges.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 05-047.

Where can I read more about this?

These vulnerabilities were reported in Microsoft Security Bulletins 05-039 and 05-047.

Technical Details

Service: netbios
Plug and Play service running and KB899588 not installed

RPC runtime library vulnerability
Severity: Critical Problem CVE: CVE-2003-0807 CVE-2003-0813 CVE-2004-0116 CVE-2004-0124

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name Description Fix Bulletin
RPC runtime library vulnerability Fixes a race condition which could allow an attacker to take control of a system, and fixes three other RPC vulnerabilities. (CVE 2003-0807 CVE 2003-0813 CVE 2004-0116 CVE 2004-0124) NT: 828741
2000: 828741 or SP4 Update Rollup 1
XP: 828741 or SP2
2003: 828741 or SP1 		04-012 TA04-104A

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828741 not found

Windows 2000 ASN1 buffer overflow
Severity: Critical Problem CVE: CVE-2003-0818

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name Description Fix Bulletin
ASN.1 buffer overflow Fixes a vulnerability in ASN.1 which could allow remote code execution. (CVE 2003-0818) NT: 828028
2000: 828028 or SP4 Update Rollup 1
XP: 828028 or SP2
2003: 828028 or SP1 		04-007

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB828028 not found

Windows 2000 RPC buffer overflow
Severity: Critical Problem CVE: CVE-2003-0352

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name Description Fix Bulletin
RPC buffer overflow fix Fixes a buffer overflow in the DCOM interface to RPC which could allow a remote attacker to execute arbitrary commands. (CVE 2003-0352) NT: 823980
2000: 823980 or SP4 Update Rollup 1
XP: 32-bit: 823980 or SP2
64-bit: 823980 or SP2
2003: 32-bit: 823980 or SP1
64-bit: 823980 or SP1 		03-026 CA-2003-16

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980 not found

Windows COM+ command execution vulnerability
Severity: Critical Problem CVE: CVE-2005-1978 CVE-2005-1979 CVE-2005-1980 CVE-2005-2119

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name Description Fix Bulletin
Windows COM+ command execution vulnerability Fixes vulnerabilities which could allow remote command execution on Windows 2000 and XP SP1, or privilege elevation on Windows XP SP2 and 2003. (CVE 2005-1978 CVE 2005-1979 CVE 2005-1980 CVE 2005-2119) 2000: 902400
XP: 902400
2003: 902400 or SP2 		05-051

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB902400 not found

Windows SMB Transaction response buffer overflow
Severity: Critical Problem CVE: CVE-2005-0045

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name Description Fix Bulletin
SMB Transaction response buffer overflow Fixes command execution vulnerability in processing of responses to Transaction commands by the SMB client driver. (CVE 2005-0045) 2000: 885250 or SP4 Update Rollup 1
XP: 885250
2003: 885250 or SP1 		05-011

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB885250 not found

Windows SMB input validation vulnerability
Severity: Critical Problem CVE: CVE-2005-1206

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name Description Fix Bulletin
SMB input validation vulnerability Fixes a vulnerability which could allow remote code execution. (CVE 2005-1206) 2000: 896422
XP: 896422
2003: 896422 or SP2 		05-027

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB896422 not found

Windows TCP/IP vulnerabilities
Severity: Critical Problem CVE: CVE-2004-0230 CVE-2004-0790 CVE-2004-1060 CVE-2005-0048 CVE-2005-0688

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name Description Fix Bulletin
Windows TCP/IP Vulnerabilities Fixes vulnerabilities which could allow a remote attacker to cause a denial of service, or possibly execute commands. (CVE 2004-0230 CVE 2004-0790 CVE 2004-1060 CVE 2005-0048 CVE 2005-0688) 2000: 893066 or SP4 Update Rollup 1
XP: 893066
2003: 893066 or SP1 		05-019

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server 2008.

Technical Details

Service: netbios
SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB893066 not found

Windows WMF gdi32.dll vulnerability
Severity: Critical Problem CVE: CVE-2005-4560

Impact

The absence of critical updates leads to the potential for denial of service or unauthorized access by attackers or malicious web sites.

The Problems and Resolutions

One or more of the following security updates is not installed on the target system. The resolution is to install the needed updates. This can be done either by following the links in the table, or by visiting the Windows Update service which will automatically determine which updates are needed for your system and help you install them. It is a good idea to make a backup of the system before installing an update, especially for service packs. After the system has been brought up to date, check Microsoft's web site regularly for new critical updates.

Note: The links below apply to the standard editions of Windows operating systems. If you are using a Terminal Server edition, a 64-bit edition, or a non-Intel edition which is not listed, consult the corresponding Microsoft Security Bulletins for patch information.

Update Name Description Fix Bulletin
Windows WMF gdi32.dll vulnerability Fixes a remote code execution vulnerability which exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images. An attacker could exploit the vulnerability to take complete control of the affected system by constructing a specially crafted WMF image which is read by a user on the system. (CVE 2005-4560) 2000: 912919
XP: 912919
2003: 912919 or SP2 		06-001

Where can I read more about this?

For more information on critical updates, see the Windows critical update pages which are available for Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003. Windows Vista. Windows Server 2008.

Technical Details

Service: netbios
gdi32.dll older than 2005-12-25

pointer corruption vulnerability in WINS replication service
Severity: Critical Problem CVE: CVE-2004-0567 CVE-2004-1080

Impact

A remote attacker could execute arbitrary code on the WINS server.

Resolution

Install the fix referenced in Microsoft Security Bulletin 09-008.

It is also advisable to use IPsec, block port 42 at the firewall, or disable WINS if it is not needed. These workarounds are addressed in Microsoft Knowledge Base Article 890710.

Where can I read more about this?

The WPAD registration vulnerability was reported in Microsoft Security Bulletin 09-008.

The WINS local privilege elevation was reported in Microsoft Security Bulletin 08-034.

The pointer corruption vulnerability in WINS replication was reported in Secunia Advisory SA13328. and Microsoft Security Bulletin 04-045.

The name validation buffer overflow was reported in