The following security vulnerabilities were found during security scans of version 3.0 of the BSM Reference Stack on Linux operating systems. This table represents autogenerated output.
| Host | Vulnerability | Vulnerability description | Common Vulnerabilities and Exposures (CVE) ID | Remediation |
|---|---|---|---|---|
| Linux 2.6.32-71.37.1.el6 (Red Hat Enterprise Linux Server release 6.0 (Santiago)) | ICMP Timestamp Request Information Disclosure Vulnerability | An information disclosure vulnerability is present in some systems supporting ICMP request/responses. | | McAfee is currently unaware of a vendor-supplied patch or update (08/05/2010).<br>Note: The issue can be mitigated by blocking certain incoming ICMP requests to the system. |
| Linux 2.6.32-71.37.1.el6 (Red Hat Enterprise Linux Server release 6.0 (Santiago)) | FTP Anonymous User Account ftp Accessible | A vulnerability in the configuration of FTP servers allows remote attackers to connect with user 'ftp' and an email address for the password. | | Create accounts for the specific users that need access to FTP, and enforce a strong password policy. Restrict access to resources on the FTP server to those necessary to perform the needed tasks for each specific user.<br>Disable anonymous FTP if it is not necessary to the system. If the functionality is needed, restrict read/write permissions and restrict the directory that anonymous FTP accesses.<br>Disable FTP if it is not necessary by commenting it out of the `/etc/inetd.conf` file: `#ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a`<br>Restart the inet process: `# kill -HUP (pid of inetd)`<br>UNIX:<br>Add users who should not be allowed access to the system via FTP to the `/etc/ftpusers` file; examples are root, bin, guest, shutdown, lp, user1, user2, user3.<br>To enable anonymous FTP more securely:<br>1. Create the correct home directories for the exclusive use of ftpd, such as ~ftp/bin, ~ftp/etc, and ~ftp/pub.<br>2. Create an FTP account that points to the FTP home directory.<br>3. Change the FTP passwd file to contain entries only for root and FTP.<br>4. Change the group file to contain only the FTP group.<br>5. Change permissions on files and directories to the appropriate users.<br>Windows:<br>By default, the Windows FTP service allows anonymous connections. To turn off this feature, follow these steps:<br>1. Start the Internet Service Manager.<br>2. Select the running FTP site and click Properties.<br>3. Select the Security Accounts tab.<br>4. Uncheck the 'Allow Anonymous Connections' box. When prompted, click Yes to continue. |