
Network Vulnerability Scanner Report (Light)


Target: moz.com.mx (target created when starting a scan using the API)

Summary

Overall risk level: Medium

Risk ratings:
  High: 0
  Medium: 2
  Low: 0
  Info: 11

Scan information:
  Start time: 2022-11-29 18:12:03 UTC+02
  Finish time: 2022-11-29 18:15:10 UTC+02
  Scan duration: 3 min, 7 sec
  Tests performed: 13/13
  Scan status: Finished

Findings

Vulnerabilities found for OpenSSH 7.4 (port 22/tcp)

Columns: CVSS | CVE | Exploit (Exploit-DB ID or N/A), followed by the CVE summary.

CVSS 6.8 | CVE-2020-15778 | Exploit: N/A
  ** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."

CVSS 5.8 | CVE-2019-6111 | Exploit: EDB-ID:46193
  An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are prevented). A malicious scp server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the scp client target directory. If recursive operation (-r) is performed, the server can manipulate subdirectories as well (for example, to overwrite the .ssh/authorized_keys file).

CVSS 5 | CVE-2017-15906 | Exploit: N/A
  The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

CVSS 5 | CVE-2018-15473 | Exploit: EDB-ID:45210, EDB-ID:45233, EDB-ID:45939
  OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.

CVSS 5 | CVE-2018-15919 | Exploit: N/A
  Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.'

CVSS 4.4 | CVE-2021-41617 | Exploit: N/A
  sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.

CVSS 4.3 | CVE-2016-20012 | Exploit: N/A
  ** DISPUTED ** OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. NOTE: the vendor does not recognize user enumeration as a vulnerability for this product.

CVSS 4.3 | CVE-2020-14145 | Exploit: N/A
  The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.

CVSS 4 | CVE-2019-6109 | Exploit: N/A
  An issue was discovered in OpenSSH 7.9. Due to missing character encoding in the progress display, a malicious server (or Man-in-The-Middle attacker) can employ crafted object names to manipulate the client output, e.g., by using ANSI control codes to hide additional files being transferred. This affects refresh_progress_meter() in progressmeter.c.

CVSS 4 | CVE-2019-6110 | Exploit: EDB-ID:46193
  In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

CVSS 2.6 | CVE-2018-20685 | Exploit: N/A
  In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side.

CVSS 2.6 | CVE-2021-36368 | Exploit: N/A
  ** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to support the None authentication option, then the user cannot determine whether FIDO authentication is going to confirm that the user wishes to connect to that server, or that the user wishes to allow that server to connect to a different server on the user's behalf. NOTE: the vendor's position is "this is not an authentication bypass, since nothing is being bypassed."

Details

Risk description:
These vulnerabilities expose the affected applications to the risk of unauthorized access to confidential data and possibly to denial of service attacks. An attacker could search for an appropriate exploit (or create one) for any of these vulnerabilities and use it to attack the system.

Notes:
The vulnerabilities are identified based on the server's version information. Because detection is version-based, a finding may not apply where the vendor has backported the fix without changing the version string; confirm each finding against the installed package before acting on it.
Only the 15 highest-risk vulnerabilities are shown for each port.

Recommendation:
We recommend upgrading the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

Vulnerabilities found for ISC BIND 9.11.4-P2 (port 53/tcp)

Columns: CVSS | CVE | Exploit (Exploit-DB ID or N/A), followed by the CVE summary.

CVSS 6.8 | CVE-2020-8625 | Exploit: N/A
  BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features. In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options. Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process. However, remote code execution, while unproven, is theoretically possible. Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11, and versions BIND 9.11.3-S1 -> 9.11.27-S1 and 9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview Edition. Also release versions 9.17.0 -> 9.17.1 of the BIND 9.17 development branch.

CVSS 5 | CVE-2018-5744 | Exploit: N/A
  A failure to free memory can occur when processing messages having a specific combination of EDNS options. Versions affected are: BIND 9.10.7 -> 9.10.8-P1, 9.11.3 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.10.7-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected.

CVSS 5 | CVE-2019-6470 | Exploit: N/A
  There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this. Some third-party packagers of ISC software have modified the dhcpd source, BIND source, or version matchup in ways that create the crash potential. Based on reports available to ISC, the crash probability is large and no analysis has been done on how, or even if, the probability can be manipulated by an attacker. Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later, or BIND versions with specific bug fixes backported to them. ISC does not have access to comprehensive version lists for all repackagings of dhcpd that are vulnerable. In particular, builds from other vendors may also be affected. Operators are advised to consult their vendor documentation.

CVSS 5 | CVE-2020-8616 | Exploit: N/A
  A malicious actor who intentionally exploits this lack of effective limitation on the number of fetches performed when processing referrals can, through the use of specially crafted referrals, cause a recursing server to issue a very large number of fetches in an attempt to process the referral. This has at least two potential effects: The performance of the recursing server can potentially be degraded by the additional work required to perform these fetches, and The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor.

CVSS 4.3 | CVE-2018-5743 | Exploit: N/A
  By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers. Unfortunately, the code which was intended to limit the number of simultaneous connections contained an error which could be exploited to grow the number of simultaneous connections beyond this limit. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.6, 9.12.0 -> 9.12.4, 9.14.0. BIND 9 Supported Preview Edition versions 9.9.3-S1 -> 9.11.5-S3, and 9.11.5-S5. Versions 9.13.0 -> 9.13.7 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5743.

CVSS 4.3 | CVE-2019-6465 | Exploit: N/A
  Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2019-6465.

CVSS 4.3 | CVE-2019-6471 | Exploit: N/A
  A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c. Versions affected: BIND 9.11.0 -> 9.11.7, 9.12.0 -> 9.12.4-P1, 9.14.0 -> 9.14.2. Also all releases of the BIND 9.13 development branch and version 9.15.0 of the BIND 9.15 development branch and BIND Supported Preview Edition versions 9.11.3-S1 -> 9.11.7-S1.

CVSS 4.3 | CVE-2020-8617 | Exploit: N/A
  Using a specially-crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. In releases of BIND dating from March 2018 and after, an assertion check in tsig.c detects this inconsistent state and deliberately exits. Prior to the introduction of the check the server would continue operating in an inconsistent state, with potentially harmful results.

CVSS 4.3 | CVE-2020-8623 | Exploit: N/A
  In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with "--enable-native-pkcs11" * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker

CVSS 4 | CVE-2018-5741 | Exploit: N/A
  To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.

CVSS 4 | CVE-2020-8622 | Exploit: N/A
  In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.

CVSS 4 | CVE-2020-8624 | Exploit: N/A
  In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone.

CVSS 3.5 | CVE-2018-5745 | Exploit: N/A
  "managed-keys" is a feature which allows a BIND resolver to automatically maintain the keys used by trust anchors which operators configure for use in DNSSEC validation. Due to an error in the managed-keys feature it is possible for a BIND server which uses managed-keys to exit due to an assertion failure if, during key rollover, a trust anchor's keys are replaced with keys which use an unsupported algorithm. Versions affected: BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P1, 9.12.0 -> 9.12.3-P1, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected. Versions prior to BIND 9.9.0 have not been evaluated for vulnerability to CVE-2018-5745.

Details

Risk description:
These vulnerabilities expose the affected applications to the risk of unauthorized access to confidential data and possibly to denial of service attacks. An attacker could search for an appropriate exploit (or create one) for any of these vulnerabilities and use it to attack the system.

Notes:
The vulnerabilities are identified based on the server's version information. Because detection is version-based, a finding may not apply where the vendor has backported the fix without changing the version string; confirm each finding against the installed package before acting on it.
Only the 15 highest-risk vulnerabilities are shown for each port.

Recommendation:
We recommend upgrading the affected software to the latest version in order to eliminate the risk of these vulnerabilities.

Scan coverage information

Port   State   Service   Product         Product Version
21     open    ftp       Pure-FTPd
22     open    ssh       OpenSSH         7.4
25     open    smtp
26     open    smtp      Exim smtpd      4.95
53     open    domain    ISC BIND        9.11.4-P2
80     open    http      Apache httpd
110    open    pop3      Dovecot pop3d
143    open    imap      Dovecot imapd
443    open    ssl       Apache httpd
465    open    smtp      Exim smtpd      4.95
993    open    imap      Dovecot imapd
995    open    pop3      Dovecot pop3d

Details

Risk description:
This is the list of ports that have been found open on the target hosts. Having unnecessary open ports may expose the target to more
risks because those network services and applications may contain vulnerabilities.

Recommendation:
We recommend reviewing the list of open ports and closing the ones which are not necessary for business purposes.

No vulnerabilities found (port 21)

No vulnerabilities found (port 25)

No vulnerabilities found (port 26)

No vulnerabilities found (port 80)

No vulnerabilities found (port 110)

No vulnerabilities found (port 143)

No vulnerabilities found (port 443)

No vulnerabilities found (port 465)

No vulnerabilities found (port 993)

No vulnerabilities found (port 995)

Scan coverage information

List of tests performed (13/13)

Checking for open ports...
Scanning for vulnerabilities on port: 21
Scanning for vulnerabilities on port: 22
Scanning for vulnerabilities on port: 25
Scanning for vulnerabilities on port: 26
Scanning for vulnerabilities on port: 53
Scanning for vulnerabilities on port: 80
Scanning for vulnerabilities on port: 110
Scanning for vulnerabilities on port: 143
Scanning for vulnerabilities on port: 443
Scanning for vulnerabilities on port: 465
Scanning for vulnerabilities on port: 993
Scanning for vulnerabilities on port: 995

Scan parameters
Target: moz.com.mx
Scan type: Light
Check alive: True
Protocol type: Tcp
Ports to scan: Top 100 ports
