Voxai Solutions ASV Scan Q1 Summary Report 20 November 2023

1 Review the vulnerabilities that are there in "PCI Affecting" worksheet and for the vulnerabilities that you
ou think are
2 Fix the vulnerabilities which are not false positive, unless there is a technical or businees limitation for which please
3 Save the file as "ASV_summary_report_customer_response.xlsx" and upload against the appropriate quarter/perio
4 Update ConnectWIse once the file has been uploaded.
lities that you think are false positive, enter in column "Client Justification" with evidence as attachment in column "Evidence Attachment
mitation for which please enter the technical/business justification in column "Client Justification"
ppropriate quarter/period on the dashboard using the upload/download functionality.
n "Evidence Attachment".
IP DNS Title Port Protocol
OpenSSH Username Enumeration
162.253.197.123 Vulnerability
OpenSSH Probable User Enumeration
162.253.197.123 OpenSSH
OpenSSH Command Injection(MITM)
Man-in-the-Middle Vulnerability
Attack
OpenSSH Remote Code Execution (RCE)
162.253.197.123 Vulnerability in its forwarded
OpenSSH Improper ssh-agent
Authorization
162.253.197.123 Vulnerability (CVE-2017-15906)
162.253.197.123 OpenSSH Integer overflow Vulnerability
162.253.197.123 SSL Certificate -- Self-Signed
SSL Certificate Certificate Failed
Signature Verification 443 tcp
162.253.197.123 Vulnerability 443 tcp
162.253.197.123 SSL Certificate - Improper Usage
OpenSSH Probable User Enumeration Vulnerability 443 tcp
206.197.9.75 OpenSSH
OpenSSH Command Injection(MITM)
Man-in-the-Middle Vulnerability
Attack
OpenSSH Remote Code Execution (RCE)
206.197.9.75 Vulnerability in its forwarded
OpenSSH Improper ssh-agent
Authorization
206.197.9.75 Vulnerability (CVE-2017-15906)
206.197.9.75 OpenSSH Integer overflow Vulnerability
206.197.9.75 SSL Certificate -- Self-Signed
SSL Certificate Certificate Failed
Signature Verification 443 tcp
206.197.9.75 Vulnerability 443 tcp
206.197.9.75 SSL Certificate - Improper Usage Vulnerability 443 tcp
done
stated
SSH
the
running
key
the
attackers
integer bythat
protocol.
client
parsing
keyUsage verifying
ssh tothey
overflow -V
establish
prior
met.
attacker
whether
via
created
OpenSSH
length tofiles.
8.8the
can
this
ssh-agent(1)'s
generally
versions
that
algorithm.
field
target
if the
intentionally
authenticates
command.
Affected in
a testing thepublic
Versions:
initial
client or the By exploiting this
omit
secure
QID
PKCS#11
for
prior Detection
impersonate
suspicion to 8.3 isof the vulnerability, man-in-
support
key in
validation
The
remote the
process_open
Unauthenticated:
OpenSSH
X509v3
connection
server isserver
5.7-8.6 Successful exploitation
connection.
Logic:
Affected
server
correct.
could
purposes
QID
Affected be
Detection Versions:
byThis
abused
or
Versions:to
certificate
"anomalous
function
using
Vulnerable
Affected
extensions
attempts
configured the in issftp-
server's
Versions:
(where
tofakeuse the-middle attacks in
This
OpenSSH
presenting
occurs
to
avoid
Logic:
signedachieve
OpenSSH because
paying
by versions
a
remote
versions
a a allows
tandem a with
remote DNSattacker
cache
5.0 argument
server.c
Certificate
QID
OpenSSH
section
ano
The Detection
host
crafted ofin
key 7.7and
versions
the
XMSS for Successful exploitation
unauthenticated
prior
self-signed
challenge
code
third-party
This
prior
trusted to 9.3p2
execution
to 7.6
third-isCAs.sent poisoning can occur.if a
to test and confirm
(AV:N/AC:L/ transfers"
OpenSSH
extracts
are
Logic:
through detected
certificate,
the
key. server
This the
7.9before
if
has
leads from
and allows
to certain an attacker toof
CVE ID CVSS Base basicConstraints
4.3 detection
QID
Threat
only
via
These
because
7.6
Public
Detection
certificate.
when
adoes
forwarded
should
unauthenticated
party works
Certificate
Key that
not in
If the
that not
the Impact
Successful combination
exploitation
Au:N/C:P/I:
(AV:N/AC:M the
This
8.x
memory
section
by
Logic:
client banner
before
present,
been cached
reviewing of
knows may 8.1
the by enumerate
the username
that usernames
and public
6.8 combination
agent
be
QID used
detection socket
on
Detection
Authority.
could
properly "stand preventany
works aif allows
Exception: a remote attacker
CVE-2018-15473 /Au:N/C:P/I: Certificate
N/A:N)
(AV:N/AC:M
exposed.
unauthenticated
restrict
the
version
This
could
the
by
Logic:
client).
corruption
certificate
server
be the
of
conditions
production
reviewing
to
may
the
does
valid usage
NOTE:
and
or for
the
on
key aistargeted
Successful
Successful
for known
command
Successful
If the server
system.
exploitation
to an SSH
exploitation
injection
exploitation
4.3 great
write
establish
detection
QID
of
some
localthe
specify chance
operations
Detection the
works
certificate.
reports
code ifofaitservice.
is of
a allows man-in-the-
CVE-2016-20012 N/A:N)
/Au:N/C:P/I: OpenSSH
unauthenticated
not
aThis
version
If have
login
mentioned
critical
areadonly
client session.
servers.the
is8.5here server.
allows
in an
the scp.c
allows
communicates attacker
toremote
aattackers
remote towith
attacker
only
(AV:N/AC:M breaking
in
secure
by reviewing
Logic:
state
execution that
Certificate existing
mode,
the
and middle tocode
CVE-2020-15778 7.5
P/A:P) detection
trusted
(https://www.ope
OpenSSH
unauthenticated
unable
workflows.
which to works
service.
verify perform
function
ahaving
restricteda remote
. set
readonly ofaccess
clients
/Au:N/C:P/I:
(AV:N/AC:L/ version
This
In
8.6
becauseareallows
connection.
general,
Authority
by reviewing
certificate,
Affected ofof
also
nssh.com/txt/rele
By exploiting
the
(CA)
Versions:
The
aitan the
will
this
target
execution initial connection
vulnerability
CVE-2020-14145 5.0
N/A:N) detection
the
OpenSSHcertificate,
attackers
authentication
unauthenticated
server
affected.
error inpublic
the works
to
service. key
XMSS it
is to
who create
attemptshave
Successful zero-length
the server
exploitation
Au:N/C:P/I:P
(AV:N/AC:L/ certificate.
version
accept
OpenSSH
ase-9.3p2)
vulnerability,
by reviewing of
this Also,
the
versions
are an via
the filesaresulting
forwarded agent
in or
4.4 can
create
done abort
Affected
detection
should
key by zero-
parsingnot Versions:
verifying
works
be certificate
leads
If the to or the
memory
keyUsage trusted
the
CVE-2023-38408 /A:P) the
OpenSSH
spoofed
prior
met. keyUsage
attacker
Au:N/C:N/I: that
version to 8.8
ofcanservice.
the socket.
improper authorization
(AV:L/AC:M/ communication
OpenSSH
length
by
used the files.
reviewing
Affected
algorithm.for versions
public
Versions: the or CA
By certificate,
exploiting
corruption
basicConstraint and then
thislocal
field the
is
CVE-2017-15906 6.4
P/A:N) field
QID
OpenSSH in
certificate the
Detection
impersonate and
service. By
the server
and exploiting
lack of this
Integrity.
Au:N/C:P/I:P prompt
prior
key
versionin to
Certificate
OpenSSH the the
8.3
of the
or user
5.7-8.6 CRL code or
vulnerability, CA
execution
designated ascertificate
man-in-
a on the
critical
(AV:N/AC:L/ X509v3
communicate
Logic:
Affected
server Versions:
byVersions: vulnerability,
Successful an attacker
exploitation
CVE-2019-16905 6.4
/A:P) to
QID continue
Affected
OpenSSH
signing,Detection
certificate isthe or may
service. not be
the-middle
targeted available
attacks
system. in
Au:N/C:P/I:P
(AV:N/AC:L/
Affected
OpenSSH thearemote
extensions
with
This
presenting
communication
Logic:
OpenSSH
client
a fake parameter
Versions:
versions
versions can
allowslaunch
publicly, a within
remote
and
theattacker
a man-in-
the scan
5.0 signed
CA
QID
OpenSSH
section by
certificate
Detection
of a
7.7
the tandem
certificate, the DNS cache
client
/A:N)
Au:N/C:P/I:P server.
unauthenticated
prior to
self-signed
without
This
prior tobe 9.3p2
7.6 the-middle
to
willtest
be and
unable attack.
confirm
to verifyif a
(AV:N/AC:L/ trusted
should
Logic:
through
certificate, third-
7.9 not
if and poisoning
may abort can
the occur.
4.3
/A:N) detection
QID Detection
certificate.
authentication.
unauthenticated works
If the certain
the combination
signature.
Successful exploitation of
Au:N/C:N/I: party
(AV:N/AC:M used
This
8.x
present,
by
Certificate
as
before
reviewing
Logic:
client knowsamayserver
8.1thatthe communication
username and if the
public
6.8
P/A:N) detection
QID Detection
Authority.
certificate.
unauthenticated
restrict the works allows
usage Exception:
usage
Successful a remote
validation attacker
fails.
exploitation
/Au:N/C:P/I:
(AV:N/AC:M version
This
thereviewing
by
Logic: server of the does key
the Successful
for is server
known
command
Successful
If the to an
exploitation
injection
exploitation SSH
CVE-2016-20012 4.3
N/A:N) detection
QID
of the
OpenSSH Detection
unauthenticated
not have a works
certificate.
service. allows
server.
allows man-in-the-
an attacker to
/Au:N/C:P/I:
(AV:N/AC:M version
This
If
by areviewing
client ofisthethe communicatesin the scp.c
allows remotetoremote
aattackers attacker
only with
CVE-2020-15778 7.5
P/A:P)
Logic:
detection
trusted
OpenSSH
unauthenticated
unable to works middle
service.
verify perform
function
having
a a. remote
readonly
restricted set of
tocode
access
clients
/Au:N/C:P/I:
(AV:N/AC:L/ version
This
In
by general,
reviewing of the ait will
the target initial connection
CVE-2020-14145 5.0
N/A:N)
certificate,
detection
the
OpenSSHcertificate,
unauthenticated
server public works
service. keyit execution
to
who create
attempts
Successful
vulnerability
havezero-length
the server
exploitation
Au:N/C:P/I:P by
(AV:N/AC:L/ version
accept
can reviewing
abort of thethe files
this via aresulting
forwarded
certificate in agent
CVE-2023-38408 4.4
/A:P) detection
should
OpenSSH
spoofed works
notservice.
be If the keyUsage ortrusted
leads
socket. to or
memory the the
Au:N/C:N/I:
(AV:L/AC:M/ version
communication
by
used reviewing of the or
for andthe basicConstraint improper
CA
corruption authorization
certificate,and then
fieldthe
local is
CVE-2017-15906 6.4
P/A:N) certificate
OpenSSH
prompt the service.
user By
and exploiting
server lackorof this
CAIntegrity.
certificate
Au:N/C:P/I:P
(AV:N/AC:L/ version
Certificate
communicate of the
or CRL code execution
designated as a on the
critical
CVE-2019-16905 6.4
/A:P) to continue
OpenSSH
signing, the or vulnerability,
service.
aremote
client may
targetednot be
parameter system.
in
an attacker
available
the
Au:N/C:P/I:P
(AV:N/AC:L/ with the
communication can launch
publicly, and a man-in-
the scan
5.0
/A:N) CA certificate certificate, the client
Au:N/C:P/I:P server.
(AV:N/AC:L/ withoutbe not
should
the-middle
will be
may unable
abort
attack.
the to verify
/A:N)
Au:N/C:N/I: authentication.
used as a server the signature. if the
communication
P/A:N) certificate. usage validation fails.
or later versions
Customers are to
advised to 15778-Exploit
exploit
considered
integer repository
overflow if a
(https://www.openssh.com/)
Customers
upgrade to are advised
OpenSSH 8.3to recognize
loading
username
OpenSSH intouser
Description:Evan-andssh-
before
Reference:CVE-2020- public
remediate
upgrade
or later
upgrade toto
to this vulnerability.
OpenSSH
remediate
OpenSSH 8.7
these
9.3p2 Link:https://
experimental
client or
enumeration
agent.) server
NOTE: in
as is
a
thisall
(https://www.openssh.com/) key
9.3p2is known
has an
Zhangyf/CVE-2020-
15778 to an
Patch:
vulnerabilities.
(https://www.openssh.com/t gitee.com/
released
configured
vulnerability
issue
SSH exists
server, OpenSSH
to use
tofor
because
test a
this
or later
Customers
Followingto remediate
are
are advised
links forthese
to insufficiently
15778 exploit
Description:cpandya
mirrors_Rhynorater/
or later
Patch: to remediate
xt/release-9.3p2) these
or later versions,
crafted
product
to whether
of and
XMSS
an incomplete there
key.
thissearch fixis Vulnerable SSH-2.0-
vulnerabilities.
upgrade
downloadingto OpenSSH
vulnerabilities. patches to fix trustworthy
7.6 repository
2909/CVE-2020-
CVE-2018-15473-
no supported
Following
remediate
Patch: are links
these for
the vulnerabilities:
This leads
Link:https://
for
suspicion
path,
15778
Exploit leading
Link:https:// to
CVE-2016-10009. to to OpenSSH_7.4
way
memory
is correct.
exploit Vulnerable
Vulnerable
detected on
SSH-2.0-
SSH-2.0-
Customers
downloading are
vulnerabilities.
Solution advised
patches toto
fix enable
corruption it
Link:https://
Exploitability
This occurs
remote code when
rushter.com/blog/and
becauselocal a port 22
Results over TCP.Vulnerable Client Justification
Following
or later totoare
OpenSSH
Patch:
upgrade 7.8 links
remediate for8.1
or later
OpenSSH github.com/Evan-
these repository
building portable OpenSSH_7.4
OpenSSH_7.4
Vulnerable detected
detected on
SSH-2.0- on
Patch:
downloading patches code execution
public-ssh-keys/
www.qualys.com/
challenge
execution
to fix Link:https:// is
if
Zhangyf/CVE-2020- sent
an only
agent SSH-2.0-OpenSSH_7.8-FIPS
port 22
vulnerabilities.
(https://www.openbsd.org/)
Following
OpenSSH
Following are
8.8links
are for
or later
links for OpenSSH.
because of antoerror
2023/07/19/cve- port 22 over
detected over
OpenSSH_7.4
Vulnerable
TCP.Vulnerable
TCP.
detected
onSSH-2.0-
port on
930 over
Patch: when
is
15778 that
forwarded
github.com/ an SSH-2.0-OpenSSH_7.8-FIPS
downloading
or patches
later to remediate
downloading patches to
to fix
these
fix Link:https://ssd-
in the XMSS
2023-38408/rce-
combination
attacker-controlled key port
TCP. 22 over
OpenSSH_7.4 TCP.Vulnerable
could detected on port 930 overdetected on
OpenSSH
Following
the 8.3links for
are
vulnerabilities:
vulnerabilities. cpandya2909/CVE-
disclosure.com/ SSH-2.0-OpenSSH_7.8-FIPS
the vulnerabilities: parsing
be valid algorithm.
openssh-forwarded-
for a login port 22 over TCP.Vulnerable
downloading
CVE-2020-14145 patches to fix system.
(https://www.openssh.com/) 2020-15778 (Code in TCP.
Patch:
OpenSSH
Customers 9.3p2
are advised to NOTE: the
ssh-agent.txt
session.
/usr/lib XMSSthe detected
archives/4033/ssd-
isNOTE:
not
on port 930 over
SSH-2.0-OpenSSH_7.8-FIPS
Following are links for Reference:CVE-2020-
advisory-openssh-
implementation is TCP.
(https://www.openssh.com/t
upgrade
OpenSSH
Customers to7.6
OpenSSH
are advised8.8to vendor doessafe
necessarily detected
notfor Certificate
Vulnerableon#0 port 930 over
SSH-2.0-
downloading
Customers are
xt/release-9.3p2) patches
advised
Customers are advised fix 15778
toto
to pre-auth-xmss-
considered
recognize
loading intouserssh- TCP.
emailAddress=itservicedesk@
upgrade
the to OpenSSH
vulnerabilities: 8.3 Description:Evan- OpenSSH_7.4
Certificate #0 detected on
upgrade
Please
or later
upgrade toto
installOpenSSH
toremediate
xt/release-7.6)OpenSSH
(https://www.openssh.com/) these integer-overflow
a server8.7
9.3p2 experimental
enumeration
agent.) NOTE:as
Zhangyf/CVE-2020-
in aall Vulnerable
this port 22 over
SSH-2.0-
voxai.com,CN=voxalb128t-
TCP.
As confirmed by
OpenSSH 8.1
certificate signed
vulnerabilities. by
(https://www.openssh.com/ta released
vulnerability
issue existsOpenSSHfor this OpenSSH_7.8-FIPS
Certificate #0 detected
b3.voxai.com,OU=IT,O=Voxai,
because voxai.com,CN=voxalb128t- Juniper Team the
Please
or
or later
laterinstall
Customersto
to area advised
serverthese
remediate
remediate to
these 15778
versions, exploit
and there is on port 930 over TCP.
emailAddress=itservicedesk@ CVE mentioned does
trusted
Patch: third-party
xt/release-9.3p2)
certificatetosigned
vulnerabilities.
upgrade OpenSSH or later
by a7.6 to ofproduct
an incomplete fix Vulnerable
repository L=Dallas,ST=Texas,C=US
SSH-2.0-
b3.voxai.com,OU=IT,O=Voxai, is a
vulnerabilities.
Certificate
Following
remediate Authority.
are links for
these no supported
Link:https://
for way
CVE-2016-10009. OpenSSH_7.4to voxai.com,CN=voxalb128t-
self signed certificate.
detected on not affect the
trusted third-party
Patch: install server totofix Link:https://
Please
Customers areapatches
advised enable it when L=Dallas,ST=Texas,C=US
Vulnerable SSH-2.0-
b3.voxai.com,OU=IT,O=Voxai, self current 128T SSH.
downloading
vulnerabilities.
Certificate
Following
or later to Authority.
are links
remediate forthese rushter.com/blog/
Link:https://
github.com/Evan- port
signed22 over
certificate
detected on
certificate
Patch:
upgrade
the towith correct
OpenSSH
vulnerabilities:
Patch: 8.1 building portable
public-ssh-keys/ L=Dallas,ST=Texas,C=US
Vulnerable SSH-2.0-
SSH-2.0-OpenSSH_7.8-FIPS is not Please find the
downloading
vulnerabilities.
usage.
Following are patches
links for
(https://www.openssh.com/) to fix www.qualys.com/
Zhangyf/CVE-2020-
OpenSSH. port 22 over
suitable for
CRL signing.
detected on evidence.
OpenSSH
Following
the 8.8
are or later
links
vulnerabilities:
Patch: for 2023/07/19/cve-
15778 detected
Vulnerableon port 930
SSH-2.0-
SSH-2.0-OpenSSH_7.8-FIPS over
downloading
or later to patches
remediate
downloading to fix
these Link:https://ssd- port
TCP. 22 over TCP.Vulnerable
OpenSSH
Following
the 8.3patches
are links forto fix 2023-38408/rce-
vulnerabilities:
vulnerabilities. disclosure.com/
OpenSSH_7.4
detected detected
on port on
930 over
downloading openssh-forwarded-
patches to fix archives/4033/ssd- TCP. port 22 over TCP.Vulnerable
CVE-2020-14145
Patch:
OpenSSH 9.3p2 ssh-agent.txt detected on port 930 over
Following are links for advisory-openssh- TCP.
OpenSSH 7.6patches to fix pre-auth-xmss- detected on#0
Certificate
Vulnerable port 930 over
SSH-2.0-
downloading
xt/release-9.3p2) TCP.
the vulnerabilities: integer-overflow OpenSSH_7.4
Certificate
Vulnerable #0 detected on
SSH-2.0- As confirmed by
Please install a server
xt/release-7.6) voxai.com,CN=VOXROS128T-
port 22 over TCP.
OpenSSH
certificate 8.1
signed by a OpenSSH_7.8-FIPS
Certificate #0 detected
A3.voxai.com,OU=IT,O=Voxai, Juniper Team the
Please install a server
(https://www.openssh.com/) voxai.com,CN=VOXROS128T-
on port 930 over TCP.
emailAddress=itservicedesk@ CVE mentioned does
trusted third-party
certificate signed by a L=Dallas,ST=Texas,C=US
A3.voxai.com,OU=IT,O=Voxai, is a
Certificate Authority. voxai.com,CN=VOXROS128T-
self signed certificate. self not affect the
trustedinstall
Please third-party
a server L=Dallas,ST=Texas,C=US
A3.voxai.com,OU=IT,O=Voxai, current 128T SSH.
Certificate Authority.
certificate with correct signed certificate
L=Dallas,ST=Texas,C=US is not Please find the
usage. suitable for CRL signing. evidence.
Evidence Attachment ControlCase Comments
ASA_DO. png
Evidence_Upgrade_128T.png
Evidence_Upgrade_128T.png
Component Special Note
97.105.187.42 Remote Access or Management Service Detected
- declaration that the software is implemented with strong security con
Item Noted - Confirmation of removal of software if service is disabled of public acc
Remote Access detected Service name: ISAKMP
on UDP port
Remote 500.
Access Service Service
detected name: SNMP
name:on UDP
SSH on
port
TCP 161.
port 22. Service name: SSH on TCP port 930.
Remote Access Detected Service name: ISAKMP
on UDP port
Remote 500.
Access detected Service name: SSH on
TCP port 22. Service name: SSH on TCP port 930.
Special Notes by ASV Customer Comments
Special Note to Scan Customer: Due to increased
risk to the
Special cardholder
Note data environment
to Scan Customer: when
Due to increased
remote
risk access
to the software
cardholder is present, 1)
data environment justify
whenthe
Special
business Note
needtofor
Scan
thisCustomer:
software Due
to toASV
the increased
and
remote
risk access
to the software
cardholder is present, 1)
data environment justify
whenthe
Special
business Note
needtofor
Scan
thisCustomer:
software Due
to toASV
the increased
and
remote access
risk to the software
cardholder is present,
data 1) justify
environment whenthe
business need for this software to the ASV and
remote access software is present, 1) justify the
business need for this software to the ASV and

Voxai Solutions ASV Scan Q1 Summary Report 20 November 2023

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Voxai Solutions ASV Scan Q1 Summary Report 20 November 2023

Uploaded by

Copyright:

Available Formats

1 Review the vulnerabilities that are there in "PCI Affecting" worksheet and for the vulnerabilities that you

You might also like