Mailing List Archive: Nessus: users

Plugin 26919

Index | Next | Previous | View Threaded

cmn at leicester

Nov 14, 2007, 6:50 AM

Post #1 of 2 (397 views)
Permalink

Plugin 26919

Hi,

Plugin 26919 says:

........
Synopsis : It is possible to log into the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it as a guest user using a random account.

In the group policy change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
........

Could someone explain what the significance or seriousness of this is? Does it suggest a remote or local exploit is possible? If so what can be achieved and how can I confirm that the report is correct?

--
Carl Nelson,
Information Security Office,
IT Services,
University of Leicester, Leicester, LE1 7RH, U.K.
Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus

rgula at tenablesecurity

Nov 14, 2007, 8:13 AM

Post #2 of 2 (359 views)
Permalink

Re: Plugin 26919 [In reply to]

Hi Carl,

>From where you performed your Nessus scan against this Windows host,
anyone with network access to that system can log into it with a bogus
account.

If this system is outisde of a firewall or reachable by just about
anyone in your organization, this could be a serious problem for you. If
you had to go through extraordinary effort to scan this box (plug in to
a DMZ, get the IT guys to open firewall ports, .etc) this is something
that should be fixed, but won't be as serious.

If your system has any other vulnerabilities, such as a locally
exploitable vulnerability, it may be possible for a remote user to
connect with a guest account and then attempt to become an
administrator. Of course, if the system isn't really hardened, a guest
account might be all the access that a remote user would need to read
files, install a backdoor, turn the system into a bot, launch attacks
against other systems and so on.

To verify that remote access is allowed by this host, you could try
using the smbshell tool from Tenable:

http://cgi.tenablesecurity.com/tenable/smbshell.php

Keep in mind that Windows has many different types of access control for
file access and program execution. The plugin said that it could log in.
Your IT people may have put some level of security of hardening for
'Guest' users or they may not have.

Ron Gula
Tenable Network Security

Nelson, C.M. wrote:
> Hi,
>
> Plugin 26919 says:
>
> ........
> Synopsis : It is possible to log into the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it as a guest user using a random account.
>
> In the group policy change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
> ........
>
>
> Could someone explain what the significance or seriousness of this is? Does it suggest a remote or local exploit is possible? If so what can be achieved and how can I confirm that the report is correct?
>
> --
> Carl Nelson,
> Information Security Office,
> IT Services,
> University of Leicester, Leicester, LE1 7RH, U.K.
> Tel: +44 (0)116 252 2060, Fax: +44 (0)116 252 5027
> _______________________________________________
> Nessus mailing list
> Nessus [at] list
> http://mail.nessus.org/mailman/listinfo/nessus
>

_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads