Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Nessus: users

false positive?

 

 

Nessus users RSS feed   Index | Next | Previous | View Threaded


deepakm at rice

Feb 5, 2009, 12:54 PM

Post #1 of 4 (6209 views)
Permalink
false positive?

Question..



Vulnerability Nessus ID 34820 shows that a server has the vulnerability:



Symantec Backup Exec Authentication Bypass and Potential Buffer Overflow

ID: 34820
<https://128.42.174.70/sc3/console.php?psid=8000&ctxid=8001%5enewscan%5eplug
inid:34820> Family: Gain root remotely NASL: PLUGIN.nasl
<https://128.42.174.70/sc3/console.php?view_nasl=PLUGIN.nasl>


Synopsis :

It is possible to bypass the backup agent authentication.

Description :

The remote host is running a version of VERITAS Backup Exec Agent which is
vulnerable to multiple authentication bypass issues.

An attacker may exploit this flaw to manage the backup agent and/or to
execute commands with high privileges.

Solution :

http://www.symantec.com/avcenter/security/Content/2008.11.19.html

Risk factor :

Critical / CVSS Base Score : 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)



But, this fix was to install the latest and greatest version of BES, which
it already has the newest version/the fix for this vulnerability.



So, why does the vulnerability still show positive? I was not able to open
the .nasl to see what the scan is doing:



But, I was not able to open the "PLUGIN.nasl"



Please advise. Thanks!



Dee


theall at tenablesecurity

Feb 5, 2009, 1:43 PM

Post #2 of 4 (5969 views)
Permalink
Re: false positive? [In reply to]

On Feb 5, 2009, at 3:54 PM, Deepak J. Mathew wrote:

> Vulnerability Nessus ID 34820 shows that a server has the
> vulnerability:
...
> So, why does the vulnerability still show positive?

Would you mind taking a full packet capture of traffic to/from the
affected service when you run a scan with just this plugin enabled and
then sending it to me privately?


George
--
theall [at] tenablesecurity



_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


deraison-lists at nessus

Feb 6, 2009, 1:40 AM

Post #3 of 4 (5949 views)
Permalink
Re: false positive? [In reply to]

On Feb 5, 2009, at 9:54 PM, Deepak J. Mathew wrote:

> Question..
>
> Vulnerability Nessus ID 34820 shows that a server has the
> vulnerability:
[...]
> But, this fix was to install the latest and greatest version of BES,
> which it already has the newest version/the fix for this
> vulnerability.
>
Which version did you install exactly ?


_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus


deepakm at rice

Feb 6, 2009, 6:34 AM

Post #4 of 4 (5949 views)
Permalink
RE: false positive? [In reply to]

I'm assuming you are asking about the Backup Exec version. It's version
12.5 Rev. 2213 SP1 with Hotfix 317412

-----Original Message-----
From: Renaud Deraison [mailto:deraison-lists [at] nessus]
Sent: Friday, February 06, 2009 3:40 AM
To: Deepak J. Mathew; Nessus Discussion Board
Subject: Re: false positive?


On Feb 5, 2009, at 9:54 PM, Deepak J. Mathew wrote:

> Question..
>
> Vulnerability Nessus ID 34820 shows that a server has the
> vulnerability:
[...]
> But, this fix was to install the latest and greatest version of BES,
> which it already has the newest version/the fix for this
> vulnerability.
>
Which version did you install exactly ?



_______________________________________________
Nessus mailing list
Nessus [at] list
http://mail.nessus.org/mailman/listinfo/nessus

Nessus users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.