ID APC_SMARTSLOT_FACTORY_PASSWORD.NASL Type nessus Reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. Modified 2021-03-02T00:00:00
Description
The remote APC SmartSlot Web/SNMP Management card accepts a publicly
known factory password regardless of the user name supplied. An attacker
who can reach the card's telnet interface can log in with any user name
and the factory password 'TENmanUFactOryPOWER' and thereby control the
management card.
#
# (C) Tenable Network Security, Inc.
#
# Refs:
# Subject: APC 9606 SmartSlot Web/SNMP management card "backdoor"
# From: Dave Tarbatt <bugtraq@always.sniffing.net>
# To: bugtraq@securityfocus.com
# Date: 16 Feb 2004 11:24:32 +0000
#
include("compat.inc");
# Plugin registration block: metadata only, nothing here contacts the
# target. The loader reads these calls in order, so keep the layout.
if(description)
{
script_id(12066);
script_version ("1.18");
script_cve_id("CVE-2004-0311");
script_bugtraq_id(9681);
script_xref(name:"Secunia", value:"10905");
script_name(english:"APC SmartSlot Web/SNMP Management Card Default Password");
script_summary(english:"Logs into the remote host");
script_set_attribute(attribute:"synopsis", value:
"The remote host has a default password set." );
script_set_attribute(attribute:"description", value:
"The remote APC Smartslot Web/SNMP Management card ships with a default
username and password. An attacker can use this information to access
the remote APC device with any username and the factory password
'TENmanUFactOryPOWER'." );
# Vendor FAQ entry plus the three Bugtraq posts (original report and
# follow-ups) that disclosed the factory password.
script_set_attribute(attribute:"see_also", value:"http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=3131&p_created=1077139129" );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Feb/456" );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Feb/512" );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Feb/514" );
# There is no configuration workaround offered here; only a firmware
# upgrade removes the factory credential.
script_set_attribute(attribute:"solution", value:
"Upgrade the firmware according to the APC recommendations." );
# Base 10.0: network-reachable, no authentication, complete loss of
# confidentiality, integrity and availability of the management card.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
# No exploit code is needed: the fixed password alone grants access.
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2004/02/18");
script_set_attribute(attribute:"vuln_publication_date", value: "2004/02/18");
script_cvs_date("Date: 2018/11/15 20:50:23");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# ACT_GATHER_INFO: the check logs in but issues no commands on the device.
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
script_dependencie("find_service1.nasl");
# Scheduled when a telnet service has been identified or TCP/23 is open.
script_require_ports("Services/telnet", 23);
exit(0);
}
#
# The script code starts here :
#
include('telnet_func.inc');
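# Use the telnet port recorded by the service detection this plugin
# depends on (see script_require_ports above), falling back to 23 so
# a card running telnet on a non-standard port is still tested.
port = get_kb_item("Services/telnet");
if (!port) port = 23;
if (!get_port_state(port)) exit(0);

# Cheap pre-check against the cached banner before opening our own
# connection. The original compared against 'buf', which is unset at
# this point, so the test always bailed out here and the factory
# password was never tried -- a silent false negative on a CVSS 10
# finding. Compare the banner that was actually fetched.
banner = get_telnet_banner(port:port);
if ("User Name :" >!< banner) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

buf = telnet_negotiate(socket:soc);
if ("User Name :" >< buf)
{
  # Any user name is accepted together with the factory password, so
  # send a placeholder name and wait for the password prompt.
  send(socket:soc, data:string("*\r\n"));
  buf = recv_line(socket:soc, length:1024);
  if ("Password" >< buf)
  {
    send(socket:soc, data:'TENmanUFactOryPOWER\r\n');
    buf = recv(socket:soc, length:4096);
    # A successful factory login lands in the manufacturing menu. Only
    # the greeting is read; no command is ever issued on the device.
    if ("Factory Menu" >< buf ||
        "Final Functional Test" >< buf) security_hole(port);
  }
}
# NOTE(review): the session is torn down without an explicit logout. If
# the card limits concurrent telnet sessions this may hold the console
# until its idle timeout -- confirm on hardware before relying on it.
close(soc);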
{"id": "APC_SMARTSLOT_FACTORY_PASSWORD.NASL", "bulletinFamily": "scanner", "title": "APC SmartSlot Web/SNMP Management Card Default Password", "description": "The remote APC Smartslot Web/SNMP Management card ships with a default\nusername and password. An attacker can use this information to access\nthe remote APC device with any username and the factory password\n'TENmanUFactOryPOWER'.", "published": "2004-02-18T00:00:00", "modified": "2021-03-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/12066", "reporter": "This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.", "references": ["http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=3131&p_created=1077139129", "https://seclists.org/bugtraq/2004/Feb/512", "https://seclists.org/bugtraq/2004/Feb/456", "https://seclists.org/bugtraq/2004/Feb/514"], "cvelist": ["CVE-2004-0311"], "type": "nessus", "lastseen": "2021-03-01T01:24:19", "edition": 27, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-0311"]}, {"type": "osvdb", "idList": ["OSVDB:3985"]}, {"type": "nessus", "idList": ["SNMP_DEFAULT_COMMUNITIES.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:136141256231010264"]}], "modified": "2021-03-01T01:24:19", "rev": 2}, "score": {"value": 6.2, "vector": "NONE", "modified": "2021-03-01T01:24:19", "rev": 2}, "vulnersScore": 6.2}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Refs:\n# Subject: APC 9606 SmartSlot Web/SNMP management card \"backdoor\"\n# From: Dave Tarbatt <bugtraq@always.sniffing.net>\n# To: bugtraq@securityfocus.com\n# Date: 16 Feb 2004 11:24:32 +0000\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(12066);\n script_version (\"1.18\");\n script_cve_id(\"CVE-2004-0311\");\n script_bugtraq_id(9681);\n script_xref(name:\"Secunia\", value:\"10905\");\n \n script_name(english:\"APC SmartSlot Web/SNMP Management 
Card Default Password\");\n script_summary(english:\"Logs into the remote host\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a default password set.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote APC Smartslot Web/SNMP Management card ships with a default\nusername and password. An attacker can use this information to access\nthe remote APC device with any username and the factory password\n'TENmanUFactOryPOWER'.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=3131&p_created=1077139129\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Feb/456\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Feb/512\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2004/Feb/514\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the firmware according to the APC recommendations.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/02/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/02/18\");\n script_cvs_date(\"Date: 2018/11/15 20:50:23\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_dependencie(\"find_service1.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n exit(0);\n}\n\n#\n# The script code 
starts here : \n#\n\ninclude('telnet_func.inc');\nport = 23;\nif(get_port_state(port))\n{\n banner = get_telnet_banner(port:port);\n if ( \"User Name :\" >!< buf ) exit(0);\n\n soc = open_sock_tcp(port);\n if(soc)\n {\n buf = telnet_negotiate(socket:soc);\n if (\"User Name :\" >< buf)\n {\n data = string(\"*\\r\\n\");\n send(socket:soc, data:data);\n buf = recv_line(socket:soc, length:1024);\n\t if ( \"Password\" >!< buf ) exit(0);\n\t send(socket:soc, data:'TENmanUFactOryPOWER\\r\\n');\n\t buf = recv(socket:soc, length:4096);\n\t if (\"Factory Menu\" >< buf ||\n\t\t\"Final Functional Test\" >< buf ) security_hole(port);\n }\n close(soc);\n }\n}\n\n", "naslFamily": "Misc.", "pluginID": "12066", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:22:58", "description": "American Power Conversion (APC) Web/SNMP Management SmartSlot Card 3.0 through 3.0.3 and 3.21 are shipped with a default password of TENmanUFactOryPOWER, which allows remote attackers to gain unauthorized access.", "edition": 4, "cvss3": {}, "published": "2004-11-23T05:00:00", "title": "CVE-2004-0311", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0311"], "modified": "2017-07-11T01:30:00", "cpe": ["cpe:/h:apc:ap9606:3.0.1", "cpe:/h:apc:ap9606:3.0"], "id": "CVE-2004-0311", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0311", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:h:apc:ap9606:3.0:*:*:*:*:*:*:*", "cpe:2.3:h:apc:ap9606:3.0.1:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:58", "bulletinFamily": "software", "cvelist": ["CVE-2004-0311"], "edition": 1, "description": "## Vulnerability Description\nBy default, APC Smartslot Web/SNMP Management Card ships with a default password. An attacker can supply any account name and a password of TENmanUFactOryPOWER which is publicly known and documented. This allows attackers to trivially access the program or system.\n## Solution Description\nUpgrade to latest firmware for your hardware, as it has been reported to fix this vulnerability. 
An upgrade is required as there are no known workarounds.\n## Short Description\nBy default, APC Smartslot Web/SNMP Management Card ships with a default password. An attacker can supply any account name and a password of TENmanUFactOryPOWER which is publicly known and documented. This allows attackers to trivially access the program or system.\n## References:\nVendor URL: http://www.apcc.com/\nVendor Specific Solution URL: http://www.apc.com/go/direct/index.cfm?tag=sa2988_patch\n[Secunia Advisory ID:10905](https://secuniaresearch.flexerasoftware.com/advisories/10905/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-02/0460.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-02/0527.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-02/0517.html\nKeyword: APC,AP9606,AP9617,AP9618,AP9618,Management Card,Smartslot\nISS X-Force ID: 15238\nGeneric Exploit URL: http://packetstormsecurity.nl/0402-exploits/apc_9606_backdoor.txt\n[CVE-2004-0311](https://vulners.com/cve/CVE-2004-0311)\nBugtraq ID: 9681\n", "modified": "2004-02-18T04:50:22", "published": "2004-02-18T04:50:22", "href": "https://vulners.com/osvdb/OSVDB:3985", "id": "OSVDB:3985", "type": "osvdb", "title": "APC SmartSlot Web/SNMP Management Card Default Password", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-03-01T06:25:25", "description": "It is possible to obtain the default community names of the remote\nSNMP server.\n\nAn attacker can use this information to gain more knowledge about the\nremote host or to change the configuration of the remote system (if\nthe default community allows such modifications).", "edition": 26, "published": "2002-11-25T00:00:00", "title": "SNMP Agent Default Community Names", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0792", "CVE-2002-0478", "CVE-2001-0514", "CVE-2010-1574", "CVE-1999-0517", "CVE-2002-0109", 
"CVE-2001-0380", "CVE-2004-0311", "CVE-2002-1229", "CVE-1999-0516", "CVE-2000-0147", "CVE-2004-1474", "CVE-1999-0254", "CVE-1999-0186", "CVE-2001-1210", "CVE-1999-0472"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:snmp:snmp"], "id": "SNMP_DEFAULT_COMMUNITIES.NASL", "href": "https://www.tenable.com/plugins/nessus/10264", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\n#\n# Thanks to the following persons for having sent additional\n# SNMP communities over time :\n#\n# Javier Fernandez-Sanguino, Axel Nennker and the following references :\n#\n# From: Raphael Muzzio (rmuzzio_at_ZDNETMAIL.COM)\n# Date: Nov 15 1998\n# To: bugtraq@securityfocus.com\n# Subject: Re: ISS Security Advisory: Hidden community string in SNMP\n# (http://lists.insecure.org/lists/bugtraq/1998/Nov/0212.html)\n#\n# Date: Mon, 5 Aug 2002 19:01:24 +0200 (CEST)\n# From:\"Jacek Lipkowski\" <sq5bpf@andra.com.pl>\n# To: bugtraq@securityfocus.com\n# Subject: SNMP vulnerability in AVAYA Cajun firmware\n# Message-ID: <Pine.LNX.4.44.0208051851050.3610-100000@hash.intra.andra.com.pl>\n#\n# From:\"Foundstone Labs\" <labs@foundstone.com>\n# To: da@securityfocus.com, vulnwatch@vulnwatch.org\n# Subject: Foundstone Labs Advisory - Information Leakage in Orinoco and Compaq Access Points\n# Message-ID: <9DC8A3D37E31E043BD516142594BDDFAC476B0@MISSION.foundstone.com>\n#\n# CC:da@securityfocus.com, vulnwatch@vulnwatch.org\n# To:\"Foundstone Labs\" <labs@foundstone.com>\n# From:\"Rob Flickenger\" <rob@oreillynet.com>\n# In-Reply-To: <9DC8A3D37E31E043BD516142594BDDFAC476B0@MISSION.foundstone.com>\n# Message-Id: <D8F6A4EC-ABE3-11D6-AF54-0003936D6AE0@oreillynet.com>\n# Subject: Re: [VulnWatch] Foundstone Labs Advisory - Information Leakage in Orinoco and Compaq Access Points\n#\n# http://www.securityfocus.com/archive/1/313714/2003-03-01/2003-03-07/0\n# http://www.nessus.org/u?b471b647\n#\n\nif (description)\n{\n script_id(10264);\n script_version(\"1.107\");\n 
script_cvs_date(\"Date: 2018/07/30 15:31:32\");\n\n script_cve_id(\n \"CVE-1999-0186\",\n \"CVE-1999-0254\",\n \"CVE-1999-0472\",\n \"CVE-1999-0516\",\n \"CVE-1999-0517\",\n \"CVE-1999-0792\",\n \"CVE-2000-0147\",\n \"CVE-2001-0380\",\n \"CVE-2001-0514\",\n \"CVE-2001-1210\",\n \"CVE-2002-0109\",\n \"CVE-2002-0478\",\n \"CVE-2002-1229\",\n \"CVE-2004-0311\",\n \"CVE-2004-1474\",\n \"CVE-2010-1574\"\n );\n script_bugtraq_id(\n 177,\n 973,\n 986,\n 2112,\n 3758,\n 3795,\n 3797,\n 4330,\n 6825,\n 7081,\n 7212,\n 7317,\n 9681,\n 10576,\n 11237,\n 41436\n );\n script_xref(name:\"CERT\", value:\"732671\");\n script_xref(name:\"EDB-ID\", value:\"20892\");\n\n script_name(english:\"SNMP Agent Default Community Names\");\n script_summary(english:\"Checks default community names of the SNMP agent.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n \"The community names of the remote SNMP server can be guessed.\");\n script_set_attribute(attribute:\"description\",value:\n\"It is possible to obtain the default community names of the remote\nSNMP server.\n\nAn attacker can use this information to gain more knowledge about the\nremote host or to change the configuration of the remote system (if\nthe default community allows such modifications).\");\n script_set_attribute(attribute:\"solution\",value:\n\"Disable the SNMP service on the remote host if you do not use it,\nfilter incoming UDP packets going to this port, or change the default\ncommunity string.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1998/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/11/25\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:snmp:snmp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SNMP\");\n\n script_dependencies(\"find_service2.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_timeout(540); # max number of community names to test * 10.\n exit(0);\n}\n\ninclude (\"global_settings.inc\");\ninclude (\"misc_func.inc\");\ninclude (\"snmp_func.inc\");\ninclude (\"audit.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\n# if we don't know which versions of SNMP are supported, try both v2c and v1.\n# Protect against the fact that this host may be configured for SNMPv3 auth.\nif ( get_kb_item(\"SNMP/version\") )\n{\n if ( get_kb_item(\"SNMP/version_v1\") )\n vers = make_list(0);\n else\n vers = make_list(1);\n}\nelse vers = make_list(1, 0);\n\nport = get_kb_item(\"SNMP/port\");\nif(!port){\n\tport = 161;\n\tsnmp_not_detected = TRUE;\n\t}\nif (! 
get_udp_port_state(port)) exit(0, \"UDP port \"+port+\" is not open.\");\n\n# CS-21187: privat, German for private\ndefault = make_list(\"private\", \"privat\", \"public\", \"cisco\");\nextra = make_list(\n \"0392a0\",\n \"ANYCOM\",\n \"Cisco router\",\n \"ILMI\",\n \"NoGaH$@!\",\n \"OrigEquipMfr\",\n \"Secret C0de\",\n \"TENmanUFactOryPOWER\",\n \"admin\",\n \"agent\",\n \"agent_steal\",\n \"all\",\n \"all private\",\n \"apc\",\n \"blue\",\n \"c\",\n \"cable-docsis\",\n \"cascade\",\n \"cc\",\n \"comcomcom\",\n \"community\",\n \"core\",\n \"default\",\n \"diag\",\n \"freekevin\",\n \"fubar\",\n \"guest\",\n \"hp_admin\",\n \"ilmi\",\n \"internal\",\n \"localhost\",\n \"manager\",\n \"manuf\",\n \"monitor\",\n \"openview\",\n \"password\",\n \"proxy\",\n \"regional\",\n \"riverhead\",\n \"rmon\",\n \"rmon_admin\",\n \"secret\",\n \"security\",\n \"snmp\",\n \"snmpd\",\n \"system\",\n \"test\",\n \"tivoli\",\n \"write\",\n \"xyzzy\",\n \"yellow\"\n);\nif (thorough_tests) default = make_list(default, extra);\n\n\ncomm_list = \"\";\ncomm_number = 0;\nforeach community (default)\n{\n soc[community] = open_sock_udp(port);\n if (!soc[community]) continue;\n}\n\n\nfor ( i = 0 ; i < 2 ; i ++ )\n{\n foreach community ( default )\n {\n foreach ver ( vers )\n {\n set_snmp_version( version:ver );\n\n if ( isnull(soc[community]) ) continue;\n rep = snmp_request_next(socket:soc[community], timeout:1 + i, community:community, oid:\"1.3\");\n if (!isnull(rep))\n {\n if (\n # Sun ...\n (rep[1] != \"/var/snmp/snmpdx.st\") && (rep[1] != \"/etc/snmp/conf\") &&\n # HP MSL 8048\n \"1.3.6.1.2.1.11.6.0\" != rep[0]\n )\n {\n set_kb_item(name:\"SNMP/default/community\", value:community);\n comm_list += strcat(' - ' + community + '\\n');\n comm_number++;\n }\n close(soc[community]);\n soc[community] = NULL;\n }\n }\n\n # once we've received a response, keep using the same SNMP version in all remaining requests\n if (!isnull(rep)) vers = make_list(ver);\n }\n}\n\nforeach community (keys(soc) 
)\n{\n if ( !isnull(soc[community]) ) close(soc[community]);\n}\n\n\n# We're done with actual sends, so set the SNMP_VERSION back, if needed.\nreset_snmp_version();\n\nif (comm_number > 0)\n{\n if (comm_number > 5)\n report = string (\n \"\\n\",\n \"The remote SNMP server replies to more than 5 default community\\n\",\n \"strings. This may be due to a badly configured server or an SNMP\\n\",\n \"server on a printer.\"\n );\n else\n {\n if (comm_number == 1) s = \"\";\n else s = \"s\";\n report = string (\n \"\\n\",\n \"The remote SNMP server replies to the following default community\\n\",\n \"string\", s, \" :\\n\",\n \"\\n\",\n comm_list\n );\n }\n\n\n if ( snmp_not_detected ) register_service( port:161, proto:\"snmp\", ipproto:\"udp\");\n\n\n if (comm_number != 1 || (comm_number == 1 && \"public\" >!< comm_list))\n security_hole(port:port, extra:report, protocol:\"udp\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-03-27T19:09:09", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-0792", "CVE-2002-0478", "CVE-2001-0514", "CVE-2017-7922", "CVE-2010-1574", "CVE-1999-0517", "CVE-2002-0109", "CVE-2016-1473", "CVE-2001-0380", "CVE-2004-0311", "CVE-2002-1229", "CVE-1999-0516", "CVE-2000-0147", "CVE-2014-4862", "CVE-2004-1474", "CVE-1999-0254", "CVE-2006-4950", "CVE-2010-2976", "CVE-2016-1452", "CVE-2011-0890", "CVE-1999-0186", "CVE-2001-1210", "CVE-1999-0472", "CVE-2004-1776", "CVE-2012-4964", "CVE-2016-5645", "CVE-2014-4863", "CVE-2004-1775"], "description": "Simple Network Management Protocol (SNMP) is a protocol\n which can be used by administrators to remotely manage a computer or network device. There\n are typically 2 modes of remote SNMP monitoring. 
These modes are roughly ", "modified": "2020-03-26T00:00:00", "published": "2014-03-12T00:00:00", "id": "OPENVAS:136141256231010264", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010264", "type": "openvas", "title": "Report default community names of the SNMP Agent", "sourceData": "# Copyright (C) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10264\");\n script_cve_id(\"CVE-1999-0472\", \"CVE-1999-0516\", \"CVE-1999-0517\", \"CVE-1999-0792\",\n \"CVE-2000-0147\", \"CVE-2001-0380\", \"CVE-2001-0514\", \"CVE-2001-1210\",\n \"CVE-2002-0109\", \"CVE-2002-0478\", \"CVE-2002-1229\", \"CVE-2004-1474\",\n \"CVE-2004-1775\", \"CVE-2004-1776\", \"CVE-2011-0890\", \"CVE-2012-4964\",\n \"CVE-2014-4862\", \"CVE-2014-4863\", \"CVE-2016-1452\", \"CVE-2016-5645\",\n \"CVE-2017-7922\");\n # nb: CVEs about default communities. 
Those are currently commented out as they would\n # increase the CVSS to 10.0:\n # \"CVE-1999-0186\", \"CVE-1999-0254\", \"CVE-2004-0311\", \"CVE-2006-4950\", \"CVE-2010-1574\", \"CVE-2010-2976\", \"CVE-2016-1473\"\n script_bugtraq_id(177, 973, 986, 2112, 2896, 3758, 3795, 3797, 4330, 5030, 5965,\n 7081, 7212, 7317, 9681, 11237, 20125, 41436, 46981, 91756,\n 92428, 99083);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"2020-03-26T08:48:45+0000\");\n script_name(\"Report default community names of the SNMP Agent\");\n script_tag(name:\"last_modification\", value:\"2020-03-26 08:48:45 +0000 (Thu, 26 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-03-12 10:10:24 +0100 (Wed, 12 Mar 2014)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"SNMP\");\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"snmp_detect.nasl\");\n script_require_udp_ports(\"Services/udp/snmp\", 161);\n script_mandatory_keys(\"SNMP/v12c/detected_community\");\n\n script_tag(name:\"impact\", value:\"If an attacker is able to guess a PUBLIC community string,\n they would be able to read SNMP data (depending on which MIBs are installed) from the remote\n device. This information might include system time, IP addresses, interfaces, processes\n running, etc.\n\n If an attacker is able to guess a PRIVATE community string (WRITE or 'writeall'\n access), they will have the ability to change information on the remote machine.\n This could be a huge security hole, enabling remote attackers to wreak complete\n havoc such as routing network traffic, initiating processes, etc. In essence,\n 'writeall' access will give the remote attacker full administrative rights over\n the remote machine.\n\n Note that this test only gathers information and does not attempt to write to\n the remote device. 
Thus it is not possible to determine automatically whether\n the reported community is public or private.\n\n Also note that information made available through a guessable community string\n might or might not contain sensitive data. Please review the information\n available through the reported community string to determine the impact of this\n disclosure.\");\n\n script_tag(name:\"solution\", value:\"Determine if the detected community string is a private\n community string. Determine whether a public community string exposes sensitive information.\n Disable the SNMP service if you don't use it or change the default community string.\");\n\n script_tag(name:\"summary\", value:\"Simple Network Management Protocol (SNMP) is a protocol\n which can be used by administrators to remotely manage a computer or network device. There\n are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE'\n (or PUBLIC and PRIVATE).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"snmp_func.inc\");\n\nport = snmp_get_port( default:161 );\n\ncos = make_list( get_kb_list( \"SNMP/\" + port + \"/v12c/detected_community\" ) );\nif( ! cos ) exit( 99 );\n\n# If snmp_default_communities.nasl is detecting more than four different communities there might be something wrong...\nif( get_kb_item( \"SNMP/\" + port + \"/v12c/all_communities\" ) ) exit( 0 );\n\nreport = 'SNMP Agent responded as expected when using the following community name:\\n\\n';\n\n# Sort to not report changes on delta reports if just the order is different\ncos = sort( cos );\n\nforeach co( cos ) {\n report += co + '\\n';\n vuln = TRUE;\n}\n\nif( vuln ) {\n security_message( port:port, data:report, proto:\"udp\" );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}