PCI DSS Compliance : Remote Access Software Has Been Detected

2011-09-15T00:00:00
ID PCI_REMOTE_SERVICES.NASL
Type nessus
Reporter Tenable
Modified 2018-05-10T00:00:00

Description

Due to increased risk to the cardholder data environment when remote access software is present, 1) justify the business need for this software to the ASV and confirm it is implemented securely, or 2) confirm it is disabled/removed. Consult your ASV if you have questions about this Special Note.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: only the metadata below is evaluated during
# the description pass; exit(0) keeps the detection logic from running.
if (description)
{
 script_id(56209);
 script_version("1.24");
 script_set_attribute(attribute:"plugin_modification_date", value:"2018/05/10");

 script_name(english:"PCI DSS Compliance : Remote Access Software Has Been Detected");
 script_summary(english:"Modify global variables for PCI DSS.");

 script_set_attribute(attribute:"synopsis", value:
"Remote access software has been detected.");
 # Wording mirrors the ASV "Special Note" requirement: the finding is
 # informational evidence for the assessor, not a vulnerability by itself.
 script_set_attribute(attribute:"description", value:
"Due to increased risk to the cardholder data environment when remote
 access software is present, 1) justify the business need for this 
software to the ASV and confirm it is implemented securely, or 2) 
confirm it is disabled/ removed. Consult your ASV if you have
questions about this Special Note.");
 script_set_attribute(attribute:"solution", value:"n/a");

 script_set_attribute(attribute:"plugin_publication_date", value:"2011/09/15");

 script_set_attribute(attribute:"plugin_type", value:"summary");
 script_set_attribute(attribute:"risk_factor", value:"Medium");

 script_end_attributes();

 # ACT_END: scheduled after the other plugins, so the Services/* and
 # Cache/* KB entries this plugin reads have been populated by then.
 script_category(ACT_END);

 script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"Policy Compliance");

 # Only launched when the scan policy set Settings/PCI_DSS.
 script_require_keys("Settings/PCI_DSS");

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

# Defensive re-check of the require_keys condition: bail out with the
# standard PCI audit message unless a PCI DSS scan was requested.
pci_dss_enabled = get_kb_item("Settings/PCI_DSS");
if (!pci_dss_enabled) audit(AUDIT_PCI);

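# Look up every detected install of web application 'app' on 'port' and
# return the URLs to report.
#
# @param port  Web server port (taken from the Services/www KB list).
# @param app   Application name as registered through install_func.inc,
#              e.g. 'phpMyAdmin'.
# @return list of URLs built with build_url2() from each install's 'path',
#         or NULL when either argument is missing, get_installs() does not
#         return IF_OK, or no install produced a URL. The last case is
#         folded into NULL so callers testing isnull() never emit a
#         "running at the following locations :" heading with nothing
#         under it.
function pci_webapp_chk(port, app)
{
  local_var install, chk_app, dir, urls;

  if (isnull(app) || isnull(port)) return NULL;

  chk_app = get_installs(app_name:app, port:port);
  if (chk_app[0] != IF_OK) return NULL;

  urls = make_list();
  foreach install (chk_app[1])
  {
    dir = install['path'];
    urls = make_list(urls, build_url2(qs:dir, port:port));
  }

  # Treat "found the app but built no URL" like "not found".
  if (max_index(urls) == 0) return NULL;
  return urls;
}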

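# Format one web-application finding as a report paragraph.
#
# @param desc  Description of the application, without the trailing
#              "is running on the remote host ..." clause, which this
#              function appends.
# @param urls  List of URLs as returned by pci_webapp_chk().
# @return text beginning with a blank line, the heading with 'location' or
#         'locations' chosen by the number of URLs, then one indented URL
#         per line and a closing newline.
function pci_webapp_report(desc, urls)
{
  local_var location, text, url;

  if (max_index(urls) == 1) location = 'location';
  else location = 'locations';

  text = '\n' + desc + ' is running on the remote host at the following ' + location + ' :\n';
  foreach url (urls)
  {
    text += '\n  ' + url;
  }
  text += '\n';

  return text;
}

# Accumulated report body; NULL until the first finding is appended.
str = NULL;

ports = get_kb_list("Services/www");

if (!isnull(ports))
{
  foreach port (make_list(ports))
  {
    # Cached copy of the root page for this port (Cache/<port>/URL_/), if
    # one was stored; every signature check below is skipped when absent.
    page = get_kb_item("Cache/" + port + "/URL_/");

    # Cisco: HTTP basic auth realm for the privileged (level 15) login
    if (page && 'WWW-Authenticate: Basic realm="level_15' >< page)
    {
      str += '\nA web-based Cisco management interface is running on the remote host on TCP port ' + port + '.\n';
    }

    # Citrix Access Gateway Administrative Web Interface
    urls = pci_webapp_chk(app:'citrix_access_gateway_admin', port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'Citrix Access Gateway Administrative Web Interface, a web-based management application for Citrix Access Gateway', urls:urls);

    # Cobbler Admin Interface
    urls = pci_webapp_chk(app:'cobbler_web_admin', port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'A web-based administration interface for Cobbler, a Linux distribution', urls:urls);

    # CodeMeter WebAdmin
    urls = pci_webapp_chk(app:'CodeMeter', port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'CodeMeter WebAdmin, a web-based management application for CodeMeter hardware and software', urls:urls);

    # HP Guardian Service Processor: web console page embedding the
    # TeemWorld terminal applet
    if (
      page &&
      '<TITLE>HP Web Console on' >< page &&
      '<APPLET CODE="pericom/TeemWorld/TeemWorld.class" ARCHIVE="TeemWorld.jar" ' >< page &&
      '<PARAM NAME=IPAddress' >< page
    )
    {
      str += '\nAn HP Guardian Service Processor interface is running on the remote host on TCP port ' + port + '.\n';
    }

    # HP iLO 3 / iLO 4 / older Integrated Lights-Out login pages
    if (
      page &&
      'Hewlett-Packard Development Company, L.P.' >< page &&
      (
        '<title>iLO 4</title>' >< page ||
        'id="titleHeading">iLO 4</h1>' >< page ||
        '<title>iLO 3</title>' >< page ||
        'id="titleHeading">Integrated Lights-Out 3</h1>' >< page ||
        '<TITLE>HP Integrated Lights-Out ' >< page
      )
    )
    {
      str += '\nAn HP Integrated Lights-Out (iLO) interface is running on the remote host on TCP port ' + port + '.\n';
    }

    # HP Web Jetadmin
    urls = pci_webapp_chk(app:'hp_web_jetadmin', port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'HP Web Jetadmin, a web-based management application for networked printers', urls:urls);

    # Unnamed management interface identified by its /cgi-bin/home.tcl
    # login form and configuration-lock prompt
    if (
      page &&
      '<form METHOD="POST" NAME="form" ACTION="/cgi-bin/home.tcl">' >< page &&
      '<b>Acquire Exclusive Configuration Lock</b>' >< page
    )
    {
      str += '\nA web-based management interface is running on the remote host on TCP port ' + port + '.\n';
    }

    # MongoDB Web Admin Interface
    urls = pci_webapp_chk(app:"mongodb_web", port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'MongoDB Web Admin Interface, a web-based MongoDB database management interface', urls:urls);

    # OpenAdmin Tool (Informix)
    urls = pci_webapp_chk(app:"openadmin_tool", port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'OpenAdmin Tool, a web-based tool for managing Informix database servers', urls:urls);

    # phpLDAPadmin
    urls = pci_webapp_chk(app:"phpLDAPadmin", port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'phpLDAPadmin, a web-based LDAP management client', urls:urls);

    # phpMoAdmin
    urls = pci_webapp_chk(app:"phpMoAdmin", port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'phpMoAdmin, a web-based MongoDB database management interface', urls:urls);

    # phpMyAdmin
    urls = pci_webapp_chk(app:"phpMyAdmin", port:port);
    if (!isnull(urls))
      str += pci_webapp_report(desc:'phpMyAdmin, a web-based MySQL database management interface', urls:urls);
  }
}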

# HP Onboard Administrator: its ports live under a dedicated KB key
# rather than Services/www, so it is reported separately from the loop above.
hp_oa_ports = get_kb_list('Host/HP/Onboard_Administrator/Port');
if (!empty_or_null(hp_oa_ports))
{
  foreach oa_port (hp_oa_ports)
  {
    str += '\nAn HP Onboard Administrator interface is running on the remote host on TCP port ' + oa_port + '.\n';
  }
}

# Service-name -> report-sentence table. Each key is the suffix of a
# 'Services/<key>' (TCP) or 'Services/udp/<key>' (UDP) KB entry; the value
# is the sentence subject for the report, with the parenthetical giving
# the remote-access category (remote administration, remote display,
# remote terminal or VPN). Entry order here does not fix report order:
# the report loop walks keys(services).
services = make_array(
  "ard",            "An Apple Remote Desktop server (remote administration)",
  "ca_rchost",      "A Unicenter Remote Control agent (remote administration)",
  "cifs",           "A CIFS server",
  "cisco-ssl-vpn-svr", "A Cisco ASA SSL VPN server (VPN)",
  "dameware",       "A DameWare server (remote administration)",
  "db2das",         "An IBM DB2 Administration Server",
  "db2das_connect", "An IBM DB2 Administration Server",
  "domino_console", "A Lotus Domino console",
  "ebsadmin",       "A McAfee E-Business Server (remote administration)",
  "egosecure_endpoint", "An EgoSecure EndPoint remote administration service",
  # NOTE(review): "OSremote" is missing a space; runtime string, left as-is.
  "hydra_saniq",    "An HP LeftHand OSremote administration",
  "ike",            "An IKE server (VPN)",
  "inoweb",         "A Computer Associates administration server",
  "juniper_nsm_gui_svr", "A Juniper NSM GUI Server (remote administration)",
  "l2tp",           "An L2TP server (VPN)",
  "lgserver_admin", "An ARCserve Backup server",
  "linuxconf",      "A LinuxConf server (remote administration)",
  "mikrotik_mac_telnet", "A MikroTik MAC Telnet Protocol (remote administration)",
  "msrdp",          "A Terminal Services server (remote display)",
  "netbus",         "A NetBus remote administration tool",
  "netbus2",        "A NetBus remote administration tool",
  "openvpn",        "An OpenVPN server (VPN)",
  "pcanywhereaccessserver", "A Symantec pcAnywhere Access server (remote administration)",
  "pcanywheredata", "A pcAnywhere server (remote administration)",
  "pptp",           "A PPTP server (VPN)",
  "radmin",         "An Radmin server (remote administration)",
  "remote_pc",      "A Remote PC Access server (remote administration)",
  "rlogin",         "An rlogin server (remote terminal)",
  "rsh",            "An rsh server (remote terminal)",
  "smb",            "An SMB server",
  "ssh",            "An SSH server (remote terminal)",
  "synergy",        "A Synergy server (remote administration)",
  "teamviewer",     "A TeamViewer server (remote administration)",
  "telnet",         "A Telnet server (remote terminal)",
  "tinc_vpn",       "A Tinc VPN server (VPN)",
  "tor",            "A Tor relay (VPN)",
  "ultravnc-dsm",   "An UltraVNC server (remote display)",
  "veritas-ucl",    "A Symantec Veritas Enterprise Administrator Service",
  "vnc",            "A VNC server (remote display)",
  "vncviewer",      "A VNC Viewer listener (remote display)",
  # Keys containing '/' address nested KB entries, e.g. Services/www/webmin.
  "www/hp_smh",     "An HP System Management Homepage server (remote administration)",
  "www/logmein",    "A LogMeIn server (remote administration)",
  "www/webmin",     "A webmin server (remote administration)",
  "x11",            "An X11 server (remote display)"
);

# KB prefix per IP protocol; concatenated with the service key.
kb_prefix = make_array("TCP", "Services/", "UDP", "Services/udp/");

# One sentence per (service, protocol) pair listing every detected port.
foreach service (keys(services))
{
  desc = services[service];

  # Collect the ports under protos[service][<proto>]; protocols with no
  # KB entry are simply not added.
  protos = make_array();
  foreach ipproto (make_list("TCP", "UDP"))
  {
    ports = get_kb_list(kb_prefix[ipproto] + service);
    if (empty_or_null(ports)) continue;
    protos[service][ipproto] = make_list(ports);
  }

  if (empty_or_null(protos)) continue;

  foreach proto (keys(protos[service]))
  {
    ports = protos[service][proto];
    count = max_index(ports);

    # Natural-language join: "22", "22 and 23", "22, 23, and 24".
    plural = 's';
    sep = '';
    if (count == 1) plural = NULL;
    else if (count == 2) sep = ' and ';
    else if (count > 2)
    {
      ports[count-1] = 'and ' + ports[count-1];
      sep = ', ';
    }

    # E.g. An SSH server (remote terminal) is running on the remote host on TCP port 22.
    str += '\n' + desc + ' is running on the remote host on ' + proto + ' port' + plural + ' ' + join(ports, sep:sep) + '.\n';
  }
}

# Stay silent when nothing was detected; otherwise emit a single finding
# on port 0 whose 'extra' text carries the whole report.
if (strlen(str)) security_warning(port:0, extra:str);