336975 matches found
MikroTik RouterOS < 6.39.3 / 6.40.4 / 6.41rc (KRACK)
According to its self-reported version, the remote networking device is running a version of MikroTik 6.9.X prior to 6.39.3, 6.40.x prior to 6.40.4, or 6.41rc. It is, therefore, vulnerable to multiple vulnerabilities discovered in the WPA2 handshake protocol.
OpenSSH < 8.0
According to its banner, the version of OpenSSH running on the remote host is prior to 8.0. It is, therefore, affected by the following vulnerabilities: - A permission bypass vulnerability due to improper directory name validation. An unauthenticated, remote attacker can exploit this, with a...
UPnP WFA Device Detection
According to its UPnP data, the remote device implements a UPnP WFA Device profile. This interface allows a user to configure WiFi settings over UPnP. The specification requires a WPS-like authentication scheme.
JForum jforum.page start Parameter XSS
The version of JForum installed on the remote host fails to properly sanitize user-supplied input to the 'start' parameter of the 'jforum.page' script. An attacker may be able to leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security contex...
Microsoft Outlook Web Access (OWA) Version Detection
Microsoft Exchange Server with Outlook Web Access (OWA) embeds the Exchange version number inside the default HTML web page. By requesting the default HTML page, Nessus was able to extract the Microsoft Exchange server version.
Apache 2.2.x < 2.2.15 Multiple Vulnerabilities
According to its banner, the version of Apache 2.2.x running on the remote host is prior to 2.2.15. It is, therefore, potentially affected by multiple vulnerabilities : - A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555) - The 'mod_proxy_ajp' module returns the wrong status cod...
PHP 5.3.x < 5.3.29 Multiple Vulnerabilities
According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.29. It is, therefore, affected by the following vulnerabilities : - A heap-based buffer overflow error exists in the file 'ext/date/lib/parse_iso_intervals.c' related to handling DateInterval objects that...
SSL Certificate Cannot Be Trusted
The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below : - First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can...
ICMP Timestamp Request Remote Date Disclosure
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 /...
AMQP Cleartext Authentication
The remote Advanced Message Queuing Protocol (AMQP) service supports one or more authentication mechanisms that allow credentials to be sent in the clear.
Apache 2.4.x < 2.4.54 Multiple Vulnerabilities
According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.54. It is, therefore, affected by multiple vulnerabilities: - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker...
Unsupported Web Server Detection
According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may contain security vulnerabilities.
VNC Server Security Type Detection
This script checks the remote VNC server protocol version and the available 'security types'.
SSH Weak Key Exchange Algorithms Enabled
The remote SSH server is configured to allow key exchange algorithms which are considered weak. This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) RFC9142. Section 4 lists guidance on key exchange algorithms that SHOULD NOT and MUST N...
Apache Server ETag Header Information Disclosure
The remote web server is affected by an information disclosure vulnerability due to the ETag header providing sensitive information that could aid an attacker, such as the inode number of requested files.
IP Forwarding Enabled
The remote host has IP forwarding enabled. An attacker can exploit this to route packets through the host and potentially bypass some firewalls / routers / NAC filtering. Unless the remote host is a router, it is recommended that you disable IP forwarding.
Apache 2.4.x < 2.4.56 Multiple Vulnerabilities
According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.56. It is, therefore, affected by multiple vulnerabilities: - Some mod_proxy configurations allow a HTTP Request Smuggling attack. (CVE-2023-25690) - HTTP Response Smuggling vulnerability via mod_proxy_uwsg...
SMB Signing not required
Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
Hikvision IP Camera Remote Authentication Bypass
The remote Hikvision IP camera is affected by an authentication bypass vulnerability. A remote, unauthenticated attacker can read configurations including account passwords, access the camera images, or modify the camera firmware.
MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock) (uncredentialed check)
The remote Windows host is affected by an elevation of privilege vulnerability in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker able ...
SSL Medium Strength Cipher Suites Supported (SWEET32)
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent...
Microsoft SQL Server Unsupported Version Detection (remote check)
According to its self-reported version number, the installation of Microsoft SQL Server on the remote host is no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities...
SSL 64-bit Block Size Cipher Suites Supported (SWEET32)
The remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites. It is, therefore, affected by a vulnerability, known as SWEET32, due to the use of weak 64-bit block ciphers. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerabilit...
MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities : - Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker...
Insecure Windows Service Permissions
At least one Windows service executable with insecure permissions was detected on the remote host. Services configured to use an executable with weak permissions are vulnerable to privilege escalation attacks. An unprivileged user could modify or overwrite the executable with arbitrary code, whic...
Apache Tomcat / JBoss EJBInvokerServlet / JMXInvokerServlet Multiple Vulnerabilities
The 'EJBInvokerServlet' and 'JMXInvokerServlet' servlets hosted on the web server on the remote host are accessible to unauthenticated users. The remote host is, therefore, affected by the following vulnerabilities : - A security bypass vulnerability exists due to improper restriction of access t...
PHP 5.4.x < 5.4.45 Multiple Vulnerabilities
According to its banner, the version of PHP running on the remote web server is 5.4.x prior to 5.4.45. It is, therefore, affected by the following vulnerabilities : - A directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c could allow a remote attacker to...
Apache 2.4.x < 2.4.46 Multiple Vulnerabilities
The version of Apache httpd installed on the remote host is prior to 2.4.46. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.46 advisory. - Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE (CVE-2020-11984) - Apache HTTP Server versio...
Default Password (alpine) for 'root' Account
The account 'root' on the remote host has the password 'alpine'. An attacker may leverage this issue to gain full access to the affected system. Note that iPhones are known to use these credentials by default and allow access via SSH when jailbroken.
SNMP Agent Default Community Name (public)
It is possible to obtain the default community name of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system if the default community allows such modifications.
Redis Server Unprotected by Password Authentication
The Redis server running on the remote host is not protected by password authentication. A remote attacker can exploit this to gain unauthorized access to the server.
nginx 0.6.x < 1.20.1 1-Byte Memory Overwrite RCE
According to its Server response header, the installed version of nginx is 0.6.18 prior to 1.20.1. It is, therefore, affected by a remote code execution vulnerability. A security issue in nginx resolver was identified, which might allow an unauthenticated remote attacker to cause 1-byte memory...
Apache Tomcat 7.0.0 < 7.0.94 multiple vulnerabilities
The version of Tomcat installed on the remote host is prior to 7.0.94. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_7.0.94_security-7 advisory. - When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1...
Default Password (nas4free) for 'root' Account
The account 'root' on the remote host has the password 'nas4free'. An attacker may leverage this issue to gain administrative access to the affected system.
SunSSH < 1.1.1 / 1.3 CBC Plaintext Disclosure
The version of SunSSH running on the remote host has an information disclosure vulnerability. A design flaw in the SSH specification could allow a man-in-the-middle attacker to recover up to 32 bits of plaintext from an SSH-protected connection in the standard configuration. An attacker could...
lighttpd < 1.4.35 Multiple Vulnerabilities
According to its banner, the version of lighttpd running on the remote host is prior to 1.4.35. It is, therefore, affected by the following vulnerabilities : - A SQL injection flaw exists in the 'mod_mysql_vhost' module where user input passed using the hostname is not properly sanitized. A remote...
HTTP Reverse Proxy Detection (Deprecated)
This web server is reachable through a reverse HTTP proxy. Note: This plugin has been deprecated.
Web Server Directory Traversal Arbitrary File Access
It appears possible to read arbitrary files on the remote host outside the web server's document directory using a specially crafted URL. An unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks. Note that this plugin is not limit...
SSH Protocol Version 1 Session Key Retrieval
The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used.
Microsoft Windows SMBv1 Multiple Vulnerabilities
The remote Windows host has Microsoft Server Message Block 1.0 (SMBv1) enabled. It is, therefore, affected by multiple vulnerabilities : - Multiple information disclosure vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of SMBv1 packets. An unauthenticated,...
Default Password (password) for 'admin' Account on Broadcom BCM96338 ADSL Router
The remote host is a Broadcom BCM96338 ADSL router, and its 'admin' account uses the password 'password'. An attacker may leverage this issue to gain administrative access to the affected system.
SSL/TLS EXPORT_RSA <= 512-bit Cipher Suites Supported (FREAK)
The remote host supports EXPORT_RSA cipher suites with keys less than or equal to 512 bits. An attacker can factor a 512-bit RSA modulus in a short amount of time. A man-in-the-middle attacker may be able to downgrade the session to use EXPORT_RSA cipher suites (e.g. CVE-2015-0204). Thus, it is...
MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock)
The remote Windows host is affected by an elevation of privilege vulnerability in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker able ...
Web Server info.php / phpinfo.php Detection
Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web...
PHP 5.4.x < 5.4.16 Multiple Vulnerabilities
According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.16. It is, therefore, potentially affected by the following vulnerabilities: - An error exists in the mimetype detection of 'mp3' files that could lead to a denial of service. (Bug 64830) - An error exist...
SMB NULL Session Authentication
The remote host is running an SMB protocol. It is possible to log into the browser or spoolss pipes using a NULL session (i.e., with no login or password). Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the...
MS KB2269637: Insecure Library Loading Could Allow Remote Code Execution
The remote host is missing Microsoft KB2264107 or an associated registry change, which provides a mechanism for mitigating binary planting or DLL preloading attacks. Insecurely implemented applications look in their current working directory when resolving DLL dependencies. If a malicious DLL wit...
GNU Bash Environment Variable Handling Code Injection (Shellshock)
The remote web server is affected by a command injection vulnerability in GNU Bash known as Shellshock. The vulnerability is due to the processing of trailing strings after function definitions in the values of environment variables. This allows a remote attacker to execute arbitrary code via...
Microsoft SQL Server Unsupported Version Detection
According to its self-reported version number, the installation of Microsoft SQL Server on the remote host is no longer supported. Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities...
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time depending on modulus size and attacker resources. This may allow an attacker to...