Shadowserver

Accessible Cisco Smart Install

Description

Cisco Smart Install is a legacy feature in some Cisco switches which allows zero-touch deployment. Cisco explicitly states that the service must not be exposed to untrusted networks as there is no authentication whatsoever. It listens on port 4786/TCP by default.

Risks

  • Criminals can completely take over your Cisco switch by abusing Cisco Smart Install, including executing arbitrary commands and even replacing the operating system.

Mitigation

  • Deactivate Cisco Smart Install after successful installation if possible.
  • Restrict access to internal networks.
  • If remote access is absolutely necessary, use a VPN.

Cisco's PSIRT (Product Security Incident Response Team) published an advisory[0] and a blog post[1] describing best practices for Cisco Smart Install.

[0]: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
[1]: https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature
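As an added example (not Cisco's, Shadowserver's or CERT.at's code), the following shell functions check saved running-config backups for the "no vstack" line that disables the Smart Install client, i.e. the first mitigation above. Assumptions: Smart Install is enabled unless "no vstack" is present, and the backups are plain "show running-config" text with one file per switch; the file names and sample configs are constructed.

```shell
#!/bin/sh
# Added example, not Cisco's, Shadowserver's or CERT.at's code.
# Classifies a saved "show running-config" text by whether the Smart
# Install client has been disabled with "no vstack".
# Assumption: on affected switches Smart Install is enabled unless the
# configuration contains "no vstack", so a config without any vstack
# line is reported as exposed by default.

smart_install_status() {
    # $1: file holding the running-config text
    # prints: disabled | enabled-explicit | enabled-default
    if grep -Eq '^[[:space:]]*no[[:space:]]+vstack[[:space:]]*$' "$1"; then
        echo disabled
    elif grep -Eq '^[[:space:]]*vstack' "$1"; then
        echo enabled-explicit     # e.g. "vstack director <ip>" on a client
    else
        echo enabled-default
    fi
}

# Walk a directory of per-device config backups and list the ones that
# still expose Smart Install; returns 1 if any were found so the check
# can gate a pipeline.
audit_config_dir() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(smart_install_status "$f")
        if [ "$status" != disabled ]; then
            printf '%s: %s\n' "$f" "$status"
            found=1
        fi
    done
    return $found
}
```

On the switch itself `show vstack config` shows the live state; the script is meant for checking a configuration repository in bulk, e.g. `audit_config_dir /srv/backups/switches` (constructed path).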

Accessible RDP

Description

RDP (Remote Desktop Protocol) is a proprietary protocol by Microsoft which by default listens on 3389/UDP and 3389/TCP and lets users log into computers remotely. It is often used for remote administration.

RDP servers should not be accessible from the public Internet.

Risks

  • If an RDP server is reachable from the public Internet, attackers can try to gain access using brute-force attacks[0]. If successful, they can do anything the compromised account is allowed to do, steal sensitive data or gather information about internal networks.
  • Misconfigured servers are susceptible to Monster-In-The-Middle (MITM) attacks.[1]

Mitigation

  • If possible, restrict access to RDP servers to internal networks.
  • If remote access is necessary, use a VPN, lock accounts after multiple failed login attempts,[2] enforce strong passwords, and use multi-factor authentication wherever possible[3].

[0]: https://en.wikipedia.org/wiki/Brute-force_attack
[1]: https://www.exploit-db.com/docs/english/41621-attacking-rdp---how-to-eavesdrop-on-poorly-secured-rdp-connections.pdf (PDF)
[2]: https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/
[3]: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg

Accessible SMB

Description

SMB (Server Message Block) is a protocol to give users access to shared files. Servers listen on port 445/TCP by default. They should not be reachable from the public Internet.

Risks

  • Multiple vulnerabilities in SMB have surfaced over the years, some with severe consequences.[0] Servers which can be reached from the public Internet make easy targets.
  • Criminals may try to get access to your server using brute-force attacks[1] and steal sensitive data if successful.
  • Depending on the configuration, other attacks may be possible.

Mitigation

  • Restrict access to internal networks, if possible.
  • If remote access is necessary, use a VPN, enforce strong passwords and follow best practices[2].

[0]: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
[1]: https://en.wikipedia.org/wiki/Brute-force_attack
[2]: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

Accessible Telnet

Description

Telnet is a legacy protocol listening by default on port 23/TCP. It was, and sometimes still is, used for remote administration, mainly of network equipment. As it offers no encryption it should only be used if no alternatives exist and must never be reachable from the public Internet.

Risks

  • Telnet transmits all data, including account names and passwords, in plaintext. Therefore, anyone who can sniff network traffic is able to get this information and (mis)use it in any way they like. As telnet is mainly used for administrative purposes such breaches have devastating consequences.
  • If telnet is inadvertently accessible from the public Internet, chances are that the (often generally known) default credentials are still in place. This gives attackers easy access to such devices.
  • Publicly accessible telnet services can fall victim to brute-force attacks[0].

Mitigation

  • If possible disable telnet altogether and switch to modern, encrypted protocols like SSH.
  • Restrict access to the service to internal networks.
  • If remote access is absolutely necessary, use a VPN through which only authorized personnel can access the devices.

[0]: https://en.wikipedia.org/wiki/Brute-force_attack

NTP Version

Description

NTP, the Network Time Protocol, enables computers to synchronize their clocks over the network. Servers listen on ports 123/UDP or 123/TCP by default. Whether a server should be reachable from the public Internet is a decision for its owner.

Risks

  • Depending on the configuration, criminals can abuse NTP servers in up to two ways for UDP amplification DDoS attacks[0]: with a mode 6 READVAR query[1] or a mode 7 MON_GETLIST_1 query[2].

Mitigation

  • Restrict access to internal networks or VPNs if possible.
  • If access from the public Internet is desired, make sure to use a safe configuration.[3][4]

[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[1]: https://ntpscan.shadowserver.org/
[2]: https://ntpmonitorscan.shadowserver.org/
[3]: https://www.team-cymru.com/secure-ntp-template.html
[4]: http://support.ntp.org/bin/view/Support/AccessRestrictions
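To make the "safe configuration" item concrete, here is an added shell check (not ntp.org's, Shadowserver's or CERT.at's code) for the two ntp.conf settings from the Team Cymru template[3] that close both query types named under Risks. It assumes ntpd-style ntp.conf syntax; the sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not ntp.org's, Shadowserver's or CERT.at's code.
# Audits an ntp.conf for the two settings that close the amplification
# vectors named above. Prints one finding per line; prints nothing when
# both are present.
#
# Looked for (following the Team Cymru template linked above):
#   restrict default kod nomodify notrap nopeer noquery
#       "noquery" refuses mode 6 (ntpq, READVAR) and mode 7 (ntpdc)
#       queries from hosts matched by the default rule while still
#       serving time to them.
#   disable monitor
#       turns off the monlist recorder that MON_GETLIST_1 reads on
#       older ntpd versions.

ntp_conf_check() {
    # $1: path to ntp.conf
    body=$(sed 's/#.*//' "$1")   # drop comments so a commented-out line does not count
    if ! printf '%s\n' "$body" | grep -Eq \
        '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default([[:space:]]+[^[:space:]]+)*[[:space:]]+noquery([[:space:]]|$)'; then
        echo "restrict default lacks noquery: mode 6/7 queries are answered for anyone"
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*disable[[:space:]]+monitor([[:space:]]|$)'; then
        echo "monitor not disabled: MON_GETLIST_1 may be answered on older ntpd"
    fi
    return 0
}
```

A clean result means the server still answers time requests from the Internet but no longer answers the control queries that are used for amplification; if you want to go further, the `restrict` line can be kept for `-6 default` as well on older ntpd builds that treat IPv4 and IPv6 defaults separately.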

Open CHARGEN

Description

CHARGEN (Character Generation Protocol)[0] is a legacy protocol which was intended for testing and debugging purposes. By default it listens on port 19/UDP or 19/TCP. There has never been a good reason to make CHARGEN servers accessible from the public Internet and this still holds today. If there is an open CHARGEN service running this is usually not intended and results from poor default configurations that have never been changed. In many cases old network printers are the culprits here, so have a look at them if you have been informed that there is an open CHARGEN in your network.

Risks

  • CHARGEN can be misused for UDP amplification attacks[1][2] with an amplification factor of almost 360.

Mitigation

  • Turn off the CHARGEN service, or at least restrict access to the local network if you really need it or are not able to turn it off.

[0]: https://en.wikipedia.org/wiki/Character_Generator_Protocol
[1]: https://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service#Amplification
[2]: https://www.us-cert.gov/ncas/alerts/TA14-017A

Open CWMP

Description

The CPE WAN Management Protocol (CWMP) enables ISPs to configure and administer customers' home routers, a.k.a. CPE (Customer Premises Equipment), remotely using so-called ACSs (Auto Configuration Servers). While certainly useful, ISPs need to ensure that CPEs listening on port 7547 for this purpose are not accessible from the public Internet.

Risks

  • Some ACS implementations have, or have had, RCE (Remote Code Execution) vulnerabilities[0] which could enable criminals to take over the servers and push malware to CPEs.
  • Some CPE implementations are susceptible to DDoS attacks.[1]

Mitigation

  • Block access to ACSs and CPEs from outside of your network.

[0]: https://2016.hack.lu/archive/2014/I-hunt-TR-069-admins-shahar-tal-hacklu.pdf (PDF)
[1]: https://threatpost.com/hacker-admits-to-mirai-attack-against-deutsche-telekom/127001/

Open DNS Resolver

Description

The DNS (Domain Name System) is one of the integral parts of the modern Internet. It usually listens on port 53/UDP or 53/TCP. An open DNS resolver is a DNS server which answers to recursive DNS queries from any client from the public Internet.

Risks

  • Criminals can send requests with spoofed IP addresses to port 53/UDP of open DNS resolvers to trigger large answers to a victim. Often requests of type ANY[0] are used, but see [1]. This mechanism can be used to launch DDoS attacks.[2]

Mitigation

  • Make sure your DNS resolver handles only queries from certain (i.e. your own) clients.
  • Use source-IP verification to make address spoofing impossible or at least much harder.
  • Use Response Rate Limiting, i.e. limit the number of queries a client is allowed to make per second.
  • Disable recursive queries on authoritative name servers altogether.

A description of how to implement these mitigations has been published by US-CERT.[0]

[0]: https://www.us-cert.gov/ncas/alerts/TA13-088A
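As an added example (not ISC's, Shadowserver's or CERT.at's code), this shell function audits a BIND named.conf options block for the first, third and fourth mitigations above: recursion limited to your own clients, response rate limiting enabled, and recursion switched off on authoritative-only servers. It assumes BIND 9 syntax with one statement per line; the sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not ISC's, Shadowserver's or CERT.at's code.
# Audits a BIND named.conf (or named.conf.options) for open-resolver
# settings. Assumes one statement per line, e.g.
#   recursion no;                              authoritative-only: nothing else to check
#   allow-recursion { 192.0.2.0/24; localhost; };  recursion only for your own clients
#   rate-limit { responses-per-second 5; };    response rate limiting (RRL)

bind_resolver_check() {
    # $1: path to the config file; prints one finding per line, nothing if clean
    body=$(sed -e 's://.*::' -e 's/#.*//' "$1")   # strip // and # comments
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;'; then
        return 0    # recursion disabled: cannot act as an open resolver
    fi
    # BIND recurses for everyone unless allow-recursion narrows it down
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{'; then
        echo "recursion open to every client: no allow-recursion statement"
    elif printf '%s\n' "$body" | grep -Eq 'allow-recursion[[:space:]]*\{[^}]*[{[:space:];]any[[:space:];]'; then
        echo "allow-recursion permits any: still an open resolver"
    fi
    if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*rate-limit[[:space:]]*\{'; then
        echo "no rate-limit block: response rate limiting is off"
    fi
    return 0
}
```

The check deliberately treats a missing `recursion` statement as "recursion on", since that is BIND's default; the source-IP verification item is a network-level control (ingress filtering) and cannot be read from the name server's configuration.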

Open Elasticsearch

Description

Elasticsearch is a search engine which companies can set up to make their information searchable. It listens on port 9200/TCP by default. If the installation is not meant to provide a search engine to the public, access from the open Internet should not be possible.

Risks

  • If the Elasticsearch installation contains sensitive data and is accessible from the public Internet unauthorized persons may read and search the data.

Mitigation

  • Restrict access to internal networks.
  • If remote access is necessary, use a VPN.
  • Configure your Elasticsearch instance(s) securely. All possible security settings can be found on Elastic's website.[0]

[0]: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html

Open IPMI

Description

IPMI (Intelligent Platform Management Interface) enables remote administration of computers without relying on the computer's CPU, OS, or firmware. As compromising IPMI can have severe consequences it should never be accessible from the public Internet. By default it listens on port 623/UDP. Well-known implementations of IPMI include HPE's iLO and Dell's (i)DRAC.

Risks

  • Criminals may use brute-force attacks[0] against IPMI to take full control of the computer.
  • Default usernames and passwords for some of the IPMI implementations are publicly known which can result in a takeover if these credentials have not been changed.

Mitigation

  • Restrict access to IPMI to your internal networks.
  • If remote access from outside of your networks is necessary, use a VPN through which authorized employees can connect to IPMI.

[0]: https://en.wikipedia.org/wiki/Brute-force_attack

Open LDAP

Description

Active Directory/LDAP servers listen on 389/UDP or 389/TCP and should never be reachable from the public Internet. Search engines like shodan.io make it trivial to find such services, so trying to keep a URL secret offers no protection.

Risks

  • Attackers can try to take over accounts using brute-force[0] or credential stuffing attacks[1]. If successful they are able to read and change data as well as create new files according to the stolen account's permissions.
  • If 389/UDP is used the servers can additionally be abused for DDoS amplification attacks[2].

Mitigation

  • Restrict access to the server(s) to internal networks.
  • If remote access is necessary, set up a VPN which authorized people can use to access the server(s).

[0]: https://en.wikipedia.org/wiki/Brute-force_attack
[1]: https://en.wikipedia.org/wiki/Credential_stuffing
[2]: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification

Open mDNS

Description

mDNS (Multicast DNS) is a zero-configuration protocol for name resolution to be used in small networks. Devices with mDNS send queries to a multicast IP address which other mDNS devices receive and answer, sending their data to the same multicast IP address. By default mDNS listens on port 5353/UDP. It should never be accessible from the public Internet.

Risks

  • mDNS devices which can be reached from the public Internet will disclose possibly sensitive information like IPv4 address, IPv6 address, host name, and MAC address to anyone who asks.

Mitigation

  • Restrict access to internal networks. If you find you need to route mDNS over the public Internet you are using the wrong tool; switch to "real" DNS instead.

Open memcached

Description

Memcached is a distributed cache server which is usually deployed to minimize the response time of websites, e.g. by caching database query results and thereby making repeated queries to the backend unnecessary. By default memcached listens on ports 11211/TCP and 11211/UDP. According to the developers it should never be exposed to the public Internet.[0]

Risks

  • Criminals can abuse memcached servers which can be reached from the public Internet to launch UDP amplification DDoS attacks[1].

Mitigation

  • Restrict access to internal networks.
  • If remote access is necessary use a VPN.
  • Deactivate UDP on the memcached server.

[0]: https://github.com/memcached/memcached/wiki/ConfiguringServer#networking
[1]: https://www.us-cert.gov/ncas/alerts/TA14-017A

Open MongoDB

Description

MongoDB is a NoSQL database listening on 27017/TCP by default. In most cases it is not necessary to have it accessible from the public Internet.

Risks

  • If the database can be reached from the public Internet and authentication is not enabled criminals can easily access all data in the database.
  • If authentication is enabled criminals can still try to get access using brute-force attacks[0] or credential stuffing[1].

Mitigation

  • Restrict access to the database server to internal networks.
  • If remote access is necessary use a VPN or at least enable authentication[2] and make sure strong passwords are used.

[0]: https://en.wikipedia.org/wiki/Brute-force_attack
[1]: https://en.wikipedia.org/wiki/Credential_stuffing
[2]: https://docs.mongodb.com/manual/tutorial/enable-authentication/

Open MSSQL

Description

Microsoft SQL Server is Microsoft's SQL server software which by default listens on ports 1433/TCP and 1433/UDP. This service should not be exposed to the public Internet.

Risks

  • Criminals may try to get access to the data in the database to steal information. At the very least they will be able to gather information about the running MS-SQL server.
  • Criminals may abuse the server for UDP amplification DDoS attacks[0].[1]

Mitigation

  • Restrict access to internal networks.
  • If remote access is necessary, use a VPN.

[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[1]: https://mssqlscan.shadowserver.org/

Open NAT-PMP

Description

NAT-PMP (Network Address Translation - Port Mapping Protocol) enables NAT and port forwarding without user interaction. This should be possible only on the internal interface of the device which offers these services. By default it listens on port 5351/UDP and should not be accessible from the public Internet.

Risks

  • If the NAT-PMP service is accessible on the external interface and this interface can be reached from the public Internet, any attacker from the Internet can obtain information about the device, manipulate port mapping, read public and private communications, access private client services and block the host services of the device.

Mitigation

  • Disable NAT-PMP if possible.
  • Restrict access to internal networks.
  • If you are using miniupnp: its configuration may well be the origin of the problem. Thus, ensure that you have version 1.8.20141022 or later installed.
  • Make sure NAT-PMP is securely configured:
    1. WAN and LAN interfaces are correctly assigned.
    2. NAT-PMP requests are accepted only on internal interfaces.
    3. Port mappings are only opened for the requesting internal IP address.

For more information have a look at the original blog post by Rapid7[0]. The information about the risks and the mitigation has been taken from the cert.org advisory[1].

[0]: https://blog.rapid7.com/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities/
[1]: https://www.kb.cert.org/vuls/id/184540/

Open NetBIOS

Description

NetBIOS is a protocol which enables computers to communicate in the local network. One of its services is name resolution, which listens on port 137/UDP by default. This should never be accessible from the public Internet.

Risks

  • Depending on the configuration, answers to name queries may include the server's MAC address, its name as well as the name of the user who is running the service, leading to possible information leakage.

Mitigation

  • Disable NetBIOS if you don't absolutely need it.
  • Restrict access to NetBIOS to internal networks.

Open Portmapper

Description

Portmapper enables remote procedure calls and by default listens on ports 111/TCP and 111/UDP. This service should not be exposed to the public Internet.

Risks

  • Criminals may abuse an open instance for UDP amplification attacks[0][1].
  • Depending on the configuration and other running services, criminals can obtain a lot of information regarding the server and the network.

Mitigation

  • Restrict access to internal networks.
  • If remote access is necessary, use a VPN.

[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[1]: https://www.netformation.com/our-pov/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/

Open QOTD

Description

Quote Of The Day (QOTD) is a service which returns a quote of the day in response to queries. It listens on ports 17/TCP and 17/UDP by default.

Risks

  • If QOTD listens on 17/UDP it can be abused for UDP amplification attacks[0].

Mitigation

  • If possible, turn off the service on 17/UDP.
  • Restrict access to internal networks.
  • If remote access is necessary, use a VPN.

[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A

Open Redis

Description

Redis is a NoSQL in-memory database which listens on port 6379/TCP by default. It should not be accessible from the public Internet as its security model explicitly assumes that it can only be queried by trusted clients.[0]

Risks

  • If Redis is accessible from the public Internet, unauthorized persons can read the contents of the database and, depending on the configuration, even manipulate them.

Mitigation

  • Restrict access to internal networks.
  • If remote access is necessary, use a VPN.

[0]: https://redis.io/topics/security

Open SNMP

Description

SNMP (Simple Network Management Protocol) makes it possible to monitor and configure devices on a network remotely. SNMP agents of managed devices listen on port 161/UDP by default. SNMP agents should not be accessible from the public Internet.

Risks

  • SNMP agents accessible from the public Internet may leak information about the hosts they are running on and even the entire network if not configured properly.
  • SNMPv2c agents accessible from the public Internet can be abused for UDP-based amplification attacks[0].

Mitigation

  • Make sure SNMP is configured according to current best practices. A possible guideline can be found here[1].
  • Restrict access to internal networks.
  • If remote access is necessary use a VPN.

[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[1]: https://blog.rapid7.com/2016/01/27/simple-network-management-protocol-snmp-best-practices/

Open SSDP

Description

SSDP (Simple Service Discovery Protocol) enables devices in small networks to discover addresses and services without using dedicated servers (e.g. DHCP, DNS). The service listens on port 1900/UDP by default and should never be accessible from the public Internet.

Risks

  • SSDP services which are accessible from the public Internet can be abused by criminals to launch UDP-based amplification attacks[0].

Mitigation

  • Turn off SSDP. Today it is mostly used in conjunction with UPnP, which also shouldn't be reachable from the public Internet.
  • If you definitely need SSDP on your network, make sure access is restricted to internal networks.

[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A

Open TFTP

Description

TFTP, the Trivial File Transfer Protocol, is a very simple protocol for downloading and uploading files. The server listens on port 69/UDP by default. As TFTP offers no security mechanisms whatsoever it should not be accessible from the public Internet.

Risks

  • Criminals are able to download and upload arbitrary files from/to the server if it is accessible from the public Internet.

Mitigation

  • Restrict access to internal networks.
  • If remote access is necessary, use a VPN.

Open XDMCP

Description

XDMCP (X Display Manager Control Protocol) is a protocol that is used to connect remote X displays to an X server over the network. It listens on port 177/UDP by default. This service should not be accessible from the public Internet.

Risks

  • Authentication in XDMCP is unencrypted, i.e. everyone who can read network traffic will see user names and passwords in plaintext.
  • If the server is reachable from the public Internet XDMCP can be used to gain information about the host.
  • XDMCP servers accessible from the public Internet can be abused for UDP-based amplification attacks[0].

Mitigation

  • Use an encrypted SSH tunnel for remote X displays instead of XDMCP.
  • Restrict access to internal networks.
  • If remote access is necessary, use a VPN.

[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
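Nearly every feed above shares the same first mitigation: the service must not listen on a public interface. The following shell script is an added example (not Shadowserver's or CERT.at's tooling) that audits a Linux host's listening sockets against the default ports named in the sections above, reading `ss -lntu` output and reporting listeners bound to all interfaces. It assumes the column layout of iproute2's `ss`; the sample output is constructed.

```shell
#!/bin/sh
# Added example, not Shadowserver's or CERT.at's tooling.
# Reads `ss -lntu` output on stdin and prints one line per listening
# socket that is bound to all interfaces (0.0.0.0, *, [::]) on one of the
# default ports from the sections above. Sockets bound to loopback or to
# a specific internal address are not reported.

# Port table taken from the sections above: "proto/port service".
RISKY_PORTS='tcp/4786 cisco-smart-install
tcp/3389 rdp
udp/3389 rdp
tcp/445 smb
tcp/23 telnet
udp/123 ntp
tcp/123 ntp
tcp/19 chargen
udp/19 chargen
tcp/7547 cwmp
udp/53 dns
tcp/53 dns
tcp/9200 elasticsearch
udp/623 ipmi
tcp/389 ldap
udp/389 ldap
udp/5353 mdns
tcp/11211 memcached
udp/11211 memcached
tcp/27017 mongodb
tcp/1433 mssql
udp/1433 mssql
udp/5351 nat-pmp
udp/137 netbios-ns
tcp/111 portmapper
udp/111 portmapper
tcp/17 qotd
udp/17 qotd
tcp/6379 redis
udp/161 snmp
udp/1900 ssdp
udp/69 tftp
udp/177 xdmcp'

find_exposed() {
    # Feed the table first, then a separator, then the ss output, so a
    # single awk pass can load the lookup table without temp files.
    { printf '%s\n' "$RISKY_PORTS"; echo '---'; cat; } | awk '
    !done && $0 == "---" { done = 1; next }
    !done               { service[$1] = $2; next }
    $1 != "tcp" && $1 != "udp" { next }       # skips the ss header line
    {
        addr = $5                               # "Local Address:Port" column
        port = addr; sub(/.*:/, "", port)       # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
        wildcard = (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")
        key = $1 "/" port
        if (wildcard && (key in service)) print key, service[key]
    }'
}

# Constructed sample of `ss -lntu` output for a host with several of the
# services above; only four of the six sockets are exposed.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:11211      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
tcp   LISTEN 0      128    [::]:3389          [::]:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
```

After sourcing the script, run `ss -lntu | find_exposed` on the host. In the sample the Redis socket is bound to 127.0.0.1 and is therefore not reported, while the memcached socket on 0.0.0.0:11211/udp is, which is exactly the case the "deactivate UDP" item in the memcached section addresses. A wildcard bind is not by itself proof of Internet exposure (a perimeter firewall may still block the port), so treat each reported line as something to verify, not as a finding in its own right.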

Sandbox URL

If you received a notification about "Sandbox URLs", malware running in sandboxes of the Shadowserver project tried to access these URLs. This indicates that criminals have uploaded files to these URLs which the malware now tries to download. In many cases these files contain more malicious code.

Sinkhole HTTP Drone

Description

The Sinkhole-HTTP-Drone feed from Shadowserver indicates that your system is very likely infected with malware. The feed makes use of the fact that a lot of malware communicates with a so-called Command & Control (C2) server to receive commands, download files, upload files, etc. If the name of the C2 server is stored as a URL in the malware, it has to be mapped to an IP address before communication can begin. This is accomplished using the DNS (Domain Name System), and this is where Shadowserver can intervene: they set up a DNS server which responds to the query with an IP address that is under their control rather than that of the C2 server. Thus, any connection attempts to this IP address originate from infected clients with high probability.

Risks

  • This depends on the malware. Common actions are stealing passwords, account data (banks, email, social media, ...) and browser histories, abusing the infected machine to send spam, or using it to infect other computers.

Mitigation

  • This also depends on the malware. If possible, CERT.at recommends reinstalling the operating system and restoring the data from a known good backup. If there are no (good) backups available it is also possible to clean the PC using anti-malware software. However, as anti-malware authors and malware authors are in a constant cat-and-mouse game this method is less reliable. Also, don't hesitate to seek help from professionals if you are unsure whether you can handle the task.

Spam URL

Description

Shadowserver's Spam-URL feed contains IP addresses of relay servers and URLs which have been found in spam emails.

Spam messages often contain multiple legitimate URLs to look more credible and increase the likelihood that users click on the malicious URLs as well. However, if one of your URLs is listed in the feed you should check it on your web server to eliminate the possibility that criminals gained access to it and placed malicious files there.

Additionally, Shadowserver collects the IP address of the last hop before the mail is delivered because this cannot be spoofed. If one of your IPs is listed as such, your server was sending, routing or forwarding the spam message.

Risks

  • Criminals may have access to your web server and/or mail server.

Mitigation

  • Check your web server and/or mail server for unauthorized access and traces of an intrusion. If you find that a server has likely been compromised, CERT.at recommends reinstalling the operating system and restoring the data from a known good backup. If there are no (good) backups available it is also possible to try cleaning the machine using anti-malware software. If you are unsure how to do this, don't hesitate to seek professional help.

SSL FREAK

Description

SSL FREAK (Factoring RSA_EXPORT keys) is a vulnerability which was found in 2015. It makes a Monster-In-The-Middle (MITM) attack possible that leads to the decryption of encrypted communication by an adversary. The attacker's server tries to force vulnerable clients to downgrade to RSA export keys, a cipher suite which is deliberately insecure and was introduced to enable US agencies to decrypt foreign communications more easily.[0]

Risks

  • With a successful MITM attack it is possible to decrypt the encrypted communication fairly easily.

Mitigation

  • Updates for all vulnerable clients have been available since 2015.[1]
  • Disable the RSA_EXPORT ciphers on your server to make it impossible for clients to even try using them in communicating with you. A MITM attack would simply fail as the server refuses connections that try to use these ciphers.

[0]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
[1]: https://mitls.org/pages/attacks/SMACK#freak

SSL Poodle

Description

SSL Poodle is an attack against SSLv3 (Secure Socket Layer) and some implementations of TLS (Transport Layer Security) which was published in 2014. The attack works only if cipher-block chaining (CBC) mode ciphers[0] are enabled. If so, due to errors in the protocol, attackers in a Monster-In-The-Middle (MITM) position can decrypt the encrypted communication rather easily.

SSLv3 was deprecated and replaced by TLS a long time ago, but for backwards compatibility many servers, browsers and other software still support, or until recently supported, it.

Risks

  • After a successful MITM attack, attackers can force a downgrade to SSLv3 and decrypt the communication using the Poodle attack, and therefore may obtain valuable information like passwords.

Mitigation

  • In the case of vulnerable TLS implementations: Implement the updates which are available.
  • Configure servers and clients to not support SSLv3 and vulnerable TLS implementations.

More information about Poodle can be found in the original paper[1] as well as on the US-CERT website[2].

[0]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_(CBC)
[1]: https://www.openssl.org/~bodo/ssl-poodle.pdf (PDF)
[2]: https://www.us-cert.gov/ncas/alerts/TA14-290A
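To verify the FREAK and Poodle mitigations on a server you operate, here is an added shell helper (not OpenSSL's, Shadowserver's or CERT.at's code) that classifies the output of `openssl s_client` probes: a hardened server refuses both an SSLv3 handshake and an export-grade cipher suite. The probe commands and the nginx directives in the comments are assumptions about your setup; the sample outputs are constructed and abridged.

```shell
#!/bin/sh
# Added example, not OpenSSL's, Shadowserver's or CERT.at's code.
# Classifies the output of `openssl s_client` probes run against your own
# server to confirm the FREAK and Poodle mitigations above are in place.
#
# Probe commands (assumed; they need an OpenSSL build that still knows
# SSLv3 and export suites, which current builds no longer do):
#   openssl s_client -connect www.example.com:443 -ssl3            </dev/null
#   openssl s_client -connect www.example.com:443 -cipher 'EXPORT'  </dev/null
#
# A hardened server refuses both, e.g. with these nginx directives:
#   ssl_protocols TLSv1.2 TLSv1.3;
#   ssl_ciphers 'HIGH:!aNULL:!EXPORT:!RC4:!MD5';

tls_probe_verdict() {
    # reads s_client output on stdin; prints one of
    #   refused | sslv3-accepted | export-cipher-accepted | accepted
    out=$(cat)
    # A refused handshake shows no negotiated cipher and/or an alert; test
    # this first, because the alert text itself mentions "sslv3".
    if printf '%s\n' "$out" | grep -Eq 'Cipher is \(NONE\)|handshake failure|alert protocol version'; then
        echo refused
    elif printf '%s\n' "$out" | grep -Eq '^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*SSLv3'; then
        echo sslv3-accepted            # Poodle mitigation missing
    elif printf '%s\n' "$out" | grep -Eq '^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*EXP-'; then
        echo export-cipher-accepted    # FREAK mitigation missing
    else
        echo accepted                  # handshake worked with a modern suite
    fi
}

# Constructed, abridged sample outputs for the three outcomes.
SAMPLE_REFUSED='CONNECTED(00000003)
140735234:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:...
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

SAMPLE_SSLV3='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA'

SAMPLE_EXPORT='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EXP-RC4-MD5'
```

Usage: `openssl s_client -connect www.example.com:443 -ssl3 </dev/null 2>&1 | tls_probe_verdict` should print `refused` for a server that has SSLv3 disabled; the same with `-cipher 'EXPORT'` should print `refused` for a server without RSA_EXPORT suites. Note that `2>&1` matters, because the alert text arrives on stderr.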

Vulnerable ISAKMP

Description

ISAKMP (Internet Security Association and Key Management Protocol) defines the creation, negotiation, modification and deletion of Security Associations as well as cryptographic key management. In 2016 researchers found a severe vulnerability in Cisco's implementation of IKEv1, which is based on ISAKMP.[0] It was patched soon thereafter, but even today not everyone has updated their affected systems.

Cisco's IKEv1 implementation may listen on port 500/UDP, 848/UDP, 4500/UDP, or 4848/UDP.

Risks

  • Attackers can send a specially crafted packet to the device to read out parts of its memory and thus potentially gain access to sensitive data.

Mitigation

  • Roll out the update according to the description in the linked advisory below.

[0]: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1