Vulnerable
Devices in this category suffer from vulnerabilities which either make them susceptible to attacks or allow them to be abused in attacks against others. In most cases, such vulnerabilities result from implementation errors, design errors, or configuration errors.
- Accessible Cisco Smart Install
- Accessible RDP
- Accessible SMB
- Accessible Telnet
- Accessible Ubiquiti Discovery
- NTP Version
- Open CHARGEN
- Open CWMP
- Open DNS Resolver
- Open Elasticsearch
- Open IPMI
- Open LDAP
- Open mDNS
- Open memcached
- Open MongoDB
- Open MSSQL
- Open NAT-PMP
- Open NetBIOS
- Open Portmapper
- Open QOTD
- Open Redis
- Open SNMP
- Open SSDP
- Open TFTP
- Open XDMCP
- SSL FREAK
- SSL Poodle
- Vulnerable Exchange Server
- Vulnerable ISAKMP
Accessible Cisco Smart Install
Description
Cisco Smart Install is a legacy feature in some Cisco switches which allows zero-touch deployment. Cisco explicitly states that the service must not be exposed to untrusted networks as there is no authentication whatsoever. It listens on port 4786/TCP by default.
Risks
- Criminals can completely take over your Cisco switch by abusing Cisco Smart Install, including executing arbitrary commands and even replacing the operating system.
Mitigation
- Deactivate Cisco Smart Install after successful installation if possible.
- Restrict access to internal networks.
- If remote access is absolutely necessary, use a VPN.
Cisco's PSIRT (Product Security Incident Response Team) published an advisory[0] and a blog post[1] describing best practices for Cisco Smart Install.
[0]: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
[1]: https://blogs.cisco.com/security/cisco-psirt-mitigating-and-detecting-potential-abuse-of-cisco-smart-install-feature
Accessible RDP
Description
RDP (Remote Desktop Protocol) is a proprietary protocol by Microsoft which by default listens on 3389/UDP and 3389/TCP and lets users log into computers remotely. It is often used for remote administration.
RDP servers should not be accessible from the public Internet.
Risks
- If an RDP server is reachable from the public Internet, attackers can try to gain access using brute-force attacks[0]. If successful, they can do anything the compromised account is allowed to do, steal sensitive data, or gather information about internal networks.
- Misconfigured servers are susceptible to Monster-In-The-Middle (MITM) attacks.[1]
Mitigation
- If possible, restrict access to RDP servers to internal networks.
- If remote access is necessary, use a VPN, lock accounts after multiple failed login attempts,[2] enforce strong passwords, and use multi-factor authentication wherever possible[3].
[0]: https://en.wikipedia.org/wiki/Brute-force_attack
[1]: https://www.exploit-db.com/docs/english/41621-attacking-rdp---how-to-eavesdrop-on-poorly-secured-rdp-connections.pdf (PDF)
[2]: https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/
[3]: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
Accessible SMB
Description
SMB (Server Message Block) is a protocol to give users access to shared files. Servers listen on port 445/TCP by default. They should not be reachable from the public Internet.
Risks
- Multiple vulnerabilities in SMB have surfaced over the years, some with severe consequences.[0] Servers which can be reached from the public Internet make easy targets.
- Criminals may try to gain access to your server using brute-force attacks[1] and, if successful, steal sensitive data.
- Depending on the configuration, other attacks may be possible.
Mitigation
- Restrict access to internal networks, if possible.
- If remote access is necessary, use a VPN, enforce strong passwords and follow best practices[2].
[0]: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
[1]: https://en.wikipedia.org/wiki/Brute-force_attack
[2]: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
Accessible Telnet
Description
Telnet is a legacy protocol listening by default on port 23/TCP. It was, and occasionally still is, used for remote administration, mainly of network equipment. As it offers no encryption it should only be used if no alternatives exist and must never be reachable from the public Internet.
Risks
- Telnet transmits all data, including account names and passwords, in plaintext. Therefore, anyone who can sniff network traffic is able to get this information and (mis)use it in any way they like. As telnet is mainly used for administrative purposes such breaches have devastating consequences.
- If telnet is inadvertently accessible from the public Internet, chances are that the (often widely known) default credentials are still in place. This gives attackers easy access to such devices.
- Publicly accessible telnet services can fall victim to brute-force attacks[0].
Mitigation
- If possible, disable telnet altogether and switch to a modern, encrypted protocol like SSH.
- Restrict access to the service to internal networks.
- If remote access is absolutely necessary, use a VPN through which only authorized personnel can access the devices.
[0]: https://en.wikipedia.org/wiki/Brute-force_attack
Accessible Ubiquiti Discovery
Description
Ubiquiti devices use a discovery protocol to automatically identify other Ubiquiti devices within the same network. By default this service listens on port 10001/UDP (on newer versions also 10001/TCP). It should not be accessible from the public Internet.
Risks
- The service allows anyone to remotely gather a lot of information about the system without any authentication.
- Vulnerabilities in older firmware versions allowed for automatic take-over of the devices.[0][1] If the CSV file we sent to you has the word "intrusion" in the column classification.taxonomy, your device has already been compromised according to our sources and should be fixed as soon as possible.
- Criminals can abuse the devices for UDP amplification DDoS attacks[2].
Mitigation
- Restrict access to internal networks or VPNs. A description of how to configure the devices correctly can be found on Ubiquiti's website[3].
[0]: https://www.zdnet.com/article/over-485000-ubiquiti-devices-vulnerable-to-new-attack/
[1]: https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/
[2]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[3]: https://help.ui.com/hc/en-us/articles/204976244-EdgeRouter-UBNT-Device-Discovery
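As an added example (not code from this page or from the notifying team), a Python triage of a notification CSV of the kind mentioned above: it maps port/protocol to the category names used on this page, treats the value "intrusion" in the column classification.taxonomy as a compromise indicator, and sorts findings by urgency. The column names other than classification.taxonomy and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Port/protocol -> category name used on this page (subset; extend as needed).
CATEGORY_BY_PORT = {
    (4786, "tcp"): "Accessible Cisco Smart Install",
    (3389, "tcp"): "Accessible RDP",
    (445, "tcp"): "Accessible SMB",
    (23, "tcp"): "Accessible Telnet",
    (10001, "udp"): "Accessible Ubiquiti Discovery",
    (123, "udp"): "NTP Version",
    (19, "udp"): "Open CHARGEN",
    (53, "udp"): "Open DNS Resolver",
    (623, "udp"): "Open IPMI",
    (389, "udp"): "Open LDAP",
    (5353, "udp"): "Open mDNS",
    (11211, "udp"): "Open memcached",
    (27017, "tcp"): "Open MongoDB",
    (111, "udp"): "Open Portmapper",
    (17, "udp"): "Open QOTD",
    (6379, "tcp"): "Open Redis",
    (161, "udp"): "Open SNMP",
    (1900, "udp"): "Open SSDP",
    (69, "udp"): "Open TFTP",
    (177, "udp"): "Open XDMCP",
}

# Categories this page describes as abusable for UDP amplification DDoS attacks.
AMPLIFIERS = {
    "Accessible Ubiquiti Discovery", "NTP Version", "Open CHARGEN",
    "Open DNS Resolver", "Open LDAP", "Open memcached", "Open Portmapper",
    "Open QOTD", "Open SNMP", "Open SSDP", "Open XDMCP",
}

# Constructed sample in the shape of a notification CSV. Only the column
# classification.taxonomy and the value "intrusion" come from the page; the
# other column names, addresses and timestamps are assumptions.
SAMPLE_CSV = """\
timestamp,ip,port,protocol,classification.taxonomy
2024-01-01T00:00:00Z,192.0.2.10,10001,udp,intrusion
2024-01-01T00:00:00Z,192.0.2.11,10001,udp,vulnerable
2024-01-01T00:00:00Z,192.0.2.12,19,udp,vulnerable
2024-01-01T00:00:00Z,192.0.2.13,4786,tcp,vulnerable
2024-01-01T00:00:00Z,192.0.2.14,8443,tcp,vulnerable
"""


def triage(csv_text):
    """Return one finding per CSV row, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (int(row["port"]), row["protocol"].strip().lower())
        category = CATEGORY_BY_PORT.get(key, "Unknown service")
        compromised = row["classification.taxonomy"].strip().lower() == "intrusion"
        # 0: already compromised, 1: known exposed service, 2: unmapped port.
        priority = 0 if compromised else (1 if category != "Unknown service" else 2)
        findings.append({
            "ip": row["ip"],
            "service": f"{key[0]}/{key[1]}",
            "category": category,
            "compromised": compromised,
            "amplifier": category in AMPLIFIERS,
            "priority": priority,
        })
    findings.sort(key=lambda f: (f["priority"], f["ip"]))
    return findings


def summary(findings):
    """Count findings per category, e.g. for reporting to asset owners."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_CSV)
    for f in results:
        flag = "COMPROMISED" if f["compromised"] else ("amplifier" if f["amplifier"] else "exposed")
        print(f"P{f['priority']} {f['ip']:<12} {f['service']:<10} {f['category']:<32} {flag}")
    print(dict(summary(results)))
```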
NTP Version
Description
NTP, the Network Time Protocol, enables computers to synchronize their clocks over the network. Servers listen on ports 123/UDP or 123/TCP by default. Whether a server should be reachable from the public Internet is for the owner to decide.
Risks
- Depending on the configuration, criminals can abuse NTP servers for UDP amplification DDoS attacks[0] in up to two ways: a mode 6 READVAR query[1] or a mode 7 MON_GETLIST_1 query[2].
Mitigation
- Restrict access to internal networks or VPNs if possible.
- If access from the public Internet is desired, make sure to use a safe configuration.[3][4]
[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[1]: https://scan.shadowserver.org/ntpversion/
[2]: https://scan.shadowserver.org/ntpmonitor/
[3]: https://www.team-cymru.com/secure-ntp-template.html
[4]: http://support.ntp.org/bin/view/Support/AccessRestrictions
Open CHARGEN
Description
CHARGEN (Character Generator Protocol)[0] is a legacy protocol which was intended for testing and debugging purposes. By default it listens on port 19/UDP or 19/TCP. There has never been a good reason to make CHARGEN servers accessible from the public Internet, and this still holds today. If there is an open CHARGEN service running, this is usually not intended and results from poor default configurations that were never changed. In many cases old network printers are the culprits, so have a look at them if you have been informed that there is an open CHARGEN service in your network.
Risks
- CHARGEN can be misused for UDP amplification attacks[1][2] with an amplification factor of almost 360.
Mitigation
- Turn off the CHARGEN service or, if you really need it or are unable to turn it off, at least restrict access to the local network.
[0]: https://en.wikipedia.org/wiki/Character_Generator_Protocol
[1]: https://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service#Amplification
[2]: https://www.us-cert.gov/ncas/alerts/TA14-017A
Open CWMP
Description
The CPE WAN Management Protocol (CWMP) enables ISPs to remotely configure and administer customers' home routers, a.k.a. CPE (Customer Premises Equipment), using so-called ACSs (Auto Configuration Servers). While certainly useful, ISPs need to ensure that CPEs listening on port 7547 for this purpose are not accessible from the public Internet.
Risks
- Some ACS implementations have (or had) RCE (Remote Code Execution) vulnerabilities[0] which could enable criminals to take over the servers and push malware to CPEs.
- Some CPE implementations are susceptible to DDoS attacks.[1]
Mitigation
- Block access to ACSs and CPEs from outside of your network.
[0]: https://2016.hack.lu/archive/2014/I-hunt-TR-069-admins-shahar-tal-hacklu.pdf (PDF)
[1]: https://threatpost.com/hacker-admits-to-mirai-attack-against-deutsche-telekom/127001/
Open DNS Resolver
Description
The DNS (Domain Name System) is one of the integral parts of the modern Internet. It usually listens on port 53/UDP or 53/TCP. An open DNS resolver is a DNS server which answers recursive DNS queries from any client on the public Internet.
Risks
- Criminals can send requests with spoofed source IP addresses to port 53/UDP of open DNS resolvers to trigger large answers directed at a victim. Often requests of type ANY[0] are used, but see [1]. This mechanism can be used to launch DDoS attacks.[2]
Mitigation
- Make sure your DNS resolver handles only queries from specific (i.e. your own) clients.
- Use source-IP verification to make address spoofing impossible or at least much harder.
- Use Response Rate Limiting, i.e. limit the number of queries a client is allowed to make per second.
- Disable recursive queries on authoritative name servers altogether.
A description of how to implement these mitigations has been published by US-CERT.[0]
[0]: https://www.us-cert.gov/ncas/alerts/TA13-088A
Open Elasticsearch
Description
Elasticsearch is a search engine which companies can set up to make their information searchable. It listens on port 9200/TCP by default. If the installation is not meant to provide a search engine to the public, access from the open Internet should not be possible.
Risks
- If the Elasticsearch installation contains sensitive data and is accessible from the public Internet, unauthorized persons may read and search the data.
Mitigation
- Restrict access to internal networks.
- If remote access is necessary, use a VPN.
- Configure your Elasticsearch instance(s) securely. All possible security settings can be found on Elastic's website.[0]
[0]: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
Open IPMI
Description
IPMI (Intelligent Platform Management Interface) enables remote administration of computers without relying on the computer's CPU, OS, or firmware. As compromising IPMI can have severe consequences it should never be accessible from the public Internet. By default it listens on port 623/UDP. Well-known implementations of IPMI include HPE's iLO and Dell's (i)DRAC.
Risks
- Criminals may use brute-force attacks[0] against IPMI to take full control of the computer.
- Default usernames and passwords for some of the IPMI implementations are publicly known which can result in a takeover if these credentials have not been changed.
Mitigation
- Restrict access to IPMI to your internal networks.
- If remote access from outside of your networks is necessary, use a VPN through which authorized employees can connect to IPMI.
[0]: https://en.wikipedia.org/wiki/Brute-force_attack
Open LDAP
Description
Active Directory/LDAP servers listen on 389/UDP or 389/TCP and should never be reachable from the public Internet. Search engines like shodan.io make it trivial to find such services, i.e. trying to keep a URL secret offers no protection.
Risks
- Attackers can try to take over accounts using brute-force[0] or credential stuffing attacks[1]. If successful, they are able to read and change data as well as create new files according to the stolen account's permissions.
- If 389/UDP is used the servers can additionally be abused for DDoS amplification attacks[2].
Mitigation
- Restrict access to the server(s) to internal networks.
- If remote access is necessary, set up a VPN which authorized people can use to access the server(s).
[0]: https://en.wikipedia.org/wiki/Brute-force_attack
[1]: https://en.wikipedia.org/wiki/Credential_stuffing
[2]: https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification
Open mDNS
Description
mDNS (Multicast DNS) is a zero-configuration protocol for name resolution in small networks. mDNS devices send queries to a multicast IP address; other mDNS devices receive them and answer with their data to the same multicast IP address. By default mDNS listens on port 5353/UDP. It should never be accessible from the public Internet.
Risks
- mDNS devices which can be reached from the public Internet will disclose possibly sensitive information like IPv4 address, IPv6 address, host name, and MAC address to anyone who asks.
Mitigation
- Restrict access to internal networks. If you find yourself needing to route mDNS over the public Internet, you are using the wrong tool; switch to "real" DNS instead.
Open memcached
Description
Memcached is a distributed cache server which is usually deployed to minimize the response time of websites, e.g. by caching database query results so that repeated queries to the backend become unnecessary. By default memcached listens on ports 11211/TCP and 11211/UDP. According to the developers it should never be exposed to the public Internet.[0]
Risks
- Criminals can abuse memcached servers which can be reached from the public Internet to launch UDP amplification DDoS attacks[1].
Mitigation
- Restrict access to internal networks.
- If remote access is necessary use a VPN.
- Deactivate UDP on the memcached server.
[0]: https://github.com/memcached/memcached/wiki/ConfiguringServer#networking
[1]: https://www.us-cert.gov/ncas/alerts/TA14-017A
Open MongoDB
Description
MongoDB is a NoSQL database listening on 27017/TCP by default. In most cases it is not necessary to have it accessible from the public Internet.
Risks
- If the database can be reached from the public Internet and authentication is not enabled, criminals can easily access all data in the database.
- If authentication is enabled, criminals can still try to gain access using brute-force attacks[0] or credential stuffing[1].
Mitigation
- Restrict access to the database server to internal networks.
- If remote access is necessary, use a VPN or at least enable authentication[2] and make sure strong passwords are used.
[0]: https://en.wikipedia.org/wiki/Brute-force_attack
[1]: https://en.wikipedia.org/wiki/Credential_stuffing
[2]: https://docs.mongodb.com/manual/tutorial/enable-authentication/
Open MSSQL
Description
Microsoft SQL Server is Microsoft's SQL server software which by default listens on ports 1433/TCP and 1433/UDP. This service should not be exposed to the public Internet.
Risks
- Criminals may try to access the data in the database to steal information. At the very least they will be able to gather information about the running MS-SQL server.
- Criminals may abuse the server for UDP amplification DDoS attacks[0].[1]
Mitigation
- Restrict access to internal networks.
- If remote access is necessary, use a VPN.
[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[1]: https://scan.shadowserver.org/mssql/
Open NAT-PMP
Description
NAT-PMP (Network Address Translation - Port Mapping Protocol) enables NAT and port forwarding without user interaction. This should be possible only on the internal interface of the device which offers these services. By default it listens on port 5351/UDP and should not be accessible from the public Internet.
Risks
- If the NAT-PMP service is accessible on the external interface and this interface can be reached from the public Internet, any attacker on the Internet can obtain information about the device, manipulate port mappings, read public and private communications, access private client services and block the host services of the device.
Mitigation
- Disable NAT-PMP if possible.
- Restrict access to internal networks.
- If you are using miniupnp: its configuration may well be the origin of the problem. Make sure that you have version 1.8.20141022 or later installed.
- Make sure NAT-PMP is securely configured:
  - WAN and LAN interfaces are correctly assigned.
  - NAT-PMP requests are accepted only on internal interfaces.
  - Port mappings are only opened for the requesting internal IP address.
For more information have a look at the original blog post by Rapid7[0]. Information about the risks and the mitigation has been taken from the cert.org advisory[1].
[0]: https://blog.rapid7.com/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities/
[1]: https://www.kb.cert.org/vuls/id/184540/
Open NetBIOS
Description
NetBIOS is a protocol which enables computers to communicate in the local network. One of its services is name resolution, which listens on port 137/UDP by default. This should never be accessible from the public Internet.
Risks
- Depending on the configuration, answers to name queries may include the server's MAC address, its name, and the name of the user who is running the service, leading to possible information leakage.
Mitigation
- Disable NetBIOS if you don't absolutely need it.
- Restrict access to NetBIOS to internal networks.
[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
Open Portmapper
Description
Portmapper enables remote procedure calls and by default listens on ports 111/TCP and 111/UDP. This service should not be exposed to the public Internet.
Risks
- Criminals may abuse an open instance for UDP amplification attacks[0][1].
- Depending on the configuration and other running services, criminals can obtain a lot of information regarding the server and the network.
Mitigation
- Restrict access to internal networks.
- If remote access is necessary, use a VPN.
[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[1]: https://www.netformation.com/our-pov/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/
Open QOTD
Description
Quote Of The Day (QOTD) is a service which returns a quote of the day in response to queries. It listens on ports 17/TCP and 17/UDP by default.
Risks
- If QOTD listens on 17/UDP it can be abused for UDP amplification attacks[0].
Mitigation
- If possible, turn off the service on 17/UDP.
- Restrict access to internal networks.
- If remote access is necessary, use a VPN.
[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
Open Redis
Description
Redis is a NoSQL in-memory database which listens on port 6379/TCP by default. It should not be accessible from the public Internet as its security model explicitly assumes that it can only be queried by trusted clients.[0]
Risks
- If Redis is accessible from the public Internet, unauthorized persons can read the contents of the database and, depending on the configuration, even manipulate them.
Mitigation
- Restrict access to internal networks.
- If remote access is necessary, use a VPN.
[0]: https://redis.io/topics/security
Open SNMP
Description
SNMP (Simple Network Management Protocol) makes it possible to monitor and configure devices on a network remotely. SNMP agents of managed devices listen on port 161/UDP by default. SNMP agents should not be accessible from the public Internet.
Risks
- SNMP agents accessible from the public Internet may leak information about the hosts they are running on and even the entire network if not configured properly.
- SNMPv2c agents accessible from the public Internet can be abused for UDP-based amplification attacks[0].
Mitigation
- Make sure SNMP is configured according to current best practices. A possible guideline can be found here[1].
- Restrict access to internal networks.
- If remote access is necessary use a VPN.
[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
[1]: https://blog.rapid7.com/2016/01/27/simple-network-management-protocol-snmp-best-practices/
Open SSDP
Description
SSDP (Simple Service Discovery Protocol) enables devices in small networks to discover addresses and services without using dedicated servers (e.g. DHCP, DNS). The service listens on port 1900/UDP by default and should never be accessible from the public Internet.
Risks
- SSDP services which are accessible from the public Internet can be abused by criminals to launch UDP-based amplification attacks[0].
Mitigation
- Turn off SSDP. Today it is mostly used in conjunction with UPnP which also shouldn't be reachable from the public Internet.
- If you definitely need SSDP on your network, make sure access is restricted to internal networks.
[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
Open TFTP
Description
TFTP, the Trivial File Transfer Protocol, is a very simple protocol for downloading and uploading files. The server listens on port 69/UDP by default. As TFTP offers no security mechanisms whatsoever it should not be accessible from the public Internet.
Risks
- Criminals are able to download and upload arbitrary files from/to the server if it is accessible from the public Internet.
Mitigation
- Restrict access to internal networks.
- If remote access is necessary, use a VPN.
Open XDMCP
Description
XDMCP (X Display Manager Control Protocol) is a protocol that is used to connect remote X displays to an X server over the network. It listens on port 177/UDP by default. This service should not be accessible from the public Internet.
Risks
- Authentication in XDMCP is unencrypted, i.e. everyone who can read network traffic will see user names and passwords in plaintext.
- If the server is reachable from the public Internet XDMCP can be used to gain information about the host.
- XDMCP servers accessible from the public Internet can be abused for UDP-based amplification attacks[0].
Mitigation
- Use an encrypted SSH tunnel for remote X displays instead of XDMCP.
- Restrict access to internal networks.
- If remote access is necessary, use a VPN.
[0]: https://www.us-cert.gov/ncas/alerts/TA14-017A
SSL FREAK
Description
SSL FREAK (Factoring RSA_EXPORT keys) is a vulnerability which was found in 2015. It makes a Monster-In-The-Middle (MITM) attack possible that leads to the decryption of encrypted communication by an adversary. The attacker uses a server which tries to force vulnerable clients to downgrade to RSA Export keys, a cipher suite which is deliberately insecure and was introduced to enable US agencies to decrypt foreign communications more easily.[0]
Risks
- After a successful MITM attack it is possible to decrypt the encrypted communication fairly easily.
Mitigation
- Updates have been available for all vulnerable clients since 2015.[1]
- Disable the RSA_EXPORT ciphers on your server so that clients cannot even try to use them when communicating with you. A MITM attack would simply fail as the server refuses connections that try to use these ciphers.
[0]: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States
[1]: https://mitls.org/pages/attacks/SMACK#freak
SSL Poodle
Description
SSL Poodle is an attack against SSLv3 (Secure Sockets Layer) and some implementations of TLS (Transport Layer Security) which was published in 2014. The attack works only if cipher-block chaining (CBC) mode ciphers[0] are enabled. If so, due to errors in the protocol, attackers in a Monster-In-The-Middle (MITM) position can decrypt the encrypted communication rather easily.
SSLv3 was deprecated and replaced by TLS a long time ago, but for backwards compatibility many servers, browsers and other software still support or supported it.
Risks
- After a successful MITM attack, attackers can force a downgrade to SSLv3 and decrypt the communication using the Poodle attack, and therefore may obtain valuable information like passwords.
Mitigation
- In the case of vulnerable TLS implementations: install the updates which are available.
- Configure servers and clients not to support SSLv3 or vulnerable TLS implementations.
More information about Poodle can be found in the original paper[1] as well as on the website of US-CERT[2].
[0]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_Block_Chaining_(CBC)
[1]: https://www.openssl.org/~bodo/ssl-poodle.pdf (PDF)
[2]: https://www.us-cert.gov/ncas/alerts/TA14-290A
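As an added example covering both the FREAK and the Poodle mitigations above (not code from this page), a small Python linter for nginx-style ssl_protocols/ssl_ciphers directives: it flags SSLv3 (Poodle) and any OpenSSL cipher string that selects, or fails to exclude, the RSA_EXPORT suites (FREAK). The two configurations are constructed; the weak one is the "before", the fixed one the "after". The linter only reads the cipher string, so the definitive check of what a string resolves to on your build remains `openssl ciphers -v '<string>'`.

```python
import re

# OpenSSL cipher-string tokens that select the deliberately weak RSA_EXPORT suites.
EXPORT_TOKENS = {"EXP", "EXPORT", "EXPORT40", "EXPORT56"}

# Constructed weak configuration: SSLv3 enabled, export suite explicitly listed.
WEAK_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:EXP-RC4-MD5:!aNULL;
}
"""

# Constructed hardened configuration: no SSLv3, export suites excluded with "!".
FIXED_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!EXPORT:!RC4:!MD5;
}
"""

DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+(.+?)\s*;", re.M)


def parse_tls_directives(conf):
    """Return (set of protocol names, list of cipher-string tokens)."""
    protocols, ciphers = set(), []
    for name, value in DIRECTIVE.findall(conf):
        if name == "ssl_protocols":
            protocols.update(value.split())
        else:
            ciphers.extend(value.replace('"', "").split(":"))
    return protocols, ciphers


def lint_tls_config(conf):
    """Return a list of (finding, detail) tuples for FREAK/Poodle-relevant settings."""
    protocols, ciphers = parse_tls_directives(conf)
    findings = []
    if "SSLv3" in protocols:
        findings.append(("POODLE", "SSLv3 is enabled; remove it from ssl_protocols"))
    selected = {t for t in ciphers if not t.startswith("!")}
    excluded = {t[1:] for t in ciphers if t.startswith("!")}
    # Explicit selection of export suites, either by group token or by suite name.
    if selected & EXPORT_TOKENS or any(t.startswith("EXP-") for t in selected):
        findings.append(("FREAK", "export (RSA_EXPORT) suites are explicitly selected"))
    elif not excluded & EXPORT_TOKENS:
        # "!" removes suites permanently in OpenSSL; without it, broad selectors
        # such as ALL may still include export suites on old builds.
        findings.append(("FREAK?", "export suites not explicitly excluded; "
                                   "verify with: openssl ciphers -v '<string>'"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_tls_config(conf) or "no findings")
```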
Vulnerable Exchange Server
Note: Our notifications cover two different vulnerability chains: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, which have been exploited by the HAFNIUM group, and CVE-2022-41080/CVE-2022-41082 (RCE), which are part of the ProxyNotShell exploit chain.
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (HAFNIUM)
Description
In March 2021 Microsoft published emergency patches for vulnerabilities in Microsoft Exchange Server which were being actively exploited[0].
Risks
- Attackers can completely take over vulnerable Exchange instances, make arbitrary changes within the operating system and read all e-mails.
- In many cases attackers initially deploy webshells in order to return and escalate their privileges at a later point.
Mitigation
- Apply patches with the Exchange On-premises Mitigation Tool[1] published by Microsoft. This tool will also attempt to remove any existing webshells.
- Upgrade to a fixed Microsoft Exchange version:
  - Exchange Server 2019: Cumulative Update 9 (Version 15.02.0858.005) or later
  - Exchange Server 2016: Cumulative Update 20 (Version 15.01.2242.004) or later
  - Exchange Server 2013: This version did not get any cumulative updates, only patches
[0]: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[1]: https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt
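As an added example (not code from this page or from Microsoft), a Python check that compares the build numbers from your own server inventory against the fixed builds listed above. Assumptions: the 15.2/15.1 prefixes identify Exchange 2019/2016 as on the page, 15.0 is taken to be Exchange 2013, the "Version 15.1 (Build 2242.4)" display format is assumed, and all sample builds other than the two fixed ones are constructed.

```python
import re

# Minimum fixed builds for the HAFNIUM vulnerabilities as stated on this page,
# keyed by the major.minor prefix of the product line (15.2 = 2019, 15.1 = 2016).
FIXED_BUILDS = {
    (15, 2): ("Exchange Server 2019", (15, 2, 858, 5)),
    (15, 1): ("Exchange Server 2016", (15, 1, 2242, 4)),
}
# Exchange 2013 (prefix 15.0 assumed) only received security patches, so the
# build number alone cannot show whether the patch is installed.
PATCH_ONLY = {(15, 0): "Exchange Server 2013"}

DOTTED = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")
# Assumed display format, e.g. "Version 15.1 (Build 2242.4)".
DISPLAY = re.compile(r"^\s*Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)\s*$")


def parse_build(version):
    """'15.02.0858.005' or 'Version 15.2 (Build 858.5)' -> (15, 2, 858, 5)."""
    m = DOTTED.match(version) or DISPLAY.match(version)
    if not m:
        raise ValueError(f"not an Exchange build number: {version!r}")
    return tuple(int(p) for p in m.groups())


def assess(version):
    """Classify one build as 'fixed', 'vulnerable' or 'unknown' for HAFNIUM."""
    build = parse_build(version)
    line = build[:2]
    if line in FIXED_BUILDS:
        product, minimum = FIXED_BUILDS[line]
        return product, ("fixed" if build >= minimum else "vulnerable")
    if line in PATCH_ONLY:
        return PATCH_ONLY[line], "unknown"
    return "unrecognised product line", "unknown"


def assess_inventory(entries):
    """entries: {hostname: version string} -> {hostname: (product, status)}."""
    return {host: assess(ver) for host, ver in entries.items()}


# Constructed inventory; only the two fixed builds are taken from the page.
SAMPLE_INVENTORY = {
    "mail01.example.net": "15.02.0858.005",
    "mail02.example.net": "15.02.0721.002",
    "mail03.example.net": "Version 15.1 (Build 2242.4)",
    "mail04.example.net": "15.00.1497.012",
}

if __name__ == "__main__":
    for host, (product, status) in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:<20} {product:<22} {status}")
```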
CVE-2022-41080, CVE-2022-41082 (ProxyNotShell)
Description
In November 2022, Microsoft published patches for actively exploited vulnerabilities in Microsoft Exchange Server 2019, Exchange Server 2016 and Exchange Server 2013 [0].
The previously recommended workarounds for the ProxyNotShell exploit chain can be bypassed by successful exploitation of CVE-2022-41082 [1].
Risks
- Criminals can completely take over vulnerable installations, make arbitrary changes to the operating system and read the contents of all e-mails.
Mitigation
- Apply the patches from Microsoft's November 2022 Patch Tuesday.
[0]: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
[1]: https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
A list of vulnerable Exchange server versions and further information about the Shadowserver scan can be found here:
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/
Vulnerable ISAKMP
Description
ISAKMP (Internet Security Association and Key Management Protocol) defines the creation, negotiation, modification and deletion of Security Associations as well as cryptographic key management. In 2016 researchers found a severe vulnerability in Cisco's implementation of IKEv1, which is based on ISAKMP.[0] It was patched soon thereafter, but even today not everyone has updated their affected systems.
Cisco's IKEv1 implementation may listen on port 500/UDP, 848/UDP, 4500/UDP, or 4848/UDP.
Risks
- Attackers can send a specially crafted packet to the device to read out parts of its memory and thus potentially gain access to sensitive data.
Mitigation
- Roll out the update according to the description in the linked advisory below.
[0]: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1