Hi everybody! Now, I have finally configured all the security features that I wanted, so last night, I launched a full Nessus attack against my server, hammering on it with the possibly harmful plugins too. It survived that, but it also reports two vulnerabilities on port 25. I've got Exim running there.
I was careless when I upgraded to Woody, so I managed to upgrade to testing instead this summer... And I haven't been able to downgrade (hints are welcome! :-) ), but I do not have any testing or unstable sources in my sources.list right now. Anyway, the Exim version is 3.35-1. Well, this is what Nessus said:

--------- nessus report -----------------

 . Vulnerability found on port smtp (25/tcp) :

    There is a buffer overflow
    when this MTA is issued the 'HELO' command
    issued by a too long argument.

    This problem may allow an attacker to
    execute arbitrary code on this computer,
    or to disable your ability to send or
    receive emails.

    Solution : contact your vendor for a
    patch.

    Risk factor : High
    CVE : CAN-1999-0284

 . Vulnerability found on port smtp (25/tcp) :

    It was possible to crash the remote SMTP server
    by opening a great amount of sockets on it.

    This problem allows crackers to make your
    SMTP server crash, thus preventing you
    from sending or receiving e-mails, which
    will affect your work.

    Solution :
    If your SMTP server is contrained to a maximum
    number of processes, i.e. it's not running as
    root and as a ulimit 'max user processes' of
    256, you may consider upping the limit with 'ulimit -u'.

    If your server has the ability to protect itself from
    SYN floods, you should turn on that features, i.e.
    Linux's CONFIG_SYN_COOKIES

    The best solution may be cisco's 'TCP intercept'
    feature.

    Risk factor : Serious
    CVE : CAN-1999-0846

----------- end nessus report -------------

Well, I don't know if I should be alarmed, I guess the whole reason for running nessus is to be alarmed, so I am... :-) And it seems it found these holes to be real (as opposed to a Qpopper hole it also reported, but that was based on the version number only, and I guess the patch there has been backported), so I'm seeking advice on what to do with this....

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
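
The "Solution" text of the second Nessus finding above names two host-side settings: the 'max user processes' ulimit and Linux SYN cookies. The following is an added example, not part of the original message, that checks both on a Linux host. The /proc path, the function names and the use of the report's figure of 256 as the threshold are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit the two host settings named in the Nessus "Solution" text.
# SYNCOOKIES_FILE and NPROC_MIN are assumptions of this sketch; both can be overridden.
SYNCOOKIES_FILE="${SYNCOOKIES_FILE:-/proc/sys/net/ipv4/tcp_syncookies}"
NPROC_MIN="${NPROC_MIN:-256}"   # the limit the report treats as too low

# Prints "enabled", "disabled" or "unavailable" for the SYN cookie sysctl.
syncookies_state() {
    file="${1:-$SYNCOOKIES_FILE}"
    if [ ! -r "$file" ]; then
        # Kernel built without CONFIG_SYN_COOKIES, or not a Linux host.
        echo unavailable
        return 0
    fi
    val=$(cat "$file" 2>/dev/null) || val=""
    case "$val" in
        0)   echo disabled ;;
        1|2) echo enabled ;;      # 1 = on backlog overflow, 2 = unconditional
        *)   echo unavailable ;;
    esac
}

# Prints "ok", "low" or "unknown" for a 'max user processes' limit.
# With no argument it reads the limit of the current shell, so run it
# as the user the MTA runs as.
nproc_state() {
    limit="${1:-$(ulimit -u 2>/dev/null || echo unknown)}"
    min="${2:-$NPROC_MIN}"
    case "$limit" in
        unlimited)   echo ok ;;
        ''|*[!0-9]*) echo unknown ;;   # shell without 'ulimit -u', or bad input
        *)
            if [ "$limit" -gt "$min" ]; then echo ok; else echo low; fi ;;
    esac
}

# Summary of both checks for the current host and user.
audit_smtp_host() {
    echo "tcp_syncookies:     $(syncookies_state)"
    echo "max user processes: $(nproc_state)"
}

audit_smtp_host
```

A "disabled" result can be changed at run time by writing 1 to the same /proc file as root; "unavailable" on Linux means the kernel was built without CONFIG_SYN_COOKIES.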