VAPT Report

The document provides a threat assessment report for Acme Corporation Inc. that was conducted by Cloud24x7 Inc. It includes a scan manifest, global summary, vulnerability dashboard, assessment checks performed, and severity matrix. It then details findings and recommendations for the web application server, network device, and firewall that were assessed.

Uploaded by Rushabh Makim

Threat Assessment Report

(Vulnerability Assessment & Pen Testing)


Report For:
Acme Corporation Inc.
(Sample Report)

03-20-2017

[email protected] +1-844-285-0011 (Toll Free)

CONFIDENTIAL

Contents

Scan Manifest .......................................... 03
Global Summary ......................................... 04
Vulnerability Dashboard ................................ 05
Assessment Checks ...................................... 07
Severity Matrix ........................................ 08
Web Application Server Assessment ...................... 09
  Executive Summary .................................... 10
  Key Observations ..................................... 11
    • Device Strength Highlights ....................... 12
    • Device Weakness Highlights ....................... 13
Network Device Assessment .............................. 32
  Executive Summary .................................... 33
  Key Observations ..................................... 34
    • Device Strength Highlights ....................... 35
    • Device Weakness Highlights ....................... 36
Firewall Assessment .................................... 60
  Executive Summary .................................... 61
  Key Observations ..................................... 62
    • Device Strength Highlights ....................... 63
    • Device Weakness Highlights ....................... 64
Way Forward ............................................ 81
Disclaimer ............................................. 82

Confidential | 2

Scan Manifest

Assessor: Cloud24x7 Inc.
Client: Acme Corporation Inc.
Scan Identifier: External
Assessment Start Date: 17-03-2017
Assessment End Date: 19-03-2017
Device/s Location: Houston, United States
No of In-Scope Devices: Total 03 devices
  • Web Server: 01
  • Network Device (L2 Switch): 01
  • Firewall: 01
FQDN of Assessor: soc.cloud24x7.us


Global Summary
Acme Corporation Inc. engaged Cloud24x7 Inc. to conduct an external Vulnerability Assessment & Pen Testing for
its critical assets. The purpose of this engagement was to evaluate the security of the critical assets of the Acme
Corporation Inc. against best practice criteria and provide security assistance through proactively identifying
vulnerabilities, validating their severity, and helping with the possible remediation.

The scope of the assessment was limited to the following target devices:

Web Application Server: www.xxxxx.com
Network Switch (Cisco L2): 192.x.x.x (access availed using IP 64.x.x.x)
Perimeter Firewall (Cyberoam): 64.x.x.x

Note: The assessment was carried out without administrative access to the target devices.

Assessment provides Acme Corporation Inc. with insight into the resilience of critical assets to withstand attack
from unauthorised users and the potential for valid users to abuse their privileges and access. The assessment
evaluates the security of the critical assets against best practice criteria to validate security mechanisms and
identify vulnerabilities. This report details the scope of testing conducted, all significant findings along with
detailed remedial recommendations.


Vulnerability Dashboard
Serious vulnerabilities were observed in the assessed devices which could severely impact the security of Acme Corporation Inc. The dashboard below gives an insight into our findings during the assessment.

Total Vulnerabilities: 27
High: 10
Medium: 10
Low: 7

By Severity (pie chart): High 37%, Medium 37%, Low 26%

By Ease of Exploit (pie chart): High 36%, Medium 21%, Low 43%

[Bar chart: vulnerability count per device by severity (High, Medium, Low), axis 0 to 7. Labels recoverable from the chart: Web App Server 2, 1; Network Device 5, 0; Firewall 3, 5]


Assessment Checks
The vulnerability checks performed during the assessment include the OWASP Top 10 and SANS Top 50 vulnerabilities, further categorized into the categories below.

• Broken Authentication and Session Management
• Cross Site Scripting (XSS)
• Injection Attack
• Insecure Direct Object References
• Sensitive Data Exposure
• Security Misconfiguration
• Using Components with Known Vulnerabilities
• Cross Site Request Forgery (CSRF)
• Missing Function Level Access Control


Severity Matrix
Risk levels of security vulnerabilities can be classified using a severity metric. The severity level assigned to a vulnerability depends on the impact to the organization should the vulnerability be exploited, and on the complexity or difficulty involved in exploiting it. Exploitation of a vulnerability may result in sensitive information leakage, impact on business continuity, compromise of the network or of critical assets such as servers, or implantation of malware/ransomware on user machines.

The following is the description of the severity levels, based on the impact on the device being assessed and on the organization.

High: An attacker can fully compromise the confidentiality, integrity and availability of the device without any specialized access conditions, privileges or user interaction.

Medium: An attacker can partially compromise the confidentiality, integrity and availability of the device without any specialized access conditions, privileges or user interaction.

Low: An attacker can compromise the confidentiality, integrity and availability of the device only to a limited extent, without any specialized access conditions, privileges or user interaction.


Severity Matrix – Exploitation Likelihood

Discovering vulnerabilities is important, but being able to estimate the associated risk to the business is just as important. It is possible to estimate the severity of all of these risks to the business and make an informed decision about what to do about them. Having a system in place for rating risks saves time and eliminates arguing about priorities. Such a system helps to ensure that the business doesn't get distracted by minor risks while ignoring more serious risks that are less well understood.

The following is the description of the severity levels, based on the likelihood of exploitation of the device being assessed and the organization.

High: An attacker can fully compromise the confidentiality, integrity and availability of the device without any specialized access conditions, privileges or user interaction.

Medium: An attacker can partially compromise the confidentiality, integrity and availability of the device without any specialized access conditions, privileges or user interaction.

Low: An attacker can compromise the confidentiality, integrity and availability of the device only to a limited extent, without any specialized access conditions, privileges or user interaction.

Web Application Server Assessment


Executive Summary
A summary of the vulnerabilities observed for the Web Application Server during the assessment is given below. The server is hosted in the internal zone and published on the internet for public access. All of these vulnerabilities are exploitable and could severely impact the business.

Total Vulnerabilities: 9
High: 6
Medium: 2
Low: 1

Assessment Summary (pie chart): High Risk 67%, Medium Risk 22%, Low Risk 11%

Exploitation Likelihood (pie chart): High 67%, Medium 11%, Low 22%
Key Observations
This section details compliances and non-compliances with the following information:

• Compliance status
• Highlighting strengths and weaknesses
• Severity for all non-compliances

Device Strength Highlights

This section highlights the strengths of the device, as it passed the vulnerability tests below.

• SQL Injection attacks via HTTP GET & POST methods
• OS Command Injection attack
• Brute force attempts
• Information leakage using illegal HTTP methods
• POODLE attack
• Unprivileged access due to unpatched Apache HTTPD & Tomcat
• Unprivileged access due to unpatched OpenSSL

Device Weakness Highlights

This section highlights the vulnerabilities of the device along with severity, impact, remediation and evidence supporting our findings.

The observed vulnerabilities fall into the vulnerability category types below.

• Cross-site Scripting (XSS)
• Click Jacking
• HTML Injection
• CSRF
• Session Fixation
• Local File Inclusion (LFI)
• Security Misconfiguration
• Sensitive Data Exposure

Weakness Highlights: Cross Site Scripting

Cross Site Scripting (XSS)
Severity: High

Observation: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Impact: For organizations that rely on internet-facing web applications as part of the production flow, XSS vulnerabilities are, again, a major point of concern. Employees may become the victims of XSS attacks and their ability to use the production web application may be limited. Moreover, XSS attacks may be used to install malware, thus compromising the employees' workstations and affecting productivity even further. In addition, a hacker who discovers an XSS vulnerability can gain access to your production web application by stealing your users' sessions. This would allow the hacker access to the functions in your web application which should be reserved for your employees.

Risk: Critical

Exploitation Likelihood: High

Remediation: The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Cross Site Scripting

HTML Injection
Severity: High

Observation: HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute JavaScript code, the HTML injection attack only allows the injection of certain HTML tags.

Impact: An attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page.

Risk: Critical

Exploitation Likelihood: High

Remediation: Your script should filter metacharacters from user input.
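The XSS and HTML Injection findings above share one remediation: encode untrusted data for the exact HTML context it is placed into (body, attribute, JavaScript, URL). The following is an added example written for this page, not code from the report or from the assessed application; it uses only the Python standard library, and the page layout and field names in render_profile() are constructed for the demonstration.

```python
"""Context-aware output encoding for untrusted data (added example, not from the report)."""
import html
import json
from urllib.parse import quote


def escape_html_body(value: str) -> str:
    """Text between tags: & < > " ' become entities, so no tag can be opened."""
    return html.escape(value, quote=True)


def escape_html_attribute(value: str) -> str:
    """Inside a quoted attribute: entity-encode every non-alphanumeric
    character, which also covers the quote that would end the attribute."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):X};" for c in value)


def escape_js_string(value: str) -> str:
    """Inside a <script> string literal: JSON-encode (handles quotes,
    backslashes and control characters), then hex-escape < > & so the data
    can never form a closing </script> tag or an HTML entity."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def escape_url_param(value: str) -> str:
    """A query-string value: percent-encode every reserved character."""
    return quote(value, safe="")


def render_profile(display_name: str, tooltip: str, greeting: str, search: str) -> str:
    """Constructed page fragment: each untrusted value is encoded for the
    context it lands in, never with one generic filter for all of them."""
    return (
        f"<h1>{escape_html_body(display_name)}</h1>\n"
        f'<img alt="{escape_html_attribute(tooltip)}" src="/static/avatar.png">\n'
        f"<script>var greeting = {escape_js_string(greeting)};</script>\n"
        f'<a href="/search?q={escape_url_param(search)}">search again</a>'
    )


if __name__ == "__main__":
    # Constructed hostile inputs, one per context; the output stays inert markup.
    print(render_profile("<b>Bob</b>", '" onload="x', "</script>", "a&b"))
```

Note that the attribute encoder is deliberately stricter than the body encoder: an attribute value only needs the quote character to break out, so encoding everything that is not alphanumeric removes any dependence on which quote the template used.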

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Cross Site Scripting (XSS)

Potential Clickjacking attack
Severity: High

Observation: The required header is missing.

Impact: This can result in the browser being allowed to render the web page in a <frame> or <iframe>, thus making it a spam-supporter for malicious websites. Example: a user is accessing his company website www.xyz.com and a small window (iframe) of the Cyberoam device login page appears; the user submits his/her credentials thinking that the prompt came from their firewall, and the attacker can redirect the credentials to his/her location, or can also implant a script which downloads malware onto the user's machine when he submits credentials.

Risk: Critical

Exploitation Likelihood: High

Remediation: Configure your device to include an X-Frame-Options header. The device should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Security Misconfiguration

Cross Site Request Forgery
Severity: High

Observation: Cross-Site Request Forgery, or CSRF for short, is a common and regular online attack. CSRF attacks involve a malicious exploit of a website in which a user transmits malicious requests that the target website trusts, without the user's consent.

Impact: The consequences will vary depending on the nature of the functionality that is vulnerable to CSRF. An attacker could effectively perform any operation as the victim. If the victim is an administrator or privileged user, the consequences may include obtaining complete control over the web application: deleting or stealing data, uninstalling the product, or using it to launch other attacks against all of the product's users. Because the attacker has the identity of the victim, the scope of CSRF is limited only by the victim's privileges.

Risk: Critical

Exploitation Likelihood: High

Remediation: The unique token can also be included in the URL itself, or in a URL parameter. However, such placement runs a greater risk that the URL will be exposed to an attacker, thus compromising the secret token. Requiring the user to reauthenticate, or to prove they are a user (e.g., via a CAPTCHA), can also protect against CSRF.
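The remediation above refers to a per-session unique token and advises against carrying it in the URL. The following is an added example, written for this page and not code from the report or the assessed application, of the synchronizer-token pattern with the token in a hidden form field. It assumes a server-side session store keyed by session id; the in-memory dict used here stands in for that store.

```python
"""Synchronizer-token check against CSRF (added example, not from the report)."""
import hmac
import secrets

SESSIONS = {}                               # constructed in-memory store: session id -> session data
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods must never change state


def new_session() -> str:
    """Start a session and return its unguessable id (normally sent as a cookie)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {}
    return sid


def issue_csrf_token(session_id: str) -> str:
    """Return the session's token, minting a random one on first use. It lives
    only in the server-side session and the page body, so a third-party site
    cannot read it to build a forged request."""
    session = SESSIONS[session_id]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_token_field(session_id: str) -> str:
    """Markup the server embeds in every state-changing form (not in the URL)."""
    return f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">'


def request_is_legitimate(session_id: str, method: str, form: dict) -> bool:
    """Accept a request only if it is read-only or carries this session's token.
    The constant-time comparison avoids leaking the token through timing."""
    if method.upper() in SAFE_METHODS:
        return True
    session = SESSIONS.get(session_id)
    if not session or "csrf_token" not in session:
        return False                        # unknown session, or token never issued: reject
    submitted = str(form.get("csrf_token", ""))
    return hmac.compare_digest(session["csrf_token"].encode("utf-8"),
                               submitted.encode("utf-8"))


if __name__ == "__main__":
    victim = new_session()
    form_html = hidden_token_field(victim)
    legitimate = {"csrf_token": issue_csrf_token(victim), "action": "delete_user"}
    forged = {"action": "delete_user"}      # a cross-site form cannot include the token
    print("legitimate POST accepted:", request_is_legitimate(victim, "POST", legitimate))
    print("forged POST accepted:   ", request_is_legitimate(victim, "POST", forged))
```

The check is bound to the session, so a token harvested from one user's page is useless against another session, and every state-changing method (not only POST) goes through the same comparison.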

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Security Misconfiguration

Local File Inclusion (LFI)
Severity: High

Observation: A file inclusion vulnerability is a type of vulnerability that most commonly affects web applications that rely on a scripting run time.

Impact: Whereas directory traversal is a way of gaining unauthorized file system access, a file inclusion vulnerability subverts how an application loads code for execution.

Risk: Critical

Exploitation Likelihood: High

Remediation: Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit these vulnerabilities.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Sensitive Data Exposure

Path Traversal Attack
Severity: High

Observation: Properly controlling access to web content is crucial for running a secure web server. Directory traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

Impact: An attacker can gain access to sensitive and system information on the system, and delete or modify files. The maximum impact depends on the functionality of the application.

Risk: Critical

Exploitation Likelihood: High

Remediation: Never use attacker-controlled data as a filename or as part of a filename when performing operations on files or folders. If the filename must be based on the user's choice, use predefined conditions instead of direct input. Perform whitelist checks when working with files or directories using user-controlled input.
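The Path Traversal remediation above (and the Local File Inclusion finding before it) comes down to two controls: map user choices onto predefined names, and verify that any path built from user input still resolves inside the intended directory. The following is an added example written for this page, not code from the report or the assessed application; the download ids, file names and temporary directory layout are constructed for the demonstration.

```python
"""Allow-list and canonical-path checks for user-driven file access (added example)."""
import os
import tempfile

# Predefined choices: the user picks an id, never a filename (constructed table).
DOWNLOADS = {"terms": "terms.txt", "brochure": "brochure.pdf"}


def resolve_download(base_dir: str, choice: str) -> str:
    """Allow-list lookup: anything not in the table is rejected outright."""
    if choice not in DOWNLOADS:
        raise PermissionError(f"unknown download id {choice!r}")
    return os.path.join(base_dir, DOWNLOADS[choice])


def safe_path(base_dir: str, user_supplied: str) -> str:
    """Join user input under base_dir and prove the canonical result is still
    inside it. This catches ../ sequences, absolute paths and symlink escapes."""
    if not user_supplied or "\x00" in user_supplied:
        raise ValueError("empty name or embedded NUL byte")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    # commonpath compares whole components, so /srv/www2 does not count as under /srv/www
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{user_supplied!r} resolves outside {base}")
    return candidate


def read_public_file(base_dir: str, user_supplied: str) -> str:
    with open(safe_path(base_dir, user_supplied), "r", encoding="utf-8") as fh:
        return fh.read()


def is_rejected(resolver, base_dir: str, name: str) -> bool:
    """True when the resolver refuses the name (used by the demo and checks)."""
    try:
        resolver(base_dir, name)
        return False
    except (ValueError, PermissionError):
        return True


def demo_directory() -> str:
    """Build a constructed web root: one public file, a secret outside the
    public directory, and a symlink inside it pointing at that secret."""
    root = tempfile.mkdtemp(prefix="webroot-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "terms.txt"), "w", encoding="utf-8") as fh:
        fh.write("Terms of use\n")
    with open(os.path.join(root, "secret.conf"), "w", encoding="utf-8") as fh:
        fh.write("db_password=example-placeholder\n")
    try:
        os.symlink(os.path.join(root, "secret.conf"), os.path.join(public, "link"))
    except OSError:
        pass  # symlinks unavailable on this platform; the other checks still apply
    return public


def symlink_created(public: str) -> bool:
    return os.path.islink(os.path.join(public, "link"))


if __name__ == "__main__":
    public = demo_directory()
    print(read_public_file(public, "terms.txt").strip())
    for name in ("../secret.conf", "/etc/passwd", "sub/../../secret.conf", "link"):
        print(f"{name!r:28} rejected={is_rejected(safe_path, public, name)}")
```

The symlink case is the one a plain string check for "../" misses: the requested name looks harmless, and only resolving the real path exposes that it leaves the public directory.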

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Broken Authentication and Session Management

Session cookies missing the 'Secure' & 'HttpOnly' flags
Severity: Medium

Observation: While trying to access the device over the HTTPS management protocol, we observed that the 'Secure' and 'HttpOnly' flags were not enabled on the session cookies.

Impact: With the 'HttpOnly' flag disabled, client-side scripting can access the cookie. The purpose of the 'Secure' flag is to prevent cookies from being observed by unauthorized parties due to the transmission of the cookie in clear text.

Risk: Medium

Exploitation Likelihood: Medium

Remediation: The 'Secure' and 'HttpOnly' flags must be enabled.
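Both this finding and the Clickjacking finding earlier in this section are verified by reading response headers, so one audit covers them. The following is an added example written for this page, not code from the report or the assessed device: it parses a raw HTTP response, checks that X-Frame-Options is present with the value DENY or SAMEORIGIN, and checks that every Set-Cookie carries Secure and HttpOnly. It also accepts a Content-Security-Policy frame-ancestors directive as an alternative framing control, which goes beyond what the report mentions. The two responses are constructed samples.

```python
"""Response-header audit for framing and cookie-flag weaknesses (added example)."""

WEAK_RESPONSE = (  # constructed sample: no framing header, bare session cookie
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (  # constructed sample: what the remediations ask for
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw_response: str):
    """Return (status line, [(lower-cased name, value), ...]) from a raw response."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def check_framing(headers):
    """Clickjacking control: CSP frame-ancestors, else X-Frame-Options DENY/SAMEORIGIN."""
    xfo = [v for n, v in headers if n == "x-frame-options"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    if any("frame-ancestors" in v.lower() for v in csp):
        return []
    if not xfo:
        return ["X-Frame-Options missing: page can be rendered in a frame or iframe"]
    if xfo[0].strip().upper() in ("DENY", "SAMEORIGIN"):
        return []
    return [f"X-Frame-Options value {xfo[0]!r} is not DENY or SAMEORIGIN"]


def check_cookie_flags(headers):
    """Every Set-Cookie must carry both Secure and HttpOnly attributes."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: Secure flag missing (sent over clear text)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: HttpOnly flag missing (readable by script)")
    return findings


def audit_response(raw_response: str):
    _, headers = parse_headers(raw_response)
    return check_framing(headers) + check_cookie_flags(headers)


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "no findings")
```

Header names are matched case-insensitively and every Set-Cookie line is inspected separately, since a device that sets several cookies may protect one and forget the others.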

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Improper Authorization

Session Fixation
Severity: Medium

Observation: The software does not perform, or incorrectly performs, an authorization check when an actor attempts to access a resource or perform an action.

Impact: An attacker could modify sensitive data, either by writing the data directly to a data store that is not properly restricted, or by accessing insufficiently protected privileged functionality to write the data.

Risk: Medium

Exploitation Likelihood: Low

Remediation: For web applications, make sure that the access control mechanism is enforced correctly on the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Sensitive Data Exposure

Server and Language Disclosure
Severity: Low

Observation: Consider who can gain access to your sensitive data and any backup of that data. This includes the data at rest, in transit, and even in customers' browsers.

Impact: Consider the business value of the lost data and the impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.

Risk: Informative

Exploitation Likelihood: Low

Remediation: Ensure strong standard algorithms and strong keys are used, and that proper key management is in place. Consider using FIPS 140 validated cryptographic modules.

Evidence: [screenshot in the original report; not reproduced in this extract]

Network Device Assessment


Executive Summary
A summary of the vulnerabilities observed for the Network Switch (L2) during the assessment is given below. The switch is hosted in the internal zone, and access to it was availed on a public IP for the assessment.

Total Vulnerabilities: 10
High: 0
Medium: 5
Low: 5

Assessment Summary (pie chart): Medium Risk 50%, Low Risk 50%

Exploitation Likelihood (pie chart): Medium 80%, Low 20%

Key Observations
This section details compliances and non-compliances with the following information:

• Compliance status
• Highlighting strengths and weaknesses
• Severity for all non-compliances

Device Strength Highlights

This section highlights the strengths of the device, as it passed the vulnerability tests below.

• SQL Injection attacks via HTTP GET & POST methods
• XSS
• Brute force attempts
• Unprivileged access due to unpatched Apache HTTPD & Tomcat
• Unprivileged access due to unpatched OpenSSL
• XML Injection
• Broken Link and Session Management

Device Weakness Highlights

This section highlights the vulnerabilities of the device along with severity, impact, remediation and evidence supporting our findings.

The observed vulnerabilities fall into the vulnerability category types below.

• SSL Certificate Cannot Be Trusted
• SSL Certificate Expiry
• SSL Certificate Signed Using Weak Hashing Algorithm
• SSL Version 2 and 3 Protocol Detection
• SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability
• SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
• SSL RC4 Cipher Suites Supported
• Service Detection
• Backported Security Patch Detection (SSH)
• OS Identification
• SSH Server Type and Version Information

Weakness Highlights: Security Misconfiguration

SSL Certificate Cannot Be Trusted
Severity: Medium

Observation: The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken.

Impact: If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

Risk: Medium

Exploitation Likelihood: Medium

Remediation: Purchase or generate a proper certificate for this service.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Security Misconfiguration

SSL Certificate Expiry
Severity: Medium

Observation: This plugin checks the expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.

Impact: N/A

Risk: Low

Exploitation Likelihood: Low

Remediation: Purchase or generate a new SSL certificate to replace the existing one.
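The two certificate findings above (chain of trust broken, certificate expired) are the checks a defender re-runs after the remediation. The following is an added example written for this page, not the report's or the scanner's code. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns for a verified peer, so the same function can be pointed at a live service; the two certificates below are constructed samples in that shape, and the clock is pinned to the assessment window rather than the real date.

```python
"""Peer-certificate audit: self-signed chain and expiry (added example, not from the report)."""
import socket
import ssl
import time

# Constructed sample: a self-signed management certificate that expired before the scan.
SELF_SIGNED_EXPIRED = {
    "subject": ((("commonName", "switch.example.internal"),),),
    "issuer": ((("commonName", "switch.example.internal"),),),
    "notBefore": "Mar  1 00:00:00 2016 GMT",
    "notAfter": "Mar  1 00:00:00 2017 GMT",
}

# Constructed sample: issued by a separate CA, valid for another year.
CA_ISSUED_VALID = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "notBefore": "Mar  1 00:00:00 2017 GMT",
    "notAfter": "Mar  1 00:00:00 2018 GMT",
}

ASSESSMENT_CLOCK = ssl.cert_time_to_seconds("Mar 18 12:00:00 2017 GMT")   # inside the scan window
CLOCK_NEAR_EXPIRY = ssl.cert_time_to_seconds("Feb 20 00:00:00 2018 GMT")  # 9 days before expiry


def _name(fields):
    """Flatten getpeercert()'s tuple-of-RDNs structure into a dict."""
    return {key: value for rdn in fields for key, value in rdn}


def audit_peer_cert(cert, now=None, warn_days=30):
    """Return a list of findings for a getpeercert()-style dictionary."""
    now = time.time() if now is None else now
    findings = []
    if _name(cert["subject"]) == _name(cert["issuer"]):
        findings.append("self-signed certificate: chain of trust cannot be established")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append(f"certificate not valid before {cert['notBefore']}")
    elif now > not_after:
        findings.append(f"certificate expired on {cert['notAfter']}")
    elif (not_after - now) < warn_days * 86400:
        days_left = int((not_after - now) // 86400)
        findings.append(f"certificate expires in {days_left} days ({cert['notAfter']})")
    return findings


def audit_live_service(host, port=443, timeout=5.0):
    """Verify against the system trust store; a verification failure is itself
    the 'cannot be trusted' finding, otherwise audit the verified certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return audit_peer_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate chain cannot be verified: {exc.verify_message}"]


if __name__ == "__main__":
    print("switch:", audit_peer_cert(SELF_SIGNED_EXPIRED, now=ASSESSMENT_CLOCK))
    print("www:   ", audit_peer_cert(CA_ISSUED_VALID, now=ASSESSMENT_CLOCK) or "no findings")
```

Passing an explicit clock makes the audit reproducible in a report; leaving it unset uses the current time, which is what a scheduled re-check wants.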

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Security Misconfiguration

SSL Certificate Signed Using Weak Hashing Algorithm
Severity: Medium

Observation: The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks.

Impact: An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.

Risk: Low

Exploitation Likelihood: Low

Remediation: Contact the Certificate Authority to have the certificate reissued.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Security Misconfiguration

SSL Version 2 and 3 Protocol Detection
Severity: Medium

Observation: The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Impact: NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.

Risk: Medium

Exploitation Likelihood: Medium

Remediation: Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Improper Authorization

SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability
Severity: Medium

Observation: The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.

Impact: MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

Risk: Medium

Exploitation Likelihood: Medium

Remediation: Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be disabled.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Sensitive Data Exposure

SSL Certificate Chain Contains RSA Keys Less Than 2048 bits
Severity: Low

Observation: At least one of the X.509 certificates sent by the remote host has a key that is shorter than 2048 bits. According to industry standards set by the Certification Authority/Browser (CA/B) Forum, certificates issued after January 1, 2014 must be at least 2048 bits.

Impact: Some browser SSL implementations may reject keys less than 2048 bits after January 1, 2014. Additionally, some SSL certificate vendors may revoke certificates less than 2048 bits before January 1, 2014.

Risk: Low

Exploitation Likelihood: Low

Remediation: Replace the certificate in the chain with the RSA key less than 2048 bits in length with a longer key, and reissue any certificates signed by the old certificate.

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Sensitive Data Exposure

SSL RC4 Cipher Suites Supported
Severity: Low

Observation: The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes, so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

Impact: If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions of) ciphertexts, the attacker may be able to derive the plaintext.

Risk: Low

Exploitation Likelihood: Low

Remediation: Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites, subject to browser and web server support.
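The SSL 2.0/3.0, POODLE and RC4 findings above share one remediation: refuse the legacy protocol versions and the weak suites, and offer TLS 1.2 with AES-GCM. The following is an added example written for this page, not the switch's configuration or any vendor code. It shows that policy expressed with Python's standard ssl module for a server context, plus an audit that can be run either on such a context or on the list of cipher names a scanner reports; the SCANNER_OUTPUT list is a constructed sample.

```python
"""Hardened TLS server context and cipher audit (added example, not from the report)."""
import ssl

# Substrings that mark a suite as weak for this audit: RC4, single/triple DES
# (the CBC-mode legacy suites), NULL encryption, export grade, MD5.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")

SCANNER_OUTPUT = [  # constructed sample of cipher names a scanner might report for the switch
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-RC4-SHA",
    "RC4-MD5",
    "DES-CBC3-SHA",
    "AES256-SHA",
]


def weak_cipher_names(names):
    """Filter a list of OpenSSL-style cipher names down to the ones the audit rejects."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that cannot negotiate SSL 2.0/3.0 or TLS 1.0/1.1 and
    offers only forward-secret AES-GCM suites (TLS 1.3 suites are added by
    OpenSSL automatically). certfile/keyfile are the operator's own files."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def minimum_protocol_name(ctx):
    return ctx.minimum_version.name


def audit_context(ctx):
    """Findings for a live context: legacy minimum version, or any weak suite offered."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol is {ctx.minimum_version.name}; "
                        "SSL 3.0 or old TLS may be negotiated")
    offered = [c["name"] for c in ctx.get_ciphers()]
    findings.extend(f"weak cipher suite offered: {n}" for n in weak_cipher_names(offered))
    return findings


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("minimum version:", minimum_protocol_name(ctx))
    print("offered suites: ", [c["name"] for c in ctx.get_ciphers()])
    print("context audit:  ", audit_context(ctx) or "no findings")
    print("scanner audit:  ", weak_cipher_names(SCANNER_OUTPUT))
```

Setting minimum_version is what actually closes the SSL 3.0 and POODLE findings; the cipher string alone would still leave the protocol downgrade open on a server that accepts SSLv3.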

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Information Disclosure

Service Detection
Severity: Low

Observation: Identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Impact: An attacker could exploit this vulnerability. An exploit could allow the attacker to send network traffic to the host system when such actions are not normally permitted.

Risk: Informative

Exploitation Likelihood: Low

Remediation: N/A

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Sensitive Data Exposure

Product Detection
Severity: Low

Observation: Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc.).

Impact: If an attacker obtains your product details, he/she can use the flaws present in your product to compromise it.

Risk: Informative

Exploitation Likelihood: Low

Remediation: N/A

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Sensitive Data Exposure

Operating System Detection
Severity: Low

Observation: Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Impact: If an attacker obtains your product details, he/she can use the flaws present in your product to compromise it.

Risk: Informative

Exploitation Likelihood: Low

Remediation: N/A

Evidence: [screenshot in the original report; not reproduced in this extract]

Weakness Highlights: Sensitive Data Exposure

SSH Server Type and Version Information
Severity: Low

Observation: It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Impact: If an attacker obtains your product details, he/she can use the flaws present in your product to compromise it.

Risk: Informative

Exploitation Likelihood: Low

Remediation: N/A

Evidence: [screenshot in the original report; not reproduced in this extract]

Firewall Assessment


Executive Summary
The summary of the vulnerabilities observed for the Firewall during the assessment is given below. It is a perimeter firewall.

Total Vulnerabilities: 8
High: 3
Medium: 0
Low: 5

Assessment Summary (chart): High Risk 38%, Low Risk 63%.
Exploitation Likelihood (chart): High 50%, Medium 25%, Low 25%.

Key Observations
This section details compliances and non-compliances with the following information:

• Compliance status
• Highlighting strengths and weaknesses
• Severity for all non-compliances

Device Strength Highlights

This section highlights the strengths of the device, as it passed the vulnerability tests listed below.

• SQL Injection attacks via HTTP GET & POST methods
• OS Command Injection attack
• Brute force attempts
• Unprivileged access due to unpatched Apache HTTPD & Tomcat
• Unprivileged access due to unpatched OpenSSL
• XML Injection
• Broken Link and Session Management

Device Weakness Highlights

This section highlights the vulnerabilities of the device along with their severity, impact, remediation and the evidence supporting our findings.

The observed vulnerabilities fall into the following categories:

• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Security Misconfiguration
• Sensitive Data Exposure

Broken Authentication and session management

Clear Text Credentials during authentication    Severity: High

Observation: The device administration credentials were observed in plain text even though the device was accessed over the HTTPS management protocol.

Impact: This can result in sensitive information exposure via a man-in-the-middle attack on the HTTPS tunnel. The attacker can gain access to the device and take control of the device, the network and the sensitive information of the organization.

Risk: Critical

Exploitation Likelihood: High

Remediation: Device admin credentials must be encrypted when accessed over the HTTPS protocol.

Evidence:

Broken Authentication and session management

Session cookies missing the ‘Secure’ & ‘HttpOnly’ flags    Severity: Medium

Observation: While trying to access the device over the HTTPS management protocol, we observed that the ‘Secure’ and ‘HttpOnly’ flags were not enabled.

Impact: With the ‘HttpOnly’ flag disabled, client-side script can access the cookie. The purpose of the ‘Secure’ flag is to prevent cookies from being observed by unauthorized parties due to transmission of the cookie in clear text.

Risk: Medium

Exploitation Likelihood: Medium

Remediation: The ‘Secure’ and ‘HttpOnly’ flags must be enabled.

Evidence:

Cross Site Scripting (XSS)

Potential Clickjacking attack    Severity: High

Observation: The required header is missing.

Impact: This lets the browser render the web page in a <frame> or <iframe>, making it a spam-supporter for malicious websites.
Example: A user is accessing his company website www.xyz.com and a small window (iframe) of the Cyberoam device login page appears; the user submits his/her credentials thinking that the prompt came from their firewall, and the attacker can redirect the credentials to his/her location or can also implant a script which downloads malware onto the user's machine when the credentials are submitted.

Risk: Critical

Exploitation Likelihood: High

Remediation: Configure your device to include an X-Frame-Options header. The device should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.
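The cookie-flag and X-Frame-Options findings above can be re-checked from a server's response headers with the following audit, added here as an example (it is not code from the report or from the assessed device). The header lists are constructed samples; the audit flags every Set-Cookie that lacks Secure or HttpOnly, not only session cookies.

```python
def parse_set_cookie(value):
    """Split a Set-Cookie header value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """headers: list of (name, value) pairs as returned by the server.
    Returns a list of finding strings; an empty list means both checks pass."""
    findings = []
    xfo = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
            if missing:
                findings.append(f"cookie {cookie!r} missing {', '.join(missing)} flag(s)")
        elif lname == "x-frame-options":
            xfo = value.strip().upper()
    # No header at all, or a value other than DENY/SAMEORIGIN, leaves the page frameable.
    if xfo is None:
        findings.append("X-Frame-Options header missing (clickjacking)")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
    return findings


# Constructed sample responses (not captured from the assessed device).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
]
FIXED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("X-Frame-Options", "DENY"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, audit_headers(resp) or ["OK"])
```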
Evidence:

Cross Site Scripting (XSS)

Outdated jQuery library    Severity: High

Observation: The device is using an outdated jQuery library, version 1.8.3.

Impact: The vulnerable jQuery JavaScript library version is prone to Cross-Site Scripting (XSS) attacks.

Risk: Critical

Exploitation Likelihood: High

Remediation: Upgrade to the latest JavaScript library. Download available at http://jquery.com/download/

Evidence:

Security Misconfiguration

Weak DH key exchange used    Severity: High

Observation: Diffie-Hellman algorithms are used with strength 1024.

Impact: DH key exchange with a value of 1024 or lower can result in LOGJAM or FREAK attacks.

Risk: High

Exploitation Likelihood: Medium

Remediation: It is recommended that these algorithms be replaced with stronger algorithms. If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 5, 14, 19, 20 or 24. If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21 or 24.

Evidence:

Security Misconfiguration

SSL Weak Cipher suites    Severity: Medium

Observation: The device is using RC4 SSL cipher suites.

Impact: RC4 has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

Risk: Medium

Exploitation Likelihood: Low

Remediation: Disable the weak cipher RC4. The device should use TLS 1.2 with AES-GCM suites.
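For the two Security Misconfiguration findings above (1024-bit DH key exchange and RC4 suites), the following is an added example of what the remediated TLS server settings look like when expressed with Python's standard ssl module; it is not the device's configuration. It assumes an OpenSSL-backed Python 3.7 or later: the cipher string allows only AES-GCM suites with ECDHE key exchange on the P-256 curve (about 128-bit strength, versus roughly 80-bit for a 1024-bit finite-field group), so neither RC4 nor a 1024-bit DH group can be negotiated, and a small review function flags the suites this report would object to.

```python
import ssl

# Only AES-GCM (AEAD) suites with ECDHE key exchange. Excluding finite-field DHE
# entirely is the simplest way to guarantee no 1024-bit DH group is ever used;
# RC4, NULL, MD5 and export suites are excluded explicitly as well.
HARDENED_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5:!EXPORT"

# Markers a reviewer would flag in a cipher suite name, and the AEAD markers
# that the "TLS 1.2 with AES-GCM" remediation requires.
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "MD5", "DES")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def weak_suite_names(cipher_names):
    """Return the suites to flag: RC4/NULL/export/DES/MD5-based suites and any
    non-AEAD suite (CBC + HMAC), which the remediation replaces with AES-GCM."""
    flagged = []
    for name in cipher_names:
        upper = name.upper()
        if any(m in upper for m in WEAK_MARKERS) or not any(m in upper for m in AEAD_MARKERS):
            flagged.append(name)
    return flagged


def hardened_server_context():
    """Server-side context: TLS 1.2 minimum, hardened cipher list, P-256 ECDHE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.set_ecdh_curve("prime256v1")
    return ctx


def enabled_cipher_names(ctx):
    """Names of every suite the context can negotiate (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    names = enabled_cipher_names(hardened_server_context())
    print("enabled:", names)
    print("flagged:", weak_suite_names(names))
```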

Evidence:

Sensitive Data Exposure

ICMP Responses fetched    Severity: High

Observation: The device is responding to an ICMP netmask request; the ICMP netmask response contains the remote host's network mask (on the interface that processed the request).

Impact: This information can be used by a hacker to accurately map your subnet structures, determining the broadcast addresses in use and which routers are responsible for which subnets. This may make it easier for them to launch a "SMURF attack" using broadcast-directed ICMP ping packets.

Risk: High

Exploitation Likelihood: High

Remediation: Disable ICMP netmask responses.
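To verify from traffic that the netmask responses above are actually switched off, an added example (not from the report) that parses raw ICMP messages, checks the RFC 1071 checksum and lists every Address Mask Reply (type 18) together with the mask it discloses. The sample packets and addresses are constructed, not captured from the assessed device.

```python
import ipaddress
import struct

ICMP_ADDRESS_MASK_REQUEST = 17
ICMP_ADDRESS_MASK_REPLY = 18


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(raw):
    """Describe one ICMP message: type, code, checksum validity and, for an
    Address Mask Reply, the dotted network mask it carries."""
    if len(raw) < 4:
        raise ValueError("truncated ICMP header")
    icmp_type, code, checksum = struct.unpack("!BBH", raw[:4])
    # The checksum is computed over the message with the checksum field zeroed.
    ok = icmp_checksum(raw[:2] + b"\x00\x00" + raw[4:]) == checksum
    info = {"type": icmp_type, "code": code, "checksum_ok": ok, "mask": None}
    if icmp_type == ICMP_ADDRESS_MASK_REPLY and len(raw) >= 12:
        info["mask"] = str(ipaddress.IPv4Address(raw[8:12]))
    return info


def netmask_leaks(packets):
    """packets: (src, dst, raw_icmp) records. Returns (src, mask) for every
    valid Address Mask Reply, i.e. each host still answering netmask requests."""
    leaks = []
    for src, dst, raw in packets:
        info = parse_icmp(raw)
        if info["checksum_ok"] and info["mask"] is not None:
            leaks.append((src, info["mask"]))
    return leaks


# Constructed sample traffic: an echo request, a mask request, a mask reply (/24).
SAMPLE = [
    ("198.51.100.7", "203.0.113.1", bytes.fromhex("0800f7fd00010001")),
    ("198.51.100.7", "203.0.113.1", bytes.fromhex("1100eefd0001000100000000")),
    ("203.0.113.1", "198.51.100.7", bytes.fromhex("1200eefc00010001ffffff00")),
]

if __name__ == "__main__":
    print(netmask_leaks(SAMPLE))
```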

Evidence:

Sensitive Data Exposure

Visible SSH Banner    Severity: Medium

Observation: The device responds with the version of SSH, which is 2.0 in this case.

Impact: Software and version details can be used by the attacker to plan further attacks through known or zero-day vulnerabilities.

Risk: Informative

Exploitation Likelihood: Low

Remediation: The banner should not be revealed. SSH access to the device from the external zone should be disabled, or access should be restricted to specific IPs.

Evidence:

Way Forward
Security is a continuous process, considering the fact that the threat landscape keeps on changing, which leads to frequent changes in device configuration and compliance guidelines. Security devices must be proactively monitored and reviewed on a periodic basis.

Cloud24x7 offers a comprehensive range of Managed Security Services to protect information systems and IT infrastructure. Services offered (across the FireSecure, Secure Alert, Secure Plus and VA & Pen Test packages; the original table marks each service against one package):

• Firewall Assessments
• Policy Management
• Compliances
• Firewall Hardening
• Remediation
• Alerting
• Monitoring
• Reporting
• Threat Intelligence
• Breach Detection
• Event Correlation
• Incident Response
• Proactive Monitoring 24/365
• Network Discovery
• Network Vulnerability
• Penetration Testing

Visit us at www.cloud24x7.us or email at [email protected]


Disclaimer
The information contained within this report is considered proprietary and confidential to Acme Corporation Inc. Inappropriate and unauthorized disclosure of this report or portions of it could result in significant damage or loss to Acme Corporation Inc. This report should be distributed to individuals on a need-to-know basis only. Paper copies should be locked up when not in use. Electronic copies should be stored offline and protected appropriately.

Altering or editing this report by anyone other than Cloud24x7 would fall under strict cyber-security law and breach of compliance. Violators will be reported to the cyber agencies and will be officially removed as Cloud24x7 partners or customers by law.

Americas
Cloud24x7 Inc
1451 W. Cypress Creek Road, Suite 300. Ft Lauderdale, FL 33309.
Tel: +1-844-423-2739 (Toll Free)
Email: [email protected]

Europe
Cloud24x7 (UK) Limited
51, Lyndhurst Avenue, Streatham, London, SW16 4UG, United Kingdom
Tel: +44(0)203-769-2735
Email: [email protected]

Australia
Cloud24x7 Pty. Ltd.
7-9 Underwood Road, Homebush, NSW-2140, Australia
Tel: +61-2-8880-0381
Email: [email protected]

© Copyright 2017 Cloud24x7 INC. All Rights Reserved.
