On Tuesday 09 December 2003 06:24 am, Javier Fernandez-Sanguino wrote:
> Since this seems to come up fairly often, why not make a list of
> hardware that seems to break when scanned by Nessus? (Even if
> enabling safe_checks and disabling dangerous plugins). Let's try this
> (from recent threads and some googling on DoS vulnerabilities in Bugtraq)
This is a very good idea. Some Nessus scans have caused crashes in our
organization. The administrators for the systems expect an "answer from
Nessus about how to avoid the crash". I have tried to explain that they need
to talk to their system vendor, but they haven't been thrilled with that
answer. One other field in the crash table that would be very handy, though,
is how to fix the problem. For example, a simple SYN-ACK-RST can crash an
unpatched HP-UX 11.0 system. We haven't figured out which patch fixes the
problem, but that kind of detail would be very helpful.
Beirne
>
> Format: Hardware/software type: problem description
>
> - HP Procurve 4000M switches: meshing information lost, network
> blackout, will not answer to telnet requests if scanned from the
> management IP address (BID-4212/CAN-2002-0350).
>
> - Enterasys Networks (formerly Cabletron) SmartSwitch Router 8000
> (BID-5703/CAN-2002-1501)
>
> - Thomson SpeedTouch 510 DSL Router: might crash when port scanned
> (BID-9102)
>
> - HP printers with built-in NICs: print blank pages, in some cases
> they might crash when being scanned.
>
> - HP-UX, different versions including 11.00: might crash when scanned,
> also many services might crash: dce service (crashes with msrpc_dcom*
> plugins), NIS server, NFS, automounter, OVO agents, ecotools...
>
> - IBM's Netview: nvlockd and other daemons of NetView die with core.
>
> - IBM's HACMP (cluster): application might crash when doing a connect
> scan (code IY23867, BID-3358)
>
> - Compaq TruCluster: might crash when port scanned (BID-3362)
>
> - SGI IRIX IPV6 inetd: might crash when port scanned (BID-8027)
>
> - Caldera OpenServer 5.0.5 and previous: might crash when port scanned
> (BID-4044)
>
> - Packeteer Packetshaper: tables full, drops traffic.
>
> - AS/400: CPF87D7 ("cannot automatically select virtual device") after
> an assessment (will show up continuously).
>
> - NAV for Exchange 2000: the embedded web server cannot handle the web
> plugins.
>
> - Veritas Volume Manager on Solaris: might be crashed because of a
> port scan.
>
> - SonicWall Pro 100: will die after an Nmap scan
>
> - Checkpoint FW-1 4.1: might be killed (probably by stream.nasl)
>
> - PIX 525 running IOS 6.22.140: killed by WAP discovery NASL
>
> - Allegro-based embedded web server on a network switch: crash after
> port scan
>
> - Legacy systems such as old MVS (IBM mainframe) systems: might crash
> when port scanned (see BID-3358)
>
> - Old versions of Solaris: might crash when port scanned
>
> - Data General's Unix (DGUX) 2.x and previous: might crash when port
> scanned
>
> - Unisys's Clearpath mainframe server: might crash when port scanned
> (BID-5863)
>
> - DEC UNIX: might crash when port scanned (because of inetd)
>
> - HP Tru64: portmapper might crash when port scanned (BID-7249)
>
> - Symantec pcAnywhere might crash when port scanned (BID-1150)
>
> NOTE (1): Notice that (in general) stateful firewalls might be taxed
> due to port scanning (needs a state table entry for each port being
> scanned). Also some systems might not handle port scans properly
>
> NOTE (2): Many PBX, built up on top of old UNIX versions (such as
> Nortel Meridian PBX) might crash due to the same reasons as given above.
>
> BTW, a good read (might be eligible to add to the documentation) is
> Renaud's answer to a post in pen-test:
> http://archives.neohapsis.com/archives/sf/pentest/2003-06/0067.html
>
> "The bottom line is that as soon as you start to interfere with
> another host, you can never predict how it will react to actions that
> it has never been designed to handle, so no scan is totally
> risk-free[1], and it's often very hard to find the balance between a
> 99.9% accurate security audit and a non-intrusive one. Note that this
> does not only affect Nessus+Nmap, but any network vulnerability scanner."
>
>
> Feel free to add more information here, we could submit it to the FAQ
> author/maintainer when finished or to the nessus-core/doc documentation.
>
> Regards
>
> Javi
>
> PS: I've checked also a pen-test thread
> (http://archives.neohapsis.com/archives/sf/pentest/2003-06/0060.html)
>
> _______________________________________________
> Nessus mailing list
> [EMAIL PROTECTED]
> http://mail.nessus.org/mailman/listinfo/nessus
--
Beirne "Bern" Konarski
[EMAIL PROTECTED] "Untouched by Scandal"