3 Replies Latest reply on Jun 16, 2020 6:54 AM by Bill Robinson

    Critical Vulnerability has been detected on Windows Server: 90999 , 91947

    Prateek Garg

      1. How to close these types of vulnerabilities and share artifacts.
      2. How to stop these types of vulnerabilities, which are coming on a daily basis on multiple Windows servers.

      3. What is the impact on Windows Server from these types of vulnerabilities.

      4. What is the meaning of * in the below screenshot.

       

      Currently we have executed the below agent bundle job and ACL job on all Windows servers. Please confirm whether this is correct or not.

       

       

        • 1. Re: Critical Vulnerability has been detected on Windows Server: 90999 , 91947
          Bill Robinson

          what version of the rscd is installed on the target servers ?

          what's in the exports, users, and users.local on the target servers ?

           

          after installing the agent, did you push acls to it ?  what may be happening is this:

           

          any connection from 10.250.10.143 is mapped to administrator

          the roles listed in the users.local are mapped to administrator

           

          the users file is likely blank, because that is populated w/ an acl push job

           

          which means the scanner system is likely being mapped to the anonymous account and able to read some information off the server, which gets it flagged as vulnerable to 'weak acl configuration', which is true.

           

          so, you should be pushing acls to the server.  that will do a couple things:

          - populate the users file w/ the list of role:user mappings to a local account so you are actually using acls/rbac to restrict access

          - add a 'nouser' entry at the end of the file, which means if there was no match in the users.local or users, then deny access.
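
A check for the two effects of an ACL push described in the reply above, as an added example that is not part of the original thread and is not BMC tooling. It assumes one entry per line, whitespace-separated fields and `#` comment lines; the role, user and account names in the samples are constructed.

```python
# Added example: audit the text of an RSCD "users" file for the two things an
# ACL push is described as doing: role:user mappings, then 'nouser' at the end.
# Assumed syntax: one entry per line, whitespace-separated, '#' comment lines.

def effective_entries(text):
    """Return the first field of every non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line.split()[0])
    return entries

def audit_users_file(text):
    """Return a list of findings; an empty list means both checks passed."""
    entries = effective_entries(text)
    if not entries:
        return ["users file has no entries: ACLs were probably never pushed"]
    findings = []
    if not any(":" in e for e in entries):
        findings.append("no role:user mappings found")
    if "nouser" not in entries:
        findings.append("no 'nouser' entry at the end of the file")
    elif entries[-1] != "nouser":
        findings.append("'nouser' is not the last entry")
    return findings

# Constructed sample contents (all names are made up for illustration).
PUSHED = """\
# constructed sample
BLAdmins:alice   rw,map=Administrator
nouser
"""
NOT_PUSHED = "# constructed sample: nothing pushed yet\n"
MISPLACED = "nouser\nBLAdmins:alice   rw,map=Administrator\n"
ONLY_NOUSER = "nouser\n"

if __name__ == "__main__":
    samples = [("pushed", PUSHED), ("not pushed", NOT_PUSHED),
               ("misplaced", MISPLACED), ("only nouser", ONLY_NOUSER)]
    for name, text in samples:
        print(name, "->", audit_users_file(text) or "ok")
```
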

          • 2. Re: Critical Vulnerability has been detected on Windows Server: 90999 , 91947
            Prateek Garg
            1. what version of the rscd is installed on the target servers - RSCD Agent Version 8.9.03.165
            2. what's in the exports, users, and users.local on the target servers

             

             

             

             

            1. after installing the agent, did you push acls to it ? - Yes
            2. any connection from 10.250.10.143 is mapped to administrator - How to check
            3. the roles listed in the users.local are mapped to administrator - In above Screenshot
            4. the users file is likely blank, because that is populated w/ an acl push job - In the users file, nouser is added at the end of the file.
            5. which means the scanner system is likely being mapped to the anonymous account and able to read some information off the server, which gets it flagged as vulnerable to 'weak acl configuration', which is true. - How to check.
            6. - add a 'nouser' entry at the end of the file, which means if there was no match in the users.local or users, then deny access.
            • 3. Re: Critical Vulnerability has been detected on Windows Server: 90999 , 91947
              Bill Robinson

              the scan was done after you pushed acls ?

               

              any connection from 10.250.10.143 is mapped to administrator - How to check

              which means the scanner system is likely being mapped to the anonymous account and able to read some information off the server, which gets it flagged as vulnerable to 'weak acl configuration', which is true. - How to check.

              look in the rscd log on the target and look for the hostname or ip of the scanner system.  is it being denied access ?  is it being mapped to a local account ?

               

              any connection from 10.250.10.143 is mapped to administrator - How to check

              the roles listed in the users.local are mapped to administrator - In above Screenshot

              there's nothing to check, i'm explaining what the entries in the file do.