Nessus false positives and errors
Here is the list of Nessus scan results that have been marked as False Positive, Operational Need, Acceptable Risk, etc.
Listings in italics have disappeared from the Nessus results since they were marked (the reason is not always known).
Reasons for a "date Nessus result found gone" entry are as follows:
- The CS database is keyed on (1) machine IP, (2) MAC address and (3) Nessus plugin ID (the test number from Nessus), plus (4) the port.
- While the plugin ID should not change often, and neither should the IP, any change to one of those first three fields makes the recorded reason disappear, because the stored acceptance no longer matches the finding.
The only recourse is to document the explanations here.
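The keying described above is easy to get bitten by: a host that is re-addressed or gets a new NIC silently loses its acceptance and the finding "comes back" (see the db08 and eemccanpower entries). The following script, an added example that is not code from this page or from Tenable, reconciles a register like the table below with a fresh scan export reduced to the same fields. It assumes one extra field, the hostname, as a stable secondary index for recognising such key drift; hostnames and plugin IDs follow the table, while the IPs, MACs and all sample rows are constructed.

```python
"""Reconcile the accept-risk register with a fresh scan export.

Added example, not code from the STAR page or from Tenable. It models the
keying the page describes: an accept-risk rule matches on (IP, MAC, plugin ID,
port), so an entry silently stops matching when a host is re-addressed or gets
a new NIC, and the finding "comes back". The hostname index used to recognise
such cases, and all sample data below, are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Key:
    """What the CS database rule is keyed on, per the page."""
    ip: str
    mac: str
    plugin_id: int
    port: int


@dataclass(frozen=True)
class Finding:
    host: str
    key: Key
    severity: str


@dataclass(frozen=True)
class Acceptance:
    host: str
    key: Key
    comment: str


def changed_fields(old: Key, new: Key) -> List[str]:
    """Name the key components that differ between two keys (empty if identical)."""
    return [f for f in ("ip", "mac", "plugin_id", "port") if getattr(old, f) != getattr(new, f)]


def reconcile(accepted: Iterable[Acceptance], findings: Iterable[Finding]) -> Dict[str, list]:
    """Split current findings into still-accepted, key-drifted and new; list acceptances no longer seen."""
    accepted = list(accepted)
    by_key = {a.key: a for a in accepted}
    # Secondary index that ignores the volatile components (IP, MAC). It is how we
    # recognise an accepted finding whose rule stopped matching after a re-address
    # or NIC swap, instead of mistaking it for a brand-new result.
    by_host_plugin_port = {(a.host, a.key.plugin_id, a.key.port): a for a in accepted}
    matched = set()
    still_accepted: List[Finding] = []
    drifted: List[Tuple[Finding, Acceptance, List[str]]] = []
    new: List[Finding] = []
    for f in findings:
        if f.key in by_key:
            matched.add(f.key)
            still_accepted.append(f)
            continue
        a = by_host_plugin_port.get((f.host, f.key.plugin_id, f.key.port))
        if a is None:
            new.append(f)
        else:
            matched.add(a.key)
            drifted.append((f, a, changed_fields(a.key, f.key)))
    # Accepted entries the scan no longer reports: candidates for the
    # "DATE NESSUS RESULT FOUND GONE" column.
    gone = [a for a in accepted if a.key not in matched]
    return {"still_accepted": still_accepted, "drifted": drifted, "new": new, "gone": gone}


# Constructed sample register and scan export. Hostnames and plugin IDs follow the
# table on this page; IPs are from the 192.0.2.0/24 documentation range and MACs from
# the 00:00:5E:00:53:xx documentation range, i.e. none are real STAR addresses.
TELNET, CLICKJACK = 42263, 85582
ACCEPTED = [
    Acceptance("daq-sw1.starp.bnl.gov", Key("192.0.2.11", "00:00:5e:00:53:11", TELNET, 23),
               "Operational Need: device does not support SSH connections."),
    Acceptance("eemccanpower.starp.bnl.gov", Key("192.0.2.12", "00:00:5e:00:53:12", TELNET, 23),
               "Operational Need: device does not support SSH connections."),
    Acceptance("starvoltmeter1.starp.bnl.gov", Key("192.0.2.13", "00:00:5e:00:53:13", TELNET, 23),
               "Device to be removed; allowance set to expire Dec. 1, 2016."),
]
FINDINGS = [
    Finding("daq-sw1.starp.bnl.gov", Key("192.0.2.11", "00:00:5e:00:53:11", TELNET, 23), "MEDIUM"),
    # Same device, same service, but the MAC changed: the accept-risk rule no longer matches.
    Finding("eemccanpower.starp.bnl.gov", Key("192.0.2.12", "00:00:5e:00:53:99", TELNET, 23), "MEDIUM"),
    # Genuinely new result with no acceptance on file.
    Finding("daq-sw1.starp.bnl.gov", Key("192.0.2.11", "00:00:5e:00:53:11", CLICKJACK, 80), "MEDIUM"),
]


def report(result: Dict[str, list]) -> List[str]:
    """Render the reconciliation as lines an operator can paste into this page."""
    lines = [f"still accepted: {f.host} plugin {f.key.plugin_id}/{f.key.port}" for f in result["still_accepted"]]
    lines += [f"RE-ADD: {f.host} plugin {f.key.plugin_id}/{f.key.port} (changed: {', '.join(c)}); was: {a.comment}"
              for f, a, c in result["drifted"]]
    lines += [f"NEW: {f.host} plugin {f.key.plugin_id}/{f.key.port} {f.severity}" for f in result["new"]]
    lines += [f"GONE: {a.host} plugin {a.key.plugin_id}/{a.key.port}" for a in result["gone"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(reconcile(ACCEPTED, FINDINGS))))
```

Run it after each scan export: a "RE-ADD" line is the key-drift case, where the old comment can be re-entered against the new IP/MAC; a "GONE" line is the date to record in the last column rather than a sign the issue was fixed.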
NODE | RISK | PORT | NESSUS PLUGIN ID | ISSUE | DATE ADDED | COMMENT IN NESSUS DATABASE | DATE NESSUS RESULT FOUND GONE |
onldb2.starp.bnl.gov | HIGH | 3601 | | Synopsis: The remote database server can be accessed without a password (the anonymous account does not have a password). | 2013/03/20 | Operational Need: Anonymous access is read-only by configuration. No sensitive information is available. Access is needed for monitoring of experiment operations. | |
dbbak.starp.bnl.gov | HIGH | 3400-3413 | | Synopsis: The remote database server can be accessed without a password. Plugin output: The anonymous account does not have a password. | 06/11/2012 (3404: 12/16/2013) | Operational Need: Anonymous access is read-only by configuration. No sensitive information is available. Access is needed for monitoring of experiment operations. | 2012/11/19 |
fc3.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 03/29/2011 | Operational Need: "Access without a password is limited to read-only by configuration. No sensitive information is available in this database." | 6/11/2012 |
db01.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db02.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 3/12/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db04.star.bnl.gov | HIGH | 3400-3412, 3316 | | anonymous account w/o password | 3/31/2014 | Operational Need: Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db05.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db06.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 02/12/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db08.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 02/12/2014; found again (and retoggled) on 10/24/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db07.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 02/12/2014 | Anonymous/passwordless access is read-only by configuration and by design. No sensitive information is available through this access. | |
db10.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db11.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db12.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db13.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db14.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db15.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db16.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db17.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
db18.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 2/26/2014 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
mq01.starp.bnl.gov | HIGH | 3606 | | anonymous account w/o password | 1/9/2015 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
mq01.starp.bnl.gov, mq02.starp.bnl.gov, openstack1.starp.bnl.gov | MEDIUM | 5672/tcp | 87733 | AMQP cleartext authentication | 5/18/2016 (openstack1 added on 9/28/2016) | This is by intent and we accept the associated risk, which we consider to be very small. | |
mongodev01.starp.bnl.gov, mongodev02.starp.bnl.gov, mongodev03.starp.bnl.gov | MEDIUM | 27017/tcp | 81777 | MongoDB service access without authentication | 9/29/2016 | Access to publicly available information is expected. There is no real privileged access allowed on this service/server. | |
heston.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 5/13/2013 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
fc3.star.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 5/13/2013 | Anonymous/passwordless access is read-only by configuration. No sensitive information is available through this access. | |
dean.star.bnl.gov (BNL and external repos) | MEDIUM | 80/tcp, 443/tcp | 40984 | browseable directories | 4/19/2016 | This is the desired behaviour for this server. It does not expose any sensitive information. | |
bcf-console.star.bnl.gov | MEDIUM | 443 | | Encrypts traffic using TLS/SSL but allows a client to insecurely renegotiate the connection | ? | This device has no configuration options to disable renegotiation. It also has the latest (and likely last) firmware and software updates from the vendor, so it is unlikely ever to be correctable. | |
bcf-console.star.bnl.gov | MEDIUM | 443 | | MITM/POODLE | 12/1/2014 | Vendor support for this unit ended before POODLE was known, and the unit cannot be configured to disable SSLv3 or to use TLS Fallback SCSV. It is rarely accessed (by only 2-3 people), and only from internal clients that do disable SSLv3, which is believed to prevent the MITM nature of the attack. | |
bcf-console.star.bnl.gov | MEDIUM | 443 | 42873 | SSL medium strength ciphers | 11/27/2018 | This unit has no configuration option to disable these ciphers. | |
bcf-console.star.bnl.gov | HIGH | 443 | 20007 | SSLv3 supported | 11/27/2018 | This unit has no configuration option to disable SSLv3. | |
epson7520.star.bnl.gov | MEDIUM | 161/udp | 41028 | default SNMP community string | 12/02/2015 | This device does not allow changes to the SNMP public community string. | |
epson7520.star.bnl.gov | MEDIUM | 445/tcp | 57608 | signing not required on SMB server | 12/29/2016 (missing and re-added on 9/26/2017) | This printer has no configuration options to alter the SMB server behaviour. The risk is acceptable. | |
splat-s60.starp.bnl.gov | MEDIUM | 443/tcp | | MITM/POODLE | 1/8/2015 | No update has been released for this particular model. (The manufacturer has released updates for other products, so it may eventually update this line.) Meanwhile, the risk is considered acceptably low, as the device is rarely accessed, is only reachable from portions of BNL, and the 2 or 3 potential users all use browsers that themselves will not allow the TLS/SSL downgrade. | |
splat-s60.starp.bnl.gov | MEDIUM | 443/tcp | 83875, 20007, 78479 | 3 separate issues: (1) SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits; (2) connections encrypted using SSL 2.0 and/or SSL 3.0; (3) man-in-the-middle (MitM) information disclosure vulnerability known as POODLE | 7/5/2014 | The device manufacturer has not released updated firmware to correct this, nor are there settings to eliminate this without disabling encryption completely. | |
east-s60.starp.bnl.gov | MEDIUM | 443/tcp | | MITM/POODLE | 1/8/2015 | No update has been released for this particular model. (The manufacturer has released updates for other products, so it may eventually update this line.) Meanwhile, the risk is considered acceptably low, as the device is rarely accessed, is only reachable from portions of BNL, and the 2 or 3 potential users all use browsers that themselves will not allow the TLS/SSL downgrade. | |
east-s60.starp.bnl.gov | MEDIUM | 443/tcp | 83875, 20007, 65821 | 3 separate issues: (1) SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits; (2) connections encrypted using SSL 2.0 and/or SSL 3.0; (3) use of RC4 in one or more cipher suites | 7/5/2014 | The device manufacturer has not released updated firmware to correct this, nor are there settings to eliminate this without disabling encryption completely. | |
west-s60.starp.bnl.gov | MEDIUM | 443/tcp | 83875, 20007, 78479, 65821 | 4 separate issues: (1) SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits; (2) connections encrypted using SSL 2.0 and/or SSL 3.0; (3) man-in-the-middle (MitM) information disclosure vulnerability known as POODLE; (4) use of RC4 in one or more cipher suites | 7/5/2014 | The device manufacturer has not released updated firmware to correct this, nor are there settings to eliminate this without disabling encryption completely. | |
nplat-s60.starp.bnl.gov | MEDIUM | 443/tcp | | MITM/POODLE | 1/8/2015 | No update has been released for this particular model. (The manufacturer has released updates for other products, so it may eventually update this line.) Meanwhile, the risk is considered acceptably low, as the device is rarely accessed, is only reachable from portions of BNL, and the 2 or 3 potential users all use browsers that themselves will not allow the TLS/SSL downgrade. | |
nplat-s60.starp.bnl.gov | MEDIUM | 443/tcp | 83875, 20007, 65821 | 3 separate issues: (1) SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits; (2) connections encrypted using SSL 2.0 and/or SSL 3.0; (3) use of RC4 in one or more cipher suites | 7/5/2014 | The device manufacturer has not released updated firmware to correct this, nor are there settings to eliminate this without disabling encryption completely. | |
temperature1.starp.bnl.gov, temperature2.starp.bnl.gov | MEDIUM | 502/tcp | 23817, 83301, 83302 (three separate Accept Risk rules in Security Center) | Modbus access | | This is a very simple device with very little configurability. No sensitive information is available to be read from this device, nor are any hardware systems controlled by this device. | |
cleanroom-sw.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
rps1.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | The remote Telnet server transmits traffic in cleartext. | 4/21/2016 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
rps2.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | The remote Telnet server transmits traffic in cleartext. | 4/21/2016 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
starvoltmeter1.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | The remote Telnet server transmits traffic in cleartext. | 5/4/2016 | Device is incapable of SSH connections. No sensitive information is on this device, and it does not have any experimental hardware controls. It will be removed in the summer of 2016. [allowance set to expire Dec. 1, 2016] | |
starvoltmeter1.starp.bnl.gov | MEDIUM | 80/tcp | 85582 | Web app vulnerable to clickjacking | 5/9/2016 | Risk is acceptable and it is not correctable with this hardware. No sensitive information is on this device, and it does not have any experimental hardware controls. It will be removed in the summer or fall of 2016. [allowance set to expire Dec. 1, 2016] | |
starvoltmeter1.starp.bnl.gov | MEDIUM | 80/tcp | 46194 | CGI path traversal | 5/9/2016 | Risk is acceptable and it is not correctable with this hardware. No sensitive information is on this device, and it does not have any experimental hardware controls. It will be removed in the summer or fall of 2016. [allowance set to expire Dec. 1, 2016] | |
tofunps.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
daq-sw2.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
eemccanpower.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | The remote Telnet server transmits traffic in cleartext. | 7/2/2015; found in scan results again on 1/10/2017 with no risk acceptance listed in Security Center, so re-added | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
npslaser.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
eemc-pwrs1.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
mtdnps.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
tofnps2.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
daq-sw1.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
daq-sw1.starp.bnl.gov | MEDIUM | 80/tcp | 85582 | Potentially vulnerable to clickjacking (no X-Frame-Options response header) | 05/18/2018 | The embedded web server on this network switch cannot be configured in a way that resolves this. Since firewall rules generally prevent access to this web interface from outside its subnet, the risk is acceptably low. | |
scdaqpower.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
tofnps1.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
tof-hv.starp.bnl.gov | MEDIUM | 23/tcp | | The remote Telnet server transmits traffic in cleartext. | 7/2/2015 | Operational Need: Device does not support SSH connections. Telnet is only accessible from limited subnets. No sensitive data is transmitted. | |
splat-s60-2.starp.bnl.gov | MEDIUM | 443/tcp | 83875, 20007, 78479, 65821 | 4 separate issues: (1) SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits; (2) connections encrypted using SSL 2.0 and/or SSL 3.0; (3) man-in-the-middle (MitM) information disclosure vulnerability known as POODLE; (4) use of RC4 in one or more cipher suites | 7/5/2014 | The device manufacturer has not released updated firmware to correct this, nor are there settings to eliminate this without disabling encryption completely. | |
onlpool-s60-01.starp.bnl.gov, onlpool-s60-02.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | Telnet server | 4/28/2016 | Though it accepts connections, it only displays a banner stating that access is disallowed, and immediately disconnects. | |
onlpool-s60-02.starp.bnl.gov | MEDIUM | 80/tcp | 85582 | Potentially vulnerable to clickjacking (no X-Frame-Options) | 1/10/2017 | This device has no configuration option available to mitigate or eliminate this issue. | |
alh2.starp.bnl.gov | MEDIUM | 16992/tcp | 85582 | Web app vulnerable to clickjacking | 5/31/2016 | Risk is acceptable. This is a very rarely used (but useful when needed) Intel AMT interface (beneath the operating system), where it is not correctable. | |
daq-sw1.starp.bnl.gov, daq-sw2.starp.bnl.gov, cleanroom-sw.starp.bnl.gov | MEDIUM | 60000/tcp | 42263 | Telnet server | 6/1/2016 | Telnet cannot be disabled on these devices' Broadcom FASTPATH version (tried), nor is SSH available. We do not use telnet to interact with these devices, however, so the danger of intercepted plaintext login credentials and the like is zero. | |
130.199.61.255 | MEDIUM | 23/tcp | 42263 | Telnet server | 6/8/2016 | This is a strange case. This IP address is the broadcast address for the subnet. The device that is answering is an instrumentation device that appears to be properly configured to use 130.199.60.54, yet it answers on the broadcast address. The device has a toggle option to disable telnet, but it does not work: the device continues to answer telnet despite restarts. In any case, the users do not use the telnet interface, so the risk is considered acceptable. | |
tpcanodehv.starp.bnl.gov | MEDIUM | 22/tcp | 90317 | SSH weak algorithms supported (arcfour) | 10/17/2016 | The encryption algorithms are not configurable. The system is not widely accessible even within the BNL campus, and SSH will only rarely be used with this device. | |
star-design.star.bnl.gov | HIGH | 445/tcp | 36087 | Autodesk IDrop ActiveX Control Heap Corruption | 04/25/2017 | The contents of IDrop.ocx have been deleted, leaving the empty file in place to prevent Autodesk from recreating it. | |
ovirt1.star.bnl.gov | MEDIUM | 443/tcp | 40984 | Browseable web directories | 12/13/2016 | This behaviour is intentional and does not expose any sensitive information. | |
sc.starp.bnl.gov | MEDIUM | 9812/tcp and 4812/tcp (two separate Nessus results) | 12085 | Tomcat default files | 05/16/2018 | The risk this adds is acceptably low, as very little information is actually returned in the response. Furthermore, this is not a full-blown Tomcat installation, and it does not have the usual web.xml in which to add custom error pages. | |
lecroyabsw.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | Telnet server | 11/29/2018 | This hardware does not have SSH access, and we actively use the telnet access for monitoring the device. The device is on a firewalled subnet dedicated to our experiment's operations, so access is limited and the risk is considered acceptable. | |
lecroyabsw.starp.bnl.gov | MEDIUM | 23/tcp | 42263 | Telnet server | 01/07/2019 | This instrumentation does not have SSH access. The device is on a firewalled subnet dedicated to our experiment's operations and hosts no sensitive information. We consider the risk of operating this device as is to be acceptably low. | |
l402-onl.starp.bnl.gov | HIGH | 3316 | | anonymous account w/o password | 08/27/2021 | Operational Need: Anonymous access is read-only by configuration. No sensitive information is available. Access is needed for monitoring of experiment operations. | |
l403-onl.starp.bnl.gov | MEDIUM | 3316 | | anonymous account w/o password | 08/27/2021 | Operational Need: Anonymous access is read-only by configuration. No sensitive information is available. Access is needed for monitoring of experiment operations. | |
l404-onl.starp.bnl.gov | MEDIUM | 3316 | | anonymous account w/o password | 08/27/2021 | Operational Need: Anonymous access is read-only by configuration. No sensitive information is available. Access is needed for monitoring of experiment operations. | |
onldb3.starp.bnl.gov | MEDIUM | 3316 | | anonymous account w/o password | 08/27/2021 | Operational Need: Anonymous access is read-only by configuration. No sensitive information is available. Access is needed for monitoring of experiment operations. | |
onldb4.starp.bnl.gov | MEDIUM | 3316 | | anonymous account w/o password | 08/27/2021 | Operational Need: Anonymous access is read-only by configuration. No sensitive information is available. Access is needed for monitoring of experiment operations. | |
xeon-phi-dev.starp.bnl.gov | MEDIUM | 3316 | | anonymous account w/o password | 08/27/2021 | Operational Need: Anonymous access is read-only by configuration. No sensitive information is available. Access is needed for monitoring of experiment operations. | |
The passwordless accounts ("root" and "anonymous") are only distinguished in the details of each finding; our comments sometimes address root when anonymous is found, or vice versa. When re-checking an entry, confirm which account the finding actually names, since the read-only rationale above describes the anonymous account.
Some db nodes have no marked findings (as of 3/31/2014, but this was not an exhaustive check): robinson, heston (despite being listed above), duvall/db09 (alias), omega.
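Nearly every HIGH entry above rests on the claim that the passwordless account is "read-only by configuration", and the note above admits the finding may name root rather than anonymous. The script below, an added example that is not code from this page, turns that claim into a check. The page does not name the database engine; the script assumes MySQL, whose `root` and unnamed `''` anonymous account match the two passwordless accounts mentioned. It takes the lines returned by `SHOW GRANTS FOR ''@'%'` (and the same for root) and reports, per account, every privilege that contradicts read-only access, together with the REVOKE that would remove it. The grant lines in `SAMPLE_GRANTS` and the database names in them are constructed, not taken from any STAR server.

```python
"""Audit MySQL grants for the passwordless accounts this page accepts.

Added example, not code from the STAR page. The page does not name the database
engine; this assumes MySQL, whose 'root' and unnamed anonymous ('') accounts match
the two passwordless accounts mentioned above. Feed it the output of
SHOW GRANTS FOR ''@'%' (and for 'root'@'%') and it reports every privilege that
contradicts the "read-only by configuration" rationale, with the REVOKE to fix it.
The grant lines in SAMPLE_GRANTS are constructed, not taken from any STAR server.
"""
import re
from typing import Dict, List, NamedTuple, Set

# Privileges compatible with a read-only, monitoring-only account. PROCESS is left
# out on purpose: it reveals other sessions' statements.
READ_ONLY_PRIVS: Set[str] = {"USAGE", "SELECT", "SHOW VIEW", "SHOW DATABASES"}

_GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'(?P<opts>.*)$",
    re.IGNORECASE,
)


class Grant(NamedTuple):
    user: str
    host: str
    obj: str             # e.g. *.* or `operations`.*
    privs: frozenset     # upper-cased privilege names
    grant_option: bool


def parse_grant(stmt: str) -> Grant:
    """Parse one SHOW GRANTS line. Column-level grants such as SELECT (col) are not handled."""
    m = _GRANT_RE.match(stmt.strip().rstrip(";"))
    if not m:
        raise ValueError(f"not a GRANT statement: {stmt!r}")
    privs = frozenset(p.strip().upper() for p in m.group("privs").split(","))
    return Grant(m.group("user"), m.group("host"), m.group("obj"), privs,
                 "GRANT OPTION" in m.group("opts").upper())


def offending_privs(g: Grant) -> Set[str]:
    """Everything in the grant that goes beyond read-only access."""
    bad = {p for p in g.privs if p not in READ_ONLY_PRIVS}
    if g.grant_option:
        bad.add("GRANT OPTION")
    return bad


def revoke_statements(g: Grant, bad: Set[str]) -> List[str]:
    """REVOKEs that strip exactly the offending privileges and leave the read-only ones."""
    account = f"'{g.user}'@'{g.host}'"
    stmts = []
    plain = sorted(bad - {"GRANT OPTION"})
    if plain:
        stmts.append(f"REVOKE {', '.join(plain)} ON {g.obj} FROM {account}")
    if "GRANT OPTION" in bad:
        stmts.append(f"REVOKE GRANT OPTION ON {g.obj} FROM {account}")
    return stmts


def audit(grant_lines: List[str]) -> Dict[str, List[dict]]:
    """Violations grouped per account, so root and anonymous are never conflated."""
    findings: Dict[str, List[dict]] = {}
    for line in grant_lines:
        g = parse_grant(line)
        bad = offending_privs(g)
        if bad:
            findings.setdefault(f"'{g.user}'@'{g.host}'", []).append(
                {"object": g.obj, "privs": sorted(bad), "revoke": revoke_statements(g, bad)})
    return findings


# Constructed SHOW GRANTS output for a hypothetical monitoring database.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO ''@'%'",
    "GRANT SELECT, SHOW VIEW ON `operations`.* TO ''@'%'",
    "GRANT SELECT, INSERT ON `scratch`.* TO ''@'%'",                 # INSERT breaks read-only
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",  # not covered by the rationale at all
]

if __name__ == "__main__":
    for account, items in audit(SAMPLE_GRANTS).items():
        for item in items:
            print(f"{account} on {item['object']}: {', '.join(item['privs'])}")
            for stmt in item["revoke"]:
                print(f"    {stmt};")
```

The per-account grouping is the point: an empty report for `''@'%'` supports the "read-only by configuration" comment, while any output for `'root'@'%'` means the finding named root, for which the fix is a password (not a REVOKE) and the accepted-risk comment does not apply.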