I'm trying to understand how certain KB entried are used. Or more
specifically, why certain plugins are not reporting. I scanned a host
that had sendmail 8.12.8 according to Nessus. Plugin 11499 supposedly
reports a buffer overflow based on service version number which in this
case, would make my server vulnerable, yet as far as I can tell, Nessus
did not report the vuln b/c of the KB entry for BID-8641.
Nothing in the report mentioned this vuln or BID-8641. So my question
is what is the purpose of this entry in the KB if it keeps the plugin
from running and is apparently not used for the report.
Here are excerpts from the plugin code that show it should rely on
service version for detection, and the versions which are vulnerable
<plugin 11499>
The remote sendmail server, according to its version number,
may be vulnerable to a remote buffer overflow allowing remote
users to gain root privileges.
*** Nessus reports this vulnerability using only
*** the banner of the remote SMTP server. Therefore,
*** this might be a false positive.
Sendmail versions from 5.79 to 8.12.8 are vulnerable.
Solution : Upgrade to Sendmail ver 8.12.9 or greater or
if you cannot upgrade, apply patches for 8.10-12 here:
if ( get_kb_item("BID-8641") ) exit(0);
<output from nessus report for this service >
An SMTP server is running on this port
Here is its banner :
220 bootes.zeroprivate.net ESMTP Sendmail 8.12.8/8.12.8; Tue, 17 Apr
2007 13:10:17 +0200
Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>
thanks
Scott Pate
Security Consultant
Spohn & Associates
512-685-1000
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
