Transcription

ASSESSMENTSUMMARYCyber Hygiene AssessmentCYHYNONEApril 2, 2018Cyber Hygiene AssessmentSample OrganizationNUMBERDAT E

Contents1 How To Use This Report51.1 SAMPLE Points of Contact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Report Card63 Executive Summary74 Sub-Organization Summary105 Methodology115.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115.2 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116 Approximate Host Locations147 Vulnerability Scan Results158 Results Trending179 Conclusion20Appendices21Appendix A Vulnerability Summary21Appendix B Vulnerability Changes Since Last Report23B.1 Mitigated Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23B.2 New Vulnerabilities Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32B.3 Re-Detected (Previously-Mitigated) Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32B.4 Recently-Detected Vulnerabilities36. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Appendix C Detailed Findings and Recommended Mitigations by Vulnerability44Appendix D Critical and High Vulnerability Mitigations by IP Address692April 2, 2018

Appendix E False Positive Findings70E.1 Expiring Soon False Positive Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70E.2 All False Positive Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70Appendix F Frequently Asked Questions71Appendix G Attachments74Appendix H Glossary and Acronyms75List of Figures1Top Vulnerabilities by Occurrence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72Top High-Risk Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73Top Risk-Based Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74Median Time in Days to Mitigate Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85Median Age in Days of Active Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86Critical Vulnerability Age Over Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97Active Critical Vulnerability Age. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98Approximate Host Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149Vulnerability Count per Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1510CVSS Histogram for Active Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1511Total Active Vulnerabilities Over Time1712Active Critical and High Vulnerabilities Over Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1713Active Medium and Low Vulnerabilities Over Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1714Vulnerable Hosts Over Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1815Distinct Services Over Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1816Distinct Vulnerabilities Over Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .List of Tables13Number of Vulnerabilities by Severity Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .April 2, 20187

42Top Operating Systems Detected. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83Top Services Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84Active Critical Vulnerability Age Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95Number of Vulnerabilities by Severity Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156Top Vulnerabilities by Common Vulnerability Scoring System (CVSS) . . . . . . . . . . . . . . . . . . . . . . . . . . . .157Top Hosts by Weighted Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168Risk Rating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169Comparison with Previous Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19April 2, 2018

1How To Use This ReportWelcome to your Cyber Hygiene (CyHy) report. This document aims to be a comprehensive weekly snapshot of known vulnerabilitiesdetected on Internet-facing hosts for Sample Organization (SAMPLE).You may wonder what you’re supposed to do with all this information. While it’s not our intent to prescribe to you a particular process forremediating vulnerabilities, we hope you’ll use this report to strengthen your security posture. Here’s a basic flow:1. Review the Cyber Hygiene Report Card for a high-level overview. This section gives a quick comparison of the problems we findweek to week. If this is your first report, you should note that the Report Card will initially lack historical data to make comparisonsagainst, though that data will exist in your next report.2. See Appendix A: Vulnerability Summary for a list of unique vulnerabilities across all the systems we detect problems with. Appendix C:Detailed Findings and Recommended Mitigations by Vulnerability provides more information about each vulnerability and all the hoststhat we detect are susceptible to a given vulnerability. You should focus on those vulnerabilities rated with the greatest severity, aswell as those that impact your high-value assets, but don’t ignore the medium or low vulnerabilities. Recognize that a vulnerability’srating tends to get worse with time.3. If this report is not your first, review Appendix B: Vulnerability Changes Since Last Report for a breakdown of all the changes wedetected in your scope in the last week.4. If you’ve patched a vulnerability since your last report, verify it’s listed here. If it’s not present, there may still be an issue. It may alsobe possible that the issue was fixed after our latest scan, which was on April 2, 2018.5. For additional analysis, see Appendix G: Attachments, which provides Comma-Separated Values (CSV) files for all findings, services,hosts, and the scope that we scan.You should be aware that Cyber Hygiene does not scan your entire scope (all of the addresses your organization has sent us) every week,but does attempt to scan every host each week. For an explanation of how CyHy works, see the Methodology section.As you review the report, you may have additional questions. Check out the answers we provide in the Frequently Asked Questions section.If you have any additional questions, email us at [email protected] Points of ContactSAMPLE has defined the following points-of-contact for Cyber Hygiene activities; if present, reports are emailed solely to distribution lists.If you receive this report through a distribution list, Department of Homeland Security (DHS) requests that you funnel your request throughyour technical POC(s).5TypeNameEmail AddressPhone NumberTechnicalTechnicalDistribution ListTechnical POC 1Technical POC 2Distro POC 1tech poc [email protected] poc [email protected] poc [email protected] 2, 2018

CYBER HYGIENE REPORT CARDHIGH LEVEL FINDINGSADDRESSES SCANNEDLATEST SCANS293,005 293,005 no changeno changeAddresses: December 5, 2017 — April 4, 2018Vulnerabilities: March 28, 2018 — April 4, 2018ADDRESSES OWNED100% of addresses scannedHOSTSVULNERABLE HOSTSVULNERABILITIESSERVICES3,9863931,1598,72438 decrease44 decrease192 decrease196 decrease10% of hosts vulnerableVULNERABILITIESCRITICALHIGHMEDIUMLOW104 1,0441012 resolved0 new1 resolved1 new258 resolved108 new53 resolved13 new resolvedPREVIOUS REPORT newCURRENT REPORTVULNERABILITY RESPONSE TIME (since April 2, 2017)CRITICALDAYS TO MITIGATEDAYS CURRENTLY 521,95237291,5171,622April 2, 2018

3Executive SummaryThis report provides the results of a DHS / National Cybersecurity Assessments and Technical Services (NCATS) CyHy assessment of SAMPLE conducted from December 5, 2017 at 15:54 UTC through April 2, 2018 at 03:53 UTC. The Cyber Hygiene assessment includes networkmapping and vulnerability scanning for Internet-accessible SAMPLE hosts. This report is intended to provide SAMPLE with enhanced understanding of their cyber posture and to promote a secure and resilient Information Technology (IT) infrastructure across SAMPLE’s Internetaccessible networks and hosts.For this reporting period, a total of 3,986 hosts were identified out of the 293,005 addresses provided to NCATS. The scanning revealed1,159 total potential vulnerabilities on 393 vulnerable hosts, 10% of all SAMPLE hosts. 143 distinct open ports, 67 distinct services, and132 operating systems were detected.63 distinct types of potential vulnerabilities (3 critical, 3 high, 43 medium, and 14 low) were detected, as shown in Table 1. The vulnerabilitiesthat were detected most frequently on SAMPLE hosts are displayed in Figure 1.SAMPLE should review the potential vulnerabilities detected and report any false positives back to NCATS so they can be excluded fromfuture reports. Please refer to Appendix A: Vulnerability Summary for an illustration of the breakdown of vulnerability occurrences over al ble 1: Number of Vulnerabilities by Severity Level180Critical7311465CeBertificaTru teste Cand notSSLSCer elftific Signate edSSLMCip ediuher m SSui trentes gthSSLCerUsi tificng ateWe Sigak nedSSLCertificateExpiryDistinct VulnerabilitiesHighSSLSeverityMediumFigure 1: Top Vulnerabilities by OccurrenceAdditionally, the top high-risk hosts and top risk-based vulnerabilities are displayed in Figure 2 and Figure 3. For more information aboutthese risk calculations, refer to Table 8: Risk Rating 96062 1 21 3 11 2 124High32319Critical6Vulnerabilities2810Figure 2: Top High-Risk Hosts7180Medium4HighCritical33CeBertificaTru teste Cand notSSLSCer elftific Signate edMikro6.4Tik Ro1.3 uteSM rOSB Portable SDev DKice for Us PnMikProTSer ik Rver outArb erOSitra HTry TPx.x.192.34MediumSSLLowFigure 3: Top Risk-Based VulnerabilitiesApril 2, 2018

The most frequently detected operating systems and services for SAMPLE are displayed in Table 2 and Table 3 respectively.Operating SystemDetectionsunknownOpenBSD 4.0F5 BIG-IP Edge GatewayFreeBSD 6.2-RELEASEOpenBSD rTable 2: Top Operating Systems Detected0.3%0.1%0.0%0.0%0.0%99.6%2582118,657Table 3: Top Services DetectedThe next two figures illustrate how quickly SAMPLE responds to vulnerabilities that have been identified. Figure 4 shows how long it hastaken SAMPLE to mitigate vulnerabilities of each severity level (for vulnerabilities mitigated since April 2, 2017), while Figure 5 shows themedian ages of current active vulnerabilities. Vulnerability age is based on the initial detection date by CyHy.1588Critical3727HighMediumLowFigure 4: Median Time in Days to Mitigate e 5: Median Age in Days of Active Vulnerabilities8April 2, 2018

Figure 6 displays the number of active critical vulnerabilities that were less than 30 days old and more than 30 days old, as of the dateindicated on the graph. Vulnerability age is based on the initial detection date by CyHy.Active Less Than 30 Days16Active 30 DaysCritical -10-012017-12-012018-02-012018-04-01Figure 6: Critical Vulnerability Age Over Time90 Days30 Days2.521 Days7 DaysCritical Vulnerabilities3.014 DaysFigure 7 and Table 4 provide an age breakdown of every currently active critical vulnerability for SAMPLE.2.01.51.00.50.0020406080100120Age (Days)140160Figure 7: Active Critical Vulnerability AgeActive Critical -90Days90 Days040150Table 4: Active Critical Vulnerability Age Summary9April 2, 2018180

104Sub-Organization SummaryThis section shows the key CyHy metrics for each sub-organization within SAMPLE. A CSV with this data can be found in Appendix G: Attachments.OrgNameAddressesOwned ScannedHostsDetected VulnerableVulnerabilities DetectedCritical HighMed LowServicesDetectedMedian Days To MitigateCritical High Med LowMedian Days Currently ActiveCritical High MedLowApril 2, 2018SUB ORGSUB ORGSUB ORGSUB ORGSUB ORGSUB ORGSUB ORGSUB ORGSUB ORGSUB ORGSUB ORGSUB ORGSUB %100%3,3607985111593231181296641297 (3%)8 (10%)44 (52%)0 (0%)79 (69%)64 (69%)12 (52%)1 (100%)9 (50%)57 (44%)5 (83%)12 (19%)5 100214214SAMPLE Total293,005100%3,986393 (10%)1041,0441018,72482715837285430729

5Methodology5.1BackgroundThe NCATS team conducted a Cyber Hygiene assessment of SAMPLE’s Internet-facing networks and hosts from December 5, 2017 at15:54 UTC through April 2, 2018 at 03:53 UTC. This report provides result summaries and detailed findings of the CyHy assessment activityfor SAMPLE and its associated sub-organizations. All scan results are included in Appendix G: Attachments as CSV files.Cyber Hygiene is intended to improve your security posture by proactively identifying and reporting on vulnerabilities and configurationissues present on Internet-facing systems before those vulnerabilities can be exploited.Cyber Hygiene is a service of NCATS, organized under the DHS National Protection and Programs Directorate (NPPD), Office of Cybersecurity and Communications (CS&C), National Cybersecurity and Communications Integration Center (NCCIC).DHS began Cyber Hygiene in January 2012 to assess, on a recurring basis, the “health” of unclassified federal civilian networks accessiblevia the Internet. Since then, the program has grown to provide a persistent scanning service to federal, state, local, tribal, and territorialgovernments and private sector organizations.Upon submission of an Acceptance Letter, SAMPLE provided NCATS with their public network address information. SAMPLE and NCATSagreed on any time restrictions which would be imposed on the scanning activity.5.2ProcessAll Cyber Hygiene scanning activity originates from the 64.69.57.0/24 network.CyHy uses a combination of scanning services for testing: Network Mapping Vulnerability ScanningNetwork MappingUsing Nmap [https://nmap.org], we attempt to determine what hosts are available, identify what services (application name and version)those hosts are offering, and what Operating System (OS) versions they are running. We first scan the most commonly detected 1,000Transmission Control Protocol (TCP) ports of the addresses you’ve submitted to us to get a quick understanding of the active/dark landscape.An address that has a least one port open/listening service is considered a host and is then fully port-scanned (TCP) and included in thevulnerability scan. For the purposes of this report, tcpwrapped ports are not considered to be open; for more information on tcpwrappedports, refer to the Frequently Asked Questions section.If no services are detected in the most common 1,000 ports on a given Internet Protocol (IP) address, that address is considered “dark” inCyHy and will be re-scanned after at least 90 days to check for change. Addresses marked dark are not included in the host count of theweekly report. Understand that CyHy is not attempting to make a judgment call about why an address is unresponsive. If there’s not a portopen, it’s not a host in the language of CyHy.11April 2, 2018

Vulnerability ScanningUsing Nessus, a commercial vulnerability scanner, each host is evaluated against a library of vulnerabilities that an Internet-based actorcould exploit. Vulnerabilities are reported with a severity of critical, high, medium, or low to facilitate prioritization of remediation efforts. Weenable all Nessus Plugins [https://www.tenable.com/plugins/] except those in the “Denial of Service” family.Scanning FrequencyScanning occurs continuously between each weekly report. All hosts are scanned for vulnerabilities at least once every two weeks; hostswith vulnerabilities are scanned more frequently.Cyber Hygiene’s scan prioritization is as follows: Addresses with no running services detected (dark space) are rescanned after at least 90 days. Hosts with no vulnerabilities detected are rescanned every 7 days. Hosts with low-severity vulnerabilities are rescanned every 6 days. Hosts with medium-severity vulnerabilities are rescanned every 4 days. Hosts with high-severity vulnerabilities are rescanned every 24 hours. Hosts with critical-severity vulnerabilities are rescanned every 12 hours.You should understand that a single host may have multiple vulnerabilities of varying severity, which impacts the frequency that the host isscanned.To be clear, it is not the case that we scan your entire address scope for vulnerabilities each week (unless each address you’ve provided tous has a responsive host). It is the case, though, that each host will get vulnerability scanned at least once per week.Recurring VulnerabilitiesAfter you’ve remediated a vulnerability (and it remains resolved for a period of 90 days), the host’s scan priority will drop. This approachallows the NCATS team to focus on the areas of importance and give more attention to the hosts that need it.Vulnerabilities are assigned an age in order to track timeliness of remediation. Vulnerability age is determined by when it was first detectedon a host, not from when it first appeared on a report. As scanning occurs continuously between weekly reports, it is possible to have “new”vulnerabilities appear on a report that are already days old. It is also possible for a vulnerability to fluctuate between being detected and notdetected during mid-week scans and then at a future time appear in a report as many days old. If a mitigated vulnerability is re-detectedless than 90 days after the date of non-detection, it will be considered to be the same vulnerability with the same “initial detection date” aspreviously recorded. If it is re-detected more than 90 days after the date of non-detection, it will be treated as a new vulnerability with a new“initial detection date”.12April 2, 2018

Vulnerability ScoringThe Nessus vulnerability scanner references the National Vulnerability Database (NVD) [https://nvd.nist.gov/] for its vulnerability information.The NVD provides CVSS scores for many known vulnerabilities. In particular, NVD supports the CVSS version standard for all CommonVulnerabilities and Exposures (CVE) vulnerabilities.The CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attemptsto assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. The NVD usesseverity rankings of “Low,” “Medium,” and “High” in addition to the numeric CVSS scores, but these qualitative rankings are simply mappedfrom the numeric CVSS base scores: Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9. Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9. Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.Nessus has a “critical” rating which it uses for CVSS 10 vulnerabilities. Where the NVD has not provided a CVE severity rating, the Nessusscanner relies on its own rankings.What’s In The Report?Though Cyber Hygiene initiates multiple scans between reports, only the latest scan data for each host is used to determine currentvulnerability. This is the data that appears in the main body of the report and in Appendix A: Vulnerability Summary, Appendix B.2: NewVulnerabilities Detected and Appendix B.3: Re-Detected (Previously-Mitigated) Vulnerabilities.If a vulnerability was detected since that last report (e.g., it wasn’t in the previous report’s findings, though CyHy saw it mid-week) but it wasnot in the latest scan, we include it in Appendix B.4: Recently-Detected Vulnerabilities.If a vulnerability that was previously reported to you is no longer detected by the latest scan, the vulnerability and host will be listed inAppendix B.1: Mitigated Vulnerabilities.We encourage you to validate the status of vulnerabilities in both Appendix B.1: Mitigated Vulnerabilities and Appendix B.4: RecentlyDetected Vulnerabilities against your change control register. This will help to ensure that the vulnerability we detected has actually beenremediated and is not simply unresponsive to our scans.13April 2, 2018

6Approximate Host LocationsThe map below shows the approximate locations of detected hosts as listed in a geo-location database. This map is provided as a tool toidentify hosts that may have been mistakenly added in to, or removed from scope. The map is scaled to include all known SAMPLE hostlocations.Figure 8: Approximate Host Locations14April 2, 2018

7Vulnerability Scan ResultsFor this period, CyHy detected 1,159 occurrences of 63 distinct vulnerabilities (10 critical, 4 high, 1,044 medium, and 101 low). SAMPLEshould review the vulnerabilities detected and report any false positives back to NCATS so these can be excluded from future reports (seethe Frequently Asked Questions section for more about false positives).The scanning detected 393 vulnerable hosts—364 hosts with one to five vulnerabilities were identified; 24 hosts had between six and ninevulnerabilities; 4 hosts had ten or more vulnerabilities identified.SeverityDistinct %33431463Total e 5: Number of Vulnerabilities by Severity Level2446-910 Figure 9: Vulnerability Count per HostThe CVSS scores for all active vulnerabilities can be found in Figure 10.Active Vulnerabilities60050040030020010000.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 4.0 4.5 5.0 5.5 6.0 6.5 7.0 7.5 8.0 8.5 9.0 9.5 10.0CVSSFigure 10: CVSS Histogram for Active VulnerabilitiesThe top vulnerabilities according to CVSS score are represented in Table 6.Vulnerability NameSeverityHostsCVSS ScoreMikroTik RouterOS 6.41.3 SMB Buffer OverflowMikroTik RouterOS HTTP Server Arbitrary Write RCE (ChimayRed)Portable SDK for UPnP Devices (libupnp) 1.6.18 Multiple Stack-based Buffer Overflows RCEPHP 5.6.x 5.6.34 Stack Buffer OverflowFTP Privileged Port Bounce ScanSNMP Agent Default Community Name (public)Apache Tomcat Default FilesAXIS gSOAP Message Handling RCE (ACV-116267) (Devil’s Ivy)SSL Certificate Cannot Be TrustedSSL Self-Signed 7.57.56.86.86.46.4Table 6: Top Vulnerabilities by CVSS15April 2, 2018

A complete list of distinct vulnerabilities detected, including severity level and number of hosts having the vulnerability can be found inAppendix A: Vulnerability Summary. Full details on every detected vulnerability can be found in Appendix C: Detailed Findings andRecommended Mitigations by Vulnerability. Every critical and high finding detected, along with the hosts that have these findings, are listedin Appendix D: Critical and High Vulnerability Mitigations by IP Address.The top high-risk hosts are identified in Table 7 by combining the total number of vulnerabilities, the severity of the vulnerabilities, and aweighted CVSS score for vulnerabilities detected. For more information on the formula, please refer to Table 8: Risk Rating System.IP 00002016313220109904211132118955444141011Table 7: Top Hosts by Weighted RiskThe Risk Rating System (RRS) emphasizes higher-rated CVSS scores to ensure that hosts with a large number of lower-risk vulnerabilitiesdo not outweigh hosts with a smaller number of high-risk vulnerabilities, while ensuring that hosts with an extreme number of low-riskvulnerabilities are not overshadowed by hosts with a single higher-risk issue. The RRS also ensures that hosts with a significant number ofhigh-risk vulnerabilities will not be overshadowed by a host with only a single critical vulnerability.Table 8 illustrates the base and weighted CVSS scores and shows the equivalent number of lower-risk vulnerabilities to weigh evenly witha single critical (CVSS score of 10) vulnerability.Base CVSS Score1.02.03.04.05.06.07.08.09.010.0Weighted CVSS ScoreEquivalent to CVSS Score 10 061 572.47610.35128.035.7212.144.772.091.0Table 8: Risk Rating SystemAs an example, a host having 400 vulnerabilities with a base CVSS score of 1.0 would get a weighted RRS score of 4 10 04 , which isconsidered lower-risk than a host with a single critical vulnerability (RRS score of 10.0). Similarly, a host having 4 vulnerabilities with a baseCVSS score of 8 would get a RRS score of 8.39 and still be considered a lower risk than a host with a single critical vulnerability (RRS scoreof 10.0).16April 2, 2018

8Results TrendingVulnerabilitiesTo help decision-makers, this section provides a comparison of the current data against similar CyHy scans conducted over 201ceDJan82018201beF0182Mar0182AprFigure 11: Total Active Vulnerabilities Over 2Oct7201DecJan82011820FebMar8201Apr2018Figure 12: Active Critical and High Vulnerabilities Over 000Oct7201Nov7201Dec7201Jan82018201FebFigure 13: Active Medium and Low Vulnerabilities Over Time17April 2, 20180182MarApr2018

HostsSAMPLE vulnerability profile over time, reporting on the total hosts detected, number of hosts with vulnerabilities, number of distinct services,and the number of distinct vulnerabilities detected can be found in Figure 14, Figure 15, and Figure 16 ostsVulnerable 2AprFigure 14: Vulnerable Hosts Over TimeDistinct 2011820Feb0182Mar0182AprVulnerabilitiesFigure 15: Distinct Services Over Time80706050403020100Distinct Vulnerabilities0172Oct0172Nov7201DecJan8201Figure 16: Distinct Vulnerabilities Over Time18April 2, 20181820FebMar8201Apr2018

HostsVulnerable HostsDistinct ServicesDistinct VulnerabilitiesDistinct Operating SystemsPrevious ReportCurrent Report% .0%-13.0%0.0%Table 9: Comparison with Previous ReportOverall, for all hosts identified, SAMPLE averaged 0.29 vulnerabilities per host. For vulnerable hosts, SAMPLE averaged 2.95 total vulnerabilities per host. By severity, vulnerable hosts averaged 0.03 critical, 0.01 high, 2.66 medium, and 0.26 low vulnerabilities per host.19April 2, 2018

9ConclusionSAMPLE should use the data provided in this report to correct any identified vulnerabilities, configuration errors, and security concerns inyour external network perimeter. If SAMPLE has questions, comments, or concerns about the findings or data contained in this report,please work with your designated technical point of contact when requesting assistance from NCATS at [email protected] 2, 2018

Appendix A Vulnerability SummaryThis section presents counts of all distinct vulnerabilities that were detected in the latest scans. It shows the name of the vulnerability, theseverity level of the vulnerability, and the number of vulnerability detections in the previous report vs. this report. Low, medium, high, andcritical vulnerabilities are displayed.VulnerabilityMikroTik RouterOS 6.41.3 SMB Buffer OverflowMikroTik RouterOS HTTP Server Arbitrary Write RCE (ChimayRed)Portable SDK for UPnP Devices (libupnp) 1.6.18 Multiple Stack-based BufferOverflows RCEOpenSSL UnsupportedFTP Privileged Port Bounce ScanPHP 5.6.x 5.6.34 Stack Buffer OverflowSNMP Agent Default Community Name (public)Apache 2.2.x 2.2.33-dev / 2.4.x 2.4.26 Multiple VulnerabilitiesApache .htaccess and .htpasswd DisclosureMultiple Vendor DNS Query ID Field Prediction Cache PoisoningWeb Server Uses Non Random Session IDsWeb Server Generic Cookie InjectionDNS Server Cache Snooping Remote Information DisclosureDNS Server Recursive Query Cache Poisoning WeaknessDNS Server Spoofed Request Amplification DDoSOpenSSL 1.1.0 1.1.0g RSA/DSA Unspecified Carry IssueTLS Padding Oracle Information Disclosure Vulnerability (TLS POODLE)Terminal Services Doesn’t U

SSL Certificate Cannot Be Trusted SSL Self-Signed Certificate SSL Medium Strength Cipher Suites SSL Certificate Signed Using Weak SSL Certificate Expiry: 319 180 114 73 65: Low Medium High Critical: Additionally, the top high-risk hosts and top risk-based vulnerabilities are displ