Author Ashlyn Matthews
In an attempt to practice my blue team skills, I launched a vulnerable instance from AWS and sought out to scan it. Although there are several vulnerability scanners, I chose to use Nessus, as it is a good general scanner and produces a pretty thorough vulnerability report.
This instance had several vulnerabilities, including: shellshock, smb guest account and anonymous ftp account , amongst others.
Understanding the Shellshock Vulnerability
One of the first vulnerabilities on the list was a shellshock vulnerability. Shellshock is a critical level vulnerability that results from the bash shell failing to properly validate and sanitize values of declared variables . It causes bash to execute unintentional bash commands. This vulnerability can affect email and dns servers , as well as hardware like home routers and IOT devices. Also shellshock can be used to launch denial of service attacks. By exploiting this vulnerability malicious actors can launch programs on your system create outbound connections to their system, and execute malicious software. Such a vulnerability gives way for your confidential data and information that is stored within your compromised system to be stolen, i.e. passwords, financial details, etc.
Accessing the Root Cause
After some research, I found that the vulnerability was a result of an out of date shell.
I ssh into the vulnerable machine. Because webservers usually serve up files out of the /var/www/ directory I changed into that directory. I eventually switched into the cgi-bin directory and read the test.cgi file.
I observed a shebang leading to a bash shell. I ran that bash to confirm its version. Being a version 4.3, it was in the range of bash shells being affected by this vulnerability.
Shellshock Vulnerability Remediation:
I checked for more vulnerable bashes by using find / -name bash 2>/dev/null. This code locates the bashes and forwards the errors. I found that the only non-vulnerable shell was /usr/bin/bash so I went and edited the test.cgi to point the shebang to that bash. I saved the edited cgi and deleted the vulnerable bashes.
Understanding the SMB Guest Account Vulnerability
A smb guest account vulnerability is caused by a poor authentication policy in the smb service that allows remote hosts to access the host without any credentials. It is an example of an insecure configuration vulnerability and is considered a high level vulnerability. An smb server called Samba had been configured to be allowed to access resources without authenticating users.
SMB Guest Account Vulnerability Remediation
Because this is a configuration issue, I set out to edit the /etc/samba/smb.conf file.
I scrolled down to the section labeled global and changed ‘guest ok’ to ‘No’ and ‘map to guest’ to ‘Never’.
Understanding the Anonymous FTP Vulnerability
An anonymous ftp account vulnerability is caused by a poor authentication policy in the ftp service that allows remote hosts to access the host without any credentials. This is another example of an insecure configuration vulnerability and is recognized to be a medium level vulnerability. It allows anyone to sign in as Anonymous with no password.
Anonymous FTP Account Vulnerability Remediation
sudo nano /etc/vsftpd/vsftpd.conf
I set out to edit the ftp configuration file /etc/vsftpd/vsftpd.conf file. I found a line where the ‘anonymous_enable’ was set to ‘YES’ and I changed it to ‘NO’. Then I restarted vsftpd with sudo systemctl restart vsftpd.
Understanding SSH Server CBC Mode Ciphers Enabled Vulnerability
70658 — SSH Server CBC Mode Ciphers Enabled
The ssh server cbc mode ciphers enabled vulnerability occurs when the ssh server is set to user cipher block chaining encryption (CBC). It is a low level vulnerability. The problem with CBC mode is that the decryption of blocks is dependent on the previous ciphertext block. While CBC is fine in theory, there is always the risk that an improper implementation will subject the connection to padding oracle attack. A padding oracle attack is a type of attack against encrypted data that allows the attacker to decrypt the contents of the data, without knowing the key,thus allowing the attacker to recover plain text message from the cipher text.
SSH Server CBC Mode Ciphers Enabled Vulnerability Remediation
Backup of the sshd_file
I started off by backing up the ssh configuration file, as a precaution
I checked all the available encryption algorithms. SSH can be configured to use Counter (CTR) mode encryption instead of CBC. Counter mode generates the keystream by encrypting successive values of a “counter” function
In order to disable CBC mode, I edited the sshd_config to change which algorithms would be used.
I restarted the ssh service and then ran sshd -T | grep ciphers again and only the ciphers I specified remained. Nessus scan after minor remediations
After I remediated those four vulnerabilities I ran another Nessus scan. The vulnerabilities disappeared.
Honestly this was a pretty cool exercise. I learned a bit about known vulnerabilities. I think the Nessus scanner is great for understanding vulnerabilities and it is very organized and easy to read. Google is definitely your friend in cyber. Also, please note I did not go through the real world process of prioritizing vulnerabilities based off a company’s assets. Please feel free to follow me if you like what you have read. Thank you for reading.
About the Author: Ashlyn Matthews is a Technical Writer at LogRhythm. She assists in the creation and modernization of internal and public-facing documentation. She is still continuing her cyber security studies with the help of Hackthebox and tryhackme. She is also currently working on building her CTF and scripting skills. is a Technical Writer at LogRhythm. She assists in the creation and modernization of internal and public-facing documentation. She is still continuing her cyber security studies with the help of Hackthebox and tryhackme. She is also currently working on building her CTF and scripting skills.