Tech Note:False Positives with Vulnerability Scanning

Article ID: 153175

Products

Symantec Products

Issue/Introduction


This article describes false positives found by common vulnerability scanners run against PGP Universal Server, the "vulnerabilities" that may erroneously be identified by such a scan, and an explanation of such errors.

Resolution


Below are examples of findings reported by various security scanners run against PGP Universal Server. Such scans would generally cover SSH, HTTP/HTTPS, LDAP/LDAPS, and general TCP behaviour. Each entry shows what a scan may report as a "vulnerability", followed by an explanation of why it is not one. Again, these are not vulnerabilities, but may seem to be; the reasoning is given in the Analysis of each scan.

SSH 

Scan Result: Vulnerability found on port ssh (22/tcp). You are running a version of OpenSSH that is older than 3.7.1. Versions older than 3.7.1 are vulnerable to a flaw in the buffer management functions which might allow an attacker to execute arbitrary commands on this host.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The SSH server in PGP Universal has the necessary patches applied to address this vulnerability.

Scan Result: Warning found on port ssh (22/tcp). You are running OpenSSH-portable 3.6.1p1 or older. If PAM support is enabled, an attacker may use a flaw in this version to determine the existence of a given login name by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login with the time it takes to refuse a bad password for a valid login.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The OpenSSH server in PGP Universal has the necessary patches applied to address this vulnerability.

Scan Result: Warning found on port ssh (22/tcp). You are running OpenSSH-portable 3.6.1 or older. There is a flaw in this version which may allow an attacker to bypass the access controls set by the administrator of this server. OpenSSH features a mechanism which can restrict the list of hosts a given user can log in from by specifying a pattern in the user key file (i.e. *.mynetwork.com would let a user connect only from the local network). However, there is a flaw in the way OpenSSH does reverse DNS lookups. If an attacker configures his DNS server to send a numeric IP address when a reverse lookup is performed, he may be able to circumvent this mechanism.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The OpenSSH server in PGP Universal has the necessary patches applied to address this vulnerability.
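The analyses in this article all rest on the same point: the scanner compares a service banner with a threshold version and never exercises the service, so a fix applied without changing the banner is invisible to it. The following script, an added example that is not part of the original article or of PGP Universal, performs the second step a reviewer does by hand: parse the banner, compare it with the scanner's threshold on the matching branch (OpenSSL quotes one fixed version per branch), and consult a record of backported fixes. The banners, the threshold table and the backport record are constructed sample data; the record is a placeholder for the vendor's real maintenance-release notes.

```python
"""Triage version-only scanner findings (added example; sample data is constructed)."""
import re
from dataclasses import dataclass

_COMPONENT = re.compile(r"(\d+)([A-Za-z][A-Za-z0-9]*)?")
_BANNER = re.compile(r"(OpenSSH|Apache|OpenSSL)[_/]([0-9][0-9A-Za-z.]*)")


def version_key(version: str) -> tuple:
    """Comparable form of '3.6.1p1' or '0.9.6j': each dotted part becomes
    (number, suffix). An empty suffix sorts first, so 0.9.6 < 0.9.6j."""
    key = []
    for part in version.split("."):
        m = _COMPONENT.fullmatch(part)
        if m is None:
            raise ValueError(f"unparseable version part {part!r} in {version!r}")
        key.append((int(m.group(1)), m.group(2) or ""))
    return tuple(key)


def parse_banner(banner: str) -> list:
    """All (product, version) pairs in a banner; an HTTP Server header can
    name both Apache and OpenSSL."""
    return [(m.group(1), m.group(2)) for m in _BANNER.finditer(banner)]


def applicable_threshold(version: str, thresholds: list) -> str:
    """Pick the threshold sharing the longest numeric prefix with the
    reported version (its branch); the highest such version if several tie."""
    vk = version_key(version)

    def shared(t: str) -> int:
        n = 0
        for a, b in zip(vk, version_key(t)):
            if a[0] != b[0]:
                break
            n += 1
        return n

    best = max(shared(t) for t in thresholds)
    return max((t for t in thresholds if shared(t) == best), key=version_key)


# Fixed versions quoted by the scanner findings in the article.
FIXED_IN = {"OpenSSH": ["3.7.1"], "Apache": ["1.3.29"], "OpenSSL": ["0.9.6j", "0.9.7b"]}

# Constructed stand-in for the vendor's maintenance-release record,
# (product, threshold) -> note. OpenSSL is deliberately left out so the
# VERIFY path is exercised.
BACKPORTED = {
    ("OpenSSH", "3.7.1"): "fix backported (maintenance release: placeholder)",
    ("Apache", "1.3.29"): "fix backported (maintenance release: placeholder)",
}


@dataclass
class Finding:
    port: int
    product: str
    version: str
    threshold: str
    verdict: str  # NOT_APPLICABLE, BACKPORT_RECORDED or VERIFY
    note: str = ""


def triage(port: int, banner: str, fixed_in=FIXED_IN, backported=BACKPORTED) -> list:
    """One Finding per recognised product in the banner."""
    findings = []
    for product, version in parse_banner(banner):
        thresholds = fixed_in.get(product)
        if not thresholds:
            continue
        threshold = applicable_threshold(version, thresholds)
        if version_key(version) >= version_key(threshold):
            verdict, note = "NOT_APPLICABLE", "banner at or above fixed version"
        elif (product, threshold) in backported:
            verdict, note = "BACKPORT_RECORDED", backported[(product, threshold)]
        else:
            verdict, note = "VERIFY", "version-only check; confirm patch level with the vendor"
        findings.append(Finding(port, product, version, threshold, verdict, note))
    return findings


# Constructed banners in the shape OpenSSH and Apache (ServerTokens Full) emit.
SAMPLE_BANNERS = [
    (22, "SSH-2.0-OpenSSH_3.6.1p1"),
    (443, "Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.6g"),
    (9000, "Apache/1.3.29 (Unix) OpenSSL/0.9.7c"),
]

if __name__ == "__main__":
    for port, banner in SAMPLE_BANNERS:
        for f in triage(port, banner):
            print(f"{f.port}/tcp {f.product} {f.version} (threshold {f.threshold}): {f.verdict} - {f.note}")
```

The three verdicts are the decisions a reviewer can actually make from a banner: the banner is already at the fixed version, the vendor records a backport for exactly this threshold, or neither holds and the patch level must be confirmed out of band. A VERIFY result is not a confirmed vulnerability, but it is also not a finding to close on the strength of the banner alone.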

HTTP

Scan Result: Vulnerability found on port www (80/tcp). The remote host appears to be running a version of Apache which is older than 1.3.28. There are several flaws in this version, which may allow an attacker to disable the remote server remotely. You should upgrade to 1.3.28 or newer.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The Apache server in PGP Universal has the necessary patches applied to address these vulnerabilities.

Scan Result: Vulnerability found on port www (80/tcp). The remote host appears to be running a version of Apache which is older than 1.3.29. There are several flaws in this version, which may allow an attacker to possibly execute arbitrary code through mod_alias and mod_rewrite. You should upgrade to 1.3.29 or newer.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The Apache server in PGP Universal has the necessary patches applied to address these vulnerabilities.

Scan Result: Warning found on port www (80/tcp). Some Web Servers use a file called /robot(s).txt to make search engines and any other indexing tools visit their Web Pages more frequently and more efficiently. By connecting to the server and requesting the /robot(s).txt file, an attacker may gain additional information about the system they are attacking, such as restricted directories, hidden directories, cgi script directories, etc. Take special care not to tell the robots not to index sensitive directories, since this tells attackers exactly which of your directories are sensitive. The file 'robots.txt' contains the following:

User-Agent: *
Disallow: /

Analysis: The robots.txt file which exists on Universal does not provide any information which would aid potential attackers or make Universal more vulnerable to attack. Our file simply notifies all robots that the contents of the PGP Universal server are not to be indexed by robots.
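The scanner's concern is specifically with Disallow lines that name individual sensitive directories; a file that disallows only "/" names nothing. The following parser, an added example not taken from the article or from PGP Universal, reads a robots.txt body and reports the paths it actually reveals, so the same check can be applied to any server's file. The two sample bodies are constructed: the first is the content quoted in the finding above, the second a counterexample that does list directories.

```python
"""Report what a robots.txt file discloses (added example; samples are constructed)."""


def parse_robots(text: str) -> list:
    """Return (user_agent, directive, value) triples. Directive names are
    lowercased; blank lines, comments and lines before any User-agent are
    ignored. Only the first ':' splits, so values containing ':' survive."""
    records = []
    agent = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            agent = value
        elif field in ("disallow", "allow") and agent is not None:
            records.append((agent, field, value))
    return records


def disclosed_paths(text: str) -> list:
    """Paths a reader learns from the file: every Disallow more specific than
    the whole site ('/'). An empty Disallow allows everything and names nothing."""
    paths = {v for _a, d, v in parse_robots(text) if d == "disallow" and v not in ("", "/")}
    return sorted(paths)


def assess(text: str) -> tuple:
    """(blanket, paths): blanket is True when some record disallows the whole
    site; paths is the list of specific directories the file reveals."""
    blanket = any(d == "disallow" and v == "/" for _a, d, v in parse_robots(text))
    return blanket, disclosed_paths(text)


# Constructed samples. UNIVERSAL_ROBOTS is the content the finding quotes.
UNIVERSAL_ROBOTS = "User-Agent: *\nDisallow: /\n"
LEAKY_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /cgi-bin/\nAllow: /public/\n"

if __name__ == "__main__":
    for name, body in (("universal", UNIVERSAL_ROBOTS), ("leaky", LEAKY_ROBOTS)):
        blanket, paths = assess(body)
        print(f"{name}: blanket_disallow={blanket} reveals={paths}")
```

A blanket Disallow with an empty path list is the outcome the article describes; a non-empty path list is the case the scanner's advice is about, and the fix there is to protect those directories with access controls rather than to enumerate them in robots.txt.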

LDAP 

Scan Result: Vulnerability found on port ldap (389/tcp). Improperly configured LDAP servers will allow any user to connect to the server and query for information. Solution: Disable NULL BIND on your LDAP server. In addition, the LDAP bind function in Exchange 5.5 has a buffer overflow that allows a user to conduct a denial of service or execute commands in all versions prior to Exchange server SP2. Coupled with a NULL BIND, an anonymous user can mount a remote attack against your server.

Analysis: PGP Universal uses LDAP to publish PGP keys. The purpose of the integrated key server is to allow anyone to connect and retrieve public keys. This ability to access those keys is not a vulnerability, but is as designed. PGP Universal does not use Microsoft Exchange 5.5; the Exchange 5.5 vulnerability does not apply.

Scan Result: Vulnerability found on port ldap (389/tcp). Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner'.

Analysis: PGP Universal uses LDAP to publish PGP keys. The purpose of the integrated key server is to allow anyone to connect and retrieve public keys. This ability to access those keys is not a vulnerability, but is as designed.

HTTPS 

Scan Result: Vulnerability found on port https (443/tcp). The remote host appears to be running a version of Apache which is older than 1.3.28. There are several flaws in this version, which may allow an attacker to disable the remote server remotely. You should upgrade to 1.3.28 or newer.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The Apache server used in PGP Universal has the necessary patches applied to address these vulnerabilities.

Scan Result: Vulnerability found on port https (443/tcp). The remote host appears to be running a version of Apache which is older than 1.3.29. There are several flaws in this version, which may allow an attacker to possibly execute arbitrary code through mod_alias and mod_rewrite.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The Apache server used in PGP Universal has the necessary patches applied to address these vulnerabilities.

Scan Result: Warning found on port https (443/tcp). The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing-based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the private RSA key of the server.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The OpenSSL library used in PGP Universal has the necessary patches applied to address these vulnerabilities.

Scan Result: Warning found on port https (443/tcp). Some Web Servers use a file called /robot(s).txt to make search engines and any other indexing tools visit their Web Pages more frequently and more efficiently. By connecting to the server and requesting the /robot(s).txt file, an attacker may gain additional information about the system they are attacking, such as restricted directories, hidden directories, cgi script directories, etc. Take special care not to tell the robots not to index sensitive directories, since this tells attackers exactly which of your directories are sensitive. The file 'robots.txt' contains the following:

User-Agent: *
Disallow: /

Analysis: The robots.txt file which exists on Universal does not provide any information which would aid potential attackers or make Universal more vulnerable to attack. Our file simply notifies all robots that the contents of the PGP Universal server are not to be indexed by robots.

LDAPS 

Scan Result: Warning found on port ldaps (636/tcp). The SSLv2 server offers 5 strong ciphers, but also 0 medium strength and 2 weak "export class" ciphers. The weak/medium ciphers may be chosen by export-grade or badly configured client software. They only offer limited protection against a brute force attack. Solution: disable those ciphers and upgrade your client software if necessary.

Analysis: Universal uses LDAP to publish PGP keys. The purpose of the key server is to allow anyone to connect and retrieve public keys. Since anybody is permitted to access keys, the inclusion of these two "weak" ciphers does not compromise the security of the Universal server; as stated in the warning, they would only be chosen by an "export-grade or badly configured client".

Port TCP/9000 (PGP Universal Administrative Interface)

Scan Result: Vulnerability found on port unknown (9000/tcp). The remote host appears to be running a version of Apache which is older than 1.3.28. There are several flaws in this version, which may allow an attacker to disable the remote server remotely. You should upgrade to 1.3.28 or newer.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The Apache server used in PGP Universal has the necessary patches applied to address these vulnerabilities.

Scan Result: Vulnerability found on port unknown (9000/tcp). The remote host appears to be running a version of Apache which is older than 1.3.29. There are several flaws in this version, which may allow an attacker to possibly execute arbitrary code through mod_alias and mod_rewrite.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The Apache server used in PGP Universal has the necessary patches applied to address these vulnerabilities.

Scan Result: Warning found on port unknown (9000/tcp). The remote host is using a version of OpenSSL which is older than 0.9.6j or 0.9.7b. This version is vulnerable to a timing-based attack which may allow an attacker to guess the content of fixed data blocks and may eventually be able to guess the value of the private RSA key of the server.

Analysis: When checking for version-related vulnerabilities in specific services, the scanner simply compares the reported version against a list of versions it knows to be "vulnerable". It does not perform tests against the target server to verify that the vulnerability actually exists. The scanner does not recognize that our servers have been patched with the relevant security fixes under a more conservative versioning and change-control process, so the reported version string does not reflect the patch level. We regularly create maintenance releases to address new vulnerabilities in Universal components as they are found and fixed. The OpenSSL library used in PGP Universal has the necessary patches applied to address these vulnerabilities.

Scan Result: Warning found on port unknown (9000/tcp). Some Web Servers use a file called /robot(s).txt to make search engines and any other indexing tools visit their Web Pages more frequently and more efficiently. By connecting to the server and requesting the /robot(s).txt file, an attacker may gain additional information about the system they are attacking, such as restricted directories, hidden directories, cgi script directories, etc. Take special care not to tell the robots not to index sensitive directories, since this tells attackers exactly which of your directories are sensitive. The file 'robots.txt' contains the following:

User-Agent: *
Disallow: /

Analysis: The robots.txt file which exists on Universal does not provide any information which would aid potential attackers or make Universal more vulnerable to attack. Our file simply notifies all robots that the contents of the PGP Universal server are not to be indexed by robots.

General TCP 

Scan Result: Warning found on port general/tcp. The remote host does not discard TCP SYN packets which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.

Analysis: This scan warns about a potential bug in firewalls the customer may use to protect their site. It is assumed that the firewall at the customer's site handles this kind of issue properly.
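Whether a host's tolerance of SYN+FIN matters depends on the firewall in front of it, so the check belongs at the firewall or IDS: read the flags byte of each TCP header and drop combinations that never occur in a legitimate handshake. The classifier below is an added example, not code from the article or from any firewall product; the segments it inspects are built in memory with struct, and nothing is sent anywhere.

```python
"""Classify TCP segments by flag combination (added example; segments are constructed)."""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def tcp_flags(segment: bytes) -> int:
    """The six classic flag bits live in byte 13 of the TCP header
    (after ports, sequence and acknowledgement numbers and the offset byte)."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return segment[13] & 0x3F


def flag_names(flags: int) -> str:
    return "+".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def classify(flags: int) -> str:
    """'drop: ...' for combinations that are invalid on the wire, else 'pass'.
    SYN+FIN is the case the scanner finding above is about."""
    if flags & SYN and flags & FIN:
        return "drop: SYN+FIN is not a valid connection request"
    if flags & SYN and flags & RST:
        return "drop: SYN+RST is contradictory"
    if flags == 0:
        return "drop: no flags set (null)"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK | RST):
        return "drop: FIN+PSH+URG without ACK (xmas)"
    return "pass"


def make_segment(flags: int, sport: int = 40000, dport: int = 22) -> bytes:
    """Minimal 20-byte TCP header with no options and a zero checksum,
    constructed only so the classifier can be exercised offline."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 65535, 0, 0)


def inspect(segment: bytes) -> tuple:
    """(flag names, verdict) for one raw TCP header."""
    flags = tcp_flags(segment)
    return flag_names(flags), classify(flags)


if __name__ == "__main__":
    for flags in (SYN, SYN | ACK, ACK | PSH, SYN | FIN, 0, FIN | PSH | URG):
        names, verdict = inspect(make_segment(flags))
        print(f"{names:<12} {verdict}")
```

The point of the filter is that the endpoint's own handling of SYN+FIN is irrelevant once the perimeter drops such segments; conversely, a firewall that forwards them on the strength of the SYN bit alone is the "kind of firewall" the finding refers to, and that is where the rule should be verified.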