Macro or script of sort

[gr85z]

We are working on getting data from CVSS (Common Vulnerability Security Scans)and take each host and findings from a CSV file and then take all findings from each host and do the following

List the host IP/ Hostname
CVSS, Severity,Solution Type, Summary
Screeenshot of CSV below
I am not fluent in Macros or if it is possible

So there could be or several findings per host so ideally list the hosts once and findings below
IP / Hostname
Finding A
Finding B
Finding C
etc.....

Findings will include our specified columns

All the output is the same on each of of the CSV files.

Over all goal is to take the output open in excel run marco produce document we can sent to management.
Since we have to run this quarterly against hundreds of IPs/hosts we want to make it as automated as possible.
Overall end product will be to have files land in a folder and run script against folder and do all the conversation etc.... with end result of document.
Thanks in adavance

 

[gr85z]

There shouldn't be anything merged this is simply the raw data. I did no formatting other than removing the columns we dont want and inserting cells to be in the view we want it. Here are the 2 tabs I have pulled data from.
Raw_data

IP

Hostname

Port

Port Protocol

CVSS

Severity

Solution Type

NVT Name

Summary

Specific Result

NVT OID

CVEs

Task ID

Task Name

Timestamp

Result ID

Impact

Solution

Affected Software/OS

Vulnerability Insight

Vulnerability Detection Method

Product Detection Result

BIDs

CERTs

Other References

xxx.yyy.zzz.aa

161​

udp

7.5​

High

VendorFix

Report default community names of the SNMP Agent

Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE).

SNMP Agent responded as expected when using the following community name: public

1.3.6.1.4.1.25623.1.0.10264

CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-1999-0792,CVE-2000-0147,CVE-2001-0380,CVE-2001-0514,CVE-2001-1210,CVE-2002-0109,CVE-2002-0478,CVE-2002-1229,CVE-2004-1474,CVE-2004-1775,CVE-2004-1776,CVE-2011-0890,CVE-2012-4964,CVE-2014-4862,CVE-2014-4863,CVE-2016-1452,CVE-2016-5645,CVE-2017-7922

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

c08e30db-a509-4302-92b4-a4769cb8364a

If an attacker is able to guess a PUBLIC community string, they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This information might include system time, IP addresses, interfaces, processes running, etc. If an attacker is able to guess a PRIVATE community string (WRITE or 'writeall' access), they will have the ability to change information on the remote machine. This could be a huge security hole, enabling remote attackers to wreak complete havoc such as routing network traffic, initiating processes, etc. In essence, 'writeall' access will give the remote attacker full administrative rights over the remote machine. Note that this test only gathers information and does not attempt to write to the remote device. Thus it is not possible to determine automatically whether the reported community is public or private. Also note that information made available through a guessable community string might or might not contain sensitive data. Please review the information available through the reported community string to determine the impact of this disclosure.

Determine if the detected community string is a private community string. Determine whether a public community string exposes sensitive information. Disable the SNMP service if you don't use it or change the default community string.

Details: Report default community names of the SNMP Agent (OID: 1.3.6.1.4.1.25623.1.0.10264)

177,973,986,2112,2896,3758,3795,3797,4330,5030,5965,7081,7212,7317,9681,11237,20125,41436,46981,91756,92428,99083

DFN-CERT-2016-1130,CB-K18/1132,CB-K16/1061

xxx.yyy.zzz.aa

2.6​

Low

Mitigation

TCP timestamps

The remote host implements TCP timestamps and therefore allows to compute the uptime.

It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in-between: Packet 1: 1262565174 Packet 2: 1262565292

1.3.6.1.4.1.25623.1.0.80091

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

7f007f0d-eb57-4b5b-ba65-ff250fd8c177

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See the references for more information.

TCP/IPv4 implementations that implement RFC1323.

The remote host implements TCP timestamps, as defined by RFC1323.

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

xxx.yyy.zzz.aa

22​

tcp

2.6​

Low

Mitigation

SSH Weak MAC Algorithms Supported

The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

The following weak client-to-server MAC algorithms are supported by the remote service: hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-sha1-96 hmac-sha1-96-etm@openssh.com The following weak server-to-client MAC algorithms are supported by the remote service: hmac-md5 hmac-md5-96 hmac-md5-96-etm@openssh.com hmac-md5-etm@openssh.com hmac-sha1-96 hmac-sha1-96-etm@openssh.com

1.3.6.1.4.1.25623.1.0.105610

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

6233ac49-8cf9-41c7-afd1-fe58885dd397

Disable the weak MAC algorithms.

Details: SSH Weak MAC Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105610)

xxx.yyy.zzz.aa

443​

tcp

5​

Medium

Mitigation

SSL/TLS: Certificate Expired

The remote server's SSL/TLS certificate has already expired.

The certificate of the remote service expired on 1971-01-01 00:02:54. Certificate details: subject ...: CN=192.168.1.2 subject alternative names (SAN): None issued by .: CN=192.168.1.2 serial ....: 00FE5B4AEF7A424B93 valid from : 1970-01-01 00:02:54 UTC valid until: 1971-01-01 00:02:54 UTC fingerprint (SHA-1): E86A2CE79E8BE24EF2DEBC9E494B61E11A1179F2 fingerprint (SHA-256): 07F9C202624A63505D33639D09E5C48952227269429E18BE3C0E03778A64AD09

1.3.6.1.4.1.25623.1.0.103955

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

191a4cea-8d08-4484-aa1e-d0a122900ea5

Replace the SSL/TLS certificate by a new one.

This script checks expiry dates of certificates associated with SSL/TLS-enabled services on the target and reports whether any have already expired.

Details: SSL/TLS: Certificate Expired (OID: 1.3.6.1.4.1.25623.1.0.103955)

xxx.yyy.zzz.aa

161​

udp

5​

Medium

Workaround

SNMP GETBULK Reflected DRDoS

The remote SNMP daemon allows distributed reflection and amplification (DRDoS) attacks.

By sending an SNMP GetBulk request of 41 bytes, we received a response of 2027 bytes.

1.3.6.1.4.1.25623.1.0.105062

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

f4fb2190-661b-4389-ba6e-d339a5c0544e

Successfully exploiting this vulnerability allows attackers to cause denial-of-service conditions against remote hosts.

Disable the SNMP service on the remote host if you do not use it or restrict access to this service.

Send an SNMP GetBulk request and check the response. Details: SNMP GETBULK Reflected DRDoS (OID: 1.3.6.1.4.1.25623.1.0.105062)

xxx.yyy.zzz.aa

443​

tcp

5​

Medium

Mitigation

SSL/TLS: Report Vulnerable Cipher Suites for HTTPS

This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exists only on HTTPS services.

'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32) 'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol: TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32) 'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol: TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

1.3.6.1.4.1.25623.1.0.108031

CVE-2016-2183,CVE-2016-6329

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

56a0b838-dac8-42f1-bb6b-939d7cf9de1e

The configuration of this services should be changed so that it does not accept the listed cipher suites anymore. Please see the references for more resources supporting you with this task.

Services accepting vulnerable SSL/TLS cipher suites via HTTPS.

These rules are applied for the evaluation of the vulnerable cipher suites: - 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).

Details: SSL/TLS: Report Vulnerable Cipher Suites for HTTPS (OID: 1.3.6.1.4.1.25623.1.0.108031)

DFN-CERT-2020-0368,DFN-CERT-2019-1455,DFN-CERT-2019-0068,DFN-CERT-2018-1296,DFN-CERT-2018-0323,DFN-CERT-2017-2070,DFN-CERT-2017-1954,DFN-CERT-2017-1885,DFN-CERT-2017-1831,DFN-CERT-2017-1821,DFN-CERT-2017-1785,DFN-CERT-2017-1626,DFN-CERT-2017-1326,DFN-CERT-2017-1239,DFN-CERT-2017-1238,DFN-CERT-2017-1090,DFN-CERT-2017-1060,DFN-CERT-2017-0968,DFN-CERT-2017-0947,DFN-CERT-2017-0946,DFN-CERT-2017-0904,DFN-CERT-2017-0816,DFN-CERT-2017-0746,DFN-CERT-2017-0677,DFN-CERT-2017-0675,DFN-CERT-2017-0611,DFN-CERT-2017-0609,DFN-CERT-2017-0522,DFN-CERT-2017-0519,DFN-CERT-2017-0482,DFN-CERT-2017-0351,DFN-CERT-2017-0090,DFN-CERT-2017-0089,DFN-CERT-2017-0088,DFN-CERT-2017-0086,DFN-CERT-2016-1943,DFN-CERT-2016-1937,DFN-CERT-2016-1732,DFN-CERT-2016-1726,DFN-CERT-2016-1715,DFN-CERT-2016-1714,DFN-CERT-2016-1588,DFN-CERT-2016-1555,DFN-CERT-2016-1391,DFN-CERT-2016-1378,CB-K20/0321,CB-K20/0314,CB-K20/0157,CB-K19/0618,CB-K19/0615,CB-K18/0296,CB-K17/1980,CB-K17/1871,CB-K17/1803,CB-K17/1753,CB-K17/1750,CB-K17/1709,CB-K17/1558,CB-K17/1273,CB-K17/1202,CB-K17/1196,CB-K17/1055,CB-K17/1026,CB-K17/0939,CB-K17/0917,CB-K17/0915,CB-K17/0877,CB-K17/0796,CB-K17/0724,CB-K17/0661,CB-K17/0657,CB-K17/0582,CB-K17/0581,CB-K17/0506,CB-K17/0504,CB-K17/0467,CB-K17/0345,CB-K17/0098,CB-K17/0089,CB-K17/0086,CB-K17/0082,CB-K16/1837,CB-K16/1830,CB-K16/1635,CB-K16/1630,CB-K16/1624,CB-K16/1622,CB-K16/1500,CB-K16/1465,CB-K16/1307,CB-K16/1296

xxx.yyy.zzz.aa

22​

tcp

4.3​

Medium

Mitigation

SSH Weak Encryption Algorithms Supported

The remote SSH server is configured to allow weak encryption algorithms.

The following weak client-to-server encryption algorithms are supported by the remote service: 3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se The following weak server-to-client encryption algorithms are supported by the remote service: 3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se

1.3.6.1.4.1.25623.1.0.105611

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

8d0f71d7-1e9c-472a-98ce-faedc500d4f0

Disable the weak encryption algorithms.

The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak keys, and should not be used anymore. The `none` algorithm specifies that no encryption is to be done. Note that this method provides no confidentiality protection, and it is NOT RECOMMENDED to use it. A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.

Check if remote ssh service supports Arcfour, none or CBC ciphers. Details: SSH Weak Encryption Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105611)

xxx.yyy.zzz.ab

2.6​

Low

Mitigation

TCP timestamps

The remote host implements TCP timestamps and therefore allows to compute the uptime.

It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in-between: Packet 1: 4248000010 Packet 2: 4248001162

1.3.6.1.4.1.25623.1.0.80091

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

bfee8286-518c-4b14-84b4-a5ee368b56e4

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See the references for more information.

TCP/IPv4 implementations that implement RFC1323.

The remote host implements TCP timestamps, as defined by RFC1323.

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

xxx.yyy.zzz.ac

161​

udp

7.5​

High

VendorFix

Report default community names of the SNMP Agent

Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE).

SNMP Agent responded as expected when using the following community name: public

1.3.6.1.4.1.25623.1.0.10264

CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-1999-0792,CVE-2000-0147,CVE-2001-0380,CVE-2001-0514,CVE-2001-1210,CVE-2002-0109,CVE-2002-0478,CVE-2002-1229,CVE-2004-1474,CVE-2004-1775,CVE-2004-1776,CVE-2011-0890,CVE-2012-4964,CVE-2014-4862,CVE-2014-4863,CVE-2016-1452,CVE-2016-5645,CVE-2017-7922

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

ab8b836e-6aa2-49d3-aa2b-81ccdad32f62

If an attacker is able to guess a PUBLIC community string, they would be able to read SNMP data (depending on which MIBs are installed) from the remote device. This information might include system time, IP addresses, interfaces, processes running, etc. If an attacker is able to guess a PRIVATE community string (WRITE or 'writeall' access), they will have the ability to change information on the remote machine. This could be a huge security hole, enabling remote attackers to wreak complete havoc such as routing network traffic, initiating processes, etc. In essence, 'writeall' access will give the remote attacker full administrative rights over the remote machine. Note that this test only gathers information and does not attempt to write to the remote device. Thus it is not possible to determine automatically whether the reported community is public or private. Also note that information made available through a guessable community string might or might not contain sensitive data. Please review the information available through the reported community string to determine the impact of this disclosure.

Determine if the detected community string is a private community string. Determine whether a public community string exposes sensitive information. Disable the SNMP service if you don't use it or change the default community string.

Details: Report default community names of the SNMP Agent (OID: 1.3.6.1.4.1.25623.1.0.10264)

177,973,986,2112,2896,3758,3795,3797,4330,5030,5965,7081,7212,7317,9681,11237,20125,41436,46981,91756,92428,99083

DFN-CERT-2016-1130,CB-K18/1132,CB-K16/1061

xxx.yyy.zzz.ac

2.6​

Low

Mitigation

TCP timestamps

The remote host implements TCP timestamps and therefore allows to compute the uptime.

It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in-between: Packet 1: 3951388049 Packet 2: 3951389197

1.3.6.1.4.1.25623.1.0.80091

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

bdd6199e-9f23-4639-866a-695eeff3d06a

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See the references for more information.

TCP/IPv4 implementations that implement RFC1323.

The remote host implements TCP timestamps, as defined by RFC1323.

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

xxx.yyy.zzz.ac

161​

udp

5​

Medium

Workaround

SNMP GETBULK Reflected DRDoS

The remote SNMP daemon allows distributed reflection and amplification (DRDoS) attacks.

By sending an SNMP GetBulk request of 41 bytes, we received a response of 2594 bytes.

1.3.6.1.4.1.25623.1.0.105062

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

14205704-8c95-4633-b60f-1b4acbb60391

Successfully exploiting this vulnerability allows attackers to cause denial-of-service conditions against remote hosts.

Disable the SNMP service on the remote host if you do not use it or restrict access to this service.

Send an SNMP GetBulk request and check the response. Details: SNMP GETBULK Reflected DRDoS (OID: 1.3.6.1.4.1.25623.1.0.105062)

xxx.yyy.zzz.ac

80​

tcp

4.8​

Medium

Workaround

Cleartext Transmission of Sensitive Information via HTTP

The host / application transmits sensitive information (username, passwords) in cleartext via HTTP.

The following URLs requires Basic Authentication (URL:realm name): http://xxx.yyy.zzz.ac/console:"connect_console_ws" http://xxx.yyy.zzz.ac/export:"get_export" http://xxx.yyy.zzz.ac/services:"get_services"

1.3.6.1.4.1.25623.1.0.108440

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

62c5d92e-6f3c-4886-8508-e74e70183c1a

An attacker could use this situation to compromise or eavesdrop on the HTTP communication between the client and the server using a man-in-the-middle attack to get access to sensitive data like usernames or passwords.

Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally make sure the host / application is redirecting all users to the secured SSL/TLS connection before allowing to input sensitive data into the mentioned functions.

Hosts / applications which doesn't enforce the transmission of sensitive data via an encrypted SSL/TLS connection.

Evaluate previous collected information and check if the host / application is not enforcing the transmission of sensitive data via an encrypted SSL/TLS connection. The script is currently checking the following: - HTTP Basic Authentication (Basic Auth) - HTTP Forms (e.g. Login) with input field of type 'password' Details: Cleartext Transmission of Sensitive Information via HTTP (OID: 1.3.6.1.4.1.25623.1.0.108440)

xxx.yyy.zzz.ac

22​

tcp

4.3​

Medium

Mitigation

SSH Weak Encryption Algorithms Supported

The remote SSH server is configured to allow weak encryption algorithms.

The following weak client-to-server encryption algorithms are supported by the remote service: 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc The following weak server-to-client encryption algorithms are supported by the remote service: 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc

1.3.6.1.4.1.25623.1.0.105611

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

7f86d736-2851-465f-9966-44e02935013f

Disable the weak encryption algorithms.

The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak keys, and should not be used anymore. The `none` algorithm specifies that no encryption is to be done. Note that this method provides no confidentiality protection, and it is NOT RECOMMENDED to use it. A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.

Check if remote ssh service supports Arcfour, none or CBC ciphers. Details: SSH Weak Encryption Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105611)

xxx.yyy.zzz.ad

2.6​

Low

Mitigation

TCP timestamps

The remote host implements TCP timestamps and therefore allows to compute the uptime.

It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in-between: Packet 1: 3214874085 Packet 2: 3214875233

1.3.6.1.4.1.25623.1.0.80091

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

eb3032bc-e1f0-41d6-990a-62c2dbe1a3c5

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See the references for more information.

TCP/IPv4 implementations that implement RFC1323.

The remote host implements TCP timestamps, as defined by RFC1323.

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

xxx.yyy.zzz.ad

443​

tcp

6.4​

Medium

Mitigation

SSL/TLS: Missing `secure` Cookie Attribute

The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.

The cookies: Set-Cookie: XSRF-TOKEN=eyJpdiI6ImRQUGR3RE13dGJhc1ppUHhQRjh1MEE9PSIsInZhbHVlIjoiRkZXQWllVUFBakFNZjVKNzZheUhDS3cxWHMrRGpNRDhPc2ExY3JiVWJYWVlxb2RnYUxoY2VxREdyZjdwY0QxaCIsIm1hYyI6IjgyNjhjMDgxODMzZDU2NWFkYWIxNzU4NWZjZmFiZjcyNDQ2NzUyNDZiNzM3YmE1YzQ2ZTBiZDcxMzdjZTkzZjUifQ%3D%3D; expires=Thu, 18-Jun-2020 01:13:43 GMT; Max-Age=***replaced***; path=/ Set-Cookie: laravel_session=eyJpdiI6InFPRFhGcDN2MVhoY2sxa0dUS2F4cHc9PSIsInZhbHVlIjoiRUpUWXRvaHc4YVwvbFVYYVd4eXcwbFFOWVIzY25WbnFLZTFSWWxJcFo1UHZZamRKNmN5MzhocFhjRUNPSjhDTFIiLCJtYWMiOiI4MjY1MjQ5NjljZGFlMDllNGIzYTUyMmFhNWI3OGU5YzZlNzU5OGIxZmM3Zjg5ZGE5NGM2MWVkNDFhZTg5Njc1In0%3D; expires=Thu, 18-Jun-2020 01:13:43 GMT; Max-Age=***replaced***; path=/; httponly are missing the "secure" attribute.

1.3.6.1.4.1.25623.1.0.902661

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

f8204ee4-4ebc-4262-811f-dc1d450c385e

Set the 'secure' attribute for any cookies that are sent over a SSL/TLS connection.

Server with SSL/TLS.

The flaw is due to cookie is not using 'secure' attribute, which allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker to conduct session hijacking attacks.

Details: SSL/TLS: Missing `secure` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.902661)

xxx.yyy.zzz.ad

443​

tcp

5​

Medium

Mitigation

Missing `httpOnly` Cookie Attribute

The application is missing the 'httpOnly' cookie attribute

The cookies: Set-Cookie: XSRF-TOKEN=eyJpdiI6ImRQUGR3RE13dGJhc1ppUHhQRjh1MEE9PSIsInZhbHVlIjoiRkZXQWllVUFBakFNZjVKNzZheUhDS3cxWHMrRGpNRDhPc2ExY3JiVWJYWVlxb2RnYUxoY2VxREdyZjdwY0QxaCIsIm1hYyI6IjgyNjhjMDgxODMzZDU2NWFkYWIxNzU4NWZjZmFiZjcyNDQ2NzUyNDZiNzM3YmE1YzQ2ZTBiZDcxMzdjZTkzZjUifQ%3D%3D; expires=Thu, 18-Jun-2020 01:13:43 GMT; Max-Age=***replaced***; path=/ are missing the "httpOnly" attribute.

1.3.6.1.4.1.25623.1.0.105925

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

fc2e64ae-82dc-41c5-95d4-fd66aaeada2a

Set the 'httpOnly' attribute for any session cookie.

Application with session handling in cookies.

The flaw is due to a cookie is not using the 'httpOnly' attribute. This allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.

Check all cookies sent by the application for a missing 'httpOnly' attribute Details: Missing `httpOnly` Cookie Attribute (OID: 1.3.6.1.4.1.25623.1.0.105925)

xxx.yyy.zzz.ad

2.6​

Low

Mitigation

TCP timestamps

The remote host implements TCP timestamps and therefore allows to compute the uptime.

It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in-between: Packet 1: 292205112 Packet 2: 292206260

1.3.6.1.4.1.25623.1.0.80091

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:38Z

20f7e1bd-a6ea-431e-b373-b374902523b6

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See the references for more information.

TCP/IPv4 implementations that implement RFC1323.

The remote host implements TCP timestamps, as defined by RFC1323.

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

xxx.yyy.zzz.ae

23​

tcp

4.8​

Medium

Mitigation

Telnet Unencrypted Cleartext Login

The remote host is running a Telnet service that allows cleartext logins over unencrypted connections.

Vulnerability was detected according to the Vulnerability Detection Method.

1.3.6.1.4.1.25623.1.0.108522

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T21:34:41Z

a87f3bf3-4b57-49c9-b438-15999024b844

An attacker can uncover login names and passwords by sniffing traffic to the Telnet service.

Replace Telnet with a protocol like SSH which supports encrypted connections.

Details: Telnet Unencrypted Cleartext Login (OID: 1.3.6.1.4.1.25623.1.0.108522)

xxx.yyy.zzz.af

2.6​

Low

Mitigation

TCP timestamps

The remote host implements TCP timestamps and therefore allows to compute the uptime.

It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in-between: Packet 1: 294184465 Packet 2: 294185608

1.3.6.1.4.1.25623.1.0.80091

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T22:07:11Z

0f13bd7d-a3c7-42c4-acc1-ab1db6a8b865

A side effect of this feature is that the uptime of the remote host can sometimes be computed.

To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See the references for more information.

TCP/IPv4 implementations that implement RFC1323.

The remote host implements TCP timestamps, as defined by RFC1323.

Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps (OID: 1.3.6.1.4.1.25623.1.0.80091)

xxx.yyy.zzz.af

636​

tcp

4.3​

Medium

Mitigation

SSL/TLS: Report Weak Cipher Suites

This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.

'Weak' cipher suites accepted by this service via the SSLv3 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_SEED_CBC_SHA 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_SEED_CBC_SHA 'Weak' cipher suites accepted by this service via the TLSv1.1 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_SEED_CBC_SHA 'Weak' cipher suites accepted by this service via the TLSv1.2 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_SEED_CBC_SHA

1.3.6.1.4.1.25623.1.0.103440

CVE-2013-2566,CVE-2015-2808,CVE-2015-4000

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T22:07:11Z

adf65c2d-7298-4e92-afd0-97b4739b55ae

The configuration of this services should be changed so that it does not accept the listed weak cipher suites anymore. Please see the references for more resources supporting you with this task.

These rules are applied for the evaluation of the cryptographic strength: - RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808). - Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000). - 1024 bit RSA authentication is considered to be insecure and therefore as weak. - Any cipher considered to be secure for only the next 10 years is considered as medium - Any other cipher is considered as strong

Details: SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440)

DFN-CERT-2020-1276,DFN-CERT-2017-1821,DFN-CERT-2016-1692,DFN-CERT-2016-1648,DFN-CERT-2016-1168,DFN-CERT-2016-0665,DFN-CERT-2016-0642,DFN-CERT-2016-0184,DFN-CERT-2016-0135,DFN-CERT-2016-0101,DFN-CERT-2016-0035,DFN-CERT-2015-1853,DFN-CERT-2015-1679,DFN-CERT-2015-1632,DFN-CERT-2015-1608,DFN-CERT-2015-1542,DFN-CERT-2015-1518,DFN-CERT-2015-1406,DFN-CERT-2015-1341,DFN-CERT-2015-1194,DFN-CERT-2015-1144,DFN-CERT-2015-1113,DFN-CERT-2015-1078,DFN-CERT-2015-1067,DFN-CERT-2015-1038,DFN-CERT-2015-1016,DFN-CERT-2015-1012,DFN-CERT-2015-0980,DFN-CERT-2015-0977,DFN-CERT-2015-0976,DFN-CERT-2015-0960,DFN-CERT-2015-0956,DFN-CERT-2015-0944,DFN-CERT-2015-0937,DFN-CERT-2015-0925,DFN-CERT-2015-0884,DFN-CERT-2015-0881,DFN-CERT-2015-0879,DFN-CERT-2015-0866,DFN-CERT-2015-0844,DFN-CERT-2015-0800,DFN-CERT-2015-0737,DFN-CERT-2015-0696,DFN-CERT-2014-0977,CB-K19/0812,CB-K17/1750,CB-K16/1593,CB-K16/1552,CB-K16/1102,CB-K16/0617,CB-K16/0599,CB-K16/0168,CB-K16/0121,CB-K16/0090,CB-K16/0030,CB-K15/1751,CB-K15/1591,CB-K15/1550,CB-K15/1517,CB-K15/1514,CB-K15/1464,CB-K15/1442,CB-K15/1334,CB-K15/1269,CB-K15/1136,CB-K15/1090,CB-K15/1059,CB-K15/1022,CB-K15/1015,CB-K15/0986,CB-K15/0964,CB-K15/0962,CB-K15/0932,CB-K15/0927,CB-K15/0926,CB-K15/0907,CB-K15/0901,CB-K15/0896,CB-K15/0889,CB-K15/0877,CB-K15/0850,CB-K15/0849,CB-K15/0834,CB-K15/0827,CB-K15/0802,CB-K15/0764,CB-K15/0733,CB-K15/0667,CB-K14/0935,CB-K13/0942

xxx.yyy.zzz.af

389​

tcp

4.3​

Medium

Mitigation

SSL/TLS: Report Weak Cipher Suites

This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.

'Weak' cipher suites accepted by this service via the SSLv3 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_SEED_CBC_SHA 'Weak' cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_SEED_CBC_SHA 'Weak' cipher suites accepted by this service via the TLSv1.1 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_SEED_CBC_SHA 'Weak' cipher suites accepted by this service via the TLSv1.2 protocol: TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_SEED_CBC_SHA

1.3.6.1.4.1.25623.1.0.103440

CVE-2013-2566,CVE-2015-2808,CVE-2015-4000

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T22:07:11Z

7fe61bd4-51a3-4cf8-b191-b26ad871d026

The configuration of this services should be changed so that it does not accept the listed weak cipher suites anymore. Please see the references for more resources supporting you with this task.

These rules are applied for the evaluation of the cryptographic strength: - RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808). - Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000). - 1024 bit RSA authentication is considered to be insecure and therefore as weak. - Any cipher considered to be secure for only the next 10 years is considered as medium - Any other cipher is considered as strong

Details: SSL/TLS: Report Weak Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.103440)

DFN-CERT-2020-1276,DFN-CERT-2017-1821,DFN-CERT-2016-1692,DFN-CERT-2016-1648,DFN-CERT-2016-1168,DFN-CERT-2016-0665,DFN-CERT-2016-0642,DFN-CERT-2016-0184,DFN-CERT-2016-0135,DFN-CERT-2016-0101,DFN-CERT-2016-0035,DFN-CERT-2015-1853,DFN-CERT-2015-1679,DFN-CERT-2015-1632,DFN-CERT-2015-1608,DFN-CERT-2015-1542,DFN-CERT-2015-1518,DFN-CERT-2015-1406,DFN-CERT-2015-1341,DFN-CERT-2015-1194,DFN-CERT-2015-1144,DFN-CERT-2015-1113,DFN-CERT-2015-1078,DFN-CERT-2015-1067,DFN-CERT-2015-1038,DFN-CERT-2015-1016,DFN-CERT-2015-1012,DFN-CERT-2015-0980,DFN-CERT-2015-0977,DFN-CERT-2015-0976,DFN-CERT-2015-0960,DFN-CERT-2015-0956,DFN-CERT-2015-0944,DFN-CERT-2015-0937,DFN-CERT-2015-0925,DFN-CERT-2015-0884,DFN-CERT-2015-0881,DFN-CERT-2015-0879,DFN-CERT-2015-0866,DFN-CERT-2015-0844,DFN-CERT-2015-0800,DFN-CERT-2015-0737,DFN-CERT-2015-0696,DFN-CERT-2014-0977,CB-K19/0812,CB-K17/1750,CB-K16/1593,CB-K16/1552,CB-K16/1102,CB-K16/0617,CB-K16/0599,CB-K16/0168,CB-K16/0121,CB-K16/0090,CB-K16/0030,CB-K15/1751,CB-K15/1591,CB-K15/1550,CB-K15/1517,CB-K15/1514,CB-K15/1464,CB-K15/1442,CB-K15/1334,CB-K15/1269,CB-K15/1136,CB-K15/1090,CB-K15/1059,CB-K15/1022,CB-K15/1015,CB-K15/0986,CB-K15/0964,CB-K15/0962,CB-K15/0932,CB-K15/0927,CB-K15/0926,CB-K15/0907,CB-K15/0901,CB-K15/0896,CB-K15/0889,CB-K15/0877,CB-K15/0850,CB-K15/0849,CB-K15/0834,CB-K15/0827,CB-K15/0802,CB-K15/0764,CB-K15/0733,CB-K15/0667,CB-K14/0935,CB-K13/0942

xxx.yyy.zzz.af

389​

tcp

4.3​

Medium

Mitigation

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection

It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Weak and Supported Ciphers' (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

1.3.6.1.4.1.25623.1.0.111012

CVE-2016-0800,CVE-2014-3566

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T22:07:11Z

39e6b5e2-a30a-46b1-84a7-d73c7da83486

An attacker might be able to use the known cryptographic flaws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection.

It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the references for more information.

All services providing an encrypted communication using the SSLv2 and/or SSLv3 protocols.

The SSLv2 and SSLv3 protocols containing known cryptographic flaws like: - Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566) - Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)

Check the used protocols of the services provided by this system. Details: SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012)

DFN-CERT-2018-0096,DFN-CERT-2017-1238,DFN-CERT-2017-1236,DFN-CERT-2016-1929,DFN-CERT-2016-1527,DFN-CERT-2016-1468,DFN-CERT-2016-1216,DFN-CERT-2016-1174,DFN-CERT-2016-1168,DFN-CERT-2016-0884,DFN-CERT-2016-0841,DFN-CERT-2016-0644,DFN-CERT-2016-0642,DFN-CERT-2016-0496,DFN-CERT-2016-0495,DFN-CERT-2016-0465,DFN-CERT-2016-0459,DFN-CERT-2016-0453,DFN-CERT-2016-0451,DFN-CERT-2016-0415,DFN-CERT-2016-0403,DFN-CERT-2016-0388,DFN-CERT-2016-0360,DFN-CERT-2016-0359,DFN-CERT-2016-0357,DFN-CERT-2016-0171,DFN-CERT-2015-1431,DFN-CERT-2015-1075,DFN-CERT-2015-1026,DFN-CERT-2015-0664,DFN-CERT-2015-0548,DFN-CERT-2015-0404,DFN-CERT-2015-0396,DFN-CERT-2015-0259,DFN-CERT-2015-0254,DFN-CERT-2015-0245,DFN-CERT-2015-0118,DFN-CERT-2015-0114,DFN-CERT-2015-0083,DFN-CERT-2015-0082,DFN-CERT-2015-0081,DFN-CERT-2015-0076,DFN-CERT-2014-1717,DFN-CERT-2014-1680,DFN-CERT-2014-1632,DFN-CERT-2014-1564,DFN-CERT-2014-1542,DFN-CERT-2014-1414,DFN-CERT-2014-1366,DFN-CERT-2014-1354,CB-K18/0094,CB-K17/1198,CB-K17/1196,CB-K16/1828,CB-K16/1438,CB-K16/1384,CB-K16/1141,CB-K16/1107,CB-K16/1102,CB-K16/0792,CB-K16/0599,CB-K16/0597,CB-K16/0459,CB-K16/0456,CB-K16/0433,CB-K16/0424,CB-K16/0415,CB-K16/0413,CB-K16/0374,CB-K16/0367,CB-K16/0331,CB-K16/0329,CB-K16/0328,CB-K16/0156,CB-K15/1514,CB-K15/1358,CB-K15/1021,CB-K15/0972,CB-K15/0637,CB-K15/0590,CB-K15/0525,CB-K15/0393,CB-K15/0384,CB-K15/0287,CB-K15/0252,CB-K15/0246,CB-K15/0237,CB-K15/0118,CB-K15/0110,CB-K15/0108,CB-K15/0080,CB-K15/0078,CB-K15/0077,CB-K15/0075,CB-K14/1617,CB-K14/1581,CB-K14/1537,CB-K14/1479,CB-K14/1458,CB-K14/1342,CB-K14/1314,CB-K14/1313,CB-K14/1311,CB-K14/1304,CB-K14/1296

xxx.yyy.zzz.af

636​

tcp

4.3​

Medium

Mitigation

SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection

It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.

In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Weak and Supported Ciphers' (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

1.3.6.1.4.1.25623.1.0.111012

CVE-2016-0800,CVE-2014-3566

31b63aaa-edb7-4a89-89bd-be48cf3c4e05

Internal_scans

2020-06-17T22:07:11Z

e9640d60-673b-42dd-80b7-bc93f3cccb04

An attacker might be able to use the known cryptographic flaws to eavesdrop the connection between clients and the service to get access to sensitive data transferred within the secured connection.

It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the references for more information.

All services providing an encrypted communication using the SSLv2 and/or SSLv3 protocols.

The SSLv2 and SSLv3 protocols containing known cryptographic flaws like: - Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566) - Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)

Check the used protocols of the services provided by this system. Details: SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection (OID: 1.3.6.1.4.1.25623.1.0.111012)

DFN-CERT-2018-0096,DFN-CERT-2017-1238,DFN-CERT-2017-1236,DFN-CERT-2016-1929,DFN-CERT-2016-1527,DFN-CERT-2016-1468,DFN-CERT-2016-1216,DFN-CERT-2016-1174,DFN-CERT-2016-1168,DFN-CERT-2016-0884,DFN-CERT-2016-0841,DFN-CERT-2016-0644,DFN-CERT-2016-0642,DFN-CERT-2016-0496,DFN-CERT-2016-0495,DFN-CERT-2016-0465,DFN-CERT-2016-0459,DFN-CERT-2016-0453,DFN-CERT-2016-0451,DFN-CERT-2016-0415,DFN-CERT-2016-0403,DFN-CERT-2016-0388,DFN-CERT-2016-0360,DFN-CERT-2016-0359,DFN-CERT-2016-0357,DFN-CERT-2016-0171,DFN-CERT-2015-1431,DFN-CERT-2015-1075,DFN-CERT-2015-1026,DFN-CERT-2015-0664,DFN-CERT-2015-0548,DFN-CERT-2015-0404,DFN-CERT-2015-0396,DFN-CERT-2015-0259,DFN-CERT-2015-0254,DFN-CERT-2015-0245,DFN-CERT-2015-0118,DFN-CERT-2015-0114,DFN-CERT-2015-0083,DFN-CERT-2015-0082,DFN-CERT-2015-0081,DFN-CERT-2015-0076,DFN-CERT-2014-1717,DFN-CERT-2014-1680,DFN-CERT-2014-1632,DFN-CERT-2014-1564,DFN-CERT-2014-1542,DFN-CERT-2014-1414,DFN-CERT-2014-1366,DFN-CERT-2014-1354,CB-K18/0094,CB-K17/1198,CB-K17/1196,CB-K16/1828,CB-K16/1438,CB-K16/1384,CB-K16/1141,CB-K16/1107,CB-K16/1102,CB-K16/0792,CB-K16/0599,CB-K16/0597,CB-K16/0459,CB-K16/0456,CB-K16/0433,CB-K16/0424,CB-K16/0415,CB-K16/0413,CB-K16/0374,CB-K16/0367,CB-K16/0331,CB-K16/0329,CB-K16/0328,CB-K16/0156,CB-K15/1514,CB-K15/1358,CB-K15/1021,CB-K15/0972,CB-K15/0637,CB-K15/0590,CB-K15/0525,CB-K15/0393,CB-K15/0384,CB-K15/0287,CB-K15/0252,CB-K15/0246,CB-K15/0237,CB-K15/0118,CB-K15/0110,CB-K15/0108,CB-K15/0080,CB-K15/0078,CB-K15/0077,CB-K15/0075,CB-K14/1617,CB-K14/1581,CB-K14/1537,CB-K14/1479,CB-K14/1458,CB-K14/1342,CB-K14/1314,CB-K14/1313,CB-K14/1311,CB-K14/1304,CB-K14/1296

Output data

IP	Hostname
xxx.yyy.zzz.aa
		Port	Port Protocol	CVSS	Severity	Solution Type	NVT Name	Summary	CVEs
		161​	udp	7.5​	High	VendorFix	Report default community names of the SNMP Agent	Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE).	CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-1999-0792,CVE-2000-0147,CVE-2001-0380,CVE-2001-0514,CVE-2001-1210,CVE-2002-0109,CVE-2002-0478,CVE-2002-1229,CVE-2004-1474,CVE-2004-1775,CVE-2004-1776,CVE-2011-0890,CVE-2012-4964,CVE-2014-4862,CVE-2014-4863,CVE-2016-1452,CVE-2016-5645,CVE-2017-7922
				2.6​	Low	Mitigation	TCP timestamps	The remote host implements TCP timestamps and therefore allows to compute the uptime.
		22​	tcp	2.6​	Low	Mitigation	SSH Weak MAC Algorithms Supported	The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.
		443​	tcp	5​	Medium	Mitigation	SSL/TLS: Certificate Expired	The remote server's SSL/TLS certificate has already expired.
		161​	udp	5​	Medium	Workaround	SNMP GETBULK Reflected DRDoS	The remote SNMP daemon allows distributed reflection and amplification (DRDoS) attacks.
		443​	tcp	5​	Medium	Mitigation	SSL/TLS: Report Vulnerable Cipher Suites for HTTPS	This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exists only on HTTPS services.	CVE-2016-2183,CVE-2016-6329
		22​	tcp	4.3​	Medium	Mitigation	SSH Weak Encryption Algorithms Supported	The remote SSH server is configured to allow weak encryption algorithms.
IP	Hostname
xxx.yyy.zzz.ab
				2.6​	Low	Mitigation	TCP timestamps	The remote host implements TCP timestamps and therefore allows to compute the uptime.
IP	Hostname
xxx.yyy.zzz.ac
		161​	udp	7.5​	High	VendorFix	Report default community names of the SNMP Agent	Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE).	CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-1999-0792,CVE-2000-0147,CVE-2001-0380,CVE-2001-0514,CVE-2001-1210,CVE-2002-0109,CVE-2002-0478,CVE-2002-1229,CVE-2004-1474,CVE-2004-1775,CVE-2004-1776,CVE-2011-0890,CVE-2012-4964,CVE-2014-4862,CVE-2014-4863,CVE-2016-1452,CVE-2016-5645,CVE-2017-7922
				2.6​	Low	Mitigation	TCP timestamps	The remote host implements TCP timestamps and therefore allows to compute the uptime.
		161​	udp	5​	Medium	Workaround	SNMP GETBULK Reflected DRDoS	The remote SNMP daemon allows distributed reflection and amplification (DRDoS) attacks.
		80​	tcp	4.8​	Medium	Workaround	Cleartext Transmission of Sensitive Information via HTTP	The host / application transmits sensitive information (username, passwords) in cleartext via HTTP.
		22​	tcp	4.3​	Medium	Mitigation	SSH Weak Encryption Algorithms Supported	The remote SSH server is configured to allow weak encryption algorithms.
IP	Hostname
xxx.yyy.zzz.ad
				2.6​	Low	Mitigation	TCP timestamps	The remote host implements TCP timestamps and therefore allows to compute the uptime.
		443​	tcp	6.4​	Medium	Mitigation	SSL/TLS: Missing `secure` Cookie Attribute	The host is running a server with SSL/TLS and is prone to information disclosure vulnerability.
		443​	tcp	5​	Medium	Mitigation	Missing `httpOnly` Cookie Attribute	The application is missing the 'httpOnly' cookie attribute
				2.6​	Low	Mitigation	TCP timestamps	The remote host implements TCP timestamps and therefore allows to compute the uptime.
IP	Hostname
xxx.yyy.zzz.ae
		23​	tcp	4.8​	Medium	Mitigation	Telnet Unencrypted Cleartext Login	The remote host is running a Telnet service that allows cleartext logins over unencrypted connections.
IP	Hostname
xxx.yyy.zzz.af
				2.6​	Low	Mitigation	TCP timestamps	The remote host implements TCP timestamps and therefore allows to compute the uptime.
		636​	tcp	4.3​	Medium	Mitigation	SSL/TLS: Report Weak Cipher Suites	This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.	CVE-2013-2566,CVE-2015-2808,CVE-2015-4000
		389​	tcp	4.3​	Medium	Mitigation	SSL/TLS: Report Weak Cipher Suites	This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.	CVE-2013-2566,CVE-2015-2808,CVE-2015-4000
		389​	tcp	4.3​	Medium	Mitigation	SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection	It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.	CVE-2016-0800,CVE-2014-3566
		636​	tcp	4.3​	Medium	Mitigation	SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection	It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system.	CVE-2016-0800,CVE-2014-3566

 

[pbornemeier]

This code should go in a standard module in the workbook that will hold the input data.

The CVSS .csv file data should be copied to the INPUT worksheet and there should be an OUTPUT worksheet (which will be erased during processing)

Please test on a copy of your file and let me know how it works or if it needs any changes.

Option Explicit

Sub subConvertCVSSInputWorksheet()
    'This code expects an 'Input' and an 'Output' worksheet to be
    '  present in the ActiveWorkbook
    
    'Using the data on the Input worksheet transform it into the
    '  required format on the output worksheet
    'Input Column           Output Column
    'A   IP                 A
    'B   Hostname           B
    'C   Port               C
    'D   Port Protocol      D
    'E   CVSS               E
    'F   Severity           F
    'G   Solution Type      G
    'H   NVT Name           H
    'I   Summary            I
    'J   Specific Result
    'K   NVT OID
    'L   CVEs               J
    'M   Task ID
    'N   Task Name
    'O   Timestamp
    'P   Result ID
    'Q   Impact
    'R   Solution
    'S   Affected Software/OS
    'T   Vulnerability Insight
    'U   Vulnerability Detection Method
    'V   Product Detection Result
    'W   BIDs
    'X   CERTs
    'Y   Other References
    
    Dim lLastInputRow As Long
    Dim lIndex As Long
    Dim sIP As String
    Dim sPort As String
    Dim sProtocol As String
    Dim sHostname As String
    Dim aryHeaders As Variant
    Dim sOutput As String
    Dim sCell As String
    Dim sHdr As String
    Dim sCol As String
    Dim lHdrErrCount As Long
    Dim aryOutputHeader1 As Variant
    Dim aryOutputHeader2 As Variant
    Dim lWriteRow As Long
    Dim wksOutput As Worksheet
    Dim wksInput As Worksheet
    
    Set wksInput = Worksheets("Input")
    Set wksOutput = Worksheets("Output")
    
    Select Case MsgBox("The CVSS file data on the " & wksInput.Name & " worksheet will " & _
        "be transformed and placed on the " & wksOutput.Name & " worksheet." & vbLf & vbLf & _
        "ALL DATA ON THE " & UCase(wksOutput.Name) & " WORKSHEET WILL BE ERASED." & vbLf & vbLf & _
        "    Yes" & vbTab & " to erase and continue." & vbLf & _
        "    No" & vbTab & " to halt processing", vbYesNo + vbDefaultButton2 + vbCritical, _
        "Erase " & wksOutput.Name & " and Continue ?")
    Case vbNo
        GoTo End_Sub
    Case Else
    End Select
    
    aryHeaders = Array("IP", "Hostname", "Port", "Port Protocol", "CVSS", _
        "Severity", "Solution Type", "NVT Name", "Summary", "Specific Result", _
        "NVT OID", "CVEs", "Task ID", "Task Name", "Timestamp", "Result ID", _
        "Impact", "Solution", "Affected Software/OS", "Vulnerability Insight", _
        "Vulnerability Detection Method", "Product Detection Result", "BIDs", _
        "CERTs", "Other References")    '0 based array
    aryOutputHeader1 = Array("IP", "Hostname")
    aryOutputHeader2 = Array("Port", "Port Protocol", "CVSS", "Severity", _
        "Solution Type", "NVT Name", "Summary", "CVEs")
        
    wksOutput.Cells.Clear
        
    With wksInput
        'Validate Input Headers
        For lIndex = LBound(aryHeaders) To UBound(aryHeaders)
            sCell = .Cells(1, lIndex + 1).Value
            sHdr = aryHeaders(lIndex)
            sCol = Split(Cells(1, lIndex + 1).Address, "$")(1)   'Column Letter
            If sCell <> sHdr Then
                lHdrErrCount = lHdrErrCount + 1
                sOutput = sOutput & vbLf & "[" & sCol & "] " & sHdr & " (" & sCell & ")"
            End If
        Next
        If Len(sOutput) <> 0 Then
            'Some columns did not match expected value
            sOutput = "[Column] Expected Value (Actual Value)" & sOutput
            MsgBox lHdrErrCount & " headers on the input worksheet did not match the expected value(s)." & vbLf & _
                "Correct this problem and start again.  Exiting." & vbLf & vbLf & sOutput, , "Header Error"
            GoTo End_Sub
        End If
        
        'Copy Data
        lLastInputRow = .Cells(.Rows.Count, 1).End(xlUp).Row
        For lIndex = 2 To lLastInputRow
            If .Cells(lIndex, 1).Value <> .Cells(lIndex - 1, 1).Value Then
                'New IP, add headers and copy first data row
                sIP = .Cells(lIndex, 1).Value
                sHostname = .Cells(lIndex, 2).Value
                sPort = .Cells(lIndex, 3).Value
                sProtocol = .Cells(lIndex, 4).Value
                If lIndex = 2 Then
                    lWriteRow = 2
                Else
                    lWriteRow = lWriteRow + 2
                End If
                With wksOutput
                    .Cells(lWriteRow, 1).Resize(1, 2).Value = aryOutputHeader1
                    .Cells(lWriteRow + 1, 1).Resize(1, 2).Value = Array(sIP, sHostname)
                    lWriteRow = lWriteRow + 2
                    .Cells(lWriteRow, 3).Resize(1, 8).Value = aryOutputHeader2
                    wksInput.Range(wksInput.Cells(lIndex, 3), wksInput.Cells(lIndex, 9)).Copy _
                        Destination:=.Cells(lWriteRow + 1, 3)
                    wksInput.Cells(lIndex, 12).Copy _
                        Destination:=.Cells(lWriteRow + 1, 10)
                    lWriteRow = lWriteRow + 1
                End With
            Else
                'Copy subsequent data rows
                lWriteRow = lWriteRow + 1
                .Range(wksInput.Cells(lIndex, 3), wksInput.Cells(lIndex, 9)).Copy _
                    Destination:=wksOutput.Cells(lWriteRow, 3)
                .Cells(lIndex, 12).Copy _
                    Destination:=wksOutput.Cells(lWriteRow, 10)
            End If
        Next
        
        'Format Output
        With wksOutput
            With .Cells.Font
                .Name = "Calibri"
                .Size = 10
            End With
            'Add space after commas in CVE column so they don't break in middle
            .Columns("J:J").Replace What:=",", Replacement:=", ", LookAt:=xlPart, _
                SearchOrder:=xlByRows, MatchCase:=False, SearchFormat:=False, _
                ReplaceFormat:=False
            'Remove extra line breaks from H:I
            .Columns("H:I").Replace What:="" & Chr(10) & "", Replacement:=" ", LookAt:=xlPart, _
                SearchOrder:=xlByRows, MatchCase:=False, SearchFormat:=False, _
                ReplaceFormat:=False
            'Remove double spaces from H:I (4 times)
            For lIndex = 1 To 4
                .Columns("H:I").Replace What:="  ", Replacement:=" ", LookAt:=xlPart, _
                    SearchOrder:=xlByRows, MatchCase:=False, SearchFormat:=False, _
                    ReplaceFormat:=False
            Next
            Cells.EntireColumn.AutoFit
            .Columns("H:I").ColumnWidth = 30
            .Columns("J:J").ColumnWidth = 35
            With .Cells
                .HorizontalAlignment = xlLeft
                .VerticalAlignment = xlTop
                .WrapText = True
            End With
            .Cells.EntireRow.AutoFit
            
            Application.Goto wksOutput.Range("A1"), scroll:=True
        End With
                    
    End With
    
    If Err.Number = 0 Then
        VBA.Beep
        MsgBox lLastInputRow & " rows processed", , "Processing complete"
    End If
    
End_Sub:

End Sub

 

[gr85z]

This works great thank you for the assistance.
I have a few more things to do on my side for our process on this.
Thanks again.

 

[pbornemeier]

You are welcome - glad to help.