Hand On Practical Ethical Hacking


Activity 13-1

1. Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities (2025 March 12)

   o This advisory addresses vulnerabilities in the SNMP subsystem of Cisco IOS, IOS XE, and IOS XR Software that could be exploited to cause a denial of service (DoS) condition on an affected device.

2. Cisco Secure Client for Windows with Secure Firewall Posture Engine DLL Hijacking Vulnerability (2025 March 05)

   o This advisory concerns a DLL hijacking vulnerability in Cisco Secure Client for Windows: an attacker who can place a malicious DLL in a specific location on the host could have it loaded and executed by the client.

3. Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability (2024 November 13)

   o This advisory highlights a vulnerability in the bootloader of Cisco IOS XR Software that could allow an unauthenticated attacker to disclose information from the device.

4. Cisco Firepower Threat Defense Software for Cisco Firepower 2100 Series Appliances TCP UDP Snort 2 and Snort 3 Denial of Service Vulnerability (2024 October 23)

   o This advisory addresses a DoS vulnerability in the TCP/UDP handling of Snort 2 and Snort 3 in Cisco Firepower Threat Defense Software on Firepower 2100 Series appliances.

5. Cisco Firepower Threat Defense Software Geolocation ACL Bypass Vulnerability (2024 October 23)

   o This advisory discusses a vulnerability that could allow an attacker to bypass geolocation-based access control lists (ACLs) in Cisco Firepower Threat Defense Software.

6. Cisco Adaptive Security Appliance and Firepower Threat Defense Software IKEv2 VPN Denial of Service Vulnerability (2024 October 23)

   o This advisory pertains to a DoS vulnerability in the IKEv2 VPN functionality of Cisco Adaptive Security Appliance and Firepower Threat Defense Software.

7. Cisco Adaptive Security Appliance and Firepower Threat Defense Software Remote Access VPN Brute Force Denial of Service Vulnerability (2024 October 23)

   o This advisory covers a vulnerability in which a flood of brute-force authentication attempts against the remote access VPN of the mentioned Cisco products exhausts resources and causes a DoS of the VPN service.


1. CVE-2024-20510

   o Description: A vulnerability in the Central Web Authentication (CWA) feature of Cisco IOS XE Software for Wireless Controllers could allow an unauthenticated, adjacent attacker to bypass the pre-authentication access control list (ACL).

   o Impact: An attacker on the same wireless network could reach network resources before user authentication, bypassing the configured ACL protections.

   o Published: September 25, 2024.

2. CVE-2024-20480

   o Description: A vulnerability in the DHCP Snooping feature of Cisco IOS XE Software on SD-Access fabric edge nodes could allow an unauthenticated, remote attacker to cause high CPU utilization, resulting in a denial of service (DoS) condition.

   o Impact: An attacker could cause the device to exhaust CPU resources, requiring a manual reload to recover.

   o Published: September 25, 2024.

3. CVE-2024-20467

   o Description: A vulnerability in the IPv4 fragmentation reassembly code in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a DoS condition.

   o Impact: An attacker could cause the device to reload, resulting in a DoS condition.

   o Published: September 25, 2024.

4. CVE-2024-20464

   o Description: A vulnerability in the Protocol Independent Multicast (PIM) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a DoS condition.

   o Impact: An attacker could cause an affected device to reload, resulting in a DoS condition.

   o Published: September 25, 2024.

5. CVE-2024-20455

   o Description: A vulnerability in the traffic classification process for the Unified Threat Defense (UTD) component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a DoS condition.

   o Impact: An attacker could cause the device to reload, resulting in a DoS condition.

   o Published: September 25, 2024.

6. CVE-2024-20437

   o Description: A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack.

   o Impact: If an authenticated administrator is lured into visiting a malicious page, the attacker could execute commands on the CLI of the affected device with the privileges of that user.

   o Published: September 25, 2024.

7. CVE-2024-20436

   o Description: A vulnerability in the HTTP Server feature of Cisco IOS XE Software when the Telephony Service feature is enabled could allow an unauthenticated, remote attacker to cause a DoS condition.

   o Impact: An attacker could cause the affected device to reload, resulting in a DoS condition.

   o Published: September 25, 2024.


For each of these vulnerabilities, Cisco provides fixed software releases through the corresponding Security Advisory. The practical check is to compare the running IOS XE release against the fixed releases listed in the advisory and, where the description names a feature (CWA, DHCP snooping, PIM, UTD, the web UI, the HTTP server with Telephony Service), to confirm whether that feature is actually enabled on the device, since a vulnerability in a feature that is not configured is not reachable.
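As a worked example of that triage, the script below is an added example written for this page; it is not part of the original write-up and is not Cisco or NVD tooling. It takes records in the shape of an NVD 2.0 API response (vulnerabilities[].cve.{id, published, descriptions[]}), carrying only the CVE IDs, publication dates and description text listed above, reads the attacker position and authentication requirement out of Cisco's fixed description template ("could allow an unauthenticated, remote attacker to ..."), and filters by which features a given device has enabled. The keyword-to-feature mapping, the feature names and the priority tiers are assumptions made for illustration.

```python
"""Triage Cisco IOS XE CVEs from NVD-shaped records.

Added example, not part of the original write-up and not Cisco or NVD
tooling. NVD_SAMPLE is constructed in the shape of an NVD 2.0 API response
and carries only the CVE IDs, dates and description text summarised in the
write-up. FEATURE_KEYWORDS and the P1/P2/P3 tiers are assumptions.
"""
import json
import re
from datetime import date


def _rec(cve_id, text):
    # Build one constructed record in NVD 2.0 shape.
    return {"cve": {"id": cve_id, "published": "2024-09-25T17:15:00.000",
                    "descriptions": [{"lang": "en", "value": text}]}}


NVD_SAMPLE = json.dumps({"vulnerabilities": [
    _rec("CVE-2024-20510", "A vulnerability in the Central Web Authentication (CWA) feature of Cisco IOS XE Software for Wireless Controllers could allow an unauthenticated, adjacent attacker to bypass the pre-authentication access control list (ACL)."),
    _rec("CVE-2024-20480", "A vulnerability in the DHCP Snooping feature of Cisco IOS XE Software on SD-Access fabric edge nodes could allow an unauthenticated, remote attacker to cause high CPU utilization, resulting in a denial of service (DoS) condition."),
    _rec("CVE-2024-20467", "A vulnerability in the IPv4 fragmentation reassembly code in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition."),
    _rec("CVE-2024-20464", "A vulnerability in the Protocol Independent Multicast (PIM) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition."),
    _rec("CVE-2024-20455", "A vulnerability in the traffic classification process for the Unified Threat Defense (UTD) component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition."),
    _rec("CVE-2024-20437", "A vulnerability in the web-based management interface of Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform a cross-site request forgery (CSRF) attack."),
    _rec("CVE-2024-20436", "A vulnerability in the HTTP Server feature of Cisco IOS XE Software when the Telephony Service feature is enabled could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition."),
]})

# Cisco descriptions follow a fixed template:
# "... could allow an [un]authenticated, <remote|adjacent|local> attacker to ..."
TEMPLATE = re.compile(r"allow an (?P<un>un)?authenticated, (?P<pos>remote|adjacent|local) attacker")

# Assumed mapping from description keywords to the device feature that must be
# enabled for the CVE to be reachable. A description matching no keyword is
# treated as always reachable (e.g. the IPv4 reassembly path).
FEATURE_KEYWORDS = {
    "Central Web Authentication": "cwa",
    "DHCP Snooping": "dhcp-snooping",
    "Protocol Independent Multicast": "pim",
    "Unified Threat Defense": "utd",
    "web-based management interface": "http-server",
    "HTTP Server feature": "http-server",
    "Telephony Service": "telephony-service",
}


def parse_nvd(text):
    """Flatten an NVD 2.0 response into {id, published, description} dicts."""
    out = []
    for item in json.loads(text)["vulnerabilities"]:
        cve = item["cve"]
        desc = next(d["value"] for d in cve["descriptions"] if d["lang"] == "en")
        out.append({"id": cve["id"],
                    "published": date.fromisoformat(cve["published"][:10]),
                    "description": desc})
    return out


def classify(description):
    """Extract attacker position and auth requirement from the template."""
    m = TEMPLATE.search(description)
    if m is None:
        raise ValueError("description does not follow the Cisco template")
    return {"authenticated": m.group("un") is None,
            "position": m.group("pos"),
            # CSRF needs a privileged victim to act, so it is not a pure
            # unauthenticated-remote issue despite the template wording.
            "user_interaction": "cross-site request forgery" in description}


def required_features(description):
    """Set of device features that must all be enabled for the CVE to apply."""
    return {feat for kw, feat in FEATURE_KEYWORDS.items() if kw in description}


def priority(info):
    """Assumed tiers: P1 unauthenticated+remote, P2 one of the two or
    interaction-dependent, P3 everything else."""
    if info["user_interaction"]:
        return "P2"
    if not info["authenticated"] and info["position"] == "remote":
        return "P1"
    if not info["authenticated"] or info["position"] == "remote":
        return "P2"
    return "P3"


def triage(text, enabled_features):
    """Return [(priority, cve_id)] for CVEs reachable on a device with the
    given enabled features, highest priority first."""
    result = []
    for rec in parse_nvd(text):
        if not required_features(rec["description"]) <= set(enabled_features):
            continue  # feature not configured: not reachable, skip
        result.append((priority(classify(rec["description"])), rec["id"]))
    return sorted(result)


if __name__ == "__main__":
    for prio, cve_id in triage(NVD_SAMPLE, {"http-server", "pim"}):
        print(prio, cve_id)
```

Run against a device with only the web UI and PIM enabled, the script keeps three of the seven CVEs (the two DoS issues reachable on that configuration as P1, the CSRF as P2) and drops the rest as unreachable; the feature check is what turns a list of advisories into an actual patch priority for one box.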

Activity 13-2

The OpenCanary configuration file for the "Linux Web Server" profile enables the following ports and emulates the corresponding software:

1. FTP (File Transfer Protocol):

   o Port: 21

   o Software: FTP server

   o Banner: "FTP server ready."

2. HTTP (Hypertext Transfer Protocol):

   o Port: 80

   o Software: Apache/2.2.22 (Ubuntu)

   o Banner: "Apache/2.2.22 (Ubuntu)"

   o Skin: "nasLogin" (a Synology NAS login page)

3. SSH (Secure Shell):

   o Port: 8022

   o Software: OpenSSH_5.1p1 Debian-4

   o Version string: "SSH-2.0-OpenSSH_5.1p1 Debian-4"

These ports and services are configured to present the appearance of a Linux web server. None of them is a real service: every connection, login attempt or request is an interaction with the honeypot and is logged, so any traffic to them is suspicious by definition and can be analysed for malicious activity. Note that the SSH emulation is placed on port 8022 rather than 22, presumably so that it does not collide with a real sshd on the host.


The second configuration file is for a Samba server, which bridges Linux/Unix and Windows systems by providing SMB file and print sharing. The file does not list ports explicitly; Samba's SMB service listens on TCP port 139 (NetBIOS Session Service, SMB carried over NetBIOS) and TCP port 445 (SMB directly over TCP/IP, without NetBIOS), and the nmbd name service additionally uses UDP ports 137 and 138. These ports are what Windows clients use to reach shared files and printers on a Linux/Unix server.

In the configuration, the [myshare] section defines a share with the comment "All the stuff!" that points to the /samba directory. Guest access is allowed and the share is browseable, but it is set read-only so that a visitor can list and read files without being able to modify them. The configuration also enables auditing through the full_audit VFS module. Samba's own log is written to /var/log/samba/log.all, while full_audit emits a record of each audited file operation to syslog on the local7 facility; an rsyslog rule redirects local7 to /var/log/samba-audit.log, so every access to the share is recorded there with the fields set in the full_audit:prefix option (typically user, client address, client name and share), followed by the operation, its result and the path.

The result is a share that behaves as ordinary file sharing while producing a detailed audit trail, which is what makes it a useful companion to OpenCanary: OpenCanary's Samba module watches that audit log rather than emulating SMB itself, so a read of any file on the decoy share becomes a honeypot event. Since nothing legitimate should be reading from a decoy share, each logged access is worth investigating.
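The parser below is an added example, not part of the original write-up and not OpenCanary's own code, showing what reading that audit log looks like in practice. It assumes the smb.conf uses full_audit:prefix = %U|%I|%m|%S (user, client IP, client NetBIOS name, share), so each syslog line carries "<prefix>|<operation>|<ok|fail>|<path>" after the smbd_audit tag; the log lines in SAMPLE_LOG are constructed, not captured, and the bait path used for alerting is an assumption.

```python
"""Parse Samba full_audit records from the rsyslog-redirected audit log.

Added example, not part of the original write-up or of OpenCanary. Assumes
full_audit:prefix = %U|%I|%m|%S, so the payload after "smbd_audit: " is
user|client_ip|client_name|share|operation|status|path. SAMPLE_LOG is
constructed; the "finance/" bait path is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/samba-audit.log content (assumed format).
SAMPLE_LOG = """\
Mar 12 10:15:02 canary smbd_audit: nobody|172.20.10.5|DESKTOP-7F3K|myshare|pread|ok|README.txt
Mar 12 10:15:03 canary smbd_audit: nobody|172.20.10.5|DESKTOP-7F3K|myshare|pread|ok|finance/payroll.xlsx
Mar 12 10:15:09 canary smbd_audit: nobody|172.20.10.7|WORKSTATION-2|myshare|pread|ok|README.txt
Mar 12 10:15:10 canary smbd_audit: nobody|172.20.10.7|WORKSTATION-2|myshare|pwrite|fail|README.txt
Mar 12 10:15:11 canary kernel: unrelated line that must be ignored
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) smbd_audit: (?P<payload>.+)$")
FIELDS = ("user", "client_ip", "client_name", "share", "operation", "status", "path")


def parse_audit(text):
    """Return one dict per smbd_audit line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # maxsplit keeps any '|' inside the path in the path field
        parts = m.group("payload").split("|", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue  # malformed record: do not guess field positions
        ev = dict(zip(FIELDS, parts))
        ev["timestamp"] = m.group("ts")
        ev["host"] = m.group("host")
        events.append(ev)
    return events


def reads_by_client(events):
    """Map client IP -> list of paths successfully read on the decoy share."""
    reads = defaultdict(list)
    for ev in events:
        if ev["operation"] == "pread" and ev["status"] == "ok":
            reads[ev["client_ip"]].append(ev["path"])
    return dict(reads)


def alerts(events, bait_paths=("finance/",)):
    """Flag clients that read bait content or attempted writes to a read-only
    share; both are high-signal on a decoy that nothing should touch."""
    found = []
    for ev in events:
        if ev["operation"] == "pread" and ev["status"] == "ok" and ev["path"].startswith(bait_paths):
            found.append((ev["client_ip"], "bait-read", ev["path"]))
        elif ev["operation"] == "pwrite":
            found.append((ev["client_ip"], "write-attempt", ev["path"]))
    return found


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_LOG)
    print(reads_by_client(evs))
    for a in alerts(evs):
        print(*a)
```

The maxsplit in parse_audit matters: file names can legitimately contain "|", and splitting on every separator would silently shift the operation and status columns for those records.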

The OpenCanary configuration file for the "MySQL Server" profile enables two ports, each emulating a different piece of software to present a realistic server. The MySQL service runs on port 3306 with a banner identifying it as version "5.5.43-0ubuntu0.14.04.1", mimicking a genuine MySQL server of the kind commonly used for database management. In addition, the SSH (Secure Shell) service is enabled on port 22 with the version string "SSH-2.0-OpenSSH_5.1p1 Debian-4", simulating an OpenSSH server of the kind used for remote administration. In this profile the emulated SSH takes the standard port 22, unlike the web-server profile above, so it cannot share a host with a real sshd on that port.

The OpenCanary configuration file for the "MSSQL Server" profile likewise enables two ports. The Microsoft SQL Server (MSSQL) service runs on port 1433 with its version identifier set to "2012", mimicking a genuine MSSQL database server used for data storage and management. The Remote Desktop Protocol (RDP) service is enabled on port 3389, simulating the Windows Remote Desktop service used for remote access to a system.

By enabling these ports and services, OpenCanary creates a deceptive environment that attracts and detects attackers. The emulated MSSQL and RDP services lead an attacker to believe they are interacting with real systems, and because no legitimate client has any reason to connect to them, each connection and every username and password tried against them is logged as an event that security staff can review. This makes the setup useful for identifying attack patterns, such as credential guessing against database and remote-access services, and for gathering intelligence on who is probing the network.
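To show what "logged as an event" means across the Linux web server, MySQL and MSSQL profiles described above, the script below is an added example, not part of the original write-up and not OpenCanary's own code. It reads the one-JSON-object-per-line log that OpenCanary's file logger writes and uses the logtype codes from OpenCanary's logger module (2000 FTP login, 3001 HTTP POST login, 4000 SSH new connection, 4002 SSH login, 8001 MySQL login, 9001 MSSQL SQL-auth login, 14001 RDP connection); check them against the installed version. The events in SAMPLE_EVENTS are constructed, with the logdata field layout assumed from those loggers, and the "sweep" threshold is an assumption.

```python
"""Summarise OpenCanary JSON events across the emulated services.

Added example, not part of the original write-up or of OpenCanary. LOGTYPES
are the codes from OpenCanary's logger module as understood here (verify
against your version); SAMPLE_EVENTS is constructed, not captured.
"""
import json
from collections import defaultdict

LOGTYPES = {2000: "ftp", 3001: "http-login", 4000: "ssh", 4002: "ssh",
            8001: "mysql", 9001: "mssql", 14001: "rdp"}


def _ev(logtype, src, dport, **logdata):
    # Build one constructed event line in OpenCanary's per-line JSON shape.
    return json.dumps({"dst_host": "172.20.10.9", "dst_port": dport,
                       "local_time": "2025-03-12 10:15:01.000000",
                       "logdata": logdata, "logtype": logtype,
                       "node_id": "opencanary-1", "src_host": src, "src_port": 51000})


SAMPLE_EVENTS = "\n".join([
    _ev(4000, "172.20.10.5", 8022),                                   # SSH connect, no login
    _ev(4002, "172.20.10.5", 8022, USERNAME="root", PASSWORD="toor"),
    _ev(4002, "172.20.10.5", 8022, USERNAME="root", PASSWORD="admin"),
    _ev(8001, "172.20.10.5", 3306, USERNAME="root", PASSWORD=""),
    _ev(9001, "172.20.10.5", 1433, USERNAME="sa", PASSWORD="sa"),
    _ev(3001, "172.20.10.7", 80, USERNAME="admin", PASSWORD="Password1", PATH="/index.html"),
    _ev(14001, "172.20.10.7", 3389),                                  # RDP connect, no creds
    _ev(2000, "10.0.0.3", 21, USERNAME="anonymous", PASSWORD="guest@"),
])


def parse_events(text):
    """One dict per line: source, service name, and credentials if present."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({"src": raw["src_host"], "dst_port": raw["dst_port"],
                       "service": LOGTYPES.get(raw["logtype"], "other"),
                       "username": raw["logdata"].get("USERNAME"),
                       "password": raw["logdata"].get("PASSWORD")})
    return events


def summarize(events):
    """src -> services touched, credential attempts, distinct usernames."""
    summary = defaultdict(lambda: {"services": set(), "attempts": 0, "usernames": set()})
    for ev in events:
        s = summary[ev["src"]]
        s["services"].add(ev["service"])
        if ev["username"] is not None:   # only credential events count as attempts
            s["attempts"] += 1
            s["usernames"].add(ev["username"])
    return dict(summary)


def alerts(summary, min_services=2):
    """Sources probing several emulated services look like a sweep; return
    (src, sorted services) for each, most services first."""
    hits = [(src, sorted(s["services"])) for src, s in summary.items()
            if len(s["services"]) >= min_services]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for src, s in summary.items():
        print(src, sorted(s["services"]), s["attempts"], sorted(s["usernames"]))
    print(alerts(summary))
```

The per-source view is the useful one on a honeypot: a single failed SSH login is noise on a real server, but one address trying SSH, MySQL and MSSQL on a decoy within seconds is a scanner, and the usernames it tries (root, sa) tell you which wordlist it is running.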


Overview of the Scan

 Target IP Address: 172.20.10.9

 Nmap Version: 7.94SVN

Host Status

 Host Availability: The host at 172.20.10.9 is up and reachable, with a response latency of 0.0030 s. This confirms that the host is operational and connected to the network.

Open Ports and Services

The scan detected four open TCP ports on the target host, each associated with a specific service:

1. Port 80/tcp - HTTP:

   o Service: HTTP (Hypertext Transfer Protocol)

   o Significance: This port is typically used for web servers. An open HTTP port indicates that the host is likely hosting a website or web application. This is a common area of interest for security assessments, as web services often contain vulnerabilities that may be exploited.

2. Port 135/tcp - MSRPC:

   o Service: MSRPC (Microsoft Remote Procedure Call)

   o Significance: MSRPC is the endpoint mapper for RPC services on Windows systems. An open MSRPC port lets a remote client enumerate the RPC interfaces the host exposes and can be a security risk if those services are misconfigured or have known vulnerabilities.

3. Port 139/tcp - NetBIOS-SSN:

   o Service: NetBIOS Session Service

   o Significance: NetBIOS is commonly used for file and printer sharing in Windows networks. An open NetBIOS port can pose a security threat, as it may allow unauthorized access to shared resources (and, via null sessions, user and share enumeration) if not adequately secured.

4. Port 445/tcp - Microsoft-DS:

   o Service: Microsoft-DS (Microsoft Directory Services)

   o Significance: This port carries the SMB (Server Message Block) protocol directly over TCP, used for file sharing and network browsing. Attackers often target open SMB ports because of historical vulnerabilities such as MS17-010 (EternalBlue).

Taken together, 135, 139 and 445 open on the same host is the classic Windows fingerprint (RPC endpoint mapper plus SMB over NetBIOS and over TCP), so follow-up enumeration would normally focus on SMB (shares, signing, null or guest sessions) and RPC.

Filtered Ports

 Filtered Ports: The scan identified 996 filtered TCP ports. A filtered port is one for which Nmap received no response (or an ICMP unreachable error) and therefore cannot tell whether it is open or closed, which usually indicates a firewall or other network filtering in the path. Four open plus 996 filtered ports account for the 1000 ports Nmap scans by default.
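The summary above was produced by reading Nmap's normal output by hand; the script below is an added example, not part of the original write-up and not part of Nmap, showing how to parse the same scan from Nmap's grepable output (-oG) so the checks (open ports, Windows fingerprint, open plus filtered equals ports scanned) can be applied across many hosts. SAMPLE_GNMAP is constructed to match the scan summarised above; its command line and timestamps are assumptions. The Ports field layout (port/state/proto/owner/service/rpcinfo/version/) is Nmap's documented grepable format.

```python
"""Parse Nmap grepable (-oG) output and flag the Windows/SMB exposure.

Added example, not part of the original write-up or of Nmap. SAMPLE_GNMAP
is constructed to match the scan summarised above (4 open, 996 filtered);
the command line and timestamps in it are assumed.
"""
import re

SAMPLE_GNMAP = """\
# Nmap 7.94SVN scan initiated Wed Mar 12 10:00:00 2025 as: nmap -oG scan.gnmap 172.20.10.9
Host: 172.20.10.9 ()\tStatus: Up
Host: 172.20.10.9 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (996)
# Nmap done at Wed Mar 12 10:00:05 2025 -- 1 IP address (1 host up) scanned in 5.02 seconds
"""

IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")


def parse_gnmap(text):
    """Return {ip: {"status", "ports": [(port, state, proto, service)], "ignored": (state, count)}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and blanks
        fields = line.split("\t")
        ip = fields[0].split()[1]
        h = hosts.setdefault(ip, {"status": None, "ports": [], "ignored": None})
        for field in fields[1:]:
            if field.startswith("Status: "):
                h["status"] = field.split(": ", 1)[1]
            elif field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    # port/state/proto/owner/service/rpcinfo/version/ -> 8 pieces
                    port, state, proto, _owner, service, _rpc, _ver, _tail = entry.split("/")
                    h["ports"].append((int(port), state, proto, service))
            elif field.startswith("Ignored State: "):
                m = IGNORED_RE.search(field)
                h["ignored"] = (m.group(1), int(m.group(2)))
    return hosts


def open_ports(hosts, ip):
    """Sorted list of open TCP ports for one host."""
    return sorted(p for p, state, proto, _ in hosts[ip]["ports"]
                  if state == "open" and proto == "tcp")


def looks_like_windows(hosts, ip):
    """135 (RPC endpoint mapper) + 139 + 445 (SMB) open together is the
    usual Windows host profile."""
    return {135, 139, 445} <= set(open_ports(hosts, ip))


def scanned_total(hosts, ip):
    """Ports listed individually plus the ignored-state count; this should
    equal the number of ports scanned (1000 for a default scan)."""
    listed = len(hosts[ip]["ports"])
    ignored = hosts[ip]["ignored"][1] if hosts[ip]["ignored"] else 0
    return listed + ignored


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for ip in hosts:
        print(ip, hosts[ip]["status"], open_ports(hosts, ip),
              "windows-like" if looks_like_windows(hosts, ip) else "",
              "scanned:", scanned_total(hosts, ip))
```

The scanned_total check is a cheap sanity test when comparing scans: if it does not come out at the expected port count, the scan was run with a different port list or was cut short, and the results are not comparable with the previous run.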

CVE-2024-10180 affects the Contact Form 7 – Repeatable Fields plugin for WordPress. Versions up to and including 2.0.1 are vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's field_group shortcode. The issue arises from insufficient input sanitization and output escaping of user-supplied attributes, enabling authenticated attackers with contributor-level access or higher to inject arbitrary web scripts that execute whenever a user accesses an injected page. The contributor threshold is the important detail: any account that can write posts can plant the payload, and it fires in the browser of whoever views the page, including administrators.

CVE-2020-10180 pertains to the ESET AV parsing engine, which allows virus-detection bypass via a crafted BZ2 Checksum field in an archive. This affects engine versions before 1294 in several ESET products, including Smart Security Premium, Internet Security, NOD32 Antivirus, and others. The flaw lets a malicious archive pass the scanner undetected, defeating the protection the product is supposed to provide.

CVE-2019-10180 involves a vulnerability in all pki-core 10.x.x versions, where the Token Processing Service (TPS) fails to properly sanitize several parameters stored for tokens. This leads to a Stored Cross-Site Scripting (XSS) vulnerability: an attacker who can modify token parameters can trick authenticated users into executing arbitrary JavaScript code.

CVE-2018-10180 is currently reserved, meaning an organization or individual has set aside this identifier for a future security announcement. Details will be provided once the issue is publicized.

CVE-2017-10180 is a vulnerability in the Oracle CRM Technical Foundation component of Oracle E-Business Suite. Affected versions include 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle CRM Technical Foundation. Successful attacks require human interaction and can result in unauthorized access to critical data or complete control over accessible data, with a CVSS 3.0 Base Score of 8.2.

CVE-2016-10180 describes an issue in the D-Link DWR-932B router, where WPS PIN generation is based on srand(time(0)) seeding. Because the PRNG seed is the current time in seconds, an attacker who can estimate when the PIN was generated only has to try a few thousand candidate seeds rather than the full PIN space, so the PIN can be predicted or brute-forced and the wireless network joined.
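The following is an added example, not part of the original write-up and not the D-Link DWR-932B firmware, illustrating why time-based seeding makes the PIN recoverable. The only page-supported fact is that the PIN comes from a generator seeded with the current time; the generator here is a stand-in (Python's random module seeded with a Unix timestamp), the checksum digit is the standard WPS rule, and the boot timestamp and search window are assumptions.

```python
"""Why seeding a PIN generator with srand(time(0)) is fatal.

Added example, not the D-Link firmware's code. generate_pin is a stand-in
generator seeded with a Unix timestamp; wps_checksum is the standard WPS
PIN check digit; the timestamps used below are assumptions.
"""
import random


def wps_checksum(seven_digits):
    """WPS PIN check digit: accum = 3*(d1+d3+d5+d7) + (d2+d4+d6); the digit
    that brings accum to a multiple of 10."""
    digits = [int(c) for c in f"{seven_digits:07d}"]
    accum = 3 * sum(digits[0::2]) + sum(digits[1::2])
    return (10 - accum % 10) % 10


def generate_pin(seed):
    """Stand-in for a PIN generator seeded with time(0): the same second
    always yields the same PIN, which is the whole weakness."""
    rng = random.Random(seed)
    body = rng.randrange(10_000_000)          # 7 random digits
    return f"{body:07d}{wps_checksum(body)}"


def is_valid_pin(pin):
    """A well-formed 8-digit WPS PIN has a correct check digit."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def recover_seeds(pin, t_start, window_seconds):
    """Attacker side: if the PIN was generated somewhere in
    [t_start, t_start + window), try every second and keep the seeds that
    reproduce the observed PIN. A few thousand trials replace a 10^7 search."""
    return [t for t in range(t_start, t_start + window_seconds)
            if generate_pin(t) == pin]


if __name__ == "__main__":
    boot = 1741773600                          # assumed generation time
    pin = generate_pin(boot)
    print("device PIN:", pin, "valid:", is_valid_pin(pin))
    # Attacker only knows the PIN was generated within +/- 1 hour of boot.
    print("candidate seeds:", recover_seeds(pin, boot - 3600, 7200))
```

In the real attack the attacker does not even need the PIN first: the same loop can be run forward, generating the candidate PIN for each second in the window and trying each against WPS, which is why a time-seeded generator reduces an 8-digit PIN to a search over the device's plausible uptime.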

CVE-2014-10180 is another reserved CVE, with details to be announced in the future.

CVE-2009-4093 describes multiple cross-site scripting (XSS) vulnerabilities in comments.php in Simplog 0.9.3.2 and possibly earlier versions. Remote attackers can inject arbitrary web script or HTML via the cname (Name) or email parameters of the comment form.

CVE-2009-4092 involves a cross-site request forgery (CSRF) vulnerability in user.php in Simplog 0.9.3.2 and possibly earlier versions. This flaw allows remote attackers to hijack the authentication of administrators and users, enabling them to change passwords without authorization. Taken together with the XSS above, the two can be chained: a stored script in a comment can issue the forged password-change request from the victim's own session, so the two findings should be rated together rather than in isolation.
