I may have found a couple of vulnerabilities in the OS.

First up, TCP timestamps have been implemented. Are these required, or can I turn these off?

This is being reported as low, but the timestamps allow the uptime of the host to be computed.

The second one: the scanner found the remote server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

Again, the tool has reported this as low. Tool used: OpenVAS.

hmac-md5

Can this be disabled?

Hey @blazinfatherted thanks for the heads up.

I have notified the team of your finding and I would expect they will respond in due course :+1:

I have a few more, but they’re not high, but I would like you clever guys to review them. I’ll do a little report for you.

Before you all read this, I can’t stress enough that not all of these are issues.
Some of the findings on this list just need to be verified. Some of the logs will include a statement “While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards” & “If you think any of this information is wrong please report it to the referenced community portal.”
These messages were generated by openvas so please do not take everything here at face value.

However, there is a reference to CVE-1999-05 ICMP Timestamp Detection, so no one should get too excited over this, panic or stop using the service. I’m not stopping, because I love what these people do, and as a contributor that enjoys using the product I’m providing feedback.

Also, the IP has been replaced with xxx.xxx.xxx.xxx, and some other info has been edited out.

ICMP Timestamp Detection

general/icmp
Summary
The remote host responded to an ICMP timestamp request. The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp. This information could theoretically be used to exploit weak time-based random number generators in other services.
Vulnerability Detection Result
Vulnerability was detected according to the Vulnerability Detection Method.
Log Method
Details: ICMP Timestamp Detection (OID: 1.3.6.1.4.1.25623.1.0.103190)
Version used: Revision: 10411
References
CVE: CVE-1999-0524

CERT: CB-K15/1514, CB-K14/0632, DFN-CERT-2014-0658

Other: http://www.ietf.org/rfc/rfc0792.txt

CGI Scanning Consolidation
2375/tcp
Summary
The script consolidates various information for CGI scanning.
This information is based on the following scripts / settings:

  • HTTP-Version Detection (OID: 1.3.6.1.4.1.25623.1.0.100034)
  • No 404 check (OID: 1.3.6.1.4.1.25623.1.0.10386)
  • Web mirroring / webmirror.nasl (OID: 1.3.6.1.4.1.25623.1.0.10662)
  • Directory Scanner / DDI_Directory_Scanner.nasl (OID: 1.3.6.1.4.1.25623.1.0.11032)
  • The configured ‘cgi_path’ within the ‘Scanner Preferences’ of the scan config in use
  • The configured ‘Enable CGI scanning’, ‘Enable generic web application scanning’ and ‘Add historic /scripts and /cgi-bin to directories for CGI scanning’ within the ‘Global variable settings’ of the scan config in use

If you think any of this information is wrong please report it to the referenced community portal.
Vulnerability Detection Result
The Hostname/IP “” was used to access the remote host.

Generic web application scanning is disabled for this host via the “Enable generic web application scanning” option within the “Global variable settings” of the scan config in use.

Requests to this service are done via HTTP/1.1.

This service seems to be able to host PHP scripts.

This service seems to be able to host ASP scripts.

The User-Agent “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)” was used to access the remote host.

Historic /scripts and /cgi-bin are not added to the directories used for CGI scanning. You can enable this again with the “Add historic /scripts and /cgi-bin to directories for CGI scanning” option within the “Global variable settings” of the scan config in use.

The following directories were used for CGI scanning:

http://:2375/

While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
Log Method
Details: CGI Scanning Consolidation (OID: 1.3.6.1.4.1.25623.1.0.111038)
Version used: Revision: 13679

CGI Scanning Consolidation

80/tcp
Summary
The script consolidates various information for CGI scanning.
This information is based on the following scripts / settings:

  • HTTP-Version Detection (OID: 1.3.6.1.4.1.25623.1.0.100034)
  • No 404 check (OID: 1.3.6.1.4.1.25623.1.0.10386)
  • Web mirroring / webmirror.nasl (OID: 1.3.6.1.4.1.25623.1.0.10662)
  • Directory Scanner / DDI_Directory_Scanner.nasl (OID: 1.3.6.1.4.1.25623.1.0.11032)
  • The configured ‘cgi_path’ within the ‘Scanner Preferences’ of the scan config in use
  • The configured ‘Enable CGI scanning’, ‘Enable generic web application scanning’ and ‘Add historic /scripts and /cgi-bin to directories for CGI scanning’ within the ‘Global variable settings’ of the scan config in use

If you think any of this information is wrong please report it to the referenced community portal.
Vulnerability Detection Result
The Hostname/IP “” was used to access the remote host.

Generic web application scanning is disabled for this host via the “Enable generic web application scanning” option within the “Global variable settings” of the scan config in use.

Requests to this service are done via HTTP/1.1.

This service seems to be able to host PHP scripts.

This service seems to be able to host ASP scripts.

The User-Agent “Mozilla/5.0 [en] (X11, U; OpenVAS-VT 9.0.3)” was used to access the remote host.

Historic /scripts and /cgi-bin are not added to the directories used for CGI scanning. You can enable this again with the “Add historic /scripts and /cgi-bin to directories for CGI scanning” option within the “Global variable settings” of the scan config in use.

The following directories were used for CGI scanning:

http:///
http:///login
http:///public/build

While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards

The following directories were excluded from CGI scanning because the “Regex pattern to exclude directories from CGI scanning” setting of the NVT “Global variable settings” (OID: 1.3.6.1.4.1.25623.1.0.12288) for this scan was: “/(index.php|image|img|css|js$|js/|javascript|style|theme|icon|jquery|graphic|grafik|picture|bilder|thumbnail|media/|skins?/)”

http:///public/img
Log Method
Details: CGI Scanning Consolidation (OID: 1.3.6.1.4.1.25623.1.0.111038)
Version used: Revision: 13679

CPE Inventory
general/CPE-T
Summary
This routine uses information collected by other routines about CPE identities of operating systems, services and applications detected during the scan.
Vulnerability Detection Result
xxx.xxx.xxx.xxx|cpe:/a:docker:docker:17.13.3-dev
xxx.xxx.xxx.xxx|cpe:/a:_:dropbear_ssh_server:2017.75
xxx.xxx.xxx.xxx|cpe:/o:linux:kernel
Log Method
Details: CPE Inventory (OID: 1.3.6.1.4.1.25623.1.0.810002)
Version used: Revision: 14324

DIRB (NASL wrapper)

2375/tcp
Summary
This script uses DIRB to find directories and files on web applications via brute forcing. See the preferences section for configuration options.
Note: The plugin needs the ‘dirb’ binary found within the PATH of the user running the scanner and needs to be executable for this user. The existence of this binary is checked and reported separately within ‘Availability of scanner helper tools’ (OID: 1.3.6.1.4.1.25623.1.0.810000).
Vulnerability Detection Result
This are the directories/files found with brute force:

http://:2375/
Log Method
Details: DIRB (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.103079)
Version used: Revision: 13985

DIRB (NASL wrapper)

80/tcp
Summary
This script uses DIRB to find directories and files on web applications via brute forcing. See the preferences section for configuration options.
Note: The plugin needs the ‘dirb’ binary found within the PATH of the user running the scanner and needs to be executable for this user. The existence of this binary is checked and reported separately within ‘Availability of scanner helper tools’ (OID: 1.3.6.1.4.1.25623.1.0.810000).
Vulnerability Detection Result
This are the directories/files found with brute force:

http://:2375/
http://:80/
Log Method
Details: DIRB (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.103079)
Version used: Revision: 13985

Docker Detection

2375/tcp
Summary
The script sends a connection request to the server and attempts to extract the version number from the reply.
Vulnerability Detection Result
Detected Docker

Version: 17.13.3-dev (ApiVersion: 1.35)
Location: 2375/tcp
CPE: cpe:/a:docker:docker:17.13.3-dev

Concluded from version/product identification result:
Version":“17.13.3-dev”,

Concluded from version/product identification location:
/version

The following containers where detected running on the remote host:

Name: telegraf_1326573_994544
ID: 12a6317dadfac5f1c3a05530787cb30f39590c68f2960c1e42bfdd59b488f7bd
Image sha256:f7e1b3e3dca838fe1448e3bb6b93e3a80abece9ed8ee81c124866f7154e5c720
Ports: N/A

Name: grafana_1326571_994544
ID: c83a7c8a558f858ef754443da32d9d6308b7a310975a5edcfb73c28ebfed0dca
Image sha256:cbe1b4f2af15446b9fe1be4ed148c14d9e7e3ce465aa4e53ae77c42f62f8aff0
Ports: 0.0.0.0:80->80/tcp,

Name: sensor_1326572_994544
ID: 0a8bb420e44015befee947878d87676708e475e669a7624760e21dc4f392d288
Image sha256:45dc3eed9ee66b75c6138b2f423d7ffb16d5f129689f7c7275ae01390895ec0f
Ports: N/A

Name: influxdb_1326570_994544
ID: 55ce11f1b6aa204fb2e5f893ee379a786f8fd325360eada8c8909bb48e6db26b
Image sha256:e2456354b82667050471f47fb446e359040469cab3d816b09bbc39df2b59bc2f
Ports: N/A

Name: resin_supervisor
ID: cfad4f98d2b1d3d05e6e56ffaf66fbe69ea9cb6f02f67f64c0b165e74694382a
Image balena/rpi-supervisor:v9.14.0
Ports: N/A

Dropbear SSH Detection

22222/tcp
Summary
The script sends a connection request to the server and attempts to extract the version number from the reply.
Vulnerability Detection Result
Detected Dropbear

Version: 2017.75
Location: 22222/tcp
CPE: cpe:/a:_:dropbear_ssh_server:2017.75

Concluded from version/product identification result:
SSH-2.0-dropbear_2017.75
Log Method
Details: Dropbear SSH Detection (OID: 1.3.6.1.4.1.25623.1.0.105112)
Version used: Revision: 13576

HTTP Security Headers Detection

80/tcp
Summary
All known security headers are being checked on the host. On completion a report will hand back whether a specific security header has been implemented (including its value) or is missing on the target.
Vulnerability Detection Result
Header Name Header Value


X-Frame-Options : deny

Missing Headers

Content-Security-Policy
Referrer-Policy
X-Content-Type-Options
X-Permitted-Cross-Domain-Policies
X-XSS-Protection
Log Method
Details: HTTP Security Headers Detection (OID: 1.3.6.1.4.1.25623.1.0.112081)
Version used: Revision: 10899

Nikto (NASL wrapper)

2375/tcp
Summary
This plugin uses nikto to find weak CGI scripts and other known issues regarding web server security. See the preferences section for configuration options.
Note: The plugin needs the ‘nikto’ or ‘nikto.pl’ binary found within the PATH of the user running the scanner and needs to be executable for this user. The existence of this binary is checked and reported separately within ‘Availability of scanner helper tools’ (OID: 1.3.6.1.4.1.25623.1.0.810000).
Vulnerability Detection Result
Here is the Nikto report:

  • Nikto v2.1.6

  • Target IP: xxx.xxx.xxx.xxx
  • Target Hostname: xxx.xxx.xxx.xxx
  • Target Port: 2375
  • Virtual Host:
  • Start Time: 2019-07-27 12:21:22 (GMT0)

  • Server: No banner retrieved
  • The anti-clickjacking X-Frame-Options header is not present.
  • The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
  • The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
  • No CGI Directories found (use ‘-C all’ to force check all possible dirs)
  • Server banner has changed from ‘’ to ‘Docker/17.13.3-dev (linux)’ which may suggest a WAF, load balancer or proxy is in place
  • Uncommon header ‘api-version’ found, with contents: 1.35
  • Uncommon header ‘docker-experimental’ found, with contents: true
  • Uncommon header ‘ostype’ found, with contents: linux
  • 7942 requests: 0 error(s) and 6 item(s) reported on remote host
  • End Time: 2019-07-27 12:24:26 (GMT0) (184 seconds)

  • 1 host(s) tested

Log Method
Details: Nikto (NASL wrapper) (OID: 1.3.6.1.4.1.25623.1.0.14260)
Version used: Revision: 13985

OS Detection Consolidation and Reporting

general/tcp
Summary
This script consolidates the OS information detected by several NVTs and tries to find the best matching OS.
Furthermore it reports all previously collected information leading to this best matching OS. It also reports possible additional information which might help to improve the OS detection.
If any of this information is wrong or could be improved please consider to report these to the referenced community portal.
Vulnerability Detection Result
Best matching OS:

OS: Linux/Unix
CPE: cpe:/o:linux:kernel
Found by NVT: 1.3.6.1.4.1.25623.1.0.105112 (Dropbear SSH Detection)
Setting key “Host/runs_unixoide” based on this information
Log Method
Details: OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)
Version used: 2019-07-22T05:49:21+0000
References
Other: https://community.greenbone.net/c/vulnerability-tests

robot(s).txt exists on the Web Server

80/tcp
Summary
Web Servers can use a file called /robot(s).txt to ask search engines to ignore certain files and directories. By nature this file can not be used to protect private files from public read access.
Vulnerability Detection Result
The file ‘robots.txt’ contains the following:
User-agent: *
Disallow: /
Solution
Solution type: Mitigation
Review the content of the robots file and consider removing the files from the server or protect them in other ways in case you actually intended non-public availability.
Vulnerability Insight
Any serious web search engine will honor the /robot(s).txt file and not scan the files and directories listed there.
Any entries listed in this file are not even hidden anymore.
Log Method
Details: robot(s).txt exists on the Web Server (OID: 1.3.6.1.4.1.25623.1.0.10302)
Version used: Revision: 13679

SSH Protocol Algorithms Supported

22222/tcp
Summary
This script detects which algorithms and languages are supported by the remote SSH Service
Vulnerability Detection Result
The following options are supported by the remote ssh service:

kex_algorithms:
curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,kexguess2@.ucc.asn.au

server_host_key_algorithms:
ssh-rsa

encryption_algorithms_client_to_server:
aes128-ctr,aes256-ctr

encryption_algorithms_server_to_client:
aes128-ctr,aes256-ctr

mac_algorithms_client_to_server:
hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5

mac_algorithms_server_to_client:
hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5

compression_algorithms_client_to_server:
zlib@openssh.com,none

compression_algorithms_server_to_client:
zlib@openssh.com,none
Log Method
Details: SSH Protocol Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105565)
Version used: Revision: 13581
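
The MAC lists in a result like the one above can be checked mechanically, for example to confirm after an OS update that `hmac-md5` is no longer offered. This is an added example, not part of the original post or of OpenVAS; the function names are made up for illustration and the sample input is constructed from the MAC section of the report above. "Weak" is limited to what the finding names: MD5-based MACs and MACs truncated to 96 bits.

```shell
#!/bin/sh
# Added example: flag weak SSH MACs in an OpenVAS "SSH Protocol Algorithms
# Supported" result. Weak here means MD5-based or truncated to 96 bits,
# as named in the finding discussed in this thread.

# Constructed sample, taken from the MAC section of the report above.
sample_report() {
cat <<'EOF'
encryption_algorithms_client_to_server:
aes128-ctr,aes256-ctr

mac_algorithms_client_to_server:
hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5

mac_algorithms_server_to_client:
hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
EOF
}

# Reads a report on stdin; prints "<direction> <algorithm>" per weak MAC.
weak_macs() {
  awk '
    /^[a-z_]+:[ \t\r]*$/ { section = $0; sub(/:[ \t\r]*$/, "", section); next }
    section ~ /^mac_algorithms_/ && NF {
      dir = section; sub(/^mac_algorithms_/, "", dir)
      n = split($0, algs, ",")
      for (i = 1; i <= n; i++) {
        a = algs[i]; gsub(/[ \t\r]/, "", a)
        # hmac-md5, hmac-md5-96, hmac-sha1-96 and the -etm@openssh.com variants
        if (a ~ /md5/ || a ~ /-96$/ || a ~ /-96-etm@/) print dir, a
      }
    }
  '
}

# Returns 1 when any weak MAC is offered, so it can gate a scripted check.
check_macs() {
  found=$(weak_macs)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

sample_report | check_macs || echo "weak MACs offered"
```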

Hi,

The hmac-md5 was disabled recently by switching to OpenSSH. Not sure if this was released in any OS yet, but it should be there soon. :wink: (https://github.com/balena-os/meta-balena/issues/1490)

If you are concerned about the ICMP timestamp request problem, it can be blocked by setting appropriate iptables rules. A user application can configure the hostOS firewall when the container is started with networking: host. Add rules to block ICMP types 13 and 14. I’ll start an internal discussion if we should block this by default.

Everything on port 2375 is only visible because you probably used the development version of the OS. The port exposes the docker socket to the network to ease development, but please do not use development operating systems in production setups.

Everything on port 80 is probably your application, the grafana dashboard to be more precise.

I hope this clarifies the report. If you have any more questions let us know.

Best regards,
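
One way to write the rules for ICMP types 13 and 14 mentioned in the reply above, as an added example that is not from the original post or from the balena team. It assumes the script runs as root with the NET_ADMIN capability in a container sharing the host network, and that `iptables` is installed in that container; the function names and the choice of the INPUT and OUTPUT chains are this example's own.

```shell
#!/bin/sh
# Added example: drop ICMP timestamp requests (type 13) and timestamp
# replies (type 14). Assumes iptables is present and the caller is root
# with NET_ADMIN in a container on the host network.

# One rule spec per line: "<chain> <match and target>".
icmp_ts_rules() {
  cat <<'EOF'
INPUT -p icmp --icmp-type 13 -j DROP
OUTPUT -p icmp --icmp-type 14 -j DROP
EOF
}

# Insert each rule once: -C tests for an identical existing rule first,
# so restarting the container does not stack duplicates.
apply_icmp_ts_rules() {
  icmp_ts_rules | while read -r chain spec; do
    # $spec is left unquoted on purpose so it splits into iptables arguments.
    iptables -C "$chain" $spec 2>/dev/null || iptables -I "$chain" 1 $spec
  done
}

# Dry run by default: print the commands. Set APPLY=1 to change the firewall.
if [ "${APPLY:-0}" = "1" ]; then
  apply_icmp_ts_rules
else
  icmp_ts_rules | sed 's/^/iptables -I /'
fi
```

Rules added this way live in the kernel's running rule set only, so they need to be reapplied after a reboot, for instance from the container's start script.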