This page shows results from the Nessus scan run against NetBotz v4.6.3 and other relevant security vulnerability information related to the product.

Schneider Electric Vulnerability Management Policy

Nessus scan

Vulnerability

Answer

SNMP agent default community names

The community names of the remote SNMP server can be guessed.

 

Change the default community names.

SSL certificate cannot be trusted

The server's X.509 certificate does not have a signature from a known public certificate authority.

 

A self signed certificate is generated at installation. Replace the self signed certificate with a certificate signed by your own CA or an official CA.

SNMP 'GETBULK' reflection DDoS

The remote SNMP daemon is affected by a vulnerability that allows a reflected distributed denial of service attack.

 

Disable SNMP. If SNMP is required, consider using SNMPv3.

Change the SNMPv1 community names.

Set the local firewall (IP Filter) to only allow requests from specific IP addresses or authorized subnets.

Upgrade to NetBotz 4.6.3 which has disabled SNMPv2c. SNMPv3 still has this issue but is mitigated easily with the requirement that the attacker would have to know the SNMPv3 credentials.

Unencrypted Telnet server

The remote Telnet server transmits traffic in clear text.

 

Telnet is not enabled by default. Do not enable it unless customer support requires it and then disable it when it is not needed.

NetBotz relevant security information

Vulnerability

Answer

Zero Day (CVE-2016-0728)Not affected. NetBotz uses a 2.6.x Linux Kernel, affected kernels are 3.8 and higher.
Leap Second 2015

Not affected.

NTP (CVE-2014-9295)

Not affected. NetBotz does not use NTP.

Ghost (CVE-2015-0235)

Not affected. NetBotz does not use glibc.

Heartbleed (OpenSSL)Not affected. The OpenSSL version used in NetBotz 4.x versions is not vulnerable.
Shellshock (CVE-2014-6271 / CVE-2014-7169)

Not affected. NetBotz does not use BASH.

PoodleAddressed in NetBotz v4.4.1
FreakAddressed in NetBotz v4.5.0

OpenSSL Vulnerabilities listed here

NetBotz 4.5.3 includes OpenSSL 1.0.2h, these will be addressed in the NetBotz 4.5.4 release
Dirty COW (CVE-2016-5195)

NetBotz is based on Linux 2.6.12 and this vulnerability was introduced in 2.6.22.

“The Dirty COW vulnerability has been present in the Linux kernel since version 2.6.22 in 2007, and is also believed to be present in Android, which is powered by the Linux kernel.”
Devil's Ivy (CVE-2017-9765)Addressed in NetBotz v4.6.3. Note that the version of gsoap was not updated but the official patch from Genivia was applied.
Skip to end of metadata
Go to start of metadata
  • No labels
RELATED COMMUNITY QUESTIONS
WAS THIS ARTICLE HELPFUL?