This page shows results from the Nessus scan run against NetBotz v4.6.3 and other relevant security vulnerability information related to the product.
SNMP agent default community names
The community names of the remote SNMP server can be guessed.
Change the default community names.
SSL certificate cannot be trusted
The server's X.509 certificate does not have a signature from a known public certificate authority.
A self signed certificate is generated at installation. Replace the self signed certificate with a certificate signed by your own CA or an official CA.
SNMP 'GETBULK' reflection DDoS
The remote SNMP daemon is affected by a vulnerability that allows a reflected distributed denial of service attack.
Disable SNMP. If SNMP is required, consider using SNMPv3.
Change the SNMPv1 community names.
Set the local firewall (IP Filter) to only allow requests from specific IP addresses or authorized subnets.
Upgrade to NetBotz 4.6.3 which has disabled SNMPv2c. SNMPv3 still has this issue but is mitigated easily with the requirement that the attacker would have to know the SNMPv3 credentials.
Unencrypted Telnet server
The remote Telnet server transmits traffic in clear text.
Telnet is not enabled by default. Do not enable it unless customer support requires it and then disable it when it is not needed.
NetBotz relevant security information
|Zero Day (CVE-2016-0728)||Not affected. NetBotz uses a 2.6.x Linux Kernel, affected kernels are 3.8 and higher.|
|Leap Second 2015|
Not affected. NetBotz does not use NTP.
Not affected. NetBotz does not use glibc.
|Heartbleed (OpenSSL)||Not affected. The OpenSSL version used in NetBotz 4.x versions is not vulnerable.|
|Shellshock (CVE-2014-6271 / CVE-2014-7169)|
Not affected. NetBotz does not use BASH.
|Poodle||Addressed in NetBotz v4.4.1|
|Freak||Addressed in NetBotz v4.5.0|
OpenSSL Vulnerabilities listed here
|NetBotz 4.5.3 includes OpenSSL 1.0.2h, these will be addressed in the NetBotz 4.5.4 release|
|Dirty COW (CVE-2016-5195)|
NetBotz is based on Linux 2.6.12 and this vulnerability was introduced in 2.6.22.“The Dirty COW vulnerability has been present in the Linux kernel since version 2.6.22 in 2007, and is also believed to be present in Android, which is powered by the Linux kernel.”
|Devil's Ivy (CVE-2017-9765)||Addressed in NetBotz v4.6.3. Note that the version of gsoap was not updated but the official patch from Genivia was applied.|