1

OpenVAS is reporting the following vulnerability.

NVT: Cheops NG without password (OID: 1.3.6.1.4.1.25623.1.0.20161) 

I'm not running that so it is probably a false positive. I'm wondering what rule it's using to flag that. My guess is it's an open port as I have a few non-standard ports open on that endpoint. Any pointers as to where to look for the rule sets etc?

Wayne Gemmell

2 Answers

1

The VT in question flags a service if the following VT has previously detected a Cheops NG Agent service (on the default port 2300, but also on all ports with "unknown" services):

  • Name: Cheops NG Agent Detection
  • OID: 1.3.6.1.4.1.25623.1.0.20160
  • Filename: cheopsNG_detect.nasl

As seen in the source code of that VT, the detection of such an "unprotected" service happens if the service in question responds to a probing request ("m2" variable) and all of the following constraints match for the response:

  1. The length of the received response needs to be >= 8
  2. The received response starts with "\0\0\0"
  3. There is an additional "\x01\x00\x00\x7f" somewhere in the received response

Disclaimer: VT Dev @ Greenbone

cfischer
  • As a related note: The VT in question was running against every unknown service / port. But the last Cheops NG version is from 2005 and it is very unlikely that this tool is still running somewhere out in the wild (besides maybe lab environments). Due to this, the VT has been updated to only check services running on the default port 2300. If the service in question where this problematic result occurs is running on a different port, the report should be gone in one of the next feed updates. Thanks for your report. – cfischer May 12 '22 at 09:21
  • Thank you for sorting this out. It's an SMPP server we run on that port so this flag would have been an ongoing irritation. – Wayne Gemmell May 13 '22 at 07:41
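
The three response constraints listed in the answer above can be replayed offline against a captured reply to see which of them a service satisfies. This is an added example, not code from the original post or from the Greenbone VT; the "m2" probe is not reproduced, and the helper `length_prefixed_pdu` and all sample replies are constructed for illustration.

```python
import struct

# The three constraints quoted in the answer above.
MIN_LEN = 8
PREFIX = b"\x00\x00\x00"
MARKER = b"\x01\x00\x00\x7f"


def check_response(resp: bytes) -> dict:
    """Evaluate each constraint separately so a false positive can be explained."""
    checks = {
        "length_ok": len(resp) >= MIN_LEN,
        "prefix_ok": resp.startswith(PREFIX),
        "marker_ok": MARKER in resp,
    }
    checks["flagged"] = all(checks.values())
    checks["marker_offset"] = resp.find(MARKER)  # -1 when absent
    return checks


def length_prefixed_pdu(status: int, sequence: int) -> bytes:
    """Constructed 16-byte header of four big-endian 32-bit fields
    (length, command id, status, sequence). Hypothetical helper."""
    return struct.pack(">IIII", 16, 0x80000000, status, sequence)


# Constructed sample replies, not captures from any real service.
SAMPLES = {
    "pdu status=1 seq=0x7f00": length_prefixed_pdu(1, 0x7F00),
    "pdu status=0 seq=1": length_prefixed_pdu(0, 1),
    "text banner": b"220 mail.example.test ESMTP\r\n",
    "short binary reply": b"\x00\x00\x00\x01",
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        result = check_response(resp)
        print(f"{name:26} {resp.hex(' ')}")
        print(f"  {result}")
```

The first sample is flagged even though it is not a Cheops NG reply: a small big-endian length field supplies the leading zero bytes, and the marker bytes straddle the boundary between the status and sequence fields.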
-1

Port 3314 is the default port that Cheops NG listens on.

Wayne Gemmell
  • To the best of my knowledge it is actually 2300, not 3314. – cfischer May 10 '22 at 07:46
  • It's in the source though. Not that my C is great. if { (eval echo configure:3314: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then – Wayne Gemmell May 11 '22 at 08:29
  • This doesn't look like a default port because there seem to be different lines like e.g. "if { (eval echo configure:706: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then" in the "configure". The default port seems to be defined as 2300 in the "event.c" via "sin.sin_port = htons(2300);" which is also what has been defined in the VT in question in the past by the developer of that VT. – cfischer May 12 '22 at 09:17