openvas

OpenVAS incorrectly flags Cheops NG as vulnerability


OpenVAS is reporting the following vulnerability.

NVT: Cheops NG without password (OID: 1.3.6.1.4.1.25623.1.0.20161) 

I'm not running that so it is probably a false positive. I'm wondering what rule it's using to flag that. My guess is it's an open port as I have a few non-standard ports open on that endpoint. Any pointers as to where to look for the rule sets etc?


Solution

  • The VT in question is flagging a service if the following VT is detecting a Cheops NG Agent service (on the default port 2300 but also on all ports with "unknown" services) previously:

    As seen in the source code of that VT the detection of such an "unprotected" service happens if the service in question is responding to a probing request ("m2" variable) if all of the following constraints are matching for the response:

    1. The length of the received response needs to be >= 8
    2. The received response starts with "\0\0\0"
    3. There is an additional "\x01\x00\x00\x7f" somewhere in the received response

    Disclaimer: VT Dev @ Greenbone