OpenVAS incorrectly flags Cheops NG as a vulnerability


OpenVAS is reporting the following vulnerability.

NVT: Cheops NG without password (OID: 1.3.6.1.4.1.25623.1.0.20161) 

I'm not running that so it is probably a false positive. I'm wondering what rule it's using to flag that. My guess is it's an open port as I have a few non-standard ports open on that endpoint. Any pointers as to where to look for the rule sets etc?


There are 2 answers

2
cfischer On BEST ANSWER

The VT in question flags a service if the following VT has previously detected a Cheops NG Agent service (on the default port 2300, but also on all ports with "unknown" services):

  • Name: Cheops NG Agent Detection
  • OID: 1.3.6.1.4.1.25623.1.0.20160
  • Filename: cheopsNG_detect.nasl

As seen in the source code of that VT, the detection of such an "unprotected" service happens if the service in question responds to a probing request ("m2" variable) and all of the following constraints match for the response:

  1. The length of the received response needs to be >= 8
  2. The received response starts with "\0\0\0"
  3. There is an additional "\x01\x00\x00\x7f" somewhere in the received response

Disclaimer: VT Dev @ Greenbone
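Added example (not part of the answer above and not Greenbone's code): a small Python check that re-applies the three listed constraints to a response captured from the flagged port, so you can see which ones an unrelated service satisfies. It assumes the escape sequences denote raw bytes; the function names and sample responses are constructed for illustration.

```python
# Re-check a captured service response against the three constraints
# listed in the answer. Assumption: "\0\0\0" and "\x01\x00\x00\x7f" are raw bytes.

PREFIX = b"\x00\x00\x00"       # constraint 2: response starts with this
MARKER = b"\x01\x00\x00\x7f"   # constraint 3: appears anywhere in the response
MIN_LEN = 8                    # constraint 1: minimum response length


def check_response(resp: bytes) -> dict:
    """Evaluate each constraint separately so triage shows which ones hit."""
    return {
        "length_ge_8": len(resp) >= MIN_LEN,
        "starts_with_3_nul": resp.startswith(PREFIX),
        "contains_marker": MARKER in resp,
    }


def would_flag(resp: bytes) -> bool:
    """True only when all three constraints match, as the answer describes."""
    return all(check_response(resp).values())


def marker_offsets(resp: bytes) -> list:
    """Offsets of every marker occurrence, including overlapping ones."""
    offsets, i = [], resp.find(MARKER)
    while i != -1:
        offsets.append(i)
        i = resp.find(MARKER, i + 1)
    return offsets


# Constructed sample responses (not real captures).
SAMPLES = {
    "binary length-prefixed reply":
        b"\x00\x00\x00\x10\x02\x00\x00\x00\x01\x00\x00\x7f\x00\x00\x00\x00",
    "minimal 8-byte match": b"\x00\x00\x00\x01\x00\x00\x7f\x00",
    "nul prefix, no marker": b"\x00\x00\x00\x08ABCDEFGH",
    "short nul reply": b"\x00\x00\x00\x01\x00",
    "http banner": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        hits = [k for k, v in check_response(resp).items() if v]
        print(f"{name}: flag={would_flag(resp)} "
              f"matched={hits} marker_at={marker_offsets(resp)}")
```

Any binary protocol whose reply starts with three NUL bytes and happens to contain the four-byte marker passes all three checks, which is consistent with a detection on a non-standard port that runs something else.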

3
Wayne Gemmell On

Port 3314 is the default port that Cheops NG listens on.