| VID |
23027 |
| Severity |
20 |
| Port |
119 |
| Protocol |
TCP |
| Class |
NNTP |
| Detailed Description |
The NNTP server allows newsgroups to be read without authorization. NNTP is a TCP/IP protocol based on text strings sent bidirectionally over TCP channels. It is used to support reading newsgroups, posting new articles, and transferring articles between news servers. If the NNTP server allows read access to newsgroups without authorization, a remote attacker can obtain and read system resources. For example, this may be private company information if the server hosts private newsgroups. In addition, attackers can create a denial of service condition by continuously accessing the server, creating a strain on system resources.
* References: http://www.iss.net/security_center/static/89.php |
| Recommendation |
Disable the NNTP service if it's unused.
-- OR --
Restrict access to newsgroups.
For Unix/Linux systems:
- To disable:
  1. Edit the /etc/inetd.conf (or equivalent) file.
  2. Locate the line that controls the service.
  3. Type a # at the beginning of the line to comment out the service.
  4. Restart inetd.
- To restrict access:
  1. Edit the /usr/lib/news/nntp_access file.
  2. Change the line starting with default (line format: hostname read|xfer|both|no post|no [!exceptgroups]) so that it reads: default no no
For Windows systems:
- To disable:
  1. Open the MMC (Microsoft Management Console).
  2. Right-click the NNTP virtual server and click <STOP>.
- To restrict access:
  1. On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Click the virtual server that you want to configure.
  3. Click <Authentication> from the <Access Control> section of the <Access> tab.
  4. On the Action menu, click Properties.
  5. On the Access tab, click Authentication.
  6. Click to select any combination of the <Basic>, <Windows Security Package> or <SSL Client Authentication> check boxes. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
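The two Unix/Linux settings from the Recommendation can be verified after the change with a short audit. This is an added example, not part of the original advisory or of any vendor tool. The sample file contents are constructed, and treating lines that begin with # as comments in nntp_access is an assumption.

```python
# Added example: audits the two Unix settings named in the Recommendation.
# Formats assumed: inetd.conf lines start with the service name ("nntp");
# nntp_access lines are "hostname read|xfer|both|no post|no [!exceptgroups]".
READ_GRANTS = {"read", "both"}  # permission values that allow reading articles


def active_nntp_lines(inetd_text):
    """Return uncommented inetd.conf lines that start the nntp service."""
    hits = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and fields[0].lower() == "nntp":
            hits.append(line.strip())
    return hits


def audit_nntp_access(access_text):
    """Return (line_number, host, problem) tuples for entries to review."""
    findings, saw_default = [], False
    for number, line in enumerate(access_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, comment (assumed '#'), or malformed line
        host, read_perm, post_perm = fields[0], fields[1].lower(), fields[2].lower()
        if host == "default":
            saw_default = True
            if (read_perm, post_perm) != ("no", "no"):
                findings.append((number, host, f"default is '{read_perm} {post_perm}', not 'no no'"))
        elif read_perm in READ_GRANTS:
            findings.append((number, host, "explicit read grant, confirm it is intended"))
    if not saw_default:
        findings.append((0, "default", "no 'default no no' line present"))
    return findings


# Constructed sample files, not taken from a real system.
SAMPLE_INETD = """\
#ftp   stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
nntp   stream tcp nowait news /usr/sbin/in.nntpd in.nntpd
"""
SAMPLE_ACCESS = """\
# hostname     read  post
default        read  no
*.example.com  both  post
10.0.0.5       xfer  no
"""

if __name__ == "__main__":
    for hit in active_nntp_lines(SAMPLE_INETD):
        print("inetd: nntp still enabled:", hit)
    for number, host, problem in audit_nntp_access(SAMPLE_ACCESS):
        print(f"nntp_access line {number}: {host}: {problem}")
```

An empty result from both functions means the service line is commented out and the default entry denies read and post.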