Security - Nessus check domain vulnerability incidents

I had Nessus run a test on the admin interface and other services and it found some results that could incidents the security of the services.

  1. Admin login page:

  2. Preinstalled SSH server (with upgrading from Hestia apt sources):

  3. and mail server (SMTP - plain password and low port 25), etc.

I suppose that could be enhanced.

Keep in mind that Ubuntu and Debian are patching the current versions so your current OpenSSH server 8.9p1 is not vulnerable to those issues (CVE-2023-48795, CVE-2023-51384 and CVE-2023-51385).

You can check it with apt changelog openssh-server command:

Ubuntu 22.04

openssh (1:8.9p1-3ubuntu0.6) jammy-security; urgency=medium

  * SECURITY UPDATE: incomplete PKCS#11 destination constraints
    - debian/patches/CVE-2023-51384.patch: apply destination constraints to
      all p11 keys in ssh-agent.c.
    - CVE-2023-51384
  * SECURITY UPDATE: command injection via shell metacharacters
    - debian/patches/CVE-2023-51385.patch: ban user/hostnames with most
      shell metacharacters in ssh.c.
    - CVE-2023-51385

 -- Marc Deslauriers <[email protected]>  Tue, 02 Jan 2024 11:54:04 -0500

openssh (1:8.9p1-3ubuntu0.5) jammy-security; urgency=medium

  * SECURITY UPDATE: Prefix truncation attack on BPP
    - debian/patches/CVE-2023-48795.patch: implement "strict key exchange"
      in PROTOCOL, kex.c, kex.h, packet.c, sshconnect2.c, sshd.c.
    - CVE-2023-48795
  * SECURITY UPDATE: smartcard constraints not added to agent
    - debian/patches/CVE-2023-28531.patch: include destination constraints
      for smartcard keys too in authfd.c.
    - CVE-2023-28531

 -- Marc Deslauriers <[email protected]>  Mon, 18 Dec 2023 11:28:16 -0500

Debian 12

openssh (1:9.2p1-2+deb12u2) bookworm-security; urgency=medium

  * Cherry-pick from upstream:
    - [CVE-2023-28531] ssh-add(1): when adding smartcard keys to
      ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...)
      added in OpenSSH 8.9, a logic error prevented the constraints from
      being communicated to the agent. This resulted in the keys being added
      without constraints. The common cases of non-smartcard keys and keys
      without destination constraints are unaffected. This problem was
      reported by Luci Stanescu (closes: #1033166).
    - [CVE-2023-48795] ssh(1), sshd(8): implement protocol extensions to
      thwart the so-called "Terrapin attack" discovered by Fabian Bäumer,
      Marcus Brinkmann and Jörg Schwenk. This attack allows a MITM to effect
      a limited break of the integrity of the early encrypted SSH transport
      protocol by sending extra messages prior to the commencement of
      encryption, and deleting an equal number of consecutive messages
      immediately after encryption starts. A peer SSH client/server would
      not be able to detect that messages were deleted.
    - [CVE-2023-51384] ssh-agent(1): when adding PKCS#11-hosted private keys
      while specifying destination constraints, if the PKCS#11 token
      returned multiple keys then only the first key had the constraints
      applied. Use of regular private keys, FIDO tokens and unconstrained
      keys are unaffected.
    - [CVE-2023-51385] ssh(1): if an invalid user or hostname that contained
      shell metacharacters was passed to ssh(1), and a ProxyCommand,
      LocalCommand directive or "match exec" predicate referenced the user
      or hostname via %u, %h or similar expansion token, then an attacker
      who could supply arbitrary user/hostnames to ssh(1) could potentially
      perform command injection depending on what quoting was present in the
      user-supplied ssh_config(5) directive. ssh(1) now bans most shell
      metacharacters from user and hostnames supplied via the command-line.

 -- Colin Watson <[email protected]>  Tue, 19 Dec 2023 14:51:56 +0000

I don’t know what low port 25 means… (port 25 is one of the standard ports for mail servers).

Regarding plain password, since Hestia 1.8.6, AUTH is not advertised on ports 25, 465 or 587 if you are not using a TLS connection (STARTTLS on ports 25 and 587 or TLS on port 465) so the plain password is not important because the connection is already encrypted.


And advanced test:


Feel free to disable it if you don’t need it how ever I don’t see any reason to disable to default…