On March 14, 2007, "George A. Theall" wrote:
> On 03/14/07 19:37, Dan Harkless wrote:
> > I talked to John in private email and he says that he confirmed that
> > 'Thorough tests' was causing his Citrix service DoS. He also says the
> > problem didn't start occurring until they applied some recent (at the time)
> > Citrix patches.
>
> Someone's reported this to Citrix, right?

I'm not sure. I haven't experienced the problem, so I wouldn't be able to
report it very effectively. I'll CC John on this mail in case he's not
still a subscriber and we can see what he says.

> > However, I also heard from a member of a different security group at my
> > company who saw my post, and he says that they use 'Thorough tests' against
> > Citrix servers without issue. That plus the fact that the IMA service
> > (which was getting stopped in John's case) isn't exposed on the servers I'm
> > scanning (just the ICA service, 1494/tcp) indicates to me that it should be
> > safe to turn on 'Thorough tests'.
>
> As you note, the port range is indeed a consideration when enabling
> thorough tests. Many of the service detection plugins by default probe
> only the well-known port(s) associated with that service. Enabling
> thorough tests will cause those plugins to probe any open port which is
> still marked as an unknown service. So if you know that the only service
> that doesn't handle invalid input well is the ICA service on port
> 1494 (because, say, of testing in a lab), you should be able to enable
> thorough tests and stay clear of trouble as long as you omit 1494 from
> the port range.

Actually it's the IMA service that apparently has the problem, with ICA /
1494 being okay. Thanks for the tip on excluding problem ports.

--
Dan Harkless
http://harkless.org/dan/
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus