/build/static/layout/Breadcrumb_cap_w.png

K2000 PCI Scan (/kbox/datastore/internal/tftpboot/dummy)

Our K2000 is getting flagged during PCI scan has anyone had this problem? If so what was the approach to fixing it? Thank you in advance for the help. 

11356 (1) - NFS Exported Share Information Disclosure
Synopsis
It is possible to access NFS shares on the remote host.
Description
At least one of the NFS shares exported by the remote server could be mounted by the scanning host. An attacker may be able to leverage this to read (and possibly write) files on remote host.
Solution
Configure NFS on the remote host so that only authorized hosts can mount its remote shares.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
CVE CVE-1999-0170
CVE CVE-1999-0211
CVE CVE-1999-0554
XREF OSVDB:339
XREF OSVDB:8750
XREF OSVDB:11516
Exploitable With
Metasploit (true)
Plugin Information:
Published: 2003/03/12, Modified: 2018/02/20
Plugin Output

kace-dc (udp/2049)


The following NFS shares could be mounted :

+ /kbox/datastore/internal/tftpboot/dummy

0 Comments   [ + ] Show comments

Answers (1)

Posted by: JasonEgg 6 years ago
Red Belt
0
I got the same alert from Qualys (our security scan system) and contacted support about it. Turns out this is required for access to PXE/Netboot. There's no unexpected high security access like "/etc/passwd" found in results, only tftpboot, so it's not a security concern for us. We also only accept PXE/Netboot from wired connection from only our org's IP range, so access to the share is already limited.

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ