Censys-Identified Risks (Reference)
This is a catalog of the risks that Censys surfaces in the Attack Surface Management platform.
Risk information is displayed in the Risks page, in columns on the IP-view of Hosts, on Host details pages, and in the logbook and asset APIs.
Risk Categories
Risk categories help you understand risks at a glance. A risk may belong to more than one category.
Misconfigurations
A misconfiguration is an incorrect or suboptimal configuration of an information system or system component.
- Service Misconfiguration – A service misconfiguration is an incorrect or suboptimal configuration of a service component that provides functionality in larger processes.
- Cloud Misconfiguration – A cloud misconfiguration is an incorrect or suboptimal configuration of a cloud component that provides functionality in larger processes.
- Name Infrastructure Misconfiguration – A name infrastructure misconfiguration is an incorrect or suboptimal use of the Domain Name System.
Exposures
An exposure is a situation where sensitive information, devices, or services are exposed to the Internet.
- Information Leakage – Information leakage is a type of exposure where sensitive information is unintentionally exposed to the Internet.
- Device Exposure – An exposed device is a type of exposure in which a physical device is exposed to the Internet.
Vulnerabilities
A vulnerability is a weakness in an information system, system security procedure, internal control, or implementation that could be exploited or triggered by a threat source.
- Software Vulnerability – A software vulnerability is a weakness specific to a software product that could be exploited or triggered by a threat source.
- Web Application Security Vulnerability – Web application security vulnerabilities are related to vulnerabilities in web servers, web applications, and web services.
Compromise
Compromise is the disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object occurs.
- Evidence of Compromise – Evidence of compromise is a category of compromise for which there is traceable evidence.
Risks Censys Identifies
The following risks will be shown on the Risks table if they are detected on any hosts in your attack surface.
Misconfigurations
These risks are the result of an unintended or suboptimal configuration:
- Exposed EC2 Metadata – The EC2 metadata service is exposed to the Internet and may include sensitive information such as IAM credentials.
- FTP Does Not Require Authentication – This service did not require authentication to use it.
- Redis Server Does Not Require Authentication – This service did not require authentication to use it.
- Telnet Server Does Not Require Authentication – This service did not require authentication to use it.
- Unauthenticated Alibaba Mongoshake – This service did not require authentication to use it in Alibaba Cloud.
- IMAP with No STARTTLS Support – This service does not support STARTTLS. Without encrypted connections via STARTTLS, this service transmits in plaintext, which allows an attacker to potentially intercept or modify transmitted data.
- POP3 with No STARTTLS Support – This service does not support STARTTLS. Without encrypted connections via STARTTLS, this service transmits in plaintext, which allows an attacker to potentially intercept or modify transmitted data.
- SMTP with No STARTTLS Support – This service does not support STARTTLS. Without encrypted connections via STARTTLS, this service is vulnerable to man-in-the-middle attacks.
- Unencrypted CWMP – This service is transmitting data in plaintext, which allows an attacker to potentially intercept or modify transmitted data.
- Unencrypted IMAP – This service is transmitting data in plaintext, which allows an attacker to potentially intercept or modify transmitted data.
- Unencrypted POP3 – This service is transmitting data in plaintext, which allows an attacker to potentially intercept or modify transmitted data.
- Unencrypted SMTP Service
- Unencrypted login page – The affected login page does not use a secure TLS connection, which allows an attacker to potentially intercept or modify transmitted data.
- Weak auth page – The affected web page uses basic or digest authentication, which may leave transmitted credentials susceptible to hash-cracking techniques.
- Unencrypted weak auth page – The affected web page uses basic or digest authentication without a secure TLS connection, which may leave transmitted credentials susceptible to hash-cracking techniques.
Exposures
Some protocols and devices are inherently more risky than others because of their capabilities and lack of security controls, so their presence in your attack surface makes you a target.
- AMQP – This service is designed to transmit data, a capability that makes it a target. If unencrypted, an attacker may intercept communication data.
- Bacnet – This service is designed to enable building automation and control, and only newer versions of the protocol support authentication and data confidentiality and integrity.
- DNP3 – This service transmits data in plaintext and does not require authentication, a combination that makes it a target. There exist well-known exploits that can cause denial-of-service, man-in-the-middle, time-manipulation, and alarm-suppression attacks. DNPSec v5 is designed to mitigate some of these exploits, but isn't widely used yet.
- Deprecated SMBv1 – SMB version 1 mishandles specially crafted packets from remote attackers to execute arbitrary code on the system (EternalBlue). Publicly available tools, such as Metasploit, have readily-available exploits for this vulnerability.
- Elasticsearch – This service is designed to be used by trusted clients within trusted networks.
- FOX – This service transmits data in plaintext, which allows an attacker to potentially intercept, modify, or replay transmitted data if on the same network.
- FTP – This service transmits data in plaintext, which allows an attacker to potentially intercept or modify the data if on the same network. FTP servers can also be targets of password spraying and credential stuffing attacks.
- IMAP – This protocol is unencrypted, which means credentials and sensitive data can be easily intercepted by attackers.
- Intel AMT – Attackers with stolen or brute-forced credentials have remote access to files and devices on the same network.
- IPMI – This service enables remote administration of servers, including deployment and removal of software and system reboots, a capability that makes it a target.
- IPP – This service is designed to be used by trusted clients within trusted networks. Internet access allows unauthenticated users to print content on the connected printer.
- Kubernetes – This service is designed to provide sensitive information about system infrastructure such as workspaces, pods, and containers.
- LDAP – This service allows for NTLM authentication and Active Directory queries, a capability that makes it a target.
- Memcached – This service can be misused for amplification in distributed denial-of-service attacks against recipients of Memcached UDP traffic.
- Modbus – This service is designed to connect industrial electronic devices and transmits data in plaintext, a combination that makes it a target for network reconnaissance.
- MongoDB – This service is designed to store potentially sensitive information in a database, which makes it a target. Password spraying and credential stuffing attacks against the service are common.
- MQTT – This service transmits data in plaintext, which allows an attacker to potentially intercept or modify transmitted data.
- MSSQL – This service is designed to store potentially sensitive information in a database, which makes it a target. Password spraying and credential stuffing attacks against the service are common.
- MySQL – This service is designed to store potentially sensitive information in a database, which makes it a target. Password spraying and credential stuffing attacks against the service are common.
- NTP – This service is set up to provide a history of queries, a capability that can be misused for amplification during a distributed denial-of-service (DDoS) attack, and if misconfigured, may introduce vulnerabilities related to time synchronization.
- Oracle – This service is set up to provide a history of queries, a capability that can be misused for amplification during a distributed denial-of-service (DDoS) attack, and if misconfigured, may introduce vulnerabilities related to time synchronization.
- PCA – This service is designed to enable remote management, a capability that attackers often target. Several vulnerabilities, including remote code execution, exist for this service.
- Postgres – This service is designed to store potentially sensitive information in a database, which makes it a target. Password spraying and credential stuffing attacks against the service are common.
- Prometheus – This service is designed to be used by trusted clients within trusted networks. Anyone with network access to Prometheus can run arbitrary SQL against its database.
- QNAP Device Compromised by Deadbolt – The affected QNAP device is compromised and encrypted by Deadbolt Ransomware.
- QNAP Device Exposed – This device is designed as a network attached storage (NAS) device containing personal files, which makes it susceptible to unauthorized access and ransomware attacks.
- RDP – This service is designed to enable remote management, a capability that attackers often target. Several vulnerabilities, including remote code execution, exist for this service. It also accepts NTLM credentials and has been targeted by ransomware groups in password spraying and credential stuffing attacks.
- Recursive DNS – This service is set up to obtain DNS records from the authoritative source, a capability that can be misused for amplification during a distributed denial-of-service (DDoS) attack.
- Redis – This service is designed to be used by trusted clients within trusted networks.
- S7 – This service is designed to enable supervision of machines and processes, making it a target. Many Siemens SIMATIC product versions have easily exploitable vulnerabilities, resulting in denial-of-service attacks or credential theft.
- SMB – This service is designed to enable supervision of machines and processes, making it a target. Many Siemens SIMATIC product versions have easily exploitable vulnerabilities, resulting in denial-of-service attacks or credential theft.
- SMTP – This service is designed to transmit electronic mail, a capability that makes it a target.
- SNMP – This service transmits data in plaintext, which allows an attacker to potentially intercept and replay SNMP requests in order to manage devices, such as network interfaces.
- SSH – This service is designed to enable network communication between two devices, a capability that makes it a target. Publicly available tools exist to target SSH services in password spraying and credential stuffing attacks.
- Telnet – This service transmits data in plaintext, which allows an attacker to potentially intercept or modify transmitted data if on the same network.
- VNC – Stolen or brute-forced VNC credentials allow attackers to take over the computer with this connection exposed.
Storage Bucket Exposures
- Exposed AWS Secrets – The HTTP response contains AWS secrets, which may include secret keys or configuration access keys.
- Exposed Storage Buckets – Storage buckets with loose read, write, or accessibility settings that may unnecessarily expose data.
- S3 Bucket Sub-Domain Takeover – Censys identified a DNS record pointing to an AWS S3 bucket which no longer exists. An attacker may register an AWS S3 bucket using the sub-domain and perform a takeover. As a result, the attacker can host their own data, such as malware, on the taken sub-domain.
Information Exposures
- Exposed DigitalOcean Credentials – The HTTP response may contain DigitalOcean credentials, which may include SSH keys or access tokens.
- Exposed Docker Credentials – The HTTP response contains Docker credentials, which may include passwords, secret keys, or API tokens.
- Exposed Access Token [Generic] – An access token was identified in the HTTP body of the affected service. An attacker may use this to gain unauthorized access to a service.
- Exposed API Key [Generic] – An API key was identified in the HTTP body of the affected service. An attacker may use this to gain unauthorized access to a service.
- Exposed FTP Credentials – The HTTP response may contain FTP credentials, which may include usernames or passwords.
- Exposed GnuPG Credentials – The HTTP response may contain GnuPG credentials, which may include secret keys, private keys, or passwords.
- Exposed Google Cloud IAM Credentials – The HTTP response may contain Google Cloud IAM credentials, which may include passwords, private keys, and API tokens.
- Exposed Magento Credentials – The HTTP response potentially contained Magento credentials, which may include usernames and passwords.
- Exposed MySQL Credentials – The HTTP response may contain MySQL credentials, which may include passwords or secrets.
- Exposed Postgres Credentials – The HTTP response may contain Postgres credentials, which may include passwords or database names.
- Exposed Database Credentials – The HTTP response may contain database credentials, which may include passwords or connection strings.
- Exposed Production Credentials – The HTTP response may contain production credentials, which may include passwords or API keys.
- Exposed OKTA OAuth Client Secret Token – The HTTP response may contain OKTA OAuth Client Secret Tokens. An attacker may use these tokens to gain unauthorized access to OKTA.
- Exposed OpenSSH Private Key – The HTTP response contains an OpenSSH private key. An attacker may use this to gain unauthorized access to the host.
- Exposed Private Key – The HTTP response contains a private key used for authentication. An attacker may use this to gain unauthorized access to the host.
- Exposed RSA Private Key – The HTTP response contains an RSA private key. An attacker may use this to gain unauthorized access to the host.
- Exposed RabbitMQ Credentials – The HTTP response may contain RabbitMQ credentials, which may include passwords, API keys, or SSH keys.
- Exposed WordPress Database Credentials – The HTTP response may contain WordPress database credentials, which may include passwords, API keys, or SSH keys.
- Sendinblue Business API Key Leak – An exposed Sendinblue API token was identified in the HTTP body of the affected service. An attacker may use this token to aid in phishing campaigns.
- Exposed Picatic API Key – An unencrypted Picatic API key was identified in the HTTP body of the affected service. The token may be used to interact with the Picatic API.
- Exposed Sendgrid API Key – An unencrypted Sendgrid API key was identified in the HTTP body of the affected service. The key may be used to interact with the Sendgrid API.
- Exposed Stripe Restricted Key – An unencrypted Stripe Restricted Key was identified in the HTTP body of the affected service. The token may be used to view sensitive information within Stripe.
- Exposed Stripe Secret Key – An unencrypted Stripe Secret Key was identified in the HTTP body of the affected service. By default, Stripe secret keys can be used to perform any API request without restriction.
- Exposed Zapier Webhook – An unencrypted Zapier webhook was identified in the HTTP body of the affected service. The webhook can be used to read unauthorized Zapier information and can be weaponized in phishing campaigns.
- Exposed Zoho Webhook – An unencrypted Zoho webhook was identified in the HTTP body of the affected service. The webhook can be used to read unauthorized Zoho information and can be weaponized in phishing campaigns.
- Exposed Mailchimp API Access Key – A Mailchimp API access key was identified in the HTTP body of the affected service. The access key may grant an attacker unauthorized access to a Mailchimp account.
- Exposed Microsoft Teams Webhook – An unencrypted Microsoft Teams webhook was identified in the HTTP body of the affected service. The webhook can be used to send messages in Teams channels and can be weaponized in phishing campaigns.
- Exposed New Relic Admin API Key – An unencrypted New Relic Admin API key was identified in the HTTP body of the affected service. The key can perform certain "restricted" operations, such as creation, deletion, or modification.
- Exposed New Relic Insights Keys – An unencrypted New Relic Insights key was identified in the HTTP body of the affected service. The key may have the ability to query or insert into New Relic.
- Exposed New Relic REST API Key – An unencrypted New Relic REST API key was identified in the HTTP body of the affected service. The key may be used for accessing the REST API for New Relic services, such as alerts.
- Exposed New Relic Synthetics API Key – An unencrypted New Relic Synthetics API key was identified in the HTTP body of the affected service. The key may be used to create and manage synthetic monitors in New Relic.
- Exposed PayPal Braintree Access Token – An unencrypted PayPal Braintree access token was identified in the HTTP body of the affected service. The token may be used to interact with the Braintree API.
- Exposed JWT Token – A JSON Web Token (JWT) was identified in the HTTP body of the affected scope. An attacker may attempt to re-use the token or crack the hash for plaintext credentials.
- Exposed Shoppable Service Auth Token – A Shoppable Service authentication token was identified in the HTTP body of the affected service. This token can be passed as a bearer token to authenticate to the Shoppable API.
- Exposed FCM Server Key – A Firebase Cloud Messaging (FCM) server key was identified in the HTTP body of the affected service. An attacker could use this key to build phishing campaigns.
- Exposed Google API Key – A Google API key was identified in the HTTP body of the affected service. An attacker may use this to create new apps in your GCP project.
- Exposed Google Calendar URI – A Google Calendar URI was identified in the HTTP body of the affected service.
- Exposed Google OAuth Access Key – A Google OAuth access key was identified in the HTTP body of the affected service. An attacker may use this token to gain unauthorized access to a Google API, if the token is still valid.
- Exposed JDBC Connection String – A JDBC connection string was identified in the HTTP body of the affected service. The connection string may contain encrypted and/or unencrypted credentials.
- Exposed Amazon MWS Auth Token – An MWS authentication token was identified in the HTTP body of the affected service. The MWS authentication token can be used in conjunction with an AWS Access Key ID and Secret Key to use the Amazon Marketplace Web Service.
- Exposed Amazon SNS Topic – The AWS Simple Notification Service (SNS) is a messaging service for parallel processing. If misconfigured, an unauthorized attacker could publish or subscribe to the affected SNS topic.
- Exposed AWS Access Key ID – Censys identified an AWS access key in the HTTP body of the affected service. An attacker may attempt to use this in combination with a Secret Access Key to gain unauthorized access to your AWS instance.
- Exposed Artifactory API Token – An exposed Artifactory API token was identified in the HTTP body of the affected service. An attacker can use this token to pull build artifacts and software packages from the Artifactory application.
- Exposed Artifactory Password – An exposed Artifactory password was identified in the HTTP body of the affected service.
- Exposed Bitly Secret Key – An exposed Bitly secret key was identified in the HTTP body of the affected service.
- Exposed Cloudinary Credentials – Cloudinary credentials were identified in the HTTP body of the affected service.
- Exposed Discord Webhook – An exposed Discord webhook was identified in the HTTP body of the affected service. An attacker could use this to gain unauthorized access to a Discord server.
- Exposed Slack Bot Access Token – An unencrypted Slack bot access token was identified in the HTTP body of the affected service. The token can be used to control the Slack bot account and read Slack communications.
- Exposed Slack User Access Token – An unencrypted Slack user access token was identified in the HTTP body of the affected service. The token can be used to control the Slack user account and read Slack communications.
- Exposed Slack Webhook Token – An unencrypted Slack webhook token was identified in the HTTP body of the affected service. The webhook can be used to send messages to Slack channels and can be weaponized in phishing campaigns.
Software Vulnerabilities
- AccessAlly WordPress Plugin < 3.5.7 [CVE-2021-24226] – In the AccessAlly WordPress plugin before 3.5.7, the file "resource/frontend/product/product-shortcode.php" responsible for the [accessally_order_form] shortcode dumps serialize($_SERVER), which contains all environment variables. The leakage occurs on all public-facing pages containing the [accessally_order_form] shortcode. No login or administrator role is required.
- End of life software – Software versions that are no longer supported by their vendor and do not receive security patches.
  - EOL Apache HTTPD software versions
  - EOL Apache Traffic Server software versions
  - EOL Eclipse Jetty software versions
  - EOL Microsoft IIS software versions
  - EOL Nginx software versions
  - EOL OpenSSL software versions
  - EOL PHP software versions
  - EOL Red Hat JBoss EAP software versions
- Outdated Exchange Cumulative Update – This Exchange server is not running the latest Cumulative Update issued by Microsoft, which may include major security updates.
- Potentially Vulnerable Log4j software – Versions of this software (or a component of this software) that have been identified as vulnerable to CVE-2021-44228.
  - Vulnerable Log4j Apache Solr Service
  - Vulnerable Log4j Cloudera Ambari
  - Vulnerable Log4j Generic
  - Vulnerable Log4j Metabase
  - Vulnerable Log4j Neo4j
  - Vulnerable Log4j OpenShift
  - Vulnerable Log4j PagerDuty Rundeck
  - Vulnerable Log4j UniFi Network Appliance
- Vulnerable Apache HTTP/2 Cache-Digest DoS [CVE-2020-9490] – Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.
- Vulnerable CentOS WebPanel – A service is running CentOS Web Panel, which may be vulnerable to CVE-2021-45467. This risk should be manually verified by internally obtaining the exact version running.
- Vulnerable Confluence Server – A version of Atlassian Confluence Server that is vulnerable to CVE-2021-26084, a critical vulnerability (CVSSv3 9.8 out of 10). An attacker could abuse this OGNL injection issue to run arbitrary code on the server.
- Vulnerable Dropbear SSH – All versions of Dropbear SSH before version 2016.74 allow remote attackers to execute arbitrary code via format string specifiers in the username or host argument (CVE-2016-7406).
- Vulnerable Exim Server [CVE-2020-28026] – The Exim mail server is running a version < 4.94.2. As a result, the system is vulnerable to multiple exploits, including remote code execution.
- Vulnerable NSS Version [CVE-2021-43527] – The affected Network Security Services (NSS) is vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures.
- Vulnerable Kong Admin Rest API Unauth [CVE-2020-11710] – An issue was discovered in docker-kong (for Kong) through 2.0.3. The admin API port may be accessible on interfaces other than 127.0.0.1.
- Vulnerable Samba Server – All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read/write vulnerability, CVE-2021-44142, that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
TLS Risks
- Insecure TLS versions – Old TLS versions (v1.0, v1.1) that are not secure and may leave communications open to man-in-the-middle attacks.
- Insecure TLS cipher suites – Weak cipher suites that are not secure and may leave communications open to man-in-the-middle attacks.