MS 2012 R2 Server Misidentified as Windows Vista

I’m not sure what information is needed to improve this; it reports a vulnerability as being Windows Vista when 2012 R2 Server is installed:

Vulnerability Detection Result
The “Windows Vista” Operating System on the remote host has reached the end of life.

CPE: cpe:/o:microsoft:windows_vista
EOL date: 2017-04-11
EOL info: support.microsoft.com/en-us/lifecycle/search?sort=PN&alpha=Windows%20Vista&Filter=FilterNO

Vulnerability Detection Method

Details: [OS End Of Life Detection (OID: 1.3.6.1.4.1.25623.1.0.103674)]

Version used: $Revision: 8927 $

Product Detection Result

Best matching OS:

OS: Microsoft Windows
CPE: cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.111067 (HTTP OS Identification)
Concluded from X-Powered-By Server banner on port 80/tcp: X-Powered-By: ASP.NET
Setting key “Host/runs_windows” based on this information

Other OS detections (in order of reliability):

OS: Microsoft Windows Server 2012 R2 or Microsoft Windows 8.1
CPE: cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.111067 (HTTP OS Identification)
Concluded from HTTP Server banner on port 80/tcp: Server: Microsoft-IIS/8.5

OS: Microsoft Windows Vista
CPE: cpe:/o:microsoft:windows_vista
Found by NVT: 1.3.6.1.4.1.25623.1.0.111067 (HTTP OS Identification)
Concluded from HTTP Server banner on port 8082/tcp: Server: Jetty/5.1.x (Windows Vista/6.2 x86 java/1.6.0_03

OS: Microsoft Windows
CPE: cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.100062 (Microsoft Remote Desktop Protocol Detection)
Concluded from Microsoft Remote Desktop Protocol on port 3389/tcp: Windows, possible Windows 8, 8.1 or Server 2012 based on binary response fingerprinting: 030000130ed00000123400020f080002000000

OS: Microsoft Windows
CPE: cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.108044 (DCE/RPC and MSRPC Services Enumeration)
Concluded from DCE/RPC and MSRPC Services Enumeration on port 135/tcp

Thanks for your report. I’m indeed seeing two issues here:

Basically this should be the CPE / OS the OS End Of Life Detection (OID: 1.3.6.1.4.1.25623.1.0.103674) VT is using. But somehow it seems that a CPE from another detection VT takes precedence.

It seems that NASL itself is messing around with the order in some way or “forgetting” the correct order in the Redis-KB. I might have found a workaround for this, stay tuned for some updates in the next few days.

Not sure what to do about this. It seems your Jetty server is wrongly advertising itself as being a Windows Vista (which has the release version 6.0) and, in contradiction, as being a Windows 8 / Windows Server 2012 (which both have the release version 6.2). And the actual running OS is Windows Server 2012 R2 (which has the release version 6.3).

The only solution for such broken version reporting is probably to only register a Windows (without any detailed OS reporting) instead.

Various improvements around both topics should be included in the feed today or the day after, please let us know if this is working out for you.

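An added example, not code from this thread or from the Greenbone feed, that walks through the reasoning in the reply above: parse the two Server banners from the report, check each banner's product name against the NT kernel version it carries (Vista is 6.0, Windows 8 / Server 2012 are 6.2, Windows 8.1 / Server 2012 R2 are 6.3), and register only the generic Windows CPE when a banner contradicts itself or the banners disagree. The banner patterns, the NT-version table and the IIS-version-to-Windows mapping are assumptions made for the example, not something the scanner exposes.

```python
"""Reconcile OS banners so a self-contradictory Jetty banner cannot outvote IIS.

Constructed example for the thread above; not Greenbone/OpenVAS code.
Assumes Jetty's "Jetty/<ver> (<os.name>/<os.version> <arch> java/<ver>)" banner
layout and that IIS ships with the OS, so its version pins the NT version.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# NT kernel version -> products that legitimately report it (assumed table).
NT_PRODUCTS: Dict[str, Set[str]] = {
    "6.0": {"Windows Vista", "Windows Server 2008"},
    "6.1": {"Windows 7", "Windows Server 2008 R2"},
    "6.2": {"Windows 8", "Windows Server 2012"},
    "6.3": {"Windows 8.1", "Windows Server 2012 R2"},
}
# IIS major.minor -> NT version of the OS it is bundled with (assumed table).
IIS_TO_NT: Dict[str, str] = {"7.0": "6.0", "7.5": "6.1", "8.0": "6.2", "8.5": "6.3"}

GENERIC_CPE = "cpe:/o:microsoft:windows"
SPECIFIC_CPE = {"Windows Vista": "cpe:/o:microsoft:windows_vista"}

JETTY_RE = re.compile(r"Jetty/\S+\s*\((?P<name>Windows[^/]*)/(?P<ver>\d+\.\d+)")
IIS_RE = re.compile(r"Microsoft-IIS/(?P<ver>\d+\.\d+)")


@dataclass
class Evidence:
    source: str
    nt_version: Optional[str]
    claimed_name: Optional[str] = None
    consistent: bool = True
    note: str = ""


def parse_banner(source: str, banner: str) -> Optional[Evidence]:
    """Turn a Server header into OS evidence; None for banners that say nothing about Windows."""
    m = JETTY_RE.search(banner)
    if m:
        name, ver = m.group("name").strip(), m.group("ver")
        ev = Evidence(source, ver, name)
        # The product name and the kernel version must agree, or the banner is not trustworthy.
        if name not in NT_PRODUCTS.get(ver, set()):
            ev.consistent = False
            ev.note = f"{name!r} does not run NT {ver}"
        return ev
    m = IIS_RE.search(banner)
    if m:
        nt = IIS_TO_NT.get(m.group("ver"))
        return Evidence(source, nt, note="" if nt else f"unknown IIS {m.group('ver')}")
    return None


def reconcile(evidence: List[Evidence]) -> dict:
    """Name an OS only when all trustworthy banners agree; otherwise register plain Windows."""
    usable = [e for e in evidence if e.consistent and e.nt_version]
    rejected = [f"{e.source}: {e.note}" for e in evidence if not (e.consistent and e.nt_version)]
    versions = {e.nt_version for e in usable}
    if len(versions) != 1:
        return {"nt_version": None, "candidates": set(), "cpe": GENERIC_CPE, "rejected": rejected}
    ver = versions.pop()
    # A product-specific CPE needs a banner that names the product and a version that confirms it.
    names = {e.claimed_name for e in usable if e.claimed_name}
    cpe = SPECIFIC_CPE.get(next(iter(names)), GENERIC_CPE) if len(names) == 1 else GENERIC_CPE
    return {"nt_version": ver, "candidates": set(NT_PRODUCTS[ver]), "cpe": cpe, "rejected": rejected}


def classify(banners: List[Tuple[str, str]]) -> dict:
    evidence = []
    for source, banner in banners:
        ev = parse_banner(source, banner)
        if ev:
            evidence.append(ev)
    return reconcile(evidence)


# The two banners from the report above (constructed sample input).
SAMPLE = [
    ("80/tcp", "Server: Microsoft-IIS/8.5"),
    ("8082/tcp", "Server: Jetty/5.1.x (Windows Vista/6.2 x86 java/1.6.0_03"),
]

if __name__ == "__main__":
    result = classify(SAMPLE)
    print(result["cpe"], result["nt_version"], sorted(result["candidates"]))
    for line in result["rejected"]:
        print("rejected:", line)
```

With the report's banners, the Jetty evidence is rejected because "Windows Vista" cannot carry NT 6.2, the IIS/8.5 banner alone fixes the version at 6.3, and since 6.3 fits both Windows 8.1 and Server 2012 R2 the result is the generic `cpe:/o:microsoft:windows` rather than a Vista end-of-life finding. A banner that reads `Windows Vista/6.0` would still produce the Vista CPE, and two trustworthy banners that disagree on the version drop to generic Windows as well.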