OpenVAS incorrectly flags Cheops NG as vulnerability

Question

OpenVAS is reporting the following vulnerability.

NVT: Cheops NG without password (OID: 1.3.6.1.4.1.25623.1.0.20161) 

I'm not running that so it is probably a false positive. I'm wondering what rule it's using to flag that. My guess is it's an open port as I have a few non-standard ports open on that endpoint. Any pointers as to where to look for the rule sets etc?

Answer 1

The VT in question is flagging a service if the following VT is detecting a Cheops NG Agent service (on the default port 2300 but also on all ports with "unknown" services) previously:

• Name: Cheops NG Agent Detection
• OID: 1.3.6.1.4.1.25623.1.0.20160
• Filename: cheopsNG_detect.nasl

As seen in the source code of that VT the detection of such an "unprotected" service happens if the service in question is responding to a probing request ("m2" variable) if all of the following constraints are matching for the response:

1. The length of the received response needs to be >= 8
2. The received response starts with "\0\0\0"
3. There is an additional "\x01\x00\x00\x7f" somewhere in the received response

Disclaimer: VT Dev @ Greenbone