False Positive Microsoft SQL (MSSQL) Server Brute Force Logins With Default Credentials (Remote)

I’m experiencing a false positive for Microsoft SQL (MSSQL) Server Brute Force Logins With Default Credentials (Remote) with OID 1.3.6.1.4.1.25623.1.0.10862 on multiple hosts in multiple networks.

Result:

Testing of the following account(s) has been stopped due to reaching the configured threshold of "2":

sa
admin

However, these accounts are disabled or do not exist. It seems like the scanner “thinks” it could log in, while it could not.

Is anyone seeing this? How can I provide more information to troubleshoot?

It seems there is a misunderstanding about this result: this is just a “log level” / 0.0 score based informative result (reported via log_message()) saying that the VT in question has stopped testing these accounts because it reached the defined threshold for testing them (set via the preferences of the VT in question).

No false positive is involved here, as the message doesn’t say that a login was possible via these accounts, and there is no severity assigned to this result.


Thank you for your answer.

I see something is going wrong in my system.

The CVSS base vector and score indicate a critical/high severity, but I didn’t look at the log message field. Thank you.

script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
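The mix-up described in this thread (a VT whose cvss_base tag is 10.0 producing a 0.0-severity log message) is easy to reproduce in any report-processing pipeline that keys on the NVT's base score instead of the result's own severity. The following Python is an added example, not code from the forum or from Greenbone: it parses a constructed report fragment laid out in the general shape of a GVM/OpenVAS XML report (element names `result`, `nvt`, `cvss_base`, `threat`, `severity` are assumed from that format; hosts and the second result's text are made up) and shows which results are actually actionable.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a GVM/OpenVAS XML report (assumption: element
# names follow that format). Hosts and the second result are invented for the
# illustration; the OID and the first description come from the thread above.
SAMPLE_REPORT = """<report>
  <results>
    <result id="r1">
      <name>Microsoft SQL (MSSQL) Server Brute Force Logins With Default Credentials (Remote)</name>
      <host>192.0.2.10</host>
      <port>1433/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.10862">
        <cvss_base>10.0</cvss_base>
      </nvt>
      <threat>Log</threat>
      <severity>0.0</severity>
      <description>Testing of the following account(s) has been stopped due to reaching the configured threshold of "2":

sa
admin</description>
    </result>
    <result id="r2">
      <name>Microsoft SQL (MSSQL) Server Brute Force Logins With Default Credentials (Remote)</name>
      <host>192.0.2.11</host>
      <port>1433/tcp</port>
      <nvt oid="1.3.6.1.4.1.25623.1.0.10862">
        <cvss_base>10.0</cvss_base>
      </nvt>
      <threat>High</threat>
      <severity>10.0</severity>
      <description>(constructed) A login with a default credential was possible for account: sa</description>
    </result>
  </results>
</report>"""


def classify_results(report_xml):
    """Parse a report and decide per result whether it is actionable.

    The decision uses the result's own <severity>/<threat>, not the NVT's
    <cvss_base>: a log_message() result carries severity 0.0 and threat "Log"
    even when the VT's cvss_base tag is 10.0.
    """
    root = ET.fromstring(report_xml)
    classified = []
    for res in root.iter("result"):
        nvt = res.find("nvt")
        oid = nvt.get("oid", "") if nvt is not None else ""
        cvss_base = float(nvt.findtext("cvss_base", "0.0")) if nvt is not None else 0.0
        severity = float(res.findtext("severity", "0.0"))
        threat = res.findtext("threat", "Log")
        classified.append({
            "id": res.get("id"),
            "host": res.findtext("host"),
            "oid": oid,
            "nvt_cvss_base": cvss_base,
            "result_severity": severity,
            "threat": threat,
            # Only the result's own severity says whether something was found.
            "actionable": severity > 0.0 and threat != "Log",
        })
    return classified


def count_misread(classified):
    """Count results a naive pipeline keyed on nvt_cvss_base would escalate
    although the result itself is informational (the thread's situation)."""
    return sum(1 for r in classified if r["nvt_cvss_base"] > 0.0 and not r["actionable"])


if __name__ == "__main__":
    rows = classify_results(SAMPLE_REPORT)
    for r in rows:
        print(f'{r["host"]:<12} nvt_cvss_base={r["nvt_cvss_base"]:<5} '
              f'result_severity={r["result_severity"]:<5} threat={r["threat"]:<5} '
              f'actionable={r["actionable"]}')
    print(f"informational results a cvss_base-keyed pipeline would misread: {count_misread(rows)}")
```

Running it prints one row per result; only the second (severity 10.0, threat High) is actionable, while the first, which matches the thread's log message, is informational despite the identical cvss_base of 10.0. The practical check is the same in any tooling: filter on the result's severity or threat level, never on the VT's base score.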