Port 2000 and 5060 - Vulnerability / Potentially Risky Service

[cfx47]

💡 Summary

A large number of IPs have BOTH and ONLY port 2000 and 5060, seemingly pointing to a Fortigate firewall detection. This is causing a large number of potential "false hosts" and a large increase in scan utilization. In an attempt to reduce these from being detected as hosts, we would like to notify stakeholders via by making this a low-medium severity vulnerability on their reports.

Motivation and context

Bringing these vulnerabilities to the attention of stakeholders provides an avenue for remediation. Should remediation be completed, scanner utilization would decrease exponentially.

How stakeholder could resolve issue: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Port-5060-and-port-2000-receives-getting-a/ta-p/290960

Implementation notes

• Only where instances of BOTH and ONLY ports 2000 and 5060 are found on an IP, will both a potentially risky service be reported for the ports as well as a low/medium severity vulnerability be marked for the associated IP in the report.
• These findings should reflect in the Report Card, the "potentially-risky-services.csv" attachment, and the "findings.csv".
• Note for Dev Team: The affected stakeholders will be contacted by the VS operators to inform them of the anticipated changes.

Acceptance criteria

• [ ] In instances where BOTH and ONLY ports 2000 and 5060 are found on an IP, this combined finding will be marked as a potentially risky service in the “Report Card”, as well as the “potentially-risky-services.csv” attachment of the CyHy report.
• [ ] In instances where both and only ports 2000 and 5060 are found on an IP, this combined finding will be marked as a low/medium severity vulnerability in the “Report Card” and “findings.csv” attachment of the CyHy report.