Dailydave mailing list archives

Re: Top10 Blowing Chunks :>
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 09 Sep 2013 12:52:01 -0400

IIRC the vulnerability did not affect Linux in practice as you needed to
find a memcpy that was broken backwards or use the SEH (in the case of
Windows) to handle the exception. I could be wrong though.

Is it possible that the Qualys check sees Apache server lines that have
no version and marks them as potentially vulnerable? This would explain
the prevalence of the check triggering in this day and age as more
people remove that information. It's also possible some WAF reacts
strangely to the check, causing a false positive (or a True Positive,
but against the WAF?)

Something here is worth digging into, but I'm not sure what the results
will be. Is it possible for Qualys to release some of the logic of the
check?

-dave
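The false-positive mechanism Dave speculates about above (a banner-based check that counts any version-less "Apache" Server header as vulnerable) can be made concrete. The following is an added example, not code from the thread or from Qualys, and Wolfgang's reply below says the Qualys check is active rather than banner based, so this is not a model of their logic. It contrasts an over-eager banner classifier with one that reports a stripped version as "unknown", run over a constructed list of Server headers. The fixed-version thresholds in ASSUMED_FIXED are placeholders chosen for the example, not values taken from the thread.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Assumed for this example only: the first release in each affected branch
# (1.3 and 2.0, the branches named in the thread) taken to carry the fix.
ASSUMED_FIXED = {
    (1, 3): (1, 3, 26),
    (2, 0): (2, 0, 39),
}

# Matches "Apache", "Apache/2.0", "Apache/2.0.36 (Win32)"; the version part is optional.
_BANNER_RE = re.compile(r"^Apache(?:/(\d+)\.(\d+)(?:\.(\d+))?)?", re.IGNORECASE)

Version = Tuple[int, int, int]


def parse_apache_version(server_header: str) -> Tuple[bool, Optional[Version]]:
    """Return (is_apache, version). version is None when the banner carries no usable version."""
    m = _BANNER_RE.match(server_header.strip())
    if not m:
        return False, None
    if m.group(1) is None:
        return True, None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) is not None else 0
    return True, (major, minor, patch)


def classify_banner(server_header: str) -> str:
    """Conservative classifier: a missing version is evidence of nothing, so report 'unknown'."""
    is_apache, ver = parse_apache_version(server_header)
    if not is_apache:
        return "not_apache"
    if ver is None:
        return "unknown"
    fixed = ASSUMED_FIXED.get(ver[:2])
    if fixed is None:
        return "unaffected_branch"   # e.g. 2.2.x, outside the branches in question
    return "possibly_affected" if ver < fixed else "unaffected"


def naive_classify(server_header: str) -> str:
    """Over-eager variant: treats every Apache banner without a version as affected.

    This is the behaviour that would turn version-stripped servers into findings.
    """
    is_apache, ver = parse_apache_version(server_header)
    if not is_apache:
        return "not_apache"
    if ver is None:
        return "possibly_affected"
    return classify_banner(server_header)


def summarize(banners: Iterable[str], classify=classify_banner) -> Dict[str, int]:
    """Count how many banners land in each class under the given classifier."""
    counts: Dict[str, int] = {}
    for banner in banners:
        label = classify(banner)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample of Server header values; not captured from any real scan.
SAMPLE_BANNERS = [
    "Apache/2.2.22 (Ubuntu)",   # unaffected_branch
    "Apache",                   # version stripped
    "Apache/1.3.20 (Unix)",     # below the assumed 1.3 fix
    "Apache/2.0.39 (Unix)",     # at the assumed 2.0 fix
    "nginx/1.4.1",              # not Apache at all
    "Apache/2.0.36 (Win32)",    # below the assumed 2.0 fix
    "Apache",                   # version stripped
]

if __name__ == "__main__":
    print("conservative:", summarize(SAMPLE_BANNERS))
    print("naive:       ", summarize(SAMPLE_BANNERS, naive_classify))
```

Under the conservative classifier the two stripped banners show up as "unknown"; under the naive one they are counted alongside the genuinely old versions, which is exactly the kind of inflation that would make an old vulnerability appear to climb a prevalence ranking as more sites remove version strings.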


On 9/4/2013 2:34 PM, Wolfgang Kandek wrote:
Here is a bit more background on the data and our collection methods.

The Top 10 are collected every 3 months and include data for the
preceding 3 months. The aim is to give customers an idea on what is
prevalent at the moment.

External means that the data comes from the scanners that Qualys runs
on the Internet and that are used by Qualys customers to scan their
Internet connected machines. Internal means that the data comes from
the Scanner Appliances that customers run themselves and use to scan
their internal networks.  Our customers are free to run authenticated
scans with the external scanners and free to scan their Internet
connected machines with the Scanner Appliances as well, but it is fair
to say that most customers will use authenticated scans only on
Scanner Appliances and will scan their Internet connected machines
with our external scanners. It is worth mentioning that our PCI
service uses the external scanners for all audits.

In November 2011 the "Apache Chunked encoding" vulnerability was
ranked #16 and did not make it into the Top 10 at the time. Since then
we have seen many of the Top 10 vulnerabilities drop in number,
so for example Win2000 obsolete has dropped fourfold, while Apache
Chunked encoding has actually gone up.

The vulnerability was pretty widespread at the time and affected
Apache 1.3 and 2.0 on many operating systems, including Linux and many
embedded devices, so it is possible that one of our customers has
started scanning these types of ranges.

The vulnerability is an active check (i.e. not banner based or software
version based), and the detection has not been modified for the last
couple of years. It affects the outcome of a PCI scan and we have had
no Support tickets regarding FPs, which is a pretty good measure as to
its accuracy.

If Rapid7 or Tenable can share some of what they are seeing it would be helpful.

-
Wolfgang


On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel <dave () immunityinc com> wrote:
http://www.qualys.com/research/top10/

So I recently found out about the Qualys Top 10 vulnerabilities list,
which is a pretty cool resource really.  Any time a big company with a
lot of data offers a view into it, it is a useful thing, even if just to
understand the built-in filter on the data.

They have both "internal" and "external" which I think could better be
further broken down into "authenticated scans" and "unauthenticated
scans". You'll see client-side attacks predominating the "internal"
scans, which were obviously found by the kind of patch-and-file checking
that authenticated scans allow.

However, you'll also see very very strange things in the external scans.
The most weird is that Apache Chunked is a top-10 in August 2013, but
not in November of 2011. For it to be anywhere at all is strange,
because it's a 10 year old vulnerability that only affected Windows and
BSD-based Apaches in the first place (which are not the majority of
Apache installs, to say the least).

So what conclusions can you draw? Is it a false positive? Is it weirdly
common? If it is a false positive, is this an issue with a particular
check in Qualys or is this vulnerability very hard to correctly
determine in the first place? Also, MS08-067 seems to me to be something
that should no longer be in the top-10...Wolfgang said he's looking into
it, so maybe we can get a response to the list at some point.

It would be great if Tenable and Rapid7 and the other people in the VA
world would release similar numbers.

-dave




_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave



Attachment: signature.asc
Description: OpenPGP digital signature

