[Dailydave] Top10 Blowing Chunks :>

Wolfgang Kandek wkandek at qualys.com
Wed Sep 4 14:34:45 EDT 2013


Here is a bit more background on the data and our collection methods.

The Top 10 are collected every 3 months and include data for the
preceding 3 months. The aim is to give customers an idea on what is
prevalent at the moment.

External means that the data comes from the scanners that Qualys runs
on the Internet and that are used by Qualys customers to scan their
Internet connected machines. Internal means that the data comes from
the Scanner Appliances that customers run themselves and use to scan
their internal networks.  Our customers are free to run authenticated
scans with the external scanners and free to scan their Internet
connected machines with the Scanner Appliances as well, but it is fair
to say that most customers will use authenticated scans only on
Scanner Appliances and will scan their Internet connected machines
with our external scanners. It is worth mentioning that our PCI
service uses the external scanners for all audits.

In November 2011 the "Apache Chunked encoding" vulnerability was
ranked #16 and did not make it into the Top 10 at the time. Since then
we have seen many of the Top 10 vulnerabilities drop in number,
so for example Win2000 obsolete has dropped fourfold, while Apache
Chunked encoding has actually gone up.

The vulnerability was pretty widespread at the time and affected
Apache 1.3 and 2.0 on many operating systems, including Linux and many
embedded devices, so it is possible that one of our customers has
started scanning these types of ranges.

The vulnerability is an active check (i.e. not banner-based or
software-version-based), and the detection has not been modified for the last
couple of years. It affects the outcome of a PCI scan and we have had
no Support tickets regarding FPs, which is a pretty good measure as to
its accuracy.

If Rapid7 or Tenable can share some of what they are seeing it would be helpful.

-
Wolfgang


On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel <dave at immunityinc.com> wrote:
>
> http://www.qualys.com/research/top10/
>
> So I recently found out about the Qualys Top 10 vulnerabilities list,
> which is a pretty cool resource really.  Any time a big company with a
> lot of data offers a view into it, it is a useful thing, even if just to
> understand the built-in filter on the data.
>
> They have both "internal" and "external" which I think could better be
> further broken down into "authenticated scans" and "unauthenticated
> scans". You'll see client-side attacks predominating the "internal"
> scans, which were obviously found by the kind of patch-and-file checking
> that authenticated scans allow.
>
> However, you'll also see very very strange things in the external scans.
> The most weird is that Apache Chunked is a top-10 in August 2013, but
> not in November of 2011. For it to be anywhere at all is strange,
> because it's a 10-year-old vulnerability that only affected Windows and
> BSD-based Apaches in the first place (which are not the majority of
> Apache installs, to say the least).
>
> So what conclusions can you draw? Is it a false positive? Is it weirdly
> common? If it is a false positive, is this an issue with a particular
> check in Qualys or is this vulnerability very hard to correctly
> determine in the first place? Also, MS08-067 seems to me to be something
> that should no longer be in the top-10...Wolfgang said he's looking into
> it, so maybe we can get a response to the list at some point.
>
> It would be great if Tenable and Rapid7 and the other people in the VA
> world would release similar numbers.
>
> -dave