[Dailydave] Top10 Blowing Chunks :>

Dave Aitel dave at immunityinc.com
Mon Sep 9 12:52:01 EDT 2013


IIRC the vulnerability did not affect Linux in practice as you needed to
find a memcpy that was broken backwards or use the SEH (in the case of
Windows) to handle the exception. I could be wrong though.

Is it possible that the Qualys check sees Apache server lines that have
no version and marks them as potentially vulnerable? This would explain
the prevalence of the check triggering in this day and age as more
people remove that information. It's also possible some WAF reacts
strangely to the check, causing a false positive (or a True Positive,
but against the WAF?)

Something here is worth digging into, but I'm not sure what the results
will be. Is it possible for Qualys to release some of the logic of the
check?

-dave
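One way to test the banner hypothesis raised above against a scan export, as an added example (my code, not Qualys's check logic; the findings below are constructed records and the `banner_class` categories are my own):

```python
import re
from collections import Counter

# Constructed sample of scan findings: (host, Server header as observed,
# whether the "Apache Chunked encoding" check fired). Made-up data, not
# from any real scanner export.
FINDINGS = [
    ("10.0.0.1", "Apache/1.3.20 (Unix)", True),
    ("10.0.0.2", "Apache", True),
    ("10.0.0.3", "Apache", True),
    ("10.0.0.4", "Apache/2.2.22 (Ubuntu)", False),
    ("10.0.0.5", "", True),
    ("10.0.0.6", "Apache/2.0.35", True),
    ("10.0.0.7", "nginx/1.4.1", False),
]

# Matches an Apache banner that still carries a full version number.
VERSIONED = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)")


def banner_class(server):
    """Classify a Server header by how much version information it leaks."""
    if not server:
        return "no-banner"
    if VERSIONED.match(server):
        return "apache-versioned"
    if server.startswith("Apache"):
        return "apache-unversioned"
    return "other"


def triage(findings):
    """Return {banner_class: (positives, total hosts)} for the finding set."""
    positives, totals = Counter(), Counter()
    for _host, server, fired in findings:
        cls = banner_class(server)
        totals[cls] += 1
        if fired:
            positives[cls] += 1
    return {cls: (positives[cls], totals[cls]) for cls in totals}


def versionless_share(findings):
    """Fraction of positives that came from hosts whose banner shows no version.

    A high value supports the guess that hidden versions, not real exposure,
    drive the check; a low value points back at the detection itself.
    """
    fired = [banner_class(s) for _h, s, f in findings if f]
    if not fired:
        return 0.0
    hidden = sum(1 for c in fired if c in ("no-banner", "apache-unversioned"))
    return hidden / len(fired)
```

The same split can be run per scanner type (external vs. Scanner Appliance) to see whether the pattern is specific to one data source.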


On 9/4/2013 2:34 PM, Wolfgang Kandek wrote:
> Here is a bit more background on the data and our collection methods.
>
> The Top 10 are collected every 3 months and include data for the
> preceding 3 months. The aim is to give customers an idea on what is
> prevalent at the moment.
>
> External means that the data comes from the scanners that Qualys runs
> on the Internet and that are used by Qualys customers to scan their
> Internet connected machines. Internal means that the data comes from
> the Scanner Appliances that customers run themselves and use to scan
> their internal networks. Our customers are free to run authenticated
> scans with the external scanners and free to scan their Internet
> connected machines with the Scanner Appliances as well, but it is fair
> to say that most customers will use authenticated scans only on
> Scanner Appliances and will scan their Internet connected machines
> with our external scanners. It is worth mentioning that our PCI
> service uses the external scanners for all audits.
>
> In November 2011 the "Apache Chunked encoding" vulnerability was
> ranked #16 and did not make it into the Top 10 at the time. Since then
> we have seen many of the Top 10 vulnerabilities drop in number,
> so for example Win2000 obsolete has dropped fourfold, while Apache
> Chunked encoding has actually gone up.
>
> The vulnerability was pretty widespread at the time and affected
> Apache 1.3 and 2.0 on many operating systems, including Linux and many
> embedded devices, so it is possible that one of our customers has
> started scanning these types of ranges.
>
> The vulnerability is an active check (i.e. not banner based or software
> version based), and the detection has not been modified for the last
> couple of years. It affects the outcome of a PCI scan and we have had
> no Support tickets regarding FPs, which is a pretty good measure as to
> its accuracy.
>
> If Rapid7 or Tenable can share some of what they are seeing it would be helpful.
>
> -
> Wolfgang
>
>
> On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel <dave at immunityinc.com> wrote:
>> http://www.qualys.com/research/top10/
>>
>> So I recently found out about the Qualys Top 10 vulnerabilities list,
>> which is a pretty cool resource really. Any time a big company with a
>> lot of data offers a view into it, it is a useful thing, even if just to
>> understand the built-in filter on the data.
>>
>> They have both "internal" and "external" which I think could better be
>> further broken down into "authenticated scans" and "unauthenticated
>> scans". You'll see client-side attacks predominating the "internal"
>> scans, which were obviously found by the kind of patch-and-file checking
>> that authenticated scans allow.
>>
>> However, you'll also see very very strange things in the external scans.
>> The most weird is that Apache Chunked is a top-10 in August 2013, but
>> not in November of 2011. For it to be anywhere at all is strange,
>> because it's a 10 year old vulnerability that only affected Windows and
>> BSD-based Apaches in the first place (which are not the majority of
>> Apache installs, to say the least).
>>
>> So what conclusions can you draw? Is it a false positive? Is it weirdly
>> common? If it is a false positive, is this an issue with a particular
>> check in Qualys or is this vulnerability very hard to correctly
>> determine in the first place? Also, MS08-067 seems to me to be something
>> that should no longer be in the top-10...Wolfgang said he's looking into
>> it, so maybe we can get a response to the list at some point.
>>
>> It would be great if Tenable and Rapid7 and the other people in the VA
>> world would release similar numbers.
>>
>> -dave
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>

