[Dailydave] Top10 Blowing Chunks :>

Albert R. Campa abcampa at gmail.com
Tue Sep 10 11:25:57 EDT 2013


This may be some of what the check looks for.
https://community.qualys.com/thread/2242

I like how Nessus has open checks so you can see the source code.


On Mon, Sep 9, 2013 at 11:52 AM, Dave Aitel <dave at immunityinc.com> wrote:

> IIRC the vulnerability did not affect Linux in practice as you needed to
> find a memcpy that was broken backwards or use the SEH (in the case of
> Windows) to handle the exception. I could be wrong though.
>
> Is it possible that the Qualys check sees Apache server lines that have
> no version and marks them as potentially vulnerable? This would explain
> the prevalence of the check triggering in this day and age as more
> people remove that information. It's also possible some WAF reacts
> strangely to the check, causing a false positive (or a True Positive,
> but against the WAF?)
>
> Something here is worth digging into, but I'm not sure what the results
> will be. Is it possible for Qualys to release some of the logic of the
> check?
>
> -dave
>
>
> On 9/4/2013 2:34 PM, Wolfgang Kandek wrote:
> > Here is a bit more background on the data and our collection methods.
> >
> > The Top 10 are collected every 3 months and include data for the
> > preceding 3 months. The aim is to give customers an idea on what is
> > prevalent at the moment.
> >
> > External means that the data comes from the scanners that Qualys runs
> > on the Internet and that are used by Qualys customers to scan their
> > Internet connected machines. Internal means that the data comes from
> > the Scanner Appliances that customers run themselves and use to scan
> > their internal networks.  Our customers are free to run authenticated
> > scans with the external scanners and free to scan their Internet
> > connected machines with the Scanner Appliances as well, but it is fair
> > to say that most customers will use authenticated scans only on
> > Scanner Appliances and will scan their Internet connected machines
> > with our external scanners. It is worth mentioning that our PCI
> > service uses the external scanners for all audits.
> >
> > In November 2011 the "Apache Chunked encoding" vulnerability was
> > ranked #16 and did not make it into the Top 10 at the time. Since then
> > we have seen many of the Top 10 vulnerabilities drop in number,
> > so for example Win2000 obsolete has dropped fourfold, while Apache
> > Chunked encoding has actually gone up.
> >
> > The vulnerability was pretty widespread at the time and affected
> > Apache 1.3 and 2.0 on many operating systems, including Linux and many
> > embedded devices, so it is possible that one of our customers has
> > started scanning these types of ranges.
> >
> > The vulnerability is an active check (i.e. not banner based or software
> > version based), and the detection has not been modified for the last
> > couple of years. It affects the outcome of a PCI scan and we have had
> > no Support tickets regarding FPs, which is a pretty good measure as to
> > its accuracy.
> >
> > If Rapid7 or Tenable can share some of what they are seeing it would be
> > helpful.
> >
> > -
> > Wolfgang
> >
> >
> > On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel <dave at immunityinc.com> wrote:
> >> http://www.qualys.com/research/top10/
> >>
> >> So I recently found out about the Qualys Top 10 vulnerabilities list,
> >> which is a pretty cool resource really.  Any time a big company with a
> >> lot of data offers a view into it, it is a useful thing, even if just to
> >> understand the built-in filter on the data.
> >>
> >> They have both "internal" and "external" which I think could better be
> >> further broken down into "authenticated scans" and "unauthenticated
> >> scans". You'll see client-side attacks predominating in the "internal"
> >> scans, which were obviously found by the kind of patch-and-file checking
> >> that authenticated scans allow.
> >>
> >> However, you'll also see very very strange things in the external scans.
> >> The most weird is that Apache Chunked is a top-10 in August 2013, but
> >> not in November of 2011. For it to be anywhere at all is strange,
> >> because it's a 10 year old vulnerability that only affected Windows and
> >> BSD-based Apaches in the first place (which are not the majority of
> >> Apache installs, to say the least).
> >>
> >> So what conclusions can you draw? Is it a false positive? Is it weirdly
> >> common? If it is a false positive, is this an issue with a particular
> >> check in Qualys or is this vulnerability very hard to correctly
> >> determine in the first place? Also, MS08-067 seems to me to be something
> >> that should no longer be in the top-10...Wolfgang said he's looking into
> >> it, so maybe we can get a response to the list at some point.
> >>
> >> It would be great if Tenable and Rapid7 and the other people in the VA
> >> world would release similar numbers.
> >>
> >> -dave
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> Dailydave mailing list
> >> Dailydave at lists.immunityinc.com
> >> https://lists.immunityinc.com/mailman/listinfo/dailydave
> >>
>
>
>
>
>
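An added illustration of the banner-versus-active distinction argued over in the quoted replies. This is my own example, not Qualys, Nessus or any other scanner's code, and Wolfgang's reply states that the real check is active rather than banner based, so it only models the hypothesis Dave raises: a version-based check has to decide what to do with a "Server: Apache" banner that carries no version, and a policy of counting those as vulnerable inflates the finding count as more sites strip version strings. The fixed versions (1.3.26 and 2.0.39) are taken from the original Apache advisory for the chunked-encoding bug (CVE-2002-0392); the banners are constructed samples, and nothing here sends any traffic.

```python
import re
from collections import Counter

# Versions in which the Apache chunked-encoding bug (CVE-2002-0392) was fixed,
# keyed by major version; per the original Apache advisory (not from the thread).
FIXED = {1: (1, 3, 26), 2: (2, 0, 39)}

# Matches "Apache/1.3.20", "Apache/2.0.36 (Win32)" etc.; a bare "Apache" has no match.
_VER_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)")


def classify_banner(server_header):
    """Classify a Server: header value as a pure version-based check would.

    Returns 'vulnerable', 'patched', 'unknown' (Apache with no version) or
    'not_apache'. This is the banner logic only; it sends no request.
    """
    if "Apache" not in server_header:
        return "not_apache"
    m = _VER_RE.search(server_header)
    if not m:
        return "unknown"          # e.g. ServerTokens Prod strips the version
    ver = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(ver[0])
    if fixed is None:
        return "patched"          # 2.2/2.4 trees post-date the fix entirely
    return "vulnerable" if ver < fixed else "patched"


def count_findings(banners, unknown_is_vulnerable):
    """Tally banners the way a scanner report would, under a chosen policy
    for versionless Apache banners. Returns a Counter of classifications."""
    tally = Counter()
    for banner in banners:
        cls = classify_banner(banner)
        if cls == "unknown" and unknown_is_vulnerable:
            cls = "vulnerable"    # the policy Dave suspects inflates the Top 10
        tally[cls] += 1
    return tally


# Constructed sample banners, not scan data from Qualys or anyone else.
SAMPLE_BANNERS = [
    "Apache/1.3.20 (Unix)",      # pre-fix 1.3 tree
    "Apache/2.0.36 (Win32)",     # pre-fix 2.0 tree
    "Apache/2.2.22 (Debian)",    # never affected
    "Apache",                    # version stripped
    "Apache",                    # version stripped
    "nginx/1.4.1",               # not Apache at all
]


if __name__ == "__main__":
    print("strict policy :", dict(count_findings(SAMPLE_BANNERS, False)))
    print("lenient policy:", dict(count_findings(SAMPLE_BANNERS, True)))
```

On the constructed sample the strict policy reports two vulnerable hosts and two unknowns, while the lenient policy reports four vulnerable hosts; the gap between the two is exactly the population of hosts that hide their version, which grows over time. An active check avoids this choice by exercising the bug itself, which is why Wolfgang's point that the check is "not banner based or software version based" matters to the false-positive question.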

