<div dir="ltr">This may be some of what the check looks for.<div><a href="https://community.qualys.com/thread/2242">https://community.qualys.com/thread/2242</a><br></div><div><br></div><div>I like how Nessus has open checks so you can see the source code.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Sep 9, 2013 at 11:52 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">IIRC the vulnerability did not affect Linux in practice as you needed to<br>
find a memcpy that was broken backwards or use the SEH (in the case of<br>
Windows) to handle the exception. I could be wrong though.<br>
<br>
Is it possible that the Qualys check sees Apache server lines that have<br>
no version and marks them as potentially vulnerable? This would explain<br>
the prevalence of the check triggering in this day and age as more<br>
people remove that information. It's also possible some WAF reacts<br>
strangely to the check, causing a false positive (or a True Positive,<br>
but against the WAF?)<br>
<br>
Something here is worth digging into, but I'm not sure what the results<br>
will be. Is it possible for Qualys to release some of the logic of the<br>
check?<br>
<br>
-dave<br>
<div><div class="h5"><br>
<br>
On 9/4/2013 2:34 PM, Wolfgang Kandek wrote:<br>
> Here is a bit more background on the data and our collection methods.<br>
><br>
> The Top 10 are collected every 3 months and include data for the<br>
> preceding 3 months. The aim is to give customers an idea on what is<br>
> prevalent at the moment.<br>
><br>
> External means that the data comes from the scanners that Qualys runs<br>
> on the Internet and that are used by Qualys customers to scan their<br>
> Internet connected machines. Internal means that the data comes from<br>
> the Scanner Appliances that customers run themselves and use to scan<br>
> their internal networks. Our customers are free to run authenticated<br>
> scans with the external scanners and free to scan their Internet<br>
> connected machines with the Scanner Appliances as well, but it is fair<br>
> to say that most customers will use authenticated scans only on<br>
> Scanner Appliances and will scan their Internet connected machines<br>
> with our external scanners. It is worth mentioning that our PCI<br>
> service uses the external scanners for all audits.<br>
><br>
> In November 2011 the "Apache Chunked encoding" vulnerability was<br>
> ranked #16 and did not make it into the Top 10 at the time. Since then<br>
> we have seen many of the Top 10 vulnerabilities drop in number,<br>
> so for example Win2000 obsolete has dropped fourfold, while Apache<br>
> Chunked encoding has actually gone up.<br>
><br>
> The vulnerability was pretty widespread at the time and affected<br>
> Apache 1.3 and 2.0 on many operating systems, including Linux and many<br>
> embedded devices, so it is possible that one of our customers has<br>
> started scanning these types of ranges.<br>
><br>
</div></div>> The vulnerability is an active check (i.e. not banner based or software<br>
<div class="HOEnZb"><div class="h5">> version based), and the detection has not been modified for the last<br>
> couple of years. It affects the outcome of a PCI scan and we have had<br>
> no Support tickets regarding FPs, which is a pretty good measure as to<br>
> its accuracy.<br>
><br>
> If Rapid7 or Tenable can share some of what they are seeing it would be helpful.<br>
><br>
> -<br>
> Wolfgang<br>
><br>
><br>
> On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel <<a href="mailto:dave@immunityinc.com">dave@immunityinc.com</a>> wrote:<br>
>> <a href="http://www.qualys.com/research/top10/" target="_blank">http://www.qualys.com/research/top10/</a><br>
>><br>
>> So I recently found out about the Qualys Top 10 vulnerabilities list,<br>
>> which is a pretty cool resource really. Any time a big company with a<br>
>> lot of data offers a view into it, it is a useful thing, even if just to<br>
>> understand the built-in filter on the data.<br>
>><br>
>> They have both "internal" and "external" which I think could better be<br>
>> further broken down into "authenticated scans" and "unauthenticated<br>
>> scans". You'll see client-side attacks predominating in the "internal"<br>
>> scans, which were obviously found by the kind of patch-and-file checking<br>
>> that authenticated scans allow.<br>
>><br>
>> However, you'll also see very very strange things in the external scans.<br>
>> The most weird is that Apache Chunked is a top-10 in August 2013, but<br>
>> not in November of 2011. For it to be anywhere at all is strange,<br>
>> because it's a 10 year old vulnerability that only affected Windows and<br>
>> BSD-based Apaches in the first place (which are not the majority of<br>
>> Apache installs, to say the least).<br>
>><br>
>> So what conclusions can you draw? Is it a false positive? Is it weirdly<br>
>> common? If it is a false positive, is this an issue with a particular<br>
>> check in Qualys or is this vulnerability very hard to correctly<br>
>> determine in the first place? Also, MS08-067 seems to me to be something<br>
>> that should no longer be in the top-10...Wolfgang said he's looking into<br>
>> it, so maybe we can get a response to the list at some point.<br>
>><br>
>> It would be great if Tenable and Rapid7 and the other people in the VA<br>
>> world would release similar numbers.<br>
>><br>
>> -dave<br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Dailydave mailing list<br>
>> <a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
>> <a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
>><br>
<br>
<br>
</div></div>
<br></blockquote></div><br></div>
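<div>Added example, not code from the thread and not the logic of the Qualys or Nessus check (Wolfgang says the Qualys check is active, not banner based). It models the failure mode Dave speculates about: a banner-based classifier that counts a version-less <code>Server</code> header as a hit. The cut-off versions 1.3.26 and 2.0.39 are the real Apache releases that closed the chunked-encoding bug (CVE-2002-0392); the sample banners are constructed and the function names are mine.</div>

```python
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# First Apache httpd releases that fixed the chunked-encoding bug
# (CVE-2002-0392): 1.3.26 and 2.0.39. Only the 1.x and 2.0 branches
# were affected, which is what the thread says as well.
FIXED = {1: (1, 3, 26), 2: (2, 0, 39)}

# Matches "Apache", "Apache/2", "Apache/1.3", "Apache/1.3.26 (Unix)".
# The lookahead keeps it from matching e.g. "Apache-Coyote/1.1" (Tomcat),
# which is not httpd at all.
_BANNER_RE = re.compile(
    r"^Apache(?:/(\d+)(?:\.(\d+))?(?:\.(\d+))?)?(?=\s|$)", re.IGNORECASE
)


def parse_apache_banner(
    server: Optional[str],
) -> Tuple[bool, Optional[Tuple[int, int, int]]]:
    """Return (is_apache_httpd, full_version_or_None).

    A bare "Apache" (ServerTokens Prod) or a truncated "Apache/2"
    (ServerTokens Major) counts as Apache with an unknown version; that is
    exactly the case a banner-based check cannot decide.
    """
    if not server:
        return False, None
    m = _BANNER_RE.match(server.strip())
    if not m:
        return False, None
    major, minor, patch = m.groups()
    if major is None or minor is None or patch is None:
        return True, None
    return True, (int(major), int(minor), int(patch))


def classify(server: Optional[str], unknown_is_vulnerable: bool = False) -> str:
    """Banner-based verdict: 'vulnerable', 'patched', 'unknown' or 'not-apache'.

    With unknown_is_vulnerable=True the function models the hypothetical
    failure mode from the thread: a version-less banner is counted as a
    finding, so every server that hides its version becomes a hit.
    """
    is_apache, version = parse_apache_banner(server)
    if not is_apache:
        return "not-apache"
    if version is None:
        return "vulnerable" if unknown_is_vulnerable else "unknown"
    fixed = FIXED.get(version[0])
    if fixed is None:
        # No httpd major above 2 ever shipped the bug; anything else odd
        # (e.g. a "0.x" banner) is left undecided rather than guessed.
        return "patched" if version[0] > 2 else "unknown"
    return "patched" if version >= fixed else "vulnerable"


def tally(servers: Iterable[Optional[str]], unknown_is_vulnerable: bool = False) -> Counter:
    """Count verdicts over a set of banners, the way a Top 10 tally would."""
    return Counter(classify(s, unknown_is_vulnerable) for s in servers)


# Constructed sample banners (not real scan data).
SAMPLE_BANNERS = [
    "Apache/1.3.12 (Win32)",           # vulnerable
    "Apache/2.0.35 (Unix)",            # vulnerable
    "Apache/1.3.27 (Unix) PHP/4.3.2",  # patched
    "Apache/2.2.15 (CentOS)",          # patched (2.2 branch never had it)
    "Apache",                          # ServerTokens Prod: version unknown
    "Apache",                          # unknown
    "Apache/2",                        # ServerTokens Major: unknown
    "Apache-Coyote/1.1",               # Tomcat, not httpd
    "nginx/1.4.1",                     # not Apache
    None,                              # no Server header at all
]

if __name__ == "__main__":
    # The lenient tally more than doubles the "vulnerable" count purely
    # from servers whose version cannot be read off the banner.
    print("strict :", dict(tally(SAMPLE_BANNERS)))
    print("lenient:", dict(tally(SAMPLE_BANNERS, unknown_is_vulnerable=True)))
```

<div>Run over the constructed banners, the strict tally reports 2 vulnerable, 2 patched, 3 unknown and 3 not-apache; the lenient tally folds the 3 unknowns into "vulnerable" and reports 5. That is the shape of inflation Dave describes as more sites strip the version from their banner, and it is why an active check (sending the malformed chunked request and judging the response) rather than a banner match is the right design for this particular vulnerability.</div>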