Dailydave mailing list archives
Re: Top10 Blowing Chunks :>
From: "Albert R. Campa" <abcampa () gmail com>
Date: Tue, 10 Sep 2013 10:25:57 -0500
This may be some of what the check looks for: https://community.qualys.com/thread/2242

I like how Nessus has open checks so you can see the source code.

On Mon, Sep 9, 2013 at 11:52 AM, Dave Aitel <dave () immunityinc com> wrote:

IIRC the vulnerability did not affect Linux in practice, as you needed to find a memcpy that was broken backwards or use the SEH (in the case of Windows) to handle the exception. I could be wrong though.

Is it possible that the Qualys check sees Apache server lines that have no version and marks them as potentially vulnerable? This would explain the prevalence of the check triggering in this day and age, as more people remove that information. It's also possible some WAF reacts strangely to the check, causing a false positive (or a true positive, but against the WAF?). Something here is worth digging into, but I'm not sure what the results will be. Is it possible for Qualys to release some of the logic of the check?

-dave

On 9/4/2013 2:34 PM, Wolfgang Kandek wrote:

Here is a bit more background on the data and our collection methods. The Top 10 are collected every 3 months and include data for the preceding 3 months. The aim is to give customers an idea of what is prevalent at the moment. External means that the data comes from the scanners that Qualys runs on the Internet and that are used by Qualys customers to scan their Internet-connected machines. Internal means that the data comes from the Scanner Appliances that customers run themselves and use to scan their internal networks. Our customers are free to run authenticated scans with the external scanners and free to scan their Internet-connected machines with the Scanner Appliances as well, but it is fair to say that most customers will use authenticated scans only on Scanner Appliances and will scan their Internet-connected machines with our external scanners. It is worth mentioning that our PCI service uses the external scanners for all audits.

In November 2011 the "Apache Chunked encoding" vulnerability was ranked #16 and did not make it into the Top 10 at the time. Since then we have seen many of the Top 10 vulnerabilities drop in number, so for example Win2000 obsolete has dropped fourfold, while Apache Chunked encoding has actually gone up. The vulnerability was pretty widespread at the time and affected Apache 1.3 and 2.0 on many operating systems, including Linux and many embedded devices, so it is possible that one of our customers has started scanning these types of ranges. The vulnerability is an active check (i.e. not banner based or software version based), and the detection has not been modified for the last couple of years. It affects the outcome of a PCI scan and we have had no Support tickets regarding FPs, which is a pretty good measure as to its accuracy. If Rapid7 or Tenable can share some of what they are seeing it would be helpful.

- Wolfgang

On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel <dave () immunityinc com> wrote:

http://www.qualys.com/research/top10/

So I recently found out about the Qualys Top 10 vulnerabilities list, which is a pretty cool resource really. Any time a big company with a lot of data offers a view into it, it is a useful thing, even if just to understand the built-in filter on the data. They have both "internal" and "external", which I think could better be further broken down into "authenticated scans" and "unauthenticated scans". You'll see client-side attacks predominating the "internal" scans, which were obviously found by the kind of patch-and-file checking that authenticated scans allow.

However, you'll also see very very strange things in the external scans. The most weird is that Apache Chunked is a top-10 in August 2013, but not in November of 2011. For it to be anywhere at all is strange, because it's a 10 year old vulnerability that only affected Windows and BSD-based Apaches in the first place (which are not the majority of Apache installs, to say the least). So what conclusions can you draw? Is it a false positive? Is it weirdly common? If it is a false positive, is this an issue with a particular check in Qualys or is this vulnerability very hard to correctly determine in the first place?

Also, MS08-067 seems to me to be something that should no longer be in the top-10... Wolfgang said he's looking into it, so maybe we can get a response to the list at some point. It would be great if Tenable and Rapid7 and the other people in the VA world would release similar numbers.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
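The false-positive mechanism Dave raises in the thread above (a version-based check that cannot decide on a `Server: Apache` banner with the version stripped, and a scanner that errs toward "potentially vulnerable") is illustrated here with an added Python example. It is not part of the thread and is not the logic of the Qualys, Nessus or Rapid7 checks; Wolfgang states that the Qualys check is active rather than banner based, so this only models the banner-based hypothesis. The fixed-release thresholds in `FIXED_IN` and the sample banners are constructed assumptions and must be replaced with the vendor advisory's values before the logic is trusted for anything real.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# ASSUMED thresholds (not taken from the thread): the first release of each
# affected branch named on the page (1.3 and 2.0) that is treated as fixed.
# Placeholder values; substitute the versions from the vendor advisory.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (1, 3): (1, 3, 26),
    (2, 0): (2, 0, 39),
}

# Matches the leading product token of a Server: header value only, so
# "Apache-Coyote/1.1" (Tomcat's connector) and "nginx/1.4.1" do not match,
# while "Apache/2.0.40 (Unix)" and a bare "Apache" do.
_SERVER_RE = re.compile(r"^\s*Apache(?:/(\d+(?:\.\d+)*))?(?:\s|$)", re.IGNORECASE)


def parse_apache_version(server_header: str) -> Tuple[bool, Optional[Version]]:
    """Return (is_apache_httpd, version_tuple_or_None) for a Server: value."""
    m = _SERVER_RE.match(server_header)
    if not m:
        return False, None
    if m.group(1) is None:
        return True, None  # ServerTokens tightened: product name, no version
    return True, tuple(int(p) for p in m.group(1).split("."))


def banner_verdict(server_header: str) -> str:
    """Classify one banner the way a purely version-based check would.

    Verdicts:
      not_apache       - some other product
      vulnerable       - affected branch, below the assumed fixed release
      not_vulnerable   - unaffected branch, or at/after the fixed release
      unknown_version  - Apache with the version stripped; a banner check
                         cannot decide, and counting this bucket as a hit is
                         exactly the false-positive path discussed above
    """
    is_apache, version = parse_apache_version(server_header)
    if not is_apache:
        return "not_apache"
    if version is None or len(version) < 2:
        return "unknown_version"
    fixed = FIXED_IN.get((version[0], version[1]))
    if fixed is None:
        return "not_vulnerable"  # branches outside the table were never affected
    return "vulnerable" if version < fixed else "not_vulnerable"


def triage(banners: Iterable[str], count_unknown_as_hit: bool) -> Dict[str, int]:
    """Tally verdicts over a batch of banners and report the hit count a
    scanner would emit under the chosen policy for unknown versions."""
    counts = {"vulnerable": 0, "not_vulnerable": 0,
              "unknown_version": 0, "not_apache": 0}
    for banner in banners:
        counts[banner_verdict(banner)] += 1
    hits = counts["vulnerable"]
    if count_unknown_as_hit:
        hits += counts["unknown_version"]
    return {**counts, "reported_hits": hits}


# Constructed sample banners (not observed data) covering each verdict.
SAMPLE_BANNERS = [
    "Apache/1.3.20 (Unix)",    # affected branch, below the assumed threshold
    "Apache/2.0.39 (Win32)",   # exactly the assumed fixed release
    "Apache/2.2.22 (Ubuntu)",  # branch never affected
    "Apache",                  # version stripped on a hardened host
    "Apache",                  # same again; common on current deployments
    "nginx/1.4.1",
    "Apache-Coyote/1.1",
    "Microsoft-IIS/7.5",
]

if __name__ == "__main__":
    for policy in (False, True):
        print("count unknown as hit =", policy, "->", triage(SAMPLE_BANNERS, policy))
```

Run against the sample set, the strict policy reports one hit while the permissive one reports three: the two version-stripped hosts inflate the count without a single extra vulnerable server, which is the shape of the trend Dave describes. An active check that exercises the behaviour, as Wolfgang says the Qualys one does, is immune to this particular inflation, though not to the WAF interaction he and Dave both leave open.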
Current thread:
- Top10 Blowing Chunks :> Dave Aitel (Sep 03)
- Re: Top10 Blowing Chunks :> Wolfgang Kandek (Sep 05)
- Re: Top10 Blowing Chunks :> Dave Aitel (Sep 09)
- Re: Top10 Blowing Chunks :> Albert R. Campa (Sep 10)
- Re: Top10 Blowing Chunks :> dan (Sep 18)
- Re: Top10 Blowing Chunks :> Dave Aitel (Sep 18)
- Re: Top10 Blowing Chunks :> Wolfgang Kandek (Sep 19)