This may be some of what the check looks for. https://community.qualys.com/thread/2242
I like how Nessus has open checks so you can see the source code.

On Mon, Sep 9, 2013 at 11:52 AM, Dave Aitel <[email protected]> wrote:
> IIRC the vulnerability did not affect Linux in practice as you needed to
> find a memcpy that was broken backwards or use the SEH (in the case of
> Windows) to handle the exception. I could be wrong though.
>
> Is it possible that the Qualys check sees Apache server lines that have
> no version and marks them as potentially vulnerable? This would explain
> the prevalence of the check triggering in this day and age as more
> people remove that information. It's also possible some WAF reacts
> strangely to the check, causing a false positive (or a True Positive,
> but against the WAF?)
>
> Something here is worth digging into, but I'm not sure what the results
> will be. Is it possible for Qualys to release some of the logic of the
> check?
>
> -dave
>
> On 9/4/2013 2:34 PM, Wolfgang Kandek wrote:
> > Here is a bit more background on the data and our collection methods.
> >
> > The Top 10 are collected every 3 months and include data for the
> > preceding 3 months. The aim is to give customers an idea on what is
> > prevalent at the moment.
> >
> > External means that the data comes from the scanners that Qualys runs
> > on the Internet and that are used by Qualys customers to scan their
> > Internet connected machines. Internal means that the data comes from
> > the Scanner Appliances that customers run themselves and use to scan
> > their internal networks. Our customers are free to run authenticated
> > scans with the external scanners and free to scan their Internet
> > connected machines with the Scanner Appliances as well, but it is fair
> > to say that most customers will use authenticated scans only on
> > Scanner Appliances and will scan their Internet connected machines
> > with our external scanners. It is worth mentioning that our PCI
> > service uses the external scanners for all audits.
> >
> > In November 2011 the "Apache Chunked encoding" vulnerability was
> > ranked #16 and did not make it into the Top 10 at the time. Since then
> > we have seen many of the Top 10 vulnerabilities drop in number,
> > so for example Win2000 obsolete has dropped fourfold, while Apache
> > Chunked encoding has actually gone up.
> >
> > The vulnerability was pretty widespread at the time and affected
> > Apache 1.3 and 2.0 on many operating systems, including Linux and many
> > embedded devices, so it is possible that one of our customers has
> > started scanning these types of ranges.
> >
> > The vulnerability is an active check (i.e. not banner based or software
> > version based), and the detection has not been modified for the last
> > couple of years. It affects the outcome of a PCI scan and we have had
> > no Support tickets regarding FPs, which is a pretty good measure as to
> > its accuracy.
> >
> > If Rapid7 or Tenable can share some of what they are seeing it would be
> > helpful.
> >
> > -
> > Wolfgang
> >
> > On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel <[email protected]> wrote:
> >> http://www.qualys.com/research/top10/
> >>
> >> So I recently found out about the Qualys Top 10 vulnerabilities list,
> >> which is a pretty cool resource really. Any time a big company with a
> >> lot of data offers a view into it, it is a useful thing, even if just to
> >> understand the built-in filter on the data.
> >>
> >> They have both "internal" and "external" which I think could better be
> >> further broken down into "authenticated scans" and "unauthenticated
> >> scans". You'll see client-side attacks predominating the "internal"
> >> scans, which were obviously found by the kind of patch-and-file checking
> >> that authenticated scans allow.
> >>
> >> However, you'll also see very very strange things in the external scans.
> >> The most weird is that Apache Chunked is a top-10 in August 2013, but
> >> not in November of 2011. For it to be anywhere at all is strange,
> >> because it's a 10 year old vulnerability that only affected Windows and
> >> BSD-based Apaches in the first place (which are not the majority of
> >> Apache installs, to say the least).
> >>
> >> So what conclusions can you draw? Is it a false positive? Is it weirdly
> >> common? If it is a false positive, is this an issue with a particular
> >> check in Qualys or is this vulnerability very hard to correctly
> >> determine in the first place? Also, MS08-067 seems to me to be something
> >> that should no longer be in the top-10... Wolfgang said he's looking into
> >> it, so maybe we can get a response to the list at some point.
> >>
> >> It would be great if Tenable and Rapid7 and the other people in the VA
> >> world would release similar numbers.
> >>
> >> -dave
> >>
> >> _______________________________________________
> >> Dailydave mailing list
> >> [email protected]
> >> https://lists.immunityinc.com/mailman/listinfo/dailydave
