Hi,

On 20.06.2017 13:37, Jan Schwarzkopf wrote:
> Hi,
> 
> while scanning our Ubuntu hosts - most of them have installed a typical 
> LAMP stack - we recognized a large amount of false-positive results. This is 
> probably due to the special version number strings of Ubuntu. 
> 
> Here's an example:
> 
> NVT "PHP Version Detection" detects the following information:
> 
> Detected PHP
> Version: 5.5.9
> Location: tcp/443
> CPE: cpe:/a:php:php:5.5.9
> 
> Concluded from version identification result:
> X-Powered-By: PHP/5.5.9-1ubuntu4.20 
> 
> As a result many other NVTs based on this remote banner are detected, 
> although the security gaps have already been fixed by the Ubuntu maintainers, 
> e.g. the NVT "PHP Denial of Service And Unspecified Vulnerabilities - 01 - 
> Jul16 (Linux)" / 1.3.6.1.4.1.25623.1.0.808607. The associated CVE was fixed 
> in package version 5.5.9+dfsg-1ubuntu4.17.
> 
> https://www.ubuntu.com/usn/usn-2984-1/
> https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4342.html
> 
> Is there any possibility to prevent these false-positive results from OpenVAS?

this is already prevented by default through the usage of the QoD
concept described here:

http://docs.greenbone.net/GSM-Manual/gos-3.1/en/glossary.html#quality-of-detection-qod

So if you're getting results / vulnerabilities for PHP like for
1.3.6.1.4.1.25623.1.0.808607 this is because you have set a filter for
the default QoD value below 70% in your Results / Report overview.

> Many of the problems could already be solved by hiding the version numbers 
> but there are still some services where this error occurs.
> 
> Best Regards
> Jan

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
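
Added example, not part of the thread and not Greenbone's code: a triage sketch in Python showing why the banner in the question needs a low QoD, and how a minimum-QoD filter of 70 hides the resulting finding. The function names, the revision-comparison heuristic (numeric fields only, not full dpkg version ordering) and the sample QoD values are assumptions made for illustration.

```python
import re

# Fixed package version quoted in the thread (USN-2984-1).
FIXED_PKG = "5.5.9+dfsg-1ubuntu4.17"
DEFAULT_MIN_QOD = 70  # default results filter referred to in the reply

def split_banner(banner):
    """Split 'PHP/5.5.9-1ubuntu4.20' into (upstream, distro_revision or None)."""
    m = re.fullmatch(r"PHP/(\d+(?:\.\d+)*)(?:-(\S+))?", banner.strip())
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return m.group(1), m.group(2)

def revision_key(rev):
    """Heuristic (assumption): numeric fields only, '1ubuntu4.20' -> (1, 4, 20)."""
    return tuple(int(n) for n in re.findall(r"\d+", rev))

def backport_fixed(banner, fixed_pkg=FIXED_PKG):
    """True/False if the banner's distro revision can be compared with the
    fixed package revision; None when the banner alone cannot decide."""
    upstream, rev = split_banner(banner)
    fixed_upstream, _, fixed_rev = fixed_pkg.partition("-")
    fixed_upstream = fixed_upstream.split("+")[0]  # drop the '+dfsg' repack tag
    if rev is None or upstream != fixed_upstream:
        return None
    return revision_key(rev) >= revision_key(fixed_rev)

def visible(results, min_qod=DEFAULT_MIN_QOD):
    """Apply a minimum-QoD results filter, as the report overview does."""
    return [r for r in results if r["qod"] >= min_qod]

# Constructed sample results. The QoD numbers are illustrative: the reply only
# implies that the banner-based PHP result sits below 70.
SAMPLE = [
    {"oid": "1.3.6.1.4.1.25623.1.0.808607", "source": "remote banner", "qod": 30},
    {"oid": "placeholder-package-check", "source": "authenticated package check", "qod": 97},
]

if __name__ == "__main__":
    banner = "PHP/5.5.9-1ubuntu4.20"
    print(split_banner(banner), "backport fixed:", backport_fixed(banner))
    print("shown at min QoD 70:", [r["oid"] for r in visible(SAMPLE)])
    print("shown at min QoD 0: ", [r["oid"] for r in visible(SAMPLE, 0)])
```
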