Even after installing httpd patch provided by Apache, nessus scanning system is claiming:
55976 - Apache HTTP Server Byte Range DoS Synopsis The web server running on the remote host is affected by a denial of service vulnerability. Description The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild. See Also http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html http://www.gossamer-threads.com/lists/apache/dev/401638 http://www.nessus.org/u?404627ec http://httpd.apache.org/security/CVE-2011-3192.txt http://www.nessus.org/u?1538124a http://www-01.ibm.com/support/docview.wss?uid=swg24030863 Solution Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression. If the host is running a web server based on Apache httpd, contact the vendor for a fix. Risk Factor High CVSS Base Score 7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) CVSS Temporal Score 6.4 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C) References BID 49303 CVE CVE-2011-3192 XREF OSVDB:74721 XREF CERT:405811 26 XREF EDB-ID:17696 XREF EDB-ID:18221 Exploitable with Core Impact (true)Metasploit (true) Plugin Information: Publication date: 2011/08/25, Modification date: 2012/09/06 Ports tcp/443 Nessus determined the server is unpatched and is not using any of the suggested workarounds by making the following requests : -------------------- Testing for workarounds -------------------- HEAD /manual/rewrite/index.html HTTP/1.1 Host: 10.106.12.185 Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 Accept-Language: en Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10 Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10 Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* HTTP/1.0 206 Partial Content Date: Mon, 01 Oct 2012 08:36:33 GMT Server: Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.7a Content-Location: index.html.en Vary: negotiate,accept-language,accept-charset TCN: choice Last-Modified: Tue, 06 Jan 2009 21:40:05 GMT ETag: "bb44d-158f-401b9740;bb44c-ce-d99b0140" Accept-Ranges: bytes Content-Length: 836 Connection: close Content-Type: multipart/x-byteranges; boundary=4cafb4d91905b7f1 Content-Language: en -------------------- Testing for workarounds -------------------- -------------------- Testing for patch -------------------- HEAD /manual/rewrite/index.html HTTP/1.1 Host: 10.106.12.185 Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 Accept-Language: en Request-Range: bytes=0-,1- Range: bytes=0-,1- Connection: Close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* HTTP/1.0 206 Partial Content Date: Mon, 01 Oct 2012 08:36:33 GMT Server: Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.7a Content-Location: index.html.en Vary: negotiate,accept-language,accept-charset TCN: choice Last-Modified: Tue, 06 Jan 2009 21:40:05 GMT ETag: "bb44d-158f-401b9740;bb44c-ce-d99b0140" Accept-Ranges: bytes Content-Length: 11227 Connection: close Content-Type: multipart/x-byteranges; boundary=4cafb4d91ab998 [...]Ayelet Regev-Dabah System Software Platform TL Comverse Office: +972 3 6459362 [email protected] www.comverse.com -----Original Message----- From: Regev Ayelet [mailto:[email protected]] Sent: Tuesday, October 02, 2012 1:01 PM To: [email protected] Subject: RE: [users@httpd] availability of httpd 2.0.65 Any news on this issue? Ayelet Regev-Dabah System Software Platform TL Comverse Office: +972 3 6459362 [email protected] www.comverse.com -----Original Message----- From: Regev Ayelet [mailto:[email protected]] Sent: Sunday, September 30, 2012 4:08 PM To: [email protected] Subject: RE: [users@httpd] availability of httpd 2.0.65 In this link: http://wiki.apache.org/httpd/CVE-2011-3192 FIX ==== This vulnerability has been fixed in release 2.2.20 and further corrected in 2.2.21. You are advised to upgrade to version 2.2.21 (or newer) or the legacy 2.0.65 release, once this is published (anticipated in September). If you cannot upgrade, or cannot wait to upgrade - you can apply the appropriate source code patch and recompile a recent existing version; http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/ (for 2.2.9 - .14) http://www.apache.org/dist/httpd/patches/apply_to_2.2.19/ (for 2.2.15 - .19) http://www.apache.org/dist/httpd/patches/apply_to_2.0.64/ (for 2.0.55 - .64) If you cannot upgrade and/or cannot apply above patches in a timely manner then you should consider to apply one or more of the mitigation suggested below. Ayelet Regev-Dabah System Software Platform TL Comverse Office: +972 3 6459362 [email protected] www.comverse.com -----Original Message----- From: Eric Covener [mailto:[email protected]] Sent: Sunday, September 30, 2012 4:05 PM To: [email protected] Subject: Re: [users@httpd] availability of httpd 2.0.65 On Sun, Sep 30, 2012 at 9:56 AM, Regev Ayelet <[email protected]> wrote: > Hi All, > > According to apache.org , httpd 2.0.65 suppose to be released during > September. > Does anyone have updates on this issue? > I tried to install the patch, but my security system still claim there is a > security bug… > Where do you see a date listed for 2.0.65? --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] “This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Technology or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [email protected]. Thank You.” --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] “This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Technology or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [email protected]. Thank You.” --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] “This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Technology or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [email protected]. Thank You.”
