According to the versions of the httpd packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.(CVE-2014-0098)
A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the ‘apache’ user.(CVE-2014-0226)
It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning.(CVE-2016-8743)
A NULL pointer dereference flaw was found in the way the mod_cache httpd module handled Content-Type headers. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP server was configured to proxy to a server with caching enabled.(CVE-2014-3581)
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding.
A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.(CVE-2015-3183)
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user’s credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, ‘en-US’ is truncated to ‘en’). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.(CVE-2017-15710)
A NULL pointer dereference flaw was found in the httpd’s mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request.(CVE-2017-3169)
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.(CVE-2016-5387)
A buffer over-read flaw was found in the httpd’s mod_mime module. A user permitted to modify httpd’s MIME configuration could use this flaw to cause httpd child process to crash.(CVE-2017-7679)
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache.
The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.(CVE-2018-1303)
It was discovered that the httpd’s mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.(CVE-2017-9788)
A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.(CVE-2013-5704)
A buffer over-read flaw was found in the httpd’s ap_find_token() function. A remote attacker could use this flaw to cause httpd child process to crash via a specially crafted HTTP request.(CVE-2017-7668)
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration.
It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.(CVE-2019-0217)
A NULL pointer dereference flaw was found in the mod_cache httpd module. A malicious HTTP server could cause the httpd child process to crash when the Apache HTTP Server was used as a forward proxy with caching.
(CVE-2013-4352)
he dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request. (CVE-2013-6438)
A denial of service flaw was found in the mod_proxy httpd module. A remote attacker could send a specially crafted request to a server configured as a reverse proxy using a threaded Multi-Processing Modules (MPM) that would cause the httpd child process to crash.
(CVE-2014-0117)
A denial of service flaw was found in the way httpd’s mod_deflate module handled request body decompression (configured via the ‘DEFLATE’ input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system.(CVE-2014-0118)
A denial of service flaw was found in the way httpd’s mod_cgid module executed CGI scripts that did not read data from the standard input. A remote attacker could submit a specially crafted request that would cause the httpd child process to hang indefinitely.(CVE-2014-0231)
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied. (CVE-2015-3185)
It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user’s browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)
It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication.(CVE-2016-2161)
It was discovered that the use of httpd’s ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd.(CVE-2017-3167)
A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. (CVE-2018-1312)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(124922);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2013-4352",
"CVE-2013-5704",
"CVE-2013-6438",
"CVE-2014-0098",
"CVE-2014-0117",
"CVE-2014-0118",
"CVE-2014-0226",
"CVE-2014-0231",
"CVE-2014-3581",
"CVE-2015-3183",
"CVE-2015-3185",
"CVE-2016-0736",
"CVE-2016-2161",
"CVE-2016-5387",
"CVE-2016-8743",
"CVE-2017-15710",
"CVE-2017-3167",
"CVE-2017-3169",
"CVE-2017-7668",
"CVE-2017-7679",
"CVE-2017-9788",
"CVE-2017-9798",
"CVE-2018-1303",
"CVE-2018-1312",
"CVE-2019-0217"
);
script_bugtraq_id(
66303,
66550,
68678,
68740,
68742,
68745,
68863,
69248,
71656,
75963,
75965
);
script_name(english:"EulerOS Virtualization 3.0.1.0 : httpd (EulerOS-SA-2019-1419)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the httpd packages installed, the
EulerOS Virtualization installation on the remote host is affected by
the following vulnerabilities :
- The log_cookie function in mod_log_config.c in the
mod_log_config module in the Apache HTTP Server before
2.4.8 allows remote attackers to cause a denial of
service (segmentation fault and daemon crash) via a
crafted cookie that is not properly handled during
truncation.(CVE-2014-0098)
- A race condition flaw, leading to heap-based buffer
overflows, was found in the mod_status httpd module. A
remote attacker able to access a status page served by
mod_status on a server using a threaded
Multi-Processing Module (MPM) could send a specially
crafted request that would cause the httpd child
process to crash or, possibly, allow the attacker to
execute arbitrary code with the privileges of the
'apache' user.(CVE-2014-0226)
- It was discovered that the HTTP parser in httpd
incorrectly allowed certain characters not permitted by
the HTTP protocol specification to appear unencoded in
HTTP request headers. If httpd was used in conjunction
with a proxy or backend server that interpreted those
characters differently, a remote attacker could
possibly use this flaw to inject data into HTTP
responses, resulting in proxy cache
poisoning.(CVE-2016-8743)
- A NULL pointer dereference flaw was found in the way
the mod_cache httpd module handled Content-Type
headers. A malicious HTTP server could cause the httpd
child process to crash when the Apache HTTP server was
configured to proxy to a server with caching
enabled.(CVE-2014-3581)
- Multiple flaws were found in the way httpd parsed HTTP
requests and responses using chunked transfer encoding.
A remote attacker could use these flaws to create a
specially crafted request, which httpd would decode
differently from an HTTP proxy software in front of it,
possibly leading to HTTP request smuggling
attacks.(CVE-2015-3183)
- In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and
2.4.0 to 2.4.29, mod_authnz_ldap, if configured with
AuthLDAPCharsetConfig, uses the Accept-Language header
value to lookup the right charset encoding when
verifying the user's credentials. If the header value
is not present in the charset conversion table, a
fallback mechanism is used to truncate it to a two
characters value to allow a quick retry (for example,
'en-US' is truncated to 'en'). A header value of less
than two characters forces an out of bound write of one
NUL byte to a memory location that is not part of the
string. In the worst case, quite unlikely, the process
would crash which could be used as a Denial of Service
attack. In the more likely case, this memory is already
reserved for future use and the issue has no effect at
all.(CVE-2017-15710)
- A NULL pointer dereference flaw was found in the
httpd's mod_ssl module. A remote attacker could use
this flaw to cause an httpd child process to crash if
another module used by httpd called a certain API
function during the processing of an HTTPS
request.(CVE-2017-3169)
- It was discovered that httpd used the value of the
Proxy header from HTTP requests to initialize the
HTTP_PROXY environment variable for CGI scripts, which
in turn was incorrectly used by certain HTTP client
implementations to configure the proxy for outgoing
HTTP requests. A remote attacker could possibly use
this flaw to redirect HTTP requests performed by a CGI
script to an attacker-controlled proxy via a malicious
HTTP request.(CVE-2016-5387)
- A buffer over-read flaw was found in the httpd's
mod_mime module. A user permitted to modify httpd's
MIME configuration could use this flaw to cause httpd
child process to crash.(CVE-2017-7679)
- A specially crafted HTTP request header could have
crashed the Apache HTTP Server prior to version 2.4.30
due to an out of bound read while preparing data to be
cached in shared memory. It could be used as a Denial
of Service attack against users of mod_cache_socache.
The vulnerability is considered as low risk since
mod_cache_socache is not widely used, mod_cache_disk is
not concerned by this vulnerability.(CVE-2018-1303)
- It was discovered that the httpd's mod_auth_digest
module did not properly initialize memory before using
it when processing certain headers related to digest
authentication. A remote attacker could possibly use
this flaw to disclose potentially sensitive information
or cause httpd child process to crash by sending
specially crafted requests to a server.(CVE-2017-9788)
- A flaw was found in the way httpd handled HTTP Trailer
headers when processing requests using chunked
encoding. A malicious client could use Trailer headers
to set additional HTTP headers after header processing
was performed by other modules. This could, for
example, lead to a bypass of header restrictions
defined with mod_headers.(CVE-2013-5704)
- A buffer over-read flaw was found in the httpd's
ap_find_token() function. A remote attacker could use
this flaw to cause httpd child process to crash via a
specially crafted HTTP request.(CVE-2017-7668)
- A race condition was found in mod_auth_digest when the
web server was running in a threaded MPM configuration.
It could allow a user with valid credentials to
authenticate using another username, bypassing
configured access control restrictions.(CVE-2019-0217)
- A NULL pointer dereference flaw was found in the
mod_cache httpd module. A malicious HTTP server could
cause the httpd child process to crash when the Apache
HTTP Server was used as a forward proxy with caching.
(CVE-2013-4352)
- he dav_xml_get_cdata function in main/util.c in the
mod_dav module in the Apache HTTP Server before 2.4.8
does not properly remove whitespace characters from
CDATA sections, which allows remote attackers to cause
a denial of service (daemon crash) via a crafted DAV
WRITE request. (CVE-2013-6438)
- A denial of service flaw was found in the mod_proxy
httpd module. A remote attacker could send a specially
crafted request to a server configured as a reverse
proxy using a threaded Multi-Processing Modules (MPM)
that would cause the httpd child process to crash.
(CVE-2014-0117)
- A denial of service flaw was found in the way httpd's
mod_deflate module handled request body decompression
(configured via the 'DEFLATE' input filter). A remote
attacker able to send a request whose body would be
decompressed could use this flaw to consume an
excessive amount of system memory and CPU on the target
system.(CVE-2014-0118)
- A denial of service flaw was found in the way httpd's
mod_cgid module executed CGI scripts that did not read
data from the standard input. A remote attacker could
submit a specially crafted request that would cause the
httpd child process to hang
indefinitely.(CVE-2014-0231)
- It was discovered that in httpd 2.4, the internal API
function ap_some_auth_required() could incorrectly
indicate that a request was authenticated even when no
authentication was used. An httpd module using this API
function could consequently allow access that should
have been denied. (CVE-2015-3185)
- It was discovered that the mod_session_crypto module of
httpd did not use any mechanisms to verify integrity of
the encrypted session data stored in the user's
browser. A remote attacker could use this flaw to
decrypt and modify session data using a padding oracle
attack. (CVE-2016-0736)
- It was discovered that the mod_auth_digest module of
httpd did not properly check for memory allocation
failures. A remote attacker could use this flaw to
cause httpd child processes to repeatedly crash if the
server used HTTP digest authentication.(CVE-2016-2161)
- It was discovered that the use of httpd's
ap_get_basic_auth_pw() API function outside of the
authentication phase could lead to authentication
bypass. A remote attacker could possibly use this flaw
to bypass required authentication if the API was used
incorrectly by one of the modules used by
httpd.(CVE-2017-3167)
- A use-after-free flaw was found in the way httpd
handled invalid and previously unregistered HTTP
methods specified in the Limit directive used in an
.htaccess file. A remote attacker could possibly use
this flaw to disclose portions of the server memory, or
cause httpd child process to crash. (CVE-2017-9798)
- In Apache httpd 2.2.0 to 2.4.29, when generating an
HTTP Digest authentication challenge, the nonce sent to
prevent reply attacks was not correctly generated using
a pseudo-random seed. In a cluster of servers using a
common Digest authentication configuration, HTTP
requests could be replayed across servers by an
attacker without detection. (CVE-2018-1312)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1419
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4b195f8e");
script_set_attribute(attribute:"solution", value:
"Update the affected httpd packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:httpd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:httpd-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:mod_ssl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.1.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.1.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.1.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["httpd-2.4.6-80.1.h6",
"httpd-tools-2.4.6-80.1.h6",
"mod_ssl-2.4.6-80.1.h6"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "httpd");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4352
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0098
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0117
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0118
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0226
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0231
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3581
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3185
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0736
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2161
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15710
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7668
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7679
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1303
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1312
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217
www.nessus.org/u?4b195f8e