This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED-HTTPD-RHEL5.NASLRHEL 5 : httpd (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
-
httpd: mod_ssl NULL pointer dereference (CVE-2017-3169)
-
httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
-
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (CVE-2016-8743)
-
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user’s credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, ‘en-US’ is truncated to ‘en’). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all. (CVE-2017-15710)
-
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third- party modules outside of the authentication phase may lead to authentication requirements being bypassed.
(CVE-2017-3167) -
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type ‘Digest’ was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no ‘=’ assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. (CVE-2017-9788)
-
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user’s .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c. (CVE-2017-9798)
-
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage. (CVE-2018-1301)
-
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. (CVE-2019-0217)
-
A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL contains multiple consecutive slashes (‘/’), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them. (CVE-2019-0220)
-
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. (CVE-2019-10092)
-
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. (CVE-2019-10098)
-
In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. (CVE-2020-1934)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory httpd. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(195379);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");
script_cve_id(
"CVE-2016-8743",
"CVE-2017-3167",
"CVE-2017-3169",
"CVE-2017-9788",
"CVE-2017-9798",
"CVE-2017-15710",
"CVE-2018-1301",
"CVE-2018-1312",
"CVE-2019-0217",
"CVE-2019-0220",
"CVE-2019-10092",
"CVE-2019-10098",
"CVE-2020-1934"
);
script_xref(name:"CEA-ID", value:"CEA-2019-0203");
script_name(english:"RHEL 5 : httpd (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 5 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- httpd: mod_ssl NULL pointer dereference (CVE-2017-3169)
- httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
- Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted
from requests and sent in response lines and headers. Accepting these different behaviors represented a
security concern when httpd participates in any chain of proxies or interacts with back-end application
servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request
smuggling, response splitting and cache pollution. (CVE-2016-8743)
- In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured
with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding
when verifying the user's credentials. If the header value is not present in the charset conversion table,
a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example,
'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of
one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the
process would crash which could be used as a Denial of Service attack. In the more likely case, this
memory is already reserved for future use and the issue has no effect at all. (CVE-2017-15710)
- In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-
party modules outside of the authentication phase may lead to authentication requirements being bypassed.
(CVE-2017-3167)
- In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization
headers of type 'Digest' was not initialized or reset before or between successive key=value assignments
by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of
uninitialized pool memory used by the prior request, leading to leakage of potentially confidential
information, and a segfault in other cases resulting in denial of service. (CVE-2017-9788)
- Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be
set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This
affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an
unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue
and thus secret data is not always sent, and the specific data depends on many factors including
configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in
server/core.c. (CVE-2017-9798)
- A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an
out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is
considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is
classified as low risk for common server usage. (CVE-2018-1301)
- In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a
threaded server could allow a user with valid credentials to authenticate using another username,
bypassing configured access control restrictions. (CVE-2019-0217)
- A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL
contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account
for duplicates in regular expressions while other aspects of the servers processing will implicitly
collapse them. (CVE-2019-0220)
- In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the
mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point
to a page of their choice. This would only be exploitable where a server was set up with proxying enabled
but was misconfigured in such a way that the Proxy Error page was displayed. (CVE-2019-10092)
- In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be
self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the
request URL. (CVE-2019-10098)
- In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a
malicious FTP server. (CVE-2020-1934)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3169");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-1312");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '5')) audit(AUDIT_OS_NOT, 'Red Hat 5.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'httpd', 'release':'5', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'httpd'}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'httpd');
}
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8743
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15710
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3167
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9788
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1301
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1312
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0220
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10092
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10098
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1934
Related
