The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for subsequent requests on the same connection to pass through with no HTTP validation, authentication or authorization possibly configured. (CVE-2019-17567)
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make it possible, with limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow (CVE-2020-35452)
Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)
Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with ‘MergeSlashes OFF’ (CVE-2021-30641)
A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
(CVE-2021-33193)
A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)
A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22719)
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22721)
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. (CVE-2022-23943)
Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
(CVE-2022-26377)
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use the ‘ap_rputs’ function and may pass it a very large (INT_MAX or larger) string must be compiled against current headers to resolve the issue. (CVE-2022-28614)
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may hypothetically be affected. (CVE-2022-28615)
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0) may cause a denial of service due to no default limit on possible input size. (CVE-2022-29404)
If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
(CVE-2022-30522)
Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
(CVE-2022-36760)
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. (CVE-2022-37436)
HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. (CVE-2023-27522)
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server:
through 2.4.57. (CVE-2023-31122)
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. (CVE-2023-38709)
HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. (CVE-2024-24795)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory httpd. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(195442);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");
script_cve_id(
"CVE-2019-17567",
"CVE-2020-35452",
"CVE-2021-26690",
"CVE-2021-30641",
"CVE-2021-33193",
"CVE-2021-36160",
"CVE-2022-22719",
"CVE-2022-22721",
"CVE-2022-23943",
"CVE-2022-26377",
"CVE-2022-28614",
"CVE-2022-28615",
"CVE-2022-29404",
"CVE-2022-30522",
"CVE-2022-31813",
"CVE-2022-36760",
"CVE-2022-37436",
"CVE-2023-27522",
"CVE-2023-31122",
"CVE-2023-38709",
"CVE-2024-24795"
);
script_name(english:"RHEL 7 : httpd (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
- Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configured on an URL that is not
necessarily Upgraded by the origin server was tunneling the whole connection regardless, thus allowing for
subsequent requests on the same connection to pass through with no HTTP validation, authentication or
authorization possibly configured. (CVE-2019-17567)
- Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in
mod_auth_digest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team
could create one, though some particular compiler and/or compilation option might make it possible, with
limited consequences anyway due to the size (a single byte) and the value (zero byte) of the overflow
(CVE-2020-35452)
- Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can
cause a NULL pointer dereference and crash, leading to a possible Denial Of Service (CVE-2021-26690)
- Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'
(CVE-2021-30641)
- A crafted method sent through HTTP/2 will bypass validation and be forwarded by mod_proxy, which can lead
to request splitting or cache poisoning. This issue affects Apache HTTP Server 2.4.17 to 2.4.48.
(CVE-2021-33193)
- A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and
crash (DoS). This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 (inclusive). (CVE-2021-36160)
- A carefully crafted request body can cause a read to a random memory area which could cause the process to
crash. This issue affects Apache HTTP Server 2.4.52 and earlier. (CVE-2022-22719)
- If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems
an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server
2.4.52 and earlier. (CVE-2022-22721)
- Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap
memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and
prior versions. (CVE-2022-23943)
- Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of
Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This
issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.53 and prior versions.
(CVE-2022-26377)
- The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an
attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with
mod_luas r:puts() function. Modules compiled and distributed separately from Apache HTTP Server that use
the 'ap_rputs' function and may pass it a very large (INT_MAX or larger) string must be compiled against
current headers to resolve the issue. (CVE-2022-28614)
- Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to a read beyond bounds in
ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the
server can be coerced into such a call, third-party modules or lua scripts that use ap_strcmp_match() may
hypothetically be affected. (CVE-2022-28615)
- In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody(0)
may cause a denial of service due to no default limit on possible input size. (CVE-2022-29404)
- If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed in contexts where the input
to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
(CVE-2022-30522)
- Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of
Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This
issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
(CVE-2022-36760)
- Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated
early, resulting in some headers being incorporated into the response body. If the later headers have any
security purpose, they will not be interpreted by the client. (CVE-2022-37436)
- HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache
HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can
truncate/split the response forwarded to the client. (CVE-2023-27522)
- Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server:
through 2.4.57. (CVE-2023-31122)
- Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators
to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. (CVE-2023-38709)
- HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject
malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are
recommended to upgrade to version 2.4.59, which fixes this issue. (CVE-2024-24795)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-31813");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/06/01");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:httpd");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'httpd', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'httpd'}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'httpd');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17567
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35452
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26690
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30641
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33193
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36160
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22719
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22721
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23943
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26377
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28614
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28615
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29404
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30522
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31813
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36760
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27522
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31122
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38709
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24795