[4eyes] FW: [UCSB-OIT #526629] Vulnerabilities Found on 128.111.28.114
Matthew Turk
mturk at cs.ucsb.edu
Wed Oct 30 13:55:23 PDT 2013
We have a vulnerability: machine 128.111.28.114 has versions of Apache and PHP that need to be updated. Whose machine is this? Please let Tobias and me know (so we'll know it's being addressed) and update appropriately.
Thanks,
Matthew
-----Original Message-----
From: Todd Atkins via RT [mailto:vsc at oit.ucsb.edu]
Sent: Wednesday, October 30, 2013 11:18 AM
To: support at cs.ucsb.edu
Subject: [UCSB-OIT #526629] Vulnerabilities Found on 128.111.28.114
Greetings:
Our vulnerability scanner has found a potentially vulnerable host on your network. You should consider taking the recommended actions mentioned in this report in order to reduce the chances of this host being abused by an attacker. If you believe any part of this report to be incorrect, please let us know so that we can work to improve our reporting accuracy.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Here is information about potential vulnerabilities that were found:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
IP : 128.111.28.114
Name : ilab-114.cs.ucsb.edu
Scan Time : Mon Oct 28 08:58:25 2013
Service : http (80/tcp)
Script ID : 68915
Synopsis :
The remote web server may be affected by multiple cross-site scripting
vulnerabilities.
Description :
According to its banner, the version of Apache 2.2 installed on the
remote host is earlier than 2.2.25. It is, therefore, potentially
affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it
fails to sanitize escape sequences from being written
to log files, making it potentially vulnerable to
arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to
the 'mod_dav' module as it relates to MERGE requests.
(CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has
relied on the version in the server's banner.
See also :
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution :
Either ensure that the affected modules are not in use or upgrade to
Apache version 2.2.25 or later.
CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 4.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true
Plugin output :
Version source : Server: Apache/2.2.24
Installed version : 2.2.24
Fixed version : 2.2.25
CVE : CVE-2013-1862, CVE-2013-1896
BID : 59826, 61129
Other references : OSVDB:93366, OSVDB:95498, IAVA:2013-A-0146
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
IP : 128.111.28.114
Name : ilab-114.cs.ucsb.edu
Scan Time : Mon Oct 28 08:58:25 2013
Service : http (80/tcp)
Script ID : 69348
Synopsis :
The remote web server uses a version of PHP that is potentially
affected by a buffer overflow vulnerability.
Description :
According to its banner, the version of PHP 5.5.x installed on the
remote host is a version prior to 5.5.1. It is, therefore, potentially
affected by a buffer overflow error that exists in the file
'ext/xml/xml.c'.
Note that this plugin does not attempt to exploit this vulnerability,
but instead relies only on PHP's self-reported version number.
See also :
https://bugs.php.net/bug.php?id=65236
http://www.php.net/ChangeLog-5.php#5.5.1
Solution :
Apply the vendor patch or upgrade to PHP version 5.5.1 or later.
CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true
Plugin output :
Version source : Server: Apache/2.2.24 (Unix) PHP/5.5.0RC1 DAV/2 mod_python/3.3.1 Python/2.7.1
Installed version : 5.5.0RC1
Fixed version : 5.5.1
CVE : CVE-2013-4113
BID : 61128
Other references : OSVDB:95152
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
IP : 128.111.28.114
Name : ilab-114.cs.ucsb.edu
Scan Time : Mon Oct 28 08:58:25 2013
Service : http (80/tcp)
Script ID : 69402
Synopsis :
The remote web server uses a version of PHP that is potentially
affected by multiple vulnerabilities.
Description :
According to its banner, the version of PHP 5.5.x installed on the
remote host is a version prior to 5.5.2. It is, therefore,
potentially affected by the following vulnerabilities :
- An error exists related to the 'Sessions' subsystem
that can allow an attacker to hijack the session of
another user. (CVE-2011-4718 / Bug #60491)
- An error exists related to certificate validation, the
'subjectAltName' field and certificates containing NULL
bytes. This error can allow spoofing attacks.
(CVE-2013-4248)
Note that this plugin does not attempt to exploit these
vulnerabilities, but instead relies only on PHP's self-reported
version number.
See also :
https://bugs.php.net/bug.php?id=60491
http://www.php.net/ChangeLog-5.php#5.5.2
Solution :
Upgrade to PHP version 5.5.3 or later.
Note the 5.5.2 release contains an uninitialized memory read bug and
a compile error that prevent proper operation.
CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true
Plugin output :
Version source : Server: Apache/2.2.24 (Unix) PHP/5.5.0RC1 DAV/2 mod_python/3.3.1 Python/2.7.1
Installed version : 5.5.0RC1
Fixed version : 5.5.2
CVE : CVE-2011-4718, CVE-2013-4248
BID : 61776, 61929
Other references : OSVDB:96298, OSVDB:96316, IAVB:2013-B-0093
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
--
E. Todd Atkins
Office of Information Technology
University of California, Santa Barbara
**********************************************************************
The NOC's list of network contacts is used to determine who should
receive email such as this. Please direct any requests for changes
to this list of network contacts to noc at ucsb.edu.
**********************************************************************