[4eyes] FW: [COE #72378] [UCSB-OIT #818041] High Vulnerabilities Found On 128.111.28.121
Matthew Turk
mturk at cs.ucsb.edu
Tue Aug 16 11:40:04 PDT 2016
Whose machine is 128.111.28.121? Please see ECI's email below.
-----Original Message-----
From: Tier II Support Issues via CoE Support [mailto:help at engineering.ucsb.edu]
Sent: Tuesday, August 16, 2016 11:15 AM
To: holl at cs.ucsb.edu; mturk at cs.ucsb.edu
Subject: [COE #72378] [UCSB-OIT #818041] High Vulnerabilities Found On 128.111.28.121
The following reply has been made regarding CoE Support ticket #72378:
Dear All,
OIT is concerned about an ilab machine in the open IP address pool that is
running an unsecured web server. Looks like it is just a test webpage. If the
owner of the machine does not need a webpage, the easiest way to deal with this
ticket is to simply disable and/or uninstall the Apache server. Unfortunately I
cannot access the machine in question nor was the owner of said machine in the
lab when I stopped by.
Best Regards,
Marc Miller
Engineering Computing Infrastructure
3110 Harold Frank Hall, University of California
Santa Barbara, CA 93106-5120
Email: marcmiller at engineering.ucsb.edu
https://eci.ucsb.edu/eci/
On Tue Aug 16 09:54:50 2016, security at ucsb.edu wrote:
> Greetings:
>
> Our vulnerability scanner has found a potentially vulnerable host on
> your network. You should consider taking the recommended actions
> mentioned in this report in order to reduce the chances of this
> host being abused by an attacker. If you believe any part of this
> report to be incorrect, please let us know so that we can work to
> improve our reporting accuracy.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Here is information about potential vulnerabilities that were found:
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> IP: 128.111.28.121
> FQDN: ilab-121.cs.ucsb.edu
> Scanned From: on-campus address
> Scan Start: Sun Aug 14 02:30:47 2016 -0700 (PDT)
> Scan End: Sun Aug 14 02:36:16 2016 -0700 (PDT)
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Plugin Name: Apache HTTP Server Byte Range DoS (55976)
>
> Synopsis:
>
> The web server running on the remote host is affected by a denial of
> service vulnerability.
>
> Description:
>
> The version of Apache HTTP Server running on the remote host is
> affected by a denial of service vulnerability. Making a series of
> HTTP requests with overlapping ranges in the Range or Request-Range
> request headers can result in memory and CPU exhaustion. A remote,
> unauthenticated attacker could exploit this to make the system
> unresponsive.
>
> Exploit code is publicly available and attacks have reportedly been
> observed in the wild.
>
> See Also:
>
> http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
> http://www.gossamer-threads.com/lists/apache/dev/401638
> http://www.nessus.org/u?404627ec
> http://httpd.apache.org/security/CVE-2011-3192.txt
> http://www.nessus.org/u?1538124a
> http://www-01.ibm.com/support/docview.wss?uid=swg24030863
>
> Solution:
>
> Upgrade to Apache httpd 2.2.21 or later. Alternatively, apply one of
> the workarounds in Apache's advisories for CVE-2011-3192. Version
> 2.2.20 fixed the issue, but it also introduced a regression.
>
> If the host is running a web server based on Apache httpd, contact the
> vendor for a fix.
>
> Risk Factor: High
> CVSS Base Score: 7.8
> CVSS Temporal Score: 6.1
>
> References:
>
> edb-id: http://www.exploit-db.com/exploits/17696
> edb-id: http://www.exploit-db.com/exploits/18221
> cert: http://www.kb.cert.org/vuls/id/405811
> bid: http://www.securityfocus.com/bid/49303
> osvdb: http://osvdb.org/74721
> cve: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3192
>
> Plugin Information:
>
>
> Plugin Output:
>
> Port: 80 / tcp / www
> None
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>