000025843 - Possible Apache vulnerabilities when scanned with McAfee Foundstone Enterprise

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000025843
Applies To: RSA Keon Registration Authority 6.5.1
RSA Keon Certificate Authority 6.5.1
Sun Solaris 2.8
McAfee Foundstone Enterprise
Issue: Possible Apache vulnerabilities when scanned with McAfee Foundstone Enterprise
The customer recently scanned all of their Operational Environment (OE) servers for vulnerabilities using McAfee Foundstone Enterprise. Vulnerabilities were identified on the KCA and KRA.
The KCA Apache web server shows a security vulnerability in the scan due to its patch level/version.
The customer's scanning tools report that the Apache web server is running a patch level/version that contains a security vulnerability.
Resolution

HTTP Smuggling:
===============
As per the reports, Apache is vulnerable only if it is configured as a proxy.

RCM/RRM are not compiled with mod_proxy. Hence, RCM and RRM are not susceptible to the HTTP smuggling attack.


Memory Segment Overwriting:
==========================
We referred to the CVE link and to our CC vulnerability assessment document for KCA 6.5. The relevant excerpt from its footnotes is given below:
-----------------------------------------------------------------------------
The file at <http://www.apache.org/dist/httpd/CHANGES_1.3> describes Apache's fix for this vulnerability (search for CAN-2002-0839). The ShmemUIDisUser directive was added because now, by default, "Apache will no longer set the uid/gid of SysV shared memory scoreboard to User/Group, and it will therefore stay the uid/gid of the parent Apache process."

ShmemUIDisUser was added to allow some installations to preserve the old (vulnerable) behavior. The documentation for ShmemUIDisUser (http://httpd.apache.org/docs/mod/core.html#shmemuidisuser) states that "This directive has no effect on non-System V based scoreboards, such as mmap." In the Apache source code, the file src/include/ap_config.h defines the system-dependent parameters for building Apache. Under the definition for SOLARIS2 is the line:

#define HAVE_MMAP 1

This means that Solaris uses mmap scoreboards, rather than SysV scoreboards.

Other platforms that use mmap scoreboards in Apache include Linux and Win32.
----------------------------------------------------------------------
Hence, RCM and RRM are not susceptible to this attack either.


Apache Redirects and Subrequests Denial-of-Service
==================================================
RCM 6.5.1 uses Apache version 1.3.26, and its Apache server is still vulnerable to this attack. The customer needs to upgrade to version 6.6 or above.
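The three findings above are resolved by looking at how the httpd binary was built rather than at the version banner the scanner matched on. The following is an added example, not part of the RSA article: it applies the same reasoning to the output of `httpd -l` (compiled-in modules) and `httpd -V` (build defines); the two sample outputs are constructed stand-ins, and the USE_MMAP_SCOREBOARD / USE_SHMGET_SCOREBOARD defines are assumed to be the ones the Apache 1.3 build prints.

```shell
#!/bin/sh
# Added example: check the actual httpd build instead of trusting a banner-based match.
# SAMPLE_MODULES and SAMPLE_BUILD are CONSTRUCTED stand-ins for `httpd -l` and `httpd -V`
# output on an Apache 1.3 host. On a real system use: MODULES=$(httpd -l); BUILD=$(httpd -V)
SAMPLE_MODULES='Compiled-in modules:
  http_core.c
  mod_log_config.c
  mod_mime.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_ssl.c'

SAMPLE_BUILD='Server version: Apache/1.3.26 (Unix)
Server built:   Jun 18 2002 12:00:00
Server compiled with....
 -D HAVE_MMAP
 -D HAVE_SHMGET
 -D USE_MMAP_SCOREBOARD
 -D USE_MMAP_FILES'

# yes/no: is the named module (e.g. mod_proxy.c) compiled in? Without mod_proxy the
# HTTP request smuggling finding does not apply, as the article states.
has_module() {                       # $1 = module file name, $2 = `httpd -l` output
    if printf '%s\n' "$2" | tr -d ' ' | grep -qxF -- "$1"; then echo yes; else echo no; fi
}

# mmap/sysv/unknown: which scoreboard the binary uses. CAN-2002-0839 concerns the SysV
# shared-memory scoreboard; the USE_*_SCOREBOARD define is the direct indicator (the
# article's excerpt cites HAVE_MMAP from ap_config.h, which selects mmap on Solaris).
scoreboard_type() {                  # $1 = `httpd -V` output
    if printf '%s\n' "$1" | grep -q 'USE_MMAP_SCOREBOARD'; then echo mmap
    elif printf '%s\n' "$1" | grep -q 'USE_SHMGET_SCOREBOARD'; then echo sysv
    else echo unknown; fi
}

# The version actually built, e.g. 1.3.26 (the one RCM 6.5.1 ships, which the article
# says remains exposed to the redirect/subrequest DoS regardless of build options).
apache_version() {                   # $1 = `httpd -V` output
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

echo "mod_proxy compiled in : $(has_module mod_proxy.c "$SAMPLE_MODULES")"
echo "scoreboard type       : $(scoreboard_type "$SAMPLE_BUILD")"
echo "apache version        : $(apache_version "$SAMPLE_BUILD")"
```

Run on the real host's output, a "no" for mod_proxy and an "mmap" scoreboard reproduce the article's first two conclusions, while the version line is what still drives the upgrade decision for the third finding.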


Other knowledge base articles covering related Apache vulnerability findings:

Apache vulnerability 'Apache HTTP Server mod_rewrite' from scan - "Mod alias/mod rewrite"

Scan of RSA Certificate Manager 6.7 shows vulnerabilities with Apache 1.3.33 - "SSLVerifyClient Bypass Restrictions", "mod_ssl ssl_engine_ext Format String Error", "Cross Scripting"

Has RSA Security addressed possible vulnerabilities detected on Keon Certificate Authority 6.5.1 by Nessus Security Scanner? - "Web Server Supports Outdated SSLv2 Protocol"
Notes: BZ 56233
Legacy Article ID: a35077
