000021844 - KCA Apache web server showing security vulnerability in scan due to patch level/version

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021844
Applies To: Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Server SP4
Apache compiled with ModSSL and OpenSSL
Nessus vulnerability scan
Issue: KCA Apache web server showing security vulnerability in scan due to patch level/version
Customer's scanning tools report that the Apache web server is running a patch level/version that contains a security vulnerability.
The remote web server appears to be running a version of Apache that is older than version 1.3.33. This version is vulnerable to a local buffer overflow in the get_tag()
function of the module 'mod_include' when a specially crafted document with malformed server-side includes is requested through an HTTP session. Successful exploitation can lead to execution of arbitrary code with escalated privileges, but requires that server-side includes (SSI) is enabled.

Solution: Disable SSI or upgrade to a newer version when available.
Risk factor: Medium
CVE : CAN-2004-0940
BID : 11471
Nessus ID : 15554
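As an added example, not from the RSA article or the KCA product, here is a small Python checker for the "Disable SSI" mitigation named in the finding above. It takes the text of an Apache 1.3-style httpd.conf and reports whether the Options Includes feature and an SSI handler (AddHandler server-parsed, AddType text/x-server-parsed-html, or XBitHack) are both present; the sample config is constructed, and the check is file-wide rather than per-Directory.

```python
# Constructed sample config; every path and name here is made up.
SAMPLE_CONF = """\
ServerName kca.example.test
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks +Includes
    AllowOverride None
</Directory>
# AddHandler server-parsed .shtml
AddType text/x-server-parsed-html .shtml
"""

# Handler / MIME type values that route a document to mod_include (Apache 1.3).
_SSI_HANDLERS = {"server-parsed", "text/x-server-parsed-html"}


def ssi_status(conf_text):
    """Report whether SSI appears enabled anywhere in an httpd.conf text.

    mod_include only parses a response when Options Includes (or
    IncludesNOEXEC / All) is on AND a handler, MIME type or XBitHack routes
    the document to it. This is a conservative file-wide check: it ignores
    <Directory> scoping and reports 'enabled' if any scope enables SSI.
    """
    options_on = False
    routed = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank and comment lines
            continue
        parts = line.split()
        directive = parts[0].lower()
        args = [p.lower() for p in parts[1:]]
        if directive == "options":
            for opt in args:
                name = opt.lstrip("+-")
                if name == "none":
                    options_on = False  # "Options None" clears everything
                elif name in ("includes", "includesnoexec", "all"):
                    options_on = not opt.startswith("-")
        elif directive in ("addhandler", "addtype") and _SSI_HANDLERS & set(args):
            routed = True
        elif directive == "xbithack" and args and args[0] in ("on", "full"):
            routed = True
    return {"options_includes": options_on, "routed": routed,
            "enabled": options_on and routed}


if __name__ == "__main__":
    print(ssi_status(SAMPLE_CONF))  # the constructed sample has SSI enabled
```

If the result shows "enabled" as False for every scope, the mod_include finding does not apply even when the banner version is old; if it is True, removing the Options Includes flag or the handler line is the mitigation the scanner recommends.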

The remote host is using a vulnerable version of mod_ssl that is older than 2.8.19. There is a format string condition in the log functions of the remote module which may allow an attacker to execute arbitrary code on the remote host.

*** Some vendors patched older versions of mod_ssl, so this might be a false positive. Check with your vendor to determine if you have a version of mod_ssl that is patched for this vulnerability. ***

Solution : Upgrade to version 2.8.19 or newer
Risk factor : High
CVE : CAN-2004-0700
BID : 10736
Nessus ID : 13651
Resolution: The Apache server used in KCA has been modified by RSA to address all known security vulnerabilities. Below is the information received from RSA Security Engineering after they analyzed the above scan report:


- All of these "vulnerabilities" either reside in features that are disabled in KCA (htpasswd, mod_proxy), or have been addressed in KCA patches.

- RSA Security constantly monitors the Apache and vulnerability-tracking communities, and evaluates the impact on KCA of each issue when it arises. Careful analysis is undertaken to determine if KCA is truly vulnerable and, if so, to devise the most effective, fastest, and least disruptive solution to minimize any impact on our customers.

- Quite often, patching a vulnerability in KCA does not entail the installation of a new version of some embedded system (e.g. Apache or mod_ssl), as such "upgrades" generally include many unrelated tweaks and enhancements which can have unforeseen consequences on the KCA product. Rather than drop in a new subsystem and hope for the best, RSA identifies and addresses the specific cause of a vulnerability. By focusing on the root cause, KCA security updates can be released quickly with the lowest risk of introducing other bugs.

- The implication of this approach, however, is that naive scanning tools such as Nessus will raise false-positive alerts in KCA scans, because KCA reports the (technically correct) older version signatures of embedded components.

For more information, see http://vdc-bugzilla.na.rsa.net/show_bug.cgi?id=8958+
Legacy Article ID: a25303