Other Software

ID #363

A security company says my server is vulnerable, what can I do?

Applies to: Grid System

Network, server, and application security is gaining importance and visibility for several reasons, including the wider adoption of industry security standards and the continuing growth of electronic commerce. We are aware of this importance and take numerous measures to enhance the security of our infrastructure.

While remote security scans can identify real problems, our experience is that they also produce numerous false reports, which has led us to publish this policy on vulnerability scanning.

Our Scan-Related Support:

  • Managed Servers: If a security company tells you that there are vulnerabilities on your Modwest managed server, please forward the complete report and we will assist you however we can.
  • Self-managed VPS: Please consult the documentation for your selected Linux distribution (Debian, Fedora, CentOS, or Ubuntu), and Parallels support resources (Knowledge Base, Forums) for information on making any changes needed.
  • Grid System (and Resellers): If a security scan produces an alert associated with server software (such as PHP), and you have been a customer since before May 2009, you should consider requesting an upgrade to our new hosting environment. Updates are no longer available for the old environment.

    If you are already hosted in the new environment, please read below for information on interpreting scan results.

Notice to Security Vendors:

If you have produced a comprehensive report for a customer we share, and there are items that must be resolved for the customer to "pass" your scan, then please send a concise email to support@modwest.com (with our mutual customer CC'd) containing the following:
  • The company or organization name that has hired you to scan their site
  • The domain name of the website scanned
  • Your company and contact information
  • A concise list of the items that must be resolved for compliance, including the IP address of the host being scanned and the CVE ID of each individual issue identified.

Interpreting Scan Results:

Our experience is that security scans always produce "false positives"; that is, they report vulnerabilities which do not in fact exist. Some of the more common errors we've seen:

Web Application Installations: Some scans will conclude that a certain software package is installed on your website, such as Joomla, Kayako eSupport, or PHProxy. If the report is correct and you or your webmaster have installed the software mentioned, you should contact the vendor or follow the recommended upgrade procedures. On the other hand, if the software does not exist anywhere on your site, then you should notify the security company that their scan produced a false positive.

Specific Vulnerability Reports: Many scan reports will include a "CVE #" along with each claimed vulnerability. Common false positives we've seen include:

  • CVE-2004-2320: This vulnerability exists in the BEA Weblogic server. We do not use that software at Modwest, and so a report that this vulnerability exists at Modwest is a false positive. The TRACE/TRACK HTTP methods are not vulnerabilities per se.
  • CVE-2006-3747: This bug in Apache's mod_rewrite module is only exploitable if Apache's LDAP module is also enabled. The LDAP module is not available on the Modwest grid system, and so a report of this vulnerability is meaningless and may be considered a false positive.
  • CVE-2007-3847: This vulnerability allows remote origin servers to cause a denial of service via crafted date headers when mod_proxy is enabled. mod_proxy is not enabled on our grid system.
  • CVE-2006-3747: We do not provide LDAP functionality on the grid system, and hence this vulnerability is impossible to exploit.
  • CVE-2001-1013: We are unable to confirm that any such functionality/configuration exists on our grid system. If the security vendor can provide a reproducible test case we can take another look.
  • CVE-2006-3918: This vulnerability has been patched on the version of Apache we use.
  • CVE-2007-6388: The server-status handler is enabled, but it is only accessible from our INTERNAL management network.
  • CVE-2008-0005: We don't run mod_proxy_ftp.
  • CVE-2007-5000: We don't run the mod_imap module.
  • CVE-2005-3352: We don't run the mod_imap module.
  • CVE-2010-0397: Not vulnerable in our version of PHP.
  • CVE-2010-4018: The package php5 is vulnerable; however, the security impact is unimportant.
  • CVE-2009-3559: This is listed as a disputed CVE. NOTE: a reliable third party reports that this is not a vulnerability, because it results in a more restrictive security policy.
  • CVE-2009-4017: Not vulnerable in our version of PHP.
  • CVE-2009-2626: Not vulnerable in our version of PHP.
  • CVE-1999-0569: We've discovered that this CVE is currently under review, but we don't have any details beyond that.
  • CVE-2010-1860 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-1862 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-1864 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-2097 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-2100 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-2101 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-2190 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-2191 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-2484 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2010-2225 This was fixed in 5.2.6.dfsg.1-1+lenny9
  • CVE-2010-3065 This was fixed in 5.2.6.dfsg.1-1+lenny9
  • CVE-2010-2531 We've discovered that this CVE is currently under review and is in a 'candidate' status, but we don't have any details beyond that.
  • CVE-2008-2371 This has been fixed in 7.4-1+lenny2
  • CVE-2008-2665 We've discovered that this CVE is currently under review and is in a 'candidate' status, but security impact is unimportant.
  • CVE-2008-2666 We've discovered that this CVE is currently under review, and the security impact is unimportant.
  • CVE-2008-2829 This was fixed in 5.2.5-3+lenny2
  • CVE-2008-3658 This was fixed in 5.2.6.dfsg.1-1+lenny9
  • CVE-2008-3659 This was fixed in 5.2.6.dfsg.1-1+lenny9
  • CVE-2008-3660 This was fixed in 5.2.6.dfsg.1-1+lenny9 (and we don't use FastCGI)
  • CVE-2008-5557 This was fixed in 5.2.6.dfsg.1-1+lenny3
  • CVE-2008-5624 This was fixed in 5.2.6.dfsg.1-1+lenny3
  • CVE-2008-5625 We've discovered that this CVE is currently under review and is in a 'candidate' status, but security impact is unimportant.
  • CVE-2008-5658 This was fixed in 5.2.6.dfsg.1-1+lenny3
  • CVE-2009-3557 We've discovered that this CVE is currently under review and is in a 'candidate' status, but security impact is unimportant.
  • CVE-2009-3558 We've discovered that this CVE is currently under review and is in a 'candidate' status, but security impact is unimportant.
  • CVE-2009-4017 This was fixed in 5.2.6.dfsg.1-1+lenny4
  • CVE-2009-4142 This was fixed in 5.2.6.dfsg.1-1+lenny6
  • CVE-2009-4143 This was fixed in 5.2.6.dfsg.1-1+lenny6
  • CVE-2010-1128 This has not yet been fixed in Debian: See http://security-tracker.debian.org/tracker/CVE-2010-1128
  • CVE-2010-1129 We've discovered that this CVE is currently under review and is in a 'candidate' status, but security impact is unimportant.
  • CVE-2010-1130 We've discovered that this CVE is currently under review and is in a 'candidate' status, but security impact is unimportant.
  • CVE-2008-5498 This was fixed in 5.2.6.dfsg.1-1+lenny9
  • CVE-2009-2687 This was fixed in 5.2.6.dfsg.1-1+lenny4
  • CVE-2009-3291 This was fixed in 5.2.6.dfsg.1-1+lenny4
  • CVE-2009-3293 This was fixed in 5.2.6.dfsg.1-1+lenny9
  • CVE-2009-3294 This was fixed in 5.2.6.dfsg.1-1+lenny9
  • CVE-2009-3292 This was fixed in 5.2.6.dfsg.1-1+lenny4
  • CVE-2002-1700 This CVE is specifically for ColdFusion. Modwest does not run ColdFusion.
  • CVE-2003-1543 This CVE is specifically for Bajie Http Web Server. Modwest does not run Bajie Http Web Server.
  • CVE-2005-2453 This CVE is specifically for NetworkActiv Web Server. Modwest does not run NetworkActiv Web Server.
  • CVE-2006-1681 This CVE is specifically for Cherokee HTTPD. Modwest does not run Cherokee HTTPD.
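Many of the "This was fixed in ..." entries above name a Debian package version that carries a backported patch; a scanner that only reads the upstream "5.2.6" part of the version banner cannot tell a patched lenny build from an unpatched one, which is how these false positives arise. The Python helper below is an added example, not part of this FAQ or of Modwest's tooling: it compares the installed dpkg version against a fixed-version table using dpkg's own version-ordering rules and labels each reported CVE. The FIXED_IN table is constructed from three of the entries above, and the function names are assumptions for illustration.

```python
import re

# Constructed from a few of the "This was fixed in ..." entries above (Debian lenny php5).
# A scanner that only reads the upstream "5.2.6" banner cannot see these backported fixes.
FIXED_IN = {
    "CVE-2008-5557": "5.2.6.dfsg.1-1+lenny3",
    "CVE-2009-2687": "5.2.6.dfsg.1-1+lenny4",
    "CVE-2010-2225": "5.2.6.dfsg.1-1+lenny9",
}

def _order(c):
    """dpkg weight for a non-digit character: '~' < end of string (0) < letters < others."""
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    """Compare an upstream or revision string the way dpkg --compare-versions does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):  # non-digit run, character by character
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)  # digit run compared numerically, so lenny10 > lenny9
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older than, equal to or newer than b."""
    def split(v):  # [epoch:]upstream[-debian_revision]
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def triage(installed, reported):
    """Label each scanner-reported CVE against the dpkg version actually installed."""
    def label(cve):
        fixed = FIXED_IN.get(cve)
        if fixed is None:
            return "unknown: no fixed-version record, check the Debian security tracker"
        verdict = "false positive: fixed in " if compare_versions(installed, fixed) >= 0 else "open: upgrade to "
        return verdict + fixed
    return {cve: label(cve) for cve in reported}
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}' php5` and the fixed versions from the Debian security tracker; the "unknown" label is the cue to look a CVE up rather than dismiss it.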

If you have further questions about a security company's scan results after reviewing the above, please feel free to contact us.

Last update: 2010-10-14 14:40
Author: FAQ Admin
Revision: 1.8
