CVEs - Vulnerable HTTP Report

Description

The Hypertext Transfer Protocol (HTTP)

The Hypertext Transfer Protocol (HTTP) is a stateless, application-layer protocol for fetching resources such as HyperText Markup Language (HTML) documents.  It is the foundation of data exchange on the World Wide Web.  HTTP is a client-server protocol: requests are initiated by the client, usually the web browser, and answered by the server.  Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).  The messages sent by the client are called requests and the messages sent by the server in answer are called responses.

HTTP is an application layer protocol that allows software to send and receive information and present data to users.  Connection management is handled at the transport layer and is outside the scope of HTTP itself; HTTP only requires a transport that is connection-based and reliable.  HTTP/1.x and HTTP/2 therefore rely on the Transmission Control Protocol (TCP) to establish a connection between the client and the server, over which the HTTP messages are sent and received.  HTTP/3 instead runs over QUIC, which provides the same guarantees on top of UDP.

The first widely deployed version, HTTP/1.0, was published in 1996, followed by HTTP/1.1 in 1997.  HTTP/2 and HTTP/3 are later revisions in which the data transfer mechanism was modified to make it more efficient while the protocol semantics (methods, status codes, headers) stayed the same.  HTTP/2 exchanges data in a binary framing format instead of text and allows servers to proactively push responses into client caches instead of waiting for a new HTTP request.  HTTP/3 builds on HTTP/2 by replacing TCP with QUIC (over UDP), which removes head-of-line blocking between streams and supports real-time streaming and other modern data transfer requirements more efficiently.

HTTP transmits data in plaintext, unencrypted, which means that information sent between the client browser and the server can be intercepted, read and modified by anyone on the network path.

HTTP/1.x and HTTP/2 listen on port 80/TCP by default.  (IANA also reserves port 80/UDP for HTTP, but no widely deployed HTTP version uses it; HTTP/3 runs over QUIC/UDP and is normally served on port 443/UDP alongside HTTPS.)

The Hypertext Transfer Protocol Secure (HTTPS)

The Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP).  It uses encryption for secure communication over a computer network, and is widely used on the Internet.  In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL).  The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

Transport Layer Security (TLS) is a security protocol used to encrypt information as it is sent over the Internet.  TLS is the successor to SSL, which has been deprecated (SSL 2.0 and SSL 3.0 are prohibited by RFC 6176 and RFC 7568 respectively).  TLS uses more robust cryptographic algorithms and provides better security than SSL, although the two terms are often used interchangeably.  Only TLS 1.2 and TLS 1.3 should be offered today, as TLS 1.0 and TLS 1.1 are themselves deprecated (RFC 8996).

To enable HTTPS on a website, it must have a valid TLS certificate.  The certificate binds the site's name to its public key and is signed by a Certificate Authority; the matching private key is kept on the server and never leaves it.  During the TLS handshake the client uses the public key to authenticate the server (and, with the older RSA key exchange, to encrypt the pre-master secret), after which both sides derive symmetric session keys that encrypt the actual traffic.  A certificate contains only the public key; if the private key is exposed, for example by being served from the web root alongside a leaked configuration file, an attacker can impersonate the site.

TLS certificates are issued by Certificate Authorities (CAs).  A CA is an organisation that verifies the identity of a website (at a minimum, control of the domain name) and then issues a certificate to that site.  When a client browser connects to a website, it checks that the certificate chains to a trusted CA, has not expired or been revoked, and matches the hostname being visited.  A valid certificate is indicated by a padlock in the address bar (older browsers showed it in green); an invalid one causes the browser to display a full-page warning, and plain HTTP pages are labelled "Not Secure".

HTTPS client authentication (mutual TLS) is a stronger method of authentication in which the server also authenticates the client using the client's Public Key Certificate (PKC).  A public key certificate can be likened to the digital equivalent of a passport: it is issued by a trusted organisation, the CA, and provides identification for the bearer.

HTTPS with its TLS technology provides data encryption, server authentication, message integrity and optional client authentication for a TCP/IP connection.

Companies that operate eCommerce websites use HTTPS to ensure that their customers' data, such as login IDs, home addresses, credit card details and other personal information, is encrypted in transit, protecting themselves and their customers from the threat of identity fraud.

In 2014, Google LLC, in recognition of the importance of security, publicly called for HTTPS to be used across the whole Internet and began using HTTPS as a ranking signal in its search algorithms.  Search Engine Optimisation (SEO) is the process of optimising a website's technical configuration, content relevance and link popularity so that its pages are more easily found, more relevant and more popular for user search queries and, as a consequence, rank better.

HTTPS listens on port 443/TCP by default; HTTP/3 (HTTP over QUIC) uses port 443/UDP.

Problem

On 29th September 2023, the Shadowserver Foundation updated its Vulnerable HTTP Report in respect of the jurisdiction.  The report references twenty-nine (29) publicly disclosed Common Vulnerabilities and Exposures (CVEs) affecting software products deployed by the specific hosts identified in the report, together with other weaknesses, such as Basic Authentication offered over plain HTTP and .git folders that are publicly accessible from the Internet.  The 'Tag' column of the report lists the terms that indicate the particular vulnerability associated with each host identified.

Identified in the report are:-

No. Description
1. Hosts that deploy a software product affected by a publicly disclosed Common Vulnerability and Exposure (CVE).
2. Hosts that have implemented Basic Authentication over plain HTTP.  Basic Authentication only Base64-encodes the username and password in the Authorization header; it does not encrypt them, so the credentials are transmitted in plaintext and can be intercepted and read by third parties.
3. Internet-accessible .git folders, used by software developers as a repository to store their source code together with its previous versions, along with configuration files that may contain sensitive system information such as database passwords and API keys.  Unauthorised access to such information may result in the host identified being compromised.
4. Hosts that deploy an AMI MegaRAC SP-X Baseboard Management Controller (BMC), used to control and manage servers remotely.  AMI has publicly disclosed two (2) CVEs, CVE-2023-34329 and CVE-2023-34330, which, when chained together, allow unauthorised access with superuser permissions and Remote Code Execution (RCE).
5. Hosts that deploy the MOVEit Transfer service, which may possibly be compromised.  On 31st May 2023, Progress Software publicly disclosed CVE-2023-34362, a SQL Injection vulnerability that could allow unauthorised access to the database engine used.  An additional five (5) CVEs have subsequently been publicly disclosed in relation to MOVEit Transfer.
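Added example (not part of the Shadowserver report or of this page's original text): the two checks behind the report's basic-auth and git-config-file tags (items 2 and 3 above), run over constructed HTTP messages so that it works offline.  The first function spots a server that offers Basic Authentication over plain HTTP from its 401 challenge, the second shows what an on-path observer recovers from a client's Authorization header, and the third recognises a real Git config file served from /.git/config and pulls out any remote URLs, which often embed deploy credentials.  The host name example.test, the credentials and the config contents are constructed sample data, and the scan logic is an assumption about what such a scanner would do, not Shadowserver's own code.

```python
"""Checks for Basic Authentication over plain HTTP and an exposed .git/config.

Added example; the sample messages below are constructed, not captured.
"""
import base64
import binascii
import re

# --- constructed sample messages ------------------------------------------
# A server challenging for Basic credentials on a plain-HTTP admin page.
SAMPLE_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b'WWW-Authenticate: Basic realm="Admin"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
# The browser's reply; the header is only Base64-encoded, not encrypted.
SAMPLE_REQUEST = (
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:Winter2023!") + b"\r\n\r\n"
)
# A response to GET /.git/config from a repository checked out into the web root.
SAMPLE_GIT_CONFIG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
    b'[remote "origin"]\n\turl = https://deploy:s3cret@git.example.test/app.git\n'
)
# A catch-all page that answers 200 to every path (a common false positive).
SAMPLE_SOFT_404 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Not found</html>"


def parse_http_message(raw: bytes):
    """Split an HTTP/1.x message into (start line, {lower-cased header: value}, body).

    Repeated headers keep the last value, which is good enough for these checks.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def offers_plain_basic_auth(raw_response: bytes, over_tls: bool = False) -> bool:
    """True if a plain-HTTP server answers 401 with a Basic challenge.

    This is the server-side signal a scanner sees without sending any
    credentials; the same challenge over TLS is not a finding.
    """
    if over_tls:
        return False
    status, headers, _ = parse_http_message(raw_response)
    parts = status.split()
    challenge = headers.get("www-authenticate", "")
    return len(parts) >= 2 and parts[1] == "401" and challenge.lower().startswith("basic")


def credentials_from_request(raw_request: bytes):
    """Return (user, password) from a Basic Authorization header, or None.

    This is exactly what anyone on the network path recovers when the
    request travels over HTTP instead of HTTPS.
    """
    _, headers, _ = parse_http_message(raw_request)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")  # RFC 7617: user-id ":" password
    return user, password


def exposed_git_config(raw_response: bytes):
    """If the response to GET /.git/config is a real Git config, return its
    remote URLs (which may embed credentials); otherwise return None.

    Requiring the [core] section and the repositoryformatversion key filters
    out catch-all pages that return 200 for any path.
    """
    status, _, body = parse_http_message(raw_response)
    parts = status.split()
    if len(parts) < 2 or parts[1] != "200":
        return None
    if not re.search(rb"^\[core\]\s*$", body, re.M) or b"repositoryformatversion" not in body:
        return None
    return [u.decode("utf-8", "replace") for u in re.findall(rb"^\s*url\s*=\s*(\S+)", body, re.M)]


if __name__ == "__main__":
    print("basic-auth over plain HTTP:", offers_plain_basic_auth(SAMPLE_401))
    print("credentials an eavesdropper sees:", credentials_from_request(SAMPLE_REQUEST))
    print("git-config-file remotes:", exposed_git_config(SAMPLE_GIT_CONFIG))
    print("soft-404 page flagged?:", exposed_git_config(SAMPLE_SOFT_404))
```

The git check deliberately looks at the body rather than the status code alone: many sites answer 200 with an HTML "not found" page for any path, so a scanner that trusts the status code will over-report, while a real config file always starts with a [core] section.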

Common Vulnerabilities & Exposures (CVEs)


Systems used for reporting and assessing the severity of security vulnerabilities.

No. System Description
1. Common Vulnerabilities and Exposures (CVE). The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2. The Common Vulnerability Scoring System (CVSS). CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.  It provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVSSv3.0 Metrics.

No. Base Score Range Severity
1. 0.0 None
2. 0.1 - 3.9 Low
3. 4.0 - 6.9 Medium
4. 7.0 - 8.9 High
5. 9.0 - 10.0 Critical

List of CVEs - Vulnerable HTTP Report - Date: 29th Sep 2023.

No. CVE Report Description CVSSv3 Advisory
1. CVE-2019-5544
Remote Code Execution (RCE) vulnerability in the VMware ESXi OpenSLP (Service Location Protocol) service due to a heap-based buffer overflow. 9.8 VMware Security Advisory
2. CVE-2020-3992
Remote Code Execution (RCE) vulnerability in the OpenSLP Service of VMware ESXi & Horizon DaaS Appliances. 9.8 VMware Security Advisory
3. CVE-2021-21972
Remote Code Execution (RCE) vulnerability in the VMware vCenter Server vSphere Client (HTML5). 9.8 VMware Security Advisory
4. CVE-2021-21974
Remote Code Execution (RCE) vulnerability in the OpenSLP in VMware ESXi due to a heap overflow issue. 8.8 VMware Security Advisory
5. CVE-2021-35587
Vulnerability in the Oracle Fusion Middleware Access Manager allows an unauthenticated threat actor with network access via HTTP to compromise the Access Manager. 9.8 Oracle Security Alerts & Bulletin
6. CVE-2022-24816
Remote Code Execution (RCE) in GeoSolutions JAI-EXT due to improper Control of Generation of Code (Code Injection). 9.8 GeoSolutions Developer's Corner
7. CVE-2022-37042
Authentication Bypass vulnerability in MailboxImportServlet of the Zimbra Collaboration Suite (ZCS). 9.8 Zimbra Security Center
8. CVE-2022-40259
Arbitrary Code Execution vulnerability in the AMI MegaRAC Redfish Baseboard Management Controller (BMC). 9.8 AMI Security Advisory
9. CVE-2022-27510
Authentication Bypass vulnerability in Citrix NetScaler ADC & Gateway. 9.8 Citrix Security Bulletin
10. CVE-2022-42475
Remote Code Execution (RCE) vulnerability in Fortinet FortiOS SSL-VPN due to heap-based buffer overflow. 9.8 PSIRT Advisories
11. CVE-2023-20892
Remote Code Execution (RCE) vulnerability in VMware vCenter Server due to the usage of uninitialised memory in the implementation of the DCERPC protocol. 9.8 VMware Security Advisory
12. CVE-2023-23752
Authentication Bypass vulnerability that allows unauthenticated users to access sensitive information in Joomla! content management system (CMS). 5.3 Joomla! Security Announcements
13. CVE-2023-25157
SQL Injection vulnerability in the open source GeoServer platform & GeoTools Library. 9.8 GeoServer Vulnerability Statement
14. CVE-2023-25690
HTTP Request Smuggling vulnerability in mod_proxy configurations on Apache HTTP Server leading to unauthorised access. 9.8 Apache Vulnerabilities
15. CVE-2023-27898
Cross-site scripting (XSS) vulnerability in Jenkins open source automation server used for software development and testing. 9.8 Jenkins Security Advisory
16. CVE-2023-27997
Remote Code Execution (RCE) vulnerability in Fortinet FortiOS SSL-VPN due to a buffer overflow. 9.8 PSIRT Advisories
17. CVE-2023-34329
Authentication Bypass via HTTP Header Spoofing vulnerability in AMI MegaRAC SPx12 BMC. 8.4 AMI Security Advisory
18. CVE-2023-34330
Remote Code Injection vulnerability in AMI MegaRAC SPx12 Baseboard Management Controller (BMC) Dynamic Redfish Extension Interface. 8.2 AMI Security Advisory
19. CVE-2023-34362
SQL Injection vulnerability in Progress MOVEit Transfer & MOVEit Cloud which allows access without authentication to MOVEit Transfer's database. 9.8 Progress Vulnerability
20. CVE-2023-33308
Remote Code Execution (RCE) vulnerability in Fortinet FortiOS & FortiProxy due to a stack-based overflow. 9.8 PSIRT Advisories
21. CVE-2023-3466
Reflected Cross-Site Scripting (XSS) vulnerability in Citrix NetScaler ADC & NetScaler Gateway. 6.1 Citrix Security Bulletin
22. CVE-2023-3467
Privilege Escalation to root administrator (nsroot) vulnerability in Citrix NetScaler ADC & NetScaler Gateway. 8.0 Citrix Security Bulletin
23. CVE-2023-3519
Remote Code Execution (RCE) vulnerability in Citrix NetScaler ADC & NetScaler Gateway. 9.8 Citrix Security Bulletin
24. CVE-2023-35078
Authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allowing unauthorised access to users' Personally Identifiable Information (PII). 9.8 Ivanti API Access Vulnerability
25. CVE-2023-35082
Unauthorised access vulnerability, to restricted functionality or resources, in Ivanti Endpoint Manager Mobile (EPMM). 9.8 Ivanti API Access Vulnerability
26. CVE-2023-38646
Remote Code Execution (RCE) vulnerability, in open source Metabase, which is used for data instrumentation, visualization and querying. 9.8 Metabase Security Advisory
27. CVE-2023-39143
Remote Code Execution (RCE) vulnerability, in print management software PaperCut NG & PaperCut MF, when external device integration is enabled. 9.8 PaperCut Security Bulletin
28. CVE-2023-42793
Remote Code Execution (RCE) vulnerability, in JetBrains TeamCity build management & continuous integration server. 9.8 JetBrains Blog
29. CVE-2023-4966
Sensitive information disclosure vulnerability in appliance configured as a Citrix NetScaler Gateway. 9.4 Citrix Security Bulletin

Note: Constituents who click the CVE link in the table above will be directed to the www.mitre.org webpage, which contains the relevant information on that CVE.  Constituents then have the option to follow the www.cve.org link, where additional information on the CVE in question can be accessed by entering the CVE number in the Find field.

Solution


Shadowserver Foundation - Vulnerable HTTP Report - Tag Index.

Note: The 'Tag' column of the Shadowserver Foundation report lists the terms that indicate the type of vulnerability associated with each host identified.

No. System Description
1. CVEs. Common Vulnerability & Exposure affecting the software product deployed by the host identified.
2. basic-auth. Hosts that have implemented Basic Authentication in plain HTTP.
3. git-config-file. Internet accessible .git folders & content, due to insufficient protection or incorrect configuration.
4. megarac. AMI MegaRAC Baseboard Management Controller (BMC), used to control and manage servers remotely, affected by two (2) CVEs, CVE-2023-34329 and CVE-2023-34330, which, when chained together, allow unauthorised access with superuser permissions and Remote Code Execution (RCE).
5. potential-megarac. Potential AMI MegaRAC BMC vulnerability - (CVE-2023-34329) & (CVE-2023-34330).
6. moveit. MOVEit Transfer software product possibly compromised via CVE-2023-34362, a SQL Injection vulnerability that allows unauthorised access to the database engine used.

Recommendations.

No. Tag Recommendations
1. CVEs. Ensure that the latest software patches and updates released by the vendors of the affected software products are applied as soon as possible.  Particular attention should be paid to CVEs with a severity classification of 'Critical' or 'High' as indicated by their CVSSv3 metrics.
2. basic-auth. Hosts that have implemented Basic Authentication over plain HTTP are requested to switch to HTTPS, which provides data encryption, server authentication, message integrity and optional client authentication for their TCP/IP connections.  The plain-HTTP port should then either be closed or only redirect to HTTPS without itself issuing a Basic challenge, so that a client cannot be induced to send credentials in the clear.
3. git-config-file. Ensure that .git folders are not publicly accessible from the Internet, by implementing access restrictions or rules appropriate to the technology used, e.g. in the case of Apache HTTP Server, a rule in the main server configuration or in .htaccess files (noting that .htaccess rules only take effect where AllowOverride permits them).  Better still, deploy only the built artefacts and keep the repository outside the web root altogether.
4. megarac. Ensure that AMI MegaRAC SP-X Baseboard Management Controller (BMC) Redfish remote server management interface is not internet accessible.  AMI MegaRAC Customers are advised to upgrade their BMC software to the latest firmware version available and to maintain strict access control to their BMC devices.
5. potential-megarac. Ensure that AMI MegaRAC SP-X Baseboard Management Controller (BMC) Redfish remote server management interface is not internet accessible.  AMI MegaRAC Customers are advised to upgrade their BMC software to the latest firmware version available and to maintain strict access control to their BMC devices.
6. moveit. Ensure that the latest software patches and updates released by Progress Software in response to the public disclosure of CVE-2023-34362 are applied as soon as possible.  See the advisory released by the Progress Community in response to CVE-2023-34362 and the five (5) additional CVEs subsequently disclosed (CVE-2023-35036, CVE-2023-35708, CVE-2023-36932, CVE-2023-36933, CVE-2023-36934), and apply the latest patches and updates where necessary.  Because this tag indicates a possibly compromised host, patching alone is not sufficient: the host should also be reviewed for indicators of compromise before it is considered clean.

Additional Information

Shadowserver Foundation - Vulnerable HTTP Report.
An overview of HTTP.
GeeksforGeeks - Difference between http:// and https://.
GlobalSign - What's the difference between http and https?.
AWS - What's the difference between http and https?.
Baeldung - Networking: Stateless and Stateful Protocols.
NCSC-UK - Using TLS to protect data.
Internet Society - Transport Layer Security (TLS) - TLS Basics.
High Performance Browser Networking - Transport Layer Security (TLS).
NCSC-CH - Unprotected .git folders on the internet pose a security risk.
Apache HTTP Server Tutorial: .htaccess files.
Eclypsium - BMC&C: Lights Out Forever.
CSG-SG - Critical Vulnerabilities in AMI MegaRAC Baseboard Management Controller (BMC) Firmware.
Progress Community - MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362).