Vulnerabilities Report
Release 7.5
FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United
States and other countries. All other trademarks are the property of their respective
owners.
FireEye assumes no responsibility for any inaccuracies in this document. FireEye reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2015 FireEye, Inc. All rights reserved.
Version 4
FireEye Contact Information:
Website: www.fireeye.com
Support Email: support@fireeye.com
Phone:
United States: 877.FIREEYE (877.347.3393)
United Kingdom: 44.203.106.4828
Other: 408.321.6300
CONTENTS
Introduction
Scan Parameters
Vulnerability Summary
Vulnerability Summary from Previous Releases
Vulnerability Details
High-Level Vulnerabilities
Medium-Level Vulnerabilities
References
Introduction
This document provides an explanation of the findings in the vulnerability scan reports generated
via the QualysGuard Security Scanner product version 7.11.20-1. This document also includes
findings that were collected via manual analysis and field reports.
In the scan reports generated by QualysGuard, SNMP versions 1 and 2 are supported
for backward compatibility. However, SNMP version 3 needs to be used for authentication.
CVE-2014-9295 has already been patched.
CVE-2015-0235 has already been patched.
These vulnerabilities have been addressed in version 7.5.1. To patch these
vulnerabilities for release 7.4.x and earlier, download hotfix images from FireEye
Technical Support. The hotfix ensures that the current installed binary is patched and
not vulnerable to an attack, as described in the CVEs. For backward compatibility, the
version number is not changed. Common vulnerability assessment tools and scanners,
which validate binary version numbers, might report that FireEye is still vulnerable to
these CVEs after the hotfix images are applied.
Scan Parameters
Scanner                  QualysGuard Security Scanner
Scanner Version          7.11.20-1
Audit Revision           2478
Audit Group(s)           All Audits
<more test parameters>   Ports: Common, HTTP, NetBIOS
                         Options: All
                         Credentials: admin
FireEye Product Version  7.5.0
Appliance Types          FireEye NX Series
                         FireEye EX Series
                         FireEye FX Series
                         FireEye AX Series
                         FireEye CM Series
Vulnerability Summary
Vulnerability                                       Severity  Related CVE-IDs  Validity
Apache HTTPD Server Version Out Of Date             High      CVE-1999-0662    Not Valid
Apache HTTP Server Multiple Vulnerabilities         High      CVE-2013-1862    Not Valid
(20130722) - Remote                                           CVE-2013-1896    Not Valid
                                                              CVE-2013-2249    Valid but FireEye invulnerable
HTTP TRACE/TRACK Method Supported                   Medium    CVE-2003-1567    Not Valid
                                                              CVE-2004-2320    Not Valid
                                                              CVE-2007-3008    Not Valid
                                                              CVE-2010-0386    Not Valid
Apache Reverse Proxy Crafted URI Request            Medium    CVE-2011-3368    Not Valid
Information Disclosure - Banner                               CVE-2011-4317    Not Valid
Apache Multiple Vulnerabilities (20120131)          Medium    CVE-2012-0053    Not Valid
- Banner - TCP:80                                             CVE-2012-0031    Not Valid
                                                              CVE-2012-0021    Valid but FireEye invulnerable
Apache Mod_SetEnvIf .htaccess Privilege Escalation  Medium    CVE-2011-3607    Not Valid
Vulnerability Summary from Previous Releases
Vulnerability                                           Severity  Related CVE-IDs  Validity
OpenSSH - Separation verification weakness              High      CVE-2006-5794    Not Valid
OpenSSH - x11 cookie privilege escalation               High      CVE-2007-4752    Not Valid
OpenSSH - Remote DOS                                    Medium    CVE-2006-4925    Valid but FireEye invulnerable
OpenSSH - Mac OS X DOS                                  Medium    CVE-2007-0726    Not Valid
OpenSSH - System Account Enumeration if S/KEY is used   Medium    CVE-2007-2243    Valid but FireEye invulnerable
Vulnerability Details
Vulnerabilities fall into two classifications:
• High-level vulnerabilities
• Medium-level vulnerabilities
High-Level Vulnerabilities
The following vulnerabilities are considered high level:
• Apache HTTPD Server Version Out Of Date
• Apache HTTP Server Multiple Vulnerabilities (20130722) - Remote
Apache HTTPD Server Version Out Of Date Vulnerability - High
Audit ID                       3872
Risk Level                     High
Overall PCI Security Level     High
Overall PCI Compliance Status  Fail
Highest CVSS Score             10 [AV:N/AC:L/Au:N/C:C/I:C/A:C]
Category                       Web Servers
Description                    The Apache HTTPD Server version detected on this system has been found to be out of date. Versions that have not been updated after an excessive time period could be susceptible to vulnerabilities that would otherwise be resolved by upgrading to a newer version.
                               Audit 3872 and Audit 15585 are designed for Apache versions from Apache.org and may report false findings on vendor-specific Apache backports.
How To Fix                     Upgrade to the latest Apache HTTPD Server version available.
Related Links                  Apache Archives
Related CVE Breakdown          CVE-ID         CVSS Score  PCI Severity             PCI Status
                               CVE-1999-0662  10          High (CVSS Score)        Fail
Exploits                       CVE-ID         Exploit Database  Core Impact  Metasploit
                               CVE-1999-0662  No                No           No
Validity                       Not valid
FireEye Response               FireEye patched our version to the latest available security.
Apache HTTP Server Multiple Vulnerabilities (20130722) - High
Audit ID                       19748
Risk Level                     Medium
Overall PCI Severity Level     High
Overall PCI Compliance Status  Fail
Highest CVSS Score             7.5 [AV:N/AC:L/Au:N/C:P/I:P/A:P]
Category                       Web Servers
Description                    Apache HTTP Server contains multiple vulnerabilities when handling a crafted URI in 'mod_dav_svn' function and the 'dirty flag' when saving sessions. Successful exploitation may allow a remote attacker to create denial-of-service conditions or potentially lead to a compromise of the target system.
How To Fix                     Update the Apache HTTP Server to version 2.4.6, 2.2.25 or later.
Related CVE Breakdown          CVE-ID         CVSS Score  PCI Severity             PCI Status
                               CVE-2013-1862  5.1         Medium (CVSS Score)      Fail
                               CVE-2013-1896  4.3         Low (Denial of Service)  Pass
                               CVE-2013-2249  7.5         High (CVSS Score)        Fail
Exploits                       CVE-ID         Exploit Database  Core Impact  Metasploit
                               CVE-2013-1862  No                No           No
                               CVE-2013-1896  No                No           No
                               CVE-2013-2249  No                No           No
Validity                       CVE-2013-1862 is not valid.
                               CVE-2013-1896 is not valid.
                               CVE-2013-2249 is valid.
FireEye Response               CVE-2013-1862 has already been patched.
                               CVE-2013-1896 has already been patched.
                               For CVE-2013-2249, FireEye is not vulnerable because we do not use the mod_session_dbd module.
Medium-Level Vulnerabilities
The following vulnerabilities are considered medium level:
• HTTP TRACE/TRACK Method Supported
• Apache Reverse Proxy Crafted URI Request Information Disclosure - Banner
• Apache Multiple Vulnerabilities (20120131) - Banner - TCP:80
• Apache Mod_SetEnvIf .htaccess Privilege Escalation
HTTP TRACE/TRACK Method Supported Vulnerability - Medium
Audit ID                       1329
Risk Level                     Information
Overall PCI Severity Level     Medium
Overall PCI Compliance Status  Fail
Highest CVSS Score             5.8 [AV:N/AC:M/Au:N/C:P/I:P/A:N]
Category                       Web Servers
Description                    Retina has discovered that the target host supports the HTTP TRACE method (or the IIS equivalent HTTP TRACK method). This method is known to allow attackers to gain access to sensitive information such as cookies and authentication data.
How To Fix                     It is recommended that the TRACE method be disabled to prevent unauthorized disclosure of information.
Related CVE Breakdown          CVE-ID         CVSS Score  PCI Severity             PCI Status
                               CVE-2003-1567  5.8         Medium (CVSS Score)      Fail
                               CVE-2004-2320  5.8         Medium (CVSS Score)      Fail
                               CVE-2007-3008  4.3         Medium (CVSS Score)      Fail
                               CVE-2010-0386  4.3         Medium (CVSS Score)      Fail
Exploits                       CVE-ID         Exploit Database  Core Impact  Metasploit
                               CVE-2003-1567  No                No           No
                               CVE-2004-2320  No                No           No
                               CVE-2007-3008  No                No           No
                               CVE-2010-0386  No                No           No
Validity                       Not valid
FireEye Response               FireEye does not support Microsoft Internet Information Services (IIS), BEA WebLogic Server and Express, Mbedthis AppWeb, or Sun Java System Application Server.
Apache Reverse Proxy Crafted URI Request Information Disclosure - Medium
Audit ID                       15366
Risk Level                     Medium
Overall PCI Severity Level     Medium
Overall PCI Compliance Status  Fail
Category                       Web Servers
Description                    Apache contains a vulnerability handling crafted URI requests when using mod_proxy in reverse proxy mode with certain configurations. Successful exploitation could allow an attacker to connect to an arbitrary server, leveraging existing trust relationships to access sensitive information from internal web servers not directly accessible to the attacker.
How To Fix                     Upgrade Apache to version 2.2.22, 2.0.65, or newer.
Related Link                   Apache HTTP Server - Release Announcement
                               Apache Release Announcement - 2.2.22-dev
                               Red Hat Security Advisory - RHSA-2011-1391
                               Red Hat Security Advisory - RHSA-2011-1392
                               Red Hat Security Advisory - RHSA-2012-0128
Related CVE Breakdown          CVE-ID         CVSS Score  PCI Severity             PCI Status
                               CVE-2011-3368  5           Medium (CVSS Score)      Fail
                               CVE-2011-4317  4.3         Medium (CVSS Score)      Fail
BugtraqID                      49957
                               50802
Exploits                       CVE-ID         Exploit Database  Core Impact  Metasploit
                               CVE-2011-3368  Yes               No           No
                               CVE-2011-4317  No                No           No
Validity                       Not valid
FireEye Response               Already patched
Apache Multiple Vulnerabilities (20120131) - Banner - Medium
Audit ID                       15889
Risk Level                     Medium
Overall PCI Severity Level     Medium
Overall PCI Compliance Status  Fail
Highest CVSS Score             4.6 [AV:L/AC:L/Au:N/C:P/I:P/A:P]
Category                       Web Servers
Description                    Apache 2.2 contains multiple vulnerabilities when constructing 400 error documents, when handling format strings in cookies, and when handling unspecified fields in scoreboard shared memory. Successful exploitation may result in disclosure of 'httpOnly' cookies and denial of service conditions.
How To Fix                     Upgrade Apache to version 2.2.22 or newer.
Related Links                  Apache HTTP Server - Release Announcement
                               Apache httpd 2.2 Vulnerabilities
Related CVE Breakdown          CVE-ID         CVSS Score  PCI Severity             PCI Status
                               CVE-2012-0021  2.6         Low (Denial of Service)  Pass
                               CVE-2012-0031  4.6         Medium (CVSS Score)      Fail
                               CVE-2012-0053  4.3         Medium (CVSS Score)      Fail
BugtraqID                      51407
                               51705
                               51706
Exploits                       CVE-ID         Exploit Database  Core Impact  Metasploit
                               CVE-2012-0021  No                No           No
                               CVE-2012-0031  No                No           No
                               CVE-2012-0053  Yes               No           No
Validity                       CVE-2012-0021 is valid.
                               CVE-2012-0031 is not valid.
                               CVE-2012-0053 is not valid.
FireEye Response               For CVE-2012-0021, FireEye is not vulnerable because the issue does not affect this version.
                               CVE-2012-0031 has already been patched.
                               CVE-2012-0053 has already been patched.
Apache Mod_SetEnvIf .htaccess Privilege Escalation Vulnerability - Medium
Audit ID                       15584
Risk Level                     Medium
Overall PCI Severity Level     Medium
Overall PCI Compliance Status  Fail
Highest CVSS Score             4.4 [AV:L/AC:M/Au:N/C:P/I:P/A:P]
Category                       Web Servers
Description                    Apache contains an integer overflow vulnerability in the ap_pregsub function in server/util.c when handling a crafted SetEnvIf directive in conjunction with a crafted HTTP request header and mod_setenvif is enabled. Successful exploitation could allow a local attacker to execute arbitrary code with elevated privileges.
How To Fix                     Upgrade Apache to version 2.2.22 or newer.
Related Links                  Apache HTTP Server - Release Announcement
                               IBM ISS Xforce Advisory - 71093
Related CVE Breakdown          CVE-ID         CVSS Score  PCI Severity             PCI Status
                               CVE-2011-3607  4.4         Medium (CVSS Score)      Fail
BugtraqID                      50494
Exploits                       CVE-ID         Exploit Database  Core Impact  Metasploit
                               CVE-2011-3607  No                No           No
Validity                       Not valid
FireEye Response               Already patched
References
• QualysGuard Vulnerability Scan report for FireEye NX Series
• QualysGuard Vulnerability Scan report for FireEye EX Series
• QualysGuard Vulnerability Scan report for FireEye AX Series
• QualysGuard Vulnerability Scan report for FireEye FX Series
• QualysGuard Vulnerability Scan report for FireEye CM Series