OpenVAS not detecting Apache2.x Server ETag Header


#1

OpenVAS cannot detect the Apache 2.x Server ETag Header.
Is it because inode is 64 bit?
I want to be able to detect it.

OID: 1.3.6.1.4.1.25623.1.0.103122
Apache Server ETag Header Information Disclosure


#2

The mentioned VT is only reporting if the web server is returning an ETag in the form of:

ETag: inode-size-mtime

in its header which discloses the inode of a requested file. You could verify this against your server with a call similar to:

curl --silent -I https://example.com 2>&1 | grep -i etag

to see if it actually returns such an inode or not.

As the related vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2003-1418

is quite old and has already been fixed for a long time (either directly in the OpenBSD source code or in default Apache configurations: https://httpd.apache.org/docs/current/mod/core.html#fileetag), you probably won’t see any reports of this VT these days.


#3

Thank you for your reply.

I have confirmed that there is an ETag in the response header of the target server.
The format is also as follows, but it is not detected.

ETag: inode-size-mtime

I checked the NASL.
OpenVAS seems to confirm the ETag by converting it from hexadecimal to decimal.
ETag inodes may be 64 bits.

ETag: xxxxxxxxxxxxx-size-mtime

In this case, I think the inode is what you get by converting the last five digits to a decimal number.
It is not detected because there is no such processing.


#4

Unfortunately this is not the case. The VT is doing a simple regex on the returned HTTP headers like:

etag = eregmatch(pattern:'ETag: "([^"]+)"', string:banner);
if(isnull(etag[1]))exit(0);

which is used to confirm in addition to the following:

etag = split(etag[1], sep:"-",keep:FALSE);
if((max_index(etag)<3))exit(0);

if the affected system is vulnerable.

Keep in mind that this VT is only checking for a possible vulnerability on Apache servers and will exit / won’t report a vulnerability against all other Web-Servers like e.g. Nginx or if the Server: Apache header is hidden.


#5

Thank you for your reply.

It means that it has nothing to do with detection.

inode = (hex2dec (xvalue: inode));
size = (hex2dec (xvalue: size)); 

I understand that it is only for Apache.
I have also confirmed the response header.
Why is it not detected?

Server: Apache

I have confirmed that it is detected on other Apache servers.
I don’t think it’s a configuration issue.
All other Apache servers were displaying Apache version information.
If Apache version information is not displayed, will it not be detected?

Server: Apache / 1.3.37 (Unix)
Server: Apache / 2.2.31

#6

Hi,

Exactly. Both variables are only used for the reporting after the initial detection:

report = string("Information that was gathered:\nInode: ", inode,"\nSize: ", size,"\n");

Nice, this was the missing hint here. It seems it's not related to the currently discussed VT but to a previous dependency (gb_get_http_banner.nasl) which had used the following:

set_mandatory_key( key:"apache", regex:"Server: Apache/", banner:banner );

which means a detection could happen only if the version was exposed (only in this case the “/” was appended).

This will be fixed in one of the next feed updates, thanks again for providing this info to understand where the issue is coming from.
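
The detection path described across this thread, reproduced in Python as an added example (not part of the original thread and not the OpenVAS VT code): the `Server: Apache/` gate from post #6, then the ETag regex and three-field check from post #4, with the hex-to-decimal conversion used only for reporting. The relaxed gate pattern, the function name and the sample banners are constructed assumptions; the actual feed fix may differ.

```python
import re

# Gate quoted in post #6: matches only when a version follows "Apache".
OLD_GATE = re.compile(r"Server: Apache/")
# Hypothetical relaxed gate: also accepts a bare "Server: Apache",
# but not other products such as "Apache-Coyote".
RELAXED_GATE = re.compile(r"Server: Apache(?![\w-])")
# ETag pattern quoted in post #4.
ETAG_RE = re.compile(r'ETag: "([^"]+)"')


def _hex(value):
    """Hex string to int, or None if it is not hex. Python ints are
    arbitrary precision, so a 64-bit inode converts without loss."""
    try:
        return int(value, 16)
    except ValueError:
        return None


def check_etag(banner, gate=OLD_GATE):
    """Return {'inode': ..., 'size': ...} if the banner would be reported,
    else None. Detection depends only on the gate, the regex and the
    field count; the numeric values are for the report text."""
    if not gate.search(banner):
        return None                      # "apache" key never set
    match = ETAG_RE.search(banner)
    if match is None:
        return None
    fields = match.group(1).split("-")
    if len(fields) < 3:
        return None                      # not inode-size-mtime
    return {"inode": _hex(fields[0]), "size": _hex(fields[1])}


# Constructed sample banners (not captured from a real server).
ETAG_LINE = 'ETag: "1a2b3c4d5e6f-2c-5a1b2c3d4e5f6"\r\n\r\n'
BANNER_VERSIONED = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.31\r\n" + ETAG_LINE
BANNER_HIDDEN = "HTTP/1.1 200 OK\r\nServer: Apache\r\n" + ETAG_LINE
# Two-field ETag, as produced when FileETag omits INode.
BANNER_NO_INODE = ('HTTP/1.1 200 OK\r\nServer: Apache/2.2.31\r\n'
                   'ETag: "2c-5a1b2c3d4e5f6"\r\n\r\n')

if __name__ == "__main__":
    for name in ("BANNER_VERSIONED", "BANNER_HIDDEN", "BANNER_NO_INODE"):
        b = globals()[name]
        print(name, check_etag(b), check_etag(b, gate=RELAXED_GATE))
```

With the old gate, the banner whose version is hidden is skipped even though its ETag carries an inode; the width of the inode value plays no part in the decision.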