CVEs - Vulnerable HTTP Report

Description

The Hypertext Transfer Protocol (HTTP)

The Hypertext Transfer Protocol (HTTP) is a stateless, application-layer protocol for fetching resources such as HyperText Markup Language (HTML) documents, and is the foundation of data exchange on the World Wide Web.  HTTP is a client-server protocol: requests are initiated by the client, usually a web browser, and answered by the server.  Clients and servers communicate by exchanging individual messages rather than a continuous stream of data.  The messages sent by the client are called requests; the messages sent by the server in answer are called responses.  Because the protocol is stateless, every request must carry everything the server needs to process it, which is why session state is layered on top through cookies and authentication headers.

HTTP is an application-layer protocol that allows software to send and receive information and present data to users.  Management of the underlying connection is outside the scope of HTTP: HTTP/1.1 and HTTP/2 require a connection-oriented, reliable transport and therefore run over the Transmission Control Protocol (TCP), which establishes the connection between client and server over which HTTP messages are sent and received.  HTTP/3 instead runs over QUIC, a UDP-based transport that provides its own reliability and has TLS 1.3 built in.

The first widely deployed versions were HTTP/1.0 (1996) and HTTP/1.1 (1997); HTTP/1.1 remains the most common version and is transmitted as human-readable text.  HTTP/2 and HTTP/3 are later revisions of the protocol whose data transfer has been redesigned to make it more efficient.  HTTP/2 frames messages in binary instead of text, multiplexes several requests over one connection, and allows servers to push responses proactively to the client's cache instead of waiting for a new HTTP request.  HTTP/3 builds on HTTP/2 but replaces TCP with QUIC, which removes head-of-line blocking between streams and supports real-time streaming and other modern data transfer requirements more efficiently.

HTTP transmits data in plaintext, unencrypted, which means that information sent between the client browser and the server, including credentials, session cookies and page content, can be intercepted, read and modified by anyone on the network path.

HTTP/1.1 and HTTP/2 are conventionally served on port 80/TCP.  HTTP does not use port 80/UDP; the only UDP-based variant is HTTP/3 over QUIC, which is always encrypted and is normally served on port 443/UDP.

The Hypertext Transfer Protocol Secure (HTTPS)

The Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP).  It uses encryption for secure communication over a computer network, and is widely used on the Internet.  In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL).  The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

Transport Layer Security (TLS) is the security protocol used to encrypt information as it is sent over the Internet.  TLS is the successor to SSL: SSL 2.0 and 3.0 have been formally deprecated (RFC 6176 and RFC 7568), as have TLS 1.0 and 1.1 (RFC 8996), so current deployments should accept only TLS 1.2 and TLS 1.3.  TLS uses more robust cryptographic algorithms and provides better security than SSL, although the two terms are still often used interchangeably.

To enable HTTPS on a website, it must have a valid TLS certificate.  The certificate contains the site's public key together with the identity (domain name) that the issuing authority has bound to it, and is signed by that authority; the matching private key is never part of the certificate and must stay on the server.  During the TLS handshake the server proves possession of the private key, and the two sides then derive a fresh symmetric session key with which the actual HTTP traffic is encrypted.  The certificate therefore provides authentication and key establishment; it does not itself encrypt the data.

TLS certificates are issued by Certificate Authorities (CAs).  A CA is an organisation that verifies that the applicant controls the domain name (and, for some certificate types, verifies the organisation's identity) and then issues a certificate for that site.  When a client browser connects to a website, it checks that the certificate chains to a CA in its trust store, matches the hostname being visited, is within its validity period and, depending on the browser, has not been revoked.  A valid connection is indicated by a padlock icon in the address bar (current browsers no longer colour it green); a certificate that fails these checks produces a full-page warning, and pages loaded over plain HTTP are marked "Not Secure" in the address bar.

HTTPS client authentication (mutual TLS) is a stronger method of authentication in which the server also authenticates the client, using the client's Public Key Certificate (PKC).   The public key certificate can be likened to the digital equivalent of a passport: it is issued by a trusted organisation, the CA, and identifies the bearer, who proves possession of the corresponding private key during the handshake.

HTTPS with its TLS technology provides data encryption, server authentication, message integrity and optional client authentication for a TCP/IP connection.
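The guarantees listed above are only obtained if the client actually verifies the certificate, and switching verification off to silence a certificate warning is one of the most common ways HTTPS deployments lose server authentication in practice.  The following added example, which is not part of the original page or of any vendor's code, uses Python's standard ssl module to build a hardened client context beside the weakened one, and a small audit function that reports which HTTPS guarantees a given context has given up; the optional file-path parameters are placeholders and are not used in the sample run.

```python
import ssl


def hardened_client_context(cafile=None, client_cert=None, client_key=None):
    """Client context that enforces what HTTPS is meant to provide: server
    authentication against a trusted CA set, hostname binding and modern
    protocol versions.  cafile/client_cert/client_key are placeholder paths
    (assumed for this example, not taken from the page)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 2/3, TLS 1.0/1.1 are deprecated
    ctx.check_hostname = True                       # certificate must name the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED             # chain must end at a trusted CA
    if client_cert:
        # Optional client authentication (mutual TLS): the client proves possession
        # of the private key matching its own certificate during the handshake.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def verification_disabled_context():
    """The common 'make the warning go away' configuration: traffic is still
    encrypted, but the client accepts any certificate, so an on-path attacker
    can present their own and read everything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return the list of HTTPS guarantees a client context has given up."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified: any certificate, forged or "
                        "self-signed, is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate for a different "
                        "site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated protocol versions allowed: SSL 3.0, TLS 1.0 or "
                        "TLS 1.1 may be negotiated")
    return findings


def hardened_server_context(certfile, keyfile, client_cafile=None):
    """Server side: the certificate is public, the private key stays on the server
    and is loaded here.  Passing client_cafile turns on mutual TLS (clients must
    present a certificate issued by that CA).  Paths are placeholders."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    if client_cafile:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("verification disabled", verification_disabled_context())):
        print(name, "->", audit_client_context(ctx) or ["no findings"])
```

The audit function is the part worth reusing: run it over the contexts an application actually passes to its HTTP client library, since the defaults of ssl.create_default_context are sound and the damage is almost always done afterwards by code that clears check_hostname or sets CERT_NONE.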

Companies that operate eCommerce websites use HTTPS to ensure that their customers' data, such as login IDs, home addresses, credit card details and other personal information, is encrypted in transit, protecting themselves and their customers from interception and the resulting threat of identity fraud.

In 2014, Google, in recognition of the importance of security, publicly called for Internet-wide use of HTTPS and began using HTTPS as a ranking signal in its search algorithm.   Search Engine Optimisation (SEO) is the process of optimising a website's technical configuration, content relevance and link popularity so that its pages become easier to find, more relevant and more popular for user search queries, and consequently rank better.

HTTPS is conventionally served on port 443/TCP.  HTTP/3 (HTTP over QUIC) is served on port 443/UDP.

Problem

On 29 September 2023, the Shadowserver Foundation updated their Vulnerable HTTP Report in respect of the jurisdiction.  The report references the publicly disclosed Common Vulnerabilities and Exposures (CVEs) listed in the table below, which affect software products deployed on the specific hosts identified in the report, together with other weaknesses, such as Basic Authentication implemented over plain HTTP and .git folders that are publicly accessible from the internet.  The 'Tag' column of the report contains a list of terms indicating the particular vulnerability associated with each host identified.

Identified in the report are:-

No. Description
1. Hosts that deploy a software product affected by a publicly disclosed Common Vulnerability and Exposure (CVE).
2. Hosts that have implemented Basic Authentication over plain HTTP.  Basic Authentication only Base64-encodes the username and password in the Authorization header; it does not encrypt them, so without TLS the credentials are effectively transmitted in plaintext and can be intercepted, decoded and replayed by third parties.
3. Internet-accessible .git folders.  Software developers use the .git folder as the repository that stores their source code together with its full revision history, and it also holds configuration files (for example .git/config with remote URLs) and any secrets that were ever committed, such as database passwords and API keys.  Even when directory listing is disabled, a repository whose .git/config is readable can generally be reconstructed file by file from the predictable paths inside .git.  Unauthorised access to such information may result in the host identified being compromised.
4. Hosts that deploy an AMI MegaRAC SP-X Baseboard Management Controller (BMC), used to control and manage servers remotely.  AMI has publicly disclosed two CVEs, CVE-2023-34329 and CVE-2023-34330, which, when chained together, allow unauthorised access with superuser permissions and Remote Code Execution (RCE).
5. Hosts that deploy the MOVEit Transfer service, which may possibly have been compromised.  On 31 May 2023, Progress Software publicly disclosed CVE-2023-34362, a SQL Injection vulnerability that could allow an unauthenticated attacker to access the MOVEit Transfer database.  A further five CVEs have subsequently been publicly disclosed in relation to MOVEit Transfer.
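Items 2 and 3 above describe what an eavesdropper or a probing scanner actually sees.  The following added example, which is not code from the page or from Shadowserver, works on two constructed samples: a plain-HTTP request carrying a Basic Authorization header, to show that the credentials are only Base64-encoded and come back as username and password in one call, and the body a misconfigured web server might return for GET /.git/config, to show how a genuine exposure is told apart from a catch-all page and why it matters (the remote URL in the sample embeds a deploy credential).  The hostnames, credentials and response contents are invented for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed capture of a plain-HTTP request as seen by anyone on the network path.
# Host, path and credentials are invented for this example.
SAMPLE_REQUEST = (
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic YWRtaW46U3VtbWVyMjAyMyE=\r\n"
    b"User-Agent: curl/8.0.1\r\n"
    b"\r\n"
)

# Constructed body of a 200 response to GET /.git/config on a misconfigured server.
SAMPLE_GIT_CONFIG = (
    b"[core]\n"
    b"\trepositoryformatversion = 0\n"
    b"\tfilemode = true\n"
    b"\tbare = false\n"
    b'[remote "origin"]\n'
    b"\turl = https://deploy:s3cr3t-token@git.example/app.git\n"
    b"\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
)


def parse_request(raw):
    """Split an HTTP/1.x request message into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def basic_credentials(headers):
    """Recover (username, password) from a Basic Authorization header, or None.
    Base64 is an encoding, not encryption: no key is needed to reverse it."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, _, password = decoded.partition(":")  # RFC 7617: user-id ":" password
    return user, password


def looks_like_git_config(status, body):
    """True if a response to /.git/config is a real git config rather than a
    catch-all page.  Many servers answer 200 with an HTML error page, so the
    status alone proves nothing; insist on the INI structure git writes."""
    if status != 200:
        return False
    text = body.decode("utf-8", "replace")
    return (re.search(r"^\s*\[core\]\s*$", text, re.M) is not None
            and "repositoryformatversion" in text)


def embedded_credentials(body):
    """Remote URLs in the config that carry userinfo (user:password@host)."""
    text = body.decode("utf-8", "replace")
    urls = re.findall(r"^\s*url\s*=\s*(\S+)", text, re.M)
    return [u for u in urls if urlsplit(u).password is not None]


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], "credentials:", basic_credentials(req["headers"]))
    if looks_like_git_config(200, SAMPLE_GIT_CONFIG):
        print("exposed .git/config; credentials in remotes:",
              embedded_credentials(SAMPLE_GIT_CONFIG))
```

The same two checks are what a constituent can run against their own hosts before the next report: capture one authenticated request on the wire and see whether basic_credentials recovers the password, and request /.git/config from the internet and see whether looks_like_git_config accepts the answer.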

Common Vulnerabilities & Exposures (CVEs)


Systems used for identifying security vulnerabilities and assessing their severity.

No. System Description
1. Common Vulnerabilities and Exposures (CVE). The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures; each entry receives a unique identifier of the form CVE-YYYY-NNNN.
2. The Common Vulnerability Scoring System (CVSS). CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities.  It provides a numerical (0-10) Base Score representing the severity of a vulnerability, derived from metrics such as the attack vector, the privileges and user interaction required, and the impact on confidentiality, integrity and availability.  The scores in the table below are CVSS v3 Base Scores.

CVSS v3 Qualitative Severity Rating Scale (Base Score).

No. Base Score Range Severity
1. 0.0 None
2. 0.1 - 3.9 Low
3. 4.0 - 6.9 Medium
4. 7.0 - 8.9 High
5. 9.0 - 10.0 Critical

List of CVEs - Vulnerable HTTP Report.

No. CVE Report Description CVSSv3 Advisory
1. CVE-2019-5544
Remote Code Execution (RCE) vulnerability in VMware ESXi Open Service Location Protocol (SLP) due to Heap-Based Buffer Overflow Issues. 9.8 VMware Security Advisory
2. CVE-2020-3992
Remote Code Execution (RCE) vulnerability in the OpenSLP Service of VMware ESXi & Horizon DaaS Appliances. 9.8 VMware Security Advisory
3. CVE-2021-21972
Remote Code Execution (RCE) vulnerability in the VMware vCenter Server vSphere Client (HTML5). 9.8 VMware Security Advisory
4. CVE-2021-21974
Remote Code Execution (RCE) vulnerability in the OpenSLP in VMware ESXi due to a heap overflow issue. 8.8 VMware Security Advisory
5. CVE-2021-35587
Vulnerability in the Oracle Fusion Middleware Access Manager allows an unauthenticated threat actor with network access via HTTP to compromise the Access Manager. 9.8 Oracle Security Alerts & Bulletin
6. CVE-2022-24816
Remote Code Execution (RCE) in GeoSolutions JAI-EXT due to improper Control of Generation of Code (Code Injection). 9.8 GeoSolutions Developer's Corner
7. CVE-2022-27510
Authentication Bypass vulnerability in Citrix NetScaler ADC & Gateway. 9.8 Citrix Security Bulletin
8. CVE-2022-37042
Authentication Bypass vulnerability in MailboxImportServlet of the Zimbra Collaboration Suite (ZCS). 9.8 Zimbra Security Center
9. CVE-2022-40259
Arbitrary Code Execution vulnerability in the AMI MegaRAC Redfish Baseboard Management Controller (BMC). 9.8 AMI Security Advisory
10. CVE-2022-42475
Remote Code Execution (RCE) vulnerability in Fortinet FortiOS SSL-VPN due to heap-based buffer overflow. 9.8 PSIRT Advisories
11. CVE-2023-3466
Reflected Cross-Site Scripting (XSS) vulnerability in Citrix NetScaler ADC & NetScaler Gateway. 6.1 Citrix Security Bulletin
12. CVE-2023-3467
Privilege Escalation to root administrator (nsroot) vulnerability in Citrix NetScaler ADC & NetScaler Gateway. 8.0 Citrix Security Bulletin
13. CVE-2023-3519
Remote Code Execution (RCE) vulnerability in Citrix NetScaler ADC & NetScaler Gateway. 9.8 Citrix Security Bulletin
14. CVE-2023-4966
Sensitive information disclosure vulnerability in appliance configured as a Citrix NetScaler Gateway. 9.4 Citrix Security Bulletin
15. CVE-2023-20892
Remote Code Execution (RCE) vulnerability in VMware vCenter Server due to the usage of uninitialised memory in the implementation of the DCERPC protocol. 9.8 VMware Security Advisory
16. CVE-2023-23752
Authentication Bypass vulnerability that allows unauthenticated users to access sensitive information in Joomla! content management system (CMS). 5.3 Joomla! Security Announcements
17. CVE-2023-25157
SQL Injection vulnerability in the open source GeoServer platform & GeoTools Library. 9.8 GeoServer Vulnerability Statement
18. CVE-2023-25690
HTTP Request Smuggling vulnerability in mod_proxy configurations on Apache HTTP Server leading to unauthorised access. 9.8 Apache Vulnerabilities
19. CVE-2023-27898
Cross-site scripting (XSS) vulnerability in Jenkins open source automation server used for software development and testing. 9.8 Jenkins Security Advisory
20. CVE-2023-27997
Remote Code Execution (RCE) vulnerability in Fortinet FortiOS SSL-VPN due to a buffer overflow. 9.8 PSIRT Advisories
21. CVE-2023-33308
Remote Code Execution (RCE) vulnerability in Fortinet FortiOS & FortiProxy due to a stack-based overflow. 9.8 PSIRT Advisories
22. CVE-2023-34329
Authentication Bypass via HTTP Header Spoofing vulnerability in AMI MegaRAC SPx12 BMC. 8.4 AMI Security Advisory
23. CVE-2023-34330
Remote Code Injection vulnerability in AMI MegaRAC SPx12 Baseboard Management Controller (BMC) Dynamic Redfish Extension Interface. 8.2 AMI Security Advisory
24. CVE-2023-34362
SQL Injection vulnerability in Progress MOVEit Transfer & MOVEit Cloud which allows access without authentication to MOVEit Transfer's database. 9.8 Progress Vulnerability
25. CVE-2023-35078
Unauthorised access vulnerability to Ivanti Endpoint Manager Mobile (EPMM) users' Personally Identifiable Information (PII). 9.8 Ivanti API Access Vulnerability
26. CVE-2023-35082
Unauthorised access vulnerability, to restricted functionality or resources, in Ivanti Endpoint Manager Mobile (EPMM). 9.8 Ivanti API Access Vulnerability
27. CVE-2023-38646
Remote Code Execution (RCE) vulnerability, in open source Metabase, which is used for data instrumentation, visualization and querying. 9.8 Metabase Security Advisory
28. CVE-2023-39143
Remote Code Execution (RCE) vulnerability, in print management software PaperCut NG & PaperCut MF, when external device integration is enabled. 9.8 PaperCut Security Bulletin
29. CVE-2023-42793
Remote Code Execution (RCE) vulnerability, in JetBrains TeamCity build management & continuous integration server. 9.8 JetBrains Blog
30. CVE-2023-46805
An authentication bypass vulnerability in the web component of Ivanti Connect Secure (ICS) 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. 8.2 Ivanti Advisory
31. CVE-2023-48365
Unauthenticated remote code execution (RCE) vulnerability in Qlik Sense Enterprise for Windows as a consequence of an incomplete fix for CVE-2023-41265. Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to execute HTTP requests on the backend server that hosts the repository application. 9.6 Qlik Community - Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365)
32. CVE-2024-0204
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 that allows an unauthorized user to create an admin user via the administration portal. 9.8 Fortra Vendor Advisory
33. CVE-2024-1709
Authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve Remote Code Execution (RCE) by uploading a malicious extension module. ScreenConnect version 23.9.7 and below are affected. 10.0 ConnectWise ScreenConnect Vulnerability
34. CVE-2024-3273
A vulnerability found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. 7.3 D-Link Security Announcement
35. CVE-2024-3400
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. 10.0 Paloalto - How to Remedy CVE-2024-3400
36. CVE-2024-4040
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. 10.0 CrushFTP - Update - CVE-2024-4040
37. CVE-2024-4358
In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability. 9.8 Progress Telerik Authentication Bypass Vulnerability
38. CVE-2024-6327
In Progress® Telerik® Report Server versions prior to 2024 Q2 (10.1.24.709), a remote code execution attack is possible through an insecure deserialization vulnerability. 9.9 Progress Telerik Authentication Insecure Deserialization Vulnerability
39. CVE-2024-20419
A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user. 10.0 Cisco Security Advisories
40. CVE-2024-21762
An out-of-bounds write vulnerability in FortiOS and FortiProxy which may allow a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests. 9.8 FortiGuard Labs PSIRT- Out-of-bound Write in sslvpnd
41. CVE-2024-21887
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure that allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet. 9.1 Ivanti Advisory
42. CVE-2024-21894
A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure allows an unauthenticated user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack. In certain conditions this may lead to execution of arbitrary code. 8.2 Ivanti Advisory
43. CVE-2024-22024
An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. 8.3 Ivanti Advisory
44. CVE-2024-22053
A heap overflow vulnerability in IPSec component of Ivanti Connect Secure (9.x 22.x) and Ivanti Policy Secure allows an unauthenticated user to send specially crafted requests in-order-to crash the service thereby causing a DoS attack or in certain conditions read contents from memory. 8.2 Ivanti Advisory
45. CVE-2024-22252
VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. 9.3 Broadcom - VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities
46. CVE-2024-23897
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. 9.8 Jenkins Security Advisory
47. CVE-2024-23917
Authentication bypass leading to Remote Code Execution possible in JetBrains TeamCity before 2023.11.3. 9.8 JetBrains Blog - Critical Security Issue Affecting TeamCity On-Premises (CVE-2024-23917)
48. CVE-2024-27198
Authentication bypass leading to Remote Code Execution (RCE) in JetBrains TeamCity prior to 2023.11.3. 9.8 JetBrains Blog - Critical Security Issue Affecting TeamCity On-Premises
49. CVE-2024-28986
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. It is recommended that all Web Help Desk customers apply the available patch. 9.8 Solarwinds Security Advisories
50. CVE-2024-28995
SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine. 8.6 Solarwinds Security Advisories
51. CVE-2024-29849
Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface. 9.8 Veeam Backup Enterprise Manager Vulnerabilities
52. CVE-2024-37079
vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. 9.8 Broadcom Security Advisories
53. CVE-2024-37085
VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD. 6.8 Broadcom Security Advisories

Note: Constituents who click a CVE link in the table above will be directed to the www.mitre.org page for that CVE number, which contains the relevant information on the CVE.   From there they can follow the www.cve.org link to the corresponding www.cve.org record, or enter the CVE number in the Find field on www.cve.org, for additional information on the CVE in question.

Solution


Shadowserver Foundation - Vulnerable HTTP Report - Tag Index.

Note: The Shadowserver Foundation has included in the 'Tag' column of their report, a list of terms, which indicate the type of vulnerability associated with the specific host identified in the report.

No. Tag Description
1. CVEs. A CVE identifier naming a publicly disclosed Common Vulnerability and Exposure affecting the software product deployed on the host identified.
2. basic-auth. Hosts that have implemented Basic Authentication in plain HTTP.
3. git-config-file. Internet accessible .git folders & content, due to insufficient protection or incorrect configuration.
4. megarac. AMI MegaRAC Baseboard Management Controller (BMC), used to control and manage servers remotely, affected by two CVEs, CVE-2023-34329 and CVE-2023-34330, which, when chained together, allow unauthorised access with superuser permissions and Remote Code Execution (RCE).
5. potential-megarac. Potential AMI MegaRAC BMC vulnerability - (CVE-2023-34329) & (CVE-2023-34330).
6. moveit. MOVEit Transfer software product possibly compromised through CVE-2023-34362, a SQL Injection vulnerability that allows unauthenticated access to the database engine used.

Recommendations.

No. Tag Recommendations
1. CVEs. Ensure that the latest software patches and updates released by the vendor of the affected software product are applied as soon as possible, giving priority to CVEs with a severity classification of 'Critical' or 'High' as indicated by their CVSS v3 Base Score, and confirm afterwards (for example from the product version the host now reports) that the fix is actually in place.  Where the affected product is a management interface, VPN appliance or similar, also consider whether it needs to be reachable from the internet at all.
2. basic-auth. Hosts that have implemented Basic Authentication over plain HTTP are requested to move the protected resource to HTTPS, redirecting plain HTTP requests to it, so that the TCP/IP connection gains data encryption, server authentication, message integrity and optional client authentication, and to treat any credentials already submitted over plain HTTP as potentially exposed.
3. git-config-file. Ensure that .git folders are not publicly accessible from the internet: preferably do not deploy the repository metadata to the web root at all, and otherwise block web access to the path using the mechanism of the web server in use, e.g. on Apache HTTP Server a RedirectMatch 404 /\.git directive in the server configuration or a .htaccess file (on nginx, a location block matching /\.git that denies all).  Where the folder has already been exposed, assume that the repository and its history have been downloaded and rotate any credentials they contain.
4. megarac. Ensure that AMI MegaRAC SP-X Baseboard Management Controller (BMC) Redfish remote server management interface is not internet accessible.  AMI MegaRAC Customers are advised to upgrade their BMC software to the latest firmware version available and to maintain strict access control to their BMC devices.
5. potential-megarac. Ensure that AMI MegaRAC SP-X Baseboard Management Controller (BMC) Redfish remote server management interface is not internet accessible.  AMI MegaRAC Customers are advised to upgrade their BMC software to the latest firmware version available and to maintain strict access control to their BMC devices.
6. moveit. Ensure that the latest software patches and updates released by Progress Software in response to the public disclosure of CVE-2023-34362 are applied as soon as possible.  See the advisory released by the Progress Community in response to the public disclosure of CVE-2023-34362 and of the five CVEs subsequently disclosed (CVE-2023-35036, CVE-2023-35708, CVE-2023-36932, CVE-2023-36933, CVE-2023-36934), and apply the latest software patches and updates where necessary.  Because this tag indicates possible compromise, follow the advisory's guidance on checking for indicators of compromise before and after patching; patching alone does not remove access an attacker may already have obtained.
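Working the report: each row of the Shadowserver CSV names one host and a list of tags, and the tag index and recommendations above map each tag to an action.  The following added example, which is not Shadowserver's code or a description of its file format, shows a triage pass that parses constructed report rows, attaches the CVSS scores and severity bands from the tables above to CVE tags and the recommendation text to the other tags, and orders hosts by their worst CVSS score so that Critical and High items are handled first.  The column layout, the semicolon tag separator, the lowercase form of the CVE tags and the scores dictionary (a subset copied from the table above) are assumptions for this example; the addresses are from documentation ranges.

```python
import csv
import io

# Constructed report rows.  Column names and the ';' tag separator are assumed
# for this example; the real report has more columns.  Documentation addresses.
SAMPLE_REPORT = """timestamp,ip,port,hostname,tag,http_server
2023-09-29 02:11:05,192.0.2.10,80,www.example,basic-auth;cve-2023-25690,Apache/2.4.55
2023-09-29 02:11:07,192.0.2.22,443,vpn.example,cve-2023-27997;cve-2022-42475,
2023-09-29 02:11:09,198.51.100.5,80,,git-config-file,nginx
2023-09-29 02:11:12,198.51.100.9,443,bmc.example,potential-megarac,
2023-09-29 02:11:15,198.51.100.14,443,cms.example,cve-2023-23752,
"""

# CVSS v3 base scores for the CVEs used above, copied from the table on this page.
CVSS = {
    "CVE-2023-25690": 9.8,
    "CVE-2023-27997": 9.8,
    "CVE-2022-42475": 9.8,
    "CVE-2023-23752": 5.3,
}

# Recommendation per non-CVE tag, condensed from the Recommendations table.
TAG_ACTIONS = {
    "basic-auth": "Move the protected resource to HTTPS; treat credentials already "
                  "sent over HTTP as exposed.",
    "git-config-file": "Block web access to /.git; rotate any credentials present in "
                       "the repository.",
    "megarac": "Remove the BMC Redfish interface from the internet; update firmware; "
               "restrict access.",
    "potential-megarac": "Remove the BMC Redfish interface from the internet; update "
                         "firmware; restrict access.",
    "moveit": "Apply Progress patches for CVE-2023-34362 and the later MOVEit CVEs; "
              "check for indicators of compromise.",
}


def severity(score):
    """Map a CVSS v3 base score to its qualitative rating (table above)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be within 0.0-10.0")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def triage(report_csv):
    """Return one record per host, worst CVSS first, with an action per tag."""
    hosts = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        tags = [t.strip().lower() for t in row["tag"].split(";") if t.strip()]
        worst, actions = 0.0, []
        for tag in tags:
            if tag.startswith("cve-"):
                cve = tag.upper()
                score = CVSS.get(cve)
                if score is None:
                    # Not in the local table: still a patch action, score it by hand.
                    actions.append((cve, None, "Look up on cve.org and apply the vendor patch."))
                    continue
                worst = max(worst, score)
                actions.append((cve, score, f"{severity(score)}: apply the vendor patch."))
            else:
                actions.append((tag, None, TAG_ACTIONS.get(tag, "Unknown tag: consult the report legend.")))
        hosts.append({"ip": row["ip"], "port": int(row["port"]),
                      "hostname": row["hostname"] or None,
                      "worst_cvss": worst, "actions": actions})
    # Critical/High CVEs first; among equal scores, hosts with more findings first.
    hosts.sort(key=lambda h: (h["worst_cvss"], len(h["actions"])), reverse=True)
    return hosts


if __name__ == "__main__":
    for h in triage(SAMPLE_REPORT):
        print(f"{h['ip']}:{h['port']} worst CVSS {h['worst_cvss']}")
        for name, score, action in h["actions"]:
            print(f"    {name:<20} {action}")
```

Hosts tagged only with basic-auth, git-config-file or megarac carry no CVSS score and therefore sort last here; that is a limitation of scoring by CVE alone, and an exposed repository or management controller generally deserves to be handled alongside the High items rather than after them.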

Additional Information

Shadowserver Foundation - Vulnerable HTTP Report.
An overview of HTTP.
GeeksforGeeks - Difference between http:// and https://.
GlobalSign - What's the difference between http and https?.
AWS - What's the difference between http and https?.
Baeldung - Networking: Stateless and Stateful Protocols.
NCSC-UK - Using TLS to protect data.
Internet Society - Transport Layer Security (TLS) - TLS Basics.
High Performance Browser Networking - Transport Layer Security (TLS).
NCSC-CH - Unprotected .git folders on the internet pose a security risk.
Apache HTTP Server Tutorial: .htaccess files.
Eclypsium - BMC&C: Lights Out Forever.
CSG-SG - Critical Vulnerabilities in AMI MegaRAC Baseboard Management Controller (BMC) Firmware.
Progress Community - MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362).