2012-03-27 103 views
0

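I've run into some confusion at work. Some engineers and I believe that Nessus (as far as we know, a port scanner) won't care if I rename the Tomcat directory on the server from /usr/java/apache-tomcat-5.5.33 to /usr/java/apache-tomcat. Does Nessus rely on or use the directory path to determine the version?

I want to do this to make life easier the next time we are forced to upgrade our servers when a customer cries "vulnerability!".

So to reiterate: if I want to make the Tomcat server path generic, Nessus won't care one bit. The product (Nessus) will be able to sniff out the product version just fine.

Is this correct?

Thanks for your help.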

-dklotz

This is the scan reported to us by the customer.

Apache Tomcat 5.5.x < 5.5.34 Multiple Vulnerabilities Category: Web Servers 
Description: 

According to its self-reported version number, the instance of Apache 
Tomcat 5.5.x listening on the remote host is earlier than 5.5.34 and 
is affected by multiple vulnerabilities: 

    - Several weaknesses were found in the HTTP Digest 
    authentication implementation. The issues are as 
    follows: replay attacks are possible, server nonces 
    are not checked, client nonce counts are not checked, 
    'quality of protection' (qop) values are not checked, 
    realm values are not checked and the server secret is 
    a hard-coded, known string. The effect of these issues 
    is that Digest authentication is no stronger than Basic 
    authentication. (CVE-2011-1184, CVE-2011-5062, 
    CVE-2011-5063, CVE-2011-5064) 

    - An error handling issue exists related to the 
    MemoryUserDatabase that allows user passwords to be 
    disclosed through log files. (CVE-2011-2204) 

    - An input validation error exists that allows a local 
    attacker to either bypass security or carry out denial 
    of service attacks when the APR or NIO connectors are 
    enabled. (CVE-2011-2526) 

    - A component that Apache Tomcat relies on called 'jsvc' 
    contains an error in that it does not drop capabilities 
    after starting and can allow access to sensitive files 
    owned by the super user. Note this vulnerability only 
    affects Linux operating systems and only when 'jsvc' is 
    compiled with libpcap and the '-user' parameter is 
    used. (CVE-2011-2729) 

    - Specially crafted requests are incorrectly processed by 
    Tomcat and can cause the server to allow injection of 
    arbitrary AJP messages. This can lead to authentication 
    bypass and disclosure of sensitive information. Note 
    this vulnerability only occurs when the 
    org.apache.jk.server.JkCoyoteHandler AJP connector is 
    not used, POST requests are accepted, and the request 
    body is not processed.(CVE-2011-3190) 

Note that Nessus did not actually test for the flaws but instead has 
relied on the version in Tomcat's banner or error page. 

    Vuln Publication Date: 6/27/2011 
Plugin Publication Date: 9/26/2011 
Easy to Exploit: Exploits are available 
Exploit Available: true 
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P 
CVSS Base Score: 7.5 
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C 
CVSS Temporal Score: 6.2 
CVE: CVE-2011-1184 
CVE-2011-2204 
CVE-2011-2526 
CVE-2011-2729 
CVE-2011-3190 
CVE-2011-5062 
CVE-2011-5063 
CVE-2011-5064 

Cross Reference: OSVDB:73429 
OSVDB:73797 
OSVDB:73798 
OSVDB:74541 
OSVDB:74818 
OSVDB:76189 

See Also: http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.34 

Bug Traq ID: 48456 
48667 
49143 
49353 
49762 
+0

Are you doing a credentialed scan? Otherwise, moving the directory's location doesn't matter. – rutgersmike 2012-03-27 14:34:58

+0

Thanks for the reply. I've added a sample of the report the customer gave us. – 2012-03-27 14:48:43

+0

But to answer your question, I don't know. Could you explain what a credentialed scan is? Thanks. – 2012-03-27 14:55:08

Answers

1

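::From the comments::

This is a reply to the actual vulnerability report. If it is getting the information from the Tomcat banner, that can be done through the open web service port, in which case, without credentials, it doesn't care about the actual location of the Tomcat directory. That doesn't mean it has no credentials, but it does mean it is possible for it to get this information without credentials. You could try moving the directory and rescanning to see whether the vulnerability is detected, or edit the scan and select the "Policies/Credentials" section, where you can see whether credentials were specified for that particular scan.

A credentialed scan has login information; an uncredentialed scan does not.

I see you also found the Tenable discussion portal - I was going to point you there next! :-) I agree with George's last post - "remote check" = "uncredentialed" in the terms I've always used. HTH!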

+0

Thanks again for your help. – 2012-03-27 16:27:19

+1

Here is the post he is referring to, in case anyone else comes this way: https://discussions.nessus.org/message/14728#14728 – 2012-03-27 18:16:52
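
The report quoted in the question says Nessus "relied on the version in Tomcat's banner or error page". The following is an added example, not part of the original posts and not Nessus plugin code, showing a version-only check of that kind run over constructed HTTP responses. The function names, host records and sample responses are assumptions made for illustration.

```python
import re

# Tomcat's default error page prints "Apache Tomcat/<version>" in its title and footer.
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
FIXED = (5, 5, 34)  # first fixed 5.5.x release named in the report above


def sample_404(version):
    """Constructed sample of a default Tomcat 5.5 error response (not captured traffic)."""
    return (
        "HTTP/1.1 404 Not Found\r\n"
        "Server: Apache-Coyote/1.1\r\n"
        "Content-Type: text/html;charset=utf-8\r\n\r\n"
        f"<html><head><title>Apache Tomcat/{version} - Error report</title></head>"
        f"<body><h1>HTTP Status 404 - /missing</h1><h3>Apache Tomcat/{version}</h3></body></html>"
    )


def reported_version(http_response):
    """Return the (major, minor, patch) the server self-reports, or None."""
    match = VERSION_RE.search(http_response)
    return tuple(int(part) for part in match.groups()) if match else None


def banner_finding(http_response):
    """Version-only check: nothing is tested except the self-reported version string."""
    version = reported_version(http_response)
    if version is None:
        return "no-version-reported"  # nothing to compare; says nothing about patch level
    if version[:2] != FIXED[:2]:
        return "other-branch"  # this check only covers 5.5.x
    return "flagged" if version < FIXED else "not-flagged"


# Hypothetical hosts: install_dir is recorded here only to show the check never reads it.
HOSTS = [
    {"install_dir": "/usr/java/apache-tomcat-5.5.33", "response": sample_404("5.5.33")},
    {"install_dir": "/usr/java/apache-tomcat", "response": sample_404("5.5.33")},  # renamed
    {"install_dir": "/usr/java/apache-tomcat", "response": sample_404("5.5.34")},  # upgraded
]


def scan(hosts):
    """Return (install_dir, finding) pairs; the finding depends on the response alone."""
    return [(h["install_dir"], banner_finding(h["response"])) for h in hosts]


if __name__ == "__main__":
    for install_dir, finding in scan(HOSTS):
        print(f"{install_dir:35} {finding}")
```

The renamed host is still flagged because only the self-reported version changes the result; the finding clears only on the host whose response reports 5.5.34.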
