| Summary: | nikto new security issue CVE-2018-11652 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, marja11, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | nikto-2.1.5-9.mga6.src.rpm | CVE: | |
| Status comment: | Patches available from upstream and Fedora | ||
Description
David Walser
2018-06-21 00:20:19 CEST

David Walser
2018-06-21 00:20:34 CEST
Status comment: (none) => Patches available from upstream and Fedora

Assigning to the registered maintainer.

Assignee: bugsquad => guillomovitch

guillomovitch

Cauldron: fixed
Mageia 6: nikto-2.1.5-9.1.mga6 uploaded in update_testing
Mageia 5: EOL

Suggested advisory:

This release fixes the CVE-2018-11652 vulnerability (CSV injection via the Server field in an HTTP response header).

Assignee: guillomovitch => qa-bugs
Thomas Backlund
2018-06-26 21:07:11 CEST
CC: (none) => tmb

Thanks Guillaume!

Advisory:
========================

Updated nikto package fixes security vulnerability:

CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers to inject arbitrary OS commands via the Server field in an HTTP response header, which is directly injected into a CSV report (CVE-2018-11652).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11652
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WP2HP7GAFORSGSAPANE4VPDGGYJT5Q3B/

herman.viaene

MGA6-32 on IBM Thinkpad R50e MATE

No installation issues for nikto-2.1.5-9.1.mga6.

At CLI:

```
$ nikto -host www.google.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 172.217.19.196
+ Target Hostname: www.google.com
+ Target Port: 80
+ Start Time: 2018-07-02 16:59:00 (GMT2)
---------------------------------------------------------------------------
+ Server: gws
+ Cookie 1P_JAR created without the httponly flag
+ Cookie NID created without the httponly flag
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'referrer-policy' found, with contents: no-referrer
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from 'gws' to 'sffe' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-content-type-options' found, with contents: nosniff
+ File/dir '/search/about/' in robots.txt returned a non-forbidden or redirect HTTP code (301)
```

and loads more. Not sure what it all means, but looks sensible.

CC: (none) => herman.viaene

Len Lawrence
2018-07-05 01:00:33 CEST
CC: (none) => tarazed25
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Mageia 6, x86_64

Thanks Herman for taking the lead.

Had a look at the PoC at https://www.exploit-db.com/exploits/44899/ which involved installing nginx and nginx-extras. Hit a dead end there with the extras package, and the /etc/nginx/ configuration files appeared to be incomplete. Gave up on trying to inject a command string into a CSV document by scanning the nginx server with nikto.

Updated the package and used the command from comment 5.

```
$ nikto -host www.google.com
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 209.85.202.99
+ Target Hostname: www.google.com
+ Target Port: 80
+ Start Time: 2018-07-04 23:51:50 (GMT1)
---------------------------------------------------------------------------
+ Server: gws
+ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
+ Uncommon header 'x-xss-protection' found, with contents: 1; mode=block
+ Cookie 1P_JAR created without the httponly flag
+ Cookie NID created without the httponly flag
[....]
+ "robots.txt" contains 271 entries which should be manually viewed.
+ Allowed HTTP Methods: GET, HEAD
```

This is similar to the output in comment 5. Looks OK for 64-bits, or, to put it another way, Gort: Klaatu barada nikto.
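The mechanism the advisory describes, and that the PoC attempt above tried to reproduce with nginx, as an added Python example (this is not nikto's Perl code, nor the upstream or Fedora patch): the scan target controls its own Server header, the scanner writes that value into a CSV report, and a cell that begins with `=` is evaluated as a formula by the spreadsheet that later opens the report. The raw HTTP response and the `=cmd|...` payload shape are constructed for illustration, `target.example` is a placeholder, and the hardened writer applies the usual CSV-injection mitigation (strip CR/LF, apostrophe-prefix formula-leading cells, quote every field) rather than reproducing whatever the nikto fix itself does.

```python
"""CSV injection via an HTTP Server header: vulnerable vs. hardened report writer."""
import csv
import io

# Constructed sample HTTP response (not captured from any real host). The Server
# value imitates the spreadsheet DDE-formula shape used in CSV-injection write-ups;
# it is an illustrative string, not a copy of any specific published PoC.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: =cmd|' /C calc'!A0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Leading characters that make a spreadsheet treat a cell as a formula
# (the commonly cited set: =, +, -, @ and a leading tab).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t")


def server_header(raw: bytes) -> str:
    """Extract the Server header value from a raw HTTP response; '' if absent."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return ""


def is_formula_cell(value: str) -> bool:
    """True when a spreadsheet opening the CSV would evaluate this cell."""
    return value.startswith(FORMULA_PREFIXES)


def naive_csv_row(host: str, port: int, banner: str) -> str:
    """Vulnerable pattern (hypothetical, not nikto's own plugin code): the banner is
    interpolated straight into the CSV line, so a Server header that starts with
    '=' lands unescaped at the start of a cell."""
    return f'"{host}","{port}",{banner}\n'


def neutralize_cell(value: str) -> str:
    """Make attacker-controlled text inert in a CSV cell:
    - drop CR/LF so one value cannot terminate the row and start a new one;
    - prefix formula-leading values with an apostrophe, which spreadsheets
      treat as 'literal text' even when the field is quoted."""
    value = value.replace("\r", " ").replace("\n", " ")
    if value.startswith(FORMULA_PREFIXES):
        value = "'" + value
    return value


def safe_csv_row(host: str, port: int, banner: str) -> str:
    """Hardened writer: every field neutralized, then quoted by the csv module
    (embedded quotes are doubled, commas cannot split fields)."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(str(c)) for c in (host, port, banner)])
    return buf.getvalue()


def parse_csv_row(line: str) -> list:
    """Read one CSV line back the way a report consumer would."""
    return next(csv.reader(io.StringIO(line)))


if __name__ == "__main__":
    banner = server_header(RAW_RESPONSE)
    print("banner from scan target :", banner)
    print("vulnerable CSV row      :", naive_csv_row("target.example", 80, banner), end="")
    print("hardened CSV row        :", safe_csv_row("target.example", 80, banner), end="")
```

Running the module prints both rows side by side. The apostrophe prefix is the part that matters: quoting alone does not help, because spreadsheet importers still evaluate a quoted cell whose content starts with `=`, and the CR/LF removal closes the related trick of ending the row early and starting an attacker-shaped one.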
Len Lawrence
2018-07-07 01:05:02 CEST
Keywords: (none) => validated_update

Dave Hodgins
2018-07-11 22:26:13 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0310.html

Resolution: (none) => FIXED