Best Solutions


- Configure SMB signing for Windows
- Disable HTTP OPTIONS Method for Apache
- Disable HTTP OPTIONS method
- Disable HTTP TRACE Method for Apache
- Disable ICMP timestamp responses
- Disable TCP timestamp responses on Windows versions since Vista
- Fix Apache Server mod_info is Publicly Accessible
- Fix Apache Server mod_status is Publicly Accessible
- Fix the subject's Common Name (CN) field in the certificate
- Remove/disable SMB1
- Restrict access to NetBIOS
- Upgrade to the latest version of Apache HTTPD

Configure SMB signing for Windows


Configuration remediation steps
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this are system-specific, so please see this Microsoft article for details. Note: ensure that SMB signing is configured for incoming connections (the Server side), not only for the client side.
Resolves 3 vulnerabilities

- SMB signing disabled
- SMB signing not required
- SMBv2 signing not required

Disable HTTP OPTIONS Method for Apache


Configuration remediation steps
Disable the OPTIONS method by including the following in the Apache configuration:

    <Limit OPTIONS>
        Order deny,allow
        Deny from all
    </Limit>

Order, Deny and Allow are Apache 2.2 directives (available in 2.4 only through mod_access_compat); on Apache 2.4 use "Require all denied" inside the <Limit> block instead. Restart Apache after the change and confirm that an OPTIONS request now returns 403.
Resolves 1 vulnerability

- HTTP OPTIONS Method Enabled

Disable HTTP OPTIONS method


Configuration remediation steps
Disable the HTTP OPTIONS method on your web server. Refer to your web server's documentation for how to do this.
Web servers that respond to the OPTIONS method disclose which other HTTP methods the server supports, allowing attackers to narrow and intensify their efforts.
Resolves 1 vulnerability

- HTTP OPTIONS Method Enabled

Disable HTTP TRACE Method for Apache


Configuration remediation steps
Newer versions of Apache (1.3.34 and 2.0.55 and later) provide a configuration directive called TraceEnable. To deny TRACE requests, add the following line to the server configuration:

    TraceEnable off

For older versions of the Apache web server, use the mod_rewrite module to deny TRACE requests:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule .* - [F]

In Apache Tomcat, HTTP TRACE can be disabled by adding security constraints (as defined by the Java Servlet specification) to the web.xml configuration file and by setting the attribute allowTrace="False" on the HTTP connector in server.xml. For Spring Boot embedded Tomcat configuration, please refer here.
Resolves 1 vulnerability

- HTTP TRACE Method Enabled

Disable ICMP timestamp responses


Configuration remediation steps
Disable ICMP timestamp replies on the device. If the device does not support this level of configuration, the easiest and most effective solution is to configure your firewall to block incoming and outgoing ICMP packets of type 13 (timestamp request) and type 14 (timestamp reply).
Resolves 1 vulnerability

- ICMP timestamp response

Disable TCP timestamp responses on Windows versions since Vista


Configuration remediation steps
TCP timestamps cannot be reliably disabled on this OS. If TCP timestamps present enough of a risk, put a firewall capable of blocking TCP packets carrying the timestamp option in front of the affected assets.
Resolves 1 vulnerability

- TCP timestamp response

Fix Apache Server mod_info is Publicly Accessible


Configuration remediation steps
The Apache configuration file (httpd.conf) contains:

    <Location /server-info>
        SetHandler server-info
    </Location>

To remove the feature from Apache, rewrite this to:

    # comment everything out
    #<Location /server-info>
    #    SetHandler server-info
    #</Location>

To keep the feature but restrict who can reach it, rewrite it to:

    # add access control
    <Location /server-info>
        SetHandler server-info
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>

On Apache 2.4, replace the Order/Deny/Allow lines with "Require local" (or "Require ip 127.0.0.1"). Once these changes have been made, the Apache server needs to be restarted.
Resolves 1 vulnerability

- Apache Server mod_info is Publicly Accessible

Fix Apache Server mod_status is Publicly Accessible


Configuration remediation steps
The Apache configuration file (httpd.conf) contains:

    <Location /server-status>
        SetHandler server-status
    </Location>

To remove the feature from Apache, rewrite this to:

    # comment everything out
    #<Location /server-status>
    #    SetHandler server-status
    #</Location>

To keep the feature but restrict who can reach it, rewrite it to:

    # add access control
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>

On Apache 2.4, replace the Order/Deny/Allow lines with "Require local" (or "Require ip 127.0.0.1"). Once these changes have been made, the Apache server needs to be restarted.
Resolves 1 vulnerability

- Apache Server mod_status is Publicly Accessible
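As an added example (not part of the original report), the following Python audit checks an httpd.conf for the Apache remediations described in the OPTIONS, TRACE, mod_info and mod_status sections above: TraceEnable off, a <Limit OPTIONS> block, and access control on every server-status/server-info Location. The two configurations are constructed samples, and the set of directives accepted as access control (2.2 Deny from all, or 2.4 Require all denied/ip/local/host) is an assumption of this script.

```python
import re

# Constructed sample configs (not from any real server): one unremediated, one remediated.
UNFIXED_CONF = """
TraceEnable on
<Location /server-status>
    SetHandler server-status
</Location>
<Location/server-info>
    SetHandler server-info
    Require ip 127.0.0.1
</Location>
"""
FIXED_CONF = """
TraceEnable off
<Limit OPTIONS>
    Order deny,allow
    Deny from all
</Limit>
#<Location /server-info>
#    SetHandler server-info
#</Location>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

# Directives this audit accepts as access control (assumption): 2.2 "Deny from all" or 2.4 "Require ...".
ACCESS_RE = re.compile(r"^\s*(Require\s+(all\s+denied|ip|local|host)|Deny\s+from\s+all)\b", re.I | re.M)
LOCATION_RE = re.compile(r"<Location\s*([^>\s]+)\s*>(.*?)</Location>", re.I | re.S)

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    # Drop comment lines first so a commented-out <Location> block counts as removed.
    active = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    findings = []
    trace = re.findall(r"^\s*TraceEnable\s+(\S+)", active, re.I | re.M)
    if not trace or trace[-1].lower() != "off":  # a later directive overrides an earlier one
        findings.append("TraceEnable is not set to off (TRACE method enabled)")
    if not re.search(r"<Limit\s+[^>]*\bOPTIONS\b", active, re.I):
        findings.append("no <Limit OPTIONS> block (OPTIONS method not restricted)")
    for path, body in LOCATION_RE.findall(active):
        handler = re.search(r"SetHandler\s+(server-status|server-info)", body, re.I)
        if handler and not ACCESS_RE.search(body):
            findings.append(f"{handler.group(1)} at {path} has no access control")
    return findings

if __name__ == "__main__":
    for name, conf in ("unfixed", UNFIXED_CONF), ("fixed", FIXED_CONF):
        print(name, audit(conf) or "OK")
```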

Fix the subject's Common Name (CN) field in the certificate


Configuration remediation steps
The subject's Common Name (CN) field in the X.509 certificate should be corrected to reflect the name of the entity presenting the certificate (e.g., the hostname). This is done by generating a new certificate, usually signed by a Certification Authority (CA) trusted by both the client and the server. Modern clients validate the hostname against the Subject Alternative Name (SAN) extension rather than the CN, so the new certificate should also carry the hostname in its SAN.
Resolves 1 vulnerability

- X.509 Certificate Subject CN Does Not Match the Entity Name

Remove/disable SMB1
Configuration remediation steps
On Windows 8.1 and Windows Server 2012 R2, removing SMB1 is trivial. On older OSes it cannot be removed but should be disabled. This article contains system-specific details: How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.
Resolves 1 vulnerability

- SMB: Service supports deprecated SMBv1 protocol

Restrict access to NetBIOS


Configuration remediation steps
Depending on the network design, NetBIOS can be important to the proper functioning of a Windows network. Restrict access to the NetBIOS service to trusted assets only.
Resolves 1 vulnerability

- NetBIOS NBSTAT Traffic Amplification

Upgrade to the latest version of Apache HTTPD


Rollup patch remediation steps
Download and apply the upgrade from: http://archive.apache.org/dist/httpd/httpd-2.4.54.tar.gz
The latest version of Apache HTTPD is 2.4.54.
Many platforms and distributions provide pre-built binary packages for Apache HTTP Server. These pre-built packages are usually customized and optimized for a particular distribution, so we recommend that you use them if they are available for your operating system.
Resolves 45 vulnerabilities

- Apache HTTPD: bypass with a trailing newline in the file name (CVE-2017-15715)
- Apache HTTPD: Apache httpd URL normalization inconsistency (CVE-2019-0220)
- Apache HTTPD: Denial of service in mod_lua r:parsebody (CVE-2022-29404)
- Apache HTTPD: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)
- Apache HTTPD: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333)
- Apache HTTPD: DoS for HTTP/2 connections via slow request bodies (CVE-2018-17189)
- Apache HTTPD: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (CVE-2022-22720)
- Apache HTTPD: Improper Handling of Insufficient Privileges (CVE-2020-13938)
- Apache HTTPD: Information Disclosure in mod_lua with websockets (CVE-2022-30556)
- Apache HTTPD: Limited cross-site scripting in mod_proxy error page (CVE-2019-10092)
- Apache HTTPD: NULL pointer dereference in httpd core (CVE-2021-34798)
- Apache HTTPD: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
- Apache HTTPD: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier (CVE-2021-44224)
- Apache HTTPD: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790)
- Apache HTTPD: Possible out of bound access after failure in reading the HTTP request (CVE-2018-1301)
- Apache HTTPD: Possible out of bound read in mod_cache_socache (CVE-2018-1303)
- Apache HTTPD: Possible write after free on HTTP/2 stream shutdown (CVE-2018-1302)
- Apache HTTPD: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-11993)
- Apache HTTPD: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-9490)
- Apache HTTPD: Read beyond bounds in ap_strcmp_match() (CVE-2022-28615)
- Apache HTTPD: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)
- Apache HTTPD: Tampering of mod_session data for CGI applications (CVE-2018-1283)
- Apache HTTPD: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
- Apache HTTPD: ap_escape_quotes buffer overflow (CVE-2021-39275)
- Apache HTTPD: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)
- and 20 additional vulnerabilities ...
