This week Tenable released a new “plugin” (what they call a vulnerability detection) named “Web Server HTTP Header Information Disclosure”, plugin id 88099. In spite of even the title saying it only an information disclosure vulnerability, they rate this a medium. In my environment that means we need to address it. I think its a little crazy for an information disclosure vulnerability to be rated that high. It turns out Tenable has ceded vulnerability severity ratings to the CVSS system. So because this has a CVSS score of 5 it has to be rated moderate.
Now with SecurityCenter, I’d be able to change the security severity of this detection. I’m not sure that’s possible in Nessus. Even so, when scanning servers for other people, you cant just change the results of the scan. And now the problem, the other party’s security people dont have the ability to make rational security decisions. They just want all the detections gone.
Having a web server banner is one of those vulnerability detections from 15 years ago. Its kind of weird that Tenable is just writing this detection now. Having a server banner visible isn’t some vulnerability in the server software. Its part of the standard. Who is removing this information supposed to stop? It might stop a script that checks server versions and the applies a specific exploit or test (perhaps it would stop a naive vulnerability scanner). That’s about it.
It would be one thing if it were easy to change. For example removing “x-powered-by:asp.net” is easy to remove. Removing an IIS version is probably going to require URLscan as if this were IIS4.