[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
Jesus Linares
jesus at wazuh.com
Wed Jul 5 15:30:14 UTC 2017
Hi Tyler,

> The Ubuntu Security Team generates that file during CVE triage of newly
> assigned CVEs.

That is a manual process, right?

> Because all versions are affected. If the status is 'needed', it means
> that the Ubuntu Security team has not produced security updates that fix
> the CVE. Therefore, all systems with the xfsprogs deb package installed
> are affected.

So, right now, all systems with *xfsprogs* are vulnerable? The CVE was in
2012, it is not possible...

The description says that it only affects versions before 3.2.4. I think
you just need to update the file:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
changing the line:
xenial_xfsprogs: needed
to
xenial_xfsprogs: released (version?)

*parse_package_status* function for *needed* status:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149

If that line has the version, the python script will generate the proper
oval file.

I think I can't help more here, because the error is in the input files,
not in the scripts.

What do you think?

Thanks.
Regards.
On Wed, Jul 5, 2017 at 5:12 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
> On 07/05/2017 09:57 AM, Jesus Linares wrote:
> > Hi,
> >
> > it seems there are more errors. For example, I get a "fail" for the
> > check: CVE-2012-2150.
> >
> > If we review the oval file for that check:
> >
> > <definition class="vulnerability"
> > id="oval:com.ubuntu.xenial:def:20122150000" version="1">
> > ...
> > <criteria>
> > <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
> > comment="Ubuntu 16.04 LTS (xenial) is installed."
> > applicability_check="true" />
> > <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
> > comment="The 'xfsprogs' package in xenial is affected and needs
> > fixing." />
> > </criteria>
> > </definition>
> > <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
> > version="1" check_existence="at_least_one_exists" check="all"
> > comment="Does the 'xfsprogs' package exist?">
> > <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
> > </linux-def:dpkginfo_test>
> > <linux-def:dpkginfo_object
> > id="oval:com.ubuntu.xenial:obj:20122150000" version="1" comment="The
> > 'xfsprogs' package.">
> > <linux-def:name>xfsprogs</linux-def:name>
> > </linux-def:dpkginfo_object>
> >
> >
> > It is checking if the /xfsprogs/ package exists. In my machine I have
> > /xfsprogs 4.3.0+nmu1ubuntu1/ installed. So, the oscap is working
> > properly. The point is: is my xfsprogs vulnerable? If we take a look at
> > the input file to generate the oval:
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> >
> > xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
> > file data, which allows remote attackers to obtain sensitive
> > information by reading a generated image.
> >
> >
> > The description says: xfsprogs before 3.2.4 and I have the version 4.
> > Oval is only checking if the package exists, but not its version. The
> > reason is:
> >
> > The function /parse_package_status/
> > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117)
> > parses the line:
> >
> > * "xenial_xfsprogs: needed"
> > of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> > to
> > * "{'note': "The 'xfsprogs' package in trusty is affected and needs
> > fixing.", 'status': 'vulnerable'}".
> > * That means check only the package, not the version, because there is
> > no version
> > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)
> >
> > If we take a look at other checks:
> >
> > * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
> > is parsed to
> > * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
> > xenial was vulnerable but has been fixed (note:
> > '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
> > * Here the version is checked.
> >
> > So, my final questions are:
> >
> > * Who generates this file
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150?
>
> The Ubuntu Security Team generates that file during CVE triage of newly
> assigned CVEs.
>
> > * Why is there no specific version?
>
> Because all versions are affected. If the status is 'needed', it means
> that the Ubuntu Security team has not produced security updates that fix
> the CVE. Therefore, all systems with the xfsprogs deb package installed
> are affected.
>
> Do you know how that can be conveyed in the OVAL file?
>
> >
> > There are 109 fails after fixing the issue that I commented on in the
> > previous email, and my OS is updated, so I suspect the same is happening
> > in the rest of the checks.
>
> Thanks for tracking down the issue you described in your previous email.
> I'll hold off on committing that change until you're able to get to the
> bottom of the issue you describe in this email.
>
> Tyler
>
> >
> > Thanks.
> > Regards.
> >
> >
> >
> >
> > On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> > Hi,
> >
> > finally I found the issue:
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
> >
> > In that line there is an if-else. The /else/ has the logic to add
> > the "negate" attribute, but the /if/ doesn't have it.
> >
> > It is necessary to replace lines 111 to 113 with:
> >
> > negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
> > mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(
> >     test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)
> >
> >
> > In this way, the scan reports 109 fails instead of 1750. Now, I'm
> > going to review these 109 fails.
> >
> > Please, update the script ASAP.
> >
> > Thanks.
> > Regards.
> >
> >
> > On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> > Hi,
> >
> > I'm testing again the oval files for Xenial 16.04 (updated) and
> > OpenSCAP reports 1750 /fails/... Something weird is happening. I
> > will check out this issue again, but I would appreciate any help.
> >
> > Here an example:
> >
> > <linux-def:dpkginfo_test
> > id="oval:com.ubuntu.xenial:tst:20176919000" version="1"
> > check_existence="any_exist" check="all" comment="*Returns
> > true whether or not the 'drupal7' package exists.*">
> > <linux-def:object
> > object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
> > </linux-def:dpkginfo_test>
> > <linux-def:dpkginfo_object
> > id="oval:com.ubuntu.xenial:obj:20076752000" version="1"
> > comment="The 'drupal7' package.">
> > <linux-def:name>drupal7</linux-def:name>
> > </linux-def:dpkginfo_object>
> >
> >
> > If the check always returns true, it doesn't make sense...
> >
> > Thanks.
> > Regards.
> >
> >
> >
> > On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> > Hi,
> >
> > this is from the specific CVE:
> > xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
> >
> > So, if it is not affected for xenial, the check should
> > include the "negate" in order to return that it is not a
> > vulnerability, right?
> >
> > Regards.
> >
> >
> > On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
> >
> > On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
> > > I think this test should have the "negate" due to the comment "While
> > > related to the CVE in some way, the 'libapache-mod-jk' package in *xenial
> > > is not affected*". So, maybe the input of the script is wrong? Where is
> > > the input?
> >
> > The input is from the ubuntu-cve-tracker bzr tree;
> >
> > https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> >
> > In the case of this specific CVE:
> >
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
> >
> > Thanks
> >
> > --
> > *Jesus Linares*
> > /IT Security Engineer/
--
*Jesus Linares*
*IT Security Engineer*
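As an added illustration of the mapping argued over in this thread (this is my own re-implementation, not the ubuntu-cve-tracker generate-oval or oval_lib.py code), the block below takes a status line such as "xenial_xfsprogs: needed" or "xenial_git: released (1:2.7.4-0ubuntu1.1)" to the parsed dict quoted above, and from there to the OVAL test and criterion: a 'needed' status can only yield an existence check, 'released' adds a version comparison, and 'not-affected' must carry the negate attribute. The regex, the function names, the 'not-vulnerable' status value and the element layout are assumptions modelled on the XML quoted in the thread.

```python
import re
from xml.sax.saxutils import escape

# Constructed grammar for the status lines quoted in the thread, e.g.
# "xenial_xfsprogs: needed" or "xenial_git: released (1:2.7.4-0ubuntu1.1)".
STATUS_RE = re.compile(r'^(?P<rel>[a-z]+)_(?P<pkg>[A-Za-z0-9.+-]+):\s*'
                       r'(?P<status>[a-z-]+)\s*(?:\((?P<note>[^)]*)\))?\s*$')

def parse_package_status(line):
    """Map one CVE-tracker status line to the dict shape shown in the thread (assumed)."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError('unrecognised status line: %r' % line)
    rel, pkg, status, note = m.group('rel', 'pkg', 'status', 'note')
    if status == 'released':
        if not note:  # a fix without a version would degrade to an existence-only check
            raise ValueError("'released' without a fix version: %r" % line)
        return {'status': 'fixed', 'fix-version': note, 'note': "The '%s' package in %s "
                "was vulnerable but has been fixed (note: '%s')." % (pkg, rel, note)}
    if status == 'needed':  # no fix yet: every installed version counts as affected
        return {'status': 'vulnerable',
                'note': "The '%s' package in %s is affected and needs fixing." % (pkg, rel)}
    if status == 'not-affected':  # the existence test must be negated for this status
        return {'status': 'not-vulnerable', 'negate': True, 'note': "While related to the "
                "CVE in some way, the '%s' package in %s is not affected." % (pkg, rel)}
    raise ValueError('status %r is not handled by this example' % status)

def criterion(test_ref, parsed):
    """<criterion> carrying negate="true" whenever the parsed dict asks for it."""
    negation = 'negate="true" ' if parsed.get('negate') else ''
    comment = escape(parsed['note'], {'"': '&quot;'})
    return '<criterion test_ref="%s" comment="%s" %s/>' % (test_ref, comment, negation)

def dpkginfo_test(test_id, obj_id, parsed, state_id=None):
    """Existence-only test unless the status is 'fixed', which also compares the version."""
    state = ''
    if parsed['status'] == 'fixed':
        if state_id is None:
            raise ValueError('a fixed status needs a dpkginfo_state carrying the fix version')
        state = '<linux-def:state state_ref="%s"/>' % state_id
    return ('<linux-def:dpkginfo_test id="%s" version="1" check_existence="at_least_one_exists" '
            'check="all"><linux-def:object object_ref="%s"/>%s</linux-def:dpkginfo_test>'
            % (test_id, obj_id, state))

def dpkginfo_state(state_id, parsed):
    """Installed evr strictly below the fix version means the package is still vulnerable."""
    return ('<linux-def:dpkginfo_state id="%s" version="1"><linux-def:evr datatype="evr_string" '
            'operation="less than">%s</linux-def:evr></linux-def:dpkginfo_state>'
            % (state_id, escape(parsed['fix-version'])))
```

Run against the three status lines quoted in the thread, the 'needed' entry produces a test with no state reference at all, which is exactly why an up-to-date xfsprogs 4.x still reports as vulnerable.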