[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
Tyler Hicks
tyhicks at canonical.com
Thu Jul 6 15:25:53 UTC 2017
On 07/06/2017 06:24 AM, Jesus Linares wrote:
> Hi Tyler,
>
> thanks for the changes. Now, I have around 109 fails.
>
> According to the scripts, if a CVE has one of the following statuses:
>
> * needed
> * ignored
> * deferred
> * pending
>
> it is parsed as "vulnerable" status. The OVAL generated for "vulnerable"
> CVEs is: "check if the package exists". *It doesn't check any version*.
> This may make sense for some packages, but I think it is not possible to
> have 109 fails on an updated host.
>
> What do those statuses mean?
Package statuses are documented here:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README#L224
> I attached a file with the list of cve files that the Ubuntu Security
> Team should review.
Thanks but that's non-trivial to do.
This highlights a potential problem with the OVAL data. The Ubuntu CVE
Tracker is not always up-to-date so the OVAL data will always have some
number of false positives. It is simply not possible for us to keep
every CVE up-to-date in the tracker at all times.
You're more than welcome to contribute pull requests to the Ubuntu CVE
Tracker project as you triage CVEs:
https://launchpad.net/ubuntu-cve-tracker
We'd love to see you update any CVEs that you feel are out of date. Thanks!
Tyler
>
> OVAL is a great tool and the Ubuntu process to generate the OVAL checks
> is almost ready. I think it just needs a little review and a lot of
> care during the process of assigning a status to the CVE file. This will
> be very useful for the community.
>
> Thanks.
> Regards.
>
>
>
> On Wed, Jul 5, 2017 at 6:02 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
>
> On 07/05/2017 10:30 AM, Jesus Linares wrote:
> > Hi Tyler,
> >
> > > The Ubuntu Security Team generates that file during CVE triage of
> > > newly assigned CVEs.
> >
> > That is a manual process, right?
>
> Yes, it is manual.
>
> >
> > > Because all versions are affected. If the status is 'needed', it means
> > > that the Ubuntu Security team has not produced security updates that fix
> > > the CVE. Therefore, all systems with the xfsprogs deb package installed
> > > are affected.
> >
> > So, right now, all systems with xfsprogs are vulnerable? The CVE was
> > in 2012, it is not possible...
> >
> > The description says that it only affects versions before 3.2.4. I think
> > you just need to update the file:
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> > changing the line:
> >
> > xenial_xfsprogs: needed
> >
> > to
> >
> > xenial_xfsprogs: released (version?)
> >
> > parse_package_status function for the needed status:
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149
> >
> > If that line has the version, the python script will generate the proper
> > oval file.
>
> I thought that you were saying that, in general, a 'needed' status
> without a version number would generate problematic OVAL data. Now I
> understand that you were saying that CVE-2012-2150 needed to be
> retriaged. I've done that here:
>
> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12855
>
> I've also committed the oval_lib.py change that you suggested:
>
> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12856
>
> Thanks for debugging the issue and providing a fix! Let us know if you
> find any other issues in the generation of OVAL data.
>
> Tyler
>
> >
> >
> > I think I can't help more here, because the error is in the input files,
> > not in the scripts.
> >
> > What do you think?
> > Thanks.
> > Regards.
> >
> >
> >
> > On Wed, Jul 5, 2017 at 5:12 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
> >
> > On 07/05/2017 09:57 AM, Jesus Linares wrote:
> > > Hi,
> > >
> > > it seems there are more errors. For example, I get a "fail" for the
> > > check: CVE-2012-2150.
> > >
> > > If we review the oval file for that check:
> > >
> > > <definition class="vulnerability"
> > >     id="oval:com.ubuntu.xenial:def:20122150000" version="1">
> > >   ...
> > >   <criteria>
> > >     <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
> > >       comment="Ubuntu 16.04 LTS (xenial) is installed."
> > >       applicability_check="true" />
> > >     <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
> > >       comment="The 'xfsprogs' package in xenial is affected and needs
> > >       fixing." />
> > >   </criteria>
> > > </definition>
> > > <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
> > >     version="1" check_existence="at_least_one_exists" check="all"
> > >     comment="Does the 'xfsprogs' package exist?">
> > >   <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
> > > </linux-def:dpkginfo_test>
> > > <linux-def:dpkginfo_object
> > >     id="oval:com.ubuntu.xenial:obj:20122150000" version="1"
> > >     comment="The 'xfsprogs' package.">
> > >   <linux-def:name>xfsprogs</linux-def:name>
> > > </linux-def:dpkginfo_object>
> > >
> > >
> > > It is checking if the xfsprogs package exists. On my machine I have
> > > xfsprogs 4.3.0+nmu1ubuntu1 installed. So, oscap is working
> > > properly. The point is: is my xfsprogs vulnerable? If we take a look at
> > > the input file used to generate the oval:
> > > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> > >
> > > xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
> > > file data, which allows remote attackers to obtain sensitive
> > > information by reading a generated image.
> > >
> > > The description says: xfsprogs before 3.2.4, and I have version 4.
> > > OVAL is only checking if the package exists, but not its version. The
> > > reason is:
> > >
> > > The function parse_package_status
> > > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117)
> > > parses the line:
> > >
> > > * "xenial_xfsprogs: needed"
> > > of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> > > to
> > > * "{'note': "The 'xfsprogs' package in trusty is affected and needs
> > > fixing.", 'status': 'vulnerable'}".
> > > * That means check only the package, not the version, because there is
> > > no version
> > > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)
> > >
> > > If we take a look at other checks:
> > >
> > > * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
> > > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
> > > is parsed to
> > > * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
> > > xenial was vulnerable but has been fixed (note:
> > > '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
> > > * Here the version is checked.
> > > So, my final questions are:
> > >
> > > * Who generates this file
> > > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150 ?
> >
> > The Ubuntu Security Team generates that file during CVE triage of newly
> > assigned CVEs.
> >
> > > * Why is there no specific version?
> >
> > Because all versions are affected. If the status is 'needed', it means
> > that the Ubuntu Security team has not produced security updates that fix
> > the CVE. Therefore, all systems with the xfsprogs deb package installed
> > are affected.
> >
> > Do you know how that can be conveyed in the OVAL file?
> >
> > >
> > > There are 109 fails after fixing the issue that I commented on in the previous
> > > email, and my OS is updated, so I suspect the same is happening in the
> > > rest of the checks.
> >
> > Thanks for tracking down the issue you described in your previous email.
> > I'll hold off on committing that change until you're able to get to the
> > bottom of the issue you describe in this email.
> >
> > Tyler
> >
> > >
> > > Thanks.
> > > Regards.
> > >
> > >
> > >
> > >
> > > On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <jesus at wazuh.com> wrote:
> > >
> > > Hi,
> > >
> > > finally I found the issue:
> > > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
> > >
> > > In that line there is an if-else. The else has the logic to add
> > > the "negate" attribute, but the if doesn't have it.
> > >
> > > It is necessary to replace lines 111 to 113 with:
> > >
> > >     negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
> > >     mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(
> > >         test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)
> > >
> > >
> > > In this way, the scan reports 109 fails instead of 1750. Now, I'm
> > > going to review these 109 fails.
> > >
> > > Please, update the script ASAP.
> > >
> > > Thanks.
> > > Regards.
> > >
> > >
> > > On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:
> > >
> > > Hi,
> > >
> > > I'm testing again the oval files for Xenial 16.04 (updated) and
> > > OpenSCAP reports 1750 fails... Something weird is happening. I
> > > will check out this issue again, but I would appreciate any help.
> > >
> > > Here is an example:
> > >
> > > <linux-def:dpkginfo_test
> > >     id="oval:com.ubuntu.xenial:tst:20176919000" version="1"
> > >     check_existence="any_exist" check="all" comment="*Returns
> > >     true whether or not the 'drupal7' package exists.*">
> > >   <linux-def:object
> > >     object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
> > > </linux-def:dpkginfo_test>
> > > <linux-def:dpkginfo_object
> > >     id="oval:com.ubuntu.xenial:obj:20076752000" version="1"
> > >     comment="The 'drupal7' package.">
> > >   <linux-def:name>drupal7</linux-def:name>
> > > </linux-def:dpkginfo_object>
> > >
> > > If the check always returns true, it doesn't make sense...
> > >
> > > Thanks.
> > > Regards.
> > >
> > >
> > >
> > > On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
> > >
> > > Hi,
> > >
> > > this is from the specific CVE:
> > > xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
> > >
> > > So, if it is not affected for xenial, the check should
> > > include the "negate" in order to return that it is not a
> > > vulnerability, right?
> > >
> > > Regards.
> > >
> > >
> > > On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
> > >
> > > On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
> > > > I think this test should have the "negate" due to the comment "While
> > > > related to the CVE in some way, the 'libapache-mod-jk' package in *xenial
> > > > is not affected*". So, maybe the input of the script is wrong? Where is
> > > > the input?
> > >
> > > The input is from the ubuntu-cve-tracker bzr tree;
> > >
> > > https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> > >
> > > In the case of this specific CVE:
> > >
> > > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
> > >
> > > Thanks
> > >
> > > --
> > > ubuntu-hardened mailing list
> > > ubuntu-hardened at lists.ubuntu.com
> > > https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
> > >
> > >
> > >
> > > --
> > > Jesus Linares
> > > IT Security Engineer