[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed

Jesus Linares jesus at wazuh.com
Wed Jul 5 14:57:22 UTC 2017 

Hi,

it seems there are more errors. For example, I get a "fail" for the
check: CVE-2012-2150.

If we review the oval file for that check:

<definition class="vulnerability"
> id="oval:com.ubuntu.xenial:def:20122150000" version="1">
>     ...
> <criteria>
> <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
> comment="Ubuntu 16.04 LTS (xenial) is installed."
> applicability_check="true" />
> <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000" comment="The
> 'xfsprogs' package in xenial is affected and needs fixing." />
> </criteria>
> </definition>
> <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
> version="1" check_existence="at_least_one_exists" check="all" comment="Does
> the 'xfsprogs' package exist?">
> <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
> </linux-def:dpkginfo_test>
> <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20122150000"
> version="1" comment="The 'xfsprogs' package.">
> <linux-def:name>xfsprogs</linux-def:name>
> </linux-def:dpkginfo_object>


It is checking if the *xfsprogs *package exists. In my machine I have
*xfsprogs 4.3.0+nmu1ubuntu1* installed. So, the oscap is working properly.
The point is: is my xfsprogs vulnerable?. If we take a look at the input
file to generate the oval:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150

xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
> file data, which allows remote attackers to obtain sensitive information
> by reading a generated image.


The description says: xfsprogs before 3.2.4 and I have the version 4. Oval
is only checking if the package exists, but not its version. The reason is:

The function *parse_package_status
(http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117
<http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117>)
*parses
the line:

   - "xenial_xfsprogs: needed" of
   http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
   to
   - "{'note': "The 'xfsprogs' package in trusty is affected and needs
   fixing.", 'status': 'vulnerable'}".
   - That means check only the package, not the version, because there is
   no version (
   http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220
   )

If we take a look at other checks:

   - "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
   http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
   is parsed to
   - {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
   xenial was vulnerable but has been fixed (note: '1:2.7.4-0ubuntu1.1').",
   'status': 'fixed'}
   - Here the version is checked.

So, my final questions are:

   - Who generates this file
   http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
   ?
   - Why there is no a specific version?

There are 109 fails after fix the issue that I commented in the previous
email and my OS is updated, so I suspect it is happening the same in the
rest of checks.

Thanks.
Regards.




On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <jesus at wazuh.com> wrote:

> Hi,
>
> finally I found the issue: http://bazaar.launchpad.net/~ubuntu-
> security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
>
> In that line there is an if-else. The *else *has the logic to add the
> "negate" attribute, but the *if* doesn't have it.
>
> It is neccesary to replace the lines 111 to 113, for:
>
> negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and
>> test_refs[0]['negate'] else ''
>> mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}"
>> {2}/>'.format(test_refs[0]['id'], escape(test_refs[0]['comment']),
>> negation_attribute)
>
>
> In this way, the scan reports 109 fails instead of 1750. Now, I'm going to
> review these 109 fails.
>
> Please, update the script ASAP.
>
> Thanks.
> Regards.
>
>
> On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:
>
>> Hi,
>>
>> I'm testing again the oval files for Xenial 16.04 (updated) and OpenSCAP
>> reports 1750 *fails*... Something weird is happening. I will check out
>> this issue again, but I would appreciate any help.
>>
>> Here an example:
>>
>>> <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20176919000"
>>> version="1" check_existence="any_exist" check="all" comment="*Returns
>>> true whether or not the 'drupal7' package exists.*">
>>> <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
>>> </linux-def:dpkginfo_test>
>>> <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20076752000"
>>> version="1" comment="The 'drupal7' package.">
>>> <linux-def:name>drupal7</linux-def:name>
>>> </linux-def:dpkginfo_object>
>>
>>
>> If the check return always true, it doesn't make sense...
>>
>> Thanks.
>> Regards.
>>
>>
>>
>> On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
>>
>>> Hi,
>>>
>>> this is from the specific CVE: xenial_libapache-mod-jk: not-affected (1:
>>> 1.2.40+svn150520-1)
>>>
>>> So, if it is not affected for xenial, the check should include the
>>> "negate" in order to return that is not a vulnerability, right?.
>>>
>>> Regards.
>>>
>>>
>>> On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold <seth.arnold at canonical.com>
>>> wrote:
>>>
>>>> On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
>>>> > I think this test should have the "negate" due to the comment "While
>>>> > related to the CVE in some way, the 'libapache-mod-jk' package in*
>>>> xenial
>>>> > is not affected*". So, maybe the input of the script is wrong?. Where
>>>> is
>>>> > the input?.
>>>>
>>>> The input is from the ubuntu-cve-tracker bzr tree;
>>>>
>>>> https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
>>>>
>>>> In the case of this specific CVE:
>>>>
>>>> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-trac
>>>> ker/master/view/head:/active/CVE-2014-8111
>>>>
>>>> Thanks
>>>>
>>>> --
>>>> ubuntu-hardened mailing list
>>>> ubuntu-hardened at lists.ubuntu.com
>>>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>>>>
>>>>
>>>
>>>
>>> --
>>> *Jesus Linares*
>>> *IT Security Engineer*
>>>
>>>
>>
>>
>> --
>> *Jesus Linares*
>> *IT Security Engineer*
>>
>>
>
>
> --
> *Jesus Linares*
> *IT Security Engineer*
>
>


-- 
*Jesus Linares*
*IT Security Engineer*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20170705/e5cc4738/attachment-0001.html>

More information about the ubuntu-hardened mailing list