[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
Tyler Hicks
tyhicks at canonical.com
Wed Jul 5 15:12:48 UTC 2017
On 07/05/2017 09:57 AM, Jesus Linares wrote:
> Hi,
>
> it seems there are more errors. For example, I get a "fail" for the
> check: CVE-2012-2150.
>
> If we review the oval file for that check:
>
> <definition class="vulnerability" id="oval:com.ubuntu.xenial:def:20122150000" version="1">
>   ...
>   <criteria>
>     <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
>                        comment="Ubuntu 16.04 LTS (xenial) is installed."
>                        applicability_check="true" />
>     <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
>                comment="The 'xfsprogs' package in xenial is affected and needs fixing." />
>   </criteria>
> </definition>
> <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000" version="1"
>                          check_existence="at_least_one_exists" check="all"
>                          comment="Does the 'xfsprogs' package exist?">
>   <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
> </linux-def:dpkginfo_test>
> <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20122150000" version="1"
>                            comment="The 'xfsprogs' package.">
>   <linux-def:name>xfsprogs</linux-def:name>
> </linux-def:dpkginfo_object>
>
>
> It is checking if the xfsprogs package exists. On my machine I have
> xfsprogs 4.3.0+nmu1ubuntu1 installed. So oscap is working
> properly. The point is: is my xfsprogs vulnerable? If we take a look at
> the input file used to generate the
> oval: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
>
> xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
> file data, which allows remote attackers to obtain sensitive
> information by reading a generated image.
>
>
> The description says: xfsprogs before 3.2.4, and I have version 4.
> OVAL is only checking if the package exists, but not its version. The
> reason is:
>
> The function parse_package_status
> (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117) parses
> the line:
>
> * "xenial_xfsprogs: needed"
> of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> to
> * "{'note': "The 'xfsprogs' package in trusty is affected and needs
> fixing.", 'status': 'vulnerable'}".
> * That means: check only the package, not the version, because there is
> no version
> (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)
>
> If we take a look at other checks:
>
> * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
> is parsed to
> * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
> xenial was vulnerable but has been fixed (note:
> '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
> * Here the version is checked.
>
> So, my final questions are:
>
> * Who generates this
> file http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150?
The Ubuntu Security Team generates that file during CVE triage of newly
assigned CVEs.
> * Why is there no specific version?
Because all versions are affected. If the status is 'needed', it means
that the Ubuntu Security team has not produced security updates that fix
the CVE. Therefore, all systems with the xfsprogs deb package installed
are affected.
Do you know how that can be conveyed in the OVAL file?
>
> There are 109 fails after fixing the issue that I mentioned in the previous
> email, and my OS is updated, so I suspect the same is happening in the
> rest of the checks.
Thanks for tracking down the issue you described in your previous email.
I'll hold off on committing that change until you're able to get to the
bottom of the issue you describe in this email.
Tyler
>
> Thanks.
> Regards.
>
>
>
>
> On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <jesus at wazuh.com> wrote:
>
> Hi,
>
> finally I found the
> issue: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
>
> On that line there is an if-else. The else branch has the logic to add
> the "negate" attribute, but the if branch doesn't have it.
>
> It is necessary to replace lines 111 to 113 with:
>
>     negation_attribute = 'negate="true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
>     mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(
>         test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)
>
>
> In this way, the scan reports 109 fails instead of 1750. Now, I'm
> going to review these 109 fails.
>
> Please, update the script ASAP.
>
> Thanks.
> Regards.
>
>
> On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:
>
> Hi,
>
> I'm testing the oval files for Xenial 16.04 (updated) again, and
> OpenSCAP reports 1750 fails... Something weird is happening. I
> will check out this issue again, but I would appreciate any help.
>
> Here is an example:
>
> <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20176919000" version="1"
>                          check_existence="any_exist" check="all"
>                          comment="*Returns true whether or not the 'drupal7' package exists.*">
>   <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
> </linux-def:dpkginfo_test>
> <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20076752000" version="1"
>                            comment="The 'drupal7' package.">
>   <linux-def:name>drupal7</linux-def:name>
> </linux-def:dpkginfo_object>
>
>
> If the check always returns true, it doesn't make sense...
>
> Thanks.
> Regards.
>
>
>
> On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
>
> Hi,
>
> this is from the specific
> CVE: xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
>
> So, if it is not affected for xenial, the check should
> include the "negate" in order to return that it is not a
> vulnerability, right?
>
> Regards.
>
>
> On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
>
> On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
> > I think this test should have the "negate" due to the comment "While
> > related to the CVE in some way, the 'libapache-mod-jk' package in *xenial
> > is not affected*". So, maybe the input of the script is wrong? Where is
> > the input?
>
> The input is from the ubuntu-cve-tracker bzr tree;
>
> https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
>
> In the case of this specific CVE:
>
> http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
>
> Thanks
>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>
>
>
>
> --
> Jesus Linares
> IT Security Engineer
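The mapping the thread works through (a 'needed' status with no version becoming an existence-only test, a 'released (version)' status becoming a version check, and a 'not-affected' status needing a negated criterion), as an added example in Python. This is not code from ubuntu-cve-tracker or generate-oval: the three status lines are the ones quoted above, while the regex, the function names, the dpkginfo_state layout, the release definition comment and the id scheme (CVE year + number + '000', matching the ids seen in the thread) are this example's own assumptions.

```python
"""Added example (not ubuntu-cve-tracker's generate-oval): how one tracker
status line becomes an OVAL criterion.  Assumed, not from the thread: the
status-line regex, the function names, the dpkginfo_state layout and the
release definition comment."""
import re
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

OVAL_NS = 'http://oval.mitre.org/XMLSchema/oval-definitions-5'
LINUX_NS = 'http://oval.mitre.org/XMLSchema/oval-definitions-5#linux'

# "<release>_<package>: <status> [(<version or note>)]" -- grammar assumed from the
# three lines quoted in the thread, e.g. "xenial_git: released (1:2.7.4-0ubuntu1.1)".
STATUS_RE = re.compile(r'^(?P<release>[a-z]+)_(?P<package>[a-z0-9][a-z0-9.+-]*):\s*'
                       r'(?P<status>[a-z-]+)\s*(?:\((?P<note>[^)]*)\))?\s*$')


def parse_package_status(line):
    """'needed' carries no version (no fixed package exists), so the only test OVAL
    can express is "the package is installed"; 'released (v)' gives a version to
    compare against; 'not-affected' must become a negated criterion.  Other
    tracker statuses are deliberately not modelled here."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError('unparsable status line: %r' % line)
    rel, pkg, status, note = m.group('release', 'package', 'status', 'note')
    if status == 'needed':
        return {'release': rel, 'package': pkg, 'status': 'vulnerable',
                'note': "The '%s' package in %s is affected and needs fixing." % (pkg, rel)}
    if status == 'released' and note:
        return {'release': rel, 'package': pkg, 'status': 'fixed', 'fix-version': note,
                'note': "The '%s' package in %s was vulnerable but has been fixed "
                        "(note: '%s')." % (pkg, rel, note)}
    if status == 'not-affected':
        return {'release': rel, 'package': pkg, 'status': 'not-affected', 'negate': True,
                'note': "While related to the CVE in some way, the '%s' package in %s "
                        "is not affected." % (pkg, rel)}
    raise ValueError('status %r is not modelled in this example' % status)


def oval_ids(cve, release):
    """Id scheme assumed from the thread: CVE-2012-2150 -> ...:def:20122150000."""
    _, year, num = cve.split('-')
    base = 'oval:com.ubuntu.%s:%%s:%s%s000' % (release, year, num)
    return tuple(base % kind for kind in ('def', 'tst', 'obj', 'ste'))


def criterion(pkg, test_id):
    """The single-test branch as corrected in the thread: negate="true" only on request."""
    negation = ' negate="true"' if pkg.get('negate') else ''
    return '<criterion test_ref=%s comment=%s%s/>' % (
        quoteattr(test_id), quoteattr(pkg['note']), negation)


def render_oval(cve, line):
    """Return a minimal, well-formed oval_definitions document for one CVE/package pair."""
    pkg = parse_package_status(line)
    rel, name = pkg['release'], pkg['package']
    def_id, tst_id, obj_id, ste_id = oval_ids(cve, rel)
    release_def = 'oval:com.ubuntu.%s:def:100' % rel   # the "<release> is installed" definition
    state_ref = states = ''
    if pkg['status'] == 'fixed':
        # Version-aware test: the package object plus a state "evr below the fix version".
        existence = 'at_least_one_exists'
        state_ref = '<linux-def:state state_ref=%s/>' % quoteattr(ste_id)
        states = ('<states><linux-def:dpkginfo_state id=%s version="1"><linux-def:evr '
                  'datatype="debian_evr_string" operation="less than">%s</linux-def:evr>'
                  '</linux-def:dpkginfo_state></states>' % (quoteattr(ste_id), escape(pkg['fix-version'])))
        comment = "Does the '%s' package exist at a version below %s?" % (name, pkg['fix-version'])
    elif pkg['status'] == 'vulnerable':
        # No fix version to compare against: presence alone is the whole test.
        existence = 'at_least_one_exists'
        comment = "Does the '%s' package exist?" % name
    else:
        # not-affected: the test is always true; the negated criterion makes the definition false.
        existence = 'any_exist'
        comment = "Returns true whether or not the '%s' package exists." % name
    return (
        '<oval_definitions xmlns="%s" xmlns:linux-def="%s">'
        '<definitions><definition class="vulnerability" id=%s version="1"><criteria>'
        '<extend_definition definition_ref=%s comment=%s applicability_check="true"/>%s'
        '</criteria></definition></definitions>'
        '<tests><linux-def:dpkginfo_test id=%s version="1" check_existence="%s" check="all" comment=%s>'
        '<linux-def:object object_ref=%s/>%s</linux-def:dpkginfo_test></tests>'
        '<objects><linux-def:dpkginfo_object id=%s version="1" comment=%s>'
        '<linux-def:name>%s</linux-def:name></linux-def:dpkginfo_object></objects>'
        '%s</oval_definitions>'
        % (OVAL_NS, LINUX_NS, quoteattr(def_id), quoteattr(release_def),
           quoteattr('Ubuntu %s is installed.' % rel), criterion(pkg, tst_id),
           quoteattr(tst_id), existence, quoteattr(comment), quoteattr(obj_id), state_ref,
           quoteattr(obj_id), quoteattr("The '%s' package." % name), escape(name), states))


def criterion_is_negated(cve, line):
    """Parse the rendered document back and report whether its criterion carries negate="true"."""
    root = ET.fromstring(render_oval(cve, line))
    return root.find('.//{%s}criterion' % OVAL_NS).get('negate') == 'true'


if __name__ == '__main__':
    for cve, line in [('CVE-2012-2150', 'xenial_xfsprogs: needed'),
                      ('CVE-2017-8386', 'xenial_git: released (1:2.7.4-0ubuntu1.1)'),
                      ('CVE-2014-8111', 'xenial_libapache-mod-jk: not-affected (1:1.2.40+svn150520-1)')]:
        print(cve, 'negated:', criterion_is_negated(cve, line))
```

For the 'needed' line the rendered test has no state, so any installed xfsprogs, the 4.3.0+nmu1ubuntu1 on the reporter's machine included, evaluates to true; that is the behaviour described in the reply above and the only thing a version-less status can express in OVAL. The not-affected line shows the corrected branch emitting negate="true", which is what turns the always-true any_exist test into a definition that evaluates false.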