[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed

Jesus Linares jesus at wazuh.com
Wed Jul 5 15:30:14 UTC 2017


Hi Tyler,

> The Ubuntu Security Team generates that file during CVE triage of newly
> assigned CVEs.


That is a manual process, right?

> Because all versions are affected. If the status is 'needed', it means
> that the Ubuntu Security team has not produced security updates that fix
> the CVE. Therefore, all systems with the xfsprogs deb package installed
> are affected.


So, right now, all systems with xfsprogs are vulnerable? The CVE was in
2012; it is not possible...

The description says that it only affects versions before 3.2.4. I think
you just need to update the file:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
changing the line:

xenial_xfsprogs: needed

to

xenial_xfsprogs: released (version?)


The parse_package_status function for the needed status:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149

If that line has the version, the Python script will generate the proper
OVAL file.


I think I can't help more here, because the error is in the input files,
not in the scripts.

What do you think?
Thanks.
Regards.



On Wed, Jul 5, 2017 at 5:12 PM, Tyler Hicks <tyhicks at canonical.com> wrote:

> On 07/05/2017 09:57 AM, Jesus Linares wrote:
> > Hi,
> >
> > It seems there are more errors. For example, I get a "fail" for the
> > check: CVE-2012-2150.
> >
> > If we review the oval file for that check:
> >
> >     <definition class="vulnerability"
> >     id="oval:com.ubuntu.xenial:def:20122150000" version="1">
> >         ...
> >     <criteria>
> >     <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
> >     comment="Ubuntu 16.04 LTS (xenial) is installed."
> >     applicability_check="true" />
> >     <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
> >     comment="The 'xfsprogs' package in xenial is affected and needs
> >     fixing." />
> >     </criteria>
> >     </definition>
> >     <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
> >     version="1" check_existence="at_least_one_exists" check="all"
> >     comment="Does the 'xfsprogs' package exist?">
> >     <linux-def:object object_ref="oval:com.ubuntu.
> xenial:obj:20122150000"/>
> >     </linux-def:dpkginfo_test>
> >     <linux-def:dpkginfo_object
> >     id="oval:com.ubuntu.xenial:obj:20122150000" version="1" comment="The
> >     'xfsprogs' package.">
> >     <linux-def:name>xfsprogs</linux-def:name>
> >     </linux-def:dpkginfo_object>
> >
> >
> > It is checking if the xfsprogs package exists. In my machine I have
> > xfsprogs 4.3.0+nmu1ubuntu1 installed. So, oscap is working
> > properly. The point is: is my xfsprogs vulnerable? If we take a look at
> > the input file to generate the
> > oval: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-
> tracker/master/view/12851/active/CVE-2012-2150
> >
> >     xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
> >     file data, which allows remote attackers to obtain sensitive
> >     information by reading a generated image.
> >
> >
> > The description says "xfsprogs before 3.2.4" and I have version 4.
> > OVAL is only checking if the package exists, but not its version. The
> > reason is:
> >
> > The function parse_package_status
> > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117) parses
> > the line:
> >
> >   * "xenial_xfsprogs: needed"
> >     of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-
> tracker/master/view/12851/active/CVE-2012-2150
> >     to
> >   * "{'note': "The 'xfsprogs' package in trusty is affected and needs
> >     fixing.", 'status': 'vulnerable'}".
> >   * That means check only the package, not the version, because there is
> >     no version
> >     (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-
> tracker/master/view/head:/scripts/oval_lib.py#L220)
> >
> > If we take a look at other checks:
> >
> >   * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
> >     http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-
> tracker/master/view/head:/retired/CVE-2017-8386
> >     is parsed to
> >   * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
> >     xenial was vulnerable but has been fixed (note:
> >     '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
> >   * Here the version is checked.
> >
> > So, my final questions are:
> >
> >   * Who generates this
> >     file http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-
> tracker/master/view/12851/active/CVE-2012-2150?
>
> The Ubuntu Security Team generates that file during CVE triage of newly
> assigned CVEs.
>
> >   * Why is there no specific version?
>
> Because all versions are affected. If the status is 'needed', it means
> that the Ubuntu Security team has not produced security updates that fix
> the CVE. Therefore, all systems with the xfsprogs deb package installed
> are affected.
>
> Do you know how that can be conveyed in the OVAL file?
>
> >
> > There are 109 fails after fixing the issue that I commented on in the
> > previous email, and my OS is updated, so I suspect the same is happening
> > in the rest of the checks.
>
> Thanks for tracking down the issue you described in your previous email.
> I'll hold off on committing that change until you're able to get to the
> bottom of the issue you describe in this email.
>
> Tyler
>
> >
> > Thanks.
> > Regards.
> >
> >
> >
> >
> > On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> >     Hi,
> >
> >     Finally I found the
> >     issue: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
> >
> >     In that line there is an if-else. The else has the logic to add
> >     the "negate" attribute, but the if doesn't have it.
> >
> >     It is necessary to replace lines 111 to 113 with:
> >
> >         negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
> >         mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)
> >
> >
> >     In this way, the scan reports 109 fails instead of 1750. Now, I'm
> >     going to review these 109 fails.
> >
> >     Please, update the script ASAP.
> >
> >     Thanks.
> >     Regards.
> >
> >
> >     On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> >         Hi,
> >
> >         I'm testing the OVAL files for Xenial 16.04 (updated) again and
> >         OpenSCAP reports 1750 fails... Something weird is happening. I
> >         will check out this issue again, but I would appreciate any help.
> >
> >         Here an example:
> >
> >             <linux-def:dpkginfo_test
> >             id="oval:com.ubuntu.xenial:tst:20176919000" version="1"
> >             check_existence="any_exist" check="all" comment="Returns
> >             true whether or not the 'drupal7' package exists.">
> >             <linux-def:object
> >             object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
> >             </linux-def:dpkginfo_test>
> >             <linux-def:dpkginfo_object
> >             id="oval:com.ubuntu.xenial:obj:20076752000" version="1"
> >             comment="The 'drupal7' package.">
> >             <linux-def:name>drupal7</linux-def:name>
> >             </linux-def:dpkginfo_object>
> >
> >
> >         If the check always returns true, it doesn't make sense...
> >
> >         Thanks.
> >         Regards.
> >
> >
> >
> >         On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> >             Hi,
> >
> >             This is from the specific
> >             CVE: xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
> >
> >             So, if it is not affected for xenial, the check should
> >             include the "negate" in order to return that it is not a
> >             vulnerability, right?
> >
> >             Regards.
> >
> >
> >             On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold
> >             <seth.arnold at canonical.com> wrote:
> >
> >                 On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares
> >                 wrote:
> >                 > I think this test should have the "negate" due to the
> >                 > comment "While related to the CVE in some way, the
> >                 > 'libapache-mod-jk' package in xenial is not affected".
> >                 > So, maybe the input of the script is wrong? Where is
> >                 > the input?
> >
> >                 The input is from the ubuntu-cve-tracker bzr tree;
> >
> >                 https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> >
> >                 In the case of this specific CVE:
> >
> >                 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
> >
> >                 Thanks
> >
> >                 --
> >                 ubuntu-hardened mailing list
> >                 ubuntu-hardened at lists.ubuntu.com
> >                 https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
> >
> >
> >
> >
> >             --
> >             Jesus Linares
> >             IT Security Engineer
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
>
>
>


--
Jesus Linares
IT Security Engineer
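The pipeline argued over in this thread, as an added, self-contained Python model and not the code of generate-oval or oval_lib.py: a tracker status line is parsed, the <criterion> the generator should emit is rendered (with the negate attribute the single-test branch was missing), and the criterion is then evaluated against a dpkg package table the way OpenSCAP would. The status lines and the installed-package table are constructed for illustration; treating "not-affected" as a negated existence test follows Jesus's proposal above and is an assumption of this model, not confirmed behaviour of the real scripts; dpkg_compare reimplements the dpkg version ordering so that the "released (version)" case can be checked offline.

```python
"""Model: ubuntu-cve-tracker status line -> OVAL criterion -> dpkg evaluation.

Added example for this thread; NOT the code of generate-oval / oval_lib.py.
STATUS_LINES and INSTALLED are constructed; the 'not-affected' => negate
mapping is an assumption taken from the proposal in the thread.
"""
import re
from itertools import zip_longest
from xml.sax.saxutils import escape

# Constructed status lines in the tracker's "<release>_<pkg>: <status> (ver)" form.
STATUS_LINES = {
    "CVE-2012-2150": "xenial_xfsprogs: needed",
    "CVE-2017-8386": "xenial_git: released (1:2.7.4-0ubuntu1.1)",
    "CVE-2014-8111": "xenial_libapache-mod-jk: not-affected (1:1.2.40+svn150520-1)",
}

# Constructed dpkg state of a xenial host (xfsprogs version taken from the thread).
INSTALLED = {
    "xfsprogs": "4.3.0+nmu1ubuntu1",
    "git": "1:2.7.4-0ubuntu1.1",
    "libapache-mod-jk": "1:1.2.40+svn150520-1",
}

STATUS_RE = re.compile(
    r"^(?P<rel>[a-z]+)_(?P<pkg>[\w.+-]+):\s*(?P<status>[\w-]+)(?:\s*\((?P<ver>[^)]*)\))?")


def parse_package_status(line):
    """Map one status line to the test the OVAL generator should emit.

    released (v)  -> compare installed version against the fix version
    not-affected  -> existence test, negated (assumption, see module docstring)
    anything else -> existence test only: 'needed' carries no version to compare
    """
    m = STATUS_RE.match(line)
    if not m:
        raise ValueError("unparsable status line: %r" % line)
    pkg, status, ver = m.group("pkg"), m.group("status"), m.group("ver")
    if status == "released" and ver:
        return {"pkg": pkg, "test": "version_lt", "fix-version": ver,
                "negate": False, "status": "fixed"}
    if status == "not-affected":
        return {"pkg": pkg, "test": "exists", "negate": True, "status": "not-affected"}
    return {"pkg": pkg, "test": "exists", "negate": False, "status": "vulnerable"}


def criterion_xml(test_ref, comment, negate):
    """Render a <criterion>, emitting negate="true" whenever the test is negated."""
    negation_attribute = 'negate="true" ' if negate else ""
    return '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(
        test_ref, escape(comment, {'"': "&quot;"}), negation_attribute)


def _order(c):
    """dpkg character weight: '~' < end-of-string < letters < other symbols."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream or revision string as dpkg does (non-digit/digit runs)."""
    while a or b:
        ra, rb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(ra):], b[len(rb):]
        for ca, cb in zip_longest(ra, rb, fillvalue=""):
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` (epoch:upstream-revision)."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def evaluate(criterion, installed):
    """Evaluate the criterion as OVAL logic does; True means 'vulnerable'.

    negate flips the test result, so a negated existence test also becomes
    true on a host where the package is absent (plain OVAL semantics).
    """
    ver = installed.get(criterion["pkg"])
    if ver is None:
        result = False
    elif criterion["test"] == "exists":
        result = True
    else:
        result = dpkg_compare(ver, criterion["fix-version"]) < 0
    return (not result) if criterion["negate"] else result


def scan(status_lines, installed):
    """CVE id -> vulnerable? for every status line."""
    return {cve: evaluate(parse_package_status(line), installed)
            for cve, line in status_lines.items()}


if __name__ == "__main__":
    for cve, line in STATUS_LINES.items():
        crit = parse_package_status(line)
        print(cve, crit["status"], criterion_xml("tst:" + cve, line, crit["negate"]),
              "-> vulnerable" if evaluate(crit, INSTALLED) else "-> ok")
```

Run as a script it prints one line per CVE: xfsprogs 4.3.0+nmu1ubuntu1 comes out vulnerable for CVE-2012-2150 precisely because the "needed" line carries no version and the model (like the generated OVAL quoted above) can only test for existence; git equals its fix version and is clean; libapache-mod-jk is installed and the negated test yields "not vulnerable". Note the caveat in evaluate(): with negate on an existence test, a host that does not have the package at all evaluates to true, so the negate approach to "not-affected" needs care beyond what this thread settles.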
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-hardened/attachments/20170705/05e2a223/attachment-0001.html>


More information about the ubuntu-hardened mailing list