[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed
Tyler Hicks
tyhicks at canonical.com
Wed Jul 5 16:02:10 UTC 2017
On 07/05/2017 10:30 AM, Jesus Linares wrote:
> Hi Tyler,
>
> The Ubuntu Security Team generates that file during CVE triage of
> newly assigned CVEs.
>
>
> That is a manual process, right?
Yes, it is manual.
>
> Because all versions are affected. If the status is 'needed', it means
> that the Ubuntu Security team has not produced security updates that fix
> the CVE. Therefore, all systems with the xfsprogs deb package installed
> are affected.
>
>
> So, right now, all systems with xfsprogs are vulnerable? The CVE was
> in 2012, it is not possible...
>
> The description says that it only affects versions before 3.2.4. I think
> you just need to update the
> file: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> changing the line:
>
> xenial_xfsprogs: needed
>
> to
>
> xenial_xfsprogs: released (version?)
>
>
> The parse_package_status function for the 'needed'
> status: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149
>
> If that line has the version, the python script will generate the proper
> oval file.
I thought that you were saying that, in general, a 'needed' status
without a version number would generate problematic OVAL data. Now I
understand that you were saying that CVE-2012-2150 needed to be
retriaged. I've done that here:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12855
I've also committed the oval_lib.py change that you suggested:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12856
Thanks for debugging the issue and providing a fix! Let us know if you
find any other issues in the generation of OVAL data.
Tyler
>
>
> I think I can't help more here, because the error is in the input files,
> not in the scripts.
>
> What do you think?
> Thanks.
> Regards.
>
>
>
> On Wed, Jul 5, 2017 at 5:12 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
>
> On 07/05/2017 09:57 AM, Jesus Linares wrote:
> > Hi,
> >
> > it seems there are more errors. For example, I get a "fail" for the
> > check: CVE-2012-2150.
> >
> > If we review the oval file for that check:
> >
> > <definition class="vulnerability"
> >   id="oval:com.ubuntu.xenial:def:20122150000" version="1">
> >   ...
> >   <criteria>
> >     <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
> >       comment="Ubuntu 16.04 LTS (xenial) is installed."
> >       applicability_check="true" />
> >     <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
> >       comment="The 'xfsprogs' package in xenial is affected and needs fixing." />
> >   </criteria>
> > </definition>
> > <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
> >   version="1" check_existence="at_least_one_exists" check="all"
> >   comment="Does the 'xfsprogs' package exist?">
> >   <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
> > </linux-def:dpkginfo_test>
> > <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20122150000"
> >   version="1" comment="The 'xfsprogs' package.">
> >   <linux-def:name>xfsprogs</linux-def:name>
> > </linux-def:dpkginfo_object>
> >
> >
> > It is checking if the xfsprogs package exists. In my machine I have
> > xfsprogs 4.3.0+nmu1ubuntu1 installed. So, the oscap is working
> > properly. The point is: is my xfsprogs vulnerable? If we take a look at
> > the input file to generate the
> > oval: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> >
> > xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
> > file data, which allows remote attackers to obtain sensitive
> > information by reading a generated image.
> >
> >
> > The description says: xfsprogs before 3.2.4, and I have version 4.
> > OVAL is only checking if the package exists, but not its version. The
> > reason is:
> >
> > The function parse_package_status
> > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117)
> > parses the line:
> >
> > * "xenial_xfsprogs: needed"
> > of http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
> > to
> > * "{'note': "The 'xfsprogs' package in trusty is affected and needs
> > fixing.", 'status': 'vulnerable'}".
> > * That means check only the package, not the version, because there is
> > no version
> > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)
> >
> > If we take a look at other checks:
> >
> > * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
> > is parsed to
> > * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
> > xenial was vulnerable but has been fixed (note:
> > '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
> > * Here the version is checked.
> >
> > So, my final questions are:
> >
> > * Who generates this file
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150?
>
> The Ubuntu Security Team generates that file during CVE triage of newly
> assigned CVEs.
>
> > * Why is there no specific version?
>
> Because all versions are affected. If the status is 'needed', it means
> that the Ubuntu Security team has not produced security updates that fix
> the CVE. Therefore, all systems with the xfsprogs deb package installed
> are affected.
>
> Do you know how that can be conveyed in the OVAL file?
>
> >
> > There are 109 fails after fixing the issue that I commented on in the
> > previous email, and my OS is updated, so I suspect the same is
> > happening in the rest of the checks.
>
> Thanks for tracking down the issue you described in your previous email.
> I'll hold off on committing that change until you're able to get to the
> bottom of the issue you describe in this email.
>
> Tyler
>
> >
> > Thanks.
> > Regards.
> >
> >
> >
> >
> > On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> > Hi,
> >
> > finally I found the
> > issue: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
> >
> > In that line there is an if-else. The else has the logic to add
> > the "negate" attribute, but the if doesn't have it.
> >
> > It is necessary to replace lines 111 to 113 with:
> >
> > negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
> > mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(
> >     test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)
> >
> >
> > In this way, the scan reports 109 fails instead of 1750. Now, I'm
> > going to review these 109 fails.
> >
> > Please, update the script ASAP.
> >
> > Thanks.
> > Regards.
> >
> >
> > On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> > Hi,
> >
> > I'm testing again the oval files for Xenial 16.04 (updated) and
> > OpenSCAP reports 1750 fails... Something weird is happening. I
> > will check out this issue again, but I would appreciate any help.
> >
> > Here is an example:
> >
> > <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20176919000"
> >   version="1" check_existence="any_exist" check="all"
> >   comment="Returns true whether or not the 'drupal7' package exists.">
> >   <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
> > </linux-def:dpkginfo_test>
> > <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20076752000"
> >   version="1" comment="The 'drupal7' package.">
> >   <linux-def:name>drupal7</linux-def:name>
> > </linux-def:dpkginfo_object>
> >
> >
> > If the check always returns true, it doesn't make sense...
> >
> > Thanks.
> > Regards.
> >
> >
> >
> > On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
> >
> > Hi,
> >
> > this is from the specific CVE:
> > xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
> >
> > So, if it is not affected for xenial, the check should
> > include the "negate" in order to return that it is not a
> > vulnerability, right?
> >
> > Regards.
> >
> >
> > On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
> >
> > On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
> > > I think this test should have the "negate" due to the comment "While
> > > related to the CVE in some way, the 'libapache-mod-jk' package in *xenial
> > > is not affected*". So, maybe the input of the script is wrong? Where is
> > > the input?
> >
> > The input is from the ubuntu-cve-tracker bzr tree;
> >
> > https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
> >
> > In the case of this specific CVE:
> >
> > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
> >
> > Thanks
> >
> > --
> > Jesus Linares
> > IT Security Engineer
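As an added illustration (not code from ubuntu-cve-tracker or from anyone in this thread), the following Python maps the three status forms discussed above, 'needed', 'released (version)' and 'not-affected (version)', to the kind of OVAL criterion each implies, and renders the criterion with the negate attribute only when the status calls for it. The status lines are constructed samples, and parse_package_status and render_criterion here are hypothetical helpers, not the tracker's own functions.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample lines in the "<release>_<package>: <status> [(version)]"
# shape that the thread quotes from ubuntu-cve-tracker CVE files.
SAMPLE_STATUS_LINES = [
    "xenial_xfsprogs: needed",
    "xenial_git: released (1:2.7.4-0ubuntu1.1)",
    "xenial_libapache-mod-jk: not-affected (1:1.2.40+svn150520-1)",
]

STATUS_RE = re.compile(
    r"^(?P<release>[a-z]+)_(?P<pkg>[^:\s]+):\s*(?P<status>[a-z-]+)"
    r"(?:\s*\((?P<version>[^)]*)\))?\s*$")


def parse_package_status(line):
    """Hypothetical helper: map one status line to the OVAL check it implies.
    'needed' has no fix version, so only existence can be tested; 'released (v)'
    allows a version comparison; 'not-affected' needs a negated criterion."""
    m = STATUS_RE.match(line)
    if not m:
        raise ValueError("unrecognised status line: %r" % line)
    release, pkg, status, version = m.group("release", "pkg", "status", "version")
    if status == "needed":
        return {"package": pkg, "status": "vulnerable", "check": "existence",
                "negate": False, "note": "The '%s' package in %s is affected "
                "and needs fixing." % (pkg, release)}
    if status == "released":
        if not version:
            raise ValueError("released status without a fix version: %r" % line)
        return {"package": pkg, "status": "fixed", "check": "version",
                "fix-version": version, "negate": False,
                "note": "The '%s' package in %s was vulnerable but has been "
                "fixed (note: '%s')." % (pkg, release, version)}
    if status == "not-affected":
        return {"package": pkg, "status": "not-affected", "check": "existence",
                "negate": True, "note": "While related to the CVE in some way, "
                "the '%s' package in %s is not affected." % (pkg, release)}
    raise ValueError("unsupported status %r in %r" % (status, line))


def render_criterion(parsed, test_ref):
    """Emit <criterion>, adding negate="true" only when the status requires it."""
    negation_attribute = 'negate="true" ' if parsed["negate"] else ""
    return '<criterion test_ref="%s" comment="%s" %s/>' % (
        test_ref, escape(parsed["note"], {'"': "&quot;"}), negation_attribute)
```

A 'needed' entry can only ever yield an existence check, which is why an installed but newer xfsprogs was flagged until the CVE entry was retriaged to carry a fixed version.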