[ubuntu-hardened] OVAL shows vulnerabilities when software is not installed

Tyler Hicks tyhicks at canonical.com
Thu Jul 6 15:25:53 UTC 2017


On 07/06/2017 06:24 AM, Jesus Linares wrote:
> Hi Tyler,
> 
> thanks for the changes. Now, I have around 109 fails.
> 
> According to the scripts, if a CVE has one of the following statuses:
> 
>   * needed
>   * ignored
>   * deferred
>   * pending
> 
> it is parsed as "vulnerable" status. The oval generated for "vulnerable"
> CVEs is: "check if the package exists". *It doesn't check any version*.
> This may make sense for some packages, but I think it is not possible to
> have 109 fails in an updated host.
> 
> What do those statuses mean?

Package statuses are documented here:

 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README#L224

> I attached a file with the list of cve files that the Ubuntu Security
> Team should review.

Thanks but that's non-trivial to do.

This highlights a potential problem with the OVAL data. The Ubuntu CVE
Tracker is not always up-to-date so the OVAL data will always have some
number of false positives. It is simply not possible for us to keep
every CVE up-to-date in the tracker at all times.

You're more than welcome to contribute pull requests to the Ubuntu CVE
Tracker project as you triage CVEs:

  https://launchpad.net/ubuntu-cve-tracker

We'd love to see you update any CVEs that you feel are out of date. Thanks!

Tyler

> 
> OVAL is a great tool and the Ubuntu process to generate the oval checks
> is almost ready. I think it just needs a little review and great care
> during the process of assigning a status to the cve file. This will
> be very useful for the community.
> 
> Thanks.
> Regards.
> 
> 
> 
> On Wed, Jul 5, 2017 at 6:02 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
> 
>     On 07/05/2017 10:30 AM, Jesus Linares wrote:
>     > Hi Tyler,
>     >
>     >     The Ubuntu Security Team generates that file during CVE triage of
>     >     newly assigned CVEs.
>     >
>     >
>     > that is a manual process, right?
> 
>     Yes, it is manual.
> 
>     >
>     >     Because all versions are affected. If the status is 'needed', it means
>     >     that the Ubuntu Security team has not produced security updates that fix
>     >     the CVE. Therefore, all systems with the xfsprogs deb package installed
>     >     are affected.
>     >
>     >
>     > So, right now, all systems with xfsprogs are vulnerable? The CVE was
>     > in 2012, it is not possible...
>     >
>     > The description says that it only affects versions before 3.2.4. I think
>     > you just need to update the
>     > file: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
>     > changing the line:
>     >
>     >     xenial_xfsprogs: needed
>     >
>     > to
>     >
>     >     xenial_xfsprogs: released (version?)
>     >
>     >
>     > parse_package_status function for needed status:
>     > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L149
>     >
>     > If that line has the version, the python script will generate the proper
>     > oval file.
> 
>     I thought that you were saying that, in general, a 'needed' status
>     without a version number would generate problematic OVAL data. Now I
>     understand that you were saying that CVE-2012-2150 needed to be
>     retriaged. I've done that here:
> 
>      http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12855
> 
>     I've also committed the oval_lib.py change that you suggested:
> 
>      http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/revision/12856
> 
>     Thanks for debugging the issue and providing a fix! Let us know if you
>     find any other issues in the generation of OVAL data.
> 
>     Tyler
> 
>     >
>     >
>     > I think I can't help more here, because the error is in the input files,
>     > not in the scripts.
>     >
>     > What do you think?
>     > Thanks.
>     > Regards.
>     >
>     >
>     >
>     > On Wed, Jul 5, 2017 at 5:12 PM, Tyler Hicks <tyhicks at canonical.com> wrote:
>     >
>     >     On 07/05/2017 09:57 AM, Jesus Linares wrote:
>     >     > Hi,
>     >     >
>     >     > it seems there are more errors. For example, I get a "fail" for the
>     >     > check: CVE-2012-2150.
>     >     >
>     >     > If we review the oval file for that check:
>     >     >
>     >     >     <definition class="vulnerability"
>     >     >         id="oval:com.ubuntu.xenial:def:20122150000" version="1">
>     >     >         ...
>     >     >       <criteria>
>     >     >         <extend_definition definition_ref="oval:com.ubuntu.xenial:def:100"
>     >     >             comment="Ubuntu 16.04 LTS (xenial) is installed."
>     >     >             applicability_check="true" />
>     >     >         <criterion test_ref="oval:com.ubuntu.xenial:tst:20122150000"
>     >     >             comment="The 'xfsprogs' package in xenial is affected and needs fixing." />
>     >     >       </criteria>
>     >     >     </definition>
>     >     >     <linux-def:dpkginfo_test id="oval:com.ubuntu.xenial:tst:20122150000"
>     >     >         version="1" check_existence="at_least_one_exists" check="all"
>     >     >         comment="Does the 'xfsprogs' package exist?">
>     >     >       <linux-def:object object_ref="oval:com.ubuntu.xenial:obj:20122150000"/>
>     >     >     </linux-def:dpkginfo_test>
>     >     >     <linux-def:dpkginfo_object id="oval:com.ubuntu.xenial:obj:20122150000"
>     >     >         version="1" comment="The 'xfsprogs' package.">
>     >     >       <linux-def:name>xfsprogs</linux-def:name>
>     >     >     </linux-def:dpkginfo_object>
>     >     >
>     >     >
>     >     > It is checking if the xfsprogs package exists. In my machine I have
>     >     > xfsprogs 4.3.0+nmu1ubuntu1 installed. So, oscap is working
>     >     > properly. The point is: is my xfsprogs vulnerable? If we take a look at
>     >     > the input file to generate the oval:
>     >     > http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
>     >     >
>     >     >     xfs_metadump in *xfsprogs before 3.2.4* does not properly obfuscate
>     >     >     file data, which allows remote attackers to obtain sensitive
>     >     >     information by reading a generated image.
>     >     >
>     >     >
>     >     > The description says: xfsprogs before 3.2.4 and I have version 4.
>     >     > Oval is only checking if the package exists, but not its version. The
>     >     > reason is:
>     >     >
>     >     > The function parse_package_status
>     >     > (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/generate-oval#L117)
>     >     > parses the line:
>     >     >
>     >     >   * "xenial_xfsprogs: needed" of
>     >     >     http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150
>     >     >     to
>     >     >   * "{'note': "The 'xfsprogs' package in trusty is affected and needs
>     >     >     fixing.", 'status': 'vulnerable'}".
>     >     >   * That means check only the package, not the version, because there is
>     >     >     no version
>     >     >     (http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L220)
>     >     >
>     >     > If we take a look at other checks:
>     >     >
>     >     >   * "xenial_git: released (1:2.7.4-0ubuntu1.1)" of
>     >     >     http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/retired/CVE-2017-8386
>     >     >     is parsed to
>     >     >   * {'fix-version': '1:2.7.4-0ubuntu1.1', 'note': "The 'git' package in
>     >     >     xenial was vulnerable but has been fixed (note:
>     >     >     '1:2.7.4-0ubuntu1.1').", 'status': 'fixed'}
>     >     >   * Here the version is checked.
>     >     >
>     >     > So, my final questions are:
>     >     >
>     >     >   * Who generates this file
>     >     >     http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/12851/active/CVE-2012-2150 ?
>     >
>     >     The Ubuntu Security Team generates that file during CVE triage of newly
>     >     assigned CVEs.
>     >
>     >     >   * Why is there no specific version?
>     >
>     >     Because all versions are affected. If the status is 'needed', it means
>     >     that the Ubuntu Security team has not produced security updates that fix
>     >     the CVE. Therefore, all systems with the xfsprogs deb package installed
>     >     are affected.
>     >
>     >     Do you know how that can be conveyed in the OVAL file?
>     >
>     >     >
>     >     > There are 109 fails after fixing the issue that I mentioned in the previous
>     >     > email and my OS is updated, so I suspect the same is happening in the
>     >     > rest of the checks.
>     >
>     >     Thanks for tracking down the issue you described in your previous email.
>     >     I'll hold off on committing that change until you're able to get to the
>     >     bottom of the issue you describe in this email.
>     >
>     >     Tyler
>     >
>     >     >
>     >     > Thanks.
>     >     > Regards.
>     >     >
>     >     >
>     >     >
>     >     >
>     >     > On Wed, Jul 5, 2017 at 3:19 PM, Jesus Linares <jesus at wazuh.com> wrote:
>     >     >
>     >     >     Hi,
>     >     >
>     >     >     finally I found the
>     >     >     issue: http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/scripts/oval_lib.py#L110
>     >     >
>     >     >     In that line there is an if-else. The else has the logic to add
>     >     >     the "negate" attribute, but the if doesn't have it.
>     >     >
>     >     >     It is necessary to replace lines 111 to 113 with:
>     >     >
>     >     >         negation_attribute = 'negate = "true" ' if 'negate' in test_refs[0] and test_refs[0]['negate'] else ''
>     >     >         mapping['criteria'] = '<criterion test_ref="{0}" comment="{1}" {2}/>'.format(
>     >     >             test_refs[0]['id'], escape(test_refs[0]['comment']), negation_attribute)
>     >     >
>     >     >
>     >     >     In this way, the scan reports 109 fails instead of 1750. Now, I'm
>     >     >     going to review these 109 fails.
>     >     >
>     >     >     Please, update the script ASAP.
>     >     >
>     >     >     Thanks.
>     >     >     Regards.
>     >     >
>     >     >
>     >     >     On Tue, Jul 4, 2017 at 7:50 PM, Jesus Linares <jesus at wazuh.com> wrote:
>     >     >
>     >     >         Hi,
>     >     >
>     >     >         I'm testing again the oval files for Xenial 16.04 (updated) and
>     >     >         OpenSCAP reports 1750 fails... Something weird is happening. I
>     >     >         will check out this issue again, but I would appreciate any help.
>     >     >
>     >     >         Here an example:
>     >     >
>     >     >             <linux-def:dpkginfo_test
>     >     >             id="oval:com.ubuntu.xenial:tst:20176919000" version="1"
>     >     >             check_existence="any_exist" check="all" comment="*Returns
>     >     >             true whether or not the 'drupal7' package exists.*">
>     >     >             <linux-def:object
>     >     >             object_ref="oval:com.ubuntu.xenial:obj:20076752000"/>
>     >     >             </linux-def:dpkginfo_test>
>     >     >             <linux-def:dpkginfo_object
>     >     >             id="oval:com.ubuntu.xenial:obj:20076752000" version="1"
>     >     >             comment="The 'drupal7' package.">
>     >     >             <linux-def:name>drupal7</linux-def:name>
>     >     >             </linux-def:dpkginfo_object>
>     >     >
>     >     >
>     >     >         If the check always returns true, it doesn't make sense...
>     >     >
>     >     >         Thanks.
>     >     >         Regards.
>     >     >
>     >     >
>     >     >
>     >     >         On Wed, Nov 2, 2016 at 11:29 AM, Jesus Linares <jesus at wazuh.com> wrote:
>     >     >
>     >     >             Hi,
>     >     >
>     >     >             this is from the specific CVE:
>     >     >             xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)
>     >     >
>     >     >             So, if it is not affected for xenial, the check should
>     >     >             include the "negate" in order to report that it is not a
>     >     >             vulnerability, right?
>     >     >
>     >     >             Regards.
>     >     >
>     >     >
>     >     >             On Fri, Oct 28, 2016 at 9:10 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
>     >     >
>     >     >                 On Fri, Oct 28, 2016 at 11:19:21AM +0200, Jesus Linares wrote:
>     >     >                 > I think this test should have the "negate" due to the comment "While
>     >     >                 > related to the CVE in some way, the 'libapache-mod-jk' package in *xenial
>     >     >                 > is not affected*". So, maybe the input of the script is wrong? Where is
>     >     >                 > the input?
>     >     >
>     >     >                 The input is from the ubuntu-cve-tracker bzr tree;
>     >     >
>     >     >                 https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master
>     >     >
>     >     >                 In the case of this specific CVE:
>     >     >
>     >     >                 http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/active/CVE-2014-8111
>     >     >
>     >     >                 Thanks
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >             --
>     >     >             *Jesus Linares*
>     >     >             /IT Security Engineer/
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >     >
>     >
>     >
>     >
>     >
>     >
> 
> 
> 
> 
> 

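As an added example (not the ubuntu-cve-tracker scripts themselves), the Python below mirrors the mapping the thread walks through: needed/ignored/deferred/pending statuses collapse into an existence-only test that fires whatever version is installed, released carries a fix version, and not-affected gets the negate attribute that the proposed oval_lib.py change emits. The OVAL ID scheme and the note strings are taken from the snippets quoted above; the test-ref dictionary shape and criterion_fires are this example's own.

```python
"""Status-to-OVAL mapping as this thread describes it.  Added example, not the
ubuntu-cve-tracker scripts; the ID scheme is inferred from the quoted OVAL."""
import re
from xml.sax.saxutils import quoteattr

# Statuses the thread says collapse into a bare "does the package exist?" test.
VULNERABLE_STATUSES = {"needed", "ignored", "deferred", "pending"}

# Accepts the spacing variants quoted in the thread, e.g. "xenial_git: released
# (1:2.7.4-0ubuntu1.1)" and "xenial_libapache-mod-jk:not-affected(1:1.2.40+svn150520-1)".
STATUS_RE = re.compile(
    r"^(?P<release>[a-z]+)_(?P<pkg>[a-z0-9.+-]+):\s*"
    r"(?P<status>[a-z-]+)\s*(?:\((?P<version>[^)]*)\))?\s*$")


def parse_package_status(line):
    """Parse one CVE-file status line into the dict shape quoted in the thread."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised status line: %r" % line)
    release, pkg, status, version = m.group("release", "pkg", "status", "version")
    if status in VULNERABLE_STATUSES:
        # No fix version exists, so every installed version counts as affected.
        return {"status": "vulnerable",
                "note": "The '%s' package in %s is affected and needs fixing." % (pkg, release)}
    if status == "released":
        if not version:
            raise ValueError("released without a fix version: %r" % line)
        return {"status": "fixed", "fix-version": version,
                "note": "The '%s' package in %s was vulnerable but has been fixed "
                        "(note: '%s')." % (pkg, release, version)}
    if status == "not-affected":
        return {"status": "not-affected",
                "note": "While related to the CVE in some way, the '%s' package in "
                        "%s is not affected." % (pkg, release)}
    raise ValueError("status %r is not handled by this example" % status)


def build_test_ref(cve, release, pkg, parsed):
    """Describe the dpkginfo_test a criterion will reference: existence-only for
    'vulnerable' and 'not-affected' (the latter negated), fix version for 'fixed'."""
    digits = re.sub(r"\D", "", cve)  # CVE-2012-2150 -> 20122150
    return {"id": "oval:com.ubuntu.%s:tst:%s000" % (release, digits), "pkg": pkg,
            "comment": parsed["note"], "negate": parsed["status"] == "not-affected",
            "evr_less_than": parsed.get("fix-version")}


def criterion_xml(test_ref):
    """Emit <criterion>, adding negate="true" when the test asks for it (the
    attribute the thread's fix added to oval_lib.py's single-test branch)."""
    negate = ' negate="true"' if test_ref["negate"] else ""
    return "<criterion test_ref=%s comment=%s%s/>" % (
        quoteattr(test_ref["id"]), quoteattr(test_ref["comment"]), negate)


def criterion_fires(test_ref, installed):
    """Evaluate an existence-only criterion against {package: version}; True
    means oscap would report "fail".  The version is never consulted, which is
    why an updated host with xfsprogs 4.3.0 still fails a 'needed' CVE from 2012.
    Version-bearing tests are left to the scanner's EVR comparison."""
    if test_ref["evr_less_than"] is not None:
        raise ValueError("version comparison is not modelled here")
    return (test_ref["pkg"] in installed) != test_ref["negate"]
```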
