Help Understanding CentOS 6.7 Security Updates
Hey guys
Hoping someone can help me understand how to patch vulnerabilities detected by Nexpose.
I am running a test instance of CentOS in AWS and have run yum update and installed all available updates. This has addressed the majority of vulnerabilities detected by Nexpose using a fully-authenticated scan.
However there are still 3 vulnerabilities that I am having a hard time validating/remediating:
CESA-2013:0568: dbus-glib security update (proof: dbus-glib - version 0.86-6.el6 is installed)
CESA-2015:2636: kernel security and bug fix update (proof: kernel - version 2.6.32-573.12.1.el6 is installed)
CESA-2015:1930: ntp security update (proof: ntp - version 4.2.6p5-5.el6.centos.2 is installed)
I have confirmed these versions are installed but am not sure how to remediate since there are no available updates for these 3 packages.
Can anyone suggest how I go about addressing these issues ?
Thanks
Re: Help Understanding CentOS 6.7 Security Updates
Those are indeed the latest released versions of those packages. Does Nexpose show you the CVE IDs? Without knowing which vulnerability Nexpose is complaining about, it's hard to give you any good advice.
Re: Help Understanding CentOS 6.7 Security Updates
Hey Avij
Thanks for responding.
Here are additional details (I should have added previously....)
CESA-2015:2636: kernel security and bug fix update
https://web.nvd.nist.gov/view/vuln/deta ... -2015-2925
https://web.nvd.nist.gov/view/vuln/deta ... -2015-5307
https://web.nvd.nist.gov/view/vuln/deta ... -2015-7613
https://web.nvd.nist.gov/view/vuln/deta ... -2015-7872
https://web.nvd.nist.gov/view/vuln/deta ... -2015-8104
CESA-2013:0568: dbus-glib security update
https://web.nvd.nist.gov/view/vuln/deta ... -2013-0292
RH advisory: https://rhn.redhat.com/errata/RHSA-2013-0568.html
CESA-2015:1930: ntp security update
CVE-2015-5300 - no details published at this time
CVE-2015-7704 - no details published at this time
RH advisory: https://rhn.redhat.com/errata/RHSA-2015-1930.html
The kernel and ntp vulns look to be fairly recent, so it's possible that there is a potential patch in the pipeline. The dbus-glib vuln is a couple of years old, so that is more surprising. What I would like to understand is how best to advise engineers to address these vulns.
Thanks again!
Re: Help Understanding CentOS 6.7 Security Updates
A better title for this topic would have been "Help understanding Nexpose output". As far as I can see, all the CVEs you mentioned have been fixed in the package versions as listed in your first message, which you said you had verified that you have installed. I don't know why Nexpose thinks something is not right. As for the kernel, have you rebooted after you installed the kernel update? Does uname -r show the latest version, 2.6.32-573.12.1?
Re: Help Understanding CentOS 6.7 Security Updates
Hey Avij
Nexpose output is something I am very familiar with; I am less familiar with how CentOS patching works, hence the post.
Looking at the notification:
- CESA-2013:0568: dbus-glib security update (proof: dbus-glib - version 0.86-6.el6 is installed)
From the CVE detail: "The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1" I take this to indicate that we would indeed be vulnerable since the version of dbus-glib is earlier than 0.100.1? Is that an accurate assessment?
For the other 2 issues, it does look like the version installed is the latest, so I will open a case with Rapid7
Thanks
Re: Help Understanding CentOS 6.7 Security Updates
dssec wrote:
- CESA-2013:0568: dbus-glib security update (proof: dbus-glib - version 0.86-6.el6 is installed)
From the CVE detail: "The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1" I take this to indicate that we would indeed be vulnerable since the version of dbus-glib is earlier than 0.100.1? Is that an accurate assessment?

No, it's completely wrong. You can't determine if you are vulnerable just by looking at version numbers because of Red Hat's policy of backporting security fixes. See also CentOS FAQs #21 and #22.
Re: Help Understanding CentOS 6.7 Security Updates
If you run rpm -q dbus-glib --changelog you should see the following:
* Mon Feb 20 2012 Colin Walters <walters@redhat.com> - 0.86-6
- Add patch from upstream for CVE-2013-0292
Resolves: #913077
This means CVE-2013-0292 has been fixed in dbus-glib-0.86-6.el6 as packaged by RHEL/CentOS.
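The two checks avij describes (reading the package %changelog for the CVE id, and comparing uname -r with the newest installed kernel) put together as a small script. This is an added example, not code posted in the thread; the function names and the constructed sample changelog are mine, while rpm -q --changelog, rpm -q --last kernel and uname -r are the standard commands on CentOS 6.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether an installed RPM carries a
# backported fix for a CVE by reading its %changelog, instead of comparing the
# upstream version string that a scanner or the NVD entry quotes.
# Function and variable names are my own.

# Constructed sample changelog. The first entry is modelled on the
# dbus-glib-0.86-6.el6 output quoted above; the second is filler.
SAMPLE_CHANGELOG='* Mon Feb 20 2012 Colin Walters <walters@redhat.com> - 0.86-6
- Add patch from upstream for CVE-2013-0292
  Resolves: #913077

* Wed Jan 01 2010 Example Packager <nobody@example.com> - 0.86-5
- (constructed filler entry)'

# cve_status_from_changelog CHANGELOG_TEXT CVE-ID
# Prints "fixed" when the CVE id is named in the changelog text, otherwise
# "not-in-changelog". The match is case-insensitive and bounded so that
# CVE-2013-029 does not match CVE-2013-0292.
cve_status_from_changelog() {
    text=$1
    cve=$2
    if printf '%s\n' "$text" | grep -qiE "(^|[^0-9A-Za-z-])${cve}([^0-9]|$)"; then
        echo fixed
    else
        echo not-in-changelog
    fi
}

# kernel_is_current NEWEST_INSTALLED RUNNING_RELEASE
# NEWEST_INSTALLED is the first line of `rpm -q --last kernel`, e.g.
# "kernel-2.6.32-573.12.1.el6.x86_64   Wed 16 Dec 2015 ..."; RUNNING_RELEASE
# is the output of `uname -r`. Returns 0 when the running kernel is the newest
# installed one, 1 when a reboot is still needed.
kernel_is_current() {
    newest=${1#kernel-}      # strip the package-name prefix
    newest=${newest%% *}     # drop the install-date column, if present
    [ "$newest" = "$2" ]
}

# check_installed_package PKG CVE-ID...
# Live check against the RPM database: one result line per CVE.
check_installed_package() {
    pkg=$1
    shift
    if ! changelog=$(rpm -q --changelog "$pkg" 2>/dev/null); then
        echo "$pkg: not installed"
        return 1
    fi
    nvr=$(rpm -q "$pkg" | head -n1)
    for cve in "$@"; do
        echo "$nvr $cve: $(cve_status_from_changelog "$changelog" "$cve")"
    done
}

# Live checks run only when asked for, so the file can also be sourced:
#   sh check_cve.sh --live dbus-glib CVE-2013-0292
#   sh check_cve.sh --live ntp CVE-2015-5300 CVE-2015-7704
#   sh check_cve.sh --kernel
case "${1:-}" in
    --live)
        shift
        check_installed_package "$@"
        ;;
    --kernel)
        newest=$(rpm -q --last kernel | head -n1)
        if kernel_is_current "$newest" "$(uname -r)"; then
            echo "running kernel $(uname -r) is the newest installed"
        else
            echo "newest installed is ${newest%% *}, running $(uname -r): reboot needed"
        fi
        ;;
esac
```

A "not-in-changelog" result is evidence, not a verdict: the packager may have fixed the issue without naming the CVE in the changelog, or the package may never have shipped the affected code, so read the CESA/RHSA advisory text before calling a host vulnerable.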
Re: Help Understanding CentOS 6.7 Security Updates
I don't know Nexpose at all, but often those kinds of things just do a string match on versions anyway...