On Apr 1, 2010, at 11:28 AM, David Downin wrote:
Does anyone know if there is somewhere that I can find out if a particular CVE applies to Macs?
Basically, our site (NSWCCD) as well as the folks at NCDOC have been scanning our network for vulnerabilities using the Retina Network Security Scanner by eEye. I personally have been using it as well to scan the macs in our group and remediate them.
I’ve noticed a lot of times that Retina will report a vulnerability simply because of the version of something. One example:
Audit ID: 8151
Samba Daemon DOS Filemode Override ACL Bypass
CVE-2009-1888
This is reported on a machine running 10.6.3 (client) simply because Retina is running “smbd –V” and is getting “3.0.25B-apple”. Retina does note that the audit is for versions of Samba obtained from samba.org and may be a false finding on vendor-specific backports. So, is there any way for me to verify that this is indeed a false positive or not?
I have managed to get rid of the Retina warning temporarily by changing the version number that is reported – but for some reason that I have yet to discover, it eventually reverts back to the original version (it’s not because of a software update). Below is what I am doing to change the reported version.
#!/bin/bash
# Backup suffix for perl's in-place edit; $TIME was never set in the posted script,
# so it is defined here as a timestamp.
TIME=$(date +%Y%m%d%H%M%S)
# Rewrite the version string embedded in the smbd binary (a backup copy is kept as smbd.$TIME).
sudo perl -pi.$TIME -e "s/3\.0\.28/4\.0\.28/" /usr/sbin/smbd
_______________________________________________________
Dave Downin
NSWC Carderock
Facility Engineering and Operations Department / Code 5104
David,
I just wanted to point out a few things to help you and others in these situations....
smbd
- smbd is the smb service which provides Windows Sharing out from a Mac to other systems via SAMBA.
- This is *only* active when you enable SMB in the System Prefs -> Sharing -> File Sharing -> Options -> SMB
- The configuration around SAMBA can be manipulated by Mac OS X, but not SAMBA source itself - no back port.
- This is *NOT* the service that is used by Mac OS X to connect TO a Windows Share Point.
Samba is not enabled by default and DOS Filemode is not enabled by default.
Scanners are inherently problematic, since they work with static information and cause a fair amount of false positives without a considerable amount of persistent massaging as you have had to do.
CVEs
In addition to including all of the relevant CVE identifiers within every OS and Security Update, Apple also publishes all CVE and CPE information to the NVD (National Vulnerability Database).
Apple Security Updates http://support.apple.com/kb/HT1222
NVD (advanced Search) http://web.nvd.nist.gov/view/vuln/search-advanced (search on Vendor: Apple)
- Shawn
_____________________________________________________
Shawn Geddis - Security Consulting Engineer - Apple Enterprise
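The reply above makes three points a triage script can encode: a version-only finding says nothing unless the service is actually reachable, a finding with a configuration precondition (here the Samba "dos filemode" option, which Shawn notes is off by default) is moot when that option is not set, and a vendor-suffixed banner such as "3.0.25B-apple" cannot be compared against upstream samba.org version thresholds because the vendor may have backported the fix. The following Python is an added example written for this thread, not code from either poster or from Apple, Samba or eEye; the smb.conf text, the banner strings and the "fixed in" threshold are constructed placeholders, and the real threshold for any CVE must come from the advisory.

```python
"""Triage helper for version-banner scanner findings (added example, not from the thread).

Given the banner a scanner collected, the upstream version the advisory names as fixed,
whether the service is actually listening, and whether the finding's configuration
precondition holds, classify the finding instead of trusting the version match alone.
All sample values below are constructed for illustration.
"""
import re
import socket
from dataclasses import dataclass

# Banners look like "3.0.28" (upstream) or "3.0.25B-apple" (vendor build).
BANNER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([A-Za-z]?)(?:-(.+))?$")


@dataclass
class Banner:
    version: tuple        # (major, minor, patch), used for ordering
    letter: str           # trailing letter such as the "B" in 3.0.25B; not compared
    vendor: str           # suffix after "-", empty for an upstream build


def parse_banner(text: str) -> Banner:
    """Split a version banner into numeric version, letter and vendor suffix."""
    m = BANNER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version banner: {text!r}")
    major, minor, patch, letter, vendor = m.groups()
    return Banner((int(major), int(minor), int(patch)), letter, vendor or "")


def is_listening(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds; the cheap ground truth for
    'is the service even running' that a banner grab from a binary does not give."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dos_filemode_enabled(smb_conf: str) -> bool:
    """True if [global] or any share sets 'dos filemode = yes' in an smb.conf text.
    Samba's default for this option is no, so an absent key counts as disabled."""
    enabled = False
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop both comment styles
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "dos filemode" and value.strip().lower() in ("yes", "true", "1"):
            enabled = True
    return enabled


def triage(banner_text: str, fixed_in: str, service_listening: bool,
           precondition_met: bool = True) -> str:
    """Classify a version-based finding.

    Returns one of:
      not_applicable_service_off   - nothing is listening, the finding is noise
      not_applicable_setting_off   - the option the bug needs is not enabled
      patched                      - banner is at or above the fixed upstream version
      unconfirmed_vendor_build     - vendor build, version compare is meaningless;
                                     check the vendor's advisory (e.g. the NVD entry)
      likely_vulnerable            - upstream build below the fixed version
    """
    if not service_listening:
        return "not_applicable_service_off"
    if not precondition_met:
        return "not_applicable_setting_off"
    banner = parse_banner(banner_text)
    fixed = parse_banner(fixed_in)
    if banner.version >= fixed.version:
        return "patched"
    if banner.vendor:
        return "unconfirmed_vendor_build"
    return "likely_vulnerable"


# Constructed smb.conf fragment: one share, dos filemode explicitly off.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
[Public]
    path = /Users/Shared
    dos filemode = no   # default anyway
"""

# Constructed threshold; take the real value from the advisory for the CVE in question.
FIXED_IN_PLACEHOLDER = "3.0.35"

if __name__ == "__main__":
    listening = is_listening("127.0.0.1", 445)
    verdict = triage("3.0.25B-apple", FIXED_IN_PLACEHOLDER, listening,
                     precondition_met=dos_filemode_enabled(SAMPLE_SMB_CONF))
    print(f"smbd listening on 445: {listening}; verdict: {verdict}")
```

Run on the machine from the question, this reports the finding as not applicable while SMB sharing is off, and as "unconfirmed_vendor_build" rather than "vulnerable" once it is on, which is the state that actually warrants looking up the Apple security update and NVD entry linked above instead of rewriting the binary's version string.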