Re: [Fed-Talk] Vulnerability Management (Repost)
- Subject: Re: [Fed-Talk] Vulnerability Management (Repost)
- From: Michael Kluskens <email@hidden>
- Date: Mon, 26 Apr 2010 09:09:57 -0400
Regarding CVEs, Retina, and running OS X at our site
#1) Apple's security documentation is lacking in reports about CVEs that do not apply to OS X, unless they apply to one version of OS X but not a different version.
#2) Our security managers don't care if a service is enabled by default or not, they want it fixed, i.e. clean Retina report.
#3) Our security managers' answer to any Retina report is to delete the offending service to get a clean Retina report.
Specific issues, from hard to easy:
CVE-2008-2476 - IPv6 Neighbor Discovery Protocol. Retina finds this on OS X; Apple has no documentation to say that OS X is not affected, only that Time Capsule and AirPort Base Station firmware has been fixed; our security managers demand we fix this problem by deleting the offending service. This one I have NO solution for; I doubt this is an executable that exists on its own or can be deleted without major side effects.
CVE-2009-1252 - ntpd. Apple ships 4.2.4p4; it should be 4.2.4p7 or 4.2.5p74 or later. OS X is documented as status "unknown"; Apple was notified 2009-05-06, and almost a year later there is no response. Deleting would be bad on clustered systems, as time sync is critical to operation. I know I could build a new version and maybe pass a Retina scan.
CVE-2010-0740, CVE-2010-0433 - OpenSSL 0.9.8n (no Apple solution)
CVE-2009-3245 - OpenSSL 0.9.8m (no Apple solution)
CVE-2009-3555 - OpenSSL 0.9.8l (fixed by SecUpd 2010-001, 10.5.8 & 10.6.2 affected)
CVE-2009-0668 - Cyrus SASL (fixed by SecUpd 2010-002, 10.5.8 was affected and 10.6 is not affected)
My understanding is that these issues continued to appear on 10.5.8 and 10.6.3 even after being patched.
Regarding OpenSSL: will OS X Server "run" with all OpenSSL components deleted? It should, since Apple Engineering says "Most cryptographic/certificate functionality on our platform comes from Common Crypto." I know very well that I can build the newer version myself; whether or not Retina will be happy is another matter.
Michael
>> From: "Shawn A. Geddis" <email@hidden>
>> Date: April 24, 2010 5:52:06 PM EDT
>>
>> On Apr 1, 2010, at 11:28 AM, David Downin wrote:
>>> Does anyone know if there is somewhere that I can find out if a particular CVE applies to Macs?
>>>
>>> Basically, our site (NSWCCD) as well as the folks at NCDOC have been scanning our network for vulnerabilities using the Retina Network Security Scanner by eEye. I personally have been using it as well to scan the Macs in our group and remediate them. ...
>>
>> David,
>>
>> I just wanted to point out a few things to help you and others in these situations....
>> ....
>> Scanners are inherently problematic, since they work with static information and cause a fair amount of false positives without a considerable amount of persistent massaging as you have had to do.
>>
>>
>> CVEs
>> In addition to including all of the relevant CVE identifiers within every OS and Security Update, Apple also publishes all CVE and CPE information to the NVD National Vulnerability Database.
>>
>> Apple Security Updates http://support.apple.com/kb/HT1222
>> NVD (advanced Search) http://web.nvd.nist.gov/view/vuln/search-advanced (search on Vendor: Apple)
>>
>> - Shawn
>> _____________________________________________________
>> Shawn Geddis - Security Consulting Engineer - Apple Enterprise
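The triage that Michael is doing by hand above (installed version versus upstream fix version, then a check of Apple's advisory list for a backported fix that leaves the banner unchanged) can be written down so the evidence handed to a security manager is the same every time. The script below is an added example for this thread; it is not code from the list, from Apple or from eEye. The fix versions are the upstream ones named in the thread, the two Security Update entries come from the thread, and the installed versions in the sample findings are constructed (the thread gives only ntpd 4.2.4p4). The `Finding`, `triage` and `fixed_upstream` names and the rule for a release branch with no listed fix are the example's own assumptions.

```python
"""Triage banner-based CVE findings against upstream fix versions and vendor
advisories.  Added example for this thread; not code from the list, Apple or eEye."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(v: str) -> tuple:
    """Turn '4.2.4p4', '4.2.5p74', '0.9.8l' or '0.9.8n' into a comparable tuple.

    The dotted numeric part compares numerically; an ntp 'pN' patch level or an
    OpenSSL letter suffix becomes one trailing component, so that
    4.2.4 < 4.2.4p4 < 4.2.4p7 and 0.9.8l < 0.9.8m < 0.9.8n.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:p(\d+)|([a-z]))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    if m.group(2) is not None:          # ntp patch level, e.g. p74
        tail = int(m.group(2))
    elif m.group(3) is not None:        # OpenSSL letter suffix, a=1 ... z=26
        tail = ord(m.group(3)) - ord("a") + 1
    else:
        tail = 0
    return nums + (tail,)


def _branch(vt: tuple) -> tuple:
    """Release branch = everything but the trailing patch/letter component."""
    return vt[:-1]


def fixed_upstream(installed: str, fixed_in: Tuple[str, ...]) -> bool:
    """True if the installed version is at or past the fix on its own branch."""
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_in]
    if not fixes:
        raise ValueError("no upstream fix version to compare against")
    same_branch = [f for f in fixes if _branch(f) == _branch(inst)]
    if same_branch:
        return inst >= min(same_branch)
    # Assumption of this example: a branch newer than every listed fix carries
    # it, an older branch does not.
    return _branch(inst) > max(_branch(f) for f in fixes)


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    installed: Optional[str]        # banner/version on the host, None if not version-based
    fixed_in: Tuple[str, ...]       # upstream versions carrying the fix, one per branch


def triage(f: Finding, vendor_patched: dict) -> tuple:
    """Return (verdict, reason) for one scanner finding."""
    if f.installed is not None and f.fixed_in and fixed_upstream(f.installed, f.fixed_in):
        return ("not_affected",
                f"{f.component} {f.installed} is at or past upstream fix {'/'.join(f.fixed_in)}")
    if f.cve in vendor_patched:
        # Backported fix: the version string is unchanged, so a static scanner
        # keeps flagging it.  The advisory is the evidence to file.
        return ("vendor_backport",
                f"fixed by {vendor_patched[f.cve]}; version string unchanged, scanner will keep flagging")
    if f.installed is None or not f.fixed_in:
        return ("needs_manual_review", "no version to compare; confirm against the vendor advisory")
    return ("unpatched",
            f"{f.component} {f.installed} is below upstream fix {'/'.join(f.fixed_in)} "
            "and no vendor advisory covers it")


def triage_all(findings, vendor_patched: dict) -> dict:
    """Map each CVE to its verdict string."""
    return {f.cve: triage(f, vendor_patched)[0] for f in findings}


# Apple advisories named in the thread (CVE -> update that shipped the fix).
APPLE_PATCHED = {
    "CVE-2009-3555": "Security Update 2010-001",
    "CVE-2009-0668": "Security Update 2010-002",
}

# Constructed sample findings.  Fix versions are the upstream ones the thread
# names; installed versions other than ntpd 4.2.4p4 are sample values.
SAMPLE_FINDINGS = [
    Finding("CVE-2009-1252", "ntpd", "4.2.4p4", ("4.2.4p7", "4.2.5p74")),
    Finding("CVE-2010-0740", "OpenSSL", "0.9.8l", ("0.9.8n",)),
    Finding("CVE-2009-3245", "OpenSSL", "0.9.8l", ("0.9.8m",)),
    Finding("CVE-2009-3555", "OpenSSL", "0.9.8k", ("0.9.8l",)),
    Finding("CVE-2009-0668", "Cyrus SASL", None, ()),
    Finding("CVE-2008-2476", "IPv6 NDP", None, ()),
]

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        verdict, reason = triage(finding, APPLE_PATCHED)
        print(f"{finding.cve:<14} {verdict:<20} {reason}")
```

Run on the sample set, the two CVEs Apple fixed by Security Update come out as `vendor_backport` with the update named, which is the paperwork to attach to a finding instead of deleting the service; the OpenSSL and ntpd entries with no Apple fix stay `unpatched`, and the IPv6 item, which has no version to compare, is routed to manual review rather than silently passed or failed.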