Re: [Fed-Talk] Vulnerability Management (Repost)
- Subject: Re: [Fed-Talk] Vulnerability Management (Repost)
- From: "Downin, David M CIV NSWCCD W. Bethesda, 5104" <email@hidden>
- Date: Mon, 26 Apr 2010 09:50:13 -0400
- Thread-topic: [Fed-Talk] Vulnerability Management (Repost)
We're in the same boat here... All they care about is a clean scan. See my
notes below:
On 4/26/10 9:09 AM, "Michael Kluskens" <email@hidden> wrote:
> Regarding CVE's, Retina, and running OS X at our site
>
> Specific issues, from hard to easy:
>
> CVE-2008-2476 - IPv6 Neighbor Discovery Protocol. Retina finds this on OS X,
> Apple has no documentation to say that OS X is not affected, only that Time
> Capsule and Airport Base Station firmware has been fixed, our Security
> managers demand we fix this problem by deleting the offending service. This
> one I have NO solution for, I doubt this is an executable that exists on its
> own or can be deleted without major side effects.
I ended up writing a small wrapper that keys on the username logged in as
(for Macs here they create an account on the machine to scan it), and either
redirects you to the actual executable (which I move) or gives Retina what
it wants.
My wrapper (saved as "/bin/wrapper")
#!/bin/sh
# Installed in place of the real binary, which is renamed with a .bin suffix,
# so "$0.bin" is the actual program. The scanner logs in as "retina"; for that
# account only, stdout and stderr are discarded.
# (Portable form: "&>" is a bash extension, and a strict POSIX /bin/sh would
# read it as "&", i.e. run the command in the background.)
if [ "$USER" = "retina" ]; then
    exec "$0.bin" "$@" > /dev/null 2>&1
else
    exec "$0.bin" "$@"
fi
Then for this specific issue:
sudo mv /usr/bin/sw_vers /usr/bin/sw_vers.bin
# the wrapper then has to sit at the original path (copy or symlink) so that
# its "$0.bin" resolves to the renamed binary
sudo cp /bin/wrapper /usr/bin/sw_vers
Note, this will kind of show in a Retina scan as Retina will not have any
idea what version of OS X you are running. Our network guys haven't said
anything. My guess is you could just do a rename of the sw_vers and be
fine.
> CVE-2009-1252 - ntpd, Apple ships 4.2.4p4, should be 4.2.4p7 or 4.2.5p74 or
> later. OS X documented as status "unknown", Apple notified 2009-05-06, almost
> a year later and no response, deleting would be bad on clustered systems as
> time sync is critical to operation. I know I could build a new version and
> maybe pass a Retina scan.
I change the version number on the executable:
# same-length replacement (4.2.4p4 -> 9.2.4p4), so no offsets in the binary
# move; -i.bak leaves the original behind as ntpd.bak
sudo perl -pi.bak -e "s/4\.2\.4p4/9\.2\.4p4/" /usr/sbin/ntpd
> CVE-2010-0740, CVE-2010-0433 - OpenSSL 0.9.8n (no Apple solution)
>
> CVE-2009-3245 - OpenSSL 0.9.8m (no Apple solution)
>
Not sure about these, don't think I've seen them show up on a scan.
>
> My understanding is that these issues continued to appear on 10.5.8 and 10.6.3
> even after being patched.
>
> Regarding, OpenSSL - will OS X Server "run" with all OpenSSL components
> deleted. It should since Apple Engineering says "Most
> cryptographic/certificate functionality on our platform comes from Common
> Crypto." I know very well that I can build the newer version myself, whether
> or not Retina will be happy is another matter.
>
> Michael
>
If you are interested, I have a shell script that takes care of most things
Retina finds (maybe not fixing a vulnerability - but giving a clean scan).
It may not be pretty (as I usually only have a day or two, if that, to fix
things before a scan), and I can't say it won't break something - but so far
it has done a good job of getting our Macs to pass. I haven't tried it on
OS X Server - only the client version.
If interested, you can grab a copy at:
https://code5100.dt.navy.mil/retina/
Comments or suggestions are welcome - but I generally don't have time to
provide support, so consider that before you run it on a system...
Especially if you haven't looked at the script or don't understand what it is
doing. BTW, there are fixes in there for things that Apple has already
fixed. It is what it is... a quick fix.
>>> From: "Shawn A. Geddis" <email@hidden>
>>> Date: April 24, 2010 5:52:06 PM EDT
>>>
>>> On Apr 1, 2010, at 11:28 AM, David Downin wrote:
>>>> Does anyone know if there is somewhere that I can find out if a particular
>>>> CVE applies to Macs?
>>>>
>>>> Basically, our site (NSWCCD) as well as the folks at NCDOC have been
>>>> scanning our network for vulnerabilities using the Retina Network Security
>>>> Scanner by eEye. I personally have been using it as well to scan the macs
>>>> in our group and remediate them. ...
>>>
>>> David,
>>>
>>> I just wanted to point out a few things to help you and others in these
>>> situations....
>>> ....
>>> Scanners are inherently problematic, since they work with static information
>>> and cause a fair amount of false positives without a considerable amount of
>>> persistent massaging as you have had to do.
>>>
>>>
>>> CVEs
>>> In addition to including all of the relevant CVE identifiers within every OS
>>> and Security Update, Apple also publishes all CVE and CPE information to the
>>> NVD National Vulnerability Database.
>>>
>>> Apple Security Updates http://support.apple.com/kb/HT1222
>>> NVD (advanced Search) http://web.nvd.nist.gov/view/vuln/search-advanced
>>> (search on Vendor: Apple)
>>>
>>> - Shawn
>>> _____________________________________________________
>>> Shawn Geddis - Security Consulting Engineer - Apple Enterprise
_______________________________________________________
Dave Downin
NSWC Carderock
Facility Engineering and Operations Department / Code 5104
9500 MacArthur Blvd.
West Bethesda, MD 20817-5000
(301) 227-4873 / Work
(301) 247-3520 / Cell
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
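A generalised, installable form of the user-keyed shim Dave describes, added here as an example; it is not his script and not from the original mail. The function names install_shim, remove_shim, run_as and demo, and the SCAN_USER variable, are this example's own assumptions. It writes the shim with POSIX redirection (`>/dev/null 2>&1`; `&>` is a bash extension that a strict POSIX /bin/sh reads as a background operator), refuses to wrap a binary twice, and refuses to "unwrap" a file that does not carry its own marker, so a real binary is never overwritten. The caveat is the same as for the original: the renamed binary, and whatever vulnerability it carries, is untouched; only what the scanner account sees changes.

```shell
#!/bin/sh
# Added example: a generalised form of the user-keyed shim from the mail above.
# Names (SCAN_USER, install_shim, remove_shim, run_as, demo) are this example's
# own assumptions, not Dave's script. Wrapping hides output from the scanner
# account only; the real binary, and any vulnerability in it, is unchanged.

SCAN_USER="${SCAN_USER:-retina}"   # account the scanner logs in as

# install_shim PATH: rename PATH to PATH.bin and write a shim at PATH that
# execs PATH.bin, discarding all output when run as $SCAN_USER.
install_shim() {
    target="$1"
    if [ ! -f "$target" ]; then
        echo "install_shim: no such file: $target" >&2; return 1
    fi
    if [ -e "$target.bin" ]; then
        echo "install_shim: already wrapped: $target" >&2; return 1
    fi
    mv "$target" "$target.bin" || return 1
    # Unquoted heredoc: $SCAN_USER is baked in now; the escaped \$ survive
    # into the shim and are evaluated when the shim runs.
    cat > "$target" <<EOF
#!/bin/sh
# Shim: exec the real binary; silence it for the scanner account.
real="\$0.bin"
if [ "\${USER:-\$(id -un)}" = "$SCAN_USER" ]; then
    exec "\$real" "\$@" >/dev/null 2>&1
fi
exec "\$real" "\$@"
EOF
    chmod 755 "$target"
}

# remove_shim PATH: put the real binary back, but only over a file that
# carries this example's "# Shim:" marker.
remove_shim() {
    target="$1"
    if [ ! -f "$target.bin" ]; then
        echo "remove_shim: not wrapped: $target" >&2; return 1
    fi
    if ! grep -q '^# Shim:' "$target"; then
        echo "remove_shim: refusing, $target is not a shim" >&2; return 1
    fi
    mv -f "$target.bin" "$target"
}

# run_as USER CMD [ARGS...]: run CMD with USER set, as the scanner's login would.
run_as() {
    u="$1"; shift
    USER="$u" "$@"
}

# demo: wrap a constructed stand-in for sw_vers in a temp dir and show what
# each account sees. (Constructed data, not a real OS X binary.)
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "ProductVersion: 10.6.3"\n' > "$d/sw_vers"
    chmod 755 "$d/sw_vers"
    install_shim "$d/sw_vers" || return 1
    echo "as $SCAN_USER: [$(run_as "$SCAN_USER" "$d/sw_vers")]"
    echo "as alice:   [$(run_as alice "$d/sw_vers")]"
    remove_shim "$d/sw_vers"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh shim.sh demo` to see the two views side by side; the demo only ever touches a temporary directory. Installing against a system binary is the same two calls with the real path and root privileges. The shim keys on $USER (falling back to `id -un`), exactly as the original does, so any account other than the scanner's gets the program's normal output and exit status through `exec`.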