Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
- Subject: Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
- From: "Miller, Timothy J." <email@hidden>
- Date: Fri, 24 Oct 2014 13:34:09 +0000
- Thread-topic: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
Yeah, now that's just lazy. :)
-- T
>-----Original Message-----
>From: Taylor Armstrong - NOAA Affiliate [mailto:email@hidden]
>Sent: Friday, October 24, 2014 7:53 AM
>To: Miller, Timothy J.
>Cc: John Oliver; Apple Fed-Talk
>Subject: Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
>
>At least in my case, Timothy, I can confirm that this is NOT the case.
>
>Full credentialed scan. Our problem is that the scoring is "highest common denominator". The 10.10 issue (Tenable plugin #78550) checks for OS version of 10.10 or greater. If it sees an OS less than that, it gets flagged.
>
>The issue is that since 10.10 includes the shellshock "fix", which is rated "critical", it is being flagged by many agencies as "lacking the shellshock fix" despite having been previously patched, and despite Security Update 2014-005 including the patch, and thus it is getting a significant amount of negative publicity at the moment.
>
>On Fri, Oct 24, 2014 at 8:22 AM, Miller, Timothy J. <email@hidden> wrote:
>
>
> I'll speculate that the issue is likely that the Nessus scanner server doesn't have a credential to do a local check by remote access, or remote access is disabled. In this case the engine falls back on the OS fingerprint and open services to filter the findings list. This is typical behavior for agentless security tools.
>
> Confidence in security scan results can only be had by combining agentless and agent-based (e.g., McAfee ePO with ACCM, or an SCAP auditing tool) reports. Note that this is exactly what DISA's CMRS does.
>
> Problems arise when the auditing team doesn't understand this.
>
> -- T
>
> >-----Original Message-----
> >From: fed-talk-bounces+tmiller=email@hidden On Behalf Of John Oliver
> >Sent: Thursday, October 23, 2014 3:30 PM
> >To: Apple Fed-Talk
> >Subject: Re: [Fed-Talk] OS X < 10.10 a "Critical" finding in ACAS
> >
>
> >*Exactly* what I’m talking about :-) (ACAS *is* Tenable’s Security Center)
> >
> >It looks like the plugin author picked the highest category of
> >vulnerability and assigned that to a test for “Is this Yosemite or not”
> >I’ve made the point that ACAS is *not* testing for vulns, but merely
> >testing for OS version.
> >
> >If you’re right, then this should be, at most, a Medium finding. And I can live with that… maybe Apple will fix more issues in the next few weeks or so, maybe not, but we have 90 days IIRC to address Mediums, which is far more reasonable to ensure that the operational challenges of Yosemite are addressed.
> >
> >
> >
> >
> >On 10/23/14, 1:13 PM, "Taylor Armstrong - NOAA Affiliate" <email@hidden> wrote:
> >
> >>Tenable (Nessus/Security Center) also are showing the same, but I'm pushing back by pointing out that the only CVE with a true "Critical" rating at this point is Shellshock-related, and we've already patched that via other means. We'll see how it goes....
> >>
> >>On Thu, Oct 23, 2014 at 3:53 PM, JEFFREY COMPTON <email@hidden> wrote:
> >>
> >>> Doug,
> >>>
> >>> I would venture to say that 99% of us have that page bookmarked.
> >>>
> >>> To John's original point - yes - we understand that a few critical CVE's have been addressed for 10.9.5 with 2014-005, but there is still a long list of other CVE's that are "not" addressed for 10.8 and 10.9.
> >>>
> >>> I think Tim's assumptions are probably most valid. But what is so frustrating is that every year we are left to do just that -- "assume."
> >>>
> >>> A policy statement would be most welcome. Just a statement. It can't be that hard.
> >>>
> >>> Sent from iCloud to
> >>>
> >>>
> >>> On Oct 23, 2014, at 03:22 PM, Doug Kruth <email@hidden> wrote:
> >>>
> >>> I will chime in with the following KB Link for your reference:
> >>> http://support.apple.com/kb/ht1222
> >>>
> >>>
> >>> Doug Kruth
> >>> Systems Engineering Manager
> >>> Apple Enterprise Sales
> >>> m: 571.218.0805
> >>> o: 703.264.3236
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> > On Oct 23, 2014, at 12:45 PM, John Oliver <email@hidden> wrote:
> >>> >
> >>> > Agreed. And I *just* pushed a SecUpdate to my Mavericks hosts at the same time as this whole ballyhoo started. The problem is the indication / possibility that Apple is not fixing every security problem, that they may consider some as “unimportant” or unnecessary to fix if a fix is included in a newer major release. My first push-back was because of the perception that they were mandating a move simply because a newer OS was available. That was not the case… they enumerated a couple of dozen or so CVEs that they claim are unresolved in Mavericks, which moots your last two paragraphs :-)
> >>> >
> >>> > As far as Apple chiming in, I think we all know that they’ve steadfastly refused to provide any information on product lifecycles. So, while they *should*, they won’t. Which is another problem.
> >>> >
> >>> >
> >>> >
> >>> >
> >>> > On 10/23/14, 9:16 AM, "Miller, Timothy J." <email@hidden> wrote:
> >>> >
> >>> >> I couldn't find a concise FAQ on corporate support policy, but on Apple's OS X Support Downloads page I note that they've been actively updating Mavericks, Mountain Lion, and Lion with security critical updates; and Mavericks & Mountain Lion with regular Security Updates. From past behavior, tiny version updates have been released for the most-recent but not current version.
> >>> >>
> >>> >> From this I surmise the support policy is at least:
> >>> >>
> >>> >> Critical security -- current, current-1, current-2;
> >>> >> Security -- current, current-1;
> >>> >> All other updates -- current, current-1.
> >>> >>
> >>> >> Likely there's an age cutoff in there somewhere, but I don't know what it is. Previously, tiny versions of (current-1) were available for some period after the release of (current), but that seems to have tapered off in recent years.
> >>> >>
> >>> >> This would be a good place for Shaun or one of the other Apple guys to chime in. :)
> >>> >>
> >>> >> That said, yes, the availability through the App Store of the major updates certainly creates a pressure to update, but if your corporate governance and IT processes are in line that should only cause minor complaining and isn't a crisis. If they're not, you have more pressing problems than kvetching about the App Store.
> >>> >>
> >>> >> If your CND / IT Security people can't tell the difference between "public release" and "release to the organization" then you also have bigger problems. Even FDCC lags releases of Windows.
> >>> >>
> >>> >> -- T
> >>> > _______________________________________________
> >>> > Do not post admin requests to the list. They will be ignored.
> >>> > Fed-talk mailing list (email@hidden <mailto:Fed-
>email@hidden> )
> >>> > Help/Unsubscribe/Update your Subscription:
>talk/email@hidden
> >>> >
> >>> > This email sent to email@hidden
><mailto:email@hidden>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >>
> >>--
> >>Taylor Armstrong
> >>Contractor at NOAA
> >>Macintosh Systems Administrator
> >>Tel: 301-713-1156, ext 195
>
>
>
>
>
>--
>
>Taylor Armstrong
>Contractor at NOAA
>Macintosh Systems Administrator
>Tel: 301-713-1156, ext 195
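The thread describes two things worth seeing side by side: a plugin whose only test is "is this 10.10 or newer?" and "highest common denominator" scoring, where the finding inherits the worst severity of everything bundled into it, so a Mavericks host that already carries the Shellshock fix via Security Update 2014-005 is still reported as Critical. The following is an added example written for this page; it is not Tenable's plugin logic, Apple's data, or code from anyone in the thread. The issue identifiers, severities, and the receipt name `SecurityUpdate2014-005` are constructed placeholders, and the `Host` fields stand in for what `sw_vers -productVersion` and `pkgutil --pkgs` report on a real machine.

```python
"""
Added example, not code from the Fed-Talk thread, Tenable or Apple.
Models a version-only check against a per-issue reconciliation that
credits standalone security updates. All identifiers are constructed.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample of what a version-gated plugin might bundle:
# issue id -> (severity, receipt of a standalone update that also fixes it, or None).
BUNDLED_ISSUES = {
    "ISSUE-SHELLSHOCK": ("Critical", "SecurityUpdate2014-005"),
    "ISSUE-FIXED-ONLY-IN-10.10-A": ("Medium", None),
    "ISSUE-FIXED-ONLY-IN-10.10-B": ("Low", None),
}


@dataclass(frozen=True)
class Host:
    name: str
    os_version: str  # as `sw_vers -productVersion` would report it
    # Installed update receipts, constructed; on a real host from `pkgutil --pkgs`.
    receipts: frozenset = field(default_factory=frozenset)


def parse_version(text):
    """'10.9.5' -> (10, 9, 5). Compare as tuples: as strings, '10.9' sorts after '10.10'."""
    return tuple(int(part) for part in text.strip().split("."))


def version_only_finding(host):
    """The check the thread describes: below 10.10 -> the bundle's worst severity."""
    if parse_version(host.os_version) >= (10, 10):
        return None
    return max((sev for sev, _ in BUNDLED_ISSUES.values()), key=SEVERITY_RANK.__getitem__)


def reconciled_finding(host):
    """Per-issue check: drop issues whose standalone fix receipt is installed,
    then take the worst remaining severity. Returns (severity, open_issue_ids)."""
    if parse_version(host.os_version) >= (10, 10):
        return None, []
    open_issues = [
        iid for iid, (_, receipt) in BUNDLED_ISSUES.items()
        if receipt is None or receipt not in host.receipts
    ]
    if not open_issues:
        return None, []
    worst = max((BUNDLED_ISSUES[i][0] for i in open_issues), key=SEVERITY_RANK.__getitem__)
    return worst, open_issues


def triage_report(hosts):
    """One row per host: (name, version, scanner severity, reconciled severity, open count)."""
    rows = []
    for h in hosts:
        scanner = version_only_finding(h)
        actual, open_issues = reconciled_finding(h)
        rows.append((h.name, h.os_version, scanner, actual, len(open_issues)))
    return rows


if __name__ == "__main__":
    # Constructed fleet: a patched Mavericks host, a stale one, and a Yosemite host.
    sample = [
        Host("mav-patched", "10.9.5", frozenset({"SecurityUpdate2014-005"})),
        Host("mav-stale", "10.9.4"),
        Host("yosemite", "10.10"),
    ]
    for row in triage_report(sample):
        print("%-12s %-7s scanner=%-8s reconciled=%-8s open=%d" % row)
```

The point of `reconciled_finding` is the one Taylor makes in the thread: once the only Critical item in the bundle is credited to the installed Security Update, what remains on the patched host is a Medium, which changes the remediation clock the auditors apply. `parse_version` is there because a version gate implemented as a string comparison gets Mavericks and Yosemite backwards.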