
Vulnerability Scanning & False Positives

Published by Nick Fox


Many recurring findings from vulnerability scanning, in particular of websites, are false positives. These often occur when the scanner can only read the HTTP response header. On Ubuntu 14.04 servers, Nginx reports itself as 1.4.6 even though the installed package version is 1.4.6-1ubuntu3.7, which contains all of the security fixes that Ubuntu has backported.

Vulnerability scanners can’t always access the information they need to determine whether a vulnerability actually exists, and that is what leads to false positives.

Making sure you’re secure

By following the steps below we can work out whether our Nginx package has had the security patch backported.

CVE-2016-4450 – os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service.

Browse to https://people.canonical.com/~ubuntu-security/cve/ and search for “2016-4450”.

This shows that the vulnerability has been fixed in Nginx (1.4.6-1ubuntu3.5).

Now we need to check which version of the package is installed on our server:

    dpkg -l | grep nginx
    ii nginx 1.4.6-1ubuntu3.7 all small, powerful, scalable web/proxy server
    ii nginx-common 1.4.6-1ubuntu3.7 all small, powerful, scalable web/proxy server - common files
    ii nginx-full 1.4.6-1ubuntu3.7 amd64 nginx web/proxy server (standard version)

Here we can see that we are running “nginx 1.4.6-1ubuntu3.7”, which contains the security patch for CVE-2016-4450, so the scanner’s finding is a false positive.
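The check above can be automated. The following is an added example (not HA247’s code or tooling): it reimplements the Debian package version ordering that dpkg uses (epoch, upstream version, Debian revision, with “~” sorting before everything and digit runs compared numerically) in pure Python so it runs without dpkg, parses constructed `dpkg -l` output matching the lines shown above, and decides whether a scanner finding is a false positive by comparing the installed package version against the fixed version read from the Ubuntu CVE tracker. On a real server you can get the same verdict with `dpkg --compare-versions`; the version strings here are the ones from this page, and the function and variable names are this example’s own.

```python
"""Triage a scanner finding against the installed Ubuntu package version."""


def _order(c: str) -> int:
    # Character weight used by dpkg: '~' sorts before everything (even the
    # end of the string), letters sort by ASCII, other symbols sort after letters.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs are compared character by character with _order weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # Digit runs are compared numerically: strip leading zeros, then the
        # longer run wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under Debian version ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = _verrevcmp(ua, ub)
    if result:
        return result
    return _verrevcmp(ra, rb)


# Constructed sample of `dpkg -l | grep nginx` output (same versions as the page).
DPKG_OUTPUT = """\
ii  nginx         1.4.6-1ubuntu3.7  all    small, powerful, scalable web/proxy server
ii  nginx-common  1.4.6-1ubuntu3.7  all    small, powerful, scalable web/proxy server - common files
ii  nginx-full    1.4.6-1ubuntu3.7  amd64  nginx web/proxy server (standard version)
"""


def installed_versions(dpkg_text: str) -> dict:
    """Map package name -> version for every installed ('ii') row of dpkg -l."""
    versions = {}
    for line in dpkg_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            versions[fields[1]] = fields[2]
    return versions


def triage(package: str, fixed_version: str, dpkg_text: str) -> str:
    """'patched' when installed >= the distro's fixed version (finding is a false
    positive), 'vulnerable' when older, 'not installed' when absent."""
    installed = installed_versions(dpkg_text).get(package)
    if installed is None:
        return "not installed"
    if compare_versions(installed, fixed_version) >= 0:
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # The scanner only sees "1.4.6", which is older than upstream's fix in 1.10.1 ...
    print("scanner view:", compare_versions("1.4.6", "1.10.1"))
    # ... but the Ubuntu package carries the backport from 1.4.6-1ubuntu3.5 onwards.
    print("CVE-2016-4450 on this host:", triage("nginx", "1.4.6-1ubuntu3.5", DPKG_OUTPUT))
```

The point of doing the comparison on the full package version rather than the upstream number is exactly the false-positive case the scanner hits: 1.4.6 is below 1.10.1, but 1.4.6-1ubuntu3.7 is at or above the Ubuntu fixed version, so the finding can be closed with evidence from the package database rather than from the banner.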

Ubuntu CVE status and their meanings

The CVE page can be a confusing place. Here are the status codes and what they mean:

  • “DNE” means that the package does not exist within the lineage
  • “ignored” means that energy is not being expended for determining whether the problem exists in the particular package within the lineage, because support has ended for one reason or another.
  • “needs triage” means that the package within the lineage is still supported, but work is needed to determine if the reported problem actually exists within that package-lineage pair.
  • “not affected” means that the underlying source code vulnerability exists in the particular package within the lineage, but triage determined that for some other reason the issue will not occur.
  • “needed” of course means that triage has determined that the package within the lineage is affected, but work to apply the fix to the particular package within the lineage is still needed.
  • “pending” means that the work needed to apply the fix to the particular package within the lineage has been done, a version has been cut, and a release is in the works.
  • “released” means that the fix for the package within the lineage has been released.

HA247 makes sure you’re secure

The Ubuntu Security Team represents multiple teams of people dedicated to keeping Ubuntu and its users secure through fixing vulnerabilities and contributing to its security development.

HA247 automatically installs all security updates that have been made available by the Ubuntu Security Team.
