Thursday, May 29, 2014

Re: [389-users] Retna Scan Results

I believe they are false positives. I am just searching for "proof" to provide to the person running the scans.


On Thu, May 29, 2014 at 1:23 PM, Rob Crittenden <rcritten@redhat.com> wrote:
John Trump wrote:
> In /etc/dirsrv/admin-serv there is a httpd.conf file. Does the
> admin-serv use the httpd system rpm or does it use a http server
> distributed with the admin-serv rpm? If it is distributed with the
> admin-serv rpm then I would say the scan is saying that the
> vulnerabilities exist in that http server. The httpd rpm installed on
> the system is the latest httpd-2.2.15-30

389-admin runs a separate instance of the system httpd.

I know nothing about this scanner but based on these logs it is just
doing server version string comparisons which are rather meaningless in
this context. There seems to be a lot of false-positives merely because
the Apache version is 2.2.

rob

>
>
> On Thu, May 29, 2014 at 12:28 PM, Noriko Hosoi <nhosoi@redhat.com
> <mailto:nhosoi@redhat.com>> wrote:
>
>     John Trump wrote:
>>
>>     Does the admin server or admin console run a webserver?
>>
>     Yes, the admin server depends upon httpd.
>
>>     On May 29, 2014 11:59 AM, "Noriko Hosoi" <nhosoi@redhat.com
>>     <mailto:nhosoi@redhat.com>> wrote:
>>
>>         Sorry, I don't know what the tool does.  You may want to ask
>>         the tool's provider the question.
>>         Thanks.
>>
>>         John Trump wrote:
>>>
>>>         I am running RHEL 6. Why does the scan show the
>>>         vulnerabilities on the port that directory administration
>>>         server is using?
>>>
>>>         On May 28, 2014 8:25 PM, "Noriko Hosoi" <nhosoi@redhat.com
>>>         <mailto:nhosoi@redhat.com>> wrote:
>>>
>>>             Hello, as you mentioned, all of the CVEs are quite old
>>>             (older than RHEL-6).  For instance, the last one
>>>             CVE-2009-1956 was fixed in apr-util-1.2.7-7.el5_3.1.  As
>>>             long as you use RHEL-6, the CVEs you listed are all
>>>             fixed.  Also, please note that the CVEs are all httpd
>>>             related, not 389-ds.
>>>
>>>             CVE:
>>>             CVE-2008-0005
>>>             CVE-2007-6388
>>>             CVE-2007-6422
>>>             CVE-2007-6420
>>>             CVE-2007-5000
>>>             CVE-2007-6421
>>>             CVE-2008-1678
>>>
>>>             CVE-2007-1862
>>>             CVE-2007-3847
>>>             CVE-2007-3304
>>>             CVE-2006-5752
>>>             CVE-2007-1863
>>>
>>>             CVE-2009-1891
>>>             CVE-2009-1955
>>>             CVE-2009-1191
>>>             CVE-2009-0023
>>>             CVE-2009-1956
>>>             CVE-2009-1195
>>>             CVE-2009-1890
>>>
>>>             John Trump wrote:
>>>>             I have a system running 389-ds that was scanned using
>>>>             retna. Retna showed vulnerabilities which are fairly
>>>>             old. Can anyone confirm that these were fixed? Only
>>>>             thing using port 9830 is the admin-serv. Below are the
>>>>             rpm versions I have installed and the CVE's retna
>>>>             supposedly detected.
>>>>
>>>>             389-adminutil-1.1.19-1.el6.x86_64
>>>>             389-ds-console-doc-1.2.6-1.el6.noarch
>>>>             389-admin-1.1.35-1.el6.x86_64
>>>>             389-admin-console-1.1.8-5.fc19.noarch
>>>>             389-console-1.1.7-1.el6.noarch
>>>>             389-ds-1.2.2-1.el6.noarch
>>>>             389-ds-base-libs-1.2.11.25-1.el6.x86_64
>>>>             389-ds-base-1.2.11.25-1.el6.x86_64
>>>>             389-dsgw-1.1.11-1.el6.x86_64
>>>>             389-ds-console-1.2.6-1.el6.noarch
>>>>             389-admin-console-doc-1.1.8-5.fc19.noarch
>>>>
>>>>             Audit ID:6310Vul ID:N/A
>>>>             Risk Level:Medium
>>>>             Sev Code:Category II
>>>>             PCI Level:Medium (Fail) - CVSS Score
>>>>             CVSS Score:5 [AV:N/AC:L/Au:N/C:N/I:N/A:P]
>>>>             BugTraq ID27234,26838,27236,27237
>>>>             CVE:CVE-2008-0005,CVE-2007-6388,CVE-2007-6422,CVE-2007-64
>>>>             20,CVE-2007-5000,CVE-2007-6421,CVE-2008-1678
>>>>             CCE:N/A
>>>>             Exploit:No
>>>>             IAV:N/A
>>>>             STIG:
>>>>             Context:TCP:9830
>>>>             Result:Success
>>>>             Tested Value:BR T WB Server:
>>>>             (Apache(\([[]^)]*\))?/((2\.((2(\.[[]0-7])?)|(0(\.([[]1-5]?[[]0-9]|6[[]0-2]))
>>>>             ?)|(1(\..*)?)))|(1\.((3(\.([[]1-3]?[[]0-9]|40))?)|([[]0-2](\..*)?)))|(0+\..*))
>>>>             ($|[[]^0-9.]([[]^(]*\([[]^R][[]^)]*\))*[[]^()]*$))
>>>>             Found Value:Server: Apache/2.2##Content-Length:
>>>>             301##Connection:
>>>>             close##Content-Type: text/html;
>>>>             charset[=]iso-8859-1####<!DOCTYPE HTML PUBLIC
>>>>             "-//IETF//DTD HTML 2.0//EN">#<html><head>#<title>404 Not
>>>>             Found</title>#</head><body>#<h1>Not Found</h1>
>>>>             (truncated...)
>>>>
>>>>             Audit ID:6059Vul ID:N/A
>>>>             Risk Level:Medium
>>>>             Sev Code:Category II
>>>>             PCI Level:Medium (Fail) - CVSS Score
>>>>             CVSS Score:5 [AV:N/AC:L/Au:N/C:P/I:N/A:N]
>>>>             BugTraq ID24215,24645,25489,24649,24553
>>>>             CVE:CVE-2007-1862,CVE-2007-3847,CVE-2007-3304,CVE-2006-57
>>>>             52,CVE-2007-1863
>>>>             CCE:N/A
>>>>             Exploit:No
>>>>             IAV:N/A
>>>>             STIG:
>>>>             Context:TCP:9830
>>>>             Result:Success
>>>>             Tested Value:RR T WB
>>>>             (Apache(\([[]^)]*\))?/(2\.2(\.[[]0-5])?)($|[[]^0-9.]([[]^(]*\([[]^R][[]^)]*\)
>>>>             )*[[]^()]*$))
>>>>             Found Value:Apache/2.2
>>>>
>>>>             Audit ID:9820Vul ID:N/A
>>>>             Risk Level:Medium
>>>>             Sev Code:Category II
>>>>             PCI Level:High (Fail) - CVSS Score
>>>>             CVSS Score:7.8 [AV:N/AC:L/Au:N/C:N/I:N/A:C]
>>>>             BugTraq ID35565,35253,35623,35251,34663,35221,35115
>>>>             CVE:CVE-2009-1891,CVE-2009-1955,CVE-2009-1191,CVE-2009-00
>>>>             23,CVE-2009-1956,CVE-2009-1195,CVE-2009-1890
>>>>             CCE:N/A
>>>>             Exploit:Yes
>>>>             IAV:N/A
>>>>             STIG:
>>>>             Context:TCP:9830
>>>>             Result:Success
>>>>             Tested
>>>>             Value:APACHE(-ADVANCEDEXTRANETSERVER)?/2\.2(\.(1[[]01]|[[]0
>>>>             -9])(\.[[]0-9]+)*)?($|[[]^0-9.])
>>>>             Found Value:APACHE/2.2
>>>>
>>>>
>>>>
>>>>
>>>>             --
>>>>             389 users mailing list
>>>>             389-users@lists.fedoraproject.org <mailto:389-users@lists.fedoraproject.org>
>>>>             https://admin.fedoraproject.org/mailman/listinfo/389-users

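Rob's point above is that a `Server: Apache/2.2` match says nothing about backported fixes; the evidence John is after is the installed rpm's changelog, which names the CVEs each backport resolves. As an added example (not from the thread or the 389 project), the Python script below pulls the CVE ids out of a scanner finding in the quoted layout, rejoining ids the report wrapped across two lines, and lists any the changelog does not mention; the scanner excerpt and changelog text are constructed, and `rpm -q --changelog` is only invoked where rpm exists.

```python
import re
import shutil
import subprocess

# Constructed excerpt in the quoted report's layout (not real Retina output); the
# CVE list wraps mid-identifier exactly as it does in the thread.
SCAN_EXCERPT = """\
Audit ID:6059Vul ID:N/A
CVE:CVE-2007-1862,CVE-2007-3847,CVE-2007-3304,CVE-2006-57
52,CVE-2007-1863
Found Value:Apache/2.2
"""

# Constructed stand-in for `rpm -q --changelog httpd`; the real changelog names
# the CVEs each backported fix resolves, which is the evidence to hand over.
CHANGELOG_EXCERPT = """\
* Mon Jan 01 2014 Example Packager <packager@example.invalid> - 2.2.15-30
- Resolves: CVE-2007-1862 CVE-2007-3847 (constructed entry)
- Resolves: CVE-2007-3304 CVE-2006-5752 CVE-2007-1863 (constructed entry)
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def scanner_cves(report):
    """CVE ids from the report's CVE: field(s), rejoining wrapped lines first."""
    chunks, in_cve = [], False
    for line in report.splitlines():
        if line.startswith("CVE:"):
            chunks.append(line[4:])
            in_cve = True
        elif in_cve and ":" not in line:  # continuation of a wrapped id list
            chunks[-1] += line
        else:
            in_cve = False                # any other Key:Value line ends the field
    return CVE_RE.findall(",".join(chunks))

def unconfirmed(report, changelog):
    """Scanner CVEs that the package changelog does not claim to fix; an empty
    list means every flagged id is covered by a backport in the installed rpm."""
    fixed = set(CVE_RE.findall(changelog))
    return sorted(c for c in scanner_cves(report) if c not in fixed)

def installed_changelog(package="httpd"):
    # Use the real changelog on an RPM host, the constructed sample elsewhere.
    if shutil.which("rpm") is None:
        return CHANGELOG_EXCERPT
    return subprocess.run(["rpm", "-q", "--changelog", package], capture_output=True, text=True).stdout

if __name__ == "__main__":
    print("unconfirmed:", unconfirmed(SCAN_EXCERPT, installed_changelog()))
```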