Vulnerabilities may also be found in NetVault's libcurl.
Example from our Tenable NESSUS libcurl scan results:
Path : /usr/netvault/dynlib/qsobject-libs/usr/lib/libcurl.so.4
Installed version: 7.77.0
Fixed version: 8.4.0
Cause
Nessus, like many other vulnerability scanners, checks for many vulnerabilities by looking for the existence of an API or library. However, the scans do not test whether the API or library is actually accessed by the software, and thus whether the vulnerability can be exploited.
For Linux Operating Systems, when upgrading to NetVault Server version 13.2, the installer does not remove files of older versions of libssl 1.0.1, libssl 1.0.2, and libcurl 7.77.0 that are located in the dynlib directory under the NetVault installation folder. As a result, vulnerability scans might encounter the files of older versions of libssl and libcurl under the NetVault dynlib directory, and list the files as a part of the scan results. NetVault Server 13.2 does not access or use, directly or indirectly, these files of older versions of libssl and libcurl and does not access or use any of the related functionality. Therefore, NetVault is not affected by the vulnerabilities listed for older versions of libssl and libcurl libraries.
Resolution
NetVault Engineering has determined the following:
NetVault Server OpenSSL was upgraded to version 3.0.8 with NetVault Server 13.2.
In a new install of NetVault Server 13.2, there are no deployed files of older versions of libssl and libcurl libraries.
In an upgrade install to NetVault Server 13.2, the installer leaves behind files of older, unused versions of libssl and libcurl libraries (libssl 1.0.1, 1.0.2 and libcurl 7.77.0), which can be manually removed.
The files with older versions of libssl and libcurl libraries are left in the ../netvault/dynlib directory where QoreStor objects, binaries, and libraries are deployed. The old libssl and libcurl files in this directory can be removed. Do not remove the whole directory.
NetVault 13.2 does not access the older versions of libssl and libcurl libraries.
NetVault uses the QoreStor libraries librofsoca.so and librofsobjectoca.so.
Neither of the QoreStor libraries ('librofsoca.so' and 'librofsobjectoca.so') accesses the older versions of libssl and libcurl libraries.
Versions prior to NetVault Server 13.2 might have to be upgraded to NetVault Server 13.2 or later in order to benefit from the upgrade to OpenSSL version 3.0.8.
Future versions of NetVault Server will be updated to newer versions of OpenSSL.
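
Before removing the leftover files by hand, the scanner's finding (a file exists) can be compared with what is actually loaded. The following read-only check is an added example, not Quest's code or part of the original article. The file-name patterns `libssl.so*` and `libcurl.so*` are an assumption based on the `libcurl.so.4` path in the scan result above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit leftover libssl/libcurl files under a NetVault dynlib tree.
# Read-only: lists candidates and whether a running process maps them.
# It deletes nothing.

# find_leftover_libs DIR -> prints one candidate path per line.
# Assumption: the leftover files are named libssl.so* / libcurl.so*;
# adjust the patterns to the paths your scanner actually reports.
find_leftover_libs() {
    find "$1" \( -type f -o -type l \) \
        \( -name 'libssl.so*' -o -name 'libcurl.so*' \) 2>/dev/null | sort
}

# is_mapped PATH -> exit 0 if any running process has PATH mapped.
# Symlinks are resolved first because /proc/<pid>/maps shows real paths.
# Run as root, otherwise other users' maps files are unreadable.
is_mapped() {
    real=$(readlink -f -- "$1" 2>/dev/null) || real=$1
    grep -qsF -- "$real" /proc/[0-9]*/maps
}

# audit_dynlib DIR -> prints "<in-use|unused> <path>" for each candidate.
audit_dynlib() {
    find_leftover_libs "$1" | while IFS= read -r lib; do
        if is_mapped "$lib"; then
            echo "in-use $lib"
        else
            echo "unused $lib"
        fi
    done
}

# Usage (directory taken from the scan result path above):
#   audit_dynlib /usr/netvault/dynlib
```

The result is a snapshot of currently running processes, so run it while the NetVault services are active. Remove only individual files reported as `unused`, never the whole dynlib directory.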