Help Understanding CentOS 6.7 Security Updates

Support for security such as Firewalls and securing linux
dssec
Posts: 3
Joined: 2016/01/20 20:21:03

Help Understanding CentOS 6.7 Security Updates

Postby dssec » 2016/01/20 21:21:31

Hey guys

Hoping someone can help me understand how to patch vulnerabilities detected by Nexpose.

I am running a test instance of CentOS in AWS and have run yum update and installed all available updates. This has addressed the majority of vulnerabilities detected by Nexpose using a fully-authenticated scan.

However there are still 3 vulnerabilities that I am having a hard time validating/remediating:

CESA-2013:0568: dbus-glib security update (proof: dbus-glib - version 0.86-6.el6 is installed)
CESA-2015:2636: kernel security and bug fix update (proof: kernel - version 2.6.32-573.12.1.el6 is installed)
CESA-2015:1930: ntp security update (proof: ntp - version 4.2.6p5-5.el6.centos.2 is installed)

I have confirmed these versions are installed but am not sure how to remediate since there are no available updates for these 3 packages.
Can anyone suggest how I go about addressing these issues ?

Thanks

User avatar
avij
Forum Moderator
Posts: 2172
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: Help Understanding CentOS 6.7 Security Updates

Postby avij » 2016/01/20 23:20:34

Those are indeed the latest released versions of those packages. Does Nexpose show you the CVE IDs? Without knowing which vulnerability Nexpose is complaining about, it's hard to give you any good advice.

dssec
Posts: 3
Joined: 2016/01/20 20:21:03

Re: Help Understanding CentOS 6.7 Security Updates

Postby dssec » 2016/01/21 01:27:37

Hey Avij
Thanks for responding.

Here are additional details (I should have added previously....)

CESA-2015:2636: kernel security and bug fix update
https://web.nvd.nist.gov/view/vuln/deta ... -2015-2925
https://web.nvd.nist.gov/view/vuln/deta ... -2015-5307
https://web.nvd.nist.gov/view/vuln/deta ... -2015-7613
https://web.nvd.nist.gov/view/vuln/deta ... -2015-7872
https://web.nvd.nist.gov/view/vuln/deta ... -2015-8104

CESA-2013:0568: dbus-glib security update
https://web.nvd.nist.gov/view/vuln/deta ... -2013-0292
RH advisory: https://rhn.redhat.com/errata/RHSA-2013-0568.html

CESA-2015:1930: ntp security update
CVE-2015-5300 - no details published at this time
CVE-2015-7704 - no details published at this time
RH advisory: https://rhn.redhat.com/errata/RHSA-2015-1930.html

The kernel and ntp vulns look to be fairly recent, so its possible that there is a potential patch in the pipeline. The dbus-glib vuln is a couple of years old, so that is more surprising. What I would like to understand is how best to advise engineers to address these vulns.

Thanks again!

User avatar
avij
Forum Moderator
Posts: 2172
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: Help Understanding CentOS 6.7 Security Updates

Postby avij » 2016/01/21 03:46:50

A better title for this topic would have been "Help understanding Nexpose output". As far as I can see, all the CVEs you mentioned have been fixed in the package versions as listed in your first message, which you said you had verified that you have installed. I don't know why Nexpose thinks something is not right. As for the kernel, have you rebooted after you installed the kernel update? Does uname -r show the latest version, 2.6.32-573.12.1?

dssec
Posts: 3
Joined: 2016/01/20 20:21:03

Re: Help Understanding CentOS 6.7 Security Updates

Postby dssec » 2016/01/22 20:01:39

Hey Avij

Nexpose output is something I am very familiar with, I am less familiar with how CentOS patching, hence the post.

Looking at the notification:

- CESA-2013:0568: dbus-glib security update (proof: dbus-glib - version 0.86-6.el6 is installed)
From the CVE detail: "The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1" I take this to indicate that we would indeed be vulnerable since the version of dbus-glib is earlier than 0.100.1 ? Is that an accurate assesment ?

For the other 2 issues, it does look like the version installed is the latest, so I will open a case with Rapid7

Thanks

markkuk
Posts: 730
Joined: 2007/09/07 10:56:28
Location: Finland

Re: Help Understanding CentOS 6.7 Security Updates

Postby markkuk » 2016/01/22 22:59:03

dssec wrote:- CESA-2013:0568: dbus-glib security update (proof: dbus-glib - version 0.86-6.el6 is installed)
From the CVE detail: "The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1" I take this to indicate that we would indeed be vulnerable since the version of dbus-glib is earlier than 0.100.1 ? Is that an accurate assesment ?

No, it's completely wrong. You can't determine if you are vulnerable just by looking at version numbers because of Red Hat's policy of backporting security fixes. See also CentOS FAQs #21 and #22

User avatar
avij
Forum Moderator
Posts: 2172
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: Help Understanding CentOS 6.7 Security Updates

Postby avij » 2016/01/23 03:23:36

If you run rpm -q dbus-glib --changelog you should see the following:

* Mon Feb 20 2012 Colin Walters <walters@redhat.com> - 0.86-6
- Add patch from upstream for CVE-2013-0292
Resolves: #913077


This means CVE-2013-0292 has been fixed in dbus-glib-0.86-6.el6 as packaged by RHEL/CentOS.

aks
Posts: 2498
Joined: 2014/09/20 11:22:14

Re: Help Understanding CentOS 6.7 Security Updates

Postby aks » 2016/01/23 17:57:57

I don't know Nexpose at all, but often those kind of things just do string match on versions anyway...