Dolan-Gavitt, Brendan F.
2006-Jun-30 21:06 UTC
Determining vulnerability to issues described by SAs
Hi,

I've been trying for the past few days to come up with a method for checking a FreeBSD system to see if it is vulnerable to an issue described by a FreeBSD security advisory in some automated way, similar to the way portaudit can use VuXML to check for vulnerabilities in ports. Right now, I'm a bit stuck--there seem to be fairly major issues with all the methods I've come up with:

[1] Checking the patchlevel as reported by uname -r.
[2] Checking the RCS version tags in the source files listed as changed by the SA.
[3] Using ident on the binaries affected to extract the RCS tags of the source files used to compile them.

[1] Can fail if the user updates through binary patches of the sort offered by freebsd-update; as far as I can tell, these do not affect the output of uname unless they directly patch the kernel. Worse, the patchlevel reported may be up-to-date even if the userland is still vulnerable to an issue mentioned in an SA (e.g. if the user does a make buildkernel but not a make buildworld).

[2] Can fail if the user does not build from source to update the system.

[3] Should work in all cases (aside from custom modifications to the sources, but there's really no way to handle this case), but I don't know of any way to automatically determine what binary to ident based on the list of source files given in a security advisory.

All of the situations mentioned seem like they could be quite common. I'm fairly new to FreeBSD, so I may just be missing something here--is there a reliable way to determine if a system is patched according to a particular security advisory?

Thanks,
Brendan Dolan-Gavitt
Dolan-Gavitt, Brendan F. wrote:
> I've been trying for the past few days to come up with a method for
> checking a FreeBSD system to see if it is vulnerable to an issue
> described by a FreeBSD security advisory in some automated way [...]

Yes, this is a problem.

> [1] Checking the patchlevel as reported by uname -r.
> [2] Checking the RCS version tags in the source files listed as
> changed by the SA
> [3] Using ident on the binaries affected to extract the RCS
> tags of the source files used to compile them.
>
> [1] Can fail if the user updates through binary patches of the sort
> offered by freebsd-update; as far as I can tell, these do not affect
> the output of uname unless they directly patch the kernel. Worse, the
> patchlevel reported may be up-to-date even if the userland is still
> vulnerable to an issue mentioned in an SA (e.g. if the user does a make
> buildkernel but not a make buildworld).

Yes. Also, the instructions contained in advisories usually involve rebuilding only the affected part(s) of FreeBSD -- we've considered having a "kernel patch number" and "userland patch number" separately, but even this wouldn't really work.

> [2] Can fail if the user does not build from source to update the
> system.

It would also fail if people update their src tree by applying the patches distributed on http://security.freebsd.org/, since these patches don't modify the $FreeBSD$ CVS tags.

> [3] Should work in all cases (aside from custom modifications to the
> sources, but there's really no way to handle this case), but I don't
> know of any way to automatically determine what binary to ident based
> on the list of source files given in a security advisory.

Most binaries do not include $FreeBSD$ tags corresponding to all of the source files used to compile them, so this approach doesn't work very well, even if the user is updating their source tree with a method which propagates the $FreeBSD$ tags.

In addition, FreeBSD Update does not include updated $FreeBSD$ tags, since the new values in those tags are generated at commit time, well after the FreeBSD Update builds are run.

> I'm fairly new to FreeBSD, so I may just be missing something
> here--is there a reliable way to determine if a system is patched
> according to a particular security advisory?

In short, no. If you have any ideas, let me know. :-)

Colin Percival
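As an added illustration of checks [1] and [3] from the question above, and of why the reply calls them unreliable, here is example code that is not part of the thread: it parses a `uname -r` patch level and emulates `ident(1)` on a binary, returning "undecidable" (None) whenever the evidence is absent. The advisory values, file path and binary contents are constructed samples, not real advisory data.

```python
import re

# Constructed sample values, not a real advisory: the patch level at which the
# advisory's "Corrected" section would say each release branch is fixed, and the
# $FreeBSD$ revisions of the source files the advisory lists as changed.
SA_CORRECTED = {"RELENG_6_1": 2, "RELENG_5_5": 3}
SA_FIXED_REVS = {"src/lib/libc/gen/example.c": "1.12.2.1"}

def parse_uname(release):
    """Turn uname -r output such as '6.1-RELEASE-p2' into (branch, patchlevel).
    -STABLE/-CURRENT carry no patch level, so they yield None."""
    m = re.fullmatch(r"(\d+)\.(\d+)-RELEASE(?:-p(\d+))?", release)
    if not m:
        return None
    major, minor, p = m.groups()
    return ("RELENG_%s_%s" % (major, minor), int(p or 0))

def patchlevel_fixed(release):
    """Check [1]: is the reported patch level at or past the corrected one?
    None means undecidable. Caveat from the thread: a binary update via
    freebsd-update, or a buildkernel without buildworld, can leave the
    userland vulnerable while uname -r already reports the fixed level."""
    parsed = parse_uname(release)
    if parsed is None or parsed[0] not in SA_CORRECTED:
        return None
    return parsed[1] >= SA_CORRECTED[parsed[0]]

# A $FreeBSD$ keyword as expanded by CVS: "$FreeBSD: path,v rev date time user Exp $"
TAG_RE = re.compile(rb"\$FreeBSD: (\S+),v (\d+(?:\.\d+)*) ")

def ident_tags(blob):
    """Check [3]: emulate ident(1) by pulling expanded $FreeBSD$ tags out of a binary."""
    return {p.decode(): r.decode() for p, r in TAG_RE.findall(blob)}

def rev_tuple(rev):
    return tuple(int(x) for x in rev.split("."))

def binary_fixed(blob, fixed_revs=SA_FIXED_REVS):
    """Compare each listed source file's revision with the tag compiled into the
    binary. Returns (verdict, missing): verdict is None when any listed file has
    no tag in the binary, which the reply notes is the common case."""
    tags = ident_tags(blob)
    missing = sorted(f for f in fixed_revs if f not in tags)
    if missing:
        return None, missing
    return all(rev_tuple(tags[f]) >= rev_tuple(r) for f, r in fixed_revs.items()), []

# Constructed stand-ins for three binaries (a few bytes around an embedded tag).
BIN_FIXED = b"\x7fELF..\x00$FreeBSD: src/lib/libc/gen/example.c,v 1.12.2.1 2006/06/30 12:00:00 user Exp $\x00"
BIN_OLD = b"\x7fELF..\x00$FreeBSD: src/lib/libc/gen/example.c,v 1.12 2005/01/01 00:00:00 user Exp $\x00"
BIN_UNTAGGED = b"\x7fELF..\x00no keywords here\x00"
```

Treat a None verdict as "not proven patched" rather than "patched"; the thread's point is that both checks produce exactly that outcome on systems updated by freebsd-update or by source patches.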