Alert Logic appliances are scanned by customers with a variety of network-based vulnerability scanners, and vulnerabilities are often reported in these scan results. Depending on what has been discovered, remediation or mitigation may be necessary, or may already have been applied. Use the information and table in this article to validate or dispute observations you encounter in your environment.
Regarding Network Vulnerability Scanner Behavior
It is important to note that there are many different network vulnerability scanners available on the market. Scanners vary in how they identify and classify vulnerabilities; one challenge common to all of them, however, is the inability to reliably enumerate software versions. As a result, scan results can raise false alarms.
Generic port scans can detect which services are running and which ports are open, whether or not credentials are used for the scan. Because a scanner only has access to the service headers (banners) it receives, it is difficult for it to determine which version of a given software application is running.
For example, a customer may use Apache HTTPD as their web server. When scanning the customer's web servers, the scanner may determine that Apache is running on the instance, but if it cannot enumerate the Apache version, it will report that the instance may be exposed to any or all of the Apache vulnerabilities ever identified.
Managing Scanner Variability
Because findings vary between vulnerability scanning engines, Alert Logic scans its appliances with the Alert Logic vulnerability scanner. Standardizing on its own engine allows Alert Logic to avoid the variability of responding to results escalated from multiple scanning engines. Even so, some observations are inferred from the detected OS version alone and may or may not be valid, because the OS is hardened and minimized to serve only the specific functions of the applications running on the instance.
Observation Validation
Based on risk and impact, true positives should be mitigated or remediated, the appliance should be upgraded to the latest version, and, depending on the purpose of the scan, invalid observations may need to be disputed.
The table below lists detected and verified observations along with the affected appliance versions and the mitigation or remediation applied:
Vulnerability | CVSS Risk | Appliance Affected | Mitigation | National Vulnerability Database | Vendor |
CVE-2004-1653 - OpenSSH - Port-Bouncing Issue | Medium | None | Mitigated: only admin ssh users on appliance; sshd listener limited to specific trusted source IPs | https://nvd.nist.gov/vuln/detail/CVE-2004-1653 | https://access.redhat.com/security/cve/cve-2004-1653 |
CVE-2007-2768 - OpenSSH - Information Disclosure Issue | Medium | None | Not affected: OPIE not included with WSM OS | https://nvd.nist.gov/vuln/detail/CVE-2007-2768 | https://access.redhat.com/security/cve/cve-2007-2768 |
CVE-2010-4478 - OpenBSD - OpenSSH - Security Bypass Issue | High | None | Not affected: J-PAKE not included in WSM OS | https://nvd.nist.gov/vuln/detail/CVE-2010-4478 | https://access.redhat.com/security/cve/cve-2010-4478 |
CVE-2010-4755 - OpenBSD - OpenSSH - Denial of Service Issue | Medium | None | Mitigated: only admin ssh users; sshd listener limited to specific trusted source IPs; WSM OS (CentOS 6) not affected according to OS provider | https://nvd.nist.gov/vuln/detail/CVE-2010-4755 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4755 |
CVE-2010-5107 - OpenBSD - OpenSSH - Denial of Service Issue | Medium | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2010-5107 | https://access.redhat.com/errata/RHSA-2013:1591 |
CVE-2014-1692 - OpenSSH - Memory Corruption Issue | High | None | Not affected: J-PAKE not included with WSM OS | https://nvd.nist.gov/vuln/detail/CVE-2014-1692 | https://access.redhat.com/security/cve/cve-2014-1692 |
CVE-2014-2532 - OpenBSD - OpenSSH - Security Bypass Issue | Medium | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2014-2532 | https://access.redhat.com/security/cve/cve-2014-2532 ; https://access.redhat.com/errata/RHSA-2014:1552 |
CVE-2014-2653 - OpenBSD - OpenSSH - Security Bypass Issue | Medium | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2014-2653 | https://access.redhat.com/errata/RHSA-2014:1552 |
CVE-2015-5352 - OpenSSH - Security Bypass Issue | Medium | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2015-5352 | https://access.redhat.com/security/cve/cve-2015-5352 ; https://access.redhat.com/errata/RHSA-2016:0741 |
CVE-2015-5600 - OpenSSH - Denial of Service Issue | High | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2015-5600 | https://access.redhat.com/errata/RHSA-2016:0466 |
CVE-2015-6564 - OpenSSH - Use-After-Free Issue | High | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2015-6564 | https://access.redhat.com/security/cve/cve-2015-6564 ; https://access.redhat.com/errata/RHSA-2016:0741 |
CVE-2015-8325 - OpenSSH - Privilege Escalation Issue | High | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2015-8325 | https://access.redhat.com/errata/RHSA-2017:0641 |
CVE-2016-0777 - OpenSSH - Information Disclosure Issue | Medium | None | Not affected: WSM OS version (CentOS 6) not affected according to OS provider | https://nvd.nist.gov/vuln/detail/CVE-2016-0777 | https://access.redhat.com/security/cve/cve-2016-0777 |
CVE-2016-0778 - OpenSSH - Buffer Overflow Issue | High | None | Not affected: WSM OS version (CentOS 6) not affected according to OS provider | https://nvd.nist.gov/vuln/detail/CVE-2016-0778 | https://access.redhat.com/security/cve/cve-2016-0778 |
CVE-2016-10009 - OpenSSH - Untrusted Search Path Issue | High | All | Mitigated: outbound ssh connections (if any) are only made to trusted hosts in trusted networks; this is enforced in the recommended firewall configuration for outbound connections from WSM | https://nvd.nist.gov/vuln/detail/CVE-2016-10009 | https://access.redhat.com/security/cve/cve-2016-10009 |
CVE-2016-10010 - OpenSSH - Privilege Escalation Issue | High | None | Not affected: WSM OS version (CentOS 6) not affected according to OS provider | https://nvd.nist.gov/vuln/detail/CVE-2016-10010 | https://access.redhat.com/security/cve/cve-2016-10010 |
CVE-2016-10012 - OpenSSH - Privilege Escalation Issue | High | Yes | Very low risk: successful exploitation of another remotely exploitable vulnerability that provides access to the sandboxed privilege-separation process is required first; sshd listener limited to specific trusted source IPs; risk of exploitation considered too low by OS provider to warrant fixing | https://nvd.nist.gov/vuln/detail/CVE-2016-10012 | https://access.redhat.com/security/cve/cve-2016-10012 |
CVE-2016-10708 - OpenSSH - Denial of Service Issue | High | Yes | Mitigated: only affects the ssh session in which the vulnerability is exploited; sshd listener limited to specific trusted source IPs; testing by OS provider shows that successful exploitation affects only the ssh session in which it takes place, not the ssh daemon itself | https://nvd.nist.gov/vuln/detail/CVE-2016-10708 | https://access.redhat.com/security/cve/cve-2016-10708 |
CVE-2016-1908 - OpenSSH - Privilege Escalation Issue | Critical | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2016-1908 | https://access.redhat.com/errata/RHSA-2016:0741 |
CVE-2016-3115 - OpenSSH - Multiple CRLF Injection Issues | Medium | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2016-3115 | https://access.redhat.com/errata/RHSA-2016:0466 |
CVE-2016-6210 - OpenSSH - Weak Encryption Issue | Medium | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2016-6210 | https://access.redhat.com/errata/RHSA-2017:2563 |
CVE-2016-6515 - OpenSSH - Denial of Service Issue | High | Yes, < 4.5.9.0 (unreleased) | Upstream patch applied | https://nvd.nist.gov/vuln/detail/CVE-2016-6515 | https://access.redhat.com/security/cve/cve-2016-6515 |
CVE-2017-15906 - OpenSSH - Security Bypass Issue | Medium | None | Not relevant, as all users that connect to the appliance can create files (only admin users on appliance, no read-only users); WSM OS (CentOS) not affected according to OS provider | https://nvd.nist.gov/vuln/detail/CVE-2017-15906 | https://access.redhat.com/security/cve/cve-2017-15906 |
CVE-2018-15473 - OpenSSH - User Enumeration Issue | Medium | Yes, < 4.5.8.0 | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2018-15473 | https://access.redhat.com/security/cve/cve-2018-15473 ; https://access.redhat.com/errata/RHSA-2019:0711 |
CVE-2019-6109 - OpenSSH - Man-in-the-Middle Issue | Medium | All | Mitigated: outbound SSH connections (if any) are only made to trusted networks; this is enforced in the recommended firewall configuration for outbound connections from WSM | https://nvd.nist.gov/vuln/detail/CVE-2019-6109 | https://access.redhat.com/security/cve/cve-2019-6109 |
CVE-2019-6110 - OpenSSH - Man-in-the-Middle Issue | Medium | All | Mitigated: outbound SSH connections (if any) are only made to trusted networks; this is enforced in the recommended firewall configuration for outbound connections from WSM | https://nvd.nist.gov/vuln/detail/CVE-2019-6110 | https://access.redhat.com/security/cve/cve-2019-6110 |
CVE-2019-6111 - OpenSSH - Arbitrary File Overwrite Issue | Medium | All | Mitigated: outbound SSH connections (if any) are only made to trusted networks; this is enforced in the recommended firewall configuration for outbound connections from WSM | https://nvd.nist.gov/vuln/detail/CVE-2019-6111 | https://access.redhat.com/security/cve/cve-2019-6111 |
TLS/SSL Self-signed Certificate | High | All | Mitigated: appliance admin interface only exposed to private network and Alert Logic backend | N/A | N/A |
OpenSSH - Weak ciphers supported | Medium | Yes, < 4.5.7.0 | Vendor patch applied | N/A | N/A |
OpenSSH - Insecure DH Group | Medium | Yes, < 4.5.7.0 | Vendor patch applied | N/A | N/A |
OpenSSH - Weak MAC Algorithms | Medium | Yes, < 4.5.7.0 | Vendor patch applied | N/A | N/A |
HTTP TRACE - Cross-Site Tracking (XST) | Medium | Yes, < 4.5.8.0 | Remediated: support for the method in the admin service removed | N/A | N/A |
SSL - Certificate Hostname Discrepancy (Subject: wsm.alertlogic.com) | Medium | All | Mitigated: admin interface only exposed to private network and Alert Logic backend | N/A | N/A |
CVE-1999-0524 - ICMP Timestamp Request | Low | All | Not considered a vulnerability by OS provider: enumeration of timestamp and netmask only; no risk of loss of Confidentiality, Integrity, or Availability | https://nvd.nist.gov/vuln/detail/CVE-1999-0524 | N/A |
CVE-2012-0814 - OpenSSH - Information Disclosure Issue | Low | All | Mitigated: no impact, as only admin ssh users on appliance | https://nvd.nist.gov/vuln/detail/CVE-2012-0814 | https://access.redhat.com/security/cve/cve-2012-0814 |
CVE-2011-5000 - OpenSSH - Denial of Service Issue | Low | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2011-5000 | https://access.redhat.com/errata/RHSA-2012:0884 |
CVE-2011-4327 - OpenSSH - Information Disclosure Issue | Low | None | Not affected: WSM OS version (CentOS 6) not affected according to OS provider | https://nvd.nist.gov/vuln/detail/CVE-2011-4327 | https://bugzilla.redhat.com/show_bug.cgi?id=755640 |
CVE-2015-6563 - OpenSSH - Spoofing Issue | Low | None | Vendor patch applied | https://nvd.nist.gov/vuln/detail/CVE-2015-6563 | https://access.redhat.com/errata/RHSA-2016:0741 |
CVE-2016-10011 - OpenSSH - Information Disclosure Issue | Low | All | Mitigated | https://nvd.nist.gov/vuln/detail/CVE-2016-10011 | https://access.redhat.com/security/cve/cve-2016-10011 ; https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-10011 |
CVE-2018-20685 - OpenSSH - Access Bypass Issue | Low | All | Mitigated: outbound SSH connections (if any) are only made to trusted networks; this is enforced in the recommended firewall configuration for outbound connections from WSM | https://nvd.nist.gov/vuln/detail/CVE-2018-20685 | https://access.redhat.com/security/cve/cve-2018-20685 |
Web Service is Running | Low | All | False positive: required for the product user interface running on the observed port | N/A | N/A |
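As an added example, not part of this Alert Logic article or its tooling, the following Python triages a scanner finding against the "Appliance Affected" and "Mitigation" columns of the table above. It keys on the appliance's own release version rather than the service banner, because the vendor patches listed in the table are backported and do not change the OpenSSH version string a scanner sees. The OBSERVATIONS dictionary is a hand-copied excerpt of a few rows (the full table remains authoritative), and the finding names and appliance versions passed in are constructed inputs.

```python
import re

# Hand-copied excerpt of the observation table above: finding ->
# (Appliance Affected, Mitigation). Constructed for this example only.
OBSERVATIONS = {
    "CVE-2015-5600": ("None", "Vendor patch applied"),
    "CVE-2016-10009": ("All", "Mitigated: outbound ssh only to trusted hosts"),
    "CVE-2016-10012": ("Yes", "Very low risk; sshd limited to trusted source IPs"),
    "CVE-2016-6515": ("Yes, < 4.5.9.0 (unreleased)", "Upstream patch applied"),
    "CVE-2018-15473": ("Yes, < 4.5.8.0", "Vendor patch applied"),
    "OpenSSH - Weak ciphers supported": ("Yes, < 4.5.7.0", "Vendor patch applied"),
}

def parse_version(text):
    """'4.5.8.0' -> (4, 5, 8, 0) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_constraint(constraint):
    """Map an 'Appliance Affected' cell to (affected, fixed_in_version_or_None)."""
    value = constraint.strip()
    if value == "None":
        return False, None
    if value == "All":
        return True, None
    match = re.fullmatch(r"Yes(?:,\s*<\s*(\d+(?:\.\d+)*)(?:\s*\(unreleased\))?)?", value)
    if match is None:
        raise ValueError(f"unrecognised 'Appliance Affected' value: {constraint!r}")
    return True, match.group(1)

def triage(finding, appliance_version):
    """Return (disposition, note) for one scanner finding on one appliance release."""
    if finding not in OBSERVATIONS:
        return "investigate", "not in the verified observation list"
    constraint, mitigation = OBSERVATIONS[finding]
    affected, fixed_in = parse_constraint(constraint)
    if not affected:
        return "dispute", f"no appliance version affected; {mitigation}"
    if fixed_in is not None:
        if parse_version(appliance_version) < parse_version(fixed_in):
            return "upgrade", f"fixed in {fixed_in}; {mitigation}"
        return "dispute", f"{appliance_version} is not below {fixed_in}; {mitigation}"
    # Affected on every release: rely on the documented compensating control.
    return "accept-mitigated", mitigation

if __name__ == "__main__":
    for finding in ("CVE-2018-15473", "CVE-2016-6515", "CVE-2016-10009", "Unlisted check"):
        print(finding, *triage(finding, "4.5.8.0"))
```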