From: "Dolan-Gavitt, Brendan F." <brendandg@mitre.org>
To: freebsd-security@freebsd.org
Date: Fri, 30 Jun 2006 17:06:29 -0400
Subject: Determining vulnerability to issues described by SAs

Hi,

I've been trying for the past few days to come up with a method for checking a FreeBSD system to see if it is vulnerable to an issue described by a FreeBSD security advisory in some automated way, similar to the way portaudit can use VuXML to check for vulnerabilities in ports. Right now, I'm a bit stuck--there seem to be fairly major issues with all the methods I've come up with:

[1] Checking the patchlevel as reported by uname -r.
[2] Checking the RCS version tags in the source files listed as changed by the SA.
[3] Using ident on the binaries affected to extract the RCS tags of the source files used to compile them.

[1] Can fail if the user updates through binary patches of the sort offered by freebsd-update; as far as I can tell, these do not affect the output of uname unless they directly patch the kernel. Worse, the patchlevel reported may be up-to-date even if the userland is still vulnerable to an issue mentioned in an SA (e.g. if the user does a make buildkernel but not a make buildworld).

[2] Can fail if the user does not build from source to update the system.

[3] Should work in all cases (aside from custom modifications to the sources, but there's really no way to handle this case), but I don't know of any way to automatically determine what binary to ident based on the list of source files given in a security advisory.

All of the situations mentioned seem like they could be quite common.
I'm fairly new to FreeBSD, so I may just be missing something here--is there a reliable way to determine if a system is patched according to a particular security advisory? Thanks, Brendan Dolan-Gavitt
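An added illustration of the ident-based check in method [3], not part of Brendan's post or of any FreeBSD tool: a POSIX sh script that reads the $FreeBSD$ tags ident prints for a binary, picks out the revision of one source file named in an advisory, and classifies it against the fixed revision the advisory gives for that branch. The ident output below is a constructed sample with hypothetical paths and revisions; the one thing the script adds beyond a naive numeric compare is branch awareness (a binary built at the branch point 1.89 is unfixed relative to 1.89.2.1, while 1.90 is a different branch and must be judged against the advisory's revision for that branch).

```shell
#!/bin/sh
# Classify a $FreeBSD$ revision found in a binary (via ident) against the
# fixed revision an advisory lists for the same branch.
# Prints one of: fixed, vulnerable, other-branch.
rev_status() {
    found=$1 required=$2
    while [ -n "$found" ] && [ -n "$required" ]; do
        f=${found%%.*} r=${required%%.*}
        # drop the leading component; the string is empty once it was the last one
        case $found in *.*) found=${found#*.} ;; *) found= ;; esac
        case $required in *.*) required=${required#*.} ;; *) required= ;; esac
        if [ "$f" -ne "$r" ]; then
            if [ -z "$found" ] && [ -z "$required" ]; then
                # same branch, only the last component differs
                [ "$f" -ge "$r" ] && echo fixed || echo vulnerable
            else
                # diverged before the last component: a different branch
                echo other-branch
            fi
            return 0
        fi
    done
    if [ -z "$found" ] && [ -z "$required" ]; then
        echo fixed          # identical revision
    elif [ -z "$found" ]; then
        echo vulnerable     # e.g. 1.89 vs 1.89.2.1: branch point before the fix
    else
        echo other-branch   # found lies on a sub-branch the advisory does not list
    fi
}

# Print the revision ident reported for one source path, written as in the
# advisory (e.g. src/lib/libc/gen/getpwent.c); prints nothing if no tag.
ident_rev() {
    printf '%s\n' "$1" | awk -v path="$2" \
        '$1 == "$FreeBSD:" && $2 == (path ",v") { print $3; exit }'
}

# check_ident IDENT_OUTPUT SOURCE_PATH FIXED_REV -> fixed|vulnerable|other-branch|no-tag
check_ident() {
    rev=$(ident_rev "$1" "$2")
    if [ -z "$rev" ]; then echo no-tag; else rev_status "$rev" "$3"; fi
}

# Constructed sample of ident output (hypothetical paths and revisions)
SAMPLE_IDENT='/lib/libc.so.6:
     $FreeBSD: src/lib/libc/gen/getpwent.c,v 1.89 2005/05/05 00:00:00 nobody Exp $
     $FreeBSD: src/lib/libc/gen/getgrent.c,v 1.40.2.1 2006/06/26 00:00:00 nobody Exp $'

check_ident "$SAMPLE_IDENT" src/lib/libc/gen/getpwent.c 1.89.2.1   # vulnerable
check_ident "$SAMPLE_IDENT" src/lib/libc/gen/getgrent.c 1.40.2.1   # fixed
```

On a live system the first argument would be "$(ident /path/to/binary)"; the script does not solve the source-file-to-binary mapping the post asks about, so the binary to inspect still has to be chosen by hand.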