Determining vulnerability to issues described by SAs

Dolan-Gavitt, Brendan F. brendandg at mitre.org
Fri Jun 30 21:06:32 UTC 2006


Hi,
  I've been trying for the past few days to come up with a method for
checking a FreeBSD system to see if it is vulnerable to an issue
described by a FreeBSD security advisory in some automated way, similar
to the way portaudit can use VuXML to check for vulnerabilities in
ports. Right now, I'm a bit stuck--there seem to be fairly major issues
with all the methods I've come up with:
	[1] Checking the patchlevel as reported by uname -r.
	[2] Checking the RCS version tags in the source files listed as
changed by the SA
	[3] Using ident on the binaries affected to extract the RCS
tags of the source files used to compile them.

[1] Can fail if the user updates through binary patches of the sort
offered by freebsd-update; as far as I can tell, these do not affect
the output of uname unless they directly patch the kernel. Worse, the
patchlevel reported may be up-to-date even if the userland is still
vulnerable to an issue mentioned in an SA (eg if the user does a make
buildkernel but not a make buildworld).

[2] Can fail if the user does not build from source to update the
system.

[3] Should work in all cases (aside from custom modifications to the
sources, but there's really no way to handle this case), but I don't
know of any way to automatically determine what binary to ident based
on the list of source files given in a security advisory.

All of the situations mentioned seem like they could be quite common.

  I'm fairly new to FreeBSD, so I may just be missing something
here--is there a reliable way to determine if a system is patched
according to a particular security advisory?

Thanks,
  Brendan Dolan-Gavitt
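As an added example (not part of the original message, and not a FreeBSD tool), the sketch below shows how methods [1] and [3] from the post can be mechanised: it parses the patch level out of a `uname -r` string, extracts `$FreeBSD$` RCS tags from `ident`-style output, and compares each revision with the fixed revision an advisory lists. The advisory table and the `ident` output are constructed sample data; on a real system the tag text would come from `ident` or `strings` run on the binary. The comparison only claims "patched" or "vulnerable" when both revisions sit on the same RCS branch (same leading components), because a HEAD revision such as 1.25 is not comparable with a release-branch revision such as 1.23.2.2; in that case it reports "unknown" rather than guessing.

```shell
#!/bin/sh
# Added example: not from the original post. Demonstrates methods [1] and [3]
# on constructed data; it does not query the running system.

# Method [1]: compare the -pN suffix of a `uname -r` string with the patch
# level the advisory says is fixed. As the post notes, this can say "patched"
# while userland is still vulnerable, so treat it as a hint only.
patchlevel_cmp() {
    rel=$1; need=$2
    case $rel in
        *-p[0-9]*) have=${rel##*-p} ;;   # "6.1-RELEASE-p2" -> "2"
        *)         have=0 ;;             # no -pN suffix at all
    esac
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Method [3]: turn ident-style output into "path revision" lines. Tag format
# assumed: $FreeBSD: src/lib/libc/gen/foo.c,v 1.23.2.1 2006/06/30 ... Exp $
extract_tags() {
    sed -n 's/.*\$FreeBSD: \([^ ,]*\),v \([0-9.][0-9.]*\) .*\$.*/\1 \2/p'
}

# Compare an installed RCS revision with the advisory's fixed revision.
# Prints "patched", "vulnerable" or "unknown" (different branch, so the
# numbers cannot be ordered, e.g. HEAD 1.25 vs RELENG 1.23.2.2).
cmp_rev() {
    have=$1; need=$2
    hb=${have%.*}; nb=${need%.*}         # branch prefix: everything but last field
    if [ "$hb" != "$nb" ]; then echo unknown; return; fi
    hl=${have##*.}; nl=${need##*.}       # last field, compared numerically
    if [ "$hl" -ge "$nl" ]; then echo patched; else echo vulnerable; fi
}

# Constructed advisory table (not a real SA): "path fixed-revision".
ADVISORY='src/lib/libc/gen/foo.c 1.23.2.2
src/sys/kern/bar.c 1.10.2.1'

# Constructed ident output for an imaginary binary built from mixed sources.
IDENT_OUT='/usr/bin/example:
     $FreeBSD: src/lib/libc/gen/foo.c,v 1.23.2.1 2006/06/30 12:00:00 user Exp $
     $FreeBSD: src/sys/kern/bar.c,v 1.10.2.1 2006/06/30 12:00:00 user Exp $
     $FreeBSD: src/lib/libc/gen/baz.c,v 1.5 2006/01/01 00:00:00 user Exp $'

# check_binary IDENT_TEXT ADVISORY_TEXT
# For every file the advisory names, print "path status". Files whose tag the
# binary does not embed are reported "absent": ident tells you nothing there,
# which is exactly the mapping gap the post describes.
check_binary() {
    tags=$(printf '%s\n' "$1" | extract_tags)
    printf '%s\n' "$2" | while read -r path need; do
        [ -z "$path" ] && continue
        have=$(printf '%s\n' "$tags" | awk -v p="$path" '$1==p {print $2}')
        if [ -z "$have" ]; then
            echo "$path absent"
        else
            echo "$path $(cmp_rev "$have" "$need")"
        fi
    done
}

# Sample run on the constructed data.
echo "patchlevel: $(patchlevel_cmp 6.1-RELEASE-p2 3)"
check_binary "$IDENT_OUT" "$ADVISORY"
```

Run as `sh check.sh`; the sample data yields one "vulnerable" line (foo.c is at 1.23.2.1, the advisory wants 1.23.2.2) and one "patched" line. The open problem from the post remains: nothing here maps an advisory's source file list to the binaries that embed those files, so in practice you would still have to feed `check_binary` the `ident` output of every candidate binary.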

