From: Mark Felder <feld@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Monitoring FreeBSD Base System Vulnerabilities
Date: Thu, 11 Aug 2016 17:33:02 -0500

The FreeBSD base system has been difficult to monitor for published vulnerabilities for a very long time. This will improve drastically when we finally achieve a packaged base system, but that leaves users of currently supported -RELEASE systems without a standardized option.

The freebsd-version(1) utility has existed since FreeBSD 10.0. This script is capable of correctly identifying the version of the FreeBSD kernel and the FreeBSD base system. It is an important step forward in helping users be confident in identifying the FreeBSD system's patch level.

I do not like reinventing the wheel, and it occurred to me that for a long time the FreeBSD SA announcements were properly documented in vuxml. This provided an opportunity and scratched an itch I had at work, so here goes nothing: I am presenting here a useful albeit unsupported method of monitoring FreeBSD for base system vulnerabilities via the pkg(8) utility, utilizing entries in the vuxml database.

The pkg(8) utility, as you probably know, can check your system for known vulnerable packages. It does this with the "pkg audit" command. Additionally, you can pass any package name and version string as an argument and it will check the database for results. It is possible to check your system against the vuxml database by converting the freebsd-version(1) output to the correct string and passing it to "pkg audit".
Example of checking the base system (note, this is /bin/sh syntax; the package name passed to "pkg audit" must carry the "FreeBSD-" prefix that vuxml uses for the base system, as the output below shows):

$ freebsd-version -u
10.3-RELEASE-p2
$ pkg audit "FreeBSD-$(freebsd-version -u | sed 's,-RELEASE-p,_,')"
FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Multiple vulnerabilities of ntp
CVE: CVE-2016-4957
CVE: CVE-2016-4956
CVE: CVE-2016-4955
CVE: CVE-2016-4954
CVE: CVE-2016-4953
WWW: https://vuxml.FreeBSD.org/freebsd/7cfcea05-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-10.3_2 is vulnerable:
libarchive -- multiple vulnerabilities
CVE: CVE-2015-2304
CVE: CVE-2013-0211
WWW: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html

FreeBSD-10.3_2 is vulnerable:
FreeBSD -- Heap vulnerability in bspatch
CVE: CVE-2014-9862
WWW: https://vuxml.FreeBSD.org/freebsd/7d4f4955-600a-11e6-a6c3-14dae9d210b8.html

Now we have results for the base system! Let's check the kernel (the kernel is tracked under the "FreeBSD-kernel" name):

$ pkg audit "FreeBSD-kernel-$(freebsd-version -k | sed 's,-RELEASE-p,_,')"
FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Buffer overflow in keyboard driver
CVE: CVE-2016-1886
WWW: https://vuxml.FreeBSD.org/freebsd/7bbc0e8c-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7cad4795-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Kernel stack disclosure in Linux compatibility layer
WWW: https://vuxml.FreeBSD.org/freebsd/7c5d64dd-600a-11e6-a6c3-14dae9d210b8.html

FreeBSD-kernel-10.3_2 is vulnerable:
FreeBSD -- Incorrect argument handling in sendmsg(2)
CVE: CVE-2016-1887
WWW: https://vuxml.FreeBSD.org/freebsd/7c0bac69-600a-11e6-a6c3-14dae9d210b8.html

The results speak for themselves.

I have recently finished adding all missing entries to the vuxml database that affect -RELEASE systems since 2013. This covers the tail end of 8.x, much of 9.x, and bleeds into the 10.x RELEASE lifetime.
Older systems are End of Life and never supported the FreeBSD pkg(8) utility anyway, so I have not put in the effort to search out those missing entries.

This method can be used on FreeBSD systems that do not have the freebsd-version(1) utility, but you will not have a reliable method to get the version of the FreeBSD base system. You can pull the kernel version from uname(1), but you will have to devise your own method of keeping track of the base system version. Beware of the leopard, etc.

I hope you find this a valuable method for discovering vulnerabilities affecting your servers and that it helps you assess risk and plan patch management. Please remember this is not endorsed by secteam and is liable to be full of errors or out of date. I would suggest using this as one of several methods of assessing your systems.

Moving forward I hope to better coordinate with secteam to ensure we have new FreeBSD SAs entered in the vuxml database in a timely manner.

-- 
Mark Felder
ports-secteam member
feld@FreeBSD.org
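The one-line sed in the post only handles a "-RELEASE-pN" string. The following /bin/sh script is an added example (not Mark's script and not part of the message above) that wraps the same conversion in a function handling the two cases a supported system can report, a patched release ("10.3-RELEASE-p2") and an unpatched one ("10.3-RELEASE"), and that refuses anything that is not a -RELEASE version, since vuxml does not track -STABLE or -CURRENT under these package names. The "FreeBSD-" / "FreeBSD-kernel-" name mapping is taken from the pkg audit output in the post; audit_base is only runnable on a FreeBSD host with pkg(8) and freebsd-version(1).

```shell
#!/bin/sh
# Map a freebsd-version(1) string to the package name/version vuxml uses for
# the base system, suitable as an argument to "pkg audit".
#   vuxml_name userland 10.3-RELEASE-p2  -> FreeBSD-10.3_2
#   vuxml_name kernel   10.3-RELEASE-p2  -> FreeBSD-kernel-10.3_2
#   vuxml_name userland 10.3-RELEASE     -> FreeBSD-10.3   (patch level 0)
# Returns 1 for non-RELEASE branches, 2 for an unknown kind.
vuxml_name() {
    kind=$1
    ver=$2
    case $kind in
        userland) prefix=FreeBSD ;;
        kernel)   prefix=FreeBSD-kernel ;;
        *) echo "vuxml_name: unknown kind '$kind'" >&2; return 2 ;;
    esac
    case $ver in
        *-RELEASE-p*)
            # "10.3-RELEASE-p2" -> "10.3_2" (the post's sed, prefixed)
            echo "$prefix-$(printf '%s\n' "$ver" | sed 's,-RELEASE-p,_,')" ;;
        *-RELEASE)
            # "10.3-RELEASE" -> "10.3": no patch level has been applied yet
            echo "$prefix-${ver%-RELEASE}" ;;
        *)
            # -STABLE, -CURRENT, -BETA, -RC: not tracked under these names
            echo "vuxml_name: '$ver' is not a -RELEASE version" >&2
            return 1 ;;
    esac
}

# Audit userland (-u) and kernel (-k) in one go. Exit status is non-zero if
# pkg audit reports a vulnerability or a version could not be mapped, so it
# can be dropped into a cron job or monitoring check as-is.
audit_base() {
    rc=0
    for kind in userland kernel; do
        case $kind in userland) flag=-u ;; kernel) flag=-k ;; esac
        name=$(vuxml_name "$kind" "$(freebsd-version "$flag")") || { rc=1; continue; }
        pkg audit "$name" || rc=1
    done
    return $rc
}
```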