Educause Security Discussion mailing list archives

Re: False positives scanning Red Hat servers running Apache


From: Allison Henry <akhenry () BERKELEY EDU>
Date: Thu, 26 Apr 2007 08:57:07 -0700

Yes we see this problem with many vendors that backport patches --
Apple, Ubuntu, RedHat, etc. And it is also possible that the sysadmin
has taken other actions to mitigate the vulnerability, such as disabling
the affected Apache modules, and we can't detect that either with
version checking scans. We add a short disclaimer to our vulnerability
notices:

    Be aware that in some cases the "vulnerability" shown points
    only to a potential problem:  for example, the scanner may have
    detected a version of software that would be vulnerable only if
    not patched, yet it cannot tell that a patch has been applied.

While our scanner is capable of intrusive checks, I believe it is best
to pass on the information we collect to the sysadmins for
investigation, rather than risk running a DoS attack on our own network.
It is less of an inconvenience to the sysadmins to check out a potential
vulnerability than to restore a service brought down by the scanners.

Allison Henry
System and Network Security
University of California, Berkeley
http://security.berkeley.edu

Clifford Collins wrote:
I've recently been scanning some servers on our campus that have
returned known vulnerabilities for Apache. I forwarded the results to
our Linux systems administrator. He investigated the claims and declared
them as false positives. His explanation was that Red Hat "backports"
patches to stable versions rather than deploying the newer version
because newer versions can introduce new features or changes that render
an existing server non-functional.  He was also critical of the scanner
for failing to detect the patches and relying on the reported version
number from a web query.

Has anybody encountered this problem? Is there a solution or a product
that can detect undeclared patches on a Red Hat server without actually
doing a penetration test? Is there a query that will yield the patch
level? Your suggestions and comments are welcome!

Clifford A. Collins
Network Security Administrator
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"
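As an added example, not part of this thread or of either poster's message: the query Clifford asks for is the RPM changelog. Red Hat records a backported fix in the package changelog and bumps the release number, while the version the banner reports stays the same, so the check belongs on the server, not in the scanner. The package name, CVE id, bug number and banner below are constructed placeholders, not real advisories.

```sh
#!/bin/sh
# Added example, not from the thread: verify a "vulnerable version" finding
# against the Red Hat package changelog instead of the Apache banner.
# Red Hat backports fixes without bumping the upstream version, so the
# banner stays e.g. "Apache/2.0.52" while the RPM release number changes and
# the fix is recorded in `rpm -q --changelog`.

# Constructed sample of `rpm -q --changelog httpd` output. The CVE id and
# bug number are placeholders, not real advisories.
SAMPLE_CHANGELOG='* Tue Apr 10 2007 Example Packager <packager@example.invalid> - 2.0.52-28
- add security fix for CVE-0000-0001 (mod_example request handling)
- Resolves: rhbz#000000

* Mon Jan 15 2007 Example Packager <packager@example.invalid> - 2.0.52-27
- rebuild against new apr'

# Constructed sample of the Server header a banner-grabbing scanner sees.
SAMPLE_BANNER='Server: Apache/2.0.52 (Red Hat)'

# banner_version: print the version from a Server header on stdin.
# It carries no release number, which is exactly what the scanner lacks.
banner_version() {
    sed -n 's/^Server: Apache\/\([0-9.]*\).*/\1/p'
}

# newest_release: print the version-release of the newest changelog entry
# (first line of the changelog) from stdin, e.g. 2.0.52-28.
newest_release() {
    sed -n '1s/.* - //p'
}

# changelog_has_fix CVE-ID: read a changelog on stdin, exit 0 if any entry
# mentions the CVE id (fixed-string match, so the dots are literal).
changelog_has_fix() {
    grep -qF -- "$1"
}

# backport_check PKG CVE-ID: the same check against the live RPM database.
# Only works on an RPM-based host; returns 2 if rpm is not available.
backport_check() {
    command -v rpm >/dev/null 2>&1 || return 2
    rpm -q --changelog "$1" | changelog_has_fix "$2"
}

# Typical use on the server the scanner flagged:
#   backport_check httpd CVE-0000-0001 && echo "fix is backported"
```

A changelog hit shows that the packager addressed the CVE in that release; confirm the installed release with `rpm -q httpd` and the errata text, since an entry can also record that a package was reviewed and found not affected. Mitigations of the kind Allison mentions, such as a module disabled in the Apache configuration, show up in neither the banner nor the changelog and still need a look at the running configuration.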
