False identification of Adobe Reader on iLO device

false_positive

#1

OpenVAS is identifying all of our iLO cards (HP Lights-Out 100) as having Adobe Reader. The cards are very dumb, and do not even support installing software, let alone something like Adobe Reader. They’re not really even “modern” devices, although we do provide OpenVAS with SSH credentials to them.

They’re hardware version 1.0, firmware version 4.26, and list their description as DL160 G6, if that helps anyone somehow.

We show many medium and high Adobe vulnerabilities on these devices, with obviously bungled “Location” tags, making me think a parsing error has occurred in some CPE lister somewhere.

I know that …800108 is not an oid that carries risk, but I thought its output (two different firings of 800108 in the same scan) might be helpful in diagnosing why this is happening. Its output is below, and the descriptions are given exactly as they appear - mismatched quotes, trailing periods, and all (although indented for this forum):

From one:

port: general/tcp
oid: 1.3.6.1.4.1.25623.1.0.800108
qod value: 80
qod type: executable version
description:
    Detected Adobe Reader

    Version:  7
    Location: /bin/sh -c 'LANG=C; LC_ALL=C; find "/" -maxdepth 7 -mindepth 1 \( -path "*/proc"
    CPE:      cpe:/a:adobe:acrobat_reader:7

    Concluded from version/product identification result:
    7

From another:

port: general/tcp
oid: 1.3.6.1.4.1.25623.1.0.800108
qod value: 80
qod type: executable version
description:
    Detected Adobe Reader

    Version:  .
    Location:  -o -path "/run" -o -path "/dev" -o -path "/sys" -o -path "/media" -o -path "/tm
    CPE:      cpe:/a:adobe:acrobat_reader:.

    Concluded from version/product identification result:
    .

Does anyone have the faintest clue how to address this issue? Thanks in advance!


#2

Thanks for your report and the detailed information provided. There indeed seems to be something uncommon on this iLO device, so that the functions trying to find a file and extract the information from it show an unexpected behavior.

If you have the possibility and an installation with the openvas-nasl command line tool at hand, it would be great if you could provide the output (please use a terminal with unlimited scrolling, as it might be a longer output), either as an attachment here or via a direct message to me (if it contains too much sensitive data):

openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t <target> --kb="Services/ssh=22" --kb="Secret/SSH/login=<username>" --kb="Secret/SSH/password=<password>" --kb="global_settings/ssh/debug=1" gather-package-list.nasl os_detection.nasl gb_unknown_os_service_reporting.nasl gb_adobe_prdts_detect_lin.nasl

Before running the command you might need to change into the /var/lib/openvas/plugins folder (the path depends on your installation and might need to be adapted to your environment).


#3

Thanks for your reply. Attached is the output of the command you provided. iLO-ov-output (13.4 KB)

Just a bit more background about the device, in case it helps. The prompt for the device is

/./->

and is not configurable. There is no /bin/sh, or any sh or bash anywhere for that matter. It’s a pretty rudimentary command line, and I think the only valid commands are “cd”, “version”, “exit”, “show”, and “help”.

The device does have a web console, which is how one manages it.

Note that the output is the same for all of our iLO devices (except of course the IP).


#4

Just realized stderr did not make it into that file. Attached is the output of that same command, but including stderr. iLO-ov-output-with-stderr (17.6 KB)


#5

Thanks again for your response and for providing such detailed information; this has helped quite a lot to understand what's happening here.

Two changes were made which should solve the issue seen here:

  1. Basic detection of such an HP iLO device was implemented (stay tuned for an additional detection and version gathering script in the next few weeks). This also includes setting the internal information within the SSH implementation on the NASL side to not launch VTs which require Linux/Unix tools like find, cat etc. to be available on the target system.

  2. The Adobe Reader Detection script was updated to be less error prone once such unexpected responses are received.

Those changes will have arrived in the feed once the “Determine OS and list of installed packages via SSH login” VT (OID: 1.3.6.1.4.1.25623.1.0.50282) has reached the feed with revision r13537.
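The two fixes described in the last reply (do not run VTs that need Unix tools against a device that has none, and do not turn garbage output into a version and CPE) can be illustrated in plain Python. This is an added example, not Greenbone's NASL code or the actual VT logic: the `find` command line is a constructed approximation of the fragments visible in post #1, the `AcroVersion` file name is a placeholder, the two fake targets are stand-ins (the iLO one is assumed to echo unrecognised input back, which is consistent with the truncated "Location" fields in post #1 but is not confirmed by the thread), and the 16-character echo threshold is an arbitrary choice.

```python
import re
from typing import Callable, Optional

# A "transport": runs one command on the target over SSH and returns its output.
SshRun = Callable[[str], str]

# Constructed approximation of the kind of find command whose fragments appear
# in the thread's "Location" fields; the real VT command line is not on the page.
# "AcroVersion" is a placeholder file name, not the file the VT looks for.
FIND_CMD = ('LANG=C; LC_ALL=C; find "/" -maxdepth 7 -mindepth 1 '
            '\\( -path "*/proc" -o -path "/run" -o -path "/dev" -o -path "/sys" '
            '-o -path "/media" -o -path "/tmp" \\) -prune -o -type f '
            '-name "AcroVersion" -print 2>/dev/null')

ILO_PROMPT = "/./->"                                       # from post #3
ILO_COMMANDS = {"cd", "version", "exit", "show", "help"}   # from post #3
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")  # digits separated by single dots


def is_ilo_shell(run: SshRun) -> bool:
    """Basic HP iLO detection: the non-configurable '/./->' prompt plus a
    'help' output that lists (at least) the five commands named in the thread.
    A target that matches gets no Unix-tool-based VTs at all."""
    out = run("help")
    words = set(re.findall(r"[a-z]+", out.lower()))
    return ILO_PROMPT in out and ILO_COMMANDS <= words


def is_command_echo(cmd: str, out: str) -> bool:
    """True when the target returned the command text instead of executing it.
    Echoed output arrives wrapped or truncated (see post #1), so we test each
    output line for being a substring of the command rather than comparing
    the whole string. 16 characters is an arbitrary lower bound chosen so that
    short genuine lines (a prompt, an empty line) do not trigger it."""
    for line in out.splitlines():
        line = line.strip()
        if len(line) >= 16 and line in cmd:
            return True
    return False


def parse_version(raw: str) -> Optional[str]:
    """Accept only a plausible version string. '.' and '' (what the thread's
    second finding concluded) are rejected instead of becoming a CPE."""
    v = raw.strip()
    return v if VERSION_RE.match(v) else None


def detect_adobe_reader(run: SshRun) -> Optional[dict]:
    """Return {'version', 'location', 'cpe'} or None. Three guards, in order:
    1. known tool-less device -> do not run find/cat at all;
    2. find output that is just the command echoed back -> no result;
    3. every candidate location must look like a path and yield a sane version."""
    if is_ilo_shell(run):
        return None
    out = run(FIND_CMD)
    if is_command_echo(FIND_CMD, out):
        return None
    for line in out.splitlines():
        path = line.strip()
        if not path.startswith("/"):
            continue
        version = parse_version(run(f'cat "{path}"'))
        if version:
            return {"version": version, "location": path,
                    "cpe": f"cpe:/a:adobe:acrobat_reader:{version}"}
    return None


# --- constructed stand-ins for two targets (not real device output) ---------

def fake_ilo(cmd: str) -> str:
    """Assumed iLO behaviour: 'help' lists its commands; anything else is
    echoed back wrapped at 80 columns, followed by the prompt."""
    if cmd == "help":
        return "cd version exit show help\n" + ILO_PROMPT
    chunks = [cmd[i:i + 80] for i in range(0, len(cmd), 80)]
    return "\n".join(chunks) + "\n" + ILO_PROMPT


def fake_linux(cmd: str) -> str:
    """A Linux host with a (constructed) Reader 7.0.9 install."""
    if cmd == "help":
        return "Shell commands that are defined internally: cd exit help\n"
    if cmd.startswith("LANG=C"):
        return "/opt/Adobe/Reader7/Reader/AcroVersion\n"
    if cmd.startswith("cat "):
        return "7.0.9\n"
    return ""


if __name__ == "__main__":
    print("iLO  :", detect_adobe_reader(fake_ilo))     # None: no false positive
    print("linux:", detect_adobe_reader(fake_linux))   # version 7.0.9
```

The order of the guards matters: the device check avoids sending `find` at all, the echo check catches any other non-Unix shell the device list does not know yet, and the version regex is the last line of defence for parsers that were handed something that is neither a path nor a version.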