False positive for KB4480056 - issue with the "Less than xxx" comparison?


#1

Expected behavior

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine.dll file version 4.7.3282.0 is not affected by KB4480056/CVE-2019-0545

Current behavior

The current scan shows that it is affected with the output:

Vulnerability Detection Result

File checked:      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine.dll
File version:      4.7.3282.0
Vulnerable range:  Less than 4.7.3282.0

Is there an issue with the “Less than xxx” comparison?

Steps to reproduce

  1. Authenticated Scan of a windows host with .NET 2.1.11 (Core 2.1.507) installed

GVM versions

gsa: (gsad --version)

Greenbone Security Assistant 7.0.3
Copyright (C) 2010-2016 Greenbone Networks GmbH
License GPLv2+: GNU GPL version 2 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gvm: (gvmd --version)

openvas-scanner: (openvassd --version)

OpenVAS Scanner 5.1.3
Most new code since 2005: (C) 2016 Greenbone Networks GmbH
Nessus origin: (C) 2004 Renaud Deraison <deraison@nessus.org>
License GPLv2: GNU GPL version 2
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gvm-libs:

openvas-smb:

Environment

Operating system:

Kali Linux Rolling

Installation method / source: (packages, source installation)

Kali Linux package and openvas-setup

| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version      Architecture Description
+++-======================-============-============-==================================================
ii  libopenvas9:amd64      9.0.3-1+b1   amd64        remote network security auditor - shared libraries
ii  openvas                9.0.3kali1   all          remote network security auditor - dummy package
ii  openvas-cli            1.4.5-2      amd64        Command Line Tools for OpenVAS
ii  openvas-manager        7.0.3-1      amd64        Manager Module of OpenVAS
ii  openvas-manager-common 7.0.3-1      all          architecture independent files for openvas-manager
ii  openvas-scanner        5.1.3-2      amd64        remote network security auditor - scanner
openvas-check-setup 2.3.7
  Test completeness and readiness of OpenVAS-9
  (add '--v6' or '--v7' or '--v8'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.1.3.
        OK: redis-server is present in version v=5.0.3.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /var/run/redis-openvas/redis-server.sock
        OK: redis-server is running and listening on socket: /var/run/redis-openvas/redis-server.sock.
        OK: redis-server configuration is OK and redis-server is running.
        OK: NVT collection in /var/lib/openvas/plugins contains 51135 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        WARNING: The initial NVT cache has not yet been generated.
        SUGGEST: Start OpenVAS Scanner for the first time to generate the cache.
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 7.0.3.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 184.
        OK: OpenVAS Manager expects database at revision 184.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 51135 NVTs.
        OK: At least one user exists.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ... 
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ... 
        OK: Greenbone Security Assistant is present in version 7.0.3.
        OK: Your OpenVAS certificate infrastructure passed validation.
Step 5: Checking OpenVAS CLI ... 
        OK: OpenVAS CLI version 1.4.5.
Step 6: Checking Greenbone Security Desktop (GSD) ... 
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ... 
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on a Unix domain socket.
        WARNING: OpenVAS Manager is running and listening only on the local interface.
        This means that you will not be able to access the OpenVAS Manager from the
        outside using GSD or OpenVAS CLI.
        SUGGEST: Ensure that OpenVAS Manager listens on all interfaces unless you want
        a local service only.
        OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 7.70
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
        OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.

It seems like your OpenVAS-9 installation is OK.

On the windows system:

PS C:\> dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   2.1.507
 Commit:    e8520940d7

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.17763
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\2.1.507\

Host (useful for support):
  Version: 2.1.11
  Commit:  d6a5616240

.NET Core SDKs installed:
  2.1.507 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download

#2

Hi,

Thanks for the detailed information, We are not able reproduce the issue. Will let you know if any further information is required.

Thanks,
Antu


#3

Hi,

It is fixed now, Updated VT is available in next feed update.

Thanks You!

Regards,
Antu


#4

It should be noted that this wasn’t a false positive but just a wrong reporting in this specific VT if multiple versions of the .NET framework was installed. The VT had detected the vulnerable version but the reporting of the vulnerable version / path was overwritten in the later reporting by the not-affected version.

With the next feed update you should still get a correct vulnerability report but with the correct path and version used for the detection.