False positives on Centos6 kernel VT?

false_positive
solved

#1

New user here, so it’s certainly possible I’m missing something fundamental, but… we’re seeing what looks like a large number of false positives on CentOS 6 kernel version checks on any system with the kernel-debuginfo-common-x86_64 RPM installed.

Here’s an example from “CentOS Update for kernel CESA-2018:2846 centos6 (OID: 1.3.6.1.4.1.25623.1.0.882957)”

Vulnerability Detection Result

Package kernel-firmware version kernel-debuginfo-common-x86_64-2.6.32-754.9.1.el6 is installed which is known to be vulnerable.

Note that
a) “kernel-debuginfo-common-x86_64” is not actually “kernel-firmware”
b) the fixed version of kernel-firmware for this VT is 2.6.32-754.6.3.el6

We see this issue on every kernel check that isn’t actually vulnerable (the ones that are report correctly) against this kernel-firmware/kernel-debuginfo mismatch. After looking over the plugins I think something funny is going on in pkg-lib-rpm.inc, probably to do with an underscore in a kernel-* package name.

Actual packages on this server:
[root@abergynolwyn ~]#rpm -qa | grep ^kernel
kernel-debuginfo-common-x86_64-2.6.32-754.9.1.el6.x86_64
kernel-2.6.32-754.9.1.el6.x86_64
kernel-debuginfo-2.6.32-754.9.1.el6.x86_64
kernel-firmware-2.6.32-754.9.1.el6.noarch

Any advice? I’m happy to run further testing, splice logging statements into the NVT etc. etc. if helpful.
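An added example (not pkg-lib-rpm.inc and not code from this thread) of the check the post describes done with an exact package-name match and a simplified rpmvercmp, run over the `rpm -qa` output quoted above; the fixed version 2.6.32-754.6.3.el6 is the one named in the post, and the comparison ignores rpm's tilde/caret rules.

```python
import re
from itertools import zip_longest

# Constructed sample: the `rpm -qa | grep ^kernel` lines quoted in the post.
RPM_QA_OUTPUT = """\
kernel-debuginfo-common-x86_64-2.6.32-754.9.1.el6.x86_64
kernel-2.6.32-754.9.1.el6.x86_64
kernel-debuginfo-2.6.32-754.9.1.el6.x86_64
kernel-firmware-2.6.32-754.9.1.el6.noarch
"""

def parse_nvra(line):
    """Split an `rpm -qa` line into (name, version, release, arch).
    Version and release never contain '-', so splitting on the last two
    dashes is safe even when the name contains '-' or '_' (x86_64)."""
    body, arch = line.strip().rsplit(".", 1)
    name, version, release = body.rsplit("-", 2)
    return name, version, release, arch

def _segments(s):
    # rpmvercmp-style tokenising: runs of digits or letters; separators ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no '~' or '^' handling): returns -1, 0 or 1."""
    for x, y in zip_longest(_segments(a), _segments(b)):
        if x is None:
            return -1          # b has more segments, so b is newer
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric sorts newer than alpha
        elif x != y:
            return (x > y) - (x < y)
    return 0

def evr_cmp(ver_a, rel_a, ver_b, rel_b):
    c = rpm_vercmp(ver_a, ver_b)
    return c if c else rpm_vercmp(rel_a, rel_b)

def vulnerable_packages(rpm_qa, pkg_name, fixed_ver, fixed_rel):
    """Installed NVRAs of exactly pkg_name that are older than the fix.
    Exact-name matching means kernel-debuginfo-common-x86_64 can never be
    reported as kernel-firmware."""
    hits = []
    for line in rpm_qa.splitlines():
        name, ver, rel, _arch = parse_nvra(line)
        if name == pkg_name and evr_cmp(ver, rel, fixed_ver, fixed_rel) < 0:
            hits.append(line.strip())
    return hits
```

With the fix at 2.6.32-754.6.3.el6 and 754.9.1.el6 installed, `vulnerable_packages(RPM_QA_OUTPUT, "kernel-firmware", "2.6.32", "754.6.3.el6")` returns an empty list, i.e. no finding.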


#2

Thanks for your report.

Today a huge update to the .inc file (pkg-lib-rpm.inc) handling such package checks was done (not included in the feed yet) which might already solve this.

Please re-run a scan once pkg-lib-rpm.inc doesn’t include the function kernel_packge_check anymore (should happen with one of the next feed updates). You can inspect the file on your filesystem at e.g. /path/to/var/lib/openvas/plugins/pkg-lib-rpm.inc to check the above.


#3

This has resolved it! (Currently running community NVT feed 201903071508).

Thanks for the response.