Suspected false positive

Hi,

I’m new to this forum, but I’ve used OpenVAS many times over the past few years.

Recently I invoked OpenVAS to scan a Linux system.
The scan report shows several entries of “High” threat level, all related to GNU Bash:

High (CVSS: 10.0)
NVT: GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 03 (OID:1.3.6.1.4.1.25623.1.0.802085)
Used command: openvas_test='() { echo vulnerable; }' bash -c openvas_test
Result: openvas_test=() { echo vulnerable; }: Command not found.
Affected Software/OS
GNU Bash through 4.3 bash43-026

High (CVSS: 10.0)
NVT: GNU Bash Off-by-one aka ‘word_lineno’ Buffer Overflow Vulnerability (LSC) (OID:1.3.6.1.4.1.25623.1.0.802084)

High (CVSS: 10.0)
NVT: GNU Bash Environment Variable Handling Shell RCE Vulnerability (LSC) - 04 (OID:1.3.6.1.4.1.25623.1.0.802086)

The target system has “Bash-4.3.30” installed, which should not be affected.

On the other hand, it was found that the account on the target system whose username and password are set as the OpenVAS credential has “/bin/tcsh” as its login shell.

When the scan was repeated with the target account’s login shell changed to “/bin/bash”, the vulnerabilities mentioned above vanished.

I think this should be a case of a false positive.

Hi,

and thanks for your report.

It seems indeed that the initial implementation back in 2014 hadn’t taken possibly different login shells into account, which could cause such false positives. Additional false negatives could also be possible if a different login shell is used but a vulnerable bash version exists on the target.

All 6 existing VTs related to authenticated scans for the Shellshock vulnerability have been updated today to always make use of a previously detected bash binary even if a different login shell was configured.

This should fix both possible false positives and false negatives when a different login shell is used for the scanning user. Those changes should arrive in the feed within the next few days.

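The mechanism behind the report above is worth seeing in code. The probe line `openvas_test='() { echo vulnerable; }' bash -c openvas_test` is Bourne/bash syntax: a `VAR=value` prefix followed by a command. When the SSH session's login shell is tcsh, tcsh parses that whole line itself, does not understand the prefix, and reports the first word as an unknown command. Note that the resulting error text (`openvas_test=() { echo vulnerable; }: Command not found.`) contains the word "vulnerable" only because the command line did, so any check that merely looks for that marker anywhere in the output will misfire, while a check that demands the marker as the entire output will not. The script below is an added example, not Greenbone's NVT code: the function names are hypothetical, the three sample outputs are constructed (modelled on the report's result line and on what a patched bash prints), and the login-shell-independent probe sets the environment with `env(1)` and calls an explicitly chosen bash binary, in the spirit of the fix described in the reply (always use the detected bash binary regardless of the login shell).

```shell
#!/bin/sh
# Added example (not Greenbone's NVT code). Demonstrates why a Shellshock
# probe must not depend on the scanning user's login shell, and why the
# result must be matched strictly rather than by substring.
# All function names are hypothetical.

MARKER="vulnerable"

# Constructed sample outputs, modelled on the thread above.
# 1) A bash affected by CVE-2014-6271 imports the function and runs its body.
OUT_VULN_BASH="vulnerable"
# 2) A patched bash treats openvas_test as a plain variable; the command is unknown.
OUT_PATCHED_BASH="bash: openvas_test: command not found"
# 3) tcsh handed the same line: it does not know the VAR=value prefix and
#    echoes the whole first word back in its error message.
OUT_TCSH="openvas_test=() { echo vulnerable; }: Command not found."

# Naive classifier: positive if the marker appears anywhere in the output.
# Misfires on OUT_TCSH, because the error message quotes the command line.
naive_classify() {
    case "$1" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo not_vulnerable ;;
    esac
}

# Strict classifier: positive only if the trimmed output IS the marker,
# i.e. the injected function body actually executed.
strict_classify() {
    out=$(printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ "$out" = "$MARKER" ]; then
        echo vulnerable
    else
        echo not_vulnerable
    fi
}

# Login-shell-independent probe: env(1) sets the variable and execs the given
# bash binary directly, so neither the VAR=value prefix nor the function body
# is ever parsed by whatever login shell the scan credential happens to have.
# Prints: vulnerable | not_vulnerable | inconclusive (no usable bash binary).
shellshock_probe() {
    bash_bin="$1"
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || { echo inconclusive; return 0; }
    out=$(env "openvas_test=() { echo $MARKER; }" "$bash_bin" -c openvas_test 2>&1 || true)
    strict_classify "$out"
}

# Reproduce the original symptom: feed the report's exact command line to a
# given shell as that shell would receive it over SSH. Only run for
# demonstration; tcsh may not be installed on this host.
probe_via_login_shell() {
    login_shell="$1"
    "$login_shell" -c "openvas_test='() { echo $MARKER; }' bash -c openvas_test" 2>&1 || true
}

bash_path=$(command -v bash 2>/dev/null || true)
echo "naive  classifier on tcsh output:   $(naive_classify "$OUT_TCSH")"
echo "strict classifier on tcsh output:   $(strict_classify "$OUT_TCSH")"
echo "strict classifier on vulnerable bash: $(strict_classify "$OUT_VULN_BASH")"
echo "live probe of ${bash_path:-<no bash>}: $(shellshock_probe "$bash_path")"
if command -v tcsh >/dev/null 2>&1; then
    echo "raw output via tcsh login shell: $(probe_via_login_shell "$(command -v tcsh)")"
fi
```

Run it as `sh probe.sh`. On any host with a post-2014 bash the live probe prints `not_vulnerable`; on a host with tcsh installed, the last line shows the same "Command not found." text as the scan report, which the naive classifier would flag and the strict one would not.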