False positives resulting from package names not matching for ubuntu fips

marksg · October 30, 2023, 7:55pm

Hi there,

I’m getting a lot of false positives from vulnerability scans because openvas does not understand the ‘fips’ versions of ubuntu packages.

Is there a workaround that doesn’t involve overrides?
I’m running the latest community edition

Cheers

Mark Guz

Summary
The remote host is missing an update for the 'strongswan' package(s) announced via the USN-5250-1 advisory.
Detection Result
Vulnerable package:   libstrongswan
Installed version:    libstrongswan-5.8.2-1ubuntu3.fips.3.5
Fixed version:      >=libstrongswan-5.8.2-1ubuntu3.4

Vulnerable package:   strongswan
Installed version:    strongswan-5.8.2-1ubuntu3.fips.3.5
Fixed version:      >=strongswan-5.8.2-1ubuntu3.4

rippledj · October 31, 2023, 8:14am

I guess you could duplicate the NVT’s .nasl file, give it a new NVT OID, and customize the detection to include .fips packages then import it to the scan configuration.

cfi · October 31, 2023, 9:38am

Hello and welcome to this community forums.

The version comparison of package based checks are done on (notus-)scanner side. Could you please create a new issue over at GitHub - greenbone/notus-scanner: Notus is a vulnerability scanner for creating results from local security checks so that the team working on this component could add something similar to e.g. the below for Debian based systems?

github.com/greenbone/notus-scanner

Fix: RPM package comparison by adding exceptions for version

greenbone:main ← greenbone:add-rpm-exceptions

opened 08:53AM - 12 Oct 22 UTC

Kraemii

+41 -0

**What**: In some cases RPM package versions containing a '.ksplice' or a '_fip…s' string. These versions are not comparable with other Versions missing this string. SC-690  **Why**: **How**:  **Checklist**: - [ ] Tests - [ ] [CHANGELOG](https://github.com/greenbone/notus-scanner/blob/master/CHANGELOG.md) Entry - [ ] Documentation

cfi · October 31, 2023, 5:06pm

For tracking purposes / references the newly created issue, thanks a lot.

github.com/greenbone/notus-scanner

False positives (negatives?) received on nvts due to ubuntu fips packages not being understood by Notus

opened 02:29PM - 31 Oct 23 UTC

mguzsklk

Hi, I'm using the latest community edition of greenbone and have discovered t…hat my FIPS compliant hosts are being reported as having vulnerabilities due to the scanner not interpreting the fips in the package names. For Example: ``` Detection Result Vulnerable package: openssl Installed version: openssl-1.1.1f-1ubuntu2.fips.18 Fixed version: >=openssl-1.1.1f-1ubuntu2.15 ``` I posted a question on the community board about this and they asked me to open an issue with you. Let me know if you need more information Cheers Mark Guz