Monitoring FreeBSD Base System Vulnerabilities with pkg auditFri 12 August 2016 by feld
The FreeBSD base system has been difficult to monitor for published vulnerabilities for a long time. This will improve when we achieve a packaged base system, but that leaves users of currently supported -RELEASE systems without a standardized option.
The freebsd-version(1) utility has existed since FreeBSD 10.0. This script is capable of correctly identifying the version of the FreeBSD kernel and the FreeBSD base system. It is an important step forward in helping users be confident in identifying the FreeBSD system's patch level.
I do not like reinventing the wheel, and it occurred to me that for a long time the FreeBSD SA announcements were properly documented in vuxml. This provided an opportunity and scratched an itch I had at work, so here goes nothing:
I am presenting here a useful albeit unsupported method of monitoring FreeBSD for base system vulnerabilities via pkg(8) utilizing entries in the vuxml database.
The pkg(8) utility as you probably know can check your system for known vulnerable packages. It does this with the pkg audit command. Additionally you can pass any package name and version string as an argument and it will check the database for results. It is possible to check your system against the vuxml database by converting the freebsd-version(1) output to the correct string and passing it to pkg audit.
Example of checking the base system (note, this is /bin/sh syntax):
$ freebsd-version -u 10.3-RELEASE-p2 $ pkg audit $(freebsd-version -u | sed 's,^,FreeBSD-,;s,-RELEASE-p,_,;s,-RELEASE$,,') FreeBSD-10.3_2 is vulnerable: FreeBSD -- Multiple vulnerabilities of ntp CVE: CVE-2016-4957 CVE: CVE-2016-4956 CVE: CVE-2016-4955 CVE: CVE-2016-4954 CVE: CVE-2016-4953 WWW: https://vuxml.FreeBSD.org/freebsd/7cfcea05-600a-11e6-a6c3-14dae9d210b8.html FreeBSD-10.3_2 is vulnerable: libarchive -- multiple vulnerabilities CVE: CVE-2015-2304 CVE: CVE-2013-0211 WWW: https://vuxml.FreeBSD.org/freebsd/7c63775e-be31-11e5-b5fe-002590263bf5.html FreeBSD-10.3_2 is vulnerable: FreeBSD -- Heap vulnerability in bspatch CVE: CVE-2014-9862 WWW: https://vuxml.FreeBSD.org/freebsd/7d4f4955-600a-11e6-a6c3-14dae9d210b8.html
Now we have results for the base system! Let's check the kernel:
$ pkg audit $(freebsd-version -k | sed 's,^,FreeBSD-kernel-,;s,-RELEASE-p,_,;s,-RELEASE$,,') FreeBSD-kernel-10.3_2 is vulnerable: FreeBSD -- Buffer overflow in keyboard driver CVE: CVE-2016-1886 WWW: https://vuxml.FreeBSD.org/freebsd/7bbc0e8c-600a-11e6-a6c3-14dae9d210b8.html FreeBSD-kernel-10.3_2 is vulnerable: FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer WWW: https://vuxml.FreeBSD.org/freebsd/7cad4795-600a-11e6-a6c3-14dae9d210b8.html FreeBSD-kernel-10.3_2 is vulnerable: FreeBSD -- Kernel stack disclosure in Linux compatibility layer WWW: https://vuxml.FreeBSD.org/freebsd/7c5d64dd-600a-11e6-a6c3-14dae9d210b8.html FreeBSD-kernel-10.3_2 is vulnerable: FreeBSD -- Incorrect argument handling in sendmsg(2) CVE: CVE-2016-1887 WWW: https://vuxml.FreeBSD.org/freebsd/7c0bac69-600a-11e6-a6c3-14dae9d210b8.html
The results speak for themselves.
I have recently finished adding all missing entries to the vuxml database that affect -RELEASE systems since 2013. This covers the tail end of 8.x, much of 9.x, and bleeds into the 10.x RELEASE lifetime. Systems older are End of Life and never supported the FreeBSD pkg(8) utility anyway, so I have not put in the effort to search out those missing entries. This method is useful on FreeBSD systems that do not have the freebsd-version(1) utility, but you will not have a reliable method to get the version of the FreeBSD base system. You can pull the kernel version from uname(1), but you will have to devise your own method of keeping track of the base system version. Beware of the leopard, etc.
I hope you find this a valuable method for discovering vulnerabilities affecting your servers and help you assess risk and plan patch management. Please remember this is not endorsed by secteam and is liable to be full of errors or out of date. I suggest using this as a compliment to your other monitoring practices. Moving forward I hope to better coordinate with secteam to ensure we have new FreeBSD SA's entered in the vuxml database in a timely manner.
This post originally appeared on the freebsd-questions mailing list and has been lightly edited.
Java KVM Troubles on OSX
I was having troubles on OSX getting access to the KVM at work which is a Dell KVM 4322DS. The connection errors from Java about security settings were not resolved by whitelisting the site in the Java console. Turns out newer Java disables some SSL/TLS algorithms and settings that ...read more
Fixing Time Machine / Netatalk (error (null))
Recently I was setting up a new Time Machine backup on my wife's MacBook so it would use my FreeBSD/ZFS server. My own personal MacBook was already backing up to it successfully and has been for quite some time. When I attempted to start a new backup to ...read more
Mono's DNS is broken
Routing a FreeBSD Jail through OpenVPN
I decided I wanted to concoct a solution where I could force all applications in a jail or jails through a VPN connection without affecting the internet connectivity of other daemons on the system. After some headbanging I was able to make this work. The OS version being used in ...read more
Braindead FreeBSD Backups with Tarsnap and ACTS
IPv6 via 6rd on FreeBSD
My ISP is Charter and they support 6rd for IPv6. Unfortunately 6rd support does not exist in the stf(4) driver in FreeBSD yet. There is a work-in-progress implementation available from hrs in ports, net/stf-6rd-kmod. However, I haven't found very good documentation on exactly how to use it ...read more
BSD License Audit
I recently did an audit of the "BSD" licenses in the FreeBSD ports tree. This pertains strictly to those defined as LICENSE=BSD which could be one of several licenses. It was an extremely tedious process manually verifying the license of each port, and except for a dozen which are ...read more
Outlook-compatible WebDav with Nginx
Microsoft Outlook has a Publish Online feature for sharing specific calendar information by publishing iCal files to WebDav. I don't use Apache on my personal servers, so here's how to configure it on Nginx.
You first need to ensure that you have both Nginx WebDav modules installed. They ...read more
Setting up Xymon with Nginx
Xymon has been a favorite monitoring tool of mine for quite some time now largely due to its simplicity and flexibility. However, I despise running Apache unless absoultely neccessary. Previous attempts at getting Nginx and Xymon to play nice were not successful without some lazy hacks, but I finally sat ...read more