fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other

Vulnerabilities (CVEs) for custom Linux kernels #19347

Closed noahtalerman closed 2 months ago

noahtalerman commented 4 months ago

Goal

User story
As a vulnerability management engineer,
I want to see vulnerabilities (CVEs) for my custom kernels
so that I can see which vulnerabilities affect my Linux hosts.

Context

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
sharon-fdm commented 4 months ago

@noahtalerman @lukeheath since this is urgent for the customer, do we want to consider releasing it as part of Patch 4.51.1 ?(outside of our process)

lukeheath commented 4 months ago

@sharon-fdm Unless it's a priority ticket I don't think so. We'd need to run an unscheduled minor release since this is a change and not a bug fix.

noahtalerman commented 4 months ago

> since this is urgent for the customer, do we want to consider releasing it as part of Patch 4.51.1 ?(outside of our process)

Hey @zayhanlon do you think we want to consider accelerating this feature? Or can it wait until the next minor release? Targeted for 2024-06-24.

lucasmrod commented 3 months ago

@mostlikelee Do you know how we can QA this? Any publicly available custom kernels you know of that we could install?

mostlikelee commented 3 months ago

> @mostlikelee Do you know how we can QA this? Any publicly available custom kernels you know of that we could install?

Not that I know of, so I think our best bet is to enroll an Ubuntu host and update any software table entries starting with linux-image-*, i.e. linux-image-5.4.0-163-generic -> linux-image-5.4.0-163-customfoo

lucasmrod commented 3 months ago

QA

Steps to test this issue

After many tries (because of the manual steps) I was able to verify this change.

  1. Enroll an Ubuntu host.
  2. linux-image-6.5.0-35-generic, 6.5.0-35.35~22.04.1 is in the host software list.
  3. Run the vulnerability processing cron (fleetctl trigger --name vulnerabilities).
  4. Vulnerability count for the kernel is 150 (all CVEs have source=1, meaning they come from OVAL).
  5. Manually change the software name from linux-image-6.5.0-35-generic to linux-image-6.5.0-35-hotdog, and manually delete the found OVAL vulnerabilities.

```sql
-- Rename the kernel package so it no longer looks like a stock Ubuntu flavor
UPDATE software SET name = 'linux-image-6.5.0-35-hotdog' WHERE id = 3842;
-- Drop the OVAL-sourced CVEs so the next run has to re-match from scratch
DELETE FROM software_cve WHERE software_id = 3842;
```

  6. Run the vulnerability processing cron (fleetctl trigger --name vulnerabilities).
  7. Vulnerability count for the kernel is 364 (all CVEs have source=0, meaning they come from NVD).

Notes

I did not analyze all the 364 CVEs found on NVD for the custom kernel. There could be false positives. I picked 5 and they looked like true positives.
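The QA steps above rely on recognizing which `linux-image-*` rows in the software table are stock Ubuntu flavors (matched via OVAL, source=1) and which are custom builds (matched via NVD, source=0). The following is an added example, not Fleet's own code: a small Go parser for Debian/Ubuntu kernel package names that extracts the upstream version, ABI number and flavor, and flags non-stock flavors as custom. The `stockFlavors` list, the `ExpectedSource` mapping and the sample package names are assumptions constructed for this example; they mirror what the steps above observed, not Fleet's actual matching logic.

```go
package main

import (
	"fmt"
	"regexp"
)

// KernelPackage is the parsed form of a Debian/Ubuntu linux-image package name
// such as "linux-image-6.5.0-35-generic".
type KernelPackage struct {
	Name    string // full package name as it appears in the software table
	Version string // upstream kernel version, e.g. "6.5.0"
	ABI     string // distribution ABI number, e.g. "35"
	Flavor  string // trailing flavor, e.g. "generic" or "hotdog"
}

// stockFlavors is an assumed list of Ubuntu's own kernel flavors for this example.
// Any other flavor is treated as a custom build.
var stockFlavors = map[string]bool{
	"generic": true, "lowlatency": true, "virtual": true, "kvm": true,
	"aws": true, "azure": true, "gcp": true, "oracle": true, "raspi": true,
}

// kernelRe matches linux-image-<version>-<abi>-<flavor>; meta packages such as
// "linux-image-generic" and headers packages intentionally do not match.
var kernelRe = regexp.MustCompile(`^linux-image-(\d+\.\d+\.\d+)-(\d+)-([a-z0-9]+)$`)

// ParseKernelPackage splits a package name into its components. The second
// return value is false when the name is not a versioned linux-image package.
func ParseKernelPackage(name string) (KernelPackage, bool) {
	m := kernelRe.FindStringSubmatch(name)
	if m == nil {
		return KernelPackage{}, false
	}
	return KernelPackage{Name: name, Version: m[1], ABI: m[2], Flavor: m[3]}, true
}

// IsCustom reports whether the flavor is outside the assumed stock set.
func (k KernelPackage) IsCustom() bool { return !stockFlavors[k.Flavor] }

// ExpectedSource models the observation from the QA steps: stock kernels were
// matched from OVAL (source=1), the renamed custom kernel from NVD (source=0).
// This is an assumption for the example, not Fleet's implementation.
func (k KernelPackage) ExpectedSource() int {
	if k.IsCustom() {
		return 0
	}
	return 1
}

// CustomKernels filters a software list down to the custom kernel packages,
// which are the rows a tester would want to inspect after vulnerability processing.
func CustomKernels(names []string) []KernelPackage {
	var out []KernelPackage
	for _, n := range names {
		if k, ok := ParseKernelPackage(n); ok && k.IsCustom() {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	// Constructed sample of software names, loosely modelled on the QA steps.
	sample := []string{
		"linux-image-6.5.0-35-generic",
		"linux-image-6.5.0-35-hotdog",
		"linux-image-5.4.0-163-customfoo",
		"linux-headers-6.5.0-35",
		"vim",
	}
	for _, k := range CustomKernels(sample) {
		fmt.Printf("%s: version=%s abi=%s flavor=%s expected source=%d\n",
			k.Name, k.Version, k.ABI, k.Flavor, k.ExpectedSource())
	}
}
```

Run it against the names column of the software table (for example via `fleetctl` query output) to list the rows whose CVE counts and `source` values should be checked by hand, as was done for the renamed kernel above.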

marko-lisica commented 3 months ago

Hey @mostlikelee when you get the chance, can you please take the docs updates for this one.

Outdated documentation changes: Add 1 sentence about how CVEs are mapped to custom kernels in the Coverage section on the Vulnerability processing page

marko-lisica commented 3 months ago

Hey @Patagonia121, this story has shipped. We want to make sure docs TODOs from the comment above are merged in before we notify customers.

Patagonia121 commented 3 months ago

@marko-lisica I was planning to post a general release summary for all customer channels in Slack where I would mention this update, so you're saying I should hold off until doc changes are merged? @mostlikelee do you think this will happen today? Thank you both!

mostlikelee commented 3 months ago

@Patagonia121 @marko-lisica not a problem, I'll get those up today

noahtalerman commented 3 months ago

Hey @mostlikelee just checking in, did you get to those docs updates?

mostlikelee commented 3 months ago

@noahtalerman can you review? https://github.com/fleetdm/fleet/pull/20125

rachaelshaw commented 2 months ago

@Patagonia121 docs are merged ✅

fleet-release commented 2 months ago

Custom kernel's glow, Vulnerabilities show, Safety in the know.