uyuni-project / uyuni

Source code for Uyuni
https://www.uyuni-project.org/
GNU General Public License v2.0

Audit CVE Scan not Working #8314

Open hsh-it opened 5 months ago

hsh-it commented 5 months ago

Problem description

If I search for some CVE and try to "Audit servers" I get this: (screenshot)

If I take a look at the pages: https://www.suse.com/security/cve/CVE-2024-0209.html https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-0209

I found the CVE number.

If I search for https://www.suse.com/security/cve/CVE-2024-0056.html in Uyuni I get a result (newest CVE number). (screenshot)

List should be up to date: (screenshot)

Steps to reproduce

Go to Uyuni and search for some cve numbers

Uyuni version

# zypper info Uyuni-Server-release
Retrieving repository 'Update repository with updates from SUSE Linux Enterprise 15' metadata ........................................................[done]
Building repository 'Update repository with updates from SUSE Linux Enterprise 15' cache .............................................................[done]
Retrieving repository 'Hauptaktualisierungs-Repository' metadata .....................................................................................[done]
Building repository 'Hauptaktualisierungs-Repository' cache ..........................................................................................[done]
Loading repository data...
Warning: Repository 'Update repository of openSUSE Backports' metadata expired since 2024-02-05 14:25:26 CET.

    Warning: Repository metadata expired: Check if 'autorefresh' is turned on (zypper lr), otherwise
    manualy refresh the repository (zypper ref). If this does not solve the issue, it could be that
    you are using a broken mirror or the server has actually discontinued to support the repository.

Reading installed packages...

Information for package Uyuni-Server-release:
---------------------------------------------
Repository     : uyuni-server-stable
Name           : Uyuni-Server-release
Version        : 2023.04-220400.204.2.uyuni2
Arch           : x86_64
Vendor         : obs://build.opensuse.org/systemsmanagement:Uyuni
Support Level  : Level 3
Installed Size : 1.4 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : Uyuni-Server-release-2023.04-220400.204.2.uyuni2.src
Summary        : Uyuni Server
Description    :
    Uyuni lets you efficiently manage physical, virtual,
    and cloud-based Linux systems. It provides automated and cost-effective
    configuration and software management, asset management, and system
    provisioning.

Uyuni proxy version (if used)

No response

Useful logs

no

Additional information

How can I check all systems for CVE numbers?

deneb-alpha commented 5 months ago

Hi @hsh-it, looking at the Uyuni version reported, it looks like you are using a really old version.

Is there any chance you could try to update to 2024.01 that is currently the last released Uyuni version? Please, also note that the version you are currently using (2023.04) is based on Leap 15.4 that is also EOL already from December 2023.

Starting from Uyuni 2023.09 we bumped the base operating system to Leap 15.5.

I suggest you also check the release notes and the documentation for this major upgrade.

hsh-it commented 5 months ago

# zypper info Uyuni-Server-release
Loading repository data...
Warning: Repository 'Update repository of openSUSE Backports' metadata expired since 2024-02-05 14:25:26 CET.

    Warning: Repository metadata expired: Check if 'autorefresh' is turned on (zypper lr), otherwise
    manually refresh the repository (zypper ref). If this does not solve the issue, it could be that
    you are using a broken mirror or the server has actually discontinued to support the repository.

Reading installed packages...

Information for package Uyuni-Server-release:
---------------------------------------------
Repository     : uyuni-server-stable
Name           : Uyuni-Server-release
Version        : 2024.01-230900.212.1.uyuni3
Arch           : x86_64
Vendor         : obs://build.opensuse.org/systemsmanagement:Uyuni
Support Level  : Level 3
Installed Size : 1.4 KiB
Installed      : Yes (automatically)
Status         : out-of-date (version 2023.04-220400.204.2.uyuni2 installed)
Source package : Uyuni-Server-release-2024.01-230900.212.1.uyuni3.src
Summary        : Uyuni Server
Description    :
    Uyuni lets you efficiently manage physical, virtual,
    and cloud-based Linux systems. It provides automated and cost-effective
    configuration and software management, asset management, and system
    provisioning.
# cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.4"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.4"
PRETTY_NAME="openSUSE Leap 15.4"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.4"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Leap"
LOGO="distributor-logo-Leap"

It actually seems to have helped. I have tested the first systems. However, I have noticed that it would be good to have feedback when you enter a new CVE so that you can see that the systems have been checked again.

Is there any other tip or hint on how I can work with this in the future? Is there an automatic process that regularly checks the systems for vulnerable CVEs?

Since the update I always get this window: (screenshot)

I know that this is logical with a self-signed certificate, but the problem did not exist before. So it seems to be related to the update.

Thanks for your tip and your help.

cFabij commented 5 months ago

Just to make sure: From your above logs it seems you run Uyuni Server 2024.01 on openSUSE 15.4. As @deneb-alpha mentioned: Uyuni needs openSUSE 15.5 since version 2023.09.

Your status from zypper info Uyuni-Server-release also reads

Status : out-of-date (version 2023.04-220400.204.2.uyuni2 installed)

hinting maybe at a problem with your update.

For your certificate issue: if that's the same browser you used before and where you already added the self-signed certificate as trusted, then I guess the first steps would be to clear your browser cache and check your system time and the server time for discrepancies.

That being said: so far I did not have problems with the self-signed certificate on my end after updating.

hsh-it commented 5 months ago

I have updated Suse and Uyuni. Everything seems to be working now. Thanks for the help.

The problem with the certificate is local to my browser. Other browsers and users are not affected.

hsh-it commented 4 months ago

It looks like the problem is still there. There is a Kerberos CVE vulnerability: CVE-2024-26458, CVE-2024-26461, CVE-2024-26462

to be found here: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0485

When I search for CVE 26458 in uyuni I find nothing: "The specified CVE number was not found in our database. For more information on this CVE, please refer to the links below."

Likewise when I search for 26461 and 26462.

In fact openSUSE does not have this vulnerability: https://www.suse.com/security/cve/CVE-2024-26462.html

but MITRE does have it: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=26462

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26462 (screenshot)

But I can't search for it in Uyuni. (screenshot)

I have scanned the channel for the security gaps: Single run of cve-server-channels-bunch bunch was scheduled for 2024-02-29 13:03:20 CET. (screenshots)

uyuni:~ # cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.4"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.4"
PRETTY_NAME="openSUSE Leap 15.4"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.4"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Leap"
LOGO="distributor-logo-Leap"
uyuni:~ # zypper info Uyuni-Server-release
Loading repository data...
Warning: Repository 'Update repository of openSUSE Backports' metadata expired since 2024-02-05 14:25:26 CET.

    Warning: Repository metadata expired: Check if 'autorefresh' is turned on (zypper lr), otherwise
    manually refresh the repository (zypper ref). If this does not solve the issue, it could be that
    you are using a broken mirror or the server has actually discontinued to support the repository.

Reading installed packages...

Information for package Uyuni-Server-release:
---------------------------------------------
Repository     : uyuni-server-stable
Name           : Uyuni-Server-release
Version        : 2024.02-230900.213.1.uyuni3
Arch           : x86_64
Vendor         : obs://build.opensuse.org/systemsmanagement:Uyuni
Support Level  : Level 3
Installed Size : 1.4 KiB
Installed      : Yes (automatically)
Status         : out-of-date (version 2023.04-220400.204.2.uyuni2 installed)
Source package : Uyuni-Server-release-2024.02-230900.213.1.uyuni3.src
Summary        : Uyuni Server
Description    :
    Uyuni lets you efficiently manage physical, virtual,
    and cloud-based Linux systems. It provides automated and cost-effective
    configuration and software management, asset management, and system
    provisioning.

cFabij commented 4 months ago

It is my understanding that Uyuni's CVE Audit relies on information provided by patches - which are part of the respective repositories. If no patch in the database addresses a particular CVE, there will be no match in Uyuni's CVE Audit (regardless of whether a CVE is actually present in the system). So, as long as the respective repository owner does not provide a patch, Uyuni will be kept in the dark (looking at you, EOL distributions).

This project addresses this issue: https://gist.github.com/HoussemNasri/023088c1831b534e5acca5195e35d5f3 and from what I can see, the implementation is being tested right now.

rjmateus commented 4 months ago

Hey @cFabij, that is correct. The current implementation only looks for released patches. We are putting the final touches on merging the code with the new implementation that relies on OVAL data. It should be ready soon (one PR already merged, and we are finishing the review of some more PRs).

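The difference cFabij and rjmateus describe above, between an audit that only knows a CVE through a released patch and one that evaluates OVAL vulnerability definitions, as an added toy model in Python. This is not Uyuni's code: the verdict names, the package names and versions, the advisory id and the CVE-to-package mapping are all constructed for the example, and version comparison is simplified to dotted numbers.

```python
"""Toy model of two CVE-audit strategies (added illustration, not Uyuni's
implementation).  Shows why a patch-driven audit answers "not found" for a
CVE no released patch references, while an OVAL-driven audit can still
flag the installed package.  All sample data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Audit verdicts; names chosen for this example only.
NOT_FOUND = "NOT_FOUND"        # the database knows nothing about this CVE
NOT_AFFECTED = "NOT_AFFECTED"  # known CVE, no vulnerable package installed
AFFECTED = "AFFECTED"          # a vulnerable version is installed
PATCHED = "PATCHED"            # a fixed version is already installed


def version_key(v: str) -> tuple:
    """Dotted-numeric compare; a simplification of real RPM
    epoch:version-release ordering, which this example does not model."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Patch:
    """A released errata/patch as it appears in a synced channel."""
    advisory: str
    cves: frozenset          # CVE ids the advisory claims to fix
    fixes: Dict[str, str]    # package name -> first fixed version


@dataclass
class OvalDefinition:
    """A vulnerability definition as shipped in an OVAL feed: it names the
    affected package and fixed version regardless of whether a patch has
    been released yet."""
    cve: str
    package: Optional[str]        # None: distribution not affected at all
    fixed_version: Optional[str]  # None: vulnerable, no fix available yet


def audit_by_patches(cve: str, patches: List[Patch],
                     installed: Dict[str, str]) -> str:
    """Patch-driven audit: the only knowledge of a CVE is the patch that
    references it, so a CVE without a patch is simply unknown."""
    relevant = [p for p in patches if cve in p.cves]
    if not relevant:
        return NOT_FOUND
    verdict = NOT_AFFECTED
    for patch in relevant:
        for pkg, fixed in patch.fixes.items():
            if pkg not in installed:
                continue
            if version_key(installed[pkg]) < version_key(fixed):
                return AFFECTED
            verdict = PATCHED
    return verdict


def audit_by_oval(cve: str, definitions: Dict[str, OvalDefinition],
                  installed: Dict[str, str]) -> str:
    """OVAL-driven audit: the definition itself states what is vulnerable,
    so an unfixed CVE can be reported as AFFECTED instead of NOT_FOUND."""
    definition = definitions.get(cve)
    if definition is None:
        return NOT_FOUND
    if definition.package is None or definition.package not in installed:
        return NOT_AFFECTED
    if definition.fixed_version is None:
        return AFFECTED
    if version_key(installed[definition.package]) < version_key(definition.fixed_version):
        return AFFECTED
    return PATCHED


def compare(cve: str, patches: List[Patch],
            definitions: Dict[str, OvalDefinition],
            installed: Dict[str, str]) -> Dict[str, str]:
    """Run both strategies side by side for one CVE."""
    return {"patches": audit_by_patches(cve, patches, installed),
            "oval": audit_by_oval(cve, definitions, installed)}


# Constructed sample data: package names, versions, the advisory id and the
# CVE-to-package mapping are invented and say nothing about the real CVEs.
INSTALLED = {"pkgA": "1.2.3", "pkgB": "4.0.0"}
PATCHES = [Patch("EXAMPLE-SU-2024:0001-1", frozenset({"CVE-2024-0056"}),
                 {"pkgA": "1.2.4"})]
OVAL = {
    "CVE-2024-0056": OvalDefinition("CVE-2024-0056", "pkgA", "1.2.4"),
    "CVE-2024-26462": OvalDefinition("CVE-2024-26462", "pkgB", None),  # known, unfixed
    "CVE-2024-0209": OvalDefinition("CVE-2024-0209", None, None),      # distro not affected
}

if __name__ == "__main__":
    for cve_id in ("CVE-2024-0056", "CVE-2024-26462", "CVE-2024-0209", "CVE-2024-2660"):
        print(cve_id, compare(cve_id, PATCHES, OVAL, INSTALLED))
```

With the constructed data, CVE-2024-26462 is NOT_FOUND for the patch-driven audit but AFFECTED for the OVAL-driven one, and a CVE with neither a patch nor an OVAL definition (CVE-2024-2660 in the thread) stays NOT_FOUND in both, which matches the behaviour HoussemNasri describes later. The practical consequence for a defender is that "not found" means the metadata has no entry, not that the fleet is clean.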
hsh-it commented 2 months ago

Hey, now I have updated successfully to the latest version 2024.03 with new features for CVE scans: https://www.uyuni-project.org/doc/2024.03/release-notes-uyuni-server.html#_enhanced_cve_audit

But if I search for "CVE-2024-2660" it does not find anything. Same for "CVE-2024-0074". (screenshot)

But here it is: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-0074 https://www.suse.com/security/cve/CVE-2024-0074.html

I started an instant schedule: Single run of cve-server-channels-bunch bunch was scheduled for 2024-05-08 11:21:10 MESZ.

(screenshot)

But it did not find the CVE number.

Best regards

HoussemNasri commented 1 month ago

Hello @hsh-it,

The code that implements the algorithm to audit systems using OVAL is merged, which explains the entry in the release notes; however, it was decided to "turn off" the feature for now as the code to synchronize the OVAL metadata is currently under review. This is the PR that implements the synchronization: https://github.com/uyuni-project/uyuni/pull/7509, and it is in the final stages of being merged. I don't know, however, if the feature will be available in the next release, probably not. More testing is needed.

Once that PR is merged, auditing against CVE-2024-0074 would return the correct result as there is an entry for it in the OVAL metadata. However, I haven't found an entry for CVE-2024-2660 so the result would be the same. I don't know why it was not included, we might need to open a ticket in Bugzilla and ask about it.

hsh-it commented 1 month ago

Wow! Thank you for your great work. I've had a look and I think you've done a fantastic job. It's a big step if this feature works reliably and an essential feature to quickly and easily assess the security of the infrastructure.