Jeff Jones writes an ongoing security blog for CSO Online. A recent post about scrubbing and verifying data from repositories such as the National Vulnerability Database (NVD) caught our attention. In it, he looks at how difficult it can be to collect information about security alerts for projects such as the Linux kernel, to verify whether or not customers are actually using the affected modules given the wide variety of Linux distribution packages, and at the accuracy rates of vulnerability reporting.
The technology side of Palamida wholeheartedly agrees with Mr. Jones. From a vulnerability standpoint, code-scanning products often leave security and engineering teams with a massive number of false-positive alerts. It's not enough, for example, to just say that Linux kernel 2.6.9 has a vulnerability associated with it. Linux distributions are often customized by distributors and/or made up of a large number of independently developed software components, so the version of Linux used inside your enterprise may or may not contain the module with the associated vulnerability.
This kind of issue is what our engineers grappled with four years ago when we first developed our detection engine inside IP Amplifier and built our Compliance Library database with signatures of commonly used open source software projects. Take, for example, a recent alert on NVD, CVE-2007-1217: a buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, which allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet. The amazing community around the kernel, of course, already has a fix in patch 2.6.21-rc2-git2. But just because you are running Linux 2.6.9 doesn't mean you have a potential issue.
The real question is: does the version of Linux you're running from your distributor include the module? The only way to find out is to have one of your engineers check the source for each individual distribution and verify applicability manually, or (wait for the company plug) use a product like Palamida's that has the technology to provide you with ongoing fingerprints to help you verify a) whether you're running files from the module, b) where they are (maybe you have them but aren't using them), and c) whether or not you're already running the patch.
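To make the three checks concrete, here is an added example in Python; it is not Palamida's code or the kernel's. It hashes every file in a tree against a fingerprint table of known module revisions and reports whether the module is present, where, and whether the copies are patched. The file contents, hashes and source tree are constructed for the demo; a real table would hold digests of the actual released capiutil.c revisions.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for two revisions of capiutil.c. A real fingerprint
# table would be built from the released files, which this demo does not have.
VULNERABLE_SRC = b"/* capiutil.c: bufprint before the fix (constructed) */\n"
PATCHED_SRC = b"/* capiutil.c: bufprint after the fix (constructed) */\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Fingerprint table: digest -> (module file name, revision status).
FINGERPRINTS = {
    sha256(VULNERABLE_SRC): ("capiutil.c", "vulnerable"),
    sha256(PATCHED_SRC): ("capiutil.c", "patched"),
}


def classify_tree(root) -> list:
    """Hash every file under root and return (relative path, name, status)
    for each one that matches a known revision of the module."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            match = FINGERPRINTS.get(sha256(path.read_bytes()))
            if match:
                findings.append((str(path.relative_to(root)), *match))
    return findings


def applicability(findings) -> str:
    """Collapse the findings into the answer a triage team needs."""
    if not findings:
        return "not applicable: module files absent"
    if any(status == "vulnerable" for _, _, status in findings):
        return "applicable: unpatched copies present"
    return "mitigated: only patched copies present"


def build_sample_tree(root, variant):
    """Construct a toy source tree; variant is 'vulnerable', 'patched' or None."""
    Path(root, "README").write_bytes(b"unrelated file\n")
    if variant:
        capi = Path(root, "drivers", "isdn", "capi")
        capi.mkdir(parents=True)
        src = VULNERABLE_SRC if variant == "vulnerable" else PATCHED_SRC
        Path(capi, "capiutil.c").write_bytes(src)


def check(variant) -> str:
    """End to end: build a sample tree, scan it, report applicability."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, variant)
        return applicability(classify_tree(root))
```

Running `check("vulnerable")`, `check("patched")` and `check(None)` gives the three outcomes; `classify_tree` alone answers "where" by listing each matching path.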
With 900 Linux-related matches on NVD alone, it's becoming harder and harder to wade through the warnings that pertain to you without automated help.
-Theresa Bui Friday

