FreeBSD security vulnerabilities in FreeNAS that are not fixed but supposed to be.

Status
Not open for further replies.

jamoses

Cadet
Joined
Sep 22, 2011
Messages
9
Colleagues,

I have FreeNAS 8.3.1-REL based upon FreeBSD 8.3p6. Security scanning reveals that bzip2 (ver 1.0.5), ntpd (ver 4.2.4p5) and openssl (ver 0.9.8q) need to be upgraded to 1.0.6, 4.2.4p7 and 1.0.0h respectively in order to patch the vulnerabilities.

I posted to the FreeBSD forums to try and get to the bottom of the issues and possibly resolve the security vulnerabilities in FreeNAS/FreeBSD. What is odd is that the community says that the vulnerabilities in ntpd and bzip2 were fixed long ago and should NOT be present in FreeNAS 8.3.1-REL/FreeBSD 8.3p6, but they STILL are.

Reference: http://forums.freebsd.org/showthread.php?p=216392&posted=1#post216392

Anyone know why the BSD community says this stuff is patched since 8.1 and the problems still show up in FreeNAS as of only a couple months ago? The vulnerabilities are years old now.

-Jim
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Re: FreeBSD security vulnerabilities in FreeNAS that are not fixed but supposed to be

I've created a ticket for this issue. I'd track the ticket and see what the developers have to say...


https://support.freenas.org/ticket/2121
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Re: FreeBSD security vulnerabilities in FreeNAS that are not fixed but supposed to be

Is this the reason 8.3.1-p2 is getting prepared?

EDIT: Nevermind, I should have jumped to the timeline before I posted.
 

tingo

Contributor
Joined
Nov 5, 2011
Messages
137
Re: FreeBSD security vulnerabilities in FreeNAS that are not fixed but supposed to be

I have FreeNAS 8.3.1-REL based upon FreeBSD 8.3p6. Security scanning reveals that bzip2 (ver 1.0.5), ntpd (ver 4.2.4p5) and openssl (ver 0.9.8q) need to be upgraded to 1.0.6, 4.2.4p7 and 1.0.0h respectively in order to patch the vulnerabilities.

You don't say what kind of security scanning / tool you used.
Hopefully, it is not just a tool that only checks version numbers. The vulnerabilities might have been patched even if the version numbers haven't changed...
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Re: FreeBSD security vulnerabilities in FreeNAS that are not fixed but supposed to be

Hopefully, it is not just a tool that only checks version numbers.

If you haven't actually installed the stuff yourself, that's generally one of the accepted ways to determine what's installed - it's part of why things carry (and advertise, in many cases) version numbers.

The vulnerabilities might have been patched even if the version numbers hasn't changed...

Well, that's just evil for any number of reasons.
 

tingo

Contributor
Joined
Nov 5, 2011
Messages
137
Re: FreeBSD security vulnerabilities in FreeNAS that are not fixed but supposed to be

If you haven't actually installed the stuff yourself, that's generally one of the accepted ways to determine what's installed - it's part of why things carry (and advertise, in many cases) version numbers.

I agree that version numbers are a way to find out what's installed.
However, for security scanning, relying on version numbers is a bad thing. What happens if some malware installs itself and patches the version number of the vulnerable program / part it used to gain access?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Re: FreeBSD security vulnerabilities in FreeNAS that are not fixed but supposed to be

Yeah? What if? You cannot fix every problem with one technique. You have to detect malicious intrusions that modify files with a tool designed for that task, such as mtree or tripwire. Version numbering is a lightweight way to monitor that you are not running old software. It obviously cannot prove that your software has not been compromised.
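A minimal file-integrity baseline of the kind jgreco refers to, written in Python as an added example (it is not a tool from this thread, from FreeNAS or from FreeBSD; mtree and tripwire do the same job far more completely). It records size, mode bits and a SHA-256 digest per file, then reports what changed; the files, paths and the "version banner bumped" scenario are constructed for the demo.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (relative POSIX path) to (size, mode bits, sha256)."""
    base = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            base[p.relative_to(root).as_posix()] = (st.st_size, stat.S_IMODE(st.st_mode), _sha256(p))
    return base

def verify(root, baseline):
    """Re-scan root and report files that changed, vanished or appeared since the baseline."""
    now = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in now and now[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in now),
        "extra": sorted(k for k in now if k not in baseline),
    }

def demo():
    """Constructed scenario: one file altered but with a newer-looking version string, one removed, one added."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "bin").mkdir()
        (r / "bin" / "ntpd").write_bytes(b"ntpd 4.2.4p5\n")    # stand-in for a binary, not real ntpd
        (r / "bin" / "bzip2").write_bytes(b"bzip2 1.0.5\n")
        baseline = build_baseline(root)
        clean = verify(root, baseline)                          # nothing has changed yet
        # The advertised version now looks patched, so a version-only check is satisfied,
        # but the content digest no longer matches the baseline and the change is reported.
        (r / "bin" / "ntpd").write_bytes(b"ntpd 4.2.4p7\n")
        (r / "bin" / "bzip2").unlink()
        (r / "lib").mkdir()
        (r / "lib" / "dropped.so").write_bytes(b"\x7fELF")
        return clean, verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the host it was taken on and the place it is stored, so keep it off the monitored system, as mtree and tripwire deployments do.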
 

tingo

Contributor
Joined
Nov 5, 2011
Messages
137
Re: FreeBSD security vulnerabilities in FreeNAS that are not fixed but supposed to be

Exactly. It seems we agree then. :smile:
 