This repository has been archived by the owner on Sep 16, 2022. It is now read-only.

CVE list: Show only the currently running kernel meta-package #791

Merged

Conversation

rptrchv
Contributor

@rptrchv rptrchv commented Mar 16, 2020

closes #750
My solution description:

  1. We receive kernel meta-package info from agents.
  2. We save it into the new (kernel_meta_package) Device model's field.
  3. I've created regexp patterns (for Debian and Ubuntu) for all kernel-related packages we want to hide from the vulns list.
  4. With those regexp patterns we skip packages matching them and don't send them to check for vulns.
  5. I've created a data migration for deleting existing vulns for those packages.
  6. I've created a new RA for the case when we need to reboot the node - this is required when we have installed a kernel meta-package of a newer version than the running kernel image's package.

My solution is based on a few assumptions:

  1. Kernel meta-package is always installed alongside the rest of kernel-related packages (image, modules, headers).
  2. Kernel meta-package has the same package version as its dependent kernel image package.
  3. All kernel-related packages dependent on the kernel meta-package match my regexp patterns. Currently that's true for all standard kernel packages of all distros I've checked. But in the future we can simply adjust those patterns to support some newly found unsupported packages.

Checked distros:

  • Ubuntu: 'xenial', 'bionic'
  • Debian: 'jessie', 'stretch', 'buster'
  • In AWS: 'buster', 'bionic'

[Screenshot 2020-03-16 at 13 14 07]
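The two pieces of logic this PR describes, as an added illustration that is not the project's own code: skipping kernel-related packages before the vulnerability lookup so that only the meta-package stays in the CVE list, and deciding that a node needs a reboot because an installed kernel image is newer than the running one. The Ubuntu pattern is the one from the diff, extended with the flavour headers suggested in review; the Debian pattern, the numeric version comparison standing in for apt_pkg, the function names and the sample package inventory are assumptions made for this example.

```python
import re

# Ubuntu pattern taken from the PR diff (UBUNTU_KERNEL_PACKAGES_RE_PATTERN),
# extended with the per-cloud/flavour headers suggested in review.
UBUNTU_KERNEL_PACKAGES_RE = re.compile(
    r'linux-(?:headers|'
    r'(?:aws|gcp|kvm|oem|oem-osp1|azure|azure-edge|oracle|gke|raspi2)-headers|'
    r'image|modules)-.+'
)

# Debian pattern is an assumption for this example: version-locked image and
# headers packages (linux-image-4.9.0-11-amd64) are hidden because they are
# not upgradeable and therefore not actionable; the meta-package
# (linux-image-amd64) is kept because it carries its own vulnerabilities.
DEBIAN_KERNEL_PACKAGES_RE = re.compile(r'linux-(?:image|headers)-\d.+')

KERNEL_PACKAGES_RE_BY_DISTRO = {
    'ubuntu': UBUNTU_KERNEL_PACKAGES_RE,
    'debian': DEBIAN_KERNEL_PACKAGES_RE,
}

# Version-locked kernel image packages: "linux-image-<version>-<abi>-<flavour>".
KERNEL_IMAGE_RE = re.compile(r'linux-image-(\d+\.\d+\.\d+-\d+)-(?:.+)')
# uname -r on Debian/Ubuntu: "<version>-<abi>-<flavour>", e.g. 4.15.0-88-generic.
RUNNING_RELEASE_RE = re.compile(r'(\d+\.\d+\.\d+-\d+)-(?:.+)')


def packages_to_scan(distro, package_names):
    """Return the package names that should be sent for vulnerability lookup.

    Packages matching the distro's kernel pattern are skipped, so only the
    kernel meta-package (linux-generic, linux-aws, linux-image-amd64, ...)
    remains in the CVE list; an unknown distro is passed through unchanged.
    """
    pattern = KERNEL_PACKAGES_RE_BY_DISTRO.get(distro.lower())
    if pattern is None:
        return list(package_names)
    return [name for name in package_names if not pattern.fullmatch(name)]


def _version_key(version):
    """Assumption: a plain numeric split stands in for apt_pkg.version_compare,
    which is enough for the "<major>.<minor>.<patch>-<abi>" strings used here."""
    return tuple(int(part) for part in re.split(r'[.-]', version))


def reboot_required(running_release, package_names):
    """True when an installed kernel image is newer than the running kernel.

    This is the condition behind the PR's "Reboot required" recommended action:
    the upgrade is installed but only takes effect after a reboot. An
    unparseable release string is treated as "no reboot needed".
    """
    match = RUNNING_RELEASE_RE.fullmatch(running_release)
    if match is None:
        return False
    running = _version_key(match.group(1))
    for name in package_names:
        image = KERNEL_IMAGE_RE.fullmatch(name)
        if image is not None and _version_key(image.group(1)) > running:
            return True
    return False


# Constructed sample inventory for an Ubuntu bionic node, not a real agent report.
BIONIC_PACKAGES = [
    'linux-generic', 'linux-image-generic', 'linux-headers-generic',
    'linux-image-4.15.0-88-generic', 'linux-modules-4.15.0-88-generic',
    'linux-modules-extra-4.15.0-88-generic', 'linux-headers-4.15.0-88',
    'linux-headers-4.15.0-88-generic', 'linux-image-4.15.0-91-generic',
    'linux-firmware', 'openssl',
]

if __name__ == '__main__':
    print(packages_to_scan('ubuntu', BIONIC_PACKAGES))
    print(reboot_required('4.15.0-88-generic', BIONIC_PACKAGES))
```

Running it on the constructed bionic inventory leaves only `linux-generic`, `linux-firmware` and `openssl` to be checked, and reports a reboot because `linux-image-4.15.0-91-generic` is installed while 4.15.0-88 is running. Note that `image-.+` also swallows the per-flavour meta-package `linux-image-generic`, which is why only the top-level `linux-generic` survives.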

@rptrchv rptrchv requested a review from a-martynovich March 16, 2020 07:56
@rptrchv
Contributor Author

rptrchv commented Mar 16, 2020

@vpetersson Pls provide texts for the new RA

@a-martynovich
Contributor

@rptrchv Please list which distros and kernel packages you've tested.

@rptrchv
Contributor Author

rptrchv commented Mar 16, 2020

@rptrchv Please list which distros and kernel packages you've tested.

Updated the PR description above with this info

Contributor

@a-martynovich a-martynovich left a comment


So now we have regexes for kernel packages in agent and in api? Why can't we make this decision in one place?
Also you could simply hide the packages you don't need in CVEView by processing the list in Python. Then you wouldn't need to modify vulnerability scanning and write migrations to remove extra vulnerabilities.

Edit: On second thought, I guess there's no other way, so ignore this comment.

1. Every excluded kernel-related package *always* has a meta-package
installed.
2. All kernel meta-packages *always* have the same (including zero)
vulnerabilities as their children kernel-related packages.
Contributor


That's not true for Debian. Example: linux-image-4.9.0-11-amd64 is vulnerable to CVE-2019-14901 because it's built from linux source package but linux-image-amd64 is not because it's built from linux-latest source package.

Contributor Author

@rptrchv rptrchv Mar 16, 2020


You're right. Looks like this feature (Show only the currently running kernel meta-package) should not work in Debian at all. Reasons:

  1. Debian does not have a bunch of kernel-related packages (image, modules, headers), but only one package for everything and one meta-package for it. So there aren't many packages to hide.
  2. The kernel package and its meta-package have different vulns, so we need to display both.

@vpetersson WDYT?

Contributor


The kernel package and its meta-package have different vulns, so we need to display both.

Sure, if it's just two, I guess that's fine. Assuming they are prone to different vulns.

Contributor


Version-locked package is not updateable and therefore not actionable

Contributor Author


Good point. Since those packages are not upgradable, we still need to hide them. So I'm leaving everything as it works now.

@@ -701,7 +701,7 @@ def get_context_data(self, **kwargs):
vuln_names = Vulnerability.objects.filter(vuln_query)\
.values('name').distinct()
vuln_pub_dates_qs = Vulnerability.objects.filter(name__in=vuln_names) \
.values('name').annotate(pubdate=Max('pub_date')).distinct()
.values('name').distinct().annotate(pubdate=Max('pub_date'))
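Review bot: the hunk gives no reason for moving `.distinct()` ahead of `.annotate(pubdate=Max('pub_date'))`; the `.values('name')` before the annotation already groups rows by `name`, so the reorder reads as a no-op. Either add a one-line comment stating what query difference the new order produces, or cover it with a test that asserts the expected `(name, pubdate)` rows, so the next reader does not have to ask the same question.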
Contributor


what does this change?


- title: Reboot required
class: RebootRequiredAction
subtitle: To boot updated kernel please reboot the node.
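Review bot: the `subtitle` string needs an article and a comma to read cleanly: "To boot the updated kernel, please reboot the node." If the subtitle is kept at all, it should carry information the title does not already give, rather than restating "Reboot required".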
Contributor


subtitles are not needed for most of the actions (unless explicitly provided by Viktor)


@classmethod
def _is_affected(cls, device) -> bool:
return device.reboot_required is True
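Review bot: `return device.reboot_required is True` is only safe if `reboot_required` is a non-nullable boolean field; on a nullable field it silently treats `None` as "not affected", so `bool(device.reboot_required)` states that intent explicitly. Since the check is a single field comparison, an `_affected_devices()` override that returns a `filter(reboot_required=True)` queryset lets the database do the filtering instead of relying on the generic parent implementation.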
Contributor


Please implement _affected_devices()

Contributor Author


The one from the parent class is ok

Contributor


I know, but if it can be done with a simple query, then why not

@@ -475,9 +495,25 @@ def set_meta_tags(self):

@property
def vulnerable_packages(self):
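Review bot: the `vulnerable_packages` property added in this hunk has no caller; an unused property on a model is a maintenance trap, so drop it from this PR rather than leaving it for a follow-up.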
Contributor


I don't think this method is used anywhere.

Contributor Author


Yes. Forgot to remove it

@vpetersson
Contributor

@vpetersson Pls provide texts for the new RA

What are the exact RAs you're looking for?

@rptrchv
Contributor Author

rptrchv commented Mar 16, 2020

@vpetersson Pls provide texts for the new RA

What are the exact RAs you're looking for?

See my screenshot and the new RA description above.

@a-martynovich
Contributor

@rptrchv Am I correct in my understanding that meta-packages for Debian kernels are not yet added?

@rptrchv rptrchv closed this Mar 17, 2020
@rptrchv rptrchv reopened this Mar 17, 2020
@rptrchv
Contributor Author

rptrchv commented Mar 17, 2020

@rptrchv Am I correct in my understanding that meta-packages for Debian kernels are not yet added?

Yes. I've not finished with this yet. That's why I haven't asked for review.

I had to do that because the kernel image package version is often not the same as its meta-package's version.
@rptrchv rptrchv force-pushed the 750-cve-kernel-meta-packages branch from 71b448e to 3083d7e Compare March 19, 2020 06:47
@rptrchv rptrchv requested a review from a-martynovich March 19, 2020 06:52
@rptrchv
Contributor Author

rptrchv commented Mar 19, 2020

@vpetersson Pls provide texts for the new RA

@vpetersson
Contributor

RA for Reboot.

Title: Reboot required
Tl;dr: Reboot required for kernel upgrade to complete
Detailed:
You have recently installed a new Linux kernel, but the system is currently running an older version. In order to apply the kernel upgrade, you need to reboot your system.
Command: sudo shutdown -r now

@rptrchv
Contributor Author

rptrchv commented Mar 19, 2020

RA for Reboot.

Done

@a-martynovich
Contributor

@rptrchv so we don't need kernel_meta_package?

@rptrchv
Contributor Author

rptrchv commented Mar 19, 2020

@rptrchv so we don't need kernel_meta_package?

yes

@@ -24,7 +24,8 @@
apt_pkg.init()

DEBIAN_SUITES = ('jessie', 'stretch', 'buster') # Supported Debian suite names.
UBUNTU_SUITES = ('xenial', 'bionic') # Supported Ubuntu suite names.
UBUNTU_SUITES = ('xenial', 'bionic') # Supported Ubuntu suite (16.04, 18.04) names.
UBUNTU_KERNEL_PACKAGES_RE_PATTERN = r'linux-(?:headers|aws-headers|image|modules)-.+'
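Review bot: `UBUNTU_KERNEL_PACKAGES_RE_PATTERN` is anchored at the start only if it is applied with `re.match`, so pair it with `re.fullmatch` (ideally compiled once at module level) to make the intended whole-name match explicit. Note also that `image-.+` matches the per-flavour meta-packages such as `linux-image-generic`, leaving only the top-level `linux-generic` in the list; if that is intended, say so in the comment next to the pattern. The other flavour headers (gcp, kvm, azure, oracle, raspi2, ...) need the same treatment as `aws-headers`, otherwise those nodes still show the per-version header packages.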
Contributor

@a-martynovich a-martynovich Mar 19, 2020


I would also add (gcp|kvm|oem|oem-osp1|azure|azure-edge|oracle|gke|raspi2)-headers here (see linux-headers)

Contributor Author


Done

@a-martynovich a-martynovich merged commit 06f7d05 into WoTTsecurity:master Mar 19, 2020
Successfully merging this pull request may close these issues.

CVE list: Show only the currently running kernel meta-package
4 participants