topic Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes in Cortex XDR Discussions

Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

fb-pan — Tue, 18 May 2021 14:52:31 GMT

Dear community

When using the Vulnerability Assessment with Linux hosts, the results may include a lot of false positives.

Distributions which are backporting security fixes (CentOS / Debian) do may not change the App Version when they got patched.

https://access.redhat.com/security/updates/backporting

"Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not"

"We also supply OVAL definitions (machine-readable versions of our advisories) that third-party vulnerability tools can use to determine the status of vulnerabilities, even when security fixes have been backported."

I didn't see much in the documentation, and I'm not sure if this is "working as expected" or if there is a way to improve the configuration for better detection.

Cheers

Fabian

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

gjenkins — Tue, 20 Jul 2021 22:52:20 GMT

@fb-pan wrote:
Dear community

When using the Vulnerability Assessment with Linux hosts, the results may include a lot of false positives.
Distributions which are backporting security fixes (CentOS / Debian) do may not change the App Version when they got patched.
https://access.redhat.com/security/updates/backporting

"Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not"

"We also supply OVAL definitions (machine-readable versions of our advisories) that third-party vulnerability tools can use to determine the status of vulnerabilities, even when security fixes have been backported."

I didn't see much in the documentation, and I'm not sure if this is "working as expected" or if there is a way to improve the configuration for better detection.

Cheers
Fabian

Hi @fb-pan,

Hi Fabian,

Thank you for reporting on the backporting strategy implemented by RedHat and other potential Linux vendors. Are you finding that your endpoints encountering an increase in false positives in their vulnerability assessments as a result? I'm certain that Palo Alto Networks Engineers would be interested in hearing about your results and analyzing any data you could provide regarding the concern/issue.

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

fb-pan — Wed, 21 Jul 2021 06:22:14 GMT

Hi gjenkins

Thanks for your answer. I was in contact with a PAN Cortex SE and he told me, that they know about this (by design)..

He did open an FR (not sure about the FR ID). If you want to vote for this FR, I can ask for the ID.

Regards

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

NathanBradley — Wed, 21 Jul 2021 16:44:16 GMT

Ive also brought this up to out SE and sales when vulnerability assessment was added, I was told its working and the endpoint is vulnerable.

I provided examples of applications that are patched and never received an acceptable answer

Its unusable as a means to gauge a Linux devices vulnerability posture

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

gjenkins — Wed, 21 Jul 2021 17:55:22 GMT

Hi @fb-pan ,

It's quite understandable that a feature request had been logged as backporting had not been considered. In this case, monitoring for support in the next iteration of the Vulnerability Assessment would be the best next step. I look forward to seeing how this would be accomplished.

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

NathanBradley — Fri, 20 May 2022 13:39:00 GMT

Any updates on this?

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

NathanBradley — Fri, 20 May 2022 13:56:14 GMT

Here is a specific example.

A Centos server is reporting a vulnerability(cve-2018-10906) in fuse

Fuse has been patched via a backported update, as the changelog shows proof

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

Antony_Chan — Wed, 01 Jun 2022 09:44:01 GMT

Just wondering, any support ticket filed for this? If not, any feature request to vote for... improve accuracy?

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

NathanBradley — Tue, 07 Jun 2022 16:52:04 GMT

We worked with our SE and support previously, we never received an acceptable resolution\explanation.

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

afurze — Tue, 07 Jun 2022 17:22:42 GMT

@Antony_Chan wrote:
Just wondering, any support ticket filed for this? If not, any feature request to vote for... improve accuracy?

Hi Myu06kkn,

Please reach out to your Sales Engineer/Account Team to get added to this Feature Request and track progress.

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

NathanBradley — Wed, 22 Jun 2022 19:44:11 GMT

I recently opened a ticket and worked with support again. They stated its currently working as designed, XDR looks at the NIST database for the version only

This time they opened an "internal ticket to explain the issue to the backend team" and gave me the ticket ID

Suggested i reach out to my sales rep to get improvement followups with the feature

I assume the more customers the better

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

ADurban Martin — Thu, 26 Jan 2023 05:20:34 GMT

Hello Nathan,
Any Updates on the topic? we are in the same situation as you where.

Re: Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

NathanBradley — Thu, 26 Jan 2023 15:44:33 GMT

I am not aware of any updates.

Maybe the more customers who contact support regarding the issue it will get more attention?