Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

cancel
Showing results for 
Search instead for 
Did you mean: 

Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

L2 Linker

Dear community

 

When using the Vulnerability Assessment with Linux hosts, the results may include a lot of false positives.

Distributions which are backporting security fixes (CentOS / Debian) do may not change the App Version when they got patched.

https://access.redhat.com/security/updates/backporting

 

"Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not"

 

"We also supply OVAL definitions (machine-readable versions of our advisories) that third-party vulnerability tools can use to determine the status of vulnerabilities, even when security fixes have been backported."

 

I didn't see much in the documentation, and I'm not sure if this is "working as expected" or if there is a way to improve the configuration for better detection.

 

Cheers

Fabian

 

4 REPLIES 4

L4 Transporter

@fb-pan wrote:

Dear community

 

When using the Vulnerability Assessment with Linux hosts, the results may include a lot of false positives.

Distributions which are backporting security fixes (CentOS / Debian) do may not change the App Version when they got patched.

https://access.redhat.com/security/updates/backporting

 

"Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not"

 

"We also supply OVAL definitions (machine-readable versions of our advisories) that third-party vulnerability tools can use to determine the status of vulnerabilities, even when security fixes have been backported."

 

I didn't see much in the documentation, and I'm not sure if this is "working as expected" or if there is a way to improve the configuration for better detection.

 

Cheers

Fabian

 


Hi @fb-pan,

 

Hi Fabian,

Thank you for reporting on the backporting strategy implemented by RedHat and other potential Linux vendors. Are you finding that your endpoints encountering an increase in false positives in their vulnerability assessments as a result? I'm certain that Palo Alto Networks Engineers would be interested in hearing about your results and analyzing any data you could provide regarding the concern/issue.

--gjenkins

Hi gjenkins

Thanks for your answer. I was in contact with a PAN Cortex SE and he told me, that they know about this (by design)..

He did open an FR (not sure about the FR ID). If you want to vote for this FR, I can ask for the ID.

Regards

L1 Bithead

Ive also brought this up to out SE and sales when vulnerability assessment was added, I was told its working and the endpoint is vulnerable.

I provided examples of applications that are patched and never received an acceptable answer

Its unusable as a means to gauge a Linux devices vulnerability posture

 

L4 Transporter

Hi @fb-pan ,

It's quite understandable that a feature request had been logged as backporting had not been considered. In this case, monitoring for support in the next iteration of the Vulnerability Assessment would be the best next step. I look forward to seeing how this would be accomplished.

--gjenkins
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!