Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cortex XDR Vulnerability Assessment - Linux Backporting Security Fixes

L2 Linker

Dear community

 

When using the Vulnerability Assessment with Linux hosts, the results may include a lot of false positives.

Distributions which are backporting security fixes (CentOS / Debian) do may not change the App Version when they got patched.

https://access.redhat.com/security/updates/backporting

 

"Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not"

 

"We also supply OVAL definitions (machine-readable versions of our advisories) that third-party vulnerability tools can use to determine the status of vulnerabilities, even when security fixes have been backported."

 

I didn't see much in the documentation, and I'm not sure if this is "working as expected" or if there is a way to improve the configuration for better detection.

 

Cheers

Fabian

 

12 REPLIES 12

L4 Transporter

@fb-pan wrote:

Dear community

 

When using the Vulnerability Assessment with Linux hosts, the results may include a lot of false positives.

Distributions which are backporting security fixes (CentOS / Debian) do may not change the App Version when they got patched.

https://access.redhat.com/security/updates/backporting

 

"Backporting has a number of advantages for customers, but it can create confusion when it is not understood. Customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable or not"

 

"We also supply OVAL definitions (machine-readable versions of our advisories) that third-party vulnerability tools can use to determine the status of vulnerabilities, even when security fixes have been backported."

 

I didn't see much in the documentation, and I'm not sure if this is "working as expected" or if there is a way to improve the configuration for better detection.

 

Cheers

Fabian

 


Hi @fb-pan,

 

Hi Fabian,

Thank you for reporting on the backporting strategy implemented by RedHat and other potential Linux vendors. Are you finding that your endpoints encountering an increase in false positives in their vulnerability assessments as a result? I'm certain that Palo Alto Networks Engineers would be interested in hearing about your results and analyzing any data you could provide regarding the concern/issue.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

Hi gjenkins

Thanks for your answer. I was in contact with a PAN Cortex SE and he told me, that they know about this (by design)..

He did open an FR (not sure about the FR ID). If you want to vote for this FR, I can ask for the ID.

Regards

L3 Networker

Ive also brought this up to out SE and sales when vulnerability assessment was added, I was told its working and the endpoint is vulnerable.

I provided examples of applications that are patched and never received an acceptable answer

Its unusable as a means to gauge a Linux devices vulnerability posture

 

L4 Transporter

Hi @fb-pan ,

It's quite understandable that a feature request had been logged as backporting had not been considered. In this case, monitoring for support in the next iteration of the Vulnerability Assessment would be the best next step. I look forward to seeing how this would be accomplished.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

L3 Networker

Any updates on this?

L3 Networker

Here is a specific example. 

A Centos server is reporting a vulnerability(cve-2018-10906) in fuse

Fuse has been patched via a backported update, as the changelog shows proof

 

Vuln_Linux.JPG

L2 Linker

Just wondering, any support ticket filed for this? If not, any feature request to vote for... improve accuracy?

AC

We worked with our SE and support previously, we never received an acceptable resolution\explanation.

 

 


@Antony_Chan wrote:

Just wondering, any support ticket filed for this? If not, any feature request to vote for... improve accuracy?


Hi Myu06kkn,

 

Please reach out to your Sales Engineer/Account Team to get added to this Feature Request and track progress.

I recently opened a ticket and worked with support again. They stated its currently working as designed, XDR looks at the NIST database for the version only

This time they opened an "internal ticket to explain the issue to the backend team" and gave me the ticket ID

Suggested i reach out to my sales rep to get improvement followups with the feature

I assume the more customers the better

L0 Member

Hello Nathan,
Any Updates on the topic? we are in the same situation as you where.

I am not aware of any updates.

Maybe the more customers who contact support regarding the issue it will get more attention?

  • 7304 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!