new to kace - OVAL scan questions
I queued up an OVAL scan on my PC and found a bunch of vulnerabilities. I was kind of shocked by the ones that it found, because a lot of them relate back to Microsoft patches that should have been applied.
I've been searching through the vulnerabilities, and if I check the items they have a portion of what KACE is checking to determine if the PC in question has the vulnerability. Example below:
Title:
DataGrid Control Memory Corruption Vulnerability
OVAL-ID:
oval:org.mitre.oval:def:5894 ( ACCEPTED )
Class:
vulnerability
Ref-ID:
CVE-2008-4252
Description:
The DataGrid ActiveX control in Microsoft Visual Basic 6.0 and Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2 does not properly handle errors during access to incorrectly initialized objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to corruption of the "system state," aka "DataGrid Control Memory Corruption Vulnerability."
Definition:
- Microsoft Visual Basic 6.0 is installed
- AND Mscomct2.ocx version is less than 6.1.98.12
The item above under Definition states that "Mscomct2.ocx version is less than 6.1.98.12". I don't have VB installed and Mscomct2.ocx does not exist on my PC. If both of these cases are not relevant, why should KACE report the vulnerability?
How does KACE determine if a vulnerability exists?
Answers (4)
Posted by:
ktm_2000
14 years ago
I understand the criteria of how OVAL is evaluating; it appears to be using boolean logic. I'm asking how KACE is interpreting these results.
From the OVAL description it should be evaluating the following items:
Definition:
Microsoft Visual Basic 6.0 is installed
AND Mscomct2.ocx version is less than 6.1.98.12
My evaluation of the criteria by checking the PC:
Microsoft Visual Basic 6.0 is installed = Not sure what it is looking for, guessing similar to earlier posting that components are there = True
AND Mscomct2.ocx version is less than 6.1.98.12 = FALSE
Combined statement = FALSE
So if I evaluate those items from a boolean perspective, I get a False answer, and with that the vulnerability should not be applicable.
I am asking how KACE is evaluating these statements, because it is returning a True.
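As an added illustration (not code from KACE, ovaldi or MITRE), the following Python models how an OVAL definition's criteria tree is combined, using the two criteria quoted in this thread. The test names, the registry path used for "Visual Basic 6.0 is installed", and the per-host data are constructed placeholders, not the real OVAL test objects; the result-combination rules (false beats unknown beats true under AND) follow the OVAL results specification in simplified form.

```python
"""Simplified model of OVAL criteria evaluation (added example).

Not KACE's or ovaldi's code. Test names, the registry path and the
host data below are constructed placeholders for illustration only.
"""
import xml.etree.ElementTree as ET

# Constructed OVAL-style definition: the two criteria from the thread, ANDed.
DEFINITION_XML = """
<definition id="oval:example:def:1" class="vulnerability">
  <criteria operator="AND">
    <criterion test_ref="tst:vb6_installed"
               comment="Microsoft Visual Basic 6.0 is installed"/>
    <criterion test_ref="tst:mscomct2_version"
               comment="Mscomct2.ocx version is less than 6.1.98.12"/>
  </criteria>
</definition>
"""

# Constructed test table. The registry path is a placeholder, not the real
# object the MITRE definition inspects.
TESTS = {
    "tst:vb6_installed": ("registry_key_exists", r"HKLM\SOFTWARE\EXAMPLE\VB6"),
    "tst:mscomct2_version": ("file_version_less_than", "Mscomct2.ocx", "6.1.98.12"),
}

# Constructed "system characteristics" for four hosts.
HOSTS = {
    "no_vb": {"registry_keys": set(), "files": {}},
    "vb6_old_ocx": {"registry_keys": {r"HKLM\SOFTWARE\EXAMPLE\VB6"},
                    "files": {"Mscomct2.ocx": "6.0.81.5"}},
    "vb6_patched": {"registry_keys": {r"HKLM\SOFTWARE\EXAMPLE\VB6"},
                    "files": {"Mscomct2.ocx": "6.1.98.12"}},
    "vb6_unreadable": {"registry_keys": {r"HKLM\SOFTWARE\EXAMPLE\VB6"},
                       "files": {"Mscomct2.ocx": None}},
}


def parse_version(version):
    """Turn '6.1.98.12' into (6, 1, 98, 12) so comparisons are numeric."""
    return tuple(int(part) for part in version.split("."))


def run_test(test_ref, host):
    """Evaluate one OVAL-style test against collected host data."""
    kind, *args = TESTS[test_ref]
    if kind == "registry_key_exists":
        return "true" if args[0] in host["registry_keys"] else "false"
    if kind == "file_version_less_than":
        name, threshold = args
        if name not in host["files"]:
            # OVAL's default check_existence is at_least_one_exists: an absent
            # file makes the test false rather than an error.
            return "false"
        version = host["files"][name]
        if version is None:
            return "unknown"  # file collected but its version could not be read
        return "true" if parse_version(version) < parse_version(threshold) else "false"
    raise ValueError(f"unsupported test kind: {kind}")


def combine(operator, results):
    """OVAL result combination for AND/OR over true/false/unknown."""
    if operator == "AND":
        if "false" in results:
            return "false"
        return "unknown" if "unknown" in results else "true"
    if operator == "OR":
        if "true" in results:
            return "true"
        return "unknown" if "unknown" in results else "false"
    raise ValueError(f"unsupported operator: {operator}")


def evaluate_node(node, host):
    """Recursively evaluate a <criteria> or <criterion> element."""
    if node.tag == "criterion":
        return run_test(node.get("test_ref"), host)
    return combine(node.get("operator", "AND"),
                   [evaluate_node(child, host) for child in node])


def evaluate_definition(host, xml=DEFINITION_XML):
    return evaluate_node(ET.fromstring(xml).find("criteria"), host)


def explain(host_name):
    """Per-criterion breakdown in the style ktm_2000 wrote out by hand."""
    host = HOSTS[host_name]
    criteria = ET.fromstring(DEFINITION_XML).find("criteria")
    lines = [f"{c.get('comment')} = {run_test(c.get('test_ref'), host)}"
             for c in criteria]
    lines.append(f"Combined (AND) = {evaluate_definition(host)}")
    return lines


if __name__ == "__main__":
    for name in HOSTS:
        print(f"[{name}]")
        for line in explain(name):
            print("  " + line)
```

The "no_vb" host reproduces the evaluation in the post above: the file is absent, so the version test is false and the AND is false regardless of the first criterion. The "vb6_unreadable" host shows the case a scanner can report as neither true nor false; a definition that shows up in a GUI as a plain finding may be hiding an "unknown" or error result, which is why comparing against the engine's raw results XML (as suggested later in the thread) is the right first check.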
Posted by:
cblake
14 years ago
VB is often part of other programs and most likely exists in some way (E.G. Installing MS Office, Autodesk products, etc. almost always adds this functionality). That might be the case here; it's present even if it isn't explicitly being installed by you. VBscripting support is also part of most operating systems as well, so some portions of the VB environment are always present.
My general recommendation is to take the OVAL results with a grain of salt, so to speak. Meaning that if you find things on the list that don't really concern you or don't cause issues they can possibly be ignored -- or remediated with a patch, managed install of newer software, or a script. I try to read the report on some regular basis and determine what's important or potentially harmful to the organization. You will almost always see known exceptions and other items, the exercise here is mostly to determine what makes sense to your company to address. The definitions are defined by MITRE (http://oval.mitre.org), so they'd have to explain the behavior in more detail I think.
Posted by:
GillySpy
14 years ago
How does KACE determine if a vulnerability exists?
We're running the oval scan engine which is using this criteria here:
http://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/5894/DataGrid-Control-Memory-Corruption-Vulnerability.html
Posted by:
GillySpy
14 years ago
The scan engine outputs an XML file. Are you saying:
- that the results in the XML file are what you expect but the results in the GUI are not? If so, then please open a support ticket.
- Or are you saying that you believe those to be false and want to know the details?
BTW, the xml can be viewed by running this manually:
ovaldi.exe -m -o windows.definitions.xml
A few XML files are spit out.
Rating comments in this legacy AppDeploy message board thread won't reorder them, so that the conversation will remain readable.