
List:       openvas-plugins
Subject:    Re: [Openvas-plugins] [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla Firefox ver
From:       CAMPBELL Jeremy <jcampbell () scorvelogica ! com>
Date:       2018-03-01 20:17:22
Message-ID: MWHPR08MB3565A0EE1309062D9738C1A5D6C60 () MWHPR08MB3565 ! namprd08 ! prod ! outlook ! com

Karl,

You can create a group policy object in your Windows environment to delete those keys. That makes the problem go away.

Regards,
Jeremy
This message was classified PUBLIC by CAMPBELL Jeremy on Thursday, March 1, 2018 at 3:17:16 PM.

From: Openvas-plugins [mailto:openvas-plugins-bounces@wald.intevation.org] On Behalf Of Karl Fox
Sent: Thursday, March 1, 2018 1:50 PM
To: openvas-plugins@wald.intevation.org
Subject: [Openvas-plugins] [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version

Thank you for your response.

Yes, I understand that this issue is triggered because Firefox sloppily leaves behind a registry entry when it uninstalls or upgrades, but Nessus, for example, doesn't get tripped up by that, and there are thousands of machines out there that will have these extraneous entries until the end of time. Would it be possible to modify gb_firefox_detect_win.nasl to not make this incorrect assumption? Perhaps check the uninstall hive to see if the software is still actually installed?

Thanks,

Karl
---------- Forwarded message ---------
From: <noreply@wald.intevation.org>
Date: Thu, Mar 1, 2018 at 1:32 PM
Subject: [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
To: <noreply@wald.intevation.org>


Bugs item #6942, was changed at 2018-01-25 20:17 by Christian Fischer
You can respond by visiting:
https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29

> Status: Closed
Priority: 3
Submitted By: Lithik Systems (lithik)
Assigned to: Nobody (None)
Summary: gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
Architecture: 64 bits
Product: OpenVAS
Operating System: Linux
Component: openvas-plugins
Version: None
Severity: normal
> Resolution: Won't Fix
Hardware: PC
URL:


Initial Comment:
We have seen many 64-bit machines where OpenVAS throws up to dozens of Mozilla Firefox (not ESR) vulnerabilities even though Firefox is in fact up to date. We have tracked this down to what appears to be an incompletely uninstalled 32-bit version of Firefox where the current 64-bit Firefox is installed and running.

The following registry values remain:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org (folder)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla (folder)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla\CurrentVersion (REG_SZ)

OpenVAS reports the value of CurrentVersion as being too old. No other fields exist under the Wow6432Node\mozilla.org folder.

The following filesystem items remain:

C:\Program Files (x86)\Mozilla Firefox
C:\Program Files (x86)\Mozilla Firefox\browser
C:\Program Files (x86)\Mozilla Firefox\browser\defaults
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\disable-autoupdate.js

No other files or folders exist under C:\Program Files (x86)\Mozilla Firefox

The folder C:\Program Files\Mozilla Firefox exists and contains a complete and current Firefox installation.

The registry value HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\Mozilla\CurrentVersion exists and contains the version number of the current Firefox installation.

If I remove the old registry entry, OpenVAS does not report false positives. But I continue to run into hundreds of machines with this problem. Perhaps gb_firefox_detect_win.nasl can be made to avoid this false positive.

In the specific case I am using for this report, the uninstalled version is 44.0.2 and the currently installed version is 56.0.2.

----------------------------------------------------------------------

> Comment By: Christian Fischer (cfi)
Date: 2018-03-01 18:32

Message:
Hi,

thanks for your report. Please note that this bugtracker is abandoned and issues related to NVTs are better placed at https://lists.wald.intevation.org/pipermail/openvas-plugins/

Firefox itself is known to leave traces like this behind causing some possible false detections. See e.g. https://lists.wald.intevation.org/pipermail/openvas-discuss/2018-January/011748.html for some background.

For now I'm closing this as the false detection will go away once the Firefox upgrade routines are correctly doing their job or the target's registry is cleaned up from such traces.

Suggestions to improve the situation or even patches are still welcome at the mentioned openvas-plugins mailing list.

----------------------------------------------------------------------

You can respond by visiting:
https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29
________________________________

This message, including attachments, is intended for the above-mentioned addressees only. It may contain confidential information the review, dissemination or disclosure of which is strictly prohibited. Should you receive this message in error, please delete it and notify the sender to the e-mail address indicated above.

________________________________
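The thread proposes two remedies: Karl's, that the detection should consult the Uninstall hive before trusting a CurrentVersion value, and Jeremy's, that a group policy object should simply delete the orphaned keys. The PowerShell script below is an added example written for this page; it is not code from the thread, from gb_firefox_detect_win.nasl or from Greenbone. It applies Karl's check on the target itself: for each registry view (native 64-bit and Wow6432Node) it reads mozilla.org\Mozilla\CurrentVersion, the value from the bug report, and treats it as live only when an Uninstall entry for Firefox in the same view points at a directory that still contains firefox.exe. In the reported case the leftover C:\Program Files (x86)\Mozilla Firefox holds only a defaults\preferences file, so the x86 value fails that test while the x64 value passes. With -Remove it then deletes the orphaned key, which is the cleanup Jeremy's GPO would perform. Assumptions not taken from the report: the Uninstall hive paths are the standard Windows ones, the Firefox uninstall entry's DisplayName begins with "Mozilla Firefox", and its InstallLocation value is populated.

```powershell
<#
  Added example for this thread; not code from the NVT, Greenbone, or the posters.
  For every registry view, keep a mozilla.org\Mozilla\CurrentVersion value only if a
  Firefox Uninstall entry in that view points at a directory that still has firefox.exe.
  Run elevated. Without -Remove it only reports; combine -Remove with -WhatIf for a dry run.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Key paths from the bug report, paired with the standard Uninstall hive of the same view.
$views = @(
    [pscustomobject]@{
        Name      = 'x64'
        Root      = 'HKLM:\SOFTWARE\mozilla.org'
        Uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    },
    [pscustomobject]@{
        Name      = 'x86'
        Root      = 'HKLM:\SOFTWARE\Wow6432Node\mozilla.org'
        Uninstall = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    }
)

function Get-LiveFirefoxInstall {
    param([string]$UninstallPath)
    # Assumption: the installer names its Uninstall entry 'Mozilla Firefox ...' and sets
    # InstallLocation. An entry counts only if firefox.exe is still present there; in the
    # report the leftover x86 directory contains nothing but a defaults\preferences file.
    Get-ChildItem -Path $UninstallPath -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object {
            $_.DisplayName -like 'Mozilla Firefox*' -and
            $_.InstallLocation -and
            (Test-Path -LiteralPath (Join-Path $_.InstallLocation 'firefox.exe'))
        }
}

foreach ($v in $views) {
    $mozillaKey = Join-Path $v.Root 'Mozilla'
    $cv = (Get-ItemProperty -Path $mozillaKey -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
    if (-not $cv) {
        Write-Verbose "[$($v.Name)] no CurrentVersion value; nothing for a scanner to read here."
        continue
    }

    $live = @(Get-LiveFirefoxInstall -UninstallPath $v.Uninstall)
    if ($live.Count -gt 0) {
        $msg = "[{0}] CurrentVersion={1} is backed by '{2}' at {3}; leaving it."
        Write-Output ($msg -f $v.Name, $cv, $live[0].DisplayName, $live[0].InstallLocation)
        continue
    }

    $msg = "[{0}] CurrentVersion={1} has no live Firefox install behind it; a registry-only detection will still report {1}."
    Write-Warning ($msg -f $v.Name, $cv)

    if ($Remove -and $PSCmdlet.ShouldProcess($v.Root, 'Remove orphaned mozilla.org key')) {
        # The report states nothing else exists under the stale mozilla.org key, so the
        # whole key goes. Inspect the key first on hosts where that may not hold.
        Remove-Item -LiteralPath $v.Root -Recurse -Force
    }
}
```

Run it once with `-Remove -WhatIf` to see which keys it would delete before deploying it, then push it through a GPO computer startup script or scheduled task. The script only demonstrates the cross-check on the target side; making the scanner itself immune would mean implementing the same Uninstall-hive comparison inside the NASL detection, which the thread asks for but does not supply.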





_______________________________________________
Openvas-plugins mailing list
Openvas-plugins@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins

