Hello guys, first I'm sorry if I posted on the wrong topic but I didn't find a specific security.
I have the following doubts:
I installed a server with Debian 10.9 and as soon as the installation was finished, I tried to update it.
As this server is part of a company infrastructure, I left it registered to do vulnerability scans in an automated way.
When running nmap with a script, I noticed that it reported the ssh service as vulnerable, as shown in the text below:
root@debian:/home/slater# nmap -sV --script vulners --script-args mincvss=5.0 x.x.x.x
Starting Nmap 7.70 ( https://nmap.org ) at 2021-04-08 11:21 -03
Nmap scan report for x.x.x.x
Host is up (0.00026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.6p1:
| EXPLOITPACK:98FE96309F9524B8C84C508837551A19 5.8 https://vulners.com/exploitpack/EXPLOIT ... 8837551A19 *EXPLOIT*
| EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 5.8 https://vulners.com/exploitpack/EXPLOIT ... DDD97F9E97 *EXPLOIT*
| EDB-ID:46516 5.8 https://vulners.com/exploitdb/EDB-ID:46516 *EXPLOIT*
| CVE-2019-6111 5.8 https://vulners.com/cve/CVE-2019-6111
| SSH_ENUM 5.0 https://vulners.com/canvas/SSH_ENUM *EXPLOIT*
| PACKETSTORM:150621 5.0 https://vulners.com/packetstorm/PACKETSTORM:150621 *EXPLOIT*
| MSF:AUXILIARY/SCANNER/SSH/SSH_ENUMUSERS 5.0 https://vulners.com/metasploit/MSF:AUXI ... _ENUMUSERS *EXPLOIT*
| EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 5.0 https://vulners.com/exploitpack/EXPLOIT ... B764E13FB0 *EXPLOIT*
| EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 5.0 https://vulners.com/exploitpack/EXPLOIT ... 4B75563283 *EXPLOIT*
| EDB-ID:45939 5.0 https://vulners.com/exploitdb/EDB-ID:45939 *EXPLOIT*
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
| CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
| 1337DAY-ID-31730 5.0 https://vulners.com/zdt/1337DAY-ID-31730 *EXPLOIT*
| EDB-ID:45233 4.6 https://vulners.com/exploitdb/EDB-ID:45233 *EXPLOIT*
| PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
| EDB-ID:46193 0.0 https://vulners.com/exploitdb/EDB-ID:46193 *EXPLOIT*
| 1337DAY-ID-32009 0.0 https://vulners.com/zdt/1337DAY-ID-32009 *EXPLOIT*
|_ 1337DAY-ID-30937 0.0 https://vulners.com/zdt/1337DAY-ID-30937 *EXPLOIT*
MAC Address: 08:00:27:0F:EC:DA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.32 seconds
What surprised me is that there are vulnerabilities from 2018 in the text above.
Shouldn't Debian have updated these packages with security holes?
Below is my sources.list to see if something is wrong.
root@debian:/home/slater# cat /etc/apt/sources.list
#
# deb cdrom:[Debian GNU/Linux 10.9.0 _Buster_ - Official amd64 NETINST 20210327-10:38]/ buster main
#deb cdrom:[Debian GNU/Linux 10.9.0 _Buster_ - Official amd64 NETINST 20210327-10:38]/ buster main
deb http://deb.debian.org/debian/ buster main
deb-src http://deb.debian.org/debian/ buster main
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
# buster-updates, previously known as 'volatile'
deb http://deb.debian.org/debian/ buster-updates main
deb-src http://deb.debian.org/debian/ buster-updates main
deb http://security.debian.org/debian-security buster/updates main contrib non-free
# This system was installed using small removable media
# (e.g. netinst, live or single CD). The matching "deb cdrom"
# entries were disabled at the end of the installation process.
# For information about how to configure apt package sources,
# see the sources.list(5) manual.
Thanks
Security Updates
- FreewheelinFrank
Re: Security Updates
You have to look at the vulnerability reports and see what has been fixed and what hasn't and why.
For example, one link refers to CVE-2019-6110 and CVE-2019-6111. You will see that one of these has been fixed and the other is marked as unimportant, with a link to a discussion of why it's unimportant.
https://security-tracker.debian.org/tra ... -2019-6110
https://security-tracker.debian.org/tra ... -2019-6111
https://lists.mindrot.org/pipermail/ope ... 37475.html
It's your job to read these and evaluate them and decide if and how you are going to mitigate the unfixed ones if you don't agree they are unimportant. Have fun!
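One way to turn the scan output into the reading list this reply describes, as an added example that is not part of the original thread: it pulls the CVE ids out of the vulners rows, records the CPE string the rows are listed under, and builds one Debian security tracker link per CVE. The sample text is a few lines copied from the scan in the question; the function names and the `expected_distro` parameter are assumptions made for this example.

```python
import re

# Constructed sample: a few lines copied from the scan output in the question.
SCAN = """\
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.6p1:
| EDB-ID:46516 5.8 https://vulners.com/exploitdb/EDB-ID:46516 *EXPLOIT*
| CVE-2019-6111 5.8 https://vulners.com/cve/CVE-2019-6111
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
| CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
|_ 1337DAY-ID-30937 0.0 https://vulners.com/zdt/1337DAY-ID-30937 *EXPLOIT*
"""

TRACKER = "https://security-tracker.debian.org/tracker/"  # one page per CVE id
ROW = re.compile(r"^\|_?\s+(\S+)\s+(\d+\.\d+)\s+https?://\S+")
BANNER = re.compile(r"^\d+/tcp\s+open\s+\S+\s+(.+)$")

def parse_scan(text):
    """Return (banner, cpe, {cve: score}, [non-CVE reference ids])."""
    banner, cpe, cves, other = None, None, {}, []
    for line in text.splitlines():
        if m := BANNER.match(line):
            banner = m.group(1)
        elif line.startswith("|") and "cpe:/" in line:
            cpe = line.lstrip("|_ ").rstrip(":")
        elif m := ROW.match(line):
            ident, score = m.group(1), float(m.group(2))
            if ident.startswith("CVE-"):
                # Keep the highest score if a CVE is listed more than once.
                cves[ident] = max(score, cves.get(ident, 0.0))
            else:
                other.append(ident)  # exploit-database style references
    return banner, cpe, cves, other

def triage(text, expected_distro="Debian"):
    """Build a reading list: one tracker page per CVE, highest score first."""
    banner, cpe, cves, other = parse_scan(text)
    ordered = sorted(cves.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "matched_on": cpe,
        "banner_names_expected_distro": expected_distro.lower() in (banner or "").lower(),
        "review": [(cve, score, TRACKER + cve) for cve, score in ordered],
        "exploit_refs": len(other),
    }

if __name__ == "__main__":
    for key, value in triage(SCAN).items():
        print(key, value)
```

A `False` value for `banner_names_expected_distro` means the version string the scanner saw does not name the distribution you expected, which is worth confirming before reading the CVE pages.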