NSX Network Detection and Response - How to investigate CVE vulnerabilities

Article ID: 323944


Products

VMware

Issue/Introduction

NSX ATP Standalone appliances are built on top of Ubuntu Server, so most CVEs reported against an appliance concern packages installed from Ubuntu. This article walks through checking whether the vulnerable package is installed on the appliance and, if it is, whether the installed version already carries the fix. We make sure the latest packages are installed when we QA our software for release.


Resolution

Before starting, run # sudo apt-get update to refresh the package lists from the repositories and then # sudo apt-get -y upgrade to install any available candidate (newer) package versions. (When prompted, enter the monitoring user's password to allow the commands to run.) This ensures the appliances have the latest available version of every package. Note that an upgraded kernel only takes effect after the appliance is rebooted; until then uname -r still reports the old kernel.


1. Checking Ubuntu release version:
      1. Printing the Ubuntu release version: 
        # lsb_release -a

        Distributor ID: Ubuntu
        Description:    Ubuntu 18.04.6 LTS
        Release:        18.04
        Codename:       bionic


2. To investigate a vulnerability, start by searching for the CVE ID in the official Ubuntu CVE tracker. Go to https://ubuntu.com/security/cves, enter the CVE ID and click Go to CVE:

Picture 1:

3. The result page shows a table like this:

Picture 2:
 

The table shows the CVE ID and a package column listing every package name that could be affected by the vulnerability, followed by one status column per Ubuntu release. For the appliances, the relevant column is 18.04 ESM (Bionic).

The possible values for the column 18.04 ESM are:

Does not exist: The package does not exist in that Ubuntu release (it is not shipped in its archive).
Not vulnerable: The package shipped in that Ubuntu release is not affected.
Ignored: Ubuntu chose not to address the vulnerability in that release, for example because the release reached its End of Life or the change is too intrusive.
Released: The package in that Ubuntu release was vulnerable and a fixed version has been published; the fixed version number is shown next to the status.
Needs triage: The Ubuntu Security Team still has to determine whether the package in that release is vulnerable.
Needed: The package is vulnerable and the fix has not been released yet.
- : The Ubuntu release is not affected.

Treat any other status, for example Pending (a fix is prepared but not yet published), as not fixed yet and check the CVE page for details.


Once the Ubuntu release version is confirmed, look at the value under the column 18.04 ESM in Picture 2. If it says Released, confirm whether a package with exactly that name is installed on the appliances.

Picture 3:

4. Checking packages:

      1. To validate if a single package is installed: 
        # dpkg -l | grep <package-name> 

      1.1 To validate multiple packages: 
        # dpkg -l | grep -e <package-name1> -e <package-name2> -e <package-name3>

Because grep matches anywhere in the dpkg -l line, including the package description, read the output carefully: a package counts as installed only when the first column is ii and the second column is exactly the package name from the tracker. Lines starting with rc are packages that were removed with only their configuration files left behind.

If the output of the command is empty, the package is not installed on the appliance.
If the output is not empty, compare the installed version (the third column of dpkg -l) with the fixed version. To see the fixed version, click the CVE ID hyperlink to open the details page:

Picture 4:

Scroll down to the Status section, find the row for the package name and the Ubuntu release, and read the Status column, which for Released shows the fixed version number. Compare it with the installed version: the appliance is patched when the installed version is the same as or newer than the fixed version. Versions follow dpkg ordering, not plain string comparison, so 1.1.1-1ubuntu2.1~18.04.9 is older than 1.1.1-1ubuntu2.1~18.04.23; when in doubt, run # dpkg --compare-versions <installed> ge <fixed> on the appliance.

Picture 5:

Reference: CVE-2022-0185
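The comparison in the previous step (is the installed version the same as or newer than the fixed version?) has to follow dpkg's ordering rules, which is why 1.1.1-1ubuntu2.1~18.04.20 sorts before 1.1.1-1ubuntu2.1~18.04.23 and 1.0~rc1 sorts before 1.0. On an appliance, dpkg --compare-versions gives the authoritative answer. The script below is an added example and is not part of this article or of the NSX product: it reimplements the dpkg ordering in Python so the check can be run offline on dpkg-query output collected from several appliances, and it also looks up the version of the kernel image that is actually running. The dpkg-query output and the fixed versions embedded in it are constructed for illustration; they are not real tracker data.

```python
"""Offline check of installed Ubuntu package versions against the fixed
versions published in the Ubuntu CVE tracker (added example, not VMware code).
"""
import re


def _order(c):
    # dpkg's weight for characters in the non-digit runs of a version:
    # '~' sorts before everything (even end of string), letters next,
    # every other character after letters.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    # End of string has weight 0, so "" < "a" but "" > "~rc1".
    for i in range(max(len(a), len(b))):
        ca = _order(a[i]) if i < len(a) else 0
        cb = _order(b[i]) if i < len(b) else 0
        if ca != cb:
            return -1 if ca < cb else 1
    return 0


def _cmp_fragment(a, b):
    # Compare an upstream or revision part as dpkg does: alternate non-digit
    # runs (lexical, weighted by _order) and digit runs (numeric).
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        na = re.match(r"\D*", a[ia:]).group(0)
        nb = re.match(r"\D*", b[ib:]).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        ia += len(na)
        ib += len(nb)
        da = re.match(r"\d*", a[ia:]).group(0)
        db = re.match(r"\d*", b[ib:]).group(0)
        ia += len(da)
        ib += len(db)
        va = int(da) if da else 0
        vb = int(db) if db else 0
        if va != vb:
            return -1 if va < vb else 1
    return 0


def _split(v):
    # [epoch:]upstream[-revision]; the revision is everything after the
    # last hyphen, a missing epoch is 0.
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_query(text):
    """Parse the tab-separated output of
    dpkg-query -W -f='${Package}\\t${Version}\\t${Status}\\n'."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, version, status = line.split("\t")
            pkgs[name] = (version, status)
    return pkgs


def assess(dpkg_text, fixed_versions):
    """Map each tracker package to 'not installed', 'patched' or 'VULNERABLE'."""
    installed = parse_dpkg_query(dpkg_text)
    verdicts = {}
    for name, fixed in fixed_versions.items():
        entry = installed.get(name)
        # A removed package whose config files remain ('rc' in dpkg -l,
        # status 'deinstall ok config-files') still appears in dpkg output
        # but nothing of it runs, so it counts as not installed.
        if entry is None or entry[1].split()[-1] != "installed":
            verdicts[name] = "not installed"
        elif compare_versions(entry[0], fixed) >= 0:
            verdicts[name] = "patched"
        else:
            verdicts[name] = "VULNERABLE"
    return verdicts


def running_kernel_version(dpkg_text, uname_r):
    """Version of the kernel image package that is actually running, i.e.
    linux-image-<uname -r>, or None if dpkg does not know it. After an
    upgrade the fixed kernel is installed but the old one keeps running
    until reboot, so compare this version, not the newest installed image."""
    entry = parse_dpkg_query(dpkg_text).get("linux-image-" + uname_r)
    return entry[0] if entry else None


# Constructed sample dpkg-query output (hypothetical versions, not real data).
SAMPLE_DPKG_QUERY = """\
openssl\t1.1.1-1ubuntu2.1~18.04.23\tinstall ok installed
libssl1.1\t1.1.1-1ubuntu2.1~18.04.20\tinstall ok installed
linux-image-5.4.0-146-generic\t5.4.0-146.163~18.04.1\tinstall ok installed
linux-image-5.4.0-150-generic\t5.4.0-150.167~18.04.1\tinstall ok installed
vim-tiny\t2:8.0.1453-1ubuntu1.11\tdeinstall ok config-files
"""

# Constructed "Released" versions as they would be copied from the tracker.
FIXED = {
    "openssl": "1.1.1-1ubuntu2.1~18.04.23",
    "libssl1.1": "1.1.1-1ubuntu2.1~18.04.23",
    "vim-tiny": "2:8.0.1453-1ubuntu1.11",
    "libxml2": "2.9.4+dfsg1-6.1ubuntu1.9",
}

if __name__ == "__main__":
    for pkg, verdict in assess(SAMPLE_DPKG_QUERY, FIXED).items():
        print(f"{pkg}: {verdict}")
    print("running kernel:", running_kernel_version(SAMPLE_DPKG_QUERY, "5.4.0-146-generic"))
```

To use it on real appliances, collect dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' and uname -r from each one, paste the fixed versions from the Released cells of the CVE page into FIXED, and treat a running kernel image older than the fixed kernel version as vulnerable until the appliance is rebooted.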


In some cases a vulnerability only affects a driver on specific kernel versions.

For example, CVE-2019-12881 affects systems with Intel GPUs that use the i915 graphics driver in Linux kernel 4.15.0 on Ubuntu 18.04.2.

To investigate such cases, run the following additional commands.
      1. Check the installed kernel version: 
        # uname -a
        Linux 5.4.0-146-generic


      2. Check the Ubuntu release version:
        # lsb_release -a
        Description:    Ubuntu 18.04.6 LTS
        Release:        18.04
        Codename:       bionic 


      3. Check the drivers in use, in this case the GPU driver:
        # lspci -k | grep -EA3 'VGA|3D|Display'
        VGA compatible controller: VMware SVGA II Adapter


From those steps we can conclude that the appliance is not vulnerable, since any one of the following is enough to rule the CVE out:
a. The vulnerable kernel version is 4.15.0 and we use 5.4.0-146.
b. The vulnerable Ubuntu version is Bionic 18.04.2 and we use Bionic 18.04.6.
c. The appliance used for the example is not using Intel graphics drivers.


Reference: CVE-2019-12881
 

Notes: 

  • With every new release, we update packages as needed.
  • Starting with 9.6, we have a pipeline to QA and push critical patches out as needed.
  • If you are running an old version, update to the latest release and scan for vulnerabilities again.
  • As stated in the article VMware NSX Network Detection and Response - FAQ: Ubuntu Bionic 18.04.6 LTS End of Standard Support and Focal upgrade timeline (91429), the appliances will continue to receive security updates; to access the Ubuntu Expanded Security Maintenance (ESM) repositories and download new security updates, the appliances must run 9.7.3 (see the Release Notes).
  • If you are not sure whether something you found applies to the appliances, feel free to open a Support Request.