Thursday, April 15, 2004

Using Portaudit to Improve FreeBSD Security

I've started using the security/portaudit port to check the security status of FreeBSD's applications, so I thought I'd document my findings. Portaudit uses the Vulnerability and eXposure Markup Language, "an XML application for documenting security issues in a software package collection" like the FreeBSD ports system. You can browse the FreeBSD or OpenBSD VuXML pages to see vulnerabilities recorded since the VuXML project began in late 2003.

Using the VuXML database is as simple as installing the Portaudit port. Be sure to have an up-to-date ports tree (perhaps by using net/cvsup as documented here). Install Portaudit, and then run it as shown to check installed packages for problems. The -F flag tells Portaudit to fetch a new copy of the vulnerability database, while -a says check all installed ports/packages.

moog:/root# portaudit -F -a
>> Attempting to fetch from ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/.
new database installed.
Affected package: racoon-20040116a
Type of problem: racoon remote denial of service vulnerability (ISAKMP header length field).
Reference: ccd698df-8e20-11d8-90d1-0020ed76ef5a.html

Affected package: racoon-20040116a
Type of problem: racoon remote denial of service vulnerability (IKE Generic Payload Header).
Reference: 40fcf20f-8891-11d8-90d1-0020ed76ef5a.html

Affected package: racoon-20040116a
Type of problem: racoon fails to verify signature during Phase 1.
Reference: d8769838-8814-11d8-90d1-0020ed76ef5a.html

Affected package: racoon-20040116a
Type of problem: tcpdump ISAKMP payload handling remote denial-of-service.
Reference: f8551668-de09-4d7b-9720-f1360929df07.html

4 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

At this point, since Portaudit found problems in security/racoon, we should upgrade that port immediately.

If Portaudit reports a clean bill of health, it looks like this:

moog:/root# portaudit -F -a
>> Attempting to fetch from ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/.
Receiving auditfile.tbz (4040 bytes): 100%
4040 bytes transferred in 0.2 seconds (19.51 kBps)
new database installed.
0 problem(s) in your installed packages found.

Portaudit works with sysutils/pkg_install-devel to warn system administrators when they try to install vulnerable software. In the following example, I try to install Ethereal using an out-of-date ports tree. The Ethereal port wants to install version 0.10.0a, which has multiple known vulnerabilities.

janney:/usr/ports/net/ethereal# make
===> ethereal-0.10.0a_2 has known vulnerabilities:
>> multiple vulnerabilities in ethereal.
Reference: cdf18ed9-7f4a-11d8-9645-0020ed76ef5a.html
>> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/net/ethereal.

Portaudit can be used to check the status of a port before it is installed. Here we check for vulnerabilities in the Racoon port. By passing Portaudit the -C flag, we tell it to compare that specific port with the VuXML database.

janney:/usr/ports/security/racoon# portaudit -C

Port racoon-20040116a (security/racoon) should be marked FORBIDDEN:
- http://people.freebsd.org/~eik/portaudit/ccd698df-8e20-11d8-90d1-0020ed76ef5a.html
- http://people.freebsd.org/~eik/portaudit/40fcf20f-8891-11d8-90d1-0020ed76ef5a.html
- http://people.freebsd.org/~eik/portaudit/d8769838-8814-11d8-90d1-0020ed76ef5a.html
- http://people.freebsd.org/~eik/portaudit/f8551668-de09-4d7b-9720-f1360929df07.html

If we ran 'portaudit -A' in the /usr/ports directory, Portaudit would check for vulnerabilities in the entire ports tree.
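As an added example (not from the original post or from the portaudit project itself), here is a small sh function for a nightly cron job: it reads a `portaudit -a` report on stdin, lists each affected package once with the number of problems recorded against it, and returns non-zero when anything is affected, so the caller can mail the result. The sample report is constructed from the output format shown above.

```shell
#!/bin/sh
# Added example, not portaudit's own code: summarise "portaudit -a" output.
# Reads the report on stdin, prints "package<TAB>problem-count" per affected
# package, and returns 1 when any package is affected (0 when clean).
#
# Real use from cron (assumed invocation, adjust to taste):
#   report=$(portaudit -F -a 2>&1 | portaudit_affected) \
#     || printf '%s\n' "$report" | mail -s "portaudit: vulnerable packages" root
portaudit_affected() {
    awk '
        /^Affected package: / {
            pkg = $3                       # e.g. racoon-20040116a
            if (!(pkg in count)) order[++n] = pkg
            count[pkg]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s\t%d\n", order[i], count[order[i]]
            if (n > 0) exit 1              # non-zero: vulnerable packages present
        }'
}

# Constructed sample in the format portaudit printed above (references are the
# VuXML entry file names from the post, not full URLs).
SAMPLE='>> Attempting to fetch from ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/.
new database installed.
Affected package: racoon-20040116a
Type of problem: racoon remote denial of service vulnerability (ISAKMP header length field).
Reference: ccd698df-8e20-11d8-90d1-0020ed76ef5a.html

Affected package: racoon-20040116a
Type of problem: racoon fails to verify signature during Phase 1.
Reference: d8769838-8814-11d8-90d1-0020ed76ef5a.html

2 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.'

# Constructed clean report, as printed when nothing is affected.
CLEAN='new database installed.
0 problem(s) in your installed packages found.'

# Demo on the constructed sample; replace with the real pipeline in the comment above.
printf '%s\n' "$SAMPLE" | portaudit_affected || echo "exit $?: update or deinstall the packages listed"
```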

Update: Jacques Vidrine posted a summary of VuXML to freebsd-security on 19 Apr 04.