Today I came across a paragraph on how to identify vulnerabilities, and debsecan was mentioned. I downloaded and executed debsecan, and as a result I received a very long and shocking report.
EDIT:
- I did run debsecan --suite=stretch
- I am running Debian stretch 9.9 with kernel 4.9.0-9-amd64
- My sources.list contains:

    deb http://ftp.stw-bonn.de/debian/ stretch main
    deb-src http://ftp.stw-bonn.de/debian/ stretch main
    deb http://security.debian.org/debian-security stretch/updates main
    deb-src http://security.debian.org/debian-security stretch/updates main
    # stretch-updates, previously known as 'volatile'
    deb http://ftp.stw-bonn.de/debian/ stretch-updates main
    deb-src http://ftp.stw-bonn.de/debian/ stretch-updates main
    # Backports
    ### To install a package from Backports: apt-get -t stretch-backports install "package"
    deb http://deb.debian.org/debian stretch-backports main
First I thought using apt update && apt -y upgrade would be enough to be up to date. But this does not seem to be the case when I see that, according to debsecan, I have so many tools with known exploits, especially those on high urgency. Just to mention a few: busybox, unrar, multiarch-support, bsdutils, mount, login, util-linux...
Then I checked CVE-2016-2779 in util-linux (high urgency), for example.
According to security-tracker.debian.org there is a fix in version 2.33.1-0.1 (buster, sid).
So I hoped I could upgrade that package somehow.
Do you have any advice on how I can achieve that? I tried apt-get -t stretch-backports install util-linux but that didn't help.
As I have read, I could upgrade to debian-testing as one option. Are there any other options?
Like my name already suggests, I am new to Linux. This all is new to me. Until yesterday I thought I would always be up to date with my machines, and now I see I am not.
I have edited my question because people pointed out to me not to use debsecan on an Ubuntu installation, because debsecan is not intended to be used inside Ubuntu, although you can download it with apt from the Ubuntu repositories. No clue why you can download a tool that in the end is not meant to be used inside your distribution, but okay.
2 Answers
debsecan uses a series of databases which record vulnerabilities and the availability of fixes; but those databases are only available for Debian suites. If you run it on a Ubuntu system, the results at minimum won’t account for security issues fixed in Ubuntu-specific releases, e.g. QEMU which receives security releases for Ubuntu which are separate from the Debian releases.

In Debian, you would configure debsecan with the --suite option or its package configuration (which you’d see by installing it with sudo apt install debsecan, even in Ubuntu) to track whatever release you’re using; but the required information isn’t available for Ubuntu releases, so debsecan can’t be used in the same way for Ubuntu.

If you look at all the CVEs listed in your report, I think you’ll find that the majority of them (and all the serious ones) are fixed in your release of Ubuntu, but that debsecan doesn’t know about those fixes. You’re using a supported release of Ubuntu; apt update && apt upgrade should be enough to keep you up-to-date (you’re always at risk from undiscovered vulnerabilities, and during the — hopefully short — window between discovery and the availability of fixes, and from mis-configuration; but that’s the case with any distribution).
-
Thank you for your reply. I have just rewritten my question to fit the requirements. I installed debsecan on my Debian machine and have also received a long list ;( – new2linux, Apr 29, 2019 at 13:19
If you want to use debsecan in Ubuntu you have an unofficial set of vulnerability databases (built using data from the Ubuntu CVE Tracker).
These unofficial databases are hosted in this Github project and automatically updated every 6 hours.
As the README says, you only have to run this command in your Ubuntu installation:
$ debsecan --suite $(lsb_release --codename --short) --source https://raw.githubusercontent.com/BBVA/ust2dsa/data/
P.S. I am one of the authors of this project.
-
The GitHub project seems to be archived now and the data isn't updated anymore. – AlexD, Sep 8, 2022 at 4:50
debsecan? Looking at CVE-2017-6505 (in QEMU) for example suggests it should be fixed on your system if you’ve updated it, and I imagine many other entries in your report are also false positives.
./debscan. What parameter should I use instead? And is it necessary to reread every CVE entry to know what to do?
apt update && apt -y upgrade is not enough to be up to date.