6

I recently ran the first vulnerability scan in my office's network using OpenVAS. We received a great deal of false positives. Mostly I saw that (at least some) tests are unaware of internal patches in a system.

For example, we were alerted to these: CVE-2016-6515, CVE-2016-6210 on an Ubuntu 16.04 system. OpenVAS recognized the system as running OpenSSH 7.2p2, but these were updated in 7.2p2-4ubuntu2.1 and we are using something later still. I can see it was patched in the changelog.

We intend to scan again in the future, and not only with OpenVAS. Is there a way to avoid them without increasing the odds of false negatives? Will using an authenticated scan be better? Is there a way to handle the sources for the tests to such an end?

Uberhumus
    Authenticated scans will almost always give you a more accurate idea as to the vulnerabilities that lie on a system. Do those moving forward, and as you suggested, run multiple scanners as you'll often notice different results depending on which scanner you use. – DKNUCKLES Oct 24 '17 at 17:24
    False positives are always going to happen so long as the scanner doesn't try and exploit every vulnerability. This is why bug bounty programs don't allow vulnerability scans without a PoC. – Allison Oct 24 '17 at 17:26

2 Answers

4

The NVTs doing a check for both CVEs remotely are not showing a vulnerability against a Linux system by default. If they are showing up, I can think of two possibilities:

  1. You have configured your filters to show results of NVTs with a low "Quality of Detection (QoD)". See [1] for a description of the QoD and [2] for the "default" value of 70 in your filter which you might have set to a lower value.

  2. For some reason, the system was detected as Windows and thus a higher QoD is assumed.

I guess case 1 would be the first thing to check, as the "great deal of false positives" could be a good indicator for this.

While 2 is very unlikely, you could still check the "Log" output of the NVT called "OS Detection Consolidation and Reporting" (OID 1.3.6.1.4.1.25623.1.0.105937) to see what OS was detected on that host.

Disclaimer: Answer of an NVT Developer @ Greenbone

cfischer
    I found the solution in the GSM-Manual you linked to. Specifically in http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#automatic-false-positives. All I needed to do was check the box for "Trust vendor security updates". Thanks! – Uberhumus Feb 12 '18 at 14:20
2

Because they can detect the exact installed software versions on a given system, authenticated vulnerability scans are by definition better than unauthenticated scans.

Also, with the help of authenticated scans it is possible to detect configuration weaknesses which otherwise would have gone unnoticed.

I only recommend running unauthenticated scans if you want a representative test of what an adversary would be able to detect if they scanned your system (in a black-box scenario). The other reason would be when you have a very large network and a time constraint that does not allow you to do full authenticated scans.

user258572
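As an added illustration of the point made in both answers (this is example code written for this page, not OpenVAS or Greenbone code), the script below contrasts the two ways a scanner can decide whether the question's host is affected. The banner-based check only sees the upstream version "7.2p2" in the SSH banner and compares it with the upstream release that fixed CVE-2016-6515 and CVE-2016-6210 (OpenSSH 7.3), so it cannot know about Ubuntu's backported fix. The package-based check, which is what an authenticated scan can do, compares the installed Debian/Ubuntu package version with the fixing package version from the question (7.2p2-4ubuntu2.1) using a reimplementation of the dpkg version-ordering rules. The sample banner and the "later still" installed version 4ubuntu2.2 are constructed for the example, and the epoch prefix "1:" is assumed here because that is what the Ubuntu openssh packages carry.

```python
import re

# Constructed sample data for this example (not taken from the question's scan output).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2"   # what an unauthenticated probe sees
SAMPLE_INSTALLED_PKG = "1:7.2p2-4ubuntu2.2"                  # assumed "later still" package version
FIXED_PKG = "1:7.2p2-4ubuntu2.1"       # fixing Ubuntu package version named in the question (epoch assumed)
FIXED_UPSTREAM = "7.3"                 # upstream OpenSSH release that fixed both CVEs


def _order(c):
    """dpkg character ordering: '~' sorts before anything (even end of string),
    letters sort before non-letters; end of string is treated as 0 by the caller."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two non-digit fragments with the dpkg ordering."""
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_part(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (modified lexical order)
    and digit runs (numeric order) until both strings are exhausted."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        ja, jb = ia, ib
        while ja < len(a) and not a[ja].isdigit():
            ja += 1
        while jb < len(b) and not b[jb].isdigit():
            jb += 1
        r = _cmp_fragment(a[ia:ja], b[ib:jb])
        if r:
            return r
        ia, ib = ja, jb
        while ja < len(a) and a[ja].isdigit():
            ja += 1
        while jb < len(b) and b[jb].isdigit():
            jb += 1
        na = int(a[ia:ja] or "0")
        nb = int(b[ib:jb] or "0")
        if na != nb:
            return -1 if na < nb else 1
        ia, ib = ja, jb
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 with the semantics of `dpkg --compare-versions`.
    A version is [epoch:]upstream[-revision]; the revision starts at the last '-'."""
    def split(v):
        epoch = 0
        if ":" in v:
            e, v = v.split(":", 1)
            epoch = int(e)
        if "-" in v:
            upstream, _, revision = v.rpartition("-")
        else:
            upstream, revision = v, ""
        return epoch, upstream, revision

    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def banner_check(banner, fixed_upstream=FIXED_UPSTREAM):
    """Unauthenticated-style check: pull the upstream version out of the SSH
    banner and compare it with the upstream fix release. Returns None when no
    OpenSSH version is present. Blind to distribution backports."""
    m = re.search(r"OpenSSH_([0-9][0-9A-Za-z.]*)", banner)
    if not m:
        return None
    return compare_versions(m.group(1), fixed_upstream) < 0


def package_check(installed_pkg, fixed_pkg=FIXED_PKG):
    """Authenticated-style check: compare the installed package version (as
    `dpkg-query -W -f='${Version}' openssh-server` reports it on the host)
    with the distribution package version that carries the backported fix."""
    return compare_versions(installed_pkg, fixed_pkg) < 0


def demo():
    """Run both checks against the constructed sample host."""
    return {
        "banner_flags_vulnerable": banner_check(SAMPLE_BANNER),          # True: the false positive
        "package_flags_vulnerable": package_check(SAMPLE_INSTALLED_PKG),  # False: backport present
        "unpatched_package_flagged": package_check("1:7.2p2-4"),          # True: a genuine finding
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The version comparator is the part that matters: a naive string or float comparison of "4ubuntu2.2" against "4ubuntu2.1" gets this case wrong, and the "~" rule is what keeps pre-release packages (for example "7.2p2~rc1") ordered below the final release, so an authenticated check that reuses the distribution's own ordering reaches the same verdict the vendor's changelog does.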