
new to kace - OVAL scan questions

I queued up an OVAL scan on my PC and found a bunch of vulnerabilities. I was kind of shocked by the ones that it found because a lot of them relate back to Microsoft patches that should have been applied.

I've been searching through the vulnerabilities, and if I check the items they have a portion of what KACE is checking to determine if the PC in question has the vulnerability. Example below:





Title:
DataGrid Control Memory Corruption Vulnerability

OVAL-ID:
oval:org.mitre.oval:def:5894 ( ACCEPTED )

Class:
vulnerability

Ref-ID:
CVE-2008-4252

Description:
The DataGrid ActiveX control in Microsoft Visual Basic 6.0 and Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2 does not properly handle errors during access to incorrectly initialized objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to corruption of the "system state," aka "DataGrid Control Memory Corruption Vulnerability."




Definition:

  • Microsoft Visual Basic 6.0 is installed
  • AND Mscomct2.ocx version is less than 6.1.98.12

The item above under definition states that "Mscomct2.ocx version is less than 6.1.98.12". I don't have VB installed and Mscomct2.ocx does not exist on my PC. If both of these cases are not relevant, why should KACE report the vulnerability?

How does KACE determine if a vulnerability exists?


Answers (4)

Posted by: ktm_2000 13 years ago
Senior Yellow Belt
1
I understand the criteria of how OVAL is evaluating; it appears to be using boolean logic. I'm asking how KACE is interpreting these results.

From the OVAL description it should be evaluating the following items:
Definition:
Microsoft Visual Basic 6.0 is installed
AND Mscomct2.ocx version is less than 6.1.98.12

my evaluation of the criteria by checking the PC
Microsoft Visual Basic 6.0 is installed = Not sure what it is looking for, guessing similar to earlier posting that components are there = True
AND Mscomct2.ocx version is less than 6.1.98.12 = FALSE
Combined statement = FALSE

So if I evaluate those items from a boolean perspective, I get a False answer, and with that the vulnerability should not be applicable.

I am asking how KACE is evaluating these statements, because it is returning a True.
Posted by: cblake 13 years ago
Red Belt
0
VB is often part of other programs and most likely exists in some way (E.G. Installing MS Office, Autodesk products, etc. almost always adds this functionality). That might be the case here; it's present even if it isn't explicitly being installed by you. VBscripting support is also part of most operating systems as well, so some portions of the VB environment are always present.

My general recommendation is to take the OVAL results with a grain of salt, so to speak. Meaning that if you find things on the list that don't really concern you or don't cause issues they can possibly be ignored -- or remediated with a patch, managed install of newer software, or a script. I try to read the report on some regular basis and determine what's important or potentially harmful to the organization. You will almost always see known exceptions and other items, the exercise here is mostly to determine what makes sense to your company to address. The definitions are defined by MITRE (http://oval.mitre.org), so they'd have to explain the behavior in more detail I think.
Posted by: GillySpy 13 years ago
7th Degree Black Belt
0
How does KACE determine if a vulnerability exists?
We're running the oval scan engine which is using this criteria here:
http://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/5894/DataGrid-Control-Memory-Corruption-Vulnerability.html
Posted by: GillySpy 13 years ago
7th Degree Black Belt
0
The scan engine outputs an XML file. Are you saying:
  1. that the results in the XML file are what you expect but the results in the GUI are not? If so then please open a support ticket.
  2. Or are you saying that you believe those to be false and want to know the details?
If it's the latter then please use the link above to find out what is exactly being evaluated. Using the link above I got here: http://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/1746/Microsoft-Visual-Basic-6.0-is-installed.html and can see the dll it was checking for.

BTW, the XML can be viewed by running this manually:

ovaldi.exe -m -o windows.definitions.xml


A few XML files are spit out.
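
Added example, not part of the original thread and not KACE or ovaldi code: a short Python walk over an OVAL results file that lists the result recorded for each criterion of one definition, so you can see which test drove the definition to true or false. The element and attribute names assume the OVAL 5 results schema; the sample XML, its result values and the test id `oval:example:tst:1` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an OVAL 5 results file. The tst id is a
# placeholder and the result values are invented for illustration.
SAMPLE = """<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results><system><definitions>
    <definition definition_id="oval:org.mitre.oval:def:5894" version="1" result="false">
      <criteria operator="AND" result="false">
        <extend_definition definition_ref="oval:org.mitre.oval:def:1746" version="1" result="true"/>
        <criterion test_ref="oval:example:tst:1" version="1" result="false"/>
      </criteria>
    </definition>
  </definitions></system></results>
</oval_results>"""

def local(tag):
    """Drop the XML namespace so the walk works whatever prefix is used."""
    return tag.rsplit("}", 1)[-1]

def walk(node, depth=0):
    """Yield (depth, kind, reference, result) for each criteria node."""
    for child in node:
        kind = local(child.tag)
        if kind == "criteria":
            # A criteria group: report its operator (AND is the schema default).
            yield depth, kind, child.get("operator", "AND"), child.get("result")
            yield from walk(child, depth + 1)
        elif kind == "criterion":
            yield depth, kind, child.get("test_ref"), child.get("result")
        elif kind == "extend_definition":
            yield depth, kind, child.get("definition_ref"), child.get("result")

def explain(xml_text, definition_id):
    """Return the definition's overall result and its criteria breakdown."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local(el.tag) == "definition" and el.get("definition_id") == definition_id:
            return el.get("result"), list(walk(el))
    raise KeyError(definition_id)

if __name__ == "__main__":
    overall, rows = explain(SAMPLE, "oval:org.mitre.oval:def:5894")
    print("definition result:", overall)
    for depth, kind, ref, result in rows:
        print("  " * depth + f"{kind} {ref}: {result}")
```

To use it on a real scan, read the results file the scan engine wrote and pass its text to `explain` in place of `SAMPLE`.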