[Openvas-discuss] Plugins / odd vulnerabilities...

Matthew Coene
Fri Mar 18 16:39:02 CET 2011

Another thing I noticed...

Running scans against a known set of systems with documented configs...
e.g. all systems in this case have IE8 installed...

Since putting together my OpenVAS4 server I now see reports coming through
with apparently inflated vuln counts and am seeing some reports of
apparently failing checks that only apply to IE7 and lower...



Also there are other plugin checks for which I can confirm the patches
listed in the References / Solutions section are applied...

Even worse is that these control groups are inconsistent... one fails,
others pass...  with the same config....

Another example...

Looking at the NASL code for secpod-ms09-019 I see the check for Server

else if(hotfix_check_sp(win2003:3) > 0)
  SP = get_kb_item("SMB/Win2003/ServicePack");
  if("Service Pack 2" >< SP)
    # Check for mshtml.dll version 6.0 < 6.0.3790.4504 or 7.0 <
    # or 8.0 < 8.0.6001.18783
    if(version_in_range(version:vers, test_version:"6.0",
                        test_version2:"6.0.3790.4503") ||
      version_in_range(version:vers, test_version:"7.0",
                        test_version2:"7.0.6000.16849") ||
      version_in_range(version:vers, test_version:"8.0",

## Get System Path
sysPath = registry_get_sz(key:"SOFTWARE\Microsoft\Windows NT
dllVer = get_file_version(sysPath, file_name:"System32\mshtml.dll");

One of my Srv2003 systems that isn't reporting this detected vulnerability
has the file mshtml.dll in \windows\system32\ @ version 8.0.6001.19019.

On another system the file 'mshtml.dll' in \windows\system32\ is @ version
8.0.6001.23111 via some manual patching (not relying on WSUS or similar).
This system is reporting as vulnerable.

I've double checked that the plugins can access the guest filesystems /
registries via SMB and WMI.

Otherwise these systems have identical patch loads as they are managed by
WSUS, that is, up until, out of desperation, I started hunting patches
manually on the one reporting the vuln to see if I could stabilize and
normalize the scan results...

Could this perhaps be a case of cached results or similar...

I am really hoping to get the scan results stabilized and consistent...


Matthew Coene
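
Added example, not part of the original message and not OpenVAS code: a Python replay of the Win2003 SP2 version ranges quoted above, run against the two mshtml.dll versions reported in the post. It assumes version_in_range() is inclusive and compares dotted components numerically; the 8.0 upper bound is cut off in the post and is derived here from the quoted comment, and the names parse, compare, in_range, RANGES and flagged_by are hypothetical.

```python
# Added example: replays the version ranges quoted from secpod-ms09-019
# against the mshtml.dll versions reported in the post.
from itertools import zip_longest

def parse(version):
    """Split a dotted file version into a tuple of integers."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)

def compare(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0 (assumption)."""
    for x, y in zip_longest(parse(a), parse(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def in_range(version, low, high):
    """Inclusive range test, assumed to mirror version_in_range()."""
    return compare(version, low) >= 0 and compare(version, high) <= 0

# Ranges for the Win2003 SP2 branch. The first two upper bounds are quoted
# in the post; the third is cut off there and is derived from its comment
# ("8.0 < 8.0.6001.18783"), following the 6.0 pattern (4504 -> 4503).
RANGES = [
    ("6.0", "6.0.3790.4503"),
    ("7.0", "7.0.6000.16849"),
    ("8.0", "8.0.6001.18782"),  # derived, not quoted
]

def flagged_by(version):
    """Return the (low, high) range that flags this version, or None."""
    for low, high in RANGES:
        if in_range(version, low, high):
            return (low, high)
    return None

if __name__ == "__main__":
    # Two file versions from the post, plus one constructed pre-patch value.
    for v in ("8.0.6001.19019", "8.0.6001.23111", "8.0.6001.18702"):
        hit = flagged_by(v)
        print(f"{v:16} -> {'flagged by ' + '..'.join(hit) if hit else 'not flagged'}")
```

Under these assumptions neither reported file version falls inside a quoted range, so for a host that is still reported as vulnerable the value the scanner actually read for the file version is the next thing to compare.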

