Hi Jeremy,

As I said in my initial report, if I delete the leftover registry entries, the problem disappears. The false positive still remains.
Also, I am not the administrator for these machines and do not necessarily have the right to delete them. When I am operating as an auditor, this problem makes OpenVAS an unreliable tool. We used to trim out a list of OpenVAS plugins that generated false positives, but we have changed our policy and are pursuing actual bug fixes so that OpenVAS improves so as to become 100% competitive with Nessus, Rapid-7, Qualys, and other vulnerability scanners.

Karl

On Thu, Mar 1, 2018 at 3:24 PM <openvas-plugins-requ...@wald.intevation.org> wrote:

> Today's Topics:
>
> 1. [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong
>    Mozilla Firefox version (Karl Fox)
> 2. Re: [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets
>    wrong Mozilla Firefox version [PUBLIC] (CAMPBELL Jeremy)
>
> ---------- Forwarded message ----------
> From: Karl Fox <k...@lithik.com>
> To: openvas-plugins@wald.intevation.org
> Date: Thu, 01 Mar 2018 18:50:22 +0000
> Subject: [Openvas-plugins] [openvas-Bugs][6942] gb_firefox_detect_win.nasl
> gets wrong Mozilla Firefox version
>
> Thank you for your response.
>
> Yes, I understand that this issue is triggered because Firefox sloppily
> leaves behind a registry entry when it uninstalls or upgrades, but Nessus,
> for example, doesn't get tripped up by that, and there are thousands of
> machines out there that will have these extraneous entries until the end of
> time.
> Would it be possible to modify gb_firefox_detect_win.nasl to not make
> this incorrect assumption? Perhaps check the uninstall hive to see if the
> software is still actually installed?
>
> Thanks,
>
> Karl
>
> ---------- Forwarded message ---------
> From: <nore...@wald.intevation.org>
> Date: Thu, Mar 1, 2018 at 1:32 PM
> Subject: [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong
> Mozilla Firefox version
> To: <nore...@wald.intevation.org>
>
> Bugs item #6942, was changed at 2018-01-25 20:17 by Christian Fischer
> You can respond by visiting:
> https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29
>
> >Status: Closed
> Priority: 3
> Submitted By: Lithik Systems (lithik)
> Assigned to: Nobody (None)
> Summary: gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
> Architecture: 64 bits
> Product: OpenVAS
> Operating System: Linux
> Component: openvas-plugins
> Version: None
> Severity: normal
> >Resolution: Won't Fix
> Hardware: PC
> URL:
>
> Initial Comment:
> We have seen many 64-bit machines where OpenVAS throws up to dozens of
> Mozilla Firefox (not ESR) vulnerabilities even though Firefox is in fact up
> to date. We have tracked this down to what appears to be an incompletely
> uninstalled 32-bit version of Firefox where the current 64-bit Firefox is
> installed and running.
>
> The following registry values remain:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org (folder)
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla (folder)
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla\CurrentVersion (REG_SZ)
>
> OpenVAS reports the value of CurrentVersion as being too old. No other
> fields exist under the Wow6432Node\mozilla.org folder.
>
> The following filesystem items remain:
>
> C:\Program Files (x86)\Mozilla Firefox
> C:\Program Files (x86)\Mozilla Firefox\browser
> C:\Program Files (x86)\Mozilla Firefox\browser\defaults
> C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences
> C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\disable-autoupdate.js
>
> No other files or folders exist under C:\Program Files (x86)\Mozilla Firefox
>
> The folder C:\Program Files\Mozilla Firefox exists and contains a complete
> and current Firefox installation.
>
> The registry value
> HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\Mozilla\CurrentVersion
> exists and contains the version number of the current Firefox installation.
>
> If I remove the old registry entry, OpenVAS does not report false
> positives. But I continue to run into hundreds of machines with this
> problem. Perhaps gb_firefox_detect_win.nasl can be made to avoid this false
> positive.
>
> In the specific case I am using for this report, the uninstalled version
> is 44.0.2 and the currently installed version is 56.0.2.
>
> ----------------------------------------------------------------------
>
> >Comment By: Christian Fischer (cfi)
> Date: 2018-03-01 18:32
>
> Message:
> Hi,
>
> thanks for your report. Please note that this bugtracker is abandoned and
> issues related to NVTs are better placed at
> https://lists.wald.intevation.org/pipermail/openvas-plugins/
>
> Firefox itself is known to leave traces like this behind causing some
> possible false detections. See e.g.
> https://lists.wald.intevation.org/pipermail/openvas-discuss/2018-January/011748.html
> for some background.
>
> For now i'm closing this as the false detection will go away once the
> Firefox upgrade routines are correctly doing its job or the targets
> registry is cleaned up from such traces.
>
> Suggestions to improve the situation or even patches are still welcome at
> the mentioned openvas-plugins mailing list.
>
> ----------------------------------------------------------------------
>
> You can respond by visiting:
> https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29
>
> ---------- Forwarded message ----------
> From: CAMPBELL Jeremy <jcampb...@scorvelogica.com>
> To: "openvas-plugins@wald.intevation.org" <openvas-plugins@wald.intevation.org>
> Date: Thu, 1 Mar 2018 20:17:22 +0000
> Subject: Re: [Openvas-plugins] [openvas-Bugs][6942]
> gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version [PUBLIC]
>
> Karl,
>
> You can create a group policy object in your Windows environment to delete
> those keys. That makes the problem go away.
>
> Regards,
>
> Jeremy
>
> This message was classified *PUBLIC* by CAMPBELL Jeremy on Thursday,
> March 1, 2018 at 3:17:16 PM.
>
> *From:* Openvas-plugins [mailto:openvas-plugins-boun...@wald.intevation.org] *On Behalf Of* Karl Fox
> *Sent:* Thursday, March 1, 2018 1:50 PM
> *To:* openvas-plugins@wald.intevation.org
> *Subject:* [Openvas-plugins] [openvas-Bugs][6942]
> gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
>
> Thank you for your response.
>
> Yes, I understand that this issue is triggered because Firefox sloppily
> leaves behind a registry entry when it uninstalls or upgrades, but Nessus,
> for example, doesn't get tripped up by that, and there are thousands of
> machines out there that will have these extraneous entries until the end of
> time. Would it be possible to modify gb_firefox_detect_win.nasl to not make
> this incorrect assumption? Perhaps check the uninstall hive to see if the
> software is still actually installed?
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
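
The cross-check suggested in the thread (only trust a CurrentVersion value when the Uninstall hive in the same registry view confirms it), as an added example that is not part of the original messages and is not OpenVAS or NASL code. The registry snapshot is constructed from the values in the report; the Uninstall key name and its DisplayName/DisplayVersion values are assumptions about what the installer writes.

```python
# Constructed registry snapshot of the host in the report (not real scan output).
NATIVE = r"HKLM\SOFTWARE"
WOW64 = r"HKLM\SOFTWARE\Wow6432Node"
UNINSTALL = r"\Microsoft\Windows\CurrentVersion\Uninstall" + "\\"

REGISTRY = {
    WOW64 + r"\mozilla.org\Mozilla": {"CurrentVersion": "44.0.2"},
    NATIVE + r"\mozilla.org\Mozilla": {"CurrentVersion": "56.0.2"},
    # Assumed shape of the Uninstall entry written by the 64-bit installer.
    NATIVE + UNINSTALL + "Mozilla Firefox 56.0.2 (x64 en-US)": {
        "DisplayName": "Mozilla Firefox 56.0.2 (x64 en-US)",
        "DisplayVersion": "56.0.2",
    },
}


def current_versions(reg):
    """Naive detection: every CurrentVersion value, per registry view."""
    hits = []
    for view in (NATIVE, WOW64):
        value = reg.get(view + r"\mozilla.org\Mozilla", {}).get("CurrentVersion")
        if value:
            # Keep only the leading version token in case a suffix follows.
            hits.append((view, value.split()[0]))
    return hits


def uninstall_versions(reg, view):
    """DisplayVersion of each Firefox entry in that view's Uninstall hive."""
    prefix = (view + UNINSTALL).lower()
    return {
        values.get("DisplayVersion")
        for key, values in reg.items()
        if key.lower().startswith(prefix)
        and values.get("DisplayName", "").startswith("Mozilla Firefox")
    }


def classify(reg):
    """Split CurrentVersion hits into (confirmed installs, stale leftovers)."""
    confirmed, stale = [], []
    for view, version in current_versions(reg):
        if version in uninstall_versions(reg, view):
            confirmed.append(version)
        else:
            stale.append(version)
    return confirmed, stale
```

On the reported host this leaves 56.0.2 as the only confirmed install and flags 44.0.2 as a leftover, without requiring the auditor to delete anything on the target.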