My company hosts & operates a Drupal 6 instance that's used to host landing pages for a state government authority, and as such it's required to undergo periodic security scans.
One issue that keeps getting returned as a "High" vulnerability is headlined 'Possible vulnerable package Drupal has been found' -- we've had this in our vulnerability report the past several times. The particular scanner returning this value is N-Stalker. According to their website they scan for "packages" "including Drupal", but it's not clear that they actually scan for anything but the existence of Drupal. We've had this show up in the past several scans, and so far we've been able to say 'we're at the most current version and this doesn't give us anything specific to go on' -- but that may no longer be an acceptable answer to our client.
The report we get includes no details and is worded vaguely. I can't copy & paste because it's delivered in a secure PDF, but the vulnerability description says in part "N-Stalker will search for components or objects to ensure you are using the latest version of the referred package. In this case, your installation have failed to meet a required pattern for the most updated version."
As it happens this particular install is at 6.28 (most current available as I write) and all but two modules are on their most current available version. The two exceptions are not showing security vulnerabilities and are only one release back.
So I guess I have 4 questions:
Has anybody else been given these reports or used this service and seen this vulnerability reported?
Do you know what level of "package" they're looking at -- are they just looking at the Drupal minor-version #? Or are they actually trying to scan for the existence of specific modules? (And if so, how in the world would they do that?)
If there's a way to scan for the existence of specific modules, could it be blocked?
Do you have any suggestions for addressing this issue with the client?
Comments
Security Review
My initial suggestion would be to install the Security Review module, run it and see what that comes back with. It might do a better job at finding whether you have any vulnerabilities in your system and where they are. You can download that here: http://drupal.org/project/security_review
Have you tried using other scanners on your system? It's possible that N-Stalker is giving you a false positive, but does it give you any information other than reporting a vulnerability? Does it say what the vulnerability is? Can it show you how to reproduce it? If all it goes by is revision numbers in a banner, I'd be a little wary of that report.
We don't get to choose the scanner(s). The customer runs N-Stalker, Retina, Grendel and Syhunt, and sends the results to us. N-Stalker is the only one that comes back like this. N-Stalker's documentation is pretty sparse for non-paying customers; all I could find were periodic updates like the one I linked above, saying that they're looking for "package" vulnerabilities now. Similarly, the report we get is limited in the information it provides since we're not the paying customer. They send us a 'free version' of the N-Stalker report because the non-free version apparently contains information our customer's security team isn't allowed to transfer to us, and the PDFs are locked so they can't just copy & paste.
Security Review is a good tip, though; it's actually more stringent in some ways than the scans we already go through, inasmuch as it's written with Drupal-specific vulnerabilities in mind, and these other scanners aren't, AFAICS.
Call N-Stalker
Call them up and say: "I work for customer and the security scan gives this message. Can you give me more details?"
That sort of thing works for me except for cases where the support agreement only allows contact by specified individuals.
http://cleaver.ca
Worth a shot, thanks.
Seems like pure nonsense to me. Their site runs WordPress for the blog - I wonder if they also identify WordPress as a vulnerable package as well ;)
One thought: most of these scanners identify "Drupal" sites using pretty basic things. If you can identify how they identify Drupal, maybe you can hide the fact that it's Drupal and get a pass. I see that nstalker.com has a trial version you can download. I would do that, try it out on a test site with no other activity and see which pages it accesses to determine that it's Drupal. Maybe it hits misc/drupal.js or similar that you could hide from the NStalker?
Otherwise, I think you have to get more details on the specific problem by contacting NStalker and/or having the client contact NStalker and asking why it's so problematic to have Drupal.
One other thought: often these scanners report "informational" items - like it's possible they are just sharing this information in case the site owner is unaware that their site is running an Open Source package that needs to get periodically updated. If that's the case, hopefully you can get your client to agree that it's OK to ignore the informational warnings.
knaddison blog | Morris Animal Foundation
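The comment above suggests running the scanner's trial against an idle test site and watching which pages it requests. The script below is an added example, not code from the thread or from N-Stalker: it reads a web server access log in common/combined format, keeps only the requests from the scanner's IP, and reports which fixed-path Drupal 6 files (CHANGELOG.txt, misc/drupal.js and so on) and which module directories the scanner probed, together with the status the server returned. The list of fingerprint paths is my own assumption about what a scanner would try, based on files a stock Drupal 6 install ships at known locations, and the log lines and the scanner's IP address and User-Agent are constructed for the example. Anything the report shows as served is a candidate for a web-server deny rule if you decide to hide the platform.

```python
"""Find the Drupal fingerprint paths a web-application scanner requested.

Added example (not from the original thread). Run the scanner against a
test site with no other traffic, then feed the access log through this.
"""
import re
from collections import defaultdict

# Common Log Format / combined format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files a stock Drupal 6 install exposes at fixed paths. ASSUMPTION: this is
# a list I would check first, not a published list of what any scanner probes.
DRUPAL6_FINGERPRINTS = {
    "/CHANGELOG.txt": "names the exact core release in its first lines",
    "/INSTALL.txt": "core install notes shipped with every release",
    "/MAINTAINERS.txt": "core maintainer list shipped with every release",
    "/misc/drupal.js": "core JavaScript; the path alone identifies Drupal",
    "/modules/system/system.css": "core stylesheet at a fixed path",
    "/update.php": "core update script",
    "/xmlrpc.php": "core XML-RPC endpoint",
}

# Core modules live under /modules/<name>/, contrib under /sites/<site>/modules/<name>/.
MODULE_PATH_RE = re.compile(r"^/(?:sites/[^/]+/)?modules/(?P<module>[^/]+)/")

# Constructed sample log: 198.51.100.7 is the (made-up) scanner, 203.0.113.5 a visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2013:21:04:01 -0500] "GET / HTTP/1.1" 200 8132 "-" "test-scanner/1.0"
198.51.100.7 - - [10/Feb/2013:21:04:02 -0500] "GET /CHANGELOG.txt HTTP/1.1" 200 61240 "-" "test-scanner/1.0"
198.51.100.7 - - [10/Feb/2013:21:04:02 -0500] "GET /misc/drupal.js?v=1 HTTP/1.1" 200 9412 "-" "test-scanner/1.0"
198.51.100.7 - - [10/Feb/2013:21:04:03 -0500] "GET /sites/all/modules/views/css/views.css HTTP/1.1" 200 1920 "-" "test-scanner/1.0"
198.51.100.7 - - [10/Feb/2013:21:04:03 -0500] "GET /sites/all/modules/cck/theme/content-module.css HTTP/1.1" 404 318 "-" "test-scanner/1.0"
198.51.100.7 - - [10/Feb/2013:21:04:04 -0500] "GET /wp-login.php HTTP/1.1" 404 318 "-" "test-scanner/1.0"
203.0.113.5 - - [10/Feb/2013:21:05:10 -0500] "GET /node/1 HTTP/1.1" 200 7320 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop any query string: scanners often append cache-busting parameters.
    rec["path"] = rec.pop("target").split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def scanner_requests(lines, scanner_ip):
    """Parsed requests that came from the scanner's address."""
    return [r for r in map(parse_line, lines) if r and r["ip"] == scanner_ip]


def fingerprint_hits(lines, scanner_ip):
    """Map each probed fingerprint path to the HTTP statuses the server returned."""
    hits = defaultdict(list)
    for r in scanner_requests(lines, scanner_ip):
        if r["path"] in DRUPAL6_FINGERPRINTS:
            hits[r["path"]].append(r["status"])
    return dict(hits)


def module_probes(lines, scanner_ip):
    """Map each module directory the scanner touched to the statuses it got."""
    probes = defaultdict(list)
    for r in scanner_requests(lines, scanner_ip):
        m = MODULE_PATH_RE.match(r["path"])
        if m:
            probes[m.group("module")].append(r["status"])
    return dict(probes)


def report(lines, scanner_ip):
    """Human-readable summary: what the scanner keyed on and what was served."""
    out = []
    for path, statuses in sorted(fingerprint_hits(lines, scanner_ip).items()):
        state = "SERVED" if 200 in statuses else "not served"
        out.append(f"{path}: {statuses} {state} ({DRUPAL6_FINGERPRINTS[path]})")
    for module, statuses in sorted(module_probes(lines, scanner_ip).items()):
        state = "PRESENT" if 200 in statuses else "absent"
        out.append(f"module {module}: {statuses} {state}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines(), "198.51.100.7"))
```

On a real log, replace SAMPLE_LOG with the file contents and the scanner IP with the one your trial run used; a request that returns 200 for CHANGELOG.txt tells the scanner the exact core version, while a 404 for a contrib module's CSS only tells it that module is not installed, which is why module probes and core fingerprints are reported separately.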
This is effectively informational, but it's also graded "high", and it's been coming in that way the past couple of scans. I guess that's what's got me so annoyed about it: they grade it as "high", but give us nothing actionable. As I put it to a friend, it's a bit like saying "hey, we noticed your car runs on GASOLINE. That means there's a HIGH PROBABILITY that it might explode!"
Reverse-engineering it is probably a good idea, but it's probably not going to happen as long as I can get them to accept that this is informational; that seems to be the case, this time, but it may not always be, in which case I'll probably set aside an evening when the wife is out of town and do this.
I used to try to think of ways to disguise Drupal as the platform, but accepted eventually that it wasn't worth the effort (from a real security standpoint); having been exposed to these scans for a couple of years now, I'm more impressed than ever about the solidity of the system and the aggressiveness of the security team.