Discussion:
[openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version [PUBLIC]
CAMPBELL Jeremy
2018-03-01 20:17:22 UTC
Karl,

You can create a group policy object in your Windows environment to delete those keys. That makes the problem go away.

Regards,
Jeremy
This message was classified PUBLIC by CAMPBELL Jeremy on Thursday, March 1, 2018 at 3:17:16 PM.

From: Openvas-plugins [mailto:openvas-plugins-***@wald.intevation.org] On Behalf Of Karl Fox
Sent: Thursday, March 1, 2018 1:50 PM
To: openvas-***@wald.intevation.org
Subject: [Openvas-plugins] [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version

Thank you for your response.

Yes, I understand that this issue is triggered because Firefox sloppily leaves behind a registry entry when it uninstalls or upgrades, but Nessus, for example, doesn't get tripped up by that, and there are thousands of machines out there that will have these extraneous entries until the end of time. Would it be possible to modify gb_firefox_detect_win.nasl to not make this incorrect assumption? Perhaps check the uninstall hive to see if the software is still actually installed?

Thanks,

Karl
---------- Forwarded message ---------
From: <***@wald.intevation.org>
Date: Thu, Mar 1, 2018 at 1:32 PM
Subject: [openvas-Bugs][6942] gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
To: <***@wald.intevation.org>


Bugs item #6942, was changed at 2018-01-25 20:17 by Christian Fischer
You can respond by visiting:
https://wald.intevation.org/tracker/?func=detail&atid=220&aid=6942&group_id=29
Status: Closed
Priority: 3
Submitted By: Lithik Systems (lithik)
Assigned to: Nobody (None)
Summary: gb_firefox_detect_win.nasl gets wrong Mozilla Firefox version
Architecture: 64 bits
Product: OpenVAS
Operating System: Linux
Component: openvas-plugins
Version: None
Severity: normal
Resolution: Won't Fix
Hardware: PC
URL:


Initial Comment:
We have seen many 64-bit machines where OpenVAS throws up to dozens of Mozilla Firefox (not ESR) vulnerabilities even though Firefox is in fact up to date. We have tracked this down to what appears to be an incompletely uninstalled 32-bit version of Firefox where the current 64-bit Firefox is installed and running.

The following registry values remain:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org (folder)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla (folder)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla\CurrentVersion (REG_SZ)

OpenVAS reports the value of CurrentVersion as being too old. No other fields exist under the Wow6432Node\mozilla.org folder.

The following filesystem items remain:

C:\Program Files (x86)\Mozilla Firefox
C:\Program Files (x86)\Mozilla Firefox\browser
C:\Program Files (x86)\Mozilla Firefox\browser\defaults
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\disable-autoupdate.js

No other files or folders exist under C:\Program Files (x86)\Mozilla Firefox

The folder C:\Program Files\Mozilla Firefox exists and contains a complete and current Firefox installation.

The registry value HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\Mozilla\CurrentVersion exists and contains the version number of the current Firefox installation.

If I remove the old registry entry, OpenVAS does not report false positives. But I continue to run into hundreds of machines with this problem. Perhaps gb_firefox_detect_win.nasl can be made to avoid this false positive.

In the specific case I am using for this report, the uninstalled version is 44.0.2 and the currently installed version is 56.0.2.

----------------------------------------------------------------------
Comment By: Christian Fischer (cfi)
Date: 2018-03-01 18:32

Message:
Hi,

thanks for your report. Please note that this bugtracker is abandoned and issues related to NVTs are better placed at https://lists.wald.intevation.org/pipermail/openvas-plugins/

Firefox itself is known to leave traces like this behind, causing some possible false detections. See e.g. https://lists.wald.intevation.org/pipermail/openvas-discuss/2018-January/011748.html for some background.

For now I'm closing this, as the false detection will go away once the Firefox upgrade routines are correctly doing their job or the target's registry is cleaned up from such traces.

Suggestions to improve the situation or even patches are still welcome at the mentioned openvas-plugins mailing list.

----------------------------------------------------------------------
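
The cross-check Karl asks for above (confirm against the uninstall hive that Firefox is still installed before trusting CurrentVersion), as an added read-only PowerShell audit; it is not part of the thread or of gb_firefox_detect_win.nasl. The function name `Test-FirefoxRegistryTrace`, the default install folders taken from the report, and the rule "no uninstall entry and no firefox.exe means stale" are assumptions of this example.

```powershell
# Added example: read-only audit for the leftover CurrentVersion value described in this report.
# Registry and folder paths are the ones quoted in the report; the Uninstall key is the
# standard Windows location. Function name and the staleness rule are assumptions.
function Test-FirefoxRegistryTrace {
    [CmdletBinding()]
    param()

    # One entry per registry view: native (64-bit) and Wow6432Node (32-bit).
    $views = @(
        @{ Name = '64-bit'; Soft = 'HKLM:\SOFTWARE';             Dir = 'C:\Program Files\Mozilla Firefox' },
        @{ Name = '32-bit'; Soft = 'HKLM:\SOFTWARE\Wow6432Node'; Dir = 'C:\Program Files (x86)\Mozilla Firefox' }
    )

    foreach ($v in $views) {
        # The value the report says the scanner reads.
        $key = "$($v.Soft)\mozilla.org\Mozilla"
        $current = (Get-ItemProperty -Path $key -Name CurrentVersion -ErrorAction SilentlyContinue).CurrentVersion
        if (-not $current) { continue }   # nothing to misread in this view

        # Is there still a Firefox uninstall entry in the same registry view?
        $uninstall = "$($v.Soft)\Microsoft\Windows\CurrentVersion\Uninstall\*"
        $entry = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Mozilla Firefox*' } |
            Select-Object -First 1

        # Is the binary actually on disk, and which version is it?
        $exe = Join-Path $v.Dir 'firefox.exe'
        $exeVersion = if (Test-Path -LiteralPath $exe) {
            (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        }

        [pscustomobject]@{
            View           = $v.Name
            CurrentVersion = $current
            UninstallEntry = [bool]$entry
            ExeVersion     = $exeVersion
            # Stale: the version value exists, but nothing else says Firefox is installed here.
            Stale          = (-not $entry) -and (-not $exeVersion)
        }
    }
}

Test-FirefoxRegistryTrace | Format-Table -AutoSize
```

On a machine in the state the report describes, the 32-bit row would show the old CurrentVersion with `Stale = True`, while the 64-bit row shows the current install; hosts flagged this way are the ones a cleanup GPO like the one Jeremy mentions would need to reach.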
