Koozali.org: home of the SME Server

Nessus found 9 holes in my server...

Daniel

Nessus found 9 holes in my server...
« on: July 05, 2001, 03:01:05 AM »
Greetings,

I am doing security audits on various machines at the University where I work using Nessus.  I decided to go ahead and give my e-smith box a go and was very surprised to find vulnerabilities.

I found 9 holes in the machine (according to Nessus).  Most of them were in SMTP with no less than like 4 or 5 buffer overflows that allowed attackers to execute code.

I understand that there are changes in file locations under e-smith and that this may confuse Nessus into thinking there is something wrong when there isn't, but I would just like to see what people have to say about this.

I wonder if others have had similar results with Nessus or ISS when doing scans against their e-smith machines.

Thanks for your input,

Daniel

Ross Laver

Re: Nessus found 9 holes in my server...
« Reply #1 on: July 05, 2001, 05:15:34 AM »
Once again, we would like to remind e-smith users that any potential security concerns should be reported directly to rather than being posted in a public forum. This is standard security practice -- see, for example http://www.apache.org/security_report.html or the recovery procedures recommended by CERT (http://www.cert.org/nav/recovering.html).

There's a good and very obvious reason for this, in addition to giving us the opportunity to investigate. If you suspected that the door locks on your house didn't work, would you walk around downtown with a sign advertising that fact?

To repeat, e-smith takes security very seriously. We do not believe there are any vulnerabilities in the current version of e-smith. Previous reports of security compromises have been found to have been due to local modifications and not a weakness in the e-smith product as shipped.

This report has been forwarded to security@e-smith.com for further consideration.

Ross

Ross Laver

Re: Nessus found 9 holes in my server...
« Reply #2 on: July 05, 2001, 08:46:54 AM »
Daniel,

Our developers investigated the Nessus vulnerability reports in detail when they were previously reported to . They found that all of these reports are false positives.

The SMTP server used by e-smith explicitly guards against the buffer overflow attempts mentioned in the Nessus scans. The SMTP server also runs as an unprivileged user in a restricted environment which protects the system against any compromise attempts. In short, your e-smith system is secure.

If you wish to discuss this further, please contact

Ross

Daniel

Re: Nessus found 9 holes in my server...
« Reply #3 on: July 05, 2001, 10:11:04 AM »
You are absolutely right about that.  I am sorry for posting that like that; I should have known better.  As I mentioned in the letter, however, I was pretty sure that the box was secure despite the Nessus reports.  Rather than thinking that they were definitely holes, I simply wanted someone there at e-smith to confirm that they were false positives.  But in the future I won't go about it in the same way.

Please accept my apologies.

Thank you,

Daniel