Vulnerability Scanners returning false positives due to backporting
Note: We are constantly applying security patches that might affect our customers. You can follow our security page here to stay in the loop.
In some instances a vulnerability scanner will report issues simply because it detects what looks like an outdated version of a package. What many of these scanners overlook is that the vulnerabilities known to affect that upstream version have often already been patched through a method known as "backporting".
"Backporting is the action of taking parts from a newer version of a software system or software component and porting them to an older version of the same software. It forms part of the maintenance step in a software development process, and it is commonly used for fixing security issues in older versions of the software and also for providing new features to older versions."
In other words, if a scanner only reads a version string (for example the banner OpenSSH sends when you connect) and lists every vulnerability ever associated with that upstream version, instead of actually testing for the specific vulnerability, the likelihood of a false positive rises.
Pagely servers run on Ubuntu, a Linux distribution that uses backporting to patch vulnerabilities. Because Ubuntu is one of the most common operating systems for web servers, its backports are tested thoroughly and tracked in the package changelogs. An example can be seen here.
What are some examples of false positives?
Most instances of false positives shared with us have involved OpenSSL and OpenSSH.
One example we've seen of an OpenSSH false positive concerned our use of version 7.2p2 at the time of writing this article. Here are the known vulnerabilities listed for version 7.2p2. Taken at face value, this version of OpenSSH appears to have multiple vulnerabilities, such as username enumeration, exposed private keys, and denial of service.
However, in the changelog we shared above we can see upstream fixes being backported into the 7.2p2 package, so the upstream version number alone does not tell you which vulnerabilities remain. Ubuntu security updates record the CVE identifiers they fix in the package changelog, so searching the installed package's changelog for the CVE id in question (or looking the CVE up in the Ubuntu CVE tracker) settles whether a reported issue is still present.
 -- Martin Pitt <firstname.lastname@example.org>  Sun, 31 Jul 2016 10:51:01 +0200

openssh (1:7.2p2-4ubuntu1) xenial; urgency=medium

  * Backport upstream patch to unbreak authentication using lone certificate
    keys in ssh-agent: when attempting pubkey auth with a certificate, if no
    separate private key is found among the keys then try with the
    certificate key itself (thanks, Paul Querna; LP: #1575961).

 -- Colin Watson <email@example.com>  Mon, 21 Dec 2015 22:10:07 +0000

openssh (1:7.1p1-4) unstable; urgency=medium

  * Backport upstream patch to unbreak connections with peers that set
    first_kex_follows (LP: #1526357).
About 25 other backports appear in this particular changelog.
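The check described above, turned into a small script: this is an added example written for this article, not Pagely's tooling or anything from the OpenSSH or Ubuntu projects. It parses a Debian-format changelog, strips a package version down to the upstream version a banner-matching scanner would see, and decides whether a CVE reported against that upstream version has actually been fixed in the installed package. The changelog text and the CVE numbers (CVE-0000-000x) are constructed placeholders, not real advisories; the only real-world inputs assumed are the standard dpkg-query and changelog.Debian.gz locations named in the comments.

```python
"""Decide whether a scanner finding against an Ubuntu package is a backporting
false positive by reading the package's Debian changelog for CVE identifiers.

Added example for this article, not Pagely's tooling. The changelog text and
CVE numbers below are constructed placeholders (CVE-0000-000x is not a real
advisory). On a real Ubuntu host the two inputs come from standard tools:

    dpkg-query -W -f='${Version}' openssh-server           # installed version
    zcat /usr/share/doc/openssh-server/changelog.Debian.gz   # its changelog
"""
import re

# Debian changelog entry header: "source (version) distribution; urgency=..."
HEADER_RE = re.compile(
    r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>[^;]+); urgency=", re.M
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample changelog in Debian format. Ubuntu security uploads list the
# CVE ids they fix under a "SECURITY UPDATE:" bullet, which is what we look for.
SAMPLE_CHANGELOG = """\
openssh (1:7.2p2-4ubuntu2.2) xenial-security; urgency=medium

  * SECURITY UPDATE: placeholder description of the second fix
    - CVE-0000-0002

 -- Placeholder Maintainer <maintainer@example.com>  Tue, 02 Jan 2018 00:00:00 +0000

openssh (1:7.2p2-4ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: placeholder description of the first fix
    - CVE-0000-0001

 -- Placeholder Maintainer <maintainer@example.com>  Mon, 01 Jan 2018 00:00:00 +0000

openssh (1:7.2p2-4ubuntu1) xenial; urgency=medium

  * Backport upstream patch for a non-security bug (no CVE id recorded).

 -- Placeholder Maintainer <maintainer@example.com>  Sun, 01 May 2016 00:00:00 +0000
"""


def parse_changelog(text):
    """Split a Debian changelog into (version, {CVE ids}) tuples, newest first."""
    heads = list(HEADER_RE.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end]
        entries.append((m.group("version"), set(CVE_RE.findall(body))))
    return entries


def upstream_version(deb_version):
    """'1:7.2p2-4ubuntu2.2' -> '7.2p2': drop the epoch and the Debian revision.
    This upstream version is all a banner-matching scanner has to go on."""
    without_epoch = deb_version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def cves_fixed_in(installed, changelog_text):
    """CVE ids whose fixes are included in `installed`: those named in its own
    entry plus every older entry below it (the changelog is newest-first)."""
    entries = parse_changelog(changelog_text)
    versions = [v for v, _ in entries]
    if installed not in versions:
        raise ValueError(f"{installed} not in this changelog; wrong package or changelog?")
    fixed = set()
    for _, cves in entries[versions.index(installed):]:
        fixed |= cves
    return fixed


def classify(cve, affected_upstream, installed, changelog_text):
    """'not_affected' if the upstream version is not in the advisory's list,
    'patched_by_backport' if the distro changelog records the fix, else 'vulnerable'."""
    if upstream_version(installed) not in affected_upstream:
        return "not_affected"
    if cve in cves_fixed_in(installed, changelog_text):
        return "patched_by_backport"
    return "vulnerable"


if __name__ == "__main__":
    installed = "1:7.2p2-4ubuntu2.2"
    print("scanner sees upstream version:", upstream_version(installed))
    for cve in ("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"):
        print(cve, "->", classify(cve, {"7.2p2"}, installed, SAMPLE_CHANGELOG))
```

To use it against a real host, replace SAMPLE_CHANGELOG with the output of zcat on the installed package's changelog.Debian.gz and pass the dpkg-query version string as `installed`. The result is only as good as the changelog: a fix the maintainers described without a CVE id, or one applied before the id was assigned, will come back as "vulnerable", so treat that verdict as "needs a human look at the patch list", not as confirmation.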
What if it's NOT a false positive?
It is always better to be safe than sorry: check with the team or company that performed your scan whether the reported vulnerabilities have already been fixed in the installed package version, rather than in the upstream version the scanner matched on. If they are unable to confirm this, or you are certain there is cause for concern, please don't hesitate to contact support.