...
There are 26 CVEs with a CVSS score >= 9.0. These are exceptions requested here:
...
CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES | ||||||||
CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | No fix available | apparmor | ||||||||
CVE-2017-18201 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-18201 | No fix available | libcdio17 | ||||||||
CVE-2017-7827 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-7827 | No fix availableReported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||||||
CVE-2018-5090 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5090 | Reported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||||||
CVE-2018-5126 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5126 | Reported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||||||
CVE-2018-5145 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5145 | Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||||||
CVE-2018-5151 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5151 | Reported fixed in 60 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||||||
CVE-2019-17041 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 | No fix availableReported fixed in 8.19 and later version (installed), but still reported by Vuls | rsyslog | ||||||||
CVE-2019-17042 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 | No fix availableReported fixed in 8.19 and later version (installed), but still reported by Vuls | rsyslog | ||||||||
| CVE-2019-8287 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-8287 | Uninstall tigervncserver $ sudo apt remove tigervnc* $ sudo apt-get remove tightvnc* -y | tightvncserver | ||||||||
| CVE-2022-0318 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-0318 | Uninstall vim $ sudo apt remove vim* | vim | ||||||||
| CVE-2022-23852 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23852 | Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird* | firefox, thunderbird | ||||||||
| CVE-2022-24791 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-24791 | Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird* | firefox, thunderbird | ||||||||
CVE-2022-25235 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25235 | Uninstall firefox, thunderbird | firefox, thunderbird | ||||||||
CVE-2022-25236 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25236 | Uninstall firefox, thunderbird | firefox, thunderbird | ||||||||
CVE-2022-25315 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25315 | Uninstall firefox, thunderbird | firefox, thunderbird | ||||||||
| CVE-2022-3649 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-3649 | No fix available | linux-image-4.15.0-197-generic | ||||||||
| CVE-2022-37609 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-37609 | Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird* | thunderbird | ||||||||
| CVE-2022-39394 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-39394 | Uninstall thunderbird $ sudo apt remove thunderbird* | thunderbird | ||||||||
| CVE-2016-9180 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2016-9180 | No fix available | libxml-twig-perl TODO: File exception request | ||||||||
CVE-2019-20433 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2019-20433 | No fix available | aspell | ||||||||
| CVE-2022-24303 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-24303 | No fix available | python3-pil TODO: File exception request | ||||||||
| CVE-2022-39319 | 9.1 | https://ubuntu.com/security/CVE-2022-39319 | Reported fixed in 2.2.0+dfsg1-0ubuntu0.18.04.4 and later version (installed), but still reported by Vuls | libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2 | ||||||||
| CVE-2022-41877 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-41877 | No fix available | libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2 TODO: File exception request | CVE-2019-11707 | 8.9 | https://nvd.nist.gov/vuln/detail/CVE-2019-11707 | No fix available | libmozjs-52-0CVE-2022-23960 | 8.9 | https://nvd.nist.gov/vuln/detail/CVE-2022-23960 | No fix available | linux-image-4.15.0-197-generic
PC/Server for robot control
There are 40 CVEs with a CVSS score >= 9.0. These are exceptions requested here:
Release 57: Akraino CVE and KHV Vulnerability Exception Request
CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES |
CVE-2005-2541 | 10.0 | https://nvd.nist.gov/vuln/detail/CVE-2005-2541 | No fix available | tar |
CVE-2014-2830 | 10.0 | https://nvd.nist.gov/vuln/detail/CVE-2014-2830 | No fix available | cifs-utils |
CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | No fix available | libapparmor1 |
CVE-2017-17479 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-17479 | No fix available | libopenjp2-7 |
CVE-2017-9117 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-9117 | No fix available | libtiff5 |
CVE-2018-13410 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-13410 | No fix available | zip |
CVE-2019-1010022 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-1010022 | No fix available | libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales |
CVE-2019-8341 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-8341 | No fix available | python3-jinja2 |
CVE-2020-27619 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2020-27619 | No fix available | python3.9 |
CVE-2021-29462 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-29462 | No fix available | libixml10, libupnp13 |
CVE-2021-29921 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-29921 | Reported fixed in python3.9 (installed), but still reported by Vuls | python3.9 |
CVE-2021-30473 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30473 | No fix available | libaom0 |
CVE-2021-30474 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30474 | No fix available | libaom0 |
CVE-2021-30475 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30475 | No fix available | libaom0 |
CVE-2021-3756 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-3756 | install libmysofa 1.2.1 | libmysofa1 |
| CVE-2021-3782 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-3782 | No fix available | libwayland-client0, libwayland-cursor0, libwayland-egl1, libwayland-server0 TODO: File exception request |
CVE-2021-42377 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-42377 | No fix available | busybox |
CVE-2021-45951 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45951 | No fix available | dnsmasq |
CVE-2021-45952 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45952 | No fix available | dnsmasq |
CVE-2021-45953 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45953 | No fix available | dnsmasq |
CVE-2021-45954 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45954 | No fix available | dnsmasq |
CVE-2021-45955 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45955 | No fix available | dnsmasq |
CVE-2021-45956 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45956 | No fix available | dnsmasq |
| CVE-2021-45957 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45957 | No fix available | dnsmasq TODO: File exception request |
CVE-2022-0318 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-0318 | unistall vim $ sudo apt remove vim* | vim-common, vim-runtime, vim-tiny, xxd |
| CVE-2022-1253 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-1253 | No fix available | libde265-0 |
CVE-2022-23303 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23303 | No fix available | hostapd, wpasupplicant |
CVE-2022-23304 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23304 | No fix available | hostapd, wpasupplicant |
| CVE-2022-37454 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-37454 | No fix available | hostapd, wpasupplicant TODO: File exception request |
| CVE-2022-3970 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-3970 | No fix available | python3.9 TODO: File exception request |
| CVE-2019-19391 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2019-19391 | No fix available | libtiff5 TODO: File exception request |
CVE-2021-4048 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-4048 | No fix available | libblas3, liblapack3 |
CVE-2021-43400 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-43400 | No fix available | bluez |
| CVE-2021-46848 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-46848 | No fix available | libtasn1-6
|
| CVE-2022-0670 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-0670 | No fix available | librados2, librbd1
|
| CVE-2022-24303 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-24303 | No fix available | python3-pil
|
| CVE-2022-26280 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-26280 | No fix available | libarchive13
|
| CVE-2022-32213 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32213 | No fix available | nodejs TODO: File exception request |
| CVE-2022-32214 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32214 | No fix available | nodejs
|
| CVE-2022-32215 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32215 | No fix available | nodejs
|
...
The following list of tests MUST complete as passing
| No. | Test | Result | Fix |
|---|---|---|---|
| 1 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs | Result: password aging limits are not configured | Set PASS_MAX_DAYS 180 in /etc/login.defs |
| 2 | Performing test ID AUTH-9328 (Default umask values) | Test: Checking umask value in /etc/login.defs Result: found umask 022, which could be improved | Set UMASK 027 in /etc/login.defs |
| 3 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) | Result: AllowUsers is not set | Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config
$ su root # whoami root # ./lynis audit system ※reference:https://github.com/CISOfy/lynis/blob/master/include/tests_ssh#L54 |
| 4 | Test: checking for file /etc/network/if-up.d/ntpdate | Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently having 177 points (out of 168) | OK |
| 5 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required | N/A | N/A |
| 5a | sysctl key fs.suid_dumpable contains equal expected and current value (0) | sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2 Hardening: assigned partial number of hardening points (0 of 1). Currently having 163 points (out of 253) | Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf |
| 5b | sysctl key kernel.dmesg_restrict contains equal expected and current value (1) | Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0 | Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf |
| 5c | sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) | Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1 | Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'net.ipv4.conf.default.accept_source_route=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a |grep ipv4.conf.default.accept_source_route |
| 6 | Test: Check if one or more compilers can be found on the system | Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler' Hardening: assigned partial number of hardening points (1 of 3). Currently having 180 points (out of 286 Found known binary: as (compiler) - /usr/bin/as Found known binary: cc (compiler) - /usr/bin/cc Found known binary: g++ (compiler) - /usr/bin/g++ Found known binary: gcc (compiler) - /usr/bin/gcc | Uninstall gcc and remove /usr/bin/as, /usr/bin/cc |