Security – ODBC Vuln 175441

Time to make the donuts!

Time to make the doughnuts again: a new security finding, ODBC Vuln 175441, needs to be mitigated.  Not sure if you ever saw the commercials, but this is where my mind goes, sarcastic humor and all.  If you’re using ACAS/Tenable/Nessus for security scans, this may show up on your SCOM servers (MS, DB) and PowerBI Report Servers.

Let’s get started to upgrade ODBC

Action:  Security scan shows a new ODBC Vuln 175441, that may impact SCOM or PowerBI Report Server talking with SQL servers.

Start with some documentation, to understand what and why…

Tenable/Nessus Link to vulnerability

Download ODBC v18 here, v17 here

Outline of mitigation steps

What servers are vulnerable

Mitigate vulnerability on affected servers

Verify server Control Panel shows update

Have Security run additional scan to verify resolved

 

 

What servers are vulnerable?

We’re focused on the ‘Security – ODBC Vuln 175441’

 

Begin by looking at your Security scanning tool output (PowerBI report pictured).  I am also showcasing the PowerBI report, as this streamlines what the Security Admin has to provide when System Administrators (sysAdmin) reach out for debug/details.

ACAS/Tenable/Nessus scan PowerBI Report

In my case, I wanted to see what servers are impacted.  The PowerBI Report has a built-in ‘Deep Dive’ tab to see the details from the scan/check.  Click on the Deep Dive tab, enter the plugin ID (175441 for ODBC) and hit Enter.  This breaks out what servers are vulnerable.  Assess what servers are yours by looking at the ‘NetBIOS Name’ column (my output is simplified to show what I own with SCOM and PowerBI 🙂).  Alternatively, the admin typically has the scan tool email XLS files.

Access your ACAS/Tenable/Nessus scan deep dive tab (or PowerBI Report) to see how many systems are vulnerable.

Mitigate vulnerability on affected servers

Download ODBC v18 here, v17 here

Save to share or common path to put file on affected server(s).

Once moved, log in to the affected server(s), typically via RDP with a Local Administrator equivalent admin ID

Open Windows Explorer > Copy ODBC MSI to server

Open PowerShell (as Admin) window > Go to path > Run ODBCMSI

PowerShell as Administrator steps

Now the ODBC popup window for install

Note the screenshots and progress prompts

 

Click ‘I accept’ radio button and then click ‘Next’

ODBC EULA splash screen

Click Next to move beyond the ODBC features screen

ODBC Features screen

Click on Install

ODBC Install prompt

Watch progress bar  (maybe 1-2 minutes)

ODBC Install Progress bar

Click Finished

ODBC Install finished

Once the MSI installer window closes, it’s time to verify server Control Panel.

 

Verify server Control Panel shows update

Click on Start > Control Panel > Programs > Programs and Features

In the top right search bar, type ‘ODBC’ and hit enter to filter results.

 

Snapshot of Control Panel before

Control Panel with ODBC as the search string

Snapshot of Control Panel after

Hit F5 to refresh screen output

ODBC Control Panel after install

The one question is whether version 17 has to be removed to clear the vulnerability.  I ran into this scenario with Java, as the update left old versions.

I typically reboot the server to reinitialize it and assess any impacts, as well as to boot on the new drivers.   For this instance, I coordinated so that my July server updates were installed at the same time, to simplify my admin (as both require a reboot!)
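To see at a glance whether v17 and v18 are both still present after the install, the Programs and Features check above can be scripted. This is an added example, not part of the original post; the -MinimumFixed values are an assumption that you fill in from the plugin 175441 output in your own scan report.

```powershell
# Added example: inventory Microsoft ODBC Driver for SQL Server installs from
# the Uninstall registry keys (64-bit and 32-bit views) on the local server.
param(
    # Assumption: fixed versions come from your scan's plugin output, e.g.
    #   -MinimumFixed @{ '17' = '<fixed v17 version>'; '18' = '<fixed v18 version>' }
    # Left empty, the BelowFixed column stays blank.
    [hashtable]$MinimumFixed = @{}
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$drivers = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Microsoft ODBC Driver \d+ for SQL Server' } |
    ForEach-Object {
        # Major driver generation (17, 18, ...) taken from the display name
        $major = [regex]::Match($_.DisplayName, 'ODBC Driver (\d+)').Groups[1].Value
        $fixed = $MinimumFixed[$major]
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            DisplayName = $_.DisplayName
            Version     = $_.DisplayVersion
            Major       = $major
            View        = if ($_.PSPath -match 'WOW6432Node') { '32-bit' } else { '64-bit' }
            # True when the installed build is older than the fixed build supplied
            BelowFixed  = if ($fixed) { [version]$_.DisplayVersion -lt [version]$fixed } else { $null }
            ProductCode = $_.PSChildName
        }
    }

if (-not $drivers) { Write-Output "No Microsoft ODBC Driver for SQL Server found on $env:COMPUTERNAME" }
$drivers | Sort-Object Major, View | Format-Table -AutoSize
```

Saved as a .ps1 file, it can be run against the servers from the scan report with Invoke-Command -ComputerName ... -FilePath, so the before/after picture does not depend on logging in to each Control Panel.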

 

Have Security run additional scan to verify resolved

Typically SME has scheduled scans that run weekly, and can run scans on-demand.  Depending on urgency, you can decide whether or not waiting is relevant.

Enjoy!

 

Microsoft links

Learn article here

Download ODBC v18 here, v17 here

ACAS scan for Java vulns PlugIn ID’s 170161,166316

Java vulnerabilities on your SCOM servers

 

If you’re responsible for security compliance with SCOM servers, there will be times when applications need to be upgraded.   The current effort is Java vulnerabilities on your SCOM servers; current examples are plugin IDs 170161 and 166316.  Compliance and Security are big deals, even in air-gapped networks.   Why – even if external hacking risk is low, the security tools will cause administrative headaches when scanning weekly or more often.  The scans can also be intrusive in nature, causing even more problems.   As for the Java vulnerabilities: some 3rd party tools, like Cisco UCS monitoring, install Java for the application to run.   Java is like OS updates, with periodic vulnerabilities popping up on your favorite security scanner software/tool (like Nessus/ACAS/Tenable+).

Oracle Java vulnerability detail links ID 170161, ID 166316

ACAS Java vulnerabilities

For these specific vulnerabilities, the tool looks for Java 1.8.0+ install paths.   Even after upgrading Java, the vulnerabilities still showed; when I requested the debug output, it showed two paths on C: (the 64-bit and 32-bit paths).

Plugin Output:

Path              : C:\Program Files (x86)\Java\jre1.8.0_341\
Installed version : 1.8.0_341 / build 8.0.341
Fixed version     : Upgrade to version 8.0.361 or greater

Path              : C:\Program Files\Java\jre1.8.0_341\
Installed version : 1.8.0_341 / build 8.0.341
Fixed version     : Upgrade to version 8.0.361 or greater

In my case, the upgrade completed, but did not remove the old version 1.8.0_341 (vulnerable version)!

 

PS C:\Program Files\java> gci

    Directory: C:\Program Files\java

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
da----        7/28/2022   6:27 AM                jre1.8.0_341
da----        3/15/2023   6:12 PM                jre1.8.0_361

Verify Java version on affected server(s)

Verify install – whether you check from Windows Explorer for the C: drive path, or from Control Panel > Programs and Features > Installed

Java application from Programs and Features

NOTE: multiple Java versions show as installed on the server.   To resolve the vulnerability, you’ll need to download the latest update from Oracle here, install it, and then remove the old versions (note that both the 32-bit and 64-bit versions were installed)
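The leftover-version check described above can be run in one pass over both the 64-bit and 32-bit paths that the plugin output reports. This is an added example, not part of the original post; it assumes the jre1.8.0_NNN / jdk1.8.0_NNN folder naming shown in the plugin output and uses the fixed build 8.0.361 quoted there.

```powershell
# Added example: list Java 8 folders and uninstall entries older than the
# fixed update from the plugin output ("Upgrade to version 8.0.361 or greater").
$fixedUpdate = 361
$roots = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java")

# 1) Folders left on disk (what the scanner reports as "Path")
$folders = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        # Assumption: folder names follow the jre1.8.0_341 pattern from the scan output
        if ($_.Name -match '^(jre|jdk)1\.8\.0_(\d+)$') {
            $update = [int]$Matches[2]
            $exe    = Join-Path $_.FullName 'bin\java.exe'
            [pscustomobject]@{
                Path       = $_.FullName
                Update     = $update
                JavaExe    = if (Test-Path $exe) { (Get-Item $exe).VersionInfo.ProductVersion } else { 'missing' }
                Vulnerable = $update -lt $fixedUpdate
            }
        }
    }
}
$folders | Sort-Object Path | Format-Table -AutoSize

# 2) Matching Programs and Features entries that still need to be removed
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java 8 Update (\d+)' -and [int]$Matches[1] -lt $fixedUpdate } |
    Select-Object DisplayName, DisplayVersion, UninstallString |
    Format-List
```

A folder that still shows Vulnerable = True after the upgrade is the same condition the scanner keeps flagging, so rerun this after removing the old versions and before asking Security for a rescan.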

 

From PowerShell as admin, go to the path where you saved the Java exe

Java installer splash screen

Click Close once Java installed

Java install completed

Additional validation step

From Event Viewer, Application Event Log, look for MsiInstaller events to validate Java install successful

Windows Application Event Log, looking for MSIInstaller events to validate Java install successful
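The same MsiInstaller check can be done from PowerShell instead of Event Viewer. This is an added example, not part of the original post; the one-day look-back window and the product-name filter are assumptions to adjust.

```powershell
# Added example: summarize recent MsiInstaller install/removal events from
# the Application log for the products patched in this post.
$since   = (Get-Date).AddDays(-1)   # assumption: the install ran within the last day
$product = 'Java|ODBC Driver'       # assumption: regex matched against the event message

# Commonly seen MsiInstaller event IDs and what they indicate
$meaning = @{
    1033  = 'Install finished (status code is in the message; 0 = success)'
    1034  = 'Removal finished (status code is in the message; 0 = success)'
    11707 = 'Installation completed successfully'
    11708 = 'Installation failed'
    11724 = 'Removal completed successfully'
}

$events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = [int[]]@($meaning.Keys)
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $product } |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Output "No matching MsiInstaller events since $since"
}

$events |
    Select-Object TimeCreated, Id,
        @{ Name = 'Meaning'; Expression = { $meaning[[int]$_.Id] } },
        Message |
    Format-Table -AutoSize -Wrap
```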

 

For me, knowing that Cisco UCS application used java, I wanted to verify the alerts in SCOM, as well as the service restarted without issue.

 

Cisco UCS Service from services.msc

Happy trails, being compliant and secure!