USN-3643-2: Wget vulnerability


#1

The USN-3643-2: Wget vulnerability is fixed automatically and installed on SecureDrop production instances. I received the following OSSEC alerts, which is not what I was expecting.


Report ‘Daily report: File Changes’ completed.

->Processed alerts: 3
->Post-filtering alerts: 1
->First alert: 2018 May 10 04:11:36
->Last alert: 2018 May 10 04:11:36

Top entries for ‘Level’:

Severity 7 |1 |

Top entries for ‘Group’:

ossec |1 |
syscheck |1 |

Top entries for ‘Location’:

mon->syscheck |1 |

Top entries for ‘Rule’:

551 - Integrity checksum changed again (2nd time). |1 |

Top entries for ‘Filenames’:

/usr/bin/wget |1 |


#2

The file /var/ossec/logs/alerts/2018/May/ossec-alerts-10.log contains the expected alert:

** Alert 1525918296.0: mail  - ossec,syscheck,
2018 May 10 04:11:36 mon->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (XXXXX).'
Integrity checksum changed for: '/usr/bin/wget'
Old md5sum was: '4fae3f5dd189c63f1f5ec4d2649a6ff9'
New md5sum is : '8044033594ed3a2b97bd4eb02770631e'
Old sha1sum was: '64e75194aaa4fcc2a887b08dc9ec4fa2454a65e0'
New sha1sum is : 'a399595018d8c0a1d267538b85d778f952d6c198'

The file /var/ossec/logs/ossec.log does not have any ossec-maild error messages that could indicate it had trouble sending the mail. There also is nothing in the spam folder.

This is the first time it has happened, and I wonder if anyone else has had similar problems?
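
Added example, not part of the original posts: a small parser for the alert format quoted in post #2 that lists the syscheck alerts flagged for e-mail, so they can be compared against the messages that actually arrived. The function names are hypothetical, and reading the `mail` token in the alert header as "flagged for e-mail notification" is an assumption.

```python
import re
from datetime import datetime, timezone

# Sample input: the alert quoted in post #2 above.
SAMPLE = """\
** Alert 1525918296.0: mail  - ossec,syscheck,
2018 May 10 04:11:36 mon->syscheck
Rule: 551 (level 7) -> 'Integrity checksum changed again (XXXXX).'
Integrity checksum changed for: '/usr/bin/wget'
Old md5sum was: '4fae3f5dd189c63f1f5ec4d2649a6ff9'
New md5sum is : '8044033594ed3a2b97bd4eb02770631e'
Old sha1sum was: '64e75194aaa4fcc2a887b08dc9ec4fa2454a65e0'
New sha1sum is : 'a399595018d8c0a1d267538b85d778f952d6c198'
"""

HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+:\s*(mail)?\s*- (.*)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
CHANGED = re.compile(r"^Integrity checksum changed for: '(.*)'$")
HASH = re.compile(r"^(Old|New) (md5sum|sha1sum) (?:was|is) ?: '([0-9a-f]+)'$")

def parse_alerts(text):
    """Split an alerts log into one dict per '** Alert' record."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            # Assumption: 'mail' in the header means flagged for e-mail.
            cur = {"epoch": int(m[1]), "mail": m[2] is not None,
                   "groups": [g for g in m[3].split(",") if g], "hashes": {}}
            alerts.append(cur)
        elif cur is None:
            continue  # text before the first alert header
        elif m := RULE.match(line):
            cur["rule"], cur["level"] = int(m[1]), int(m[2])
        elif m := CHANGED.match(line):
            cur["file"] = m[1]
        elif m := HASH.match(line):
            cur["hashes"][f"{m[1].lower()}_{m[2]}"] = m[3]
    return alerts

def expected_mail(alerts):
    """Syscheck alerts flagged for mail; each should match a received message."""
    return [(datetime.fromtimestamp(a["epoch"], timezone.utc).isoformat(),
             a.get("rule"), a.get("file"))
            for a in alerts if a["mail"] and "syscheck" in a["groups"]]

if __name__ == "__main__":
    for when, rule, path in expected_mail(parse_alerts(SAMPLE)):
        print(when, rule, path)
```

The timestamp is printed in UTC from the epoch in the alert header, which avoids time zone confusion when matching against mail headers.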


#3

Hi Loic,

These alerts look normal. I am unsure what you mean by “not what I was expecting”. Can you clarify @dachary?

Best
Freddy


#4

I expected a mail with the alert related to wget, similar to USN-3628-2: OpenSSL vulnerability, but it appears it got lost somewhere.