ADE v4.5.10.186048 still triggers for APSB19-16 via Nessus Plugin 122815

New Here, Jun 13, 2019

SYNOPSIS: Nessus requires complete version string information to be written to the Windows registry to ascertain if an application has a known vulnerability. The version of ADE which remediates APSB19-16 does not present full version string information, and thus vulnerability scanning tools falsely claim it is vulnerable to APSB19-16

FIX: The Adobe Digital Editions Product Team needs to release an updated installer for ADE, which correctly inserts the full version data into the registry, so that Nessus can correctly determine the version, and thus differentiate from a vulnerable or non-vulnerable version. Also note that the metadata on the DigitalEditions.exe file also claims that it is 4.5.10.0, so that should be updated as well. (Basically, if the About dialog says the version is 4.5.10.186048, don't tell other system components that the version is something different, such as 4.5.10.)

DISCUSSION:

Adobe Digital Editions v4.5.10.186048 is detected by Nessus as being vulnerable for APSB19-16, in plugin 122815. This is because ADE is not correctly updating the Windows Registry with the full version string during installation, and Nessus is relying on the information reported in the registry to be correct.

I have verified multiple times, on multiple different systems, that the version of ADE being obtained from Adobe's download page is the correct version, and the About dialog box of ADE validates that the installed version is the non-vulnerable version, of 4.5.10.186048. Additionally, Tenable--the creator of Nessus--has been engaged about this false positive detection, and they indicate that they are using industry standard locations (e.g., the Windows registry) to check for version information.

Below is the Nessus plugin code which is from plugin 122815, which indicates that the plugin is indeed checking the registry for the correct version string.

==========
---
include("vcf.inc");

get_kb_item_or_exit("SMB/Registry/Enumerated");

app_info = vcf::get_app_info(app:"Adobe Digital Editions", win_local:TRUE);

constraints = [
  { "fixed_version" : "4.5.10.186048" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints,
                              severity:SECURITY_HOLE);
---
==========

From a versioning perspective, the version reported in all current metadata indicates that ADE is 4.5.10. As 4.5.10 (or 4.5.10.0) is an earlier version than 4.5.10.186048, Nessus reports that the application is vulnerable, regardless of the fact that it is not.

As a simple overview of the issue, I have attached an image below, showing that ADE is stating that it is the patched version, however the versioning information in Programs and Features is erroneously displaying 4.5.10. Consequently, any tool relying on the data presented by the Programs and Features list (or, rather, the source data of the Windows registry) will--in this specific instance, at least--get incorrect information if they take the version string as fact, and thus may deduce that a vulnerable version of the software is installed.

[Attached image: ADE Version ProgAndFeat Incorrect.PNG]

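As an added illustration (not code from the thread, from Tenable or from Adobe): a dotted-version comparison that treats a missing trailing component as zero, which is why the post's registry value 4.5.10 sorts below the fixed version 4.5.10.186048, plus a triage helper that compares what the registry, the exe metadata and the About dialog each report. The sample values are the ones quoted in the post; the function names are my own.

```python
from typing import Dict, List


def parse_version(v: str) -> List[int]:
    """'4.5.10.186048' -> [4, 5, 10, 186048]."""
    return [int(p) for p in v.strip().split(".") if p != ""]


def compare_versions(a: str, b: str) -> int:
    """Numeric dotted comparison; a missing trailing component counts as 0,
    so '4.5.10' == '4.5.10.0' < '4.5.10.186048', the behaviour the post describes."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def scanner_verdict(reported: str, fixed_version: str) -> str:
    """What a 'fixed_version' constraint concludes from one reported string."""
    return "vulnerable" if compare_versions(reported, fixed_version) < 0 else "not vulnerable"


def triage(sources: Dict[str, str], fixed_version: str) -> dict:
    """Evaluate every version source the way a registry-based plugin would.
    Flag a likely false positive when the sources disagree, the About dialog
    (what the program itself reports) meets the fixed version, and at least one
    other source (registry, exe metadata) still reads as vulnerable."""
    verdicts = {name: scanner_verdict(v, fixed_version) for name, v in sources.items()}
    disagreement = len(set(sources.values())) > 1
    about_ok = verdicts.get("about_dialog") == "not vulnerable"
    others_flag = any(v == "vulnerable" for k, v in verdicts.items() if k != "about_dialog")
    return {"verdicts": verdicts, "likely_false_positive": disagreement and about_ok and others_flag}


# Constructed sample reproducing the values quoted in the post above.
ADE_4_5_10 = {
    "registry_display_version": "4.5.10",      # Programs and Features / Uninstall key
    "exe_file_version": "4.5.10.0",            # DigitalEditions.exe metadata
    "about_dialog": "4.5.10.186048",           # what ADE itself reports
}
FIXED_4_5_10 = "4.5.10.186048"                  # plugin 122815 constraint

if __name__ == "__main__":
    print(triage(ADE_4_5_10, FIXED_4_5_10))
```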
Community Beginner, Aug 18, 2021

This is an old post but wanted to point out that these issues still pop up on each release of their product.

Thank you for the detailed issue, and hopefully they will change their development patterns in the future.

Explorer, Jul 13, 2023

Adobe just released a new version of ADE (4.5.12) and after many years, this time it is a minor version upgrade instead of a build version upgrade. They did this specifically to address the issue that asset management and vulnerability management tools were not able to correctly detect the installed version because in the past the installer was not correctly setting the required registry keys. The download page with the new build is at ADOBE DIGITAL EDITIONS Download - https://www.adobe.com/

Community Beginner, Jul 17, 2023

I see it and thank you. I am afraid this may still continue to come up in the future. While yep, happy they released a new version, they still do not correctly have the version applied to the digitaleditions.exe, nor do they have the correct version on the registry uninstall key. The version is 4.5.12 in the registry and 4.5.12.0 on the .exe. The version should be 4.5.12.112. I fully expect to get another finding in the coming days.
