CVE Status & Mitigation
=======================

.. contents:: Table of Contents
   :local:
   :depth: 2

Overview
--------

Swivel Secure appliances are built on an Enterprise Linux foundation (Oracle Linux). To ensure stability, our operating system vendor **backports** security patches: fixes are applied to the shipped software version without changing its upstream version number. Consequently, vulnerability scanners that rely solely on version-number comparison (for example Nessus, Qualys or Rapid7) often report **false positives** against the appliance.

This document lists specific vulnerabilities that may be flagged by your scanner and, for each one, provides evidence of mitigation or an explanation of why the appliance is not affected.

.. note::

   If a scanner reports a vulnerability on your appliance that is not listed here, please contact Swivel Secure Support for analysis.

--------------------------------------------------------------------------------

Known False Positives & Mitigations
-----------------------------------

ELSA-2025-20114: NetworkManager Dispatcher Permissions
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

**Relevant CVEs:** CVE-2025-20114 (and related)

**Scanner Status:** Critical / High

**Appliance Status:** **Safe / Mitigated**

**Description**

A vulnerability exists in NetworkManager where the dispatcher directory may be created with world-writable permissions (777). Scripts in this directory are executed by the NetworkManager dispatcher with root privileges, so incorrect permissions on it could potentially allow local privilege escalation.

**Why this is a False Positive**

Vulnerability scanners raise this finding based on the installed RPM version of ``NetworkManager`` (for example, versions prior to ``1.48.10-5.0.3``). Swivel Secure appliances, however, enforce the correct permissions on this directory via configuration management, regardless of the RPM version installed. Because the directory is not writable by unprivileged users, the condition the CVE describes is not present on the appliance.

**Verification of Mitigation**

You can verify that the appliance is secure by checking the directory permissions. Access the appliance command line and run:

.. code-block:: bash

   ls -ld /etc/NetworkManager/dispatcher.d

**Expected Output:**

The mode must be ``drwxr-xr-x`` (755), with owner and group ``root`` as in the example below. If the output shows ``drwxrwxrwx`` (777), or any other mode that grants write access to group or other, please contact support immediately.

.. code-block:: text

   drwxr-xr-x. 2 root root 4096 Dec  9 10:00 /etc/NetworkManager/dispatcher.d

CVE-2024-38541: Kernel 'of_modalias' Buffer Overflow
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

**Relevant CVEs:** CVE-2024-38541

**Scanner Status:** High / Medium

**Appliance Status:** **Not Affected**

**Description**

A buffer overflow vulnerability exists in the Linux kernel's ``of_modalias()`` function. This function is part of the Device Tree (Open Firmware) subsystem, which is used primarily by embedded architectures such as ARM to describe hardware components to the kernel.

**Why this is a False Positive**

Swivel Secure appliances run on x86_64 hardware and use ACPI for hardware discovery, not Device Trees. The Device Tree subsystem is controlled by the kernel build option ``CONFIG_OF``, which is disabled at compile time in the appliance kernel. The vulnerable code is therefore not present in the kernel binary and cannot be reached, so the appliance is not affected by this vulnerability.

**Verification**

You can confirm that the vulnerable subsystem is not compiled in by checking the build configuration of the running kernel. The ``-w`` flag matches ``CONFIG_OF`` as a whole word, so related options such as ``CONFIG_OF_UNITTEST`` do not clutter the result:

.. code-block:: bash

   grep -w "CONFIG_OF" /boot/config-$(uname -r)

**Expected Output**

The command should either print the line below, explicitly stating that the option is not set, or print nothing at all (the symbol does not appear in the configuration). Either result shows that the Device Tree code is absent from the kernel; note that ``CONFIG_OF`` is a compile-time option, not a loadable module, so there is no runtime state to check. If the command prints ``CONFIG_OF=y`` instead, the subsystem is compiled in and the finding requires further analysis; please contact support.

.. code-block:: text

   # CONFIG_OF is not set

--------------------------------------------------------------------------------

.. INTERNAL TEMPLATE - COPY AND UN-INDENT TO USE

   CVE-YYYY-XXXX: Template Entry (Example)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   **Relevant CVEs:** CVE-YYYY-XXXX

   **Scanner Status:** High

   **Appliance Status:** **Not Affected**

   **Description**

   Short description of the vulnerability (e.g., a buffer overflow in the LibFoo component).

   **Why this is a False Positive**

   Explain why the appliance is safe. Examples:

   * The vulnerable component is installed but the service is disabled.
   * The specific vulnerable function is not used by the Swivel Secure application.
   * The fix has been backported by the OS vendor, but the package version number does not reflect the upstream version in which the fix appeared.

   **Verification** (Optional)

   Command to prove the service is disabled or the configuration is safe.

   .. code-block:: bash

      systemctl status vulnerable-service

   **Expected Output:**

   .. code-block:: text

      Active: inactive (dead)
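The two verification commands above each inspect a single thing: the mode of the top-level dispatcher directory, and whether ``CONFIG_OF`` appears in the kernel configuration. The script below is an added example, not code from the Swivel Secure appliance or from this page, that extends both checks so they can be run in one pass. For the dispatcher it also checks ownership, NetworkManager's standard dispatcher sub-directories (``pre-up.d``, ``pre-down.d``, ``no-wait.d``) and the write bits on any scripts inside them, since the dispatcher executes those scripts as root. For the kernel it distinguishes ``# CONFIG_OF is not set`` from ``CONFIG_OF=y`` while ignoring unrelated ``CONFIG_OF_*`` symbols. The function and variable names, the OK/FAIL message format, and the optional expected-owner argument (present so the check can be exercised against a test directory you own) are assumptions of this example.

```shell
#!/bin/sh
# Added verification script for the two false positives documented above.
# Illustrative example only: not part of the Swivel Secure appliance or its
# support tooling. Function names, messages and the optional OWNER argument
# are assumptions of this example.

# group_or_other_writable MODE
# Succeeds when an octal mode string (as printed by "stat -c %a", e.g. 755
# or 1777) has the write bit set for group or for other. The last two
# digits are group and other; a set write bit makes a digit 2, 3, 6 or 7.
group_or_other_writable() {
    case "$1" in
        *[2367][0-7]|*[0-7][2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_dispatcher_perms DIR [OWNER]
# Checks DIR plus NetworkManager's standard dispatcher sub-directories
# (pre-up.d, pre-down.d, no-wait.d) when they exist: each must be owned by
# OWNER (default root) and must not be writable by group or other. Scripts
# inside them get the same write-bit check, because the dispatcher runs
# them as root. Prints one FAIL line per problem; returns 0 only if clean.
check_dispatcher_perms() {
    base=$1
    want_owner=${2:-root}
    rc=0
    for d in "$base" "$base/pre-up.d" "$base/pre-down.d" "$base/no-wait.d"; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")
        owner=$(stat -c '%U' "$d")
        if [ "$owner" != "$want_owner" ]; then
            echo "FAIL: $d is owned by $owner, expected $want_owner"
            rc=1
        fi
        if group_or_other_writable "$mode"; then
            echo "FAIL: $d has mode $mode (writable by group/other)"
            rc=1
        fi
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            fmode=$(stat -c '%a' "$f")
            if group_or_other_writable "$fmode"; then
                echo "FAIL: script $f has mode $fmode (writable by group/other)"
                rc=1
            fi
        done
    done
    return $rc
}

# kernel_option_state CONFIG_FILE SYMBOL
# Reports how SYMBOL appears in a kernel build configuration. Prints one of
# "not set", "builtin", "module", "absent" or "unreadable"; exit status is
# 0 when the option is disabled or missing, 1 when it is enabled, 2 when
# the file cannot be read. The patterns anchor the full symbol name so that
# CONFIG_OF_UNITTEST is not mistaken for CONFIG_OF.
kernel_option_state() {
    cfg=$1
    sym=$2
    if [ ! -r "$cfg" ]; then
        echo "unreadable"
        return 2
    fi
    if grep -q "^# ${sym} is not set\$" "$cfg"; then
        echo "not set"
        return 0
    fi
    val=$(sed -n "s/^${sym}=//p" "$cfg" | head -n 1)
    case "$val" in
        "") echo "absent"; return 0 ;;
        y)  echo "builtin"; return 1 ;;
        m)  echo "module"; return 1 ;;
        *)  echo "set to $val"; return 1 ;;
    esac
}

# Run both checks against the live system when the relevant paths exist.
# On the appliance the expected result is the OK line and "not set".
if [ -d /etc/NetworkManager/dispatcher.d ]; then
    if check_dispatcher_perms /etc/NetworkManager/dispatcher.d; then
        echo "OK: dispatcher directories are root-owned and not writable by group/other"
    fi
fi
kcfg="/boot/config-$(uname -r)"
if [ -r "$kcfg" ]; then
    echo "CONFIG_OF in $kcfg: $(kernel_option_state "$kcfg" CONFIG_OF)"
fi
```

Save the script under any name on the appliance and run it as root with ``sh``; any ``FAIL`` line, or a ``CONFIG_OF`` state other than ``not set`` or ``absent``, means the corresponding finding should be treated as genuine until support has reviewed it.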