Linux Daemons with Broken Links to Executables -- avahi-daemon--Nessus finding

Has anyone experienced this finding from Nessus?

Plugin Output:
The following daemons are associated with broken links to
executables :
- 4**** udp: (/usr/sbin/avahi-daemon)
- Process image does not match prelink verification image. :

Responses

Yes, we also see it, but we are not sure what the solution is. We just raised a case with Red Hat support for the same.

As per my understanding, /usr/sbin/avahi-daemon, for example, has a predefined checksum as per the Red Hat build. The file "/usr/sbin/avahi-daemon" on the server does not match the checksum of the default image. That is what Nessus wants to highlight, assuming someone may have replaced binaries with their own version.

If you restart the service and rescan, the vulnerability will go away. This page has some valuable info: https://owlbearconsulting.com/doku.php?id=linux_wiki:broken_links_to_executables

The above wiki page talks about updating a package with the binary, however the error shown talks about prelinking.

The concept of prelinking and why it modifies binaries is discussed at: Questions about Prelinking in Red Hat Enterprise Linux.

You'll see prelink was a method to link dynamic libraries into a binary to provide faster startup times. This offered some benefit on older, slower systems, but we stopped using it from RHEL7 onwards as it's not that useful anymore.

If you would prefer not to use prelink, you can disable it if you want to: How do I disable prelink on my system?

Reading the full message you posted in the support case, it does seem the above wiki page is correct.

If you have a binary running, then update the on-disk executable (like with yum update) but don't restart the binary, then the in-memory running binary is the old version, and the on-disk binary is the new version.

That does appear to be what the scanner is picking up.

Here's another example for a RHEL 6.10 system:

The following daemons are associated with broken links to executables :

  • 143 udp: (/sbin/portreserve)
  • Process image does not match prelink verification image. : Process image md5sum : a542504f9890395782969e249095c6ee Prelink verification image md5sum : 133a2ae2d6233e9b3a211d420b3a54f7
  • 995 udp: (/sbin/portreserve)
  • Process image does not match prelink verification image. : Process image md5sum : a542504f9890395782969e249095c6ee Prelink verification image md5sum : 133a2ae2d6233e9b3a211d420b3a54f7

Here is something that might help:

# needs-restarting -urs
No core libraries or services have been updated.
Reboot is probably not necessary.
#
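
The condition discussed in this thread (a process still running an executable that has since been replaced on disk) can be checked directly from /proc. The following is an added example, not part of the original thread or of any Red Hat or Nessus tooling; the function name `stale_procs` and its optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: list processes still running an executable that has
# since been replaced or removed on disk.
# The optional first argument (proc root) is an assumption of this example
# so the function can also be run against a constructed directory tree.

stale_procs() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        # Kernel threads and other users' processes have no readable exe link.
        target="$(readlink "$dir/exe" 2>/dev/null)" || continue
        case "$target" in
            *" (deleted)")
                # The kernel appends " (deleted)" once the file the process
                # was started from has been unlinked, e.g. by a package
                # update that renames a new file over the old one.
                path="${target% (deleted)}"
                if [ -e "$path" ]; then
                    # A different file now sits at the same path.
                    printf '%s replaced %s\n' "$pid" "$path"
                else
                    # Nothing exists at the path any more.
                    printf '%s removed %s\n' "$pid" "$path"
                fi
                ;;
        esac
    done
}
```

Call `stale_procs` with no argument as root to scan the live /proc; each line of output is `PID status path`, and a `replaced` entry is a process that needs a restart before the next scan.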