rpm2cvescan

Original repo

• bigHosting/rpm2cvescan

rpm2cvescan is an RedHat/CentOS 5/6/7/8 rpm cve vulnerability scanner based on

• RedHat's RPM to CVE mapping: rpm-to-cve.xml
• RedHat's OVAL infor for RHEL5,6,7,8: com.redhat.rhsa-RHEL5.xml, com.redhat.rhsa-RHEL6.xml, com.redhat.rhsa-RHEL7.xml, com.redhat.rhsa-RHEL8.xml
• RedHat's RHSA to date mapping rhsamapcpe.txt
• RedHat's CVE 2 DATE cve_dates.txt

How does this work? Based on above files we can create a memory structure associated with an rpm. Each package entry will have an array of vulnerability attributes like cve, cve score, cve2rhsa.

We will get an inventory of the server by running a command that will list all installed packages: # /bin/rpm --nosignature --nodigest -qa --qf '%{N}-%{epochnum}:%{V}-%{R} %{N}\n'

Finally, we will loop through the memory structure and print info ( package name, cve ID and score) on screen. We also print the same information in csv format.

How to run the scanner:

• install package dependencies using:

  yum -y install perl-XML-Simple

• build rpmvercmp

  ./build-libs.sh

• download these files to be sure you have the latest revision:

  ./download.sh

• run the perl program:

  perl rpm2cvescan.pl

This tool will only report information about packages used by RedHat. If custom rpms are used, e.g. php 7.1 or httpd 2.4 , this tool is not capabale of detecting vulnerabilities simply because rpm-to-cve.xml has info on what's installed by default on your distro version, e.g. php 5.3 for EL6.

Output example:

=====  openssh-0:5.3p1-117.el6  =====
CVE-2015-6563                                               6.2
CVE-2015-6564                                               4.0
CVE-2015-5352                                               4.9
CVE-2016-1908                                               4.9

=====  openssh-clients-0:5.3p1-117.el6  =====
CVE-2015-6563                                               6.2
CVE-2015-6564                                               4.0
CVE-2015-5352                                               4.9
CVE-2016-1908                                               4.9

=====  sqlite-0:3.6.20-1.el6_7.2  =====
CVE-2015-3416                                               3.7
[...]

TOTAL_UNIQ_PACKAGES=876, AFFECTED_PACKAGES=67 CVEs=195 HIGHRISK=4

VULN,bind-libs-9.8.2-0.47.rc1.el6,CVE-2016-2776,5.0,RHSA-2016:2099 RHSA-2016:1945 RHSA-2016:1944,20160927,web203c0 VULN,bind-libs-9.8.2-0.47.rc1.el6,CVE-2016-2848,5.0,RHSA-2016:2099 RHSA-2016:2094 RHSA-2016:2093,20161020,web203c0 VULN,bind-libs-9.8.2-0.47.rc1.el6,CVE-2016-8864,5.0,RHSA-2016:2871 RHSA-2016:2615 RHSA-2016:2142 RHSA-2016:2141,20161101,web203c0 VULN,bind-libs-9.8.2-0.47.rc1.el6,CVE-2016-9147,0,RHSA-2017:0064 RHSA-2017:0063 RHSA-2017:0062,20170111,web203c0 VULN,bind-libs-9.8.2-0.47.rc1.el6,CVE-2017-3136,0,RHSA-2017:1105 RHSA-2017:1095,20170412,web203c0 VULN,bind-libs-9.8.2-0.47.rc1.el6,CVE-2017-3137,0,RHSA-2017:1105 RHSA-2017:1095,20170412,web203c0 [....]

TODO:

• sending rpm package list to a web API using JSON format:

  $ export PACKAGES=$(rpm -qa --queryformat='%{N}-%{epochnum}:%{V}-%{R}\n' | sed 's/^/"/; s/$/"/;' | tr '\n' ',' | sed 's/.$//') $ export JSON="{"os":"centos","package":[ ${PACKAGES} ],"version":"6"}" $ echo $JSON | /usr/bin/curl -sk -H "Accept: application/json" -X POST -d "@-" "https://my.web.api/v1/"

• creating the PHP API using Slim2 framework

• generating a unique URL for each server sending the data

• creating a web frontend to view each server's vuln data