-
-
Notifications
You must be signed in to change notification settings - Fork 219
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve "ISC DHCP" detection and CVE search #1155
Comments
As a first step we could include fresh identifiers for the dhcpd (server) to identify it in s09 via cpe: "isc:dhcpd:version"
For the server identification just
This will not solve the main issue but will allow us to improve the detection in this area a little bit. What do you think? |
Sounds like a fair solution to me. The vast majority of In practice, I see two cases:
Thank you for your prompt response so far (here and in other PR/Issues). It's nice to see a very-actively maintained project. |
Could you include the new identifiers in the config and provide the binaries for verification testing? |
In the meantime, here are the two binary files. Those are 32-bit ARM ELF. Running them with
|
sorry for the misunderstanding. S09 is the static analysis module for version detection. In comparison to that the modules s115 and s116 are doing dynamic analysis via qemu execution. Both are using the same config file. So, I would recommend to include the version identifiers into the config file and verify them afterwards with a default run of EMBA.
I think we need to deal with both of them.
is the EMBA s115 module able to get the help out of it?
|
after a quick static check we can implement the following rules: dhcpd -> multi_grep rule - see here 1st identifier:
2nd identifier (reflects the version)
This should then give the rules like the following - please take a look and verify/fix them (these are more blind guesses)
If the emulator also prints the version like the following
we can include the additional rules for the emulator:
Does this makes sense for you? |
I made a few tests (about one analysis per day, given the time it takes) and I'm getting results. I'll create a pull request when everything works. So far, I had to:
Then I had issues with F20. I noticed that the So, before I remove all
|
hmm ... we have identifiers in the format |
Indeed, F20 fails to retrieve CVEs for Oddly enough, F20 handles and remove vendor name in other cases, such as in its log for CVE search. In other words, looking at F20 log:
|
Thx for testing ... I need to check this. |
sorry for the delay and lack of intense tests. As I'm out of office I have just limited time ... Currently I'm just poking around and trying to reproduce the issue between long and short version identifier
The following should extract the version: emba/modules/F20_vul_aggregator.sh Line 621 in c590aee
looks good Next it extracts the name: emba/modules/F20_vul_aggregator.sh Line 623 in c590aee
looks also good If we grep for the long identifier here emba/modules/F20_vul_aggregator.sh Line 651 in c590aee
we have a vuln and log it. Otherwise we check for further criteria with the short name of binary which should be fine. |
I think I got it ... emba/modules/F20_vul_aggregator.sh Line 534 in c590aee
|
I think we are done for now. See you next time again :) |
Is your feature request related to a problem? Please describe.
There are missing CVE in results for ISC DHCP Client/Server, and this is in part related to a cpe naming issue in NVD data.
In NVD database cpe strings,
isc:dhcp_client
CVEs seems to apply a DHCP "client", whileisc:dhcpd
CVEs apply to the server component instead. However, in many CVEs the stringisc:dhcp
is used instead, for both client and server components.For example, CVE-2018-5732 applies to the client, while CVE-2018-5733 apply to the server part. Both use
cpe:2.3:a:isc:dhcp:*:...
among others. Only the textual description allows to discriminate.The choice of one or the other might be related to the CVE year, since only a single name is used per year. Of course, that might be a mere coincidence as well:
dhcp_client
dhcpd
dhcp
dhcpd
dhcp
Describe the solution you'd like
First, EMBA could detect "ISC DHCP Server" as well, just like the client currently is.
Second, given that NVD DB does not discriminate between "client" and "server" in using
isc:dhcp
, EMBA could somehow aggreate CVEs using:isc:dhcp_client
andisc_dhcp
for the clientisc:dhcpd
andisc_dhcp
for the serverThis will brings false positives in aggregated CVEs, but the NVD database does not allow to discriminate better. Right now, we have false negatives (missing CVEs) given that EMBA only search for
dhcp_client
.Describe alternatives you've considered
Changing the string replacements in
bin_version_strings.cfg
as in original PR #1150 before changes were reverted. The string replacement mechanism alone does not allow for the above solution.Priority issue
Are you already a Sponsor? N
Additional context
I had to analyze a firmware image that had both client and server DHCP binaries, and the identification string is straightforward. Version however is not detectable from S09 as it is not part of the identification string. S116 can detect it though. In my case, both were version 4.3.4 from 2016. EMBA would report
isc:dhcp_client
for the client, and not report the server at all. In both case, it misses the few CVEs that apply to that version:/sbin/dhclient
file:Internet Systems Consortium DHCP Client
/usr/sbin/dhcpd
file:Internet Systems Consortium DHCP Server
/sbin/dhclient
:Internet Systems Consortium DHCP Client 4.3.4
isc-dhclient-4.3.4
The text was updated successfully, but these errors were encountered: