Version string fixes for isc:dhcp and gnu:glibc #1150
Thank you for contributing a pull request!
Welcome to the EMBA firmware analysis community!
We are glad you are here and appreciate your contribution. Please keep in mind our contributing guidelines here and here.
Also, please check existing open issues and consider to open a discussion in the dedicated discussion area.
Additionally, we have collected a lot of details around EMBA, the installation and the usage of EMBA in our Wiki.
If you like EMBA you have the chance to support us by becoming a Sponsor or buying some beer here.
To show your love for EMBA with nice shirts or other merch you can check our Spreadshop.
This is an automatic message. Allow for time for the EMBA community to be able to read the pull request and comment on it.
Please revert the bin_version.strings.quick.cfg file. Other changes are looking good.
Thanks
config/bin_version_strings_quick.cfg
@@ -113,7 +113,7 @@ glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ \(GLIBC\)\ stable\ release\ version\ | |||
glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ stable\ release\ version\ [0-9](\.[0-9]+)+?,\ ";"sed -r 's/GNU\ C\ Library\ stable\ release\ version\ ([0-9](\.[0-9]+)+?),\ .*/gnu:glibc:\1/'"; | |||
glibc;;LGPL-2.1-or-later;"ldconfig\ \(GNU\ libc\)\ [0-9](\.[0-9]+)+?$";"sed -r 's/ldconfig\ \(GNU\ libc\)\ ([0-9](\.[0-9]+)+?)$/gnu:glibc:\1/'"; | |||
glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ development\ release\ version\ [0-9](\.[0-9]+)+?$";"sed -r 's/GNU\ C\ Library\ development\ release\ version\ ([0-9](\.[0-9]+)+?)$/gnu:glibc:\1/'"; | |||
glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ [0-9](\.[0-9]+)+?(\.)?$";"sed -r 's/GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ ([0-9](\.[0-9]+)+?)$/gnu:glibc:\1/'"; | |||
glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ [0-9](\.[0-9]+)+?(\.)?$";"sed -r 's/GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ ([0-9](\.[0-9]+)+?)(\.)?$/gnu:glibc:\1/'"; |
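Review bot: the sed search in the last line now ends in `([0-9](\.[0-9]+)+?)(\.)?$`, which brings it in line with the match pattern of the same rule, which already accepts an optional trailing period; with the old `([0-9](\.[0-9]+)+?)$` the match step fired on a banner ending in a period but the s/// part never matched, so the raw string passed through unchanged and ended up with a bad version format. As the maintainer notes below, this quick file is generated, so the fix belongs only in config/bin_version_strings.cfg.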
No need for updating this file. We generate it automatically.
Didn't notice it was generated. My bad. Changes are now reverted.
config/bin_version_strings.cfg
isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?)$/isc:dhcp_client:\1/'"; | ||
isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?-([ABPabp]|rc|RC)[0-3]$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?(-([ABPabp]|rc|RC)[0-3])?)$/isc:dhcp_client:\1/'"; | ||
isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?-ESV-R[0-9]$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?(-ESV-R[0-9])?)$/isc:dhcp_client:\1/'"; | ||
isc-dhclient;;ISC;"Internet\ Systems\ Consortium\ DHCP\ Client\ [0-9](\.[0-9]+)+?([a-z][0-9])?$";"sed -r 's/Internet\ Systems\ Consortium\ DHCP\ Client\ ([0-9](\.[0-9]+)+?([a-z][0-9])?)$/isc:dhcp:\1/'"; |
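Review bot: the last line now rewrites "Internet Systems Consortium DHCP Client X.Y.Z" to `isc:dhcp:\1`, while the three `isc-dhclient-...` rules above it still emit `isc:dhcp_client:\1`. A dhclient binary carries both kinds of strings (see the /sbin/dhclient strings quoted later in this thread), so one binary would be reported under two product names. Whichever product name is chosen, apply it to all four rules, or document why the two string families should map differently.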
I'm not 100% sure about this change. The search for dhcp_client reveals CVEs for the dhcp_client:
└─$ grep "cpe.*isc:dhcp_client:" external/nvd-json-data-feeds/* -r
external/nvd-json-data-feeds/CVE-1999/CVE-1999-08xx/CVE-1999-0808.json: "criteria": "cpe:2.3:a:isc:dhcp_client:1.0:*:*:*:*:*:*:*",
external/nvd-json-data-feeds/CVE-1999/CVE-1999-08xx/CVE-1999-0808.json: "criteria": "cpe:2.3:a:isc:dhcp_client:2.0:*:*:*:*:*:*:*",
external/nvd-json-data-feeds/CVE-2000/CVE-2000-05xx/CVE-2000-0585.json: "criteria": "cpe:2.3:a:isc:dhcp_client:2.0:*:*:*:*:*:*:*",
external/nvd-json-data-feeds/CVE-2000/CVE-2000-05xx/CVE-2000-0585.json: "criteria": "cpe:2.3:a:isc:dhcp_client:3.0b1:*:*:*:*:*:*:*",
If I search for "isc:dhcp" I get around 1000 issues but these are server related. E.g.: https://nvd.nist.gov/vuln/detail/CVE-2022-2929
Bottom line to start with: I reverted dhcp-related changes and created issue #1155 instead.
In detail, it seems that dhcp and dhcp_client are both correct and incorrect. Two things here: binaries I have and the naming scheme in the NVD database.
Binaries
In a firmware image I have those binaries and the strings they contain:
From /sbin/dhclient
Internet Systems Consortium DHCP Client
Copyright 2004-2016 Internet Systems Consortium
From /usr/sbin/dhcpd
Internet Systems Consortium DHCP Server
Copyright 2004-2016 Internet Systems Consortium
Both are version 4.3.4 from 2016. Neither is detected by S09 as the version does not follow in the string. Only the first one is detected by S116 (server strings are not in bin_versions_string) with strings
Internet Systems Consortium DHCP Client 4.3.4
isc-dhclient-4.3.4
NVD Naming Scheme
In NVD database, I see that CVE-2018-5732 applies to the client, while CVE-2018-5733 (and many others) apply to the server part. Both apply to version 4.3.4 among others.
Problem is, both of them are linked to isc:dhcp. Only the textual description allows to discriminate between client and server.
Then I just found that in NVD JSON files, version numbers in CVEs follow smoothly from 1999 through 2022, but with different product names:
- 1999-2000: dhcp_client
- 2002-2006: dhcpd
- 2009-2018: dhcp
- 2019: dhcpd
- 2021-2022: dhcp

The "unique name per year" might be a coincidence, but is problematic. While we can probably assume dhcpd and dhcp_client are for server and client respectively, dhcp is used for both.
At least, while there might be new CVEs in the future, there won't be new product versions, as per ISC web site:
ISC has announced the end of maintenance for ISC DHCP as of the end of 2022.
Resolution
It seems that a "version string" to "product:version" conversion is not enough to cope with this messed up case.
The glibc fix is definitely correct IMHO, but isc:dhcp is a mess on NVD. I reverted the dhcp-related changes and created issue #1155 instead.

Thank you for your contribution.
Fixes version mismatches

gnu:glibc can be matched with a string that sed fails to replace with gnu:glibc:version. Later on, in F20, glibc is ignored because of a "bad version format" and CVEs are not fetched.

ISC DHCP client binaries match the isc:dhcp_client product name. No CVEs are found, whatever the version, since the NVD database uses isc:dhcp for the client, not isc:dhcp_client.

Proper product:version is returned and corresponding CVEs are reported.

No breaking change.
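To make the two failure modes discussed in this PR concrete, here is an added example (not EMBA's code) that emulates the match-then-sed step in Python using the cfg patterns from the diffs above. The sample strings are constructed, and the shape F20 expects is assumed to be vendor:product:version.

```python
import re

# Emulate EMBA's two-step version detection: a grep -E style match followed
# by a sed 's/.../.../' rewrite. The cfg patterns are ERE; their "\ " escapes
# and "\1" back-references mean the same to Python's re, so they are used verbatim.

# Constructed sample strings, modelled on the ones quoted in the PR discussion.
# The trailing period on the glibc banner is the assumed trigger of the sed failure.
GLIBC_BANNER = "GNU C Library (GNU libc) stable release version 2.31."
DHCLIENT_STRINGS = ["Internet Systems Consortium DHCP Client 4.3.4", "isc-dhclient-4.3.4"]

# Rules as (match regex, sed search regex, sed replacement), copied from the diff.
OLD_GLIBC = (
    r"GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ [0-9](\.[0-9]+)+?(\.)?$",
    r"GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ ([0-9](\.[0-9]+)+?)$",
    r"gnu:glibc:\1",
)
NEW_GLIBC = (  # same match regex; the sed part now also consumes the optional "."
    OLD_GLIBC[0],
    r"GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ ([0-9](\.[0-9]+)+?)(\.)?$",
    r"gnu:glibc:\1",
)
DHCP_RULES = [  # the proposed (later reverted) mapping of the second rule to isc:dhcp
    (r"isc-dhclient-[0-9](\.[0-9]+)+?$",
     r"isc-dhclient-([0-9](\.[0-9]+)+?)$", r"isc:dhcp_client:\1"),
    (r"Internet\ Systems\ Consortium\ DHCP\ Client\ [0-9](\.[0-9]+)+?([a-z][0-9])?$",
     r"Internet\ Systems\ Consortium\ DHCP\ Client\ ([0-9](\.[0-9]+)+?([a-z][0-9])?)$",
     r"isc:dhcp:\1"),
]

def apply_rule(line, rule):
    """Return the rewritten line, or None when the grep step does not match."""
    match_re, sed_re, repl = rule
    if re.search(match_re, line) is None:
        return None
    # sed leaves the input unchanged when the s/// search part does not match
    return re.sub(sed_re, repl, line, count=1)

def is_vendor_product_version(value):
    """Assumed shape of the vendor:product:version string F20 expects."""
    return re.fullmatch(r"[a-z0-9_-]+:[a-z0-9_-]+:[0-9](\.[0-9]+)*", value) is not None

def detect(line, rules):
    """All vendor:product:version results a rule set yields for one string."""
    return sorted(r for r in (apply_rule(line, rule) for rule in rules) if r is not None)

if __name__ == "__main__":
    print(apply_rule(GLIBC_BANNER, OLD_GLIBC))  # raw banner passes through: bad version format
    print(apply_rule(GLIBC_BANNER, NEW_GLIBC))  # gnu:glibc:2.31
    for s in DHCLIENT_STRINGS:
        print(s, "->", detect(s, DHCP_RULES))   # one binary, two different product names
```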