Version string fixes for isc:dhcp and gnu:glibc #1150
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Thank you for contributing a pull request!
Welcome to the EMBA firmware analysis community!
We are glad you are here and appreciate your contribution. Please keep in mind our contributing guidelines here and here.
Also, please check existing open issues and consider to open a discussion in the dedicated discussion area.
Additionally, we have collected a lot of details around EMBA, the installation and the usage of EMBA in our Wiki.
If you like EMBA you have the chance to support us by becoming a Sponsor or buying some beer here.
To show your love for EMBA with nice shirts or other merch you can check our Spreadshop.
This is an automatic message. Allow for time for the EMBA community to be able to read the pull request and comment on it.
config/bin_version_strings_quick.cfg
Outdated
| @@ -113,7 +113,7 @@ glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ \(GLIBC\)\ stable\ release\ version\ | |||
| glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ stable\ release\ version\ [0-9](\.[0-9]+)+?,\ ";"sed -r 's/GNU\ C\ Library\ stable\ release\ version\ ([0-9](\.[0-9]+)+?),\ .*/gnu:glibc:\1/'"; | |||
| glibc;;LGPL-2.1-or-later;"ldconfig\ \(GNU\ libc\)\ [0-9](\.[0-9]+)+?$";"sed -r 's/ldconfig\ \(GNU\ libc\)\ ([0-9](\.[0-9]+)+?)$/gnu:glibc:\1/'"; | |||
| glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ development\ release\ version\ [0-9](\.[0-9]+)+?$";"sed -r 's/GNU\ C\ Library\ development\ release\ version\ ([0-9](\.[0-9]+)+?)$/gnu:glibc:\1/'"; | |||
| glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ [0-9](\.[0-9]+)+?(\.)?$";"sed -r 's/GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ ([0-9](\.[0-9]+)+?)$/gnu:glibc:\1/'"; | |||
| glibc;;LGPL-2.1-or-later;"GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ [0-9](\.[0-9]+)+?(\.)?$";"sed -r 's/GNU\ C\ Library\ \(.*\)\ stable\ release\ version\ ([0-9](\.[0-9]+)+?)(\.)?$/gnu:glibc:\1/'"; | |||
There was a problem hiding this comment.
no need for updating this file. We generate it automatically
There was a problem hiding this comment.
Didn't notice it was generated. My bad. Changes are now reverted.
config/bin_version_strings.cfg
Outdated
| isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?)$/isc:dhcp_client:\1/'"; | ||
| isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?-([ABPabp]|rc|RC)[0-3]$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?(-([ABPabp]|rc|RC)[0-3])?)$/isc:dhcp_client:\1/'"; | ||
| isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?-ESV-R[0-9]$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?(-ESV-R[0-9])?)$/isc:dhcp_client:\1/'"; | ||
| isc-dhclient;;ISC;"Internet\ Systems\ Consortium\ DHCP\ Client\ [0-9](\.[0-9]+)+?([a-z][0-9])?$";"sed -r 's/Internet\ Systems\ Consortium\ DHCP\ Client\ ([0-9](\.[0-9]+)+?([a-z][0-9])?)$/isc:dhcp:\1/'"; |
There was a problem hiding this comment.
I'm not 100% sure about this change. The search for dhcp_client reveals CVEs for the dhcp_client:
└─$ grep "cpe.*isc:dhcp_client:" external/nvd-json-data-feeds/* -r
external/nvd-json-data-feeds/CVE-1999/CVE-1999-08xx/CVE-1999-0808.json: "criteria": "cpe:2.3:a:isc:dhcp_client:1.0:*:*:*:*:*:*:*",
external/nvd-json-data-feeds/CVE-1999/CVE-1999-08xx/CVE-1999-0808.json: "criteria": "cpe:2.3:a:isc:dhcp_client:2.0:*:*:*:*:*:*:*",
external/nvd-json-data-feeds/CVE-2000/CVE-2000-05xx/CVE-2000-0585.json: "criteria": "cpe:2.3:a:isc:dhcp_client:2.0:*:*:*:*:*:*:*",
external/nvd-json-data-feeds/CVE-2000/CVE-2000-05xx/CVE-2000-0585.json: "criteria": "cpe:2.3:a:isc:dhcp_client:3.0b1:*:*:*:*:*:*:*",
If I search for "isc:dhcp" I get around 1000 issues but these are server related. E.g.: https://nvd.nist.gov/vuln/detail/CVE-2022-2929
There was a problem hiding this comment.
Bottom line to start with: I reverted dhcp-related changes and created issue #1155 instead.
In details, it seems that dhcp and dhcp_client are both correct and incorrect. Two things here: binaries I have and the naming scheme in NVD database.
Binaries
In a firmware image I have those binaries and the strings they contain:
From /sbin/dhclient
Internet Systems Consortium DHCP Client
Copyright 2004-2016 Internet Systems Consortium
From /usr/sbin/dhcpd
Internet Systems Consortium DHCP Server
Copyright 2004-2016 Internet Systems Consortium
Both are version 4.3.4 from 2016. Neither are detected by S09 as the version does not follow in the string. Only the first one is detected by S116 (server strings are not in bin_versions_string) with strings
Internet Systems Consortium DHCP Client 4.3.4isc-dhclient-4.3.4
NVD Naming Scheme
In NVD database, I see that CVE-2018-5732 applies to the client, while CVE-2018-5733 (and many others) apply to the server part. Both apply to version 4.3.4 among others.
Problem is, both of them are linked to isc:dhcp. Only the textual description allows to discriminate between client and server.
Then I just found that in NVD JSON files, version numbers in CVEs follow smoothly from 1999 through 2022, but with different product names:
- 1999-2000:
dhcp_client - 2002-2006:
dhcpd - 2009-2018:
dhcp - 2019:
dhcpd - 2021-2022:
dhcp
The "unique name per year" might be a coincidence, but is problematic. While we can probably assume dhcpd and dhcp_client are for server and client respectively, dhcp is used for both.
At least, while there might be new CVEs in the future, there won't be new product versions, as per ISC web site:
ISC has announced the end of maintenance for ISC DHCP as of the end of 2022.
Resolution
It seems that a "version string" to "product:version" conversion is not enough to cope with this messed up case.
glibc fix is definitely correct IMHO, but isc:dhcp is a mess on NVD. I reverted the dhcp-related changes and created issue #1155 instead.
|
Thank you for your contribution. |
Fixes version mismatches
gnu:glibccan be matched with a string thatsedfails to replace withgnu:glibc:version. Later on, in F20,glibcis ignored because of a "bad version format" and CVEs are not fetchedISC DHCP client binaries match
isc:dhcp_clientproduct name. No CVE are found, whatever the version, since the NVD database usesisc:dhcpfor the client, notisc:dhcp_clientProper product:version is returned and corresponding CVEs are reported
No breaking change