
Dhcp version strings and blacklist fix#1163

Merged
m-1-k-3 merged 5 commits into e-m-b-a:master from gluesmith2021:dhcp_strings_and_blacklist
May 25, 2024

Conversation


@gluesmith2021 gluesmith2021 commented May 22, 2024

  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

New feature and related fix

  • What is the current behavior? (You can also link to an open issue here)

    • See Issue Improve "ISC DHCP" detection and CVE search #1155
    • "Internet System Consortium DHCP Server" product is not detected
    • "Internet System Consortium DHCP Client" (isc:dhcp_client:version) is not properly handled by F20 that looks for isc:version instead of dhcp_client:version
    • S115 blacklists any substring from its list, not only full product names. For instance, it would blacklist a product named dhcp if the blacklist configuration contains udhcpd
  • What is the new behavior (if this is a feature change)? If possible add a screenshot.

    • Now detects "Internet System Consortium DHCP Server" product (isc:dhcp and isc:dhcpd)
    • isc:dhcp_client:* version string replaced with dhcp_client:* so that F20 can find CVEs
    • S115 fix in blacklist matching: match exact whole names only, not substrings. Without this fix, both server product names are blacklisted from emulation and may prevent detection.

Working example:

[*] Vulnerability details for dhcp / version 4.3.4 / source UEMU:

	BIN NAME            :   BIN VERS    :   CVE ID            :  CVSS VALUE : EPSS :   SOURCE         :   EXPLOIT
	dhcp                :   4.3.4       :  	CVE-2018-5732     :   7.5       :  NA  :   UEMU           :   No exploit available
	dhcp                :   4.3.4       :  	CVE-2022-2929     :   6.5       :  NA  :   UEMU           :   No exploit available
	dhcp                :   4.3.4       :  	CVE-2018-5733     :   7.5       :  NA  :   UEMU           :   No exploit available
	dhcp                :   4.3.4       :  	CVE-2017-3144     :   7.5       :  NA  :   UEMU           :   No exploit available

[+] Found 4 CVEs and 0 exploits (including POC's) in dhcp with version 4.3.4 (source UEMU).

dhcp is found and not blacklisted in S115. The blacklist still functions as intended. For example:

[*] Binary ./lib/systemd/systemd (533/673) not emulated - blacklist triggered

  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)

No

  • Other information:

isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?-ESV-R[0-9]$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?(-ESV-R[0-9])?)$/dhcp_client:\1/'";
isc-dhcpd;;ISC;"Internet\ Systems\ Consortium\ DHCP\ Server\ [0-9](\.[0-9]+)+?([a-z][0-9])?$";"sed -r 's/Internet\ Systems\ Consortium\ DHCP\ Server\ ([0-9](\.[0-9]+)+?([a-z][0-9])?)$/dhcp:\1/'";
isc-dhcpd;;ISC;"Internet\ Systems\ Consortium\ DHCP\ Server\ [0-9](\.[0-9]+)+?([a-z][0-9])?$";"sed -r 's/Internet\ Systems\ Consortium\ DHCP\ Server\ ([0-9](\.[0-9]+)+?([a-z][0-9])?)$/dhcpd:\1/'";
isc-dhcpd;;ISC;"isc-dhcpd-[0-9](\.[0-9]+)+?$";"sed -r 's/isc-dhcpd-([0-9](\.[0-9]+)+?)$/dhcp:\1/'";
Member

wondering on these rules as they do not fit the results on my strings output from your binary. They probably match the emulation output (s115) but not the static checks (s09). Why not use the multi-grep rule from here for static checking?

Member

btw. is this a public firmware you are using for testing? Can you provide a download link?

Author

@gluesmith2021 gluesmith2021 May 23, 2024

> wondering on these rules as they do not fit the results on my strings output from your binary. They probably match the emulation output (s115) but not the static checks (s09). Why not use the multi-grep rule from here for static checking?

Indeed, as far as the binaries attached to the issue are concerned, strings can only be found through emulation as static analysis won't find them as is in the binary.

There might be other builds of the same binaries in the wild that do include those whole strings for static checks. I don't know. But given that we don't have such samples for now, I could add no_static to the rules.

I'm not sure at all about multi_grep. There are other occurrences of version-like strings such as 1.1 and 9.10 in the dhcpd binary, and we don't want to match those as binary versions. There could be many others in another build of dhcpd. Requiring a three-number version would work in this particular case, but is prone to fail the same way in other builds (and would also fail on genuine two-number versions of dhcpd, if there are any).

That firmware is unfortunately not public. I also tried to create a mini-firmware version by keeping only a few generic binaries that could be shared (also because, as it stands now, even when excluding S13, S14 and S16 from sbom-default it still takes 9 hours on a 32-core system), but emulation would never run. Can't tell why.

I'll try with no_static and re-analyze before committing.

Member

ok, for static analysis it is fine and the dynamic strings are not much different from the already known ones. So, I think we are fine after adjusting.
"multi_grep" is currently only available in static mode. It is on the todo list for dynamic analysis, as well as combining multiple rules (no_static, multi_grep and further rules in the future).

isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?)$/isc:dhcp_client:\1/'";
isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?-([ABPabp]|rc|RC)[0-3]$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?(-([ABPabp]|rc|RC)[0-3])?)$/isc:dhcp_client:\1/'";
isc-dhclient;;ISC;"isc-dhclient-[0-9](\.[0-9]+)+?-ESV-R[0-9]$";"sed -r 's/isc-dhclient-([0-9](\.[0-9]+)+?(-ESV-R[0-9])?)$/isc:dhcp_client:\1/'";
isc-dhclient;;ISC;"Internet\ Systems\ Consortium\ DHCP\ Client\ [0-9](\.[0-9]+)+?([a-z][0-9])?$";"sed -r 's/Internet\ Systems\ Consortium\ DHCP\ Client\ ([0-9](\.[0-9]+)+?([a-z][0-9])?)$/dhcp_client:\1/'";
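Added here as an example (not EMBA's or the PR's own code) of what the rules above do: two of them, the "Internet Systems Consortium DHCP Server" rule from the PR description and the isc-dhclient ESV rule from the comment above, are applied to constructed strings output, including version-like lines of the "1.1" / "9.10" kind that the review says must not be taken as a product version. The rule names, and the assumption that EMBA evaluates a rule as grep -E -o followed by the sed command, are this example's own; the page's `\ ` escapes are written as plain spaces inside quoted strings.

```shell
#!/usr/bin/env bash
# Added example, not EMBA code. Rule names (dhcpd_long, dhclient_esv) are
# made up; the regex/sed bodies are taken from the rules in this PR.
declare -A RULE_REGEX RULE_SED
RULE_REGEX[dhcpd_long]='Internet Systems Consortium DHCP Server [0-9](\.[0-9]+)+?([a-z][0-9])?$'
RULE_SED[dhcpd_long]='s/Internet Systems Consortium DHCP Server ([0-9](\.[0-9]+)+?([a-z][0-9])?)$/dhcp:\1/'
RULE_REGEX[dhclient_esv]='isc-dhclient-[0-9](\.[0-9]+)+?-ESV-R[0-9]$'
RULE_SED[dhclient_esv]='s/isc-dhclient-([0-9](\.[0-9]+)+?(-ESV-R[0-9])?)$/isc:dhcp_client:\1/'

# Run every rule over one line of strings output. Print the product:version
# identifier produced by the first matching rule, or fail if none matches.
# (Assumption: grep -E -o on the regex, then the sed command on the match.)
identify_version() {
  local line="$1" key match
  for key in "${!RULE_REGEX[@]}"; do
    match=$(printf '%s\n' "${line}" | grep -a -o -E -e "${RULE_REGEX[${key}]}") || continue
    printf '%s\n' "${match}" | sed -r -e "${RULE_SED[${key}]}"
    return 0
  done
  return 1
}

# Constructed sample lines: two genuine banners plus two version-like strings
# that the anchored rules must leave alone.
SAMPLES=(
  'Internet Systems Consortium DHCP Server 4.3.4'
  'isc-dhclient-4.1-ESV-R4'
  'protocol version 1.1 requested'
  'bind 9.10 compatible'
)
for s in "${SAMPLES[@]}"; do
  printf '%-48s -> %s\n' "${s}" "$(identify_version "${s}" || echo 'no match')"
done
```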
Member

@m-1-k-3 m-1-k-3 May 23, 2024

with #1166 we should be able to add isc as the vendor to the sed commands of all these dhcp identifiers. Would you be interested in addressing this in your PR?

Author

@gluesmith2021 gluesmith2021 May 24, 2024

ok, adding isc: prefix back. #1166 makes it work properly (and is now required for this PR)

@m-1-k-3 m-1-k-3 added labels enhancement (New feature or request), cve-search (Some cve-search question/issue), EMBA on May 23, 2024
fi

if [[ "${BIN_BLACKLIST[*]}" == *"$(basename "${FULL_BIN_PATH}")"* ]]; then
if echo "${BIN_BLACKLIST[@]}" | grep -q -F -w "$(basename "${FULL_BIN_PATH}")"; then
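Review bot: the replacement line's `grep -q -F -w` stops `dhcp` from matching `udhcpd`, but `-w` only treats `[A-Za-z0-9_]` as word characters, so a basename still matches a blacklist entry that differs only by a `.` or `-` (for example `dhcp` against an entry `dhcp-old`); pass the pattern with `-e "$(basename "${FULL_BIN_PATH}")"` as well, so a basename beginning with `-` is not parsed as a grep option. If exact names are the intent, comparing against the space-padded join, `[[ " ${BIN_BLACKLIST[*]} " == *" $(basename "${FULL_BIN_PATH}") "* ]]`, or looping over the array elements avoids both issues without spawning echo and grep per binary.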
Member

I think we do not need the extra echo and grep here:

if [[ "${BIN_BLACKLIST[*]}" == *" $(basename "${FULL_BIN_PATH}") "* ]]; then

Does this fit your solution?

Author

@gluesmith2021 gluesmith2021 May 24, 2024

I don't know if it does. Does it work with the first and last item as well?

Sorry, I don't have time for any more testing. I just know that my proposed solution works. Feel free to implement whichever you like that works.
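Added here as an example (not EMBA's or the PR's own code) to put the three blacklist checks discussed above side by side on a constructed BIN_BLACKLIST: the old substring glob, the PR's grep -w version, and an exact-element glob that pads the joined array with spaces so the first and last entries are delimited too. The entry dhcp-old is made up only to show where grep -w's word boundaries still let a name through.

```shell
#!/usr/bin/env bash
# Added example, not EMBA code. BIN_BLACKLIST is a constructed list.
BIN_BLACKLIST=(udhcpd systemd dhcp-old busybox)

# Old S115 behaviour: glob substring match, so "dhcp" is caught by "udhcpd".
blacklisted_substring() {
  [[ "${BIN_BLACKLIST[*]}" == *"$1"* ]]
}

# This PR: whole-word match with grep -w. Word characters are [A-Za-z0-9_],
# so "." and "-" act as boundaries and the entry "dhcp-old" still matches "dhcp".
blacklisted_word() {
  printf '%s\n' "${BIN_BLACKLIST[*]}" | grep -q -F -w -e "$1"
}

# Exact element match: pad the joined list with a space on each side so that
# the first and last entries are also surrounded by spaces, then glob " name ".
blacklisted_exact() {
  [[ " ${BIN_BLACKLIST[*]} " == *" $1 "* ]]
}

# Returns yes/no so the checks can be lined up in one table.
check() {
  if "$1" "$2"; then echo yes; else echo no; fi
}

for bin in dhcp dhcpd systemd busybox; do
  printf '%-8s substring=%-3s word=%-3s exact=%s\n' "${bin}" \
    "$(check blacklisted_substring "${bin}")" \
    "$(check blacklisted_word "${bin}")" \
    "$(check blacklisted_exact "${bin}")"
done
```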

@m-1-k-3 m-1-k-3 merged commit 355ab04 into e-m-b-a:master May 25, 2024
@gluesmith2021 gluesmith2021 deleted the dhcp_strings_and_blacklist branch June 4, 2024 22:54