
feat(debian): validate running kernel version #1382

Merged
merged 2 commits into master from MaineK00n/check-running-kernel-version on Feb 11, 2022

Conversation

MaineK00n (Collaborator) commented Feb 6, 2022

What did you implement:

Fixes #846

If Debian is the scanning target, and docker is used, or if the correct kernel version cannot be obtained for some reason, it will output a warn log and will not detect OVAL or gost in the linux package.

Type of change

  • New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Using the Docker environment, I reproduced the case of an invalid kernel version.

// In the container to be scanned
root@a7226e85a420:~# uname -a
Linux a7226e85a420 5.13.0-28-generic #31~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 GNU/Linux

$ go run cmd/vuls/main.go scan
[Feb  7 06:05:09]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Feb  7 06:05:09]  INFO [localhost] Start scanning
[Feb  7 06:05:09]  INFO [localhost] config: /home/mainek00n/github/github.com/MaineK00n/vuls/config.toml
[Feb  7 06:05:09]  INFO [localhost] Validating config...
[Feb  7 06:05:09]  INFO [localhost] Detecting Server/Container OS... 
[Feb  7 06:05:09]  INFO [localhost] Detecting OS of servers... 
[Feb  7 06:05:09]  INFO [localhost] (1/1) Detected: vuls-target: debian 11.2
[Feb  7 06:05:09]  INFO [localhost] Detecting OS of containers... 
[Feb  7 06:05:09]  INFO [localhost] Checking Scan Modes... 
[Feb  7 06:05:09]  INFO [localhost] Detecting Platforms... 
[Feb  7 06:05:10]  INFO [localhost] (1/1) vuls-target is running on other
[Feb  7 06:05:10]  INFO [vuls-target] Scanning OS pkg in fast mode
[Feb  7 06:05:10]  WARN [vuls-target] kernel running version is invalid. skip kernel vulnerability detection. actual kernel version: Jan, err: upstream_version must start with digit

Scan Summary
================
vuls-target	debian11.2	319 installed

To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

$ go run cmd/vuls/main.go report
[Feb  7 06:22:57]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Feb  7 06:22:57]  INFO [localhost] Validating config...
[Feb  7 06:22:57]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/usr/share/vuls-data/cve.sqlite3
[Feb  7 06:22:57]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/home/mainek00n/github/github.com/MaineK00n/goval-dictionary/oval.sqlite3
[Feb  7 06:22:57]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/usr/share/vuls-data/gost.sqlite3
[Feb  7 06:22:57]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/usr/share/vuls-data/go-exploitdb.sqlite3
[Feb  7 06:22:57]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/usr/share/vuls-data/go-msfdb.sqlite3
[Feb  7 06:22:57]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/usr/share/vuls-data/go-kev.sqlite3
[Feb  7 06:22:57]  INFO [localhost] Loaded: /home/mainek00n/github/github.com/MaineK00n/vuls/results/2022-02-07T06:05:10+09:00
[Feb  7 06:22:57]  INFO [localhost] OVAL debian 11.2 found. defs: 0
[Feb  7 06:22:57]  INFO [localhost] Skip OVAL and Scan with gost alone.
[Feb  7 06:22:57]  INFO [localhost] vuls-target: 0 CVEs are detected with OVAL
[Feb  7 06:22:57]  WARN [localhost] Since the exact kernel version is not available, the vulnerability in the linux package is not detected.
[Feb  7 06:22:58]  INFO [localhost] vuls-target: 128 CVEs are detected with gost
[Feb  7 06:22:58]  INFO [localhost] vuls-target: 0 CVEs are detected with CPE
[Feb  7 06:22:58]  INFO [localhost] vuls-target: 2 PoC are detected
[Feb  7 06:22:58]  INFO [localhost] vuls-target: 0 exploits are detected
[Feb  7 06:22:58]  INFO [localhost] vuls-target: total 128 CVEs detected
[Feb  7 06:22:58]  INFO [localhost] vuls-target: 0 CVEs filtered by --confidence-over=80
vuls-target (debian11.2)
========================
Total: 128 (Critical:14 High:42 Medium:50 Low:12 ?:10)
0/128 Fixed, 31 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
319 installed

The master report shows that there are 203 cases, and about 75 of them may be false positives for vulnerabilities related to the linux package.

$ vuls report --refresh-cve
[Feb  7 06:23:40]  INFO [localhost] vuls-v0.19.2-build-20220128_200342_b4c23c1
[Feb  7 06:23:40]  INFO [localhost] Validating config...
[Feb  7 06:23:40]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/usr/share/vuls-data/cve.sqlite3
[Feb  7 06:23:40]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/home/mainek00n/github/github.com/MaineK00n/goval-dictionary/oval.sqlite3
[Feb  7 06:23:40]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/usr/share/vuls-data/gost.sqlite3
[Feb  7 06:23:40]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/usr/share/vuls-data/go-exploitdb.sqlite3
[Feb  7 06:23:40]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/usr/share/vuls-data/go-msfdb.sqlite3
[Feb  7 06:23:40]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/usr/share/vuls-data/go-kev.sqlite3
[Feb  7 06:23:40]  INFO [localhost] Loaded: /home/mainek00n/github/github.com/MaineK00n/vuls/results/2022-02-07T06:05:10+09:00
[Feb  7 06:23:40]  INFO [localhost] OVAL debian 11.2 found. defs: 0
[Feb  7 06:23:40]  INFO [localhost] Skip OVAL and Scan with gost alone.
[Feb  7 06:23:40]  INFO [localhost] vuls-target: 0 CVEs are detected with OVAL
[Feb  7 06:23:42]  INFO [localhost] vuls-target: 203 CVEs are detected with gost
[Feb  7 06:23:42]  INFO [localhost] vuls-target: 0 CVEs are detected with CPE
[Feb  7 06:23:42]  INFO [localhost] vuls-target: 3 PoC are detected
[Feb  7 06:23:42]  INFO [localhost] vuls-target: 0 exploits are detected
[Feb  7 06:23:42]  INFO [localhost] vuls-target: total 203 CVEs detected
[Feb  7 06:23:42]  INFO [localhost] vuls-target: 0 CVEs filtered by --confidence-over=80
vuls-target (debian11.2)
========================
Total: 203 (Critical:15 High:64 Medium:89 Low:16 ?:19)
0/203 Fixed, 34 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 3 alerts
319 installed

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference
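The failure mode the PR reproduces above (a Debian container reporting the host's Ubuntu kernel, so the extracted "version" is the token "Jan" and fails the "upstream_version must start with digit" check) can be shown end to end in a small program. The following is an added example written for this page, not Vuls' own code: it assumes the running kernel version is taken from a fixed field of `uname -a` output (the seventh field, which is where a Debian kernel prints its package version after the word "Debian" and which reproduces the "Jan" value from the PR's log on a foreign kernel), and it applies the Debian version syntax `[epoch:]upstream_version[-debian_revision]` as a minimal validator. The Debian `uname -a` sample is constructed; the Ubuntu-host sample is the one quoted in the PR. The hypothetical `checkRunningKernel` returns the warning text instead of logging it so that the decision can be asserted on.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Constructed sample: uname -a from a Debian 11 machine running the distro kernel.
const debianUname = "Linux deb11 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64 GNU/Linux"

// uname -a quoted in the PR: a Debian container whose host runs an Ubuntu kernel.
const ubuntuHostUname = "Linux a7226e85a420 5.13.0-28-generic #31~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 GNU/Linux"

// debianRunningKernelVersion picks the running kernel's package version out of
// uname -a output. On a Debian kernel the seventh field holds it ("Debian 5.10.92-1").
// The fixed field position is an assumption made for this example; it reproduces
// the "Jan" value seen in the PR's warning when the kernel is not Debian's.
func debianRunningKernelVersion(uname string) (string, error) {
	fields := strings.Fields(uname)
	if len(fields) < 7 {
		return "", errors.New("unexpected uname -a output")
	}
	return fields[6], nil
}

// validateDebianVersion applies the Debian version syntax
// [epoch:]upstream_version[-debian_revision]; upstream_version must start with a digit.
func validateDebianVersion(v string) error {
	if i := strings.Index(v, ":"); i >= 0 {
		epoch := v[:i]
		if epoch == "" {
			return errors.New("epoch must be a number")
		}
		for _, r := range epoch {
			if !unicode.IsDigit(r) {
				return errors.New("epoch must be a number")
			}
		}
		v = v[i+1:]
	}
	upstream := v
	if i := strings.LastIndex(v, "-"); i >= 0 {
		upstream = v[:i]
		if v[i+1:] == "" {
			return errors.New("debian_revision must not be empty")
		}
	}
	if upstream == "" || !unicode.IsDigit(rune(upstream[0])) {
		return errors.New("upstream_version must start with digit")
	}
	for _, r := range upstream {
		if !(unicode.IsLetter(r) || unicode.IsDigit(r) || strings.ContainsRune(".+-~", r)) {
			return fmt.Errorf("upstream_version contains invalid character %q", r)
		}
	}
	return nil
}

// KernelCheck is the outcome of the decision the PR describes: a valid version
// can feed the linux package vulnerability match, an invalid one is skipped with a warning.
type KernelCheck struct {
	Version string
	Valid   bool
	Warning string
}

// checkRunningKernel is a hypothetical helper that combines extraction and validation.
func checkRunningKernel(uname string) KernelCheck {
	v, err := debianRunningKernelVersion(uname)
	if err == nil {
		err = validateDebianVersion(v)
	}
	if err != nil {
		return KernelCheck{Version: v, Valid: false,
			Warning: fmt.Sprintf("kernel running version is invalid. skip kernel vulnerability detection. actual kernel version: %s, err: %v", v, err)}
	}
	return KernelCheck{Version: v, Valid: true}
}

func main() {
	for _, u := range []string{debianUname, ubuntuHostUname} {
		c := checkRunningKernel(u)
		if c.Valid {
			fmt.Println("running kernel version:", c.Version)
		} else {
			fmt.Println("WARN", c.Warning)
		}
	}
}
```

Running it prints the Debian sample's version "5.10.92-1" as valid and, for the Ubuntu-host sample, the same warning text the PR's scan log shows. The point of skipping rather than matching on a bad value is that a version such as "Jan" compared against Debian's kernel advisories would produce the roughly 75 false positives the PR description mentions for the linux package.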

@MaineK00n MaineK00n self-assigned this Feb 6, 2022
@MaineK00n MaineK00n marked this pull request as draft February 6, 2022 21:19
@MaineK00n MaineK00n force-pushed the MaineK00n/check-running-kernel-version branch from 5683764 to a992e19 Compare February 6, 2022 21:22
@MaineK00n MaineK00n marked this pull request as ready for review February 6, 2022 21:28
@kotakanbe kotakanbe self-requested a review February 11, 2022 03:36
kotakanbe (Member) left a comment:

LGTM

@kotakanbe kotakanbe merged commit fe8d252 into master Feb 11, 2022
@kotakanbe kotakanbe deleted the MaineK00n/check-running-kernel-version branch February 11, 2022 03:36

Successfully merging this pull request may close these issues.

What is the utility of the X-Vuls-Kernel-Version header when debian?