update CVE reference in where modules report_vuln #8518
Conversation
| @@ -21,6 +21,7 @@ def initialize(info = {}) | |||
| 'License' => MSF_LICENSE, | |||
| 'References' => | |||
| [ | |||
| ['CVE', 'CVE-2016-10073'], # validate, an instance of a described attack approach from the original reference | |||
There was a problem hiding this comment.
['CVE', '2016-10073'], # validate, an instance of a described attack approach from the original reference
remove CVE-, this will also fix travis
There was a problem hiding this comment.
Will do thanks.
| @@ -20,6 +20,7 @@ def initialize | |||
| 'License' => MSF_LICENSE, | |||
| 'References' => | |||
| [ | |||
| ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb | |||
There was a problem hiding this comment.
The vulnerability and abuse/exploitation is definitely similar, but this is not the same protocol, so IMO referencing this CVE here will cause more problems than it solves. What am I missing here?
|
I'm not sure I agree with using CVE-2013-5211 as a reference for all of the UDP-amplification related modules. Yes, the CVSS would likely be the same, and maybe by following this CVE reference users might get additional information that is truly relevant to the module in question, however I wonder if this will cause more problems than it solves. I'd be OK with using CVE-2013-5211 for all of the NTP module as a compromise, but CVE-2013-5211 as written is for two very specific and similar vulnerabilities in NTP. These other modules are for other similar issues. If a CVE for generic UDP amplification issues existed, we should use that. Perhaps one way to look at this is what are the pros/cons of reusing this CVE. On one hand, users will get more information, but on the other, used incorrectly this additional information may lead users astray. |
|
The references are used for correlation of modules to vulns associated to them and in framework are not always specific, currently attempted interactions are only reported when a CVE is associated and the module is in the exploit tree. This is a first phase to prepare for expanding attempts to be reported in scanner and auxiliary modules. The CVE filter may be lifted but for now peeling the issues into layers. From an offensive perspective a reference gives possible approach to consider and is not necessarily a direct mapping. In framework references are often used to search for a module that may work for an approach but no guarantees are made, the idea here is to reference a CVE that arose from the attack vector to provide ideas on how to approach gaining further access. I am following that logic here and using references as a hint to possible usage of the reported finding (vuln). Possible misinterpretation of the information is there, I think it is out weighed by the value of reference to a known instance of the attack vector. |
|
Thanks, @jmartin-r7. That background helps. |
Release NotesWhere appropriate, scanner modules have been updated to include more CVE references. You can use these references to correlate a module to a vulnerability, which provides a jumping off point for your approach to gaining further access. |
Update references to include CVE where one can be associated when report_vuln is used.
Verification
List the steps needed to make sure this thing works
msfconsole