Linux Vulnerability Audit with Vulners.com
Vulners was conceived as a search engine for Security Content: vulnerabilities, security bulletins, exploits, detection plugins and other useful information. But we thought: if we already have parsed security bulletins for the main Linux distributions, why don't we make a service that will take data about the system and return a list of vulnerabilities in the output. Also, as usual vulnerability scanners do, only faster and for free.
Where do we get information about Linux vulnerabilities? To do this, we parse newsletter vendors. Let us show the parsing procedure using the example of the Debian DSA-3638 security bulletin.
Initial information on the vendor page:
')
https://security-tracker.debian.org/tracker/DSA-3638-1
We see that the source curl package on the jessie version operating system is vulnerable and the vulnerability is fixed in the version 7.38.0-4 + deb8u4 package. But this information is not enough to correctly identify the vulnerability. curl in this case is a source package, that is, binary packages are built on its basis. Therefore, you need to find all binary packages compiled from the curl package:
packages.debian.org/source/jessie/curl
As a result, we believe that there is a vulnerability for all the listed packages of the version less than 7.38.0-4 + deb8u4
https://vulners.com/api/v3/search/id?id=DSA-3638
How does the audit work? First we need to collect and send information about packages and OS to the server. The OS version is contained in the / etc / os-release, / etc / centos-release files and other files specific to one or another operating system. As a source of information about installed packages for rpm-based systems, the standard rpm -qa command is sufficient. In the case of a deb-based system, the command output is more complicated - dpkg-query -W -f = '$ {Package} $ {Version} $ {Architecture} \ n'
In response, the server will return us information about the found vulnerabilities. Calculation occurs very quickly. We handle 750 packages for 160ms! You might think that some kind of magic happens on the server. But this is not the case; everything is actually very simple and this is how I work almost all vulnerability scanners.
Consider the package - curl 7.38.0-4 + deb8u3 amd64 for Debian Linux. The package name is curl. We search the system for all the bulletins that contain this package among the list of vulnerable packages. After all such bulletins are found, you need to go through each of them and check whether at least one of the conditions listed in the affectedPackage field is met. Take for example the DSA-3638 package:
It states that a vulnerability occurs if:
- Operating System - Debian GNU / Linux ("OS": "Debian GNU / Linux")
- The version of this operating system is 8 (“OSVersion”: “8”)
- Installed a package named libcurl3-nss ("packageName": "libcurl3-nss")
- Vulnerable package architecture - any
- And the version of this package is less than 7.38.0-4 + deb8u4 ("operator": "lt" and "packageVersion": "7.38.0-4 + deb8u4")
If all conditions are met - the package is subject to this vulnerability DSA-3638. For each package in the system we check all the conditions from the bulletins and get a list of vulnerabilities for the system. As you can see, there is no difficulty or magic in this.
It is important to note that in no case can versions be compared as numbers or strings. For each system (debian, redhat, solaris) the version structure is different. And the mechanics of their comparison differs accordingly. In order to ensure the accuracy of the scan, it is necessary to implement a version comparison exactly according to the same algorithm as it is made in the operating system itself. Fortunately, there is no secret in this, there are ready-made examples of comparison functions for the same debian .
Today we are ready to offer you a web interface with which you can check your server for vulnerabilities, a full-fledged API for automation and a PoC agent for our future cloud-based vulnerability management solution. The following Linux distributions are supported: RedHat, CentOS, Fedora, Oracle Linux, Ubuntu, Debian.
The graphical interface is available on the Audit tab .
Vulnerabilities found:
Similarly, you can work through the Audit API. Specify the list of installed packages and the OS version, and in response you will receive a list of vulnerabilities and a description of why we believe that there is a vulnerability. You can compare the results with the results of your scanner and ask your vendor to explain the discrepancies. Well, or kick us, that we have somewhere messed up ;-)
And finally, an agent for the future cloud solution for managing vulnerabilities. We stand for the transparency of the work of all components, therefore the agent has made the agent fully functional. It not only collects data from the system and sends it to the Vulners server for analysis and display, but also receives calculated lists of vulnerabilities from the server and displays them in the console. Agent solution was not chosen randomly. It gives the most rapid and reliable result if you once solve problems with automatic casting agents. No need to create any accounts, open network accesses for scanners and figure out, calculate the parameters, and the time when the scan will not clog the channel and so on. Currently, this is just a python script, but in the future there will be a complete package for the system.
As you can see, the analysis of Linux security can be done more efficiently and faster and without expensive vulnerability scanners. We certainly recommend Vulners. But if you do not want to send anything to our server, for example, you are worried about privacy, you can implement this functionality yourself. This is not difficult to do. You will be able to implement the comparison function, download the full set of data on the operating system from us, for example, the set for CentOS , and process your data as we showed above. How to do the data collection, you can see in the source code of our agent. Our agent is open and we would be happy to share it with you! Pull requests welcome! We are waiting for suggestions and wishes!
Where do we get information about Linux vulnerabilities? To do this, we parse newsletter vendors. Let us show the parsing procedure using the example of the Debian DSA-3638 security bulletin.
Initial information on the vendor page:
')
https://security-tracker.debian.org/tracker/DSA-3638-1
We see that the source curl package on the jessie version operating system is vulnerable and the vulnerability is fixed in the version 7.38.0-4 + deb8u4 package. But this information is not enough to correctly identify the vulnerability. curl in this case is a source package, that is, binary packages are built on its basis. Therefore, you need to find all binary packages compiled from the curl package:
packages.debian.org/source/jessie/curl
As a result, we believe that there is a vulnerability for all the listed packages of the version less than 7.38.0-4 + deb8u4
https://vulners.com/api/v3/search/id?id=DSA-3638
{ "result": "OK", "data": { "documents": { "DSA-3638": { "objectVersion": "1.0", "modified": "2016-08-03T00:00:00", "affectedPackage": [ { "packageName": "libcurl3-nss", "packageVersion": "7.38.0-4+deb8u4", "packageFilename": "libcurl3-nss_7.38.0-4+deb8u4_all.deb", "arch": "all", "operator": "lt", "OSVersion": "8", "OS": "Debian GNU/Linux" }, { "packageName": "curl", "packageVersion": "7.38.0-4+deb8u4", "packageFilename": "curl_7.38.0-4+deb8u4_all.deb", "arch": "all", "operator": "lt", "OSVersion": "8", "OS": "Debian GNU/Linux" ... How does the audit work? First we need to collect and send information about packages and OS to the server. The OS version is contained in the / etc / os-release, / etc / centos-release files and other files specific to one or another operating system. As a source of information about installed packages for rpm-based systems, the standard rpm -qa command is sufficient. In the case of a deb-based system, the command output is more complicated - dpkg-query -W -f = '$ {Package} $ {Version} $ {Architecture} \ n'
In response, the server will return us information about the found vulnerabilities. Calculation occurs very quickly. We handle 750 packages for 160ms! You might think that some kind of magic happens on the server. But this is not the case; everything is actually very simple and this is how I work almost all vulnerability scanners.
Consider the package - curl 7.38.0-4 + deb8u3 amd64 for Debian Linux. The package name is curl. We search the system for all the bulletins that contain this package among the list of vulnerable packages. After all such bulletins are found, you need to go through each of them and check whether at least one of the conditions listed in the affectedPackage field is met. Take for example the DSA-3638 package:
{ "OS": "Debian GNU/Linux", "operator": "lt", "packageFilename": "libcurl3-nss_7.38.0-4+deb8u4_all.deb", "OSVersion": "8", "packageVersion": "7.38.0-4+deb8u4", "packageName": "libcurl3-nss", "arch": "all" }
It states that a vulnerability occurs if:
- Operating System - Debian GNU / Linux ("OS": "Debian GNU / Linux")
- The version of this operating system is 8 (“OSVersion”: “8”)
- Installed a package named libcurl3-nss ("packageName": "libcurl3-nss")
- Vulnerable package architecture - any
- And the version of this package is less than 7.38.0-4 + deb8u4 ("operator": "lt" and "packageVersion": "7.38.0-4 + deb8u4")
If all conditions are met - the package is subject to this vulnerability DSA-3638. For each package in the system we check all the conditions from the bulletins and get a list of vulnerabilities for the system. As you can see, there is no difficulty or magic in this.
It is important to note that in no case can versions be compared as numbers or strings. For each system (debian, redhat, solaris) the version structure is different. And the mechanics of their comparison differs accordingly. In order to ensure the accuracy of the scan, it is necessary to implement a version comparison exactly according to the same algorithm as it is made in the operating system itself. Fortunately, there is no secret in this, there are ready-made examples of comparison functions for the same debian .
Today we are ready to offer you a web interface with which you can check your server for vulnerabilities, a full-fledged API for automation and a PoC agent for our future cloud-based vulnerability management solution. The following Linux distributions are supported: RedHat, CentOS, Fedora, Oracle Linux, Ubuntu, Debian.
The graphical interface is available on the Audit tab .
Vulnerabilities found:
Similarly, you can work through the Audit API. Specify the list of installed packages and the OS version, and in response you will receive a list of vulnerabilities and a description of why we believe that there is a vulnerability. You can compare the results with the results of your scanner and ask your vendor to explain the discrepancies. Well, or kick us, that we have somewhere messed up ;-)
curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64", "samba-common-4.2.3-11.el7_2.noarch", "gnu-free-fonts-common-20120503-8.el7.noarch", "libreport-centos-2.1.11-32.el7.centos.x86_64", "libacl-2.2.51-12.el7.x86_64", "sos-3.2-35.el7.centos.noarch" ],"version":"7"}' https://vulners.com/api/v3/audit/audit/ { "result": "OK", "data": { "reasons": [ { "providedPackage": "sos-3.2-35.el7.centos.noarch", "operator": "lt", "bulletinID": "CESA-2016:0188", "providedVersion": "0:3.2-35.el7.centos", "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm", "bulletinVersion": "3.2-35.el7.centos.3", "package": "sos-3.2-35.el7.centos.noarch" }, { "providedPackage": "pcre-8.32-15.el7.x86_64", "operator": "lt", "bulletinID": "CESA-2016:1025", "providedVersion": "0:8.32-15.el7", "bulletinPackage": "pcre-8.32-15.el7_2.1.x86_64.rpm", "bulletinVersion": "8.32-15.el7_2.1", "package": "pcre-8.32-15.el7.x86_64" }, { "providedPackage": "samba-common-4.2.3-11.el7_2.noarch", "operator": "lt", "bulletinID": "CESA-2016:1486", "providedVersion": "0:4.2.3-11.el7_2", "bulletinPackage": "samba-common-4.2.10-7.el7_2.noarch.rpm", "bulletinVersion": "4.2.10-7.el7_2", "package": "samba-common-4.2.3-11.el7_2.noarch" }, { "providedPackage": "samba-common-4.2.3-11.el7_2.noarch", "operator": "lt", "bulletinID": "CESA-2016:0612", "providedVersion": "0:4.2.3-11.el7_2", "bulletinPackage": "samba-common-4.2.10-6.el7_2.noarch.rpm", "bulletinVersion": "4.2.10-6.el7_2", "package": "samba-common-4.2.3-11.el7_2.noarch" }, { "providedPackage": "samba-common-4.2.3-11.el7_2.noarch", "operator": "lt", "bulletinID": "CESA-2016:0448", "providedVersion": "0:4.2.3-11.el7_2", "bulletinPackage": "samba-common-4.2.3-12.el7_2.noarch.rpm", "bulletinVersion": "4.2.3-12.el7_2", "package": "samba-common-4.2.3-11.el7_2.noarch" } ], "vulnerabilities": [ "CESA-2016:1486", "CESA-2016:1025", "CESA-2016:0448", "CESA-2016:0612", "CESA-2016:0188" ], "cvelist": [ "CVE-2015-5370", "CVE-2015-7560", "CVE-2016-2119", "CVE-2016-2118", "CVE-2015-7529", "CVE-2016-2112", "CVE-2016-2113", "CVE-2016-3191", "CVE-2015-8386", "CVE-2015-8388", "CVE-2015-8385", "CVE-2016-2110", "CVE-2015-5073", "CVE-2015-8391", "CVE-2015-2328", "CVE-2016-2115", "CVE-2015-3217", "CVE-2016-2114", "CVE-2016-2111" ], "cvss": { "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:COMPLETE/", "score": 9.0 }, "packages": { "pcre-8.32-15.el7.x86_64": { "CESA-2016:1025": [ { "providedPackage": "pcre-8.32-15.el7.x86_64", "operator": "lt", "bulletinID": "CESA-2016:1025", "providedVersion": "0:8.32-15.el7", "bulletinPackage": "pcre-8.32-15.el7_2.1.x86_64.rpm", "bulletinVersion": "8.32-15.el7_2.1", "package": "pcre-8.32-15.el7.x86_64" } ] }, "sos-3.2-35.el7.centos.noarch": { "CESA-2016:0188": [ { "providedPackage": "sos-3.2-35.el7.centos.noarch", "operator": "lt", "bulletinID": "CESA-2016:0188", "providedVersion": "0:3.2-35.el7.centos", "bulletinPackage": "sos-3.2-35.el7.centos.3.noarch.rpm", "bulletinVersion": "3.2-35.el7.centos.3", "package": "sos-3.2-35.el7.centos.noarch" } ] }, "samba-common-4.2.3-11.el7_2.noarch": { "CESA-2016:1486": [ { "providedPackage": "samba-common-4.2.3-11.el7_2.noarch", "operator": "lt", "bulletinID": "CESA-2016:1486", "providedVersion": "0:4.2.3-11.el7_2", "bulletinPackage": "samba-common-4.2.10-7.el7_2.noarch.rpm", "bulletinVersion": "4.2.10-7.el7_2", "package": "samba-common-4.2.3-11.el7_2.noarch" } ], "CESA-2016:0448": [ { "providedPackage": "samba-common-4.2.3-11.el7_2.noarch", "operator": "lt", "bulletinID": "CESA-2016:0448", "providedVersion": "0:4.2.3-11.el7_2", "bulletinPackage": "samba-common-4.2.3-12.el7_2.noarch.rpm", "bulletinVersion": "4.2.3-12.el7_2", "package": "samba-common-4.2.3-11.el7_2.noarch" } ], "CESA-2016:0612": [ { "providedPackage": "samba-common-4.2.3-11.el7_2.noarch", "operator": "lt", "bulletinID": "CESA-2016:0612", "providedVersion": "0:4.2.3-11.el7_2", "bulletinPackage": "samba-common-4.2.10-6.el7_2.noarch.rpm", "bulletinVersion": "4.2.10-6.el7_2", "package": "samba-common-4.2.3-11.el7_2.noarch" } ] } } }
And finally, an agent for the future cloud solution for managing vulnerabilities. We stand for the transparency of the work of all components, therefore the agent has made the agent fully functional. It not only collects data from the system and sends it to the Vulners server for analysis and display, but also receives calculated lists of vulnerabilities from the server and displays them in the console. Agent solution was not chosen randomly. It gives the most rapid and reliable result if you once solve problems with automatic casting agents. No need to create any accounts, open network accesses for scanners and figure out, calculate the parameters, and the time when the scan will not clog the channel and so on. Currently, this is just a python script, but in the future there will be a complete package for the system.
$ git clone https://github.com/videns/vulners-scanner $ cd vulners-scanner $ ./linuxScanner.py _ __ ___ _| |_ __ ___ _ __ ___ \ \ / / | | | | '_ \ / _ \ '__/ __| \ V /| |_| | | | | | __/ | \__ \ \_/ \__,_|_|_| |_|\___|_| |___/ ========================================== Host info - Host machine OS Name - centos, OS Version - 7 Total found packages: 1026 Vulnerable packages: krb5-libs-1.13.2-10.el7.x86_64 CESA-2016:0532 - 'Moderate krb5 Security Update', cvss.score - 6.8 openssh-server-6.6.1p1-23.el7_2.x86_64 CESA-2016:0465 - 'Moderate openssh Security Update', cvss.score - 7.7 libtdb-1.3.6-2.el7.x86_64 CESA-2016:0612 - 'Critical ipa Security Update', cvss.score - 0.0 kernel-tools-3.10.0-327.4.5.el7.x86_64 CESA-2016:1033 - 'Important kernel Security Update', cvss.score - 0.0 CESA-2016:1633 - 'Important kernel Security Update', cvss.score - 4.3 CESA-2016:0185 - 'Important kernel Security Update', cvss.score - 7.2 CESA-2016:1539 - 'Important kernel Security Update', cvss.score - 7.2 CESA-2016:1277 - 'Important kernel Security Update', cvss.score - 7.2 openssl-libs-1.0.1e-51.el7_2.2.x86_64 CESA-2016:0301 - 'Important openssl Security Update', cvss.score - 0.0 CESA-2016:0722 - 'Important openssl Security Update', cvss.score - 10.0 nss-softokn-3.16.2.3-13.el7_1.x86_64 CESA-2016:0685 - 'Moderate nss-softokn Security Update', cvss.score - 6.8 ...
As you can see, the analysis of Linux security can be done more efficiently and faster and without expensive vulnerability scanners. We certainly recommend Vulners. But if you do not want to send anything to our server, for example, you are worried about privacy, you can implement this functionality yourself. This is not difficult to do. You will be able to implement the comparison function, download the full set of data on the operating system from us, for example, the set for CentOS , and process your data as we showed above. How to do the data collection, you can see in the source code of our agent. Our agent is open and we would be happy to share it with you! Pull requests welcome! We are waiting for suggestions and wishes!
Source: https://habr.com/ru/post/308236/
All Articles