Secure-Compliance-Solutions-LLC / GVM-Docker

Greenbone Vulnerability Management Docker Image with OpenVAS
https://securecompliance.gitbook.io/projects/
MIT License

[Enhancement] Log4Shell Scan #325

Closed zimbres closed 10 months ago

zimbres commented 2 years ago

Is your feature request related to a problem? Please describe. The option of Log4Shell scan is sending a command to the target machine that points to the Container IP, so this way it's an invalid IP in the network.

Describe the solution you'd like An explanation of how to correctly use it.

Describe alternatives you've considered Some ENV variables to tell the container the IP and port to be used.

Additional context Besides, it looks like the port is random; in this case, if the port is not mapped to the Container, it is not going to work either. "${jndi:ldap://172.19.0.2:11812/a}"

Dexus commented 2 years ago

You need to allow the docker run on the host network.

As the /2021/apache/gb_log4j_CVE-2021-44228_udp_active.nasl feed file shows:

# Copyright (C) 2021 Greenbone Networks GmbH
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
...
ownip = this_host();          # scanner's own IP: inside a bridged container this is the container IP
targetip = get_host_ip();     # IP of the scan target
rnd_port = rand() % 65535;    # random callback port, not configurable
payload = "${jndi:ldap://" + ownip + ":" + rnd_port + "/a}";

# only a TCP packet from the target to ownip:rnd_port counts as a hit
filter = string( "tcp and dst port ", rnd_port, " and src host ", targetip, " and dst host ", ownip );
res = send_capture( socket:soc, data:payload + '\r\n', timeout:5, pcap_filter:filter );

We are not able to limit the ports here; the only possible option is to run on an own IP with all ports open, or you have to run with host network.

Dexus commented 2 years ago

macvlan would also help here.

Dexus commented 2 years ago
  1. your container needs an FQDN (hostname and domainname)
  2. you need to use the network mode host, ipvlan or macvlan
  3. if you don't do the 2 points above, your openvas creates some errors like "could not get bpf" and will not scan correctly. Also you will never receive any incoming tcp/udp dumps, which the log4j scanner will create to match the vulnerability of the network service.

If you need future support, check out the up-to-date https://github.com/DeineAgenturUG/greenbone-gvm-openvas-for-docker Best regards, Josef
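A small preflight check that applies the three requirements from the thread (FQDN set; host, ipvlan or macvlan networking) to the JSON that `docker inspect <container>` and `docker network inspect <network>` print, so a bridged container like the 172.19.0.2 one in the report is flagged before a scan is started. This is an added example, not code from the GVM-Docker project or from anyone in the thread; the field names are the ones Docker emits, the sample values are constructed.

```python
# Preflight check for running the OpenVAS Log4Shell active check inside Docker.
# Added example, not code from the GVM-Docker project or the issue thread. It applies
# the three requirements from the thread (FQDN set; host, ipvlan or macvlan network
# mode) to the JSON that `docker inspect <container>` and `docker network inspect`
# print. The field names below are the ones Docker emits; the values are constructed.

# Network modes in which the container owns an address the scan target can route to,
# so the callback on the random port chosen by the NASL check can arrive.
REACHABLE_DRIVERS = {"host", "ipvlan", "macvlan"}


def network_driver(network_mode, networks_by_name):
    """Map HostConfig.NetworkMode to a driver name ('host' is a mode, not a network)."""
    if network_mode == "host":
        return "host"
    if network_mode in ("default", "bridge"):
        return "bridge"
    # User-defined network: look up its driver from `docker network inspect` output.
    net = networks_by_name.get(network_mode)
    return net["Driver"] if net else "unknown"


def log4shell_preflight(container, networks_by_name):
    """Return a list of problems; an empty list means the check can work."""
    problems = []
    cfg = container["Config"]
    if not cfg.get("Hostname") or not cfg.get("Domainname"):
        problems.append("no FQDN: start the container with --hostname and --domainname")
    driver = network_driver(container["HostConfig"]["NetworkMode"], networks_by_name)
    if driver not in REACHABLE_DRIVERS:
        problems.append(f"network driver {driver!r}: the target cannot reach the "
                        "container IP; use host, ipvlan or macvlan networking")
    return problems


# Constructed sample: a default-bridge container, the situation in the issue report.
BRIDGE_CONTAINER = {
    "Config": {"Hostname": "a1b2c3d4e5f6", "Domainname": ""},
    "HostConfig": {"NetworkMode": "default"},
}
# Constructed sample of `docker network inspect` results keyed by network name.
NETWORKS = {"scan_lan": {"Driver": "macvlan"}}

if __name__ == "__main__":
    for problem in log4shell_preflight(BRIDGE_CONTAINER, NETWORKS):
        print("PROBLEM:", problem)
```

Feed it the real output of `docker inspect` (a one-element list; take element 0) and the drivers from `docker network inspect` for each user-defined network to run it against a live container.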