What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
New feature and related fix
What is the current behavior? (You can also link to an open issue here)
See Issue #1155
"Internet System Consortium DHCP Server" product is not detected
"Internet System Consortium DHCP Client" (isc:dhcp_client:version) is not properly handled by F20 that looks for isc:version instead of dhcp_client:version
S115 blacklists any substring from its list, not only full product names. For instance, it would blacklist a product named dhcp if the blacklist configuration contains udhcpd.
What is the new behavior (if this is a feature change)? If possible add a screenshot.
Now detects "Internet System Consortium DHCP Server" product (isc:dhcp and isc:dhcpd)
isc:dhcp_client:* version string replaced with dhcp_client:* so that F20 can find CVEs
S115 fix in blacklist matching: match exact whole names only, not substrings. Without this fix, both server product names are blacklisted from emulation and may prevent detection.
Working example:
[*] Vulnerability details for dhcp / version 4.3.4 / source UEMU:
BIN NAME : BIN VERS : CVE ID : CVSS VALUE : EPSS : SOURCE : EXPLOIT
dhcp : 4.3.4 : CVE-2018-5732 : 7.5 : NA : UEMU : No exploit available
dhcp : 4.3.4 : CVE-2022-2929 : 6.5 : NA : UEMU : No exploit available
dhcp : 4.3.4 : CVE-2018-5733 : 7.5 : NA : UEMU : No exploit available
dhcp : 4.3.4 : CVE-2017-3144 : 7.5 : NA : UEMU : No exploit available
[+] Found 4 CVEs and 0 exploits (including POC's) in dhcp with version 4.3.4 (source UEMU).
dhcp is found and not blacklisted in S115. Blacklist still functions as intended. For example:
[*] Binary ./lib/systemd/systemd (533/673) not emulated - blacklist triggered
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
No
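The substring versus whole-name difference described in this PR, as an added shell example that is not EMBA's S115 code. The blacklist contents and function names are constructed, and grep's `-F`, `-w` and `-x` options are an assumed stand-in for the comparison the module performs.

```shell
#!/bin/sh
# Constructed blacklist, one name per line. Not EMBA's real configuration;
# "dhcp-helper" is included only to show the word-match case.
BLACKLIST='udhcpd
dhcp-helper
systemd'

# -F: treat the name as a fixed string, never as a regular expression.
# Substring match: fires when the name occurs anywhere inside an entry.
in_list_substring() { printf '%s\n' "$BLACKLIST" | grep -qF -- "$1"; }

# -w: word match. Still fires on "dhcp-helper" because "-" ends a word.
in_list_word() { printf '%s\n' "$BLACKLIST" | grep -qwF -- "$1"; }

# -x: the whole entry must equal the name.
in_list_exact() { printf '%s\n' "$BLACKLIST" | grep -qxF -- "$1"; }

# Turn a command's exit status into the text "yes" or "no".
yesno() { if "$@"; then printf 'yes'; else printf 'no'; fi; }

# One report line per candidate binary or product name.
verdict() {
  printf '%s substring=%s word=%s exact=%s\n' "$1" \
    "$(yesno in_list_substring "$1")" \
    "$(yesno in_list_word "$1")" \
    "$(yesno in_list_exact "$1")"
}

# dhcp and dhcpd are not on the list, yet substring matching excludes both.
for name in dhcp dhcpd udhcpd systemd; do
  verdict "$name"
done
```

Only the `-x` form leaves `dhcp` and `dhcpd` eligible for emulation while still excluding `udhcpd` and `systemd`.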