infobyte / faraday_plugins

Security tools report parsers for Faradaysec.com
https://www.faradaysec.com/
GNU General Public License v3.0

openvas failing to import due to CVSS3 tags #30

Open bruman opened 4 weeks ago

bruman commented 4 weeks ago

openvas Version 23.2.1 faraday community edition: 5.5.0 Running the community docker

I failing to import reports from openvas using the option to export reports from openvas community edition as xml

Looking at the logs i see the following when i try to import.

==> celery.log <==
[2024-08-15 14:28:55,653: ERROR/ForkPoolWorker-5] Could not create cvss2
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/faraday/server/api/modules/bulk_create.py", line 756, in set_cvss2
    cvss_instance = cvss.CVSS2(vs2)
  File "/usr/local/lib/python3.8/site-packages/cvss/cvss2.py", line 100, in __init__
    self.parse_vector()
  File "/usr/local/lib/python3.8/site-packages/cvss/cvss2.py", line 141, in parse_vector
    raise CVSS2MalformedError(
cvss.exceptions.CVSS2MalformedError: Unknown metric "CVSS" in field "CVSS:3.1"
[2024-08-15 14:28:55,674: ERROR/ForkPoolWorker-2] Could not create cvss2
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/faraday/server/api/modules/bulk_create.py", line 756, in set_cvss2
    cvss_instance = cvss.CVSS2(vs2)
  File "/usr/local/lib/python3.8/site-packages/cvss/cvss2.py", line 100, in __init__
    self.parse_vector()
  File "/usr/local/lib/python3.8/site-packages/cvss/cvss2.py", line 141, in parse_vector
    raise CVSS2MalformedError(
cvss.exceptions.CVSS2MalformedError: Unknown metric "CVSS" in field "CVSS:3.1"

when i run faraday-plugins process-report i see the following entries with cvss2 of "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"

{
    "name": "cpe:/a:ietf:transport_layer_security:1.3",
    "protocol": "tcp",
    "port": 8443,
    "status": "open",
    "version": "",
    "description": "",
    "credentials": [],
    "vulnerabilities": [
        {
            "name": "SSL/TLS: Report Vulnerable Cipher Suites for HTTPS",
            "desc": "This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exists only on HTTPS services. These rules are applied for the evaluation of the vulnerable cipher suites: - 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).",
            "severity": "high",
            "refs": [
                {
                    "name": "cpe:/a:ietf:transport_layer_security",
                    "type": "other"
                },
                {
                    "name": "SEVERITY NUMBER: 7.5",
                    "type": "other"
                },
                {
                    "name": "THREAT: High",
                    "type": "other"
                }
            ],
            "external_id": "OPENVAS-1.3.6.1.4.1.25623.1.0.108031",
            "type": "Vulnerability",
            "resolution": "The configuration of this services should be changed so that it does not accept the listed cipher suites anymore. Please see the references for more resources supporting you with this task.",
            "data": "\n\nid 5abd2194-5e6f-4550-9df2-ab6632322cb5",
            "custom_fields": {},
            "status": "open",
            "impact": {},
            "policyviolations": [],
            "cve": [],
            "cvss3": {},
            "cvss2": {
                "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
            },
            "easeofresolution": null,
            "confirmed": false,
            "tags": [],
            "cwe": []
        },

the original xml looks like

       <result id="5abd2194-5e6f-4550-9df2-ab6632322cb5">
        <name>SSL/TLS: Report Vulnerable Cipher Suites for HTTPS</name>
        <owner>
          <name>admin</name>
        </owner>
        <modification_time>2024-08-09T22:50:21Z</modification_time>
        <comment/>
        <creation_time>2024-08-09T22:50:21Z</creation_time>
        <detection>
          <result id="52811c30-efb1-4e7a-ae89-1e171bc5d83d">
            <details>
              <detail>
                <name>product</name>
                <value>cpe:/a:ietf:transport_layer_security</value>
              </detail>
              <detail>
                <name>location</name>
                <value>8443/tcp</value>
              </detail>
              <detail>
                <name>source_oid</name>
                <value>1.3.6.1.4.1.25623.1.0.802067</value>
              </detail>
              <detail>
                <name>source_name</name>
                <value>SSL/TLS: Report Supported Cipher Suites</value>
              </detail>
            </details>
          </result>
        </detection>
        <host>1.1.1.1<asset asset_id="4a2957ed-1848-4f26-a498-9c587d3a7fe9"/><hostname>redacted.redacted.com</hostname></host>
        <port>8443/tcp</port>
        <nvt oid="1.3.6.1.4.1.25623.1.0.108031">
          <type>nvt</type>
          <name>SSL/TLS: Report Vulnerable Cipher Suites for HTTPS</name>
          <family>SSL and TLS</family>
          <cvss_base>7.5</cvss_base>
          <severities score="7.5">
            <severity type="cvss_base_v3">
              <origin>NVD</origin>
              <date>2022-07-28T11:27:00Z</date>
              <score>7.5</score>
              <value>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</value>
            </severity>
          </severities>
          <tags>cvss_base_vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N|summary=This routine reports all SSL/TLS cipher suites accepted by a service
  where attack vectors exists only on HTTPS services.|insight=These rules are applied for the evaluation of the vulnerable cipher suites:

  - 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).|affected=Services accepting vulnerable SSL/TLS cipher suites via HTTPS.|impact=|solution=The configuration of this services should be changed so
  that it does not accept the listed cipher suites anymore.

  Please see the references for more resources supporting you with this task.|vuldetect=|solution_type=Mitigation</tags>
          <solution type="Mitigation">The configuration of this services should be changed so
  that it does not accept the listed cipher suites anymore.

  Please see the references for more resources supporting you with this task.</solution>
          <refs>
            <ref type="cve" id="CVE-2016-2183"/>
            <ref type="cve" id="CVE-2016-6329"/>
            <ref type="cve" id="CVE-2020-12872"/>
            <ref type="url" id="https://bettercrypto.org/"/>
            <ref type="url" id="https://mozilla.github.io/server-side-tls/ssl-config-generator/"/>
            <ref type="url" id="https://sweet32.info/"/>
            <ref type="cert-bund" id="WID-SEC-2024-1277"/>
            <ref type="cert-bund" id="WID-SEC-2024-0209"/>
            <ref type="cert-bund" id="WID-SEC-2024-0064"/>
            <ref type="cert-bund" id="WID-SEC-2022-2226"/>
            <ref type="cert-bund" id="WID-SEC-2022-1955"/>
            <ref type="cert-bund" id="CB-K21/1094"/>
            <ref type="cert-bund" id="CB-K20/1023"/>
            <ref type="cert-bund" id="CB-K20/0321"/>
            <ref type="cert-bund" id="CB-K20/0314"/>
            <ref type="cert-bund" id="CB-K20/0157"/>
            <ref type="cert-bund" id="CB-K19/0618"/>
            <ref type="cert-bund" id="CB-K19/0615"/>
            <ref type="cert-bund" id="CB-K18/0296"/>
            <ref type="cert-bund" id="CB-K17/1980"/>
            <ref type="cert-bund" id="CB-K17/1871"/>
            <ref type="cert-bund" id="CB-K17/1803"/>
            <ref type="cert-bund" id="CB-K17/1753"/>
            <ref type="cert-bund" id="CB-K17/1750"/>
            <ref type="cert-bund" id="CB-K17/1709"/>
            <ref type="cert-bund" id="CB-K17/1558"/>
            <ref type="cert-bund" id="CB-K17/1273"/>
            <ref type="cert-bund" id="CB-K17/1202"/>
            <ref type="cert-bund" id="CB-K17/1196"/>
            <ref type="cert-bund" id="CB-K17/1055"/>
            <ref type="cert-bund" id="CB-K17/1026"/>
            <ref type="cert-bund" id="CB-K17/0939"/>
            <ref type="cert-bund" id="CB-K17/0917"/>
            <ref type="cert-bund" id="CB-K17/0915"/>
            <ref type="cert-bund" id="CB-K17/0877"/>
            <ref type="cert-bund" id="CB-K17/0796"/>
            <ref type="cert-bund" id="CB-K17/0724"/>
            <ref type="cert-bund" id="CB-K17/0661"/>
            <ref type="cert-bund" id="CB-K17/0657"/>
            <ref type="cert-bund" id="CB-K17/0582"/>
            <ref type="cert-bund" id="CB-K17/0581"/>
            <ref type="cert-bund" id="CB-K17/0506"/>
            <ref type="cert-bund" id="CB-K17/0504"/>
            <ref type="cert-bund" id="CB-K17/0467"/>
            <ref type="cert-bund" id="CB-K17/0345"/>
            <ref type="cert-bund" id="CB-K17/0098"/>
            <ref type="cert-bund" id="CB-K17/0089"/>
            <ref type="cert-bund" id="CB-K17/0086"/>
            <ref type="cert-bund" id="CB-K17/0082"/>
            <ref type="cert-bund" id="CB-K16/1837"/>
            <ref type="cert-bund" id="CB-K16/1830"/>
            <ref type="cert-bund" id="CB-K16/1635"/>
            <ref type="cert-bund" id="CB-K16/1630"/>
            <ref type="cert-bund" id="CB-K16/1624"/>
            <ref type="cert-bund" id="CB-K16/1622"/>
            <ref type="cert-bund" id="CB-K16/1500"/>
            <ref type="cert-bund" id="CB-K16/1465"/>
            <ref type="cert-bund" id="CB-K16/1307"/>
            <ref type="cert-bund" id="CB-K16/1296"/>
            <ref type="dfn-cert" id="DFN-CERT-2021-1618"/>
            <ref type="dfn-cert" id="DFN-CERT-2021-0775"/>
            <ref type="dfn-cert" id="DFN-CERT-2021-0770"/>
            <ref type="dfn-cert" id="DFN-CERT-2021-0274"/>
            <ref type="dfn-cert" id="DFN-CERT-2020-2141"/>
            <ref type="dfn-cert" id="DFN-CERT-2020-0368"/>
            <ref type="dfn-cert" id="DFN-CERT-2019-1455"/>
            <ref type="dfn-cert" id="DFN-CERT-2019-0068"/>
            <ref type="dfn-cert" id="DFN-CERT-2018-1296"/>
            <ref type="dfn-cert" id="DFN-CERT-2018-0323"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-2070"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1954"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1885"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1831"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1821"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1785"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1626"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1326"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1239"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1238"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1090"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-1060"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0968"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0947"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0946"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0904"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0816"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0746"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0677"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0675"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0611"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0609"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0522"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0519"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0482"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0351"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0090"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0089"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0088"/>
            <ref type="dfn-cert" id="DFN-CERT-2017-0086"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1943"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1937"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1732"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1726"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1715"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1714"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1588"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1555"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1391"/>
            <ref type="dfn-cert" id="DFN-CERT-2016-1378"/>
          </refs>
        </nvt>
        <scan_nvt_version>2024-06-14T05:05:48Z</scan_nvt_version>
        <threat>High</threat>
        <severity>7.5</severity>
        <qod>
          <value>98</value>
          <type/>
        </qod>
        <description>'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

</description>
        <original_threat>High</original_threat>
        <original_severity>7.5</original_severity>
        <overrides>
          <override id="f4356011-97b8-4bbc-b0f9-960faf598b59">
            <permissions>
              <permission>
                <name>Everything</name>
              </permission>
            </permissions>
            <owner>
              <name>ian</name>
            </owner>
            <nvt oid="1.3.6.1.4.1.25623.1.0.108031">
              <name>SSL/TLS: Report Vulnerable Cipher Suites for HTTPS</name>
              <type>nvt</type>
            </nvt>
            <creation_time>2024-06-18T21:33:56Z</creation_time>
            <modification_time>2024-06-18T21:33:56Z</modification_time>
            <writable>1</writable>
            <in_use>0</in_use>
            <active>1</active>
            <text excerpt="0">Hubspot</text>
            <threat>Alarm</threat>
            <severity>0.1</severity>
            <new_threat>False Positive</new_threat>
            <new_severity>-1</new_severity>
            <orphan>0</orphan>
          </override>
        </overrides>
      </result>     

so it looks like some logic needs to be added to detect CVSS3 vectors and parse them as CVSS3 rather than CVSS2?

bruman commented 3 weeks ago

possible fix, not sure how you like pull requests for this project :)

diff --git a/faraday_plugins/plugins/repo/openvas/plugin.py b/faraday_plugins/plugins/repo/openvas/plugin.py
index 734551e..09f20e3 100644
--- a/faraday_plugins/plugins/repo/openvas/plugin.py
+++ b/faraday_plugins/plugins/repo/openvas/plugin.py
@@ -185,6 +185,7 @@ class Item:
         self.description = ''
         self.resolution = ''
         self.cvss_vector = ''
+        self.cvss3_vector = ''
         self.tags = self.get_text_from_subnode('tags')
         self.data = self.get_text_from_subnode('description')
         self.data += f'\n\nid {item_node.attrib.get("id")}'
@@ -192,7 +193,10 @@ class Item:
             tags_data = self.get_data_from_tags(self.tags)
             self.description = tags_data['description']
             self.resolution = tags_data['solution']
-            self.cvss_vector = tags_data['cvss_base_vector']
+            if "CVSS:3" in tags_data['cvss_base_vector']:
+                self.cvss3_vector = tags_data['cvss_base_vector']
+            else:
+                self.cvss_vector = tags_data['cvss_base_vector']
             if tags_data['impact']:
                 self.data += f'\n\nImpact: {tags_data["impact"]}'

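Review bot: The new test `if "CVSS:3" in tags_data['cvss_base_vector']:` matches the marker anywhere in the string and sends every other value to the `else` branch, so a `CVSS:4.0/...` vector, should the scanner ever emit one, would still be stored in `cvss_vector` and presumably hit the same `CVSS2MalformedError` on the server that the issue reports. Anchor the check with `tags_data['cvss_base_vector'].startswith("CVSS:3")` and replace `else:` with `elif not tags_data['cvss_base_vector'].startswith("CVSS:"):` so that only unprefixed v2-style vectors land in `cvss_vector`. If `get_data_from_tags` can return `None` for this key (it is not visible here), both the `in` test and `startswith` would raise, so a falsy guard may be needed first. The enclosing `if` block and the rest of `__init__` start outside the hunk.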
@@ -347,6 +351,7 @@ class OpenvasPlugin(PluginXMLFormat):
                 ref = []
                 cve = []
                 cvss2 = {}
+                cvss3 = {}
                 if item.cve:
                     cves = item.cve.split(',')
                     for i in cves:
@@ -359,6 +364,8 @@ class OpenvasPlugin(PluginXMLFormat):
                     ref.append(item.xref)
                 if item.tags and item.cvss_vector:
                     cvss2["vector_string"] = item.cvss_vector
+                if item.tags and item.cvss3_vector:
+                    cvss3["vector_string"] = item.cvss3_vector
                 if item.cpe:
                     ref.append(f"{item.cpe}")
                 if item.severity_nr:
@@ -390,7 +397,8 @@ class OpenvasPlugin(PluginXMLFormat):
                             data=item.data,
                             cve=cve,
                             cwe=item.cwe,
-                            cvss2=cvss2
+                            cvss2=cvss2,
+                            cvss3=cvss3
                         )
                 else:
                     if item.service:
@@ -425,7 +433,8 @@ class OpenvasPlugin(PluginXMLFormat):
                                 data=item.data,
                                 cve=cve,
                                 cwe=item.cwe,
-                                cvss2=cvss2
+                                cvss2=cvss2,
+                                cvss3=cvss3
                             )
                     elif item.severity not in self.ignored_severities:
                         self.createAndAddVulnToService(
@@ -440,7 +449,8 @@ class OpenvasPlugin(PluginXMLFormat):
                             data=item.data,
                             cve=cve,
                             cwe=item.cwe,
-                            cvss2=cvss2
+                            cvss2=cvss2,
+                            cvss3=cvss3
                         )
         del parser