rapid7 / recog

Pattern recognition for hosts, services, and content

Deprecated CPEs #343

Closed p0lr closed 3 years ago

p0lr commented 3 years ago

Describe the bug

I noticed deprecated CPEs in the XML fingerprints.

Looking at /xml/http_servers.xml Definition for IIS 8.5 (for example) includes:

As stated in the other bug I opened, this is in CPE 2.2 format. Converting it to CPE 2.3 as follows:

cpe:2.3:a:microsoft:iis:8.5:*:*:*:*:*:*:*

Submit it to NVD: https://services.nvd.nist.gov/rest/json/cpes/1.0?cpeMatchString=cpe:2.3:a:microsoft:iis:8.5:*:*:*:*:*:*:*

Response is as follows: {"resultsPerPage":20,"startIndex":0,"totalResults":0,"result":{"dataType":"CPE","feedVersion":"1.0","cpeCount":0,"feedTimestamp":"2021-02-19T03:40","cpes":[]}}

Essentially unrecognized. There was a deprecation window where the service returned a "deprecatedBy" flag that told how to update the CPE.

Using the replacement CPE: https://services.nvd.nist.gov/rest/json/cpes/1.0?cpeMatchString=cpe:2.3:a:microsoft:internet_information_services:8.5:*:*:*:*:*:*:*

Response: {"resultsPerPage":20,"startIndex":0,"totalResults":1,"result":{"dataType":"CPE","feedVersion":"1.0","cpeCount":1,"feedTimestamp":"2021-02-19T03:43","cpes":[{"deprecated":false,"cpe23Uri":"cpe:2.3:a:microsoft:internet_information_services:8.5:*:*:*:*:*:*:*","lastModifiedDate":"2018-12-11T18:56Z","titles":[{"title":"Microsoft Internet Information Services (IIS) 8.5","lang":"en_US"}],"refs":[{"ref":"https://www.iis.net/","type":"Product"}],"deprecatedBy":[],"vulnerabilities":[]}]}}

If cpeCount is 0, there is a problem with the CPE. Might also be good to keep an eye on the deprecatedBy response when performing validation checking.

You can pull down the entire CPE 2.3 dictionary for validation checking here: https://nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz

If you decide to stick with CPE 2.2 format, you can validate against the dictionary located here: https://nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz

Hope this is helpful info. Cheers!
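The validation described in the comment above (treat cpeCount 0 as an unknown CPE, and watch deprecated/deprecatedBy), as an added example that is not Recog's own code. It runs offline on constructed response bodies in the shape of the ones quoted above; the 2.2 URI, the helper names, and the assumption that deprecatedBy lists replacement CPE strings are not from the issue.

```python
import json

def cpe22_to_23(uri):
    """Convert a simple CPE 2.2 URI to a CPE 2.3 formatted string.
    Percent-encoded values and packed '~' edition fields are not handled."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) > 7 or any("~" in f or "%" in f for f in fields):
        raise ValueError("unsupported CPE 2.2 URI: %r" % uri)
    # 2.3 carries 11 attributes after the "cpe:2.3:" prefix; unset ones are "*".
    fields = [f or "*" for f in fields] + ["*"] * (11 - len(fields))
    return "cpe:2.3:" + ":".join(fields)

def check_cpe(body):
    """Classify an NVD response body: returns (status, replacement_cpes)."""
    result = json.loads(body)["result"]
    if result["cpeCount"] == 0:
        return "unknown", []            # NVD does not recognise the CPE at all
    deprecated, replacements = False, []
    for entry in result["cpes"]:
        if entry.get("deprecated") or entry.get("deprecatedBy"):
            deprecated = True
            replacements.extend(entry.get("deprecatedBy", []))
    return ("deprecated" if deprecated else "ok"), replacements

def sample_body(cpes):
    # Constructed sample in the shape of the responses quoted in the issue.
    return json.dumps({"resultsPerPage": 20, "startIndex": 0, "totalResults": len(cpes),
                       "result": {"dataType": "CPE", "cpeCount": len(cpes), "cpes": cpes}})

OLD = cpe22_to_23("cpe:/a:microsoft:iis:8.5")   # constructed 2.2 URI
NEW = "cpe:2.3:a:microsoft:internet_information_services:8.5:*:*:*:*:*:*:*"
SAMPLES = {
    "unknown": sample_body([]),
    "ok": sample_body([{"deprecated": False, "cpe23Uri": NEW, "deprecatedBy": []}]),
    # Assumption: deprecatedBy lists the replacement CPE strings.
    "deprecated": sample_body([{"deprecated": True, "cpe23Uri": OLD, "deprecatedBy": [NEW]}]),
}

if __name__ == "__main__":
    print(OLD)
    for name, body in SAMPLES.items():
        print(name, check_cpe(body))
```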

tsellers-r7 commented 3 years ago

Thanks for the heads up. I should be able to take a look early next week. We run CPE checks whenever we land new commits. I'll have to look at the deprecated flag and see what should be done there.

tsellers-r7 commented 3 years ago

Hey @p0lr I've a PR up to address this. Thanks for bringing this to our attention. We already had processes for adding CPEs but we were totally ignoring the deprecated flag.

> I should be able to take a look early next week.

I should quit saying things like that.. it's never next week..

p0lr commented 3 years ago

Excellent! That fix is going to provide an uplift to all of the platforms that use Recog for CPE detection. Looking forward to seeing the positive impact this fix has across the industry.

Thanks!

On May 12, 2021, at 2:44 PM, Tom Sellers @.***> wrote:

> Hey @p0lr I've a PR up to address this. Thanks for bringing this to our attention. We already had processes for adding CPEs but we were totally ignoring the deprecated flag.
>
> > I should be able to take a look early next week.
>
> I should quit saying things like that.. it's never next week..

hdm commented 3 years ago

Maybe rename this issue to CPEs vs CVEs? :)

p0lr commented 3 years ago

Great suggestion! Done.

On May 12, 2021, at 4:23 PM, HD Moore @.***> wrote:

> Maybe rename this issue to CPEs vs CVEs? :)

tsellers-r7 commented 3 years ago

The fix has been landed and Recog v2.3.20 has been released. Thanks for letting us know about this!