Closed artvorlov closed 5 months ago
Nothing I can't do here... IIS is defined as internet_information_services in NVD data:
cpe:2.3:a:microsoft:internet_information_services:7.5:*:*:*:*:*:*:*
but NMAP returns
cpe:/a:microsoft:iis:7.5
Obv, querying iis in the database yields 0 rows.
Maybe would be possible to build some kind of heuristic, but that would be overkill in the long term.
This is one of the shortcomings of this method: CPEs weren't standardized (and I think still aren't). Some CVEs use a different vendor-product-version than others, so you end up with multiple entries referring to the same product.
product_id   vendor      product                        version   version_update
80024        microsoft   iis                            7.5       *
486471       microsoft   internet_information_services  7.5       *
Two different entries for the same product yet only one is linked in NVD.
Yes, I understand the problem. For myself, I decided to add a file with product aliases. Here is my solution, maybe it will be useful to someone:
products-aliases.json
{
  "iis": ["internet_information_services"]
}
cvescannerv2.nse
...
local regex_arg = stdnse.get_script_args('regex') or 'http-regex-vulnerscom.json'
-- New script argument: path to the CPE product aliases file
local products_aliases_arg = stdnse.get_script_args('products-aliases') or 'products-aliases.json'
local service_arg = stdnse.get_script_args('service') or 'all'
...
if not exists(db_arg) then
  ret = fmt("Database %s not found. " ..
            "Run ./databases.py before running nmap script.",
            db_arg)
elseif not exists(path_arg) then
  ret = fmt("Paths file %s not found.", path_arg)
elseif not valid_json(path_arg, 'path') then
  ret = fmt("Invalid json %s.", path_arg)
elseif not exists(regex_arg) then
  ret = fmt("Regexes file %s not found.", regex_arg)
elseif not valid_json(regex_arg, 'regex') then
  ret = fmt("Invalid json %s.", regex_arg)
-- The aliases file gets the same existence and JSON checks as the other inputs
elseif not exists(products_aliases_arg) then
  ret = fmt("CPE products aliases file %s not found.", products_aliases_arg)
elseif not valid_json(products_aliases_arg, 'products-aliases') then
  ret = fmt("Invalid json %s.", products_aliases_arg)
end
...
-- Parse a JSON file and store the result in the registry slot named by `type`;
-- returns the parse status so the caller can abort with an error message.
local function valid_json (arg, type)
  local f = io.open(arg, 'r')
  local status, data = json.parse(f:read('*all'))
  if status then
    if type == 'path' then
      registry.path = data
    elseif type == 'regex' then
      registry.regex = data
    elseif type == 'products-aliases' then
      registry.products_aliases = data
    end
  end
  f:close()
  return status
end
...
tmp_vulns = vulnerabilities(host, port, cpe, product, info)
-- Product aliases: repeat the lookup for every alias of the detected product
-- and merge the results (index 1 holds the count, the rest are the entries).
if registry.products_aliases[product] then
  for _, alias in pairs(registry.products_aliases[product]) do
    local tmp_alias_vulns = vulnerabilities(host, port, cpe, alias, info)
    if tmp_alias_vulns then
      tmp_vulns[1] = tmp_vulns[1] + table.remove(tmp_alias_vulns, 1)
      for _, v in pairs(tmp_alias_vulns) do
        table.insert(tmp_vulns, v)
      end
    end
  end
end
local nvulns = table.remove(tmp_vulns, 1)
I think this can be a good workaround. We can improve the json with the most common services; maybe people can improve the list over time by opening an ISSUE. Would you mind doing a PR with your implementation? I'll check the NMAP code, maybe I can kind of automate the generation of the first initial list.
Hi, thanks for the PR, I've merged it. I relocated your code to leverage the logging functionality, otherwise the new CVEs wouldn't be logged.
I've seen this https://nvd.nist.gov/products/cpe/detail/A43289F0-8E95-4C9E-A0BC-A906D3CA0325, it seems that NVD kind of knows the deprecated CPEs, maybe I can check the API and obtain this information and build the json. I need to check it.
cpe:2.3:a:microsoft:iis:7.5 - NVD - Detail
This CPE has been deprecated to:
cpe:2.3:a:microsoft:internet_information_server:7.5:*:*:*:*:*:*:*
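One way to bootstrap the aliases file from NVD's deprecation data, as an added Python example that is not CVEScannerV2's own code: it turns a constructed sample response (the field names products[].cpe.deprecated and deprecatedBy[].cpeName are my assumption of the CPE API 2.0 shape) into the same product-to-aliases map the PR reads, and bridges nmap's CPE 2.2 URI form to the 2.3 product name.

```python
import json

# Constructed sample of an NVD CPE API 2.0 response; field names
# (products[].cpe.cpeName, deprecated, deprecatedBy[].cpeName) are assumed,
# the CPE values are the ones quoted in this thread.
SAMPLE_NVD_RESPONSE = {"products": [
    {"cpe": {"cpeName": "cpe:2.3:a:microsoft:iis:7.5:*:*:*:*:*:*:*",
             "deprecated": True,
             "deprecatedBy": [{"cpeName": "cpe:2.3:a:microsoft:internet_information_server:7.5:*:*:*:*:*:*:*"}]}},
    {"cpe": {"cpeName": "cpe:2.3:a:microsoft:internet_information_services:7.5:*:*:*:*:*:*:*",
             "deprecated": False}},
]}

def cpe_parts(cpe):
    """(vendor, product) from a CPE 2.3 string or the 2.2 URI nmap emits."""
    if cpe.startswith("cpe:2.3:"):
        fields = cpe.split(":")[2:]        # part, vendor, product, version, ...
    elif cpe.startswith("cpe:/"):
        fields = cpe[len("cpe:/"):].split(":")
    else:
        raise ValueError("unrecognised CPE: %s" % cpe)
    if len(fields) < 3:
        raise ValueError("CPE lacks vendor/product: %s" % cpe)
    return fields[1], fields[2]

def build_aliases(response):
    """Deprecated product name -> same-vendor replacement product names."""
    aliases = {}
    for entry in response.get("products", []):
        cpe = entry["cpe"]
        if not cpe.get("deprecated"):
            continue                        # current CPE, nothing to map
        vendor, product = cpe_parts(cpe["cpeName"])
        for repl in cpe.get("deprecatedBy", []):
            rvendor, rproduct = cpe_parts(repl["cpeName"])
            if rvendor == vendor and rproduct != product:
                targets = aliases.setdefault(product, [])
                if rproduct not in targets:
                    targets.append(rproduct)
    return aliases

def products_to_query(nmap_cpe, aliases):
    """Product names to query in the local DB: detected product plus aliases."""
    _, product = cpe_parts(nmap_cpe)
    return [product] + aliases.get(product, [])

if __name__ == "__main__":
    aliases = build_aliases(SAMPLE_NVD_RESPONSE)
    print(json.dumps(aliases, indent=2))          # products-aliases.json content
    print(products_to_query("cpe:/a:microsoft:iis:7.5", aliases))
```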
Hey, I've been checking the code of NMAP, it seems that the latest version (7.94) has the correct CPEs. After rechecking your comments, it seems that you're running a very outdated version (7.80). I'll try to set up a container with IIS to test again with CVEScannerV2 3.1.2, but I think the problem here was your NMAP version. Anyway, this feature should improve the scan quality overall.
You're right, it looks like it's time for me to upgrade. Version 7.80 is the latest for my Ubuntu release - 20.04.5 LTS.
You could run NMap from a container (only 36MB). I'm currently working on migrating all of my CI/CD running on a self-hosted GitLab to GitHub. I expect to have a working action in the following days to build Docker containers with CVEScannerV2 (no db) and another one with the database embedded. I'm also planning to detach CVEScannerV2DB entirely (removed as submodule) to keep the main repository "small" but still build the database automatically.
Closed as completed in c957afa05410e91bbd0ac83f0a6d14c0a0cb3286. New containers can be found in dockerhub under scmanjarrez/cvescanner, variants db and nodb.
Greetings! The script does not find vulnerabilities CVE-2010-2730, CVE-2010-3972 and CVE-2010-1899. On the port, the Microsoft server is IIS/7.5.