scmanjarrez / CVEScannerV2

Nmap script that scans for probable vulnerabilities based on services discovered in open ports.
https://hub.docker.com/r/scmanjarrez/cvescanner
GNU General Public License v3.0

Cve returned seems wrong for Windows services #13

Open Anthony-76 opened 1 month ago

Anthony-76 commented 1 month ago

Hi,

For Windows services, after the nmap scan, the CVEs returned are false in some cases.

For example:

Nmap scans a Windows server with MS-SQL.

The version detected by nmap is: 1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.4100; SP1

Then cvescannerV2 scans like this:

| cvescannerv2: | product: sql_server | version: 2014 | vupdate: * | cves: 18

So cvescannerv2 analyzes the MS-SQL service with version 2014, but it doesn't take the build release into account. So the CVEs returned are often wrong or inexact?

This issue appears with Windows and rarely with Linux.

Is there a solution to avoid these false positives?

Best regards, Anthony

scmanjarrez commented 1 month ago

Hi, thank you for reaching out to me. I think this is a limitation of nmap; the script uses the values set by nmap for version and version_update. In this case, nmap isn't setting the variable version_update correctly, so the script tries to guess it (incorrectly). Can you provide a trace using the -vv and -d flags? Anyway, I'll try to set up a VM to check if something can be done.

Anthony-76 commented 1 month ago

Hi, thank you for your reply.

You can find the log at https://pastebin.com/8g0d1k8Z

The link will expire in one week.

If you want me to test something, tell me.

Anthony

scmanjarrez commented 1 month ago

Is the trace from the same machine? The output from nmap here is nmap cpe: cpe:/a:microsoft:sql_server:2014 | version: 12.00.6329, which seems different from the previous Microsoft SQL Server 2014 12.00.4100; SP1

Anthony-76 commented 1 month ago

No, it's not the same machine, but I have the same problem.

The build release 12.00.6329 is nearly up to date and cvescannerv2 returns CVEs from 2014, 2015, 2016.

scmanjarrez commented 3 weeks ago

Mmmm, the only solution I see here is creating a pseudo database with the relation between build numbers and each service pack (still a lot of CVEs). The information in the database is retrieved from NVD, and it's very simple and sometimes inconsistent, e.g.

245876  microsoft   sql_server  2014    sp3
280999  microsoft   sql_server  2014    sp1
285102  microsoft   sql_server  2014    *
287871  microsoft   sql_server  2014    sp2
514180  microsoft   sql_server  2014    -
926117  microsoft   sql_server  2008_r2 sp3
1011923 microsoft   sql_server  2008    r2_sp3
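The build-number-to-service-pack lookup that the maintainer sketches above, as an added example that is not part of the CVEScannerV2 NSE script or of this thread. It takes the two nmap version strings quoted in the issue, derives a (version, version_update) pair from the build number instead of falling back to "*", and filters the NVD rows quoted in the last comment. The thresholds in BUILD_TO_UPDATE are assumed: the page only confirms that 12.00.4100 is SP1, and the other boundaries must be replaced with Microsoft's published build list before any real use. Treating NVD's "-" as RTM and folding the (2008, r2_sp3) spelling into (2008_r2, sp3) are also assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed copy of the NVD extract quoted in the thread:
# (id, vendor, product, version, version_update).
# NVD uses "*" for "any update" and "-" for "no update" (treated here as RTM).
NVD_ROWS = [
    (245876, "microsoft", "sql_server", "2014", "sp3"),
    (280999, "microsoft", "sql_server", "2014", "sp1"),
    (285102, "microsoft", "sql_server", "2014", "*"),
    (287871, "microsoft", "sql_server", "2014", "sp2"),
    (514180, "microsoft", "sql_server", "2014", "-"),
    (926117, "microsoft", "sql_server", "2008_r2", "sp3"),
    (1011923, "microsoft", "sql_server", "2008", "r2_sp3"),
]

# ASSUMED lowest build of each service pack for SQL Server 2014 (major 12).
# Only "12.00.4100 -> sp1" is confirmed by the thread; the rest is illustrative.
BUILD_TO_UPDATE = {
    "2014": [
        (6024, "sp3"),
        (5000, "sp2"),
        (4100, "sp1"),
        (2000, "-"),  # RTM, no service pack
    ],
}
MAJOR_TO_VERSION = {"12": "2014"}  # assumed mapping; extend for other releases

BUILD_RE = re.compile(r"\b(\d{1,2})\.(\d{1,2})\.(\d{3,5})\b")
SP_RE = re.compile(r"\bSP(\d)\b", re.I)
YEAR_RE = re.compile(r"\b(20\d\d)\b")


@dataclass(frozen=True)
class Fingerprint:
    product: str
    version: str
    vupdate: str  # e.g. "sp1", "-" for RTM, "*" when unknown


def fingerprint_from_nmap(version_str: str) -> Fingerprint:
    """Turn nmap's ms-sql version string into (product, version, vupdate).

    The build number decides the service pack; an explicit "SPn" token from
    nmap wins over the inferred one. Anything unclassifiable stays "*".
    """
    build = BUILD_RE.search(version_str)
    # Look for the product year only outside the build number so that a build
    # such as 12.0.2000 is never mistaken for the year 2000.
    year = YEAR_RE.search(BUILD_RE.sub("", version_str))
    version = "*"
    if build and build.group(1) in MAJOR_TO_VERSION:
        version = MAJOR_TO_VERSION[build.group(1)]
    elif year:
        version = year.group(1)
    sp = SP_RE.search(version_str)
    if sp:
        return Fingerprint("sql_server", version, f"sp{sp.group(1)}")
    if build:
        bnum = int(build.group(3))
        for threshold, update in BUILD_TO_UPDATE.get(version, []):
            if bnum >= threshold:
                return Fingerprint("sql_server", version, update)
    return Fingerprint("sql_server", version, "*")


def normalize_row(row):
    """Fold NVD's inconsistent spellings into one form, e.g. the thread's
    (2008, r2_sp3) versus (2008_r2, sp3)."""
    rid, vendor, product, version, update = row
    if update.startswith("r2_"):
        version, update = version + "_r2", update[3:]
    return (rid, vendor, product, version, update)


def row_matches(row, fp: Fingerprint) -> bool:
    """A row applies when product and version agree and the update is equal,
    or when either side is "*" (any update)."""
    _, _, product, version, update = normalize_row(row)
    if product != fp.product or version != fp.version:
        return False
    return update == "*" or fp.vupdate == "*" or update == fp.vupdate


def matching_rows(version_str: str, rows=NVD_ROWS):
    """Return the ids of the NVD rows that still apply once the service pack
    is taken into account."""
    fp = fingerprint_from_nmap(version_str)
    return [row[0] for row in rows if row_matches(row, fp)]


if __name__ == "__main__":
    for s in ("Microsoft SQL Server 2014 12.00.4100; SP1", "12.00.6329",
              "Microsoft SQL Server 2014"):
        print(s, "->", fingerprint_from_nmap(s), matching_rows(s))
```

With vupdate left at "*" (the behaviour the issue reports), all five 2014 rows match; with the service pack derived from the build, the SP1 host keeps only the sp1 and "*" rows and the 12.00.6329 host only the sp3 and "*" rows. This is exactly the reduction the maintainer's pseudo database would give, and also its limit: NVD's version_update granularity is the service pack, so a CVE fixed by a later cumulative update inside the same service pack is still reported, which is why the result is "still a lot of CVEs".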