Closed artvorlov closed 6 months ago
I also noticed that there are no references to the vulnerability CVE-2023-51767 in the multiaffected table. Although in https://nvd.nist.gov/vuln/detail/CVE-2023-51767 it is indicated that OpenSSH is vulnerable before 9.6.
Hi, thanks for reporting it, I'll take a look
Are you running an outdated database? I've checked the latest gitlab-generated version found in an automated container, and all CVEs mentioned here are present:
CVE-2020-1025
./data_6.sql:INSERT INTO affected VALUES('CVE-2020-1025',455035);
./data_6.sql:INSERT INTO affected VALUES('CVE-2020-1025',217511);
./data_6.sql:INSERT INTO affected VALUES('CVE-2020-1025',33189);
./data_6.sql:INSERT INTO affected VALUES('CVE-2020-1025',516267);
./data_6.sql:INSERT INTO affected VALUES('CVE-2020-1025',127824);
./data_6.sql:INSERT INTO affected VALUES('CVE-2020-1025',217922);
./data_0.sql:INSERT INTO cves VALUES('CVE-2020-1025',7.5,9.8000000000000007105,2020);
CVE-2019-0624
./data_6.sql:INSERT INTO affected VALUES('CVE-2019-0624',1033877);
./data_0.sql:INSERT INTO cves VALUES('CVE-2019-0624',3.5,5.4000000000000003552,2019);
CVE-2022-33633
./data_6.sql:INSERT INTO affected VALUES('CVE-2022-33633',598260);
./data_6.sql:INSERT INTO affected VALUES('CVE-2022-33633',713509);
./data_6.sql:INSERT INTO affected VALUES('CVE-2022-33633',716608);
./data_0.sql:INSERT INTO cves VALUES('CVE-2022-33633',6.5,7.2000000000000001776,2022);
CVE-2023-51767
./data_6.sql:INSERT INTO multiaffected VALUES('CVE-2023-51767',1132188,NULL,NULL,'9.6',NULL);
./data_6.sql:INSERT INTO multiaffected VALUES('CVE-2023-51767',1132188,NULL,NULL,'9.6',NULL);
./data_0.sql:INSERT INTO cves VALUES('CVE-2023-51767',NULL,7.0,2023);
These are matched in cve.db with the correct SQL query:
SELECT affected.cve_id, cves.cvss_v2, cves.cvss_v3,
products.product, products.version, products.version_update,
(SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = affected.cve_id)) as edb,
(SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = affected.cve_id)) as msf
FROM products
INNER JOIN affected ON products.product_id = affected.product_id
INNER JOIN cves ON affected.cve_id = cves.cve_id
WHERE affected.cve_id = 'CVE-2022-33633';
SELECT multiaffected.cve_id, cves.cvss_v2, cves.cvss_v3,
multiaffected.versionStartIncluding, multiaffected.versionStartExcluding,
multiaffected.versionEndIncluding, multiaffected.versionEndExcluding, products.product, products.version, products.version_update,
(SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = multiaffected.cve_id)) as edb,
(SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = multiaffected.cve_id)) as msf
FROM multiaffected
INNER JOIN cves ON multiaffected.cve_id = cves.cve_id
INNER JOIN products ON multiaffected.product_id = products.product_id
WHERE multiaffected.cve_id = 'CVE-2023-51767';
I apologize, I made a mistake. All mentioned CVEs are in the database. But for some reason the scanner did not return threats related to "cpe:/a:microsoft:skype_for_business:2015".
The program generated a query that returned an empty result.
SELECT multiaffected.cve_id, cves.cvss_v2, cves.cvss_v3,
multiaffected.versionStartIncluding, multiaffected.versionStartExcluding,
multiaffected.versionEndIncluding, multiaffected.versionEndExcluding,
(SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = multiaffected.cve_id)) as edb,
(SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = multiaffected.cve_id)) as msf
FROM multiaffected
INNER JOIN cves ON multiaffected.cve_id = cves.cve_id
WHERE product_id IN (SELECT product_id FROM products WHERE product = 'skype_for_business' AND version = '*')
This is a dump of the parameters coming into the "vulnerabilities" function:
[1] = {
["reason"] = syn-ack,
["interface_mtu"] = 0,
["reason_ttl"] = 0,
["ip"] = 217.14.25.41,
["registry"] = <EMPTY_TABLE>,
["times"] = {
["timeout"] = 1.332448,
["srtt"] = 0.32554,
["rttvar"] = 0.251727,
},
["name"] = access.fundayshop.com,
["bin_ip"] = <4 raw bytes: \xD9\x0E\x19\x29, the packed form of 217.14.25.41>,
},
[2] = {
["reason"] = syn-ack,
["service"] = sip,
["version"] = {
["service_tunnel"] = ssl,
["name_confidence"] = 10.0,
["version"] = 2015,
["cpe"] = {
[1] = cpe:/a:microsoft:skype_for_business:2015,
},
["service_dtype"] = probed,
["name"] = sip,
["product"] = Microsoft Skype for Business SIP,
},
["state"] = open,
["reason_ttl"] = 0,
["number"] = 443,
["protocol"] = tcp,
},
[3] = cpe:/a:microsoft:skype_for_business:2015,
[4] = skype_for_business,
[5] = {
["vup"] = *,
["range"] = false,
["empty"] = false,
["ver"] = 2015,
}
But in the case of CVE-2023-51767, there really is no binding in the "multiaffected" table.
I used the latest version from the repository https://github.com/scmanjarrez/CVEScannerV2DB .
I'm sorry, I was inattentive again. Git pull didn't work for me, so the database was old. There are no problems with CVE-2023-51767 in the new database.
However, the problem with "cpe:/a:microsoft:skype_for_business:2015" is still relevant.
I don't see the problem. That CVE affects a specific version, not multiple versions:
SELECT affected.cve_id, cves.cvss_v2, cves.cvss_v3,
products.product, products.version, products.version_update,
(SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = affected.cve_id)) as edb,
(SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = affected.cve_id)) as msf
FROM products
INNER JOIN affected ON products.product_id = affected.product_id
INNER JOIN cves ON affected.cve_id = cves.cve_id
WHERE products.product = 'skype_for_business' AND products.version = '2015';
Oh, I'll check the code of cvescanner.nse, I see what you're referring to there.
Can you provide the full trace of nmap --script cvescannerv2 -sV -p 8080 localhost -d -vvv, redacting sensitive info ofc. I need to see the debug messages of cvescannerv2.nse
nmap --script cvescannerv2 -sV -p 443 X.X.X.X -d -vvv
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-29 19:10 +07
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI:
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:11
NSE: Starting cvescannerv2.
NSE: [cvescannerv2] Timestamp: 2024-02-29T12:11:00+00:00
NSE: [cvescannerv2] CVE data source: nvd.nist.gov
NSE: [cvescannerv2] Script version: 3.1
NSE: Finished cvescannerv2.
Completed NSE at 19:11, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:11
Completed NSE at 19:11, 0.00s elapsed
Initiating Ping Scan at 19:11
Scanning X.X.X.X [2 ports]
Completed Ping Scan at 19:11, 0.30s elapsed (1 total hosts)
Overall sending rates: 6.65 packets / s.
mass_rdns: Using DNS server 127.0.0.53
Initiating Parallel DNS resolution of 1 host. at 19:11
mass_rdns: 0.85s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 19:11, 0.85s elapsed
DNS resolution of 1 IPs took 0.85s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:11
Scanning sip.domain.com (X.X.X.X) [1 port]
Discovered open port 443/tcp on X.X.X.X
Completed Connect Scan at 19:11, 0.30s elapsed (1 total ports)
Overall sending rates: 3.36 packets / s.
Initiating Service scan at 19:11
Scanning 1 service on sip.domain.com (X.X.X.X)
Completed Service scan at 19:11, 55.32s elapsed (1 service on 1 host)
NSE: Script scanning X.X.X.X.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:11
NSE: Starting http-trane-info against X.X.X.X:443.
NSE: Starting vmware-version against X.X.X.X:443.
NSE: Starting cvescannerv2 against X.X.X.X:443.
NSE: [cvescannerv2 X.X.X.X:443] nmap cpe: cpe:/a:microsoft:skype_for_business:2015 | version: 2015
NSE: Starting cvescannerv2 against X.X.X.X.
NSE: Finished cvescannerv2 against X.X.X.X.
NSE: Starting hnap-info against X.X.X.X:443.
NSE: [cvescannerv2 X.X.X.X:443] http.request socket error: The script encountered an error:
- tcp failed:
- Failed to connect:
- Could not connect:
- TIMEOUT
NSE: [cvescannerv2 X.X.X.X:443] Error processing request http://X.X.X.X:443/ => Error creating socket.
NSE: [cvescannerv2 X.X.X.X:443] cpe => cpe:/a:microsoft:skype_for_business:2015 | version => 2015
NSE: [cvescannerv2 X.X.X.X:443] product => skype_for_business | version => 2015
NSE: Finished cvescannerv2 against X.X.X.X:443.
NSE: [http-trane-info X.X.X.X:443] http.request socket error: The script encountered an error:
- tcp failed:
- receive failed:
- TIMEOUT
NSE: [http-trane-info X.X.X.X:443] Unexpected response returned for 404 check: creating socket.
NSE: [vmware-version X.X.X.X:443] http.request socket error: The script encountered an error:
- tcp failed:
- receive failed:
- TIMEOUT
NSE: [vmware-version X.X.X.X:443] Couldn't download file: /sdk
NSE: Finished vmware-version against X.X.X.X:443.
NSE: Finished http-trane-info against X.X.X.X:443.
NSE: [hnap-info X.X.X.X:443] HTTP: Host returns proper 404 result.
NSE: Finished hnap-info against X.X.X.X:443.
Completed NSE at 19:12, 14.75s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:12
NSE: Starting http-server-header against X.X.X.X:443.
NSE: Finished http-server-header against X.X.X.X:443.
Completed NSE at 19:12, 10.46s elapsed
Nmap scan report for sip.domain.com (X.X.X.X)
Host is up, received syn-ack (0.30s latency).
Scanned at 2024-02-29 19:11:00 +07 for 82s
PORT STATE SERVICE REASON VERSION
443/tcp open ssl/sip syn-ack Microsoft Skype for Business SIP 2015
|_cvescannerv2:
Final times for host: srtt: 300244 rttvar: 226409 to: 1205880
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:12
NSE: Starting cvescannerv2.
NSE: Finished cvescannerv2.
Completed NSE at 19:12, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.37 seconds
I've already found the problem, I'll do some tests and apply the fix
Can you check the latest cvescanner.nse version? Now it should include every product version when the product version is not detected by nmap: https://github.com/scmanjarrez/CVEScannerV2/commit/9552c18d22b9803399ccf36598236682caeda126
Thank you very much! The problem is now fixed!
PORT STATE SERVICE VERSION
443/tcp open ssl/sip Microsoft Skype for Business SIP 2015
| cvescannerv2:
| product: skype_for_business
| version: 2015
| vupdate: *
| cves: 3
| CVE ID CVSSv2 CVSSv3 ExploitDB Metasploit
| CVE-2020-1025 7.5 9.8 No No
| CVE-2022-33633 6.5 7.2 No No
| CVE-2019-0624 3.5 5.4 No No
|_
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.68 seconds
You have only made a change to the "scoped_multi_versions" function. It seems the same changes need to be applied to the "scoped_versions" function.
I added the fix to https://github.com/scmanjarrez/CVEScannerV2/blob/master/cvescannerv2.nse#L640, which is scoped_versions. The scoped_multi_versions code works a bit differently: NMAP sometimes returns a string like 4.X - 5.X, in that case I compare the version returned from the database; version_update isn't compared because every product-version-version_update is included by default if it's in the range of versions.
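To make the two lookup paths discussed in this thread concrete, here is an added example (not CVEScannerV2's own code) that models the exact-version lookup in "affected", the undetected-version fallback from the fix, and the range comparison in "multiaffected" against an in-memory SQLite copy of the cve.db tables. Table and column names come from the queries quoted above; the column order of multiaffected, the cves "year" column, the 2019 product row and the CVE-0000-PLACEHOLDER id are assumptions constructed for the example, and only numeric dotted versions are compared.

```python
import sqlite3

# Constructed sample database mirroring the cve.db tables named in the thread.
# Column order of multiaffected and the cves 'year' column are assumptions.
SAMPLE_DB = """
CREATE TABLE products (product_id INTEGER, product TEXT, version TEXT, version_update TEXT);
CREATE TABLE cves (cve_id TEXT, cvss_v2 REAL, cvss_v3 REAL, year INTEGER);
CREATE TABLE affected (cve_id TEXT, product_id INTEGER);
CREATE TABLE multiaffected (cve_id TEXT, product_id INTEGER, versionStartIncluding TEXT,
    versionStartExcluding TEXT, versionEndIncluding TEXT, versionEndExcluding TEXT);
INSERT INTO products VALUES (1,'skype_for_business','2015','*'), (2,'skype_for_business','2019','*'),
                            (3,'openssh','*','*');
INSERT INTO cves VALUES ('CVE-2020-1025',7.5,9.8,2020), ('CVE-2019-0624',3.5,5.4,2019),
    ('CVE-2022-33633',6.5,7.2,2022), ('CVE-2023-51767',NULL,7.0,2023),
    ('CVE-0000-PLACEHOLDER',5.0,6.0,2024);  -- constructed id, only affects the 2019 row
INSERT INTO affected VALUES ('CVE-2020-1025',1), ('CVE-2019-0624',1), ('CVE-2022-33633',1),
    ('CVE-2022-33633',2), ('CVE-0000-PLACEHOLDER',2);
INSERT INTO multiaffected VALUES ('CVE-2023-51767',3,NULL,NULL,NULL,'9.6');  -- "before 9.6"
"""

def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE_DB)
    return con

def scoped_versions(con, product, version, vupdate):
    """Exact-version lookup in 'affected'. An undetected version ('*' or None)
    falls back to every version of the product, as the fix in the thread does;
    the bug was matching products.version against the literal '*' instead."""
    sql = ("SELECT DISTINCT affected.cve_id, cves.cvss_v2, cves.cvss_v3 FROM products "
           "INNER JOIN affected ON products.product_id = affected.product_id "
           "INNER JOIN cves ON affected.cve_id = cves.cve_id WHERE products.product = ?")
    params = [product]
    if version not in (None, "*"):
        sql, params = sql + " AND products.version = ?", params + [version]
        if vupdate not in (None, "*"):  # version_update only narrows when nmap detected one
            sql, params = sql + " AND products.version_update = ?", params + [vupdate]
    return sorted(con.execute(sql, params).fetchall())

def _vkey(v):  # numeric dotted versions only; suffixes such as 'p1' are not handled here
    return tuple(int(p) for p in v.split("."))

def in_range(version, start_inc, start_exc, end_inc, end_exc):
    v = _vkey(version)
    return ((start_inc is None or v >= _vkey(start_inc)) and (start_exc is None or v > _vkey(start_exc))
            and (end_inc is None or v <= _vkey(end_inc)) and (end_exc is None or v < _vkey(end_exc)))

def scoped_multi_versions(con, product, version):
    """Range lookup in 'multiaffected': version_update is not compared, every
    product-version-version_update inside the range counts, as the thread explains."""
    rows = con.execute(
        "SELECT m.cve_id, cves.cvss_v2, cves.cvss_v3, m.versionStartIncluding, m.versionStartExcluding, "
        "m.versionEndIncluding, m.versionEndExcluding FROM multiaffected m "
        "INNER JOIN cves ON m.cve_id = cves.cve_id "
        "INNER JOIN products ON m.product_id = products.product_id WHERE products.product = ?",
        (product,)).fetchall()
    return [r[:3] for r in rows if version in (None, "*") or in_range(version, *r[3:])]
```

With the sample data, skype_for_business 2015 yields the three CVEs from the fixed scan output, an undetected version yields all four rows, and openssh 9.5 matches CVE-2023-51767 while 9.6 does not.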
Hello, the database is missing the following vulnerabilities CVE-2020-1025 CVE-2019-0624 CVE-2022-33633. How could this happen?