scmanjarrez / CVEScannerV2DB

NVD semiupdated database to be used with CVEScannerV2
GNU General Public License v3.0
11 stars, 7 forks

Missing the following vulnerabilities CVE-2020-1025 CVE-2019-0624 CVE-2022-33633 #4

Closed artvorlov closed 6 months ago

artvorlov commented 6 months ago

Hello, the database is missing the following vulnerabilities CVE-2020-1025 CVE-2019-0624 CVE-2022-33633. How could this happen?

artvorlov commented 6 months ago

I also noticed that there are no references to the vulnerability CVE-2023-51767 in the multiaffected table, although https://nvd.nist.gov/vuln/detail/CVE-2023-51767 indicates that OpenSSH is vulnerable before 9.6.

scmanjarrez commented 6 months ago

Hi, thanks for reporting it, I'll take a look

scmanjarrez commented 6 months ago

Are you running an outdated database? I've checked the latest gitlab-generated version found in an automated container, and all CVEs mentioned here are present:

They are matched in the cve.db with the correct SQL queries:

```sql
-- exact-version entries: one row in "affected" per concrete product version
SELECT affected.cve_id, cves.cvss_v2, cves.cvss_v3,
       products.product, products.version, products.version_update,
       (SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = affected.cve_id)) AS edb,
       (SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = affected.cve_id)) AS msf
FROM products
INNER JOIN affected ON products.product_id = affected.product_id
INNER JOIN cves ON affected.cve_id = cves.cve_id
WHERE affected.cve_id = 'CVE-2022-33633';

-- version-range entries: "multiaffected" carries the NVD start/end bounds
SELECT multiaffected.cve_id, cves.cvss_v2, cves.cvss_v3,
       multiaffected.versionStartIncluding, multiaffected.versionStartExcluding,
       multiaffected.versionEndIncluding, multiaffected.versionEndExcluding,
       products.product, products.version, products.version_update,
       (SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = multiaffected.cve_id)) AS edb,
       (SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = multiaffected.cve_id)) AS msf
FROM multiaffected
INNER JOIN cves ON multiaffected.cve_id = cves.cve_id
INNER JOIN products ON multiaffected.product_id = products.product_id
WHERE multiaffected.cve_id = 'CVE-2023-51767';
```


artvorlov commented 6 months ago

I apologize, I made a mistake. All mentioned CVEs are in the database. But for some reason the scanner did not return threats related to "cpe:/a:microsoft:skype_for_business:2015".

The program generated a query that returned an empty result:

```sql
SELECT multiaffected.cve_id, cves.cvss_v2, cves.cvss_v3,
       multiaffected.versionStartIncluding, multiaffected.versionStartExcluding,
       multiaffected.versionEndIncluding, multiaffected.versionEndExcluding,
       (SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = multiaffected.cve_id)) AS edb,
       (SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = multiaffected.cve_id)) AS msf
FROM multiaffected
INNER JOIN cves ON multiaffected.cve_id = cves.cve_id
WHERE product_id IN (SELECT product_id FROM products
                     WHERE product = 'skype_for_business' AND version = '*')
```

This is a dump of the parameters coming into the "vulnerabilities" function:

```
[1] = {
    ["reason"] = syn-ack,
    ["interface_mtu"] = 0,
    ["reason_ttl"] = 0,
    ["ip"] = 217.14.25.41,
    ["registry"] = <EMPTY_TABLE>,
    ["times"] = {
      ["timeout"] = 1.332448,
      ["srtt"] = 0.32554,
      ["rttvar"] = 0.251727,
    },
    ["name"] = access.fundayshop.com,
    ["bin_ip"] = �),
  },
  [2] = {
    ["reason"] = syn-ack,
    ["service"] = sip,
    ["version"] = {
      ["service_tunnel"] = ssl,
      ["name_confidence"] = 10.0,
      ["version"] = 2015,
      ["cpe"] = {
        [1] = cpe:/a:microsoft:skype_for_business:2015,
      },
      ["service_dtype"] = probed,
      ["name"] = sip,
      ["product"] = Microsoft Skype for Business SIP,
    },
    ["state"] = open,
    ["reason_ttl"] = 0,
    ["number"] = 443,
    ["protocol"] = tcp,
  },
  [3] = cpe:/a:microsoft:skype_for_business:2015,
  [4] = skype_for_business,
  [5] = {
    ["vup"] = *,
    ["range"] = false,
    ["empty"] = false,
    ["ver"] = 2015,
  }
```

But in the case of CVE-2023-51767, there really is no binding in the "multiaffected" table.

I used the latest version from the repository https://github.com/scmanjarrez/CVEScannerV2DB .

artvorlov commented 6 months ago

I'm sorry, I was inattentive again. Git pull didn't work for me, so the database was old. There are no problems with CVE-2023-51767 in the new database.

However, the problem with "cpe:/a:microsoft:skype_for_business:2015" is still relevant.

scmanjarrez commented 6 months ago

I don't see the problem. That CVE affects a specific version, not multiple versions:

```sql
-- skype_for_business 2015 is listed as a single exact version in "affected"
SELECT affected.cve_id, cves.cvss_v2, cves.cvss_v3,
       products.product, products.version, products.version_update,
       (SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = affected.cve_id)) AS edb,
       (SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = affected.cve_id)) AS msf
FROM products
INNER JOIN affected ON products.product_id = affected.product_id
INNER JOIN cves ON affected.cve_id = cves.cve_id
WHERE products.product = 'skype_for_business' AND products.version = '2015';
```


Oh, I'll check the code for cvescanner.nse, I see what you're referring to there.

scmanjarrez commented 6 months ago

Can you provide the full trace of `nmap --script cvescannerv2 -sV -p 8080 localhost -d -vvv`, redacting sensitive info ofc. I need to see the debug messages of cvescannerv2.nse

artvorlov commented 6 months ago

```
nmap --script cvescannerv2 -sV -p 443 X.X.X.X -d -vvv
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-29 19:10 +07
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Using Lua 5.3.
NSE: Arguments from CLI: 
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:11
NSE: Starting cvescannerv2.
NSE: [cvescannerv2] Timestamp: 2024-02-29T12:11:00+00:00
NSE: [cvescannerv2] CVE data source: nvd.nist.gov
NSE: [cvescannerv2] Script version: 3.1
NSE: Finished cvescannerv2.
Completed NSE at 19:11, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:11
Completed NSE at 19:11, 0.00s elapsed
Initiating Ping Scan at 19:11
Scanning X.X.X.X [2 ports]
Completed Ping Scan at 19:11, 0.30s elapsed (1 total hosts)
Overall sending rates: 6.65 packets / s.
mass_rdns: Using DNS server 127.0.0.53
Initiating Parallel DNS resolution of 1 host. at 19:11
mass_rdns: 0.85s 0/1 [#: 1, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
Completed Parallel DNS resolution of 1 host. at 19:11, 0.85s elapsed
DNS resolution of 1 IPs took 0.85s. Mode: Async [#: 1, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:11
Scanning sip.domain.com (X.X.X.X) [1 port]
Discovered open port 443/tcp on X.X.X.X
Completed Connect Scan at 19:11, 0.30s elapsed (1 total ports)
Overall sending rates: 3.36 packets / s.
Initiating Service scan at 19:11
Scanning 1 service on sip.domain.com (X.X.X.X)
Completed Service scan at 19:11, 55.32s elapsed (1 service on 1 host)
NSE: Script scanning X.X.X.X.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:11
NSE: Starting http-trane-info against X.X.X.X:443.
NSE: Starting vmware-version against X.X.X.X:443.
NSE: Starting cvescannerv2 against X.X.X.X:443.
NSE: [cvescannerv2 X.X.X.X:443] nmap cpe: cpe:/a:microsoft:skype_for_business:2015 | version: 2015
NSE: Starting cvescannerv2 against X.X.X.X.
NSE: Finished cvescannerv2 against X.X.X.X.
NSE: Starting hnap-info against X.X.X.X:443.
NSE: [cvescannerv2 X.X.X.X:443] http.request socket error: The script encountered an error:
- tcp failed:
- Failed to connect:
- Could not connect:
- TIMEOUT
NSE: [cvescannerv2 X.X.X.X:443] Error processing request http://X.X.X.X:443/ => Error creating socket.
NSE: [cvescannerv2 X.X.X.X:443] cpe => cpe:/a:microsoft:skype_for_business:2015 | version => 2015
NSE: [cvescannerv2 X.X.X.X:443] product => skype_for_business | version => 2015
NSE: Finished cvescannerv2 against X.X.X.X:443.
NSE: [http-trane-info X.X.X.X:443] http.request socket error: The script encountered an error:
- tcp failed:
- receive failed:
- TIMEOUT
NSE: [http-trane-info X.X.X.X:443] Unexpected response returned for 404 check: creating socket.
NSE: [vmware-version X.X.X.X:443] http.request socket error: The script encountered an error:
- tcp failed:
- receive failed:
- TIMEOUT
NSE: [vmware-version X.X.X.X:443] Couldn't download file: /sdk
NSE: Finished vmware-version against X.X.X.X:443.
NSE: Finished http-trane-info against X.X.X.X:443.
NSE: [hnap-info X.X.X.X:443] HTTP: Host returns proper 404 result.
NSE: Finished hnap-info against X.X.X.X:443.
Completed NSE at 19:12, 14.75s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:12
NSE: Starting http-server-header against X.X.X.X:443.
NSE: Finished http-server-header against X.X.X.X:443.
Completed NSE at 19:12, 10.46s elapsed
Nmap scan report for sip.domain.com (X.X.X.X)
Host is up, received syn-ack (0.30s latency).
Scanned at 2024-02-29 19:11:00 +07 for 82s

PORT    STATE SERVICE REASON  VERSION
443/tcp open  ssl/sip syn-ack Microsoft Skype for Business SIP 2015
|_cvescannerv2: 
Final times for host: srtt: 300244 rttvar: 226409  to: 1205880

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:12
NSE: Starting cvescannerv2.
NSE: Finished cvescannerv2.
Completed NSE at 19:12, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:12
Completed NSE at 19:12, 0.00s elapsed
Read from /usr/bin/../share/nmap: nmap-payloads nmap-service-probes nmap-services.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.37 seconds
```

scmanjarrez commented 6 months ago

I've already found the problem, I'll do some tests and apply the fix

scmanjarrez commented 6 months ago

Can you check the latest cvescanner.nse version? Now it should include every product version when the product version is not detected by nmap: https://github.com/scmanjarrez/CVEScannerV2/commit/9552c18d22b9803399ccf36598236682caeda126

artvorlov commented 6 months ago

Thank you very much! The problem is now fixed!

```
PORT    STATE SERVICE VERSION
443/tcp open  ssl/sip Microsoft Skype for Business SIP 2015
| cvescannerv2: 
|   product: skype_for_business
|   version: 2015
|   vupdate: *
|   cves: 3
|       CVE ID                  CVSSv2  CVSSv3  ExploitDB       Metasploit
|       CVE-2020-1025           7.5     9.8     No              No        
|       CVE-2022-33633          6.5     7.2     No              No        
|       CVE-2019-0624           3.5     5.4     No              No        
|_  

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.68 seconds
```

artvorlov commented 6 months ago

You have only made a change to the "scoped_multi_versions" function. It seems the same changes need to be applied to the "scoped_versions" function.

scmanjarrez commented 6 months ago

I added the fix to https://github.com/scmanjarrez/CVEScannerV2/blob/master/cvescannerv2.nse#L640, which is scoped_versions. The scoped_multi_versions code works a bit differently: NMAP sometimes returns a string like 4.X - 5.X, and in that case I compare the version returned from the database. version_update isn't compared, because every product-version-version_update is included by default if it's in the range of versions.
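The two lookups this thread is debugging, as an added example that is not code from CVEScannerV2 or its database: a constructed in-memory SQLite stand-in using the table and column names from the queries above (column types, sample rows and the version-ordering rule are my assumptions), an exact-version lookup via `affected`, a range lookup via `multiaffected` with the NVD start/end bounds evaluated in Python, and the post-fix behaviour of considering every stored version when nmap reports none (`*`).

```python
import re
import sqlite3
# Constructed in-memory stand-in for cve.db: only the columns the thread's queries
# use, with assumed types; rows are constructed (skype CVSS from the scan output).
SCHEMA = """
CREATE TABLE cves (cve_id TEXT PRIMARY KEY, cvss_v2 REAL, cvss_v3 REAL);
CREATE TABLE products (product_id INTEGER PRIMARY KEY, product TEXT, version TEXT, version_update TEXT);
CREATE TABLE affected (cve_id TEXT, product_id INTEGER);
CREATE TABLE multiaffected (cve_id TEXT, product_id INTEGER, versionStartIncluding TEXT,
    versionStartExcluding TEXT, versionEndIncluding TEXT, versionEndExcluding TEXT);
CREATE TABLE referenced_exploit (cve_id TEXT); CREATE TABLE referenced_metasploit (cve_id TEXT);
INSERT INTO cves VALUES ('CVE-2020-1025', 7.5, 9.8), ('CVE-2023-51767', NULL, NULL);
INSERT INTO products VALUES (1, 'skype_for_business', '2015', '*'), (2, 'openssh', '*', '*');
INSERT INTO affected VALUES ('CVE-2020-1025', 1);  -- one exact version
INSERT INTO multiaffected VALUES ('CVE-2023-51767', 2, NULL, NULL, NULL, '9.6');  -- openssh < 9.6
"""
FLAGS = """(SELECT EXISTS (SELECT 1 FROM referenced_exploit WHERE cve_id = c.cve_id)) AS edb,
    (SELECT EXISTS (SELECT 1 FROM referenced_metasploit WHERE cve_id = c.cve_id)) AS msf"""

def vkey(v):
    """Numeric runs compare as ints, letter runs as strings, so '9.5p1' < '9.6'."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.findall(r"\d+|[A-Za-z]+", v))

def in_range(ver, start_inc, start_exc, end_inc, end_exc):
    """Apply the four NVD range bounds (NULL/None = unbounded) to one version."""
    k = vkey(ver)
    return not ((start_inc and k < vkey(start_inc)) or (start_exc and k <= vkey(start_exc))
                or (end_inc and k > vkey(end_inc)) or (end_exc and k >= vkey(end_exc)))

def find_cves(conn, product, version):
    """Exact hits from `affected` plus range hits from `multiaffected`; '*'/None = any version."""
    wild = int(version in (None, "*"))
    hits = {}
    for r in conn.execute(f"""SELECT c.cve_id, c.cvss_v2, c.cvss_v3, {FLAGS}
        FROM products p JOIN affected a ON p.product_id = a.product_id
        JOIN cves c ON a.cve_id = c.cve_id
        WHERE p.product = ? AND (? OR p.version = ?)""", (product, wild, version)):
        hits[r[0]] = r
    for r in conn.execute(f"""SELECT c.cve_id, c.cvss_v2, c.cvss_v3, {FLAGS}, m.versionStartIncluding,
        m.versionStartExcluding, m.versionEndIncluding, m.versionEndExcluding
        FROM multiaffected m JOIN cves c ON m.cve_id = c.cve_id
        WHERE m.product_id IN (SELECT product_id FROM products WHERE product = ?)""", (product,)):
        if wild or in_range(version, *r[5:]):  # range check in Python, not in SQL
            hits[r[0]] = r[:5]
    return sorted(hits.values())

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```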