NVT does not detect the vulnerable package in Debian distro
Uğur ÇİL
2018-05-29 12:13:57 UTC
Hi,

First things first: I am a newbie to OpenVAS plugins.
I have developed my own NVT and successfully added it to OpenVAS. I can
see it under the NVTs on the Web UI and under "Configuration->Scan Configs->Full
and Fast->Debian Local Security Checks".

Also, I have set SSH credentials for a Debian server and started a task. That
server includes the *"openjdk-7-jre:amd64 7u171-2.6.13-1~deb8u1 amd64 OpenJDK Java
runtime, using Hotspot JIT"* package. BUT my NVT cannot detect that package,
so there was no result about it.

I cannot understand the problem, maybe my NVT has something missing...

If you guys could take a look at it, I would really appreciate it...

Here is the NVT:

if(description)
{
  script_summary("Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162 and 10; Java SE Embedded: 8u161. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).");

  script_oid("1.3.6.1.4.1.25623.1.1.303709.00809628");
  script_version("$Revision: 35 $");
  script_tag(name:"last_modification", value:"$Date: 2018-01-15 10:03:42 +0100 (Mon, 15 Jan 2018) $");
  script_tag(name:"creation_date", value:"$Date: 2018-01-10 10:03:42 +0100 (Mon, 15 Jan 2018) $");
  script_tag(name:"cvss_base", value:"5.1");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");

  script_tag(name:"qod_type", value:"package");

  script_tag(name:"solution_type", value:"VendorFix");

  script_cve_id("CVE-2018-2814");

  script_name("NVT-2018-809628");

  script_category(ACT_GATHER_INFO);

  script_copyright("Ugur Copyright (c)");
  script_family("Debian Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-deb.inc");

res = "";
report = "";
if ((res = isdpkgvuln(pkg:"icedtea-7-jre-jamvm", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-dbg", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-demo", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-doc", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-jdk", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-jre", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-jre-headless", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-jre-lib", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-jre-zero", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}
if ((res = isdpkgvuln(pkg:"openjdk-7-source", ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE )) != NULL) {
  report += res;
}

if (report != "") {
  security_message(data:report);
} else if (__pkg_match) {
  exit(99); # Not vulnerable.
}
Christian Fischer
2018-06-07 10:23:31 UTC
Hi,
Thank you very much. I have been dealing with this issue for a long time.
Is there any reference document for this kind of tricky point? I mean, if
didn't explain the 'ver' argument I would never have understood that it should be
the fixed version number..
Thanks again..
there is no real documentation about things like this available. It
The best start is to learn from existing NASL scripts.
from http://openvas.org/nvt-dev.html#how_to_start applies here.

Regards,
On Sun, Jun 3, 2018 at 3:54 PM, Christian Fischer <
Hi,
That server includes *"openjdk-7-jre:amd64
7u171-2.6.13-1~deb8u1 amd64 OpenJDK Java
*snip*
if ((res = isdpkgvuln(pkg:"openjdk-7-jre",
ver:"7u171-2.6.13-1~deb8u1", rls_regex:"DEB8\.[0-9]+", remove_arch:TRUE
the "ver" argument of the isdpkgvuln() function takes the version of the
package containing a fix for the specific vulnerability.
If you have version 7u171-2.6.13-1~deb8u1 of openjdk-7-jre installed at
the target then it is expected that no vulnerability is showing up with
your current NVT.
As the https://security-tracker.debian.org/tracker/CVE-2018-2814 seems
to be "unfixed" in Debian 8/Jessie you need to assume a higher version
like 7u171-2.6.13-1~deb8u2 in isdpkgvuln until a fixed package is
available.
Regards,
--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
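
The point made in the reply above, as an added example (not code from the thread and not the pkg-lib-deb.inc implementation): a Python model of Debian version ordering, assuming the check reports a package only when the installed version sorts lower than "ver". The names deb_compare and flagged are hypothetical, and the version ending in "-1" used in the test is constructed.

```python
import re
from itertools import zip_longest

def _order(c):
    # dpkg character weights: '~' sorts before end-of-string (0),
    # letters sort before all other punctuation.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Walk alternating (non-digit, digit) chunks of both strings.
    chunks = lambda s: re.findall(r"(\D*)(\d*)", s)
    for (ta, na), (tb, nb) in zip_longest(chunks(a), chunks(b), fillvalue=("", "")):
        ka = [_order(c) for c in ta] + [0]
        kb = [_order(c) for c in tb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision follows the LAST hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def flagged(installed, fixed_ver):
    # Assumed model of the check: report only when installed < fixed_ver.
    return deb_compare(installed, fixed_ver) < 0

INSTALLED = "7u171-2.6.13-1~deb8u1"  # from the dpkg line quoted in the thread

if __name__ == "__main__":
    for ver in ("7u171-2.6.13-1~deb8u1", "7u171-2.6.13-1~deb8u2"):
        print(ver, "->", "reported" if flagged(INSTALLED, ver) else "not reported")
```

With "ver" equal to the installed version nothing is reported; with the deb8u2 placeholder suggested in the reply the package is reported. Because "~" sorts before everything, a "~deb8uN" revision also sorts below the same revision without the suffix.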
Uğur ÇİL
2018-09-27 11:59:01 UTC
Ok, thanks.
