cvechecker(1)                  cvechecker Manual                 cvechecker(1)


NAME

       cvechecker - Attempt to identify possibly vulnerable software on the
       system


SYNOPSIS

       cvechecker [-i] [-l version.dat] [-b binlist.txt] [-c cvelist.csv] [-C]
       [-r] [-s] [-S] [-d] [-D] [-H] [-w watchlist.txt] [-f filename]


DESCRIPTION

       cvechecker is a tool that, simply stated, matches your installed
       software against an online database of potentially vulnerable software
       and reports the results back to you.

       To be able to identify which software is installed on your system,
       cvechecker asks you to load a list of filenames (such as the output of
       a find command) into the tool using the -b (or --binlist) argument. It
       will then try to match the files against an internal list of known
       software titles. If it finds a known software title, it will attempt
       to discover the version of this software title. This internal list can
       be updated using the -l (or --loaddata) argument.

       To identify potentially vulnerable software, cvechecker downloads the
       CVE entries from the Mitre site and stores them in the database. The
       CVE data and the scanned software on the system then provide the means
       to generate a report, listing software/version sets that have one (or
       more) CVE entries assigned to them.

       cvechecker also supports a watchlist. This is a file that contains the
       CPEs for which you want to watch for CVEs. The watchlist behaves as if
       the selected software is indeed installed on your system (so it will
       be visible in the reports that you pull from cvechecker). Using a
       watchlist allows administrators to add software that is not detectable
       by cvechecker (yet).


USAGE

   INITIALIZATION
       To use cvechecker, you first need to initialize the databases. If your
       installation uses a server RDBMS (instead of sqlite) this requires
       database owner privileges. Please consult the user guide for more
       information on how to initialize the database using SQL files (instead
       of database owner privileges) if this is not allowed on your system.

       cvechecker -i

       Next, download the CVE entries from the Internet as well as the version
       detection rules and load them in the database.

       pullcves pull

   LOAD SOFTWARE LIST
       Every time your system changes, you need to (re)load the software list
       in the database. Otherwise, cvechecker will keep on reporting about
       software and versions that you might not have anymore (or not report
       about software that you do have). A possible method is to use find to
       identify all executable commands and libraries and load those in
       cvechecker. I also recommend adding /proc/version as this allows
       cvechecker to validate Linux kernel vulnerabilities as well.

       find / -path /mnt -prune -o -path /media -prune -o -type f -perm -o+x -print > filelist.txt
       echo "/proc/version" >> filelist.txt
       cvechecker -b filelist.txt

       It is possible to only update a part of the file database when you add
       the -d (--deltaonly) option. This is useful when you integrate
       cvechecker with your package management system. It also supports
       removing a part of the entries in the database (such as when you
       uninstall software) when you add the -D (--deletedeltaonly) option.

   LOAD WATCHLIST
       Like the software list, you can have cvechecker load a watchlist. This
       load can happen concurrently with the filelist and also supports the
       delta options. Be aware though that, if you do not use the delta
       option, loading a watchlist will reload the database (clearing your
       detected software). As such, it is recommended to load the watchlist
       at the same time as your binary file listing, like so:

       cvechecker -b filelist.txt -w watchlist.txt

       In the reports, watchlist-provided software will have a filename
       starting with "<<provided>>" and named after the CPE they represent.

   LOAD LATEST CVE ENTRIES
       Pull in the latest CVE entries from the Internet (see also man
       pullcves).

       pullcves pull

   REPORT ON POTENTIAL VULNERABILITIES
       To get a report on potential vulnerabilities, run cvechecker with the
       -r argument.

       cvechecker -r

       If you want cvechecker to report on vulnerabilities that have been
       exposed in higher versions of the software that you have installed,
       you can add the -H (--reporthigher) option. However, be warned that
       this will give lots of false positives. The upside is that you can
       find potential vulnerabilities in software whose CVE entries don't
       contain all affected software versions (some CVEs only - falsely -
       contain the highest version where the vulnerability was present).

       cvechecker -r -H

       If you want to use the output of the command as input for other
       commands (for instance, to create a nice report), you can add the -C
       argument which makes the output CSV-like:

       cvechecker -r -C

   REPORT ON DETECTED SOFTWARE
       To get a report on the detected software, run cvechecker with the -s
       (only software) or -S (software with the files that led to the
       software detection) argument.

       cvechecker -s

       If you want to use the output of the command as input for other
       commands (for instance, to create a nice report), you can add the -C
       argument which makes the output CSV-like:

       cvechecker -s -C


COMMAND REFERENCE

       cvechecker supports the following arguments:

       -i, --initdbs
              Initialize the databases

       -l <datafile>, --loaddata=<datafile>
              Load the version detection rules

       -b <binlist>, --binlist=<binlist>
              Load the list of binaries available on the system. Accepts
              standard input if "-" is given.

       -c <cvelist>, --cvedata=<cvelist>
              Load the CSV file with CVE data. The CSV file can be generated
              with nvd2simple, part of the cvechecker package. Normally you
              don't need to call this argument as it will be done by pullcves
              anyway.

       -f <binfilepath>, --fileinfo=<binfilepath>
              Load a single file path in cvechecker. This allows you to verify
              whether cvechecker can identify the binary or not (as it will
              display the CPE data if it can)

       -r, --runcheck
              Match the identified software and versions against the known CVE
              entries and report them on the screen

       -C, --csvoutput
              Report using CSV-like output.

              Only interesting when used with -r or -s

       -s, --showinstalled
              Show the detected software/version sets of this system

       -S, --showinstalledfiles
              Show the detected software/version sets of this system together
              with the files that are used to detect this software/version set

       -d, --deltaonly
              The file passed on through the -b (--binlist) option only
              contains files that need to be added to the file database (and
              checked for versions) rather than a full file system dump

       -D, --deletedeltaonly
              The file passed on through the -b (--binlist) option only
              contains files that have been uninstalled from the system, and
              thus can be removed from the database

       -H, --reporthigher
              Do not only report on CVEs that affect software installed on
              your system, but also on CVEs that affect higher versions of the
              software that is installed on your system

       -w <watchlist>, --watchlist=<watchlist>
              Load the watchlist information (a file containing CPE entries -
              one per line - using the official CPE syntax)


CONFIGURATION FILE

       cvechecker will read the configuration file pointed to by the
       CVECHECKER_CONFFILE variable. If that variable is not set, it reads
       ~/.cvechecker.rc, /usr/local/etc/cvechecker.conf or
       /etc/cvechecker.conf, whichever comes first. This file contains the
       locations as well as other static parameters for the cvechecker
       application. An example configuration file is:

       #
       # Generic settings
       #
       dbtype = "mysql";
       #dbtype = "sqlite3";
       cvecache = "/var/lib/cvechecker/cache";
       datadir = "/usr/share/cvechecker";
       stringcmd = "/usr/bin/strings -n 3 '@file@'";
       version_url = "https://raw.github.com/sjvermeu/cvechecker/master/versions.dat";
       #userkey = "servertag";

       #
       # For SQLite3
       #
       sqlite3: {
         localdb = "/var/lib/cvechecker/local";
         globaldb = "/var/lib/cvechecker/global.db";
       }

       #
       # For MySQL
       #
       mysql: {
         dbname = "cvechecker";
         dbuser = "cvechecker_rw";
         dbpass = "passwordforcvechecker_rw";
         dbhost = "mysql.company.com";
       };

       The following options are supported:

       · dbtype tells the cvechecker application which back-end to use.
         Currently, "sqlite", "sqlite3" and "mysql" are supported (sqlite and
         sqlite3 result in the same back-end)

       · cvecache is a (cvechecker writeable) directory where pullcves will
         download all XML files and store the transformed XML2CSV files
         (containing the CVE entry data). Although they are not used anymore
         after being imported into the local databases, pullcves relies on
         the availability of the XML files to find out if it needs to
         (re)download and import CVE entries. So if you want to clean out the
         directory, make (empty) files named after the XML files so that
         pullcves does not redownload and reimport the CVE entry data (not
         that this will render the application unusable, but it takes a
         while)

       · datadir is a directory where cvechecker-related files are stored,
         including the XSLT transformation files used to convert CVE XML
         files into CSV files as well as the sample reporting files as used
         in this document

       · stringcmd is the command that cvechecker launches against a file to
         get the file's content. Currently, this is the only supported method
         for cvechecker to identify the software/version.

       · version_url is the location where pullcves can find the latest
         software/version matching rules to identify installed software on
         the system.

       · servertag is an optional setting that is used in case of server RDBMS
         backends to differentiate between the cvechecker clients. It is
         optional, because cvechecker already uses the client's hostname as a
         key, but users can define a second one. This can be either because
         they want to run multiple clients from the same system/hostname, or
         because they want a more proper key for their identification (such
         as a server serial id or asset tag). This key is displayed in the
         reports.

       · sqlite3: combines all sqlite specific settings, which are:

         · localdb is a (cvechecker writeable) directory where cvechecker
           will store its sqlite3 databases containing the CPE data
           (identification information of software/versions) as well as the
           local system's matching file/software pairs and all downloaded CVE
           entries

         · globaldb is a (cvechecker writeable) sqlite3 database containing
           the software/version matching rules and CPEs associated with these
           rules

       · mysql: combines all mysql specific settings, which are:

         · dbname is the name of the cvechecker database

         · dbuser is the user that cvechecker uses to connect to the database

         · dbpass is the password that cvechecker uses to connect to the
           database and authenticate itself

         · dbhost is the hostname where the database resides


CVECHECKER IS NOT COMPLETE

       The strength of cvechecker can only be fully used if the list of
       supported software is huge. Currently, the list is too small to cover
       most systems. However, if you want to help us out in creating a larger
       database, please read on.

       The format used to import software detection rules is as follows:

       ,[filepart],1,[fileregexp],[contentregexp],a,[vendor],[product],[version],[update],[edition],[language]

       The first comma tells cvechecker what the field separator is, so if you
       need to use the comma in a regular expression, you can use a different
       field separator. Just start the line with the separator.

       · filepart is a string which cvechecker will match against the filename
         (not fully qualified). If it matches, cvechecker will continue with
         this file's investigation. This is merely for performance reasons

       · 1 is the type of check that cvechecker will execute to find out about
         the software's version. Currently, only 1 is supported. In the
         future, more methods will be added.

         · The "1" method uses the output of strings <file>. The output is
           then matched against a regular expression (with grouping) and the
           results of the matches are then used to identify the version,
           edition, ... of the software

       · fileregexp is a regular expression statement that cvechecker will run
         against the filename (not fully qualified). If it matches, cvechecker
         will continue with this file's investigation.

       · contentregexp is a regular expression statement that cvechecker will
         run against the output of the strings <file> command. If it matches,
         the same regular expression's grouping output will be used to fill
         in the metadata about the software

       · a means that this is an application match. Other values are h
         (hardware) or o (operating system). From this point onwards, all
         next fields are part of the CPE specification

       · vendor is the vendor name of the software. You can deduce the vendor
         name by surfing to the software's homepage/vendor's homepage. The
         vendor name is the domain name, without any prefix or suffix. For
         instance, www.redhat.com yields "redhat". If no vendor exists, then
         the vendor is the name of the author. For instance, Sven Vermeulen
         yields "sven_vermeulen".

       · product is the name of the software title itself

       · version is the version of the software. It will most likely use
         grouping references (\1, \2, ...) from the regular expression

       · update is the update of the software. It will either be empty, or use
         the grouping references (\1, \2, ...) from the regular expression

       · edition is the edition of the software. It will either be empty, or
         use the grouping references (\1, \2, ...) from the regular expression

       · language is the language of the software. It will either be empty, or
         use the grouping references (\1, \2, ...) from the regular expression

       I have mentioned CPE. CPE stands for Common Platform Enumeration and is
       a standard for identifying a product with version. More information on
       CPE can be found at http://nvd.nist.gov/cpe.cfm and
       http://cpe.mitre.org/specification/index.html.

       A few examples of these detection rules:

       ,ncftp,1,ncftp,^.*NcFTP ([0-9\.]+)/([0-9]+) .*,a,ncftp_software,ncftp,\1,\2,,
       ,libflashplayer.so,1,libflashplayer.so,FlashPlayer_([0-9]+)_([0-9]+)_([0-9]+)_([0-9]+)_FlashPlayer,a,adobe,flash_player,\1.\2.\3.\4,,,
       ,perl,1,perl.*,/usr/lib/perl5/site_perl/([^/]+)/,a,perl,perl,\1,,,
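
       As an added example (not code from cvechecker itself), the following
       Python script parses rules in the format described above and applies
       the "1" check to strings output the way cvechecker does for a single
       file with -f. The file names and strings output are constructed, and
       the assembly of the resulting CPE 2.2 URI (trailing empty components
       dropped) is an assumption of this example.

```python
import os
import re

# Constructed rule set in the import format described above (the three example
# rules from this page). The first character of each line is the field separator.
RULES = [
    r",ncftp,1,ncftp,^.*NcFTP ([0-9\.]+)/([0-9]+) .*,a,ncftp_software,ncftp,\1,\2,,",
    r",libflashplayer.so,1,libflashplayer.so,FlashPlayer_([0-9]+)_([0-9]+)_([0-9]+)_([0-9]+)_FlashPlayer,a,adobe,flash_player,\1.\2.\3.\4,,,",
    r",perl,1,perl.*,/usr/lib/perl5/site_perl/([^/]+)/,a,perl,perl,\1,,,",
]

FIELDS = ("filepart", "checktype", "fileregexp", "contentregexp", "part",
          "vendor", "product", "version", "update", "edition", "language")
CPE_FIELDS = FIELDS[5:]

def parse_rule(line):
    """Split one rule line into its fields; the leading character is the separator."""
    sep = line[0]
    values = line[1:].split(sep)
    if len(values) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    rule = dict(zip(FIELDS, values))
    if rule["checktype"] != "1":  # only the strings(1)-based method exists today
        raise ValueError("unsupported check type %r" % rule["checktype"])
    return rule

def to_cpe(part, components):
    """Assemble a CPE 2.2 URI; dropping trailing empty components is an assumption."""
    while components and components[-1] == "":
        components.pop()
    return "cpe:/" + ":".join([part] + components)

def match_rule(rule, path, strings_output):
    """Method 1: substring prefilter on the basename, then fileregexp on the
    basename, then contentregexp on each strings(1) line. Returns a CPE or None."""
    name = os.path.basename(path)
    if rule["filepart"] not in name or not re.search(rule["fileregexp"], name):
        return None
    for line in strings_output:
        m = re.search(rule["contentregexp"], line)
        if m:
            # \1, \2, ... in the CPE fields refer to groups of contentregexp
            return to_cpe(rule["part"], [m.expand(rule[f]) for f in CPE_FIELDS])
    return None

def identify(path, strings_output, rules=RULES):
    """CPEs of every rule matching this file, i.e. what -f would show for it."""
    parsed = [parse_rule(r) for r in rules]
    return [c for c in (match_rule(r, path, strings_output) for r in parsed) if c]

if __name__ == "__main__":
    # Constructed strings(1) output for a hypothetical NcFTP client binary.
    sample = ["NcFTP 3.2.5/1300 Jan 01 2013", "Usage: ncftp [host]"]
    print(identify("/usr/bin/ncftp", sample))  # ['cpe:/a:ncftp_software:ncftp:3.2.5:1300']
```

       A rule that starts with a different separator (for instance "|") is
       handled by the same parser, which is how a comma can be used inside a
       regular expression.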

AUTHOR

       cvechecker was written by Sven Vermeulen <sven.vermeulen@siphos.be>.



August 17, 2013                 17 August 2013                   cvechecker(1)