cvechecker(1)                  cvechecker Manual                 cvechecker(1)

NAME
cvechecker - attempt to identify possibly vulnerable software on the system

SYNOPSIS
cvechecker [-i] [-l version.dat] [-b binlist.txt] [-c] [-C] [-r] [-s]
[-S] [-d] [-D] [-H] [-w watchlist.txt] [-f filename]

DESCRIPTION
cvechecker is a tool that, simply stated, matches your installed software
against an online database of potentially vulnerable software and reports
the results back to you.

To be able to identify which software is installed on your system,
cvechecker asks you to load a list of filenames (such as the output of a
find command) into the tool using the -b (or --binlist) argument. It will
then try to match the files against an internal list of known software
titles. If it finds a known software title, it will attempt to discover the
version of that software. This internal list can be updated using the -l (or
--loaddata) argument.

To identify potentially vulnerable software, cvechecker downloads the CVE
entries from the Mitre site and stores them in the database. Combining the
CVE data with the software scanned on the system then provides the means to
generate a report, listing software/version sets that have one (or more) CVE
entries assigned to them.

cvechecker also supports a watchlist. This is a file that contains the CPEs
for which you want to watch for CVEs. The watchlist behaves as if the
selected software is indeed installed on your system (so it will be visible
in the reports that you pull from cvechecker). Using a watchlist allows
administrators to add software that is not (yet) detectable by cvechecker.

USAGE
INITIALIZATION
To use cvechecker, you first need to initialize the databases. If your
installation uses a server RDBMS (instead of sqlite) this requires database
owner privileges. Please consult the user guide for more information on how
to initialize the database using SQL files (instead of as the database
owner) if this is not allowed on your system.

cvechecker -i

Next, download the CVE entries from the Internet as well as the version
detection rules and load them into the database.

pullcves pull

LOAD SOFTWARE LIST
Every time your system changes, you need to (re)load the software list into
the database. Otherwise, cvechecker will keep on reporting about software
and versions that you might not have anymore (or not report about software
that you do have). A possible method is to use find to identify all
executable commands and libraries and load those into cvechecker. I also
recommend adding /proc/version, as this allows cvechecker to validate Linux
kernel vulnerabilities as well.

find / -path /mnt -prune -o -path /media -prune -o -type f -perm -o+x -print > scanlist.txt
echo "/proc/version" >> scanlist.txt
cvechecker -b scanlist.txt

It is possible to only update a part of the file database when you add the
-d (--deltaonly) option. This is useful when you integrate cvechecker with
your package management system. It also supports removing a part of the
entries in the database (such as when you uninstall software) when you add
the -D (--deletedeltaonly) option.

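The following script is an added example and not part of cvechecker: it
builds the scan list as described above, keeps a copy of the previous run,
and hands only the added files to -d and only the removed files to -D, which
is what a package-manager hook would do. The state directory
(/var/lib/cvechecker/scanstate) and the helper names are this example's own
assumptions, not cvechecker defaults; cvechecker is only invoked when it is
installed, so the helpers can be exercised on their own.

```shell
#!/bin/sh
# Added example, not part of cvechecker: full scan on first use, delta loads
# (-d for new files, -D for removed files) afterwards.
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# build_scanlist ROOT OUT [EXTRA...]: world-executable regular files below
# ROOT (skipping /mnt and /media as in the man page) plus any readable EXTRA
# path such as /proc/version, sorted into OUT.
build_scanlist() {
    root=$1; out=$2; shift 2
    {
        find "$root" -path /mnt -prune -o -path /media -prune -o \
            -type f -perm -o+x -print 2>/dev/null
        for extra in "$@"; do
            if [ -r "$extra" ]; then printf '%s\n' "$extra"; fi
        done
    } | sort > "$out"
}

# scan_delta OLD NEW ADDED REMOVED: lines only in NEW go to ADDED (input for
# -d), lines only in OLD go to REMOVED (input for -D). Inputs must be sorted.
scan_delta() {
    comm -13 "$1" "$2" > "$3"
    comm -23 "$1" "$2" > "$4"
}

# run_cvechecker ARGS...: call cvechecker if installed, otherwise show the
# command that would have been run.
run_cvechecker() {
    if command -v cvechecker >/dev/null 2>&1; then
        cvechecker "$@"
    else
        echo "would run: cvechecker $*"
    fi
}

# run_delta_scan: compare against the previous list kept in the state
# directory (assumed location, not a cvechecker default).
run_delta_scan() {
    state=${CVECHECKER_STATE:-/var/lib/cvechecker/scanstate}
    mkdir -p "$state"
    build_scanlist / "$state/new.txt" /proc/version
    if [ -s "$state/old.txt" ]; then
        scan_delta "$state/old.txt" "$state/new.txt" "$state/added.txt" "$state/removed.txt"
        if [ -s "$state/added.txt" ]; then run_cvechecker -d -b "$state/added.txt"; fi
        if [ -s "$state/removed.txt" ]; then run_cvechecker -D -b "$state/removed.txt"; fi
    else
        run_cvechecker -b "$state/new.txt"
    fi
    mv "$state/new.txt" "$state/old.txt"
}

# Only scan the real file system when asked for explicitly: ./deltascan.sh run
case ${1:-} in
    run) run_delta_scan ;;
esac
```

Without a previous list the script falls back to a full -b load, which is
also the recovery path when the state directory is lost; a -d load against an
empty database would otherwise leave cvechecker unaware of everything that
was already installed.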
LOAD WATCHLIST
Like the software list, you can have cvechecker load a watchlist. This load
can happen concurrently with the file list and also supports the delta
options. Be aware though that, if you do not use the delta option, loading a
watchlist will reload the database (clearing your detected software). As
such, it is recommended to load the watchlist at the same time as your
binary file listing, like so:

cvechecker -b filelist.txt -w watchlist.txt

In the reports, watchlist-provided software will have a filename starting
with "<<provided>>" and named after the CPE they represent.

LOAD LATEST CVE ENTRIES
Pull in the latest CVE entries from the Internet (see also man pullcves):

pullcves pull

REPORT ON POTENTIAL VULNERABILITIES
To get a report on potential vulnerabilities, run cvechecker with the -r
argument.

cvechecker -r

If you want cvechecker to report on vulnerabilities that have been exposed
in higher versions of the software you have installed, you can add the -H
(--reporthigher) option. However, be warned that this will give lots of
false positives. The upside is that you can find potential vulnerabilities
in software whose CVE entries don't list all affected software versions
(some CVEs only - falsely - list the highest version in which the
vulnerability was present).

cvechecker -r -H

If you want to use the output of the command as input for other commands
(for instance, to create a nice report), you can add the -C argument, which
makes the output CSV-like:

cvechecker -r -C

REPORT ON DETECTED SOFTWARE
To get a report on the detected software, run cvechecker with the -s (only
software) or -S (software together with the files that led to its
detection) argument.

cvechecker -s

If you want to use the output of the command as input for other commands
(for instance, to create a nice report), you can add the -C argument, which
makes the output CSV-like:

cvechecker -s -C

OPTIONS
cvechecker supports the following arguments:

-i, --initdbs
       Initialize the databases

-l <datafile>, --loaddata=<datafile>
       Load the version detection rules

-b <binlist>, --binlist=<binlist>
       Load the list of binaries available on the system. Accepts standard
       input if "-" is given.

-c <cvelist>, --cvedata=<cvelist>
       Load the CSV file with CVE data. The CSV file can be generated with
       nvd2simple, part of the cvechecker package. Normally you don't need to
       call this argument as it will be done by pullcves anyway.

-f <binfilepath>, --fileinfo=<binfilepath>
       Load a single file path into cvechecker. This allows you to verify
       whether cvechecker can identify the binary (it will display the CPE
       data if it can).

-r, --runcheck
       Match the identified software and versions against the known CVE
       entries and report them on the screen

-C, --csvoutput
       Report using CSV-like output. Only useful when combined with -r or -s.

-s, --showinstalled
       Show the detected software/version sets of this system

-S, --showinstalledfiles
       Show the detected software/version sets of this system together with
       the files that were used to detect each software/version set

-d, --deltaonly
       The file passed through the -b (--binlist) option only contains files
       that need to be added to the file database (and checked for versions)
       rather than a full file system dump

-D, --deletedeltaonly
       The file passed through the -b (--binlist) option only contains files
       that have been uninstalled from the system, and thus can be removed
       from the database

-H, --reporthigher
       Do not only report on CVEs that affect software installed on your
       system, but also on CVEs that affect higher versions of the software
       that is installed on your system

-w <watchlist>, --watchlist=<watchlist>
       Load the watchlist information (a file containing CPE entries - one
       per line - using the official CPE syntax)

CONFIGURATION
cvechecker will read the configuration file pointed to by the
CVECHECKER_CONFFILE variable. If that variable is not set, it uses
~/.cvechecker.rc, /usr/local/etc/cvechecker.conf or /etc/cvechecker.conf,
whichever is found first. This file contains the locations as well as other
static parameters for the cvechecker application. An example configuration
file is:

#
# Generic settings
#
dbtype = "mysql";
#dbtype = "sqlite3";
cvecache = "/var/lib/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "https://raw.github.com/sjvermeu/cvechecker/master/versions.dat";
#userkey = "servertag";

#
# For SQLite3
#
sqlite3: {
  localdb = "/var/lib/cvechecker/local";
  globaldb = "/var/lib/cvechecker/global.db";
};

#
# For MySQL
#
mysql: {
  dbname = "cvechecker";
  dbuser = "cvechecker_rw";
  dbpass = "passwordforcvechecker_rw";
  dbhost = "mysql.company.com";
};

The following options are supported:

· dbtype tells the cvechecker application which back-end to use. Currently,
  "sqlite", "sqlite3" and "mysql" are supported (sqlite and sqlite3 result
  in the same back-end)

· cvecache is a (cvechecker-writable) directory where pullcves will
  download all XML files and store the transformed XML2CSV files (containing
  the CVE entry data). Although they are not used anymore after being
  imported into the local databases, pullcves relies on the availability of
  the XML files to find out whether it needs to (re)download and import CVE
  entries. So if you want to clean out the directory, create (empty) files
  named after the XML files so that pullcves does not redownload and
  reimport the CVE entry data (not that this would render the application
  unusable, but it takes a while)

· datadir is a directory where cvechecker-related files are stored,
  including the XSLT transformation files used to convert CVE XML files into
  CSV files as well as the sample reporting files used in this document

· stringcmd is the command that cvechecker launches against a file to get
  the file's content. Currently, this is the only supported method for
  cvechecker to identify the software/version.

· version_url is the location where pullcves can find the latest
  software/version matching rules to identify installed software on the
  system.

· servertag is an optional setting that is used in case of server RDBMS
  back-ends to differentiate between the cvechecker clients. It is optional
  because cvechecker already uses the client's hostname as a key, but users
  can define a second one. This can be because they want to run multiple
  clients from the same system/hostname, or because they want a more proper
  key for their identification (such as a server serial id or asset tag).
  This key is displayed in the reports.

· sqlite3: combines all sqlite-specific settings, which are:

    · localdb is a (cvechecker-writable) directory where cvechecker will
      store its sqlite3 databases containing the CPE data (identification
      information of software/versions) as well as the local system's
      matching file/software pairs and all downloaded CVE entries

    · globaldb is a (cvechecker-writable) sqlite3 database containing the
      software/version matching rules and the CPEs associated with these
      rules

· mysql: combines all mysql-specific settings, which are:

    · dbname is the name of the cvechecker database

    · dbuser is the user that cvechecker uses to connect to the database

    · dbpass is the password that cvechecker uses to connect to the
      database and authenticate itself

    · dbhost is the hostname where the database resides

The strength of cvechecker can only be fully used if the list of supported
software is large. Currently, the list is too small to cover most systems.
However, if you want to help us out in creating a larger database, please
read on.

The format used to import software detection rules is as follows:

,[filepart],1,[fileregexp],[contentregexp],a,[vendor],[product],[version],[update],[edition],[language]

The first comma tells cvechecker what the field separator is, so if you need
to use the comma in a regular expression, you can use a different field
separator. Just start the line with the separator.

· filepart is a string which cvechecker will match against the filename
  (not fully qualified). If it matches, cvechecker will continue with this
  file's investigation. This is merely for performance reasons

· 1 is the type of check that cvechecker will execute to find out about the
  software's version. Currently, only 1 is supported. In the future, more
  methods will be added.

    · The "1" method uses the output of strings <file>. The output is then
      matched against a regular expression (with grouping) and the results
      of the matches are then used to identify the version, edition, ... of
      the software

· fileregexp is a regular expression that cvechecker will run against the
  filename (not fully qualified). If it matches, cvechecker will continue
  with this file's investigation.

· contentregexp is a regular expression that cvechecker will run against
  the output of the strings <file> command. If it matches, the same regular
  expression's grouping output will be used to fill in the metadata about
  the software

· a means that this is an application match. Other values are h (hardware)
  or o (operating system). From this point onwards, all following fields
  are part of the CPE specification

· vendor is the vendor name of the software. You can deduce the vendor name
  by surfing to the software's homepage/vendor's homepage. The vendor name
  is the domain name, without any prefix or suffix. For instance,
  www.redhat.com yields "redhat". If no vendor exists, then the vendor is
  the name of the author. For instance, Sven Vermeulen yields
  "sven_vermeulen".

· product is the name of the software title itself

· version is the version of the software. It will most likely use grouping
  references (\1, \2, ...) from the regular expression

· update is the update of the software. It will either be empty, or use the
  grouping references (\1, \2, ...) from the regular expression

· edition is the edition of the software. It will either be empty, or use
  the grouping references (\1, \2, ...) from the regular expression

· language is the language of the software. It will either be empty, or use
  the grouping references (\1, \2, ...) from the regular expression

I have mentioned CPE. CPE stands for Common Platform Enumeration and is a
standard for identifying a product with version. More information on CPE
can be found at http://nvd.nist.gov/cpe.cfm and
http://cpe.mitre.org/specification/index.html.

A few examples of these detection rules:

,ncftp,1,ncftp,^.*NcFTP ([0-9\.]+)/([0-9]+) .*,a,ncftp_software,ncftp,\1,\2,,
,libflashplayer.so,1,libflashplayer.so,FlashPlayer_([0-9]+)_([0-9]+)_([0-9]+)_([0-9]+)_FlashPlayer,a,adobe,flash_player,\1.\2.\3.\4,,,
,perl,1,perl.*,/usr/lib/perl5/site_perl/([^/]+)/,a,perl,perl,\1,,,

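To see how the fields of such a rule work together, the following added
example (not cvechecker's own code, which is written in C) applies one rule
in the format above to a file name and to the strings(1) output of that file
and prints the CPE it would yield. It reads the separator from the first
character, pre-filters on filepart, checks fileregexp against the base name,
runs contentregexp over the content and fills the CPE components from the
regular expression groups with sed. The function name match_rule, the
cpe:/a:... URI form it prints and the sample strings dump are this
example's own assumptions; the rule itself is the ncftp rule from above.

```shell
#!/bin/sh
# Added example, not part of cvechecker: evaluate one detection rule against
# a file name plus the strings(1) output of that file.

# match_rule RULE FILENAME CONTENT: returns 0 and prints the CPE on a match,
# 1 when the rule does not apply, 2 for an unsupported check type.
match_rule() {
    rule=$1; fname=$2; content=$3
    sep=$(printf '%s' "$rule" | cut -c1)     # first character is the separator
    # split on the rule's own separator; -r keeps the \1 \2 group references
    IFS="$sep" read -r lead filepart type fileregexp contentregexp part \
        vendor product version update edition language <<EOF
$rule
EOF
    [ "$type" = 1 ] || return 2              # only the strings-based check exists
    base=$(basename "$fname")
    case $base in *"$filepart"*) ;; *) return 1 ;; esac   # cheap pre-filter
    printf '%s\n' "$base" | grep -Eq "$fileregexp" || return 1
    # first line of the content that matches, reduced to the matched part
    line=$(printf '%s\n' "$content" | grep -Eo "$contentregexp" | head -n 1)
    [ -n "$line" ] || return 1
    # fill the CPE components from the regexp groups; pick a sed delimiter
    # that occurs in neither the regexp nor the template
    tmpl="$vendor:$product:$version:$update:$edition:$language"
    for d in '%' '#' '@' '~' '|'; do
        case "$contentregexp$tmpl" in *"$d"*) continue ;; esac
        break
    done
    cpe=$(printf '%s\n' "$line" | sed -E "s${d}${contentregexp}${d}${tmpl}${d}")
    printf 'cpe:/%s:%s\n' "$part" "$cpe" | sed 's/:*$//'   # drop empty trailing components
}

# Constructed sample: the ncftp rule from the man page against a made-up
# strings dump of /usr/bin/ncftp (the version number is invented).
sample_rule=',ncftp,1,ncftp,^.*NcFTP ([0-9\.]+)/([0-9]+) .*,a,ncftp_software,ncftp,\1,\2,,'
sample_strings='ELF
NcFTP 3.2.5/1234 (constructed sample)
GCC: (GNU) 4.7'
match_rule "$sample_rule" /usr/bin/ncftp "$sample_strings"
# prints: cpe:/a:ncftp_software:ncftp:3.2.5:1234
```

Feeding a real file is a matter of replacing the sample content with the
output of the configured stringcmd, for instance "$(strings -n 3 "$f")".
Note that contentregexp is matched per line of strings output, which is why
the rules above anchor on a single version string rather than spanning
several lines.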
AUTHOR
cvechecker was written by Sven Vermeulen <sven.vermeulen@siphos.be>.

17 August 2013                                                 cvechecker(1)