cvechecker - Man Page

Attempt to identify possible vulnerable software on the system

Synopsis

cvechecker [-i] [-l version.dat] [-b binlist.txt] [-c] [-C] [-r] [-s] [-S] [-d] [-D] [-H] [-w watchlist.txt] [-f filename]

Description

cvechecker is a tool that, simply stated, matches your installed software versus an online database of potential vulnerable software and report the results back to you.

To be able to identify which software is installed on your system, cvechecker asks you to load a list of filenames (such as the output of a find command) into the tool using the -b (or --binlist) argument. It will then try to match the files against an internal list of known softwares. If it finds a known software title, it will attempt to discover the version of this software title. This internal list can be updated using the -l (or --loaddata) arguments.

To identify potential vulnerable software, cvechecker downloads the CVE entries from the Mitre site and stores it in the database. The results of the CVE data and the scanned software on the system then provides us with the means to generate a report, listing software/version sets that have one (or more) CVE entries assigned to them.

cvechecker also supports a watchlist. This is a file that contains the CPEs for which you want to watch for CVEs. The watchlist behaves as if the selected software is indeed installed on your system (so it will be visible in the reports that you pull from cvechecker). Using a watchlist allows administrators to add software that is not detectable by cvechecker (yet).

Usage

Initialization

To use cvechecker, you first need to initialize the the databases. If your installation uses a server RDBMS (instead of sqlite) this requires database owner privileges. Please consult the user guide for more information on how to initialize the database using SQL files (instead of database owner) if this is not allowed on your system.

cvechecker -i

Next, download the CVE entries from the Internet as well as the version detection rules and load them in the database.

pullcves pull

Load Software List

Every time your system changes, you need to (re)load the software list in the database. Otherwise, cvechecker will keep on reporting about software and versions that you might not have anymore (or not report about software that you have). A possible method is to use find to identify all executable commands and libraries and load those in cvechecker. I also recommend to add /proc/version as this allows cvechecker to validate Linux kernel vulnerabilities as well.

find / -path /mnt -prune -o -path /media -prune -o -type f -perm -o+x > scanlist.txt 
echo "/proc/version" >> scanlist.txt
cvechecker -b filelist.txt

It is possible to only update a part of the file database when you add the -d (--deltaonly) option. This is useful when you integrate cvechecker with your package management system. It also supports removing a part of the entries in the database (such as when you uninstall software) when you add the -D (--deletedeltaonly) option.

Load Watchlist

Like the software list, you can have cvechecker load a watchlist. This load can happen concurrently with the filelist and also supports the delta options. Be aware though that, if you do not use the delta option, loading a watchlist will reload the database (clearing your detected software). As such, it is recommended to use the watchlist at the same time with your binary file listing, like so:pr

cvechecker -b filelist.txt -w watchlist.txt

In the reports, watchlist-provided software will have a filename starting with "<<provided>>" and named after the CPE they represent.

Load Latest Cve Entries

Pull in the latest CVE entries from the Internet (see also man pullcves)

pullcves pull

Report on Potential Vulnerabilities

To get a report on potential vulnerabilities, run cvechecker with the -r argument.

cvechecker -r

If you want cvechecker to report on vulnerabilities that have been exposed with higher versions of software that you have installed, you can add the -H (--reporthigher) option. However, be warned that this will give lots of false positives. The upside is that you can find potential vulnerabilities in software whose CVE entries doesn't contain all affected software versions (some CVEs only - falsely - contain the highest version where the vulnerability was present).

cvechecker -r -H

If you want to use the output of the command as input for other commands (for instance, to create a nice report), you can add the -C argument which makes the output csv-like:

cvechecker -r -C

Report on Detected Software

To get a report on the detected software, run cvechecker with the -s (only software) or -S (software with files that lead to the software detection) argument.

cvechecker -s

If you want to use the output of the command as input for other commands (for instance, to create a nice report), you can add the -C argument which makes the output csv-like:

cvechecker -s -C

Command Reference

cvechecker supports the following arguments:

-i,  --initdbs

Initialize the databases

-l <datafile>, --loaddata=<datafile>

Load the version detection rules

-b <binlist>, --binlist=<binlist>

Load the list of binaries available on the system. Accepts standard input if "-" is given.

-c <cvelist>, --cvedata=<cvelist>

Load the CSV file with CVE data. The CSV file can be generated with nvd2simple, part of the cvechecker package. Normally you don't need to call this argument as it will be done by pullcves anyway.

-f <binfilepath>, --fileinfo=<binfilepath>

Load a single file path in cvechecker. This allows you to verify if cvechecker can identify the binary or not (as it will display the CPE data if it can)

-r,  --runcheck

Match the identified software and versions against the known CVE entries and report it on the screen

-C,  --csvoutput

Report using CSV-like output.

Only interesting when used with -r or -s

-s,  --showinstalled

Show the detected software/version sets of this system

-S,  --showinstalledfiles

Show the detected software/version sets of this system together with the files that are used to detect this software/version set

-d,  --deltaonly

The file passed on through the -b (--binlist) option only contains files that need to be added to the file database (and checked for versions) rather than a full file system dump

-D,  --deletedeltaonly

The file passed on through the -b (--binlist) option only contains files that have been uninstalled from the system, and thus can be removed from the database

-H,  --reporthigher

Do not only report on CVEs that affect software installed on your system, but also on CVEs that affect higher versions of the software that is installed on your system

-w <watchlist>, --watchlist=<watchlist>

Load the watchlist information (a file containing CPE entries - one per line - using the official CPE syntax)

Configuration File

cvechecker will read the configuration file pointed towards by the CVECHECKER_CONFFILE variable. If that variable is not set, ~/.cvechecker.rc, /usr/local/etc/cvechecker.conf or /etc/cvechecker.conf, whichever comes first. This file contains the locations as well as other static parameters for the cvechecker application. An example configuration file is:

#
# Generic settings
#
dbtype = "mysql";
#dbtype = "sqlite3";
cvecache = "/var/lib/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "https://raw.github.com/sjvermeu/cvechecker/master/versions.dat";
#userkey = "servertag";

#
# For SQLite3
#
sqlite3: {
  localdb = "/var/lib/cvechecker/local";
  globaldb = "/var/lib/cvechecker/global.db";
}

#
# For MySQL
#
mysql: {
  dbname = "cvechecker";
  dbuser = "cvechecker_rw";
  dbpass = "passwordforcvechecker_rw";
  dbhost = "mysql.company.com";
};

The following options are supported:

Cvechecker is Not Complete

The strength of cvechecker can only be fully used if the list of supported software is huge. Currently, the list is too small to cover most systems. However, if you want to help us out in creating a larger database, please read on.

The format used to import software detection rules is as follows:

,[filepart],1,[fileregexp],[contentregexp],a,[vendor],[product],[version],[update],[edition],[language]

The first comma tells cvechecker what the field separator is, so if you need to use the comma in a regular expression, you can use a different field separator. Just start the line with the separator.

I have mentioned CPE. CPE stands for Common Platform Enumeration and is a standard for identifying a product with version. More information on CPE can be found at http://nvd.nist.gov/cpe.cfm and http://cpe.mitre.org/specification/index.html.

A few examples of these detection rules:

,ncftp,1,ncftp,^.*NcFTP ([0-9\.]+)/([0-9]+) .*,a,ncftp_software,ncftp,\1,\2,,
,libflashplayer.so,1,libflashplayer.so,FlashPlayer_([0-9]+)_([0-9]+)_([0-9]+)_([0-9]+)_FlashPlayer,a,adobe,flash_player,\1.\2.\3.\4,,,
,perl,1,perl.*,/usr/lib/perl5/site_perl/([^/]+)/,a,perl,perl,\1,,,

Author

cvechecker was written by Sven Vermeulen <sven.vermeulen@siphos.be>.

Info

17 August 2013 August 17, 2013 cvechecker Manual