
Comments (8)

scmanjarrez commented on June 10, 2024

I think this can be a good workaround. We can improve the JSON with the most common services, maybe people can improve the list over time by opening an issue. Would you mind doing a PR with your implementation? I'll check NMAP code, maybe I can kind of automate the generation of the first initial list.

from cvescannerv2.

scmanjarrez commented on June 10, 2024

Hi, thanks for the PR, I've merged it. I relocated your code to leverage the logging functionality, otherwise the new CVEs wouldn't be logged.

I've seen this https://nvd.nist.gov/products/cpe/detail/A43289F0-8E95-4C9E-A0BC-A906D3CA0325, it seems that NVD kind of knows the deprecated CPEs, maybe I can check the API and obtain this information and build the json. I need to check it.

cpe:2.3:a:microsoft:iis:7.5 - NVD - Detail

This CPE has been deprecated to:
    cpe:2.3:a:microsoft:internet_information_server:7.5:*:*:*:*:*:*:*


scmanjarrez commented on June 10, 2024

Nothing I can't do here... IIS is defined as internet_information_services in NVD data

cpe:2.3:a:microsoft:internet_information_services:7.5:*:*:*:*:*:*:*

but NMAP returns

cpe:/a:microsoft:iis:7.5

Obv, querying iis in the database yields 0 rows

Maybe it would be possible to build some kind of heuristic, but that would be overkill in the long term.

This is one of the shortcomings of this method: CPEs weren't standardized (and I think they still aren't). Some CVEs use a different vendor-product-version than others, so you end up with multiple entries referring to the same product.

product_id	vendor	product	version	version_update
80024	microsoft	iis	7.5	*
486471	microsoft	internet_information_services	7.5	*

Two different entries for the same product yet only one is linked in NVD.


artvorlov commented on June 10, 2024

Yes, I understand the problem. For myself, I decided to add a file with product aliases. Here is my solution, maybe it will be useful to someone:

products-aliases.json

{
  "iis": ["internet_information_services"]
}

cvescannerv2.nse

...
local regex_arg = stdnse.get_script_args('regex') or 'http-regex-vulnerscom.json'
-- New script argument: JSON file mapping a product name to a list of aliases
local products_aliases_arg = stdnse.get_script_args('products-aliases') or 'products-aliases.json'
local service_arg = stdnse.get_script_args('service') or 'all'
...
-- Startup checks: the aliases file must exist and parse as JSON
if not exists(db_arg) then
   ret = fmt("Database %s not found. " ..
             "Run ./databases.py before running nmap script.",
             db_arg)
elseif not exists(path_arg) then
   ret = fmt("Paths file %s not found.", path_arg)
elseif not valid_json(path_arg, 'path') then
   ret = fmt("Invalid json %s.", path_arg)
elseif not exists(regex_arg) then
   ret = fmt("Regexes file %s not found.", regex_arg)
elseif not valid_json(regex_arg, 'regex') then
   ret = fmt("Invalid json %s.", regex_arg)
elseif not exists(products_aliases_arg) then
   ret = fmt("CPE products aliases file %s not found.", products_aliases_arg)
elseif not valid_json(products_aliases_arg, 'products-aliases') then
   ret = fmt("Invalid json %s.", products_aliases_arg)
end
...
-- Parse a JSON file and, on success, store the result in the registry
local function valid_json (arg, type)
   local f = io.open(arg, 'r')
   local status, data = json.parse(f:read('*all'))
   if status then
      if type == 'path' then
         registry.path = data
      elseif type == 'regex' then
         registry.regex = data
      elseif type == 'products-aliases' then
         registry.products_aliases = data
      end
   end
   f:close()
   return status
end
...
tmp_vulns = vulnerabilities(host, port, cpe, product, info)
-- Product aliases: repeat the lookup for every alias of the detected product
if registry.products_aliases[product] then
   for _, alias in pairs(registry.products_aliases[product]) do
      local tmp_alias_vulns = vulnerabilities(host, port, cpe, alias, info)
      if tmp_alias_vulns then
         -- Element 1 is the vulnerability count; add it to the running total
         tmp_vulns[1] = tmp_vulns[1] + table.remove(tmp_alias_vulns, 1)
         -- The remaining elements are the entries; append them
         for _, v in pairs(tmp_alias_vulns) do
            table.insert(tmp_vulns, v)
         end
      end
   end
end
local nvulns = table.remove(tmp_vulns, 1)

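The alias lookup discussed in this thread, as an added example that is not part of the original issue or of the CVEScannerV2 code base: it parses the CPE 2.2 URI that Nmap reports, expands the product name through an alias map shaped like products-aliases.json, and queries each name, de-duplicating CVEs across names. The table names `products` and `affected`, the function names, and the CVE identifiers are assumptions (constructed sample data); only the `products` columns and the two rows come from the thread.

```python
import sqlite3

# Alias map in the shape of the products-aliases.json shown above.
ALIASES = {"iis": ["internet_information_services"]}

def parse_nmap_cpe(cpe):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version) into its fields."""
    if not cpe.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % cpe)
    fields = cpe[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))          # version may be missing
    _part, vendor, product, version = fields[:4]
    return vendor, product, version

def candidate_products(product, aliases):
    """Detected product name followed by its aliases, without duplicates."""
    seen, names = set(), []
    for name in [product] + aliases.get(product, []):
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names

def lookup(conn, cpe, aliases):
    """CVE ids linked to the product named in `cpe` or to any of its aliases."""
    vendor, product, version = parse_nmap_cpe(cpe)
    cves = []
    for name in candidate_products(product, aliases):
        rows = conn.execute(
            "SELECT a.cve_id FROM products p JOIN affected a USING (product_id) "
            "WHERE p.vendor = ? AND p.product = ? AND p.version = ? "
            "ORDER BY a.cve_id", (vendor, name, version)).fetchall()
        cves += [r[0] for r in rows if r[0] not in cves]   # no double counting
    return cves

def build_sample_db():
    """Constructed database: both product rows exist, only one has CVEs linked."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(product_id INTEGER PRIMARY KEY,
                              vendor, product, version, version_update);
        CREATE TABLE affected(cve_id, product_id);  -- hypothetical link table
        INSERT INTO products VALUES (80024, 'microsoft', 'iis', '7.5', '*');
        INSERT INTO products VALUES
            (486471, 'microsoft', 'internet_information_services', '7.5', '*');
        INSERT INTO affected VALUES ('CVE-PLACEHOLDER-0001', 486471);
        INSERT INTO affected VALUES ('CVE-PLACEHOLDER-0002', 486471);
    """)
    return conn
```

Calling `lookup(build_sample_db(), "cpe:/a:microsoft:iis:7.5", {})` returns nothing, while passing `ALIASES` returns both placeholder entries.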

scmanjarrez commented on June 10, 2024

Hey, I've been checking the code of NMAP, it seems that the latest version (7.94) has the correct CPEs. After rechecking your comments, it seems that you're running a very outdated version (7.80). I'll try to set up a container with IIS to test again with CVEScannerV2 3.1.2, but I think the problem here was your NMAP version. Anyway, this feature should improve the scan quality overall.


artvorlov commented on June 10, 2024

You're right, it looks like it's time for me to upgrade. Version 7.80 is the latest for my Ubuntu release - 20.04.5 LTS


scmanjarrez commented on June 10, 2024

You could run NMap from a container (only 36MB). I'm currently working on migrating all of my CI/CD running on a self-hosted GitLab to GitHub. I expect to have a working action in the following days to build docker containers with CVEScannerV2 (no db) and another one with the database embedded. I'm also planning to detach CVEScannerV2DB entirely (removed as submodule) to keep the main repository "small" but still build the database automatically.


scmanjarrez commented on June 10, 2024

Closed as completed in c957afa. New containers can be found in dockerhub under scmanjarrez/cvescanner, variants db and nodb.
