
Improve "ISC DHCP" detection and CVE search

Open gluesmith2021 opened this issue 9 months ago • 6 comments

Is your feature request related to a problem? Please describe.

There are missing CVEs in results for ISC DHCP Client/Server, and this is in part related to a CPE naming issue in NVD data.

In NVD database CPE strings, isc:dhcp_client CVEs seem to apply to the DHCP "client", while isc:dhcpd CVEs apply to the server component instead. However, in many CVEs the string isc:dhcp is used instead, for both client and server components.

For example, CVE-2018-5732 applies to the client, while CVE-2018-5733 applies to the server part. Both use cpe:2.3:a:isc:dhcp:*:... among others. Only the textual description allows one to discriminate.

The choice of one or the other might be related to the CVE year, since only a single name is used per year. Of course, that might be a mere coincidence as well:

  • 1999-2000: dhcp_client
  • 2002-2006: dhcpd
  • 2009-2018: dhcp
  • 2019: dhcpd
  • 2021-2022: dhcp

Describe the solution you'd like

First, EMBA could detect "ISC DHCP Server" as well, just like the client currently is.

Second, given that the NVD DB does not discriminate between "client" and "server" when using isc:dhcp, EMBA could somehow aggregate CVEs using:

  • isc:dhcp_client and isc:dhcp for the client
  • isc:dhcpd and isc:dhcp for the server

This will bring false positives in aggregated CVEs, but the NVD database does not allow better discrimination. Right now, we have false negatives (missing CVEs) given that EMBA only searches for dhcp_client.

Describe alternatives you've considered

Changing the string replacements in bin_version_strings.cfg as in original PR #1150 before changes were reverted. The string replacement mechanism alone does not allow for the above solution.

Priority issue: Are you already a Sponsor? N

Additional context

I had to analyze a firmware image that had both client and server DHCP binaries, and the identification string is straightforward. The version however is not detectable from S09 as it is not part of the identification string. S116 can detect it though. In my case, both were version 4.3.4 from 2016. EMBA would report isc:dhcp_client for the client, and not report the server at all. In both cases, it misses the few CVEs that apply to that version:

  • In /sbin/dhclient file: Internet Systems Consortium DHCP Client
  • In /usr/sbin/dhcpd file: Internet Systems Consortium DHCP Server
  • From S116 on /sbin/dhclient:
    • Internet Systems Consortium DHCP Client 4.3.4
    • isc-dhclient-4.3.4

gluesmith2021, May 13 '24 20:05
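The aggregation proposed in this issue, as an added example that is not EMBA's own code: the identification strings and the `isc-dhclient-4.3.4` marker quoted above are used to classify a binary as client or server and pull its version, and CVE records are then matched against the component's own CPE product name plus the shared `isc:dhcp` name. The NVD records are constructed (the two 2018 CVEs carry the `isc:dhcp` CPE the issue quotes; the `CVE-0000-*` entries are placeholders), and a `*` CPE version is treated as matching any version, which is a simplification of NVD's version-range fields.

```python
import re

# Per the issue: NVD applies the generic "dhcp" product to both components,
# so each component searches its own name plus the shared one.
CPE_PRODUCTS = {
    "client": {"dhcp_client", "dhcp"},
    "server": {"dhcpd", "dhcp"},
}

# Identification strings found in the binaries (quoted in the issue).
ID_STRINGS = {
    "Internet Systems Consortium DHCP Client": "client",
    "Internet Systems Consortium DHCP Server": "server",
}

# Version marker as reported by S116, e.g. "isc-dhclient-4.3.4".
VERSION_RE = re.compile(r"isc-(?:dhclient|dhcpd)-(\d+\.\d+\.\d+)")

# Constructed sample of NVD records: CVE id -> list of CPE 2.3 strings.
SAMPLE_NVD = {
    "CVE-2018-5732": ["cpe:2.3:a:isc:dhcp:*:*:*:*:*:*:*:*"],
    "CVE-2018-5733": ["cpe:2.3:a:isc:dhcp:*:*:*:*:*:*:*:*"],
    "CVE-0000-0001": ["cpe:2.3:a:isc:dhcp_client:*:*:*:*:*:*:*:*"],  # placeholder
    "CVE-0000-0002": ["cpe:2.3:a:isc:dhcpd:*:*:*:*:*:*:*:*"],        # placeholder
    "CVE-0000-0003": ["cpe:2.3:a:isc:dhcpd:4.4.0:*:*:*:*:*:*:*"],    # placeholder, other version
}


def identify(strings):
    """Return (component, version) from a binary's printable strings."""
    component = version = None
    for s in strings:
        for marker, comp in ID_STRINGS.items():
            if marker in s:
                component = comp
        m = VERSION_RE.search(s)
        if m:
            version = m.group(1)
    return component, version


def cpe_matches(cpe, component, version):
    """True if a CPE 2.3 string names an ISC product relevant to the component."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[2] != "a" or parts[3] != "isc":
        return False
    product, cpe_version = parts[4], parts[5]
    return product in CPE_PRODUCTS[component] and cpe_version in ("*", version)


def aggregate_cves(nvd_records, component, version):
    """CVE ids whose CPEs cover the detected component and version."""
    return sorted(cid for cid, cpes in nvd_records.items()
                  if any(cpe_matches(c, component, version) for c in cpes))
```

Searching only `dhcp_client`, as the issue describes, would drop the two 2018 CVEs from the client result entirely.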