
Vulners NASL Plugin Feeds for OpenVAS 9

Description

As I already wrote earlier, you can easily [add third party nasl plugins to OpenVAS](<https://avleonov.com/2017/06/30/adding-third-party-nasl-plugins-to-openvas/>). So, my friends from [Vulners.com](<http://vulners.com>) implemented generation of NASL plugins for OpenVAS using their own security content. I've tested it for scanning a CentOS 7 host. And it works =)

[![Vulners OpenVAS vulnerabilities](https://avleonov.com/wp-content/uploads/2017/10/vulners_openvas_vulnerabilities_logo.png)](<https://avleonov.com/wp-content/uploads/2017/10/vulners_openvas_vulnerabilities_logo.png>)

Let's see the whole process. I assume that we have [installed OpenVAS 9 from sources](<https://avleonov.com/2017/04/10/installing-openvas-9-from-the-sources/>) using the [openvas-commander](<https://github.com/leonov-av/openvas-commander>) script. I log in to the OpenVAS server and run all commands as root:

```bash
ssh vmuser@192.168.56.120
su
```

#### Cleaning NVT cache and updating plugins from Greenbone feed

If you have already been experimenting with your own NASL scripts, it may be a good idea to clear the OpenVAS vulnerability base. Deleting cache and plugins for 2017:

```bash
find /usr/local/var/lib/openvas/plugins/2017/ | grep "nasl" | xargs -i rm '{}'
find /usr/local/var/cache/openvas/2017/ | grep ".nvti" | xargs -i rm '{}'
```

Updating Greenbone content:

```bash
wget https://raw.githubusercontent.com/leonov-av/openvas-commander/master/openvas_commander.sh
chmod +x openvas_commander.sh
./openvas_commander.sh --update-content-nvt
./openvas_commander.sh --kill-all
./openvas_commander.sh --start-all
ps -aux | grep "openvassd" # Wait until openvassd 100% reloaded
```

Rebuilding cache:

```bash
openvasmd --rebuild --progress
```

Output:

```
Rebuilding NVT cache... | done.
```

And restart once again:

```bash
./openvas_commander.sh --kill-all
./openvas_commander.sh --start-all
ps -aux | grep "openvassd" # Wait until openvassd 100% reloaded
```

Checking that there are no third-party plugins in GSM:

[![Only Greenbone NVTs](https://avleonov.com/wp-content/uploads/2017/10/only_greenbone_nvt.png)](<https://avleonov.com/wp-content/uploads/2017/10/only_greenbone_nvt.png>)

Seems good.

#### Adding Vulners NASL scripts

You can get a link to an archive at <https://vulners.com/stats> (icon with gear)

![Get a link to NASL plugins](https://avleonov.com/wp-content/uploads/2017/10/get_a_link_to_NASL_plugins.png)

```bash
# -k turns off TLS certificate verification for this download
curl -k "https://vulners.com/api/v3/archive/nasl/?type=centos" > vulners_nasl.zip
unzip vulners_nasl.zip -d vulners_nasl
cp vulners_nasl/* /usr/local/var/lib/openvas/plugins/2017/
```

Restart OpenVAS:

```bash
./openvas_commander.sh --kill-all
./openvas_commander.sh --start-all
ps -aux | grep "openvassd" # Wait until openvassd 100% reloaded
```

And rebuild NVT cache:

```bash
openvasmd --rebuild --progress
```

Output:

```
Rebuilding NVT cache... | done.
```

Checking Vulners plugins in GSM:

[![Vulners NASL](https://avleonov.com/wp-content/uploads/2017/10/vulners_nasl.png)](<https://avleonov.com/wp-content/uploads/2017/10/vulners_nasl.png>)

Both Greenbone and [Vulners.com](<http://Vulners.com>) plugins are here. Great!

#### Scanning CentOS host

I created a simple authenticated scanning task and launched it:

[![Launched OpenVAS scan](https://avleonov.com/wp-content/uploads/2017/10/launched_openvas_scan.png)](<https://avleonov.com/wp-content/uploads/2017/10/launched_openvas_scan.png>)

Some minutes later I have the results, which I can easily filter.

For example, show vulnerabilities detected by Vulners NASL plugins:

`vulnerability~"VulnersDB"`

[![Vulners OpenVAS vulnerabilities](https://avleonov.com/wp-content/uploads/2017/10/vulners_openvas_vulnerabilities.png)](<https://avleonov.com/wp-content/uploads/2017/10/vulners_openvas_vulnerabilities.png>)

Plugin data:

[![Vulner description part1](https://avleonov.com/wp-content/uploads/2017/10/vulner_description_part1.png)](<https://avleonov.com/wp-content/uploads/2017/10/vulner_description_part1.png>)…[![Vulner description part2](https://avleonov.com/wp-content/uploads/2017/10/vulner_description_part2.png)](<https://avleonov.com/wp-content/uploads/2017/10/vulner_description_part2.png>)

Plugin text on Vulners.com website: <https://vulners.com/api/v3/nasl/id/?id=CESA-2017:1842>

```
###############################################################################
# OpenVAS centos Vulnerability Test
#
# kernel, perf, python security update
#
# Authors:
# Kir Ermakov
# Igor Bulatenko
# Ivan Elkin
# Alex Leonov
#
# Copyright:
# Copyright (C) 2017 Vulners.com, https://vulners.com
#
# This program is free software; you can redistribute it and/or modify
...
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.1.51337.5133700027808229620542704492639841805966348423");
  script_version("$Revision: 1 $");
  script_tag(name:"last_modification", value:"$Date: 2017-08-24T01:38:33 $");
  script_tag(name:"creation_date", value:"$Date: 2017-08-24T01:38:33 $");
  script_cve_id("CVE-2016-9604",...,"CVE-2014-7970");
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_tag(name:"qod_type", value:"package");
  script_name("VulnersDB: CESA-2017:1842 kernel, perf, python security update");
  script_tag(name: "summary", value: "**CentOS Errata and Security Advisory** CESA-2017:1842

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

* An use-after-free flaw was found in the Linux kernel which enables a race condition in the L2TPv3 IP Encapsulation feature. A local user could use this flaw to escalate their privileges or crash the system. (CVE-2016-10200, Important)
...
**Affected packages:**
kernel
...
python-perf

**Upstream details at:**
");
  script_tag(name: "vuldetect", value: "Get the installed version with the help of detect NVT and check if the version is vulnerable or not.");
  script_tag(name: "affected", value: "
kernel-tools on CentOS 7 ,
...
kernel-debug-devel on CentOS 7 ,
kernel-headers on CentOS 7 ,
perf on CentOS 7 ,");
  script_tag(name: "solution", value: "Please Install the Updated Packages.");
  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name: "URL" , value: "http://lists.centos.org/pipermail/centos-cr-announce/2017-August/004249.html");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2017 Vulners");
  script_xref(name: "CESA", value: "CESA-2017:1842");
  script_family("CentOS Local Security Checks");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("HostDetails/OS/cpe:/o:centos:centos", "login/SSH/success", "ssh/login/release");
  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = get_kb_item("ssh/login/release");
res = "";

if(release == NULL){
  exit(0);
}

if(release == "CentOS7")
{
  if ((res = isrpmvuln(pkg:"kernel-tools", rpm:"kernel-tools~3.10.0~693.el7", rls:"CentOS7")) != NULL) {
    security_message(data:res);
    exit(0);
  }
}
...
if (__pkg_match) exit(99); # Not vulnerable.
exit(0);
```

I can also filter vulnerabilities detected only by Greenbone plugins.

`vulnerability~"CentOS Update"`

[![Greenbone vulnerabilities](https://avleonov.com/wp-content/uploads/2017/10/greenbone_vulners.png)](<https://avleonov.com/wp-content/uploads/2017/10/greenbone_vulners.png>)

As you can see on the dashboards, the results are not fully the same. Some vulnerabilities were found by both Greenbone and Vulners.

`vulnerability~"CESA-2017:1481"`

[![Two feeds](https://avleonov.com/wp-content/uploads/2017/10/two_feeds.png)](<https://avleonov.com/wp-content/uploads/2017/10/two_feeds.png>)

But, for example, CESA-2017:1842, which I have shown above on a screenshot, was detected only by Vulners plugins. The plugin says that kernel-tools-3.10.0-514.el7 is vulnerable.

And it is, according to the bulletin <https://vulners.com/centos/CESA-2017:1842>:

```
CentOS 7    x86_64    kernel-tools    < 3.10.0-693.el7    kernel-tools-3.10.0-693.el7.x86_64.rpm
```

The answer is that the Greenbone feed doesn't contain this plugin (yet):

```
# ls /usr/local/var/lib/openvas/plugins/2017/gb_CESA-2017_1842*
ls: cannot access /usr/local/var/lib/openvas/plugins/2017/gb_CESA-2017_1842*: No such file or directory
```
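
The `isrpmvuln` line in the plugin text above can be replayed offline to see why kernel-tools-3.10.0-514.el7 is flagged; the following Python is an added example, not code from the original post, Vulners or OpenVAS. It assumes the `name~version~release` layout of the `rpm:` argument seen in that plugin, and its `vercmp` is a simplified RPM-style segment comparison swapped in for the logic inside `pkg-lib-rpm.inc`. The function names and the `installed` mapping are hypothetical.

```python
import re

# Constructed sample: the check block from the CESA-2017:1842 plugin text above.
NASL = '''
if(release == "CentOS7") {
  if ((res = isrpmvuln(pkg:"kernel-tools", rpm:"kernel-tools~3.10.0~693.el7", rls:"CentOS7")) != NULL) {
    security_message(data:res);
    exit(0);
  }
}
'''

# Assumption: every check is written as isrpmvuln(pkg:"..", rpm:"..", rls:"..").
CHECK = re.compile(r'isrpmvuln\(pkg:"([^"]+)",\s*rpm:"([^"]+)",\s*rls:"([^"]+)"\)')

def parse_checks(nasl_text):
    """Return (package, fixed_version, fixed_release, os_release) per isrpmvuln call."""
    checks = []
    for pkg, rpm, rls in CHECK.findall(nasl_text):
        # rpm is "name~version~release": drop the name prefix, then split once.
        version, release = rpm[len(pkg) + 1:].split("~", 1)
        checks.append((pkg, version, release, rls))
    return checks

def vercmp(a, b):
    """Simplified RPM-style compare: -1 if a is older, 0 if equal, 1 if newer."""
    # Split into runs of digits or letters; separators such as "." are dropped.
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vulnerable(installed, nasl_text, os_release):
    """installed maps package name -> (version, release); returns the findings."""
    hits = []
    for pkg, ver, rel, rls in parse_checks(nasl_text):
        if rls != os_release or pkg not in installed:
            continue
        iver, irel = installed[pkg]
        if (vercmp(iver, ver) or vercmp(irel, rel)) < 0:
            hits.append(f"{pkg}-{iver}-{irel} < {pkg}-{ver}-{rel}")
    return hits
```

Calling `vulnerable({"kernel-tools": ("3.10.0", "514.el7")}, NASL, "CentOS7")` reports the same package the scan flagged, while a host already on `693.el7` produces no finding.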

