CVE scans not matching the expected CVE-2021-23017

@cfi

Hi and thanks for your help with this. Unfortunately I now have a follow up question, because even with the updated NVTs I’m unable to see the expected CVE match.

Let me know it you’d prefer this in a new ticket.

I’ve updated and ran another OpenVAS scan against the same server. I did this today 11 Feb (and also did a ‘gvmd --rebuild’ to be sure).

greenbone-nvt-sync --feedversion                    -> 202202101102
greenbone-feed-sync --type SCAP --feedversion       -> 202202090230
greenbone-feed-sync --type CERT --feedversion       -> 202202090130
greenbone-feed-sync --type GVMD_DATA --feedversion  -> 202201281556

I’m pleased to report the new VTs are registering both the “nginx” and “f5” CPEs. Here’s a small fragment of the results showing this:

  <result id="b2b98965-2e3c-438e-8d3c-44ce508d0adb">
    <name>CPE Inventory</name>
    ...
    <description>xxx.xxx.xxx.xxx|cpe:/a:f5:nginx:1.18.0
xxx.xxx.xxx.xxx|cpe:/a:nginx:nginx:1.18.0
xxx.xxx.xxx.xxx|cpe:/o:canonical:ubuntu_linux

</description>

Unfortunately subsequent CVE scans still aren’t matching the expected CVE-2021-23017 against cpe:/a:f5:nginx:1.18.0.

I believe I’m using the scanners correctly, e.g. adding results to Assets, and do get CVE matches for other software on other servers.

Further below is another XML fragment with part of the CVE-2021-23017 definition.

I admit I don’t know how to read this, but notice there’s only the one exact NGINX product “cpe:/a:f5:nginx:0.6.18” that’s listed. Other CVE definitions seem to have long lists individual product CPEs (and/or maybe even have ranges?) so I wonder if this is why it’s not matching.

So, my question:

  • Are you able to see why the GVM isn’t reporting CVE-2021-23017 against cpe:/a:f5:nginx:1.18.0? E.g. are there other changes to the feed that need to be made, or is it more likely it’s my GVM installation or how I’m using it?

Thanks again for you help (and the usual apologies if I’m doing something daft)!

<get_info_response status="200" status_text="OK">
  <info id="CVE-2021-23017">
    <owner>
      <name/>
    </owner>
    <name>CVE-2021-23017</name>
    <comment/>
    <creation_time>2021-06-01T13:15:00Z</creation_time>
    <modification_time>2022-02-07T16:15:00Z</modification_time>
    <writable>0</writable>
    <in_use>0</in_use>
    <permissions/>
    <update_time>2022-02-09T02:30:00.000+0000</update_time>
    <cve>
      <severity>9.4</severity>
      <cvss_vector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L</cvss_vector>
      <description>A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.</description>
      <products>cpe:/a:f5:nginx:0.6.18 cpe:/a:openresty:openresty:1.19.3.1:rc1 cpe:/o:fedoraproject:fedora:33 cpe:/o:fedoraproject:fedora:34 cpe:/a:netapp:ontap_select_deploy_administration_utility:- cpe:/a:oracle:communications_control_plane_monitor:3.4 cpe:/a:oracle:communications_control_plane_monitor:4.2 cpe:/a:oracle:communications_control_plane_monitor:4.3 cpe:/a:oracle:communications_control_plane_monitor:4.4 cpe:/a:oracle:communications_fraud_monitor:3.4 cpe:/a:oracle:communications_fraud_monitor:4.4 cpe:/a:oracle:communications_operations_monitor:3.4 cpe:/a:oracle:communications_operations_monitor:4.2 cpe:/a:oracle:communications_operations_monitor:4.3 cpe:/a:oracle:communications_operations_monitor:4.4 cpe:/a:oracle:enterprise_telephony_fraud_monitor:3.4 cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.2 cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.3 cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.4 </products>
      <nvts>
        ...
      </nvts>
      <cert>
        ...
      </cert>
      <raw_data><entry xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:cvss3="https://www.first.org/cvss/cvss-v3.1.xsd" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="CVE-2021-23017">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:f5:nginx:0.6.18</vuln:product>
      <vuln:product>cpe:/a:openresty:openresty:1.19.3.1:rc1</vuln:product>
      <vuln:product>cpe:/o:fedoraproject:fedora:33</vuln:product>
      <vuln:product>cpe:/o:fedoraproject:fedora:34</vuln:product>
      <vuln:product>cpe:/a:netapp:ontap_select_deploy_administration_utility:-</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_control_plane_monitor:3.4</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_control_plane_monitor:4.2</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_control_plane_monitor:4.3</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_control_plane_monitor:4.4</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_fraud_monitor:3.4</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_fraud_monitor:4.4</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_operations_monitor:3.4</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_operations_monitor:4.2</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_operations_monitor:4.3</vuln:product>
      <vuln:product>cpe:/a:oracle:communications_operations_monitor:4.4</vuln:product>
      <vuln:product>cpe:/a:oracle:enterprise_telephony_fraud_monitor:3.4</vuln:product>
      <vuln:product>cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.2</vuln:product>
      <vuln:product>cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.3</vuln:product>
      <vuln:product>cpe:/a:oracle:enterprise_telephony_fraud_monitor:4.4</vuln:product>
    </vuln:vulnerable-software-list>
1 Like

(Quick moderator note, I’ve broken out this post from a different thread and moved it to the Feed Services category. @khesterproton, I titled it from your post, but you can update the title if you’d like. Thanks!)

2 Likes

Yes, indeed it seems that this is originating from the following and has nothing to do with your setup or the VT / detection side:

NVD - CVE-2021-23017 is using a range From (including) 0.6.18 to Up to (excluding) 1.20.1 which seems to be not reflected in the posted .xml snippet.

IIRC there is already an internal ticket to evaluate that but not sure about the status and outcome. But there is a completely re-write of the feed deployment process ongoing so the published data could be more accurate when this is finished.

2 Likes

Great, thanks again for your help.

I’ll mark this as solved, because you’ve answered my question and confirmed where the issue lies.

1 Like