Differences in gvm11 output and old Kali's linux OpenVAS output on <get_results/> command

Hi,

I’m using the latest gvm 11 release and I’m trying to port my scripts from the old Kali Linux based OpenVAS (gvm9) to the new and supported gvm11. My scripts use the get_tasks, get_reports and get_results messages, and it looks like there is some difference between the results obtained from gvm9 and from gvm11. E.g.:

gvm9 output looks like this (get_result, one result of many):

<result id="28f39ab2-4f23-477f-9630-be7120fdbfdd">
  <name>SSH Weak Encryption Algorithms Supported</name>
  <owner>
    <name>raocs</name>
  </owner>
  <comment/>
  <creation_time>2020-04-21T18:35:14Z</creation_time>
  <modification_time>2020-04-21T18:35:14Z</modification_time>
  <user_tags>
    <count>0</count>
  </user_tags>
  <host>10.0.30.26<asset asset_id="ee539aae-a0bd-4409-8d16-2b015e8e7fe6"/></host>
  <port>22/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.105611">
    <type>nvt</type>
    <name>SSH Weak Encryption Algorithms Supported</name>
    <family>General</family>
    <cvss_base>4.3</cvss_base>
    <cve>NOCVE</cve>
    <bid>NOBID</bid>
    <xref>URL:https://tools.ietf.org/html/rfc4253#section-6.3, URL:https://www.kb.cert.org/vuls/id/958563</xref>
    <tags>cvss_base_vector=AV:N/AC:M/Au:N/C:P/I:N/A:N|insight=The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys.
  The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems
  with weak keys, and should not be used anymore.

  The `none` algorithm specifies that no encryption is to be done.
  Note that this method provides no confidentiality protection, and it
  is NOT RECOMMENDED to use it.

  A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.|vuldetect=Check if remote ssh service supports Arcfour, none or CBC ciphers.|summary=The remote SSH server is configured to allow weak encryption algorithms.|solution=Disable the weak encryption algorithms.|solution_type=Mitigation|qod_type=remote_active</tags>
    <cert/>
  </nvt>
  <scan_nvt_version>2020-03-26T13:48:10+0000</scan_nvt_version>
  <threat>Medium</threat>
  <severity>4.3</severity>
  <qod>
    <value>95</value>
    <type>remote_active</type>
  </qod>
  <description>The following weak client-to-server encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se


The following weak server-to-client encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se</description>
  <original_threat>Medium</original_threat>
  <original_severity>4.3</original_severity>
  <notes/>
  <overrides/>
</result>

and when I scan the same host with gvm11 and obtain the equivalent result, it looks like:

<result id="897d3097-efe1-476c-ab9a-12915c29de8e">
  <name>SSH Weak Encryption Algorithms Supported</name>
  <creation_time>2020-04-20T21:30:35Z</creation_time>
  <host>10.0.30.26<asset asset_id="830dbe3f-9085-477f-820d-7c439cb6e99b"/><hostname>power-sc.localdomain</hostname></host>
  <port>22/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.105611">
    <type>nvt</type>
    <name>SSH Weak Encryption Algorithms Supported</name>
    <family>General</family>
    <cvss_base>4.3</cvss_base>
    <tags>cvss_base_vector=AV:N/AC:M/Au:N/C:P/I:N/A:N|solution=Disable the weak encryption algorithms.|solution_type=Mitigation</tags>
    <refs>
      <ref type="url" id="https://tools.ietf.org/html/rfc4253#section-6.3"/>
      <ref type="url" id="https://www.kb.cert.org/vuls/id/958563"/>
    </refs>
  </nvt>
  <severity>4.3</severity>
  <qod>
    <value>95</value>
  </qod>
  <description>The following weak client-to-server encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following weak server-to-client encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

Please note:

  • threat value missing there
  • various tag values missing (especially summary)

As at least the threat value should be there according to the gvm11 protocol spec (as far as I understand it), I’d consider this to be a bug, and the question is whether I should report it somewhere (GitHub?) and, if so, to which project. If, however, this is all right and there is some special way to obtain the summary and threat values, then I would appreciate it if someone let me know.

Thanks!
Karel

When posting you should provide information about your environment using the following template:

GVM versions

gsa: (‘gsad --version’):

$ gsad --version
Greenbone Security Assistant 9.0

gvm: (‘gvmd --version’)

$ gvmd --version
Greenbone Vulnerability Manager 9.0.0
Manager DB revision 221

openvas-scanner: (‘openvassd --version’)

$ openvas --version
OpenVAS 7.0.0

gvm-libs:
$ ls -la /usr/local/lib/libgvm*
lrwxrwxrwx 1 root root 21 Apr 13 19:18 /usr/local/lib/libgvm-pg-server.so -> libgvm-pg-server.so.0
lrwxrwxrwx 1 root root 25 Apr 13 19:18 /usr/local/lib/libgvm-pg-server.so.0 -> libgvm-pg-server.so.9.0.0
-rw-r--r-- 1 root root 47272 Apr 13 19:17 /usr/local/lib/libgvm-pg-server.so.9.0.0
lrwxrwxrwx 1 root root 17 Apr 13 19:14 /usr/local/lib/libgvm_base.so -> libgvm_base.so.11
lrwxrwxrwx 1 root root 21 Apr 13 19:14 /usr/local/lib/libgvm_base.so.11 -> libgvm_base.so.11.0.0
-rw-r--r-- 1 root root 87800 Apr 13 19:14 /usr/local/lib/libgvm_base.so.11.0.0
lrwxrwxrwx 1 root root 16 Apr 13 19:14 /usr/local/lib/libgvm_gmp.so -> libgvm_gmp.so.11
lrwxrwxrwx 1 root root 20 Apr 13 19:14 /usr/local/lib/libgvm_gmp.so.11 -> libgvm_gmp.so.11.0.0
-rw-r--r-- 1 root root 30832 Apr 13 19:14 /usr/local/lib/libgvm_gmp.so.11.0.0
lrwxrwxrwx 1 root root 16 Apr 13 19:14 /usr/local/lib/libgvm_osp.so -> libgvm_osp.so.11
lrwxrwxrwx 1 root root 20 Apr 13 19:14 /usr/local/lib/libgvm_osp.so.11 -> libgvm_osp.so.11.0.0
-rw-r--r-- 1 root root 32240 Apr 13 19:14 /usr/local/lib/libgvm_osp.so.11.0.0
lrwxrwxrwx 1 root root 17 Apr 13 19:14 /usr/local/lib/libgvm_util.so -> libgvm_util.so.11
lrwxrwxrwx 1 root root 21 Apr 13 19:14 /usr/local/lib/libgvm_util.so.11 -> libgvm_util.so.11.0.0
-rw-r--r-- 1 root root 109016 Apr 13 19:14 /usr/local/lib/libgvm_util.so.11.0.0

Environment

Operating system:
Kernel: (‘uname -a’)

This is docker of ubuntu 18.04 running on top of ubuntu 18.04.
$ uname -a
Linux dfc5540148c2 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Installation method / source:
Compiled from release source code.

Whether a specific severity (in your example 4.3) is a medium threat or not, partly depends on which severity class you are applying to calculate the threat (for example, NVD, Schwachstellenampel or PCI-DSS can be chosen in the user settings). For the client, GVM-11 can take this class into account to come up with a proper threat level. <severity> of 4.3 is a reliable value, <threat> would not be.

Thanks a lot for the clarification. However, if this is the case, then shouldn’t result_threat be marked as optional in the protocol specification? https://docs.greenbone.net/API/GMP/gmp-9.0.html#command_get_results

Another thing is, why is “summary” missing from the tags value?

Thanks!
Karel
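
For scripts being ported between the two layouts quoted in this thread, the following added example (not code from the thread or from the Greenbone project) reads a `<result>` in either shape and derives the threat label from `<severity>` on the client side, as the reply above suggests. The function names and the `NVD_BANDS` cut-offs are assumptions made for illustration; substitute the bands of the severity class you actually use.

```python
import xml.etree.ElementTree as ET

# Assumed NVD-style bands (lower bound, label); other severity classes differ.
NVD_BANDS = [(7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

def threat_from_severity(sev, bands=NVD_BANDS):
    """Map a numeric severity to a threat label on the client side."""
    if sev < 0:
        return None  # special negative severities are not vulnerability levels
    return next((label for floor, label in bands if sev >= floor), "Log")

def normalize(result_xml, bands=NVD_BANDS):
    """Return one dict shape for a <result> in either layout from the thread."""
    r = ET.fromstring(result_xml)
    nvt = r.find("nvt")
    # <tags> is a '|'-separated list of key=value pairs in both layouts.
    pairs = (t.split("=", 1) for t in (nvt.findtext("tags") or "").split("|") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    # Newer layout: <refs><ref type="url" id="..."/>; older: "URL:..., URL:..." in <xref>.
    refs = [e.get("id") for e in nvt.findall("refs/ref") if e.get("type") == "url"]
    if not refs:
        xref = (nvt.findtext("xref") or "").split(",")
        refs = [x.strip()[4:] for x in xref if x.strip().startswith("URL:")]
    sev = float(r.findtext("severity"))
    return {
        "host": (r.find("host").text or "").strip(),
        "port": r.findtext("port"),
        "oid": nvt.get("oid"),
        "severity": sev,
        "threat": threat_from_severity(sev, bands),  # always derived locally
        "server_threat": r.findtext("threat"),       # None when the element is absent
        "summary": tags.get("summary"),              # None when the tag is absent
        "refs": refs,
    }

# Constructed samples, trimmed from the two results quoted in the thread.
OLD = """<result id="old"><host>10.0.30.26<asset asset_id="a"/></host><port>22/tcp</port>
<nvt oid="1.3.6.1.4.1.25623.1.0.105611"><cvss_base>4.3</cvss_base>
<xref>URL:https://tools.ietf.org/html/rfc4253#section-6.3, URL:https://www.kb.cert.org/vuls/id/958563</xref>
<tags>summary=The remote SSH server is configured to allow weak encryption algorithms.|solution_type=Mitigation</tags>
</nvt><threat>Medium</threat><severity>4.3</severity></result>"""
NEW = """<result id="new"><host>10.0.30.26<asset asset_id="b"/><hostname>power-sc.localdomain</hostname></host>
<port>22/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.105611"><cvss_base>4.3</cvss_base>
<tags>solution=Disable the weak encryption algorithms.|solution_type=Mitigation</tags>
<refs><ref type="url" id="https://tools.ietf.org/html/rfc4253#section-6.3"/>
<ref type="url" id="https://www.kb.cert.org/vuls/id/958563"/></refs></nvt>
<severity>4.3</severity><qod><value>95</value></qod></result>"""

if __name__ == "__main__":
    for doc in (OLD, NEW):
        print(normalize(doc))
```

Because `summary` comes back as `None` for the newer layout, a report generator built on this should treat it as optional rather than failing on a missing key.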