OS Detection improvement

Hi, as requested by @cfi in Operating System is in use? I report two detections which might be improved?:

Best matching OS:

OS:           Ubuntu
CPE:          cpe:/o:canonical:ubuntu_linux
Found by NVT: 1.3.6.1.4.1.25623.1.0.105586 (SSH OS Identification)
Concluded from SSH banner on port 22/tcp: SSH-2.0-OpenSSH_8.3p1 Ubuntu-1
Setting key "Host/runs_unixoide" based on this information

Other OS detections (in order of reliability):

OS:           Debian GNU/Linux
CPE:          cpe:/o:debian:debian_linux
Found by NVT: 1.3.6.1.4.1.25623.1.0.100292 (apcupsd / apcnisd Detection)
Concluded from apcupsd Banner on port 3551/tcp: VERSION  : 3.14.14 (31 May 2016) debian

apcupsd running on Ubuntu is detected as debian…

Best matching OS:

OS:           Debian GNU/Linux 10
Version:      10
CPE:          cpe:/o:debian:debian_linux:10
Found by NVT: 1.3.6.1.4.1.25623.1.0.105586 (SSH OS Identification)
Concluded from SSH banner on port 22/tcp: SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
Setting key "Host/runs_unixoide" based on this information

Other OS detections (in order of reliability):

OS:           Linux/Unix
CPE:          cpe:/o:linux:kernel
Found by NVT: 1.3.6.1.4.1.25623.1.0.111067 (HTTP OS Identification)
Concluded from HTTP Server banner on port 8006/tcp: Server: pve-api-daemon/3.0

This is actually Proxmox (“pve” = Proxmox virtual environment https://www.proxmox.com/proxmox-ve)
Yes, its Debian-based and there is probably no way of telling if it was installed as package(s) or from iso…

2 Likes

Thanks a lot for providing this information / doing this posting :+1:

From VT side the only result which counts is the “Best matching OS” which is correctly detected as Ubuntu. Other less unreliable ones are mentioned below which is the case for apcupsd.

As the banner reports “debian” and not “ubuntu” there is unfortunately no detection improvement possible for the less reliable results.

We have a HTTP based OS detection covered by the following VTs:

Name: Proxmox Virtual Environment Detection
OID: 1.3.6.1.4.1.25623.1.0.111090

Name: HTTP OS Identification
OID: 1.3.6.1.4.1.25623.1.0.111067

but indeed not sure if it is possible to somehow differ between the ISO and the package installation. Any further details on such detection possibilities of PVE are very welcome.

The first VT was not present in my results - dont know why…

The second VT is the one that identified Proxmox as “cpe:/o:linux:kernel” which should be something more like “cpe:/o:debian:proxmox”!?

Just thinking: If it has the package installed it is a virtualization node.
So the installation method should not matter and it probably should “override” the “Best matching OS”

Sorry it was deteced based on the TCP-Stack that a Linux Kernel takes care of TCP/IP, nothing more. The detection was and is correct. There is no Proxmox TCP-Stack :wink:

The VT is checking for a pattern in the response:

if( egrep( pattern:"^Server: pve-api-daemon/[0-9.]+", string:banner, icase:TRUE ) ) {
  register_and_report_os( os:"Linux/Unix", cpe:"cpe:/o:linux:kernel", banner_type:banner_type, port:port, banner:banner, desc:SCRIPT_DESC, runs_key:"unixoide" );
  return;
}

If it matches it says “hey its Linux”, but the software is only running on Proxmox so it should say “hey its Proxmox”

Another check in the same VT looks like this:

if( "Nginx centOS" >< banner ) {
  register_and_report_os( os:"CentOS", cpe:"cpe:/o:centos:centos", banner_type:banner_type, port:port, banner:banner, desc:SCRIPT_DESC, runs_key:"unixoide" );
  return;
}

This does the same thing (except its not an abbreviation) and it says “hey its Centos”

Ah, indeed. I had missed that this VT currently isn’t doing any OS detection. And after having a look at it i noticed that i had written that myself and can now remember that i wasn’t sure back then if Proxmox VE is really an OS (cpe:/o:) or just an application used by an OS like Debian (cpe:/a:) and decided to go for the latter.

But after reading the following in https://www.proxmox.com/en/proxmox-ve/get-started :

you’ll get a complete operating system based on Debian GNU/Linux

it really could make sense to update both VTs to register Proxmox VE as an OS. I have raised an internal ticket about this task.

3 Likes

Mhhh, i was in contact with the NVD because of a typo in a Proxmox VE CPE used by them (cpe:/a:proxmov:virtual_environment instead of cpe:/a:proxmox:virtual_environment) and also mentioned in the conversation that the CPE could be a cpe:/o: for an Operating System instead.

They disagreed on that because they think that Proxmox VE isn’t an Operating System at all. As we need to stay as near as possible with the official CPEs used by the NVD we’re now going for the following in the next few weeks:

  • Keeping the cpe:/a for Proxmox VE
  • Registering an Debian operating system CPE if Proxmox was detected
1 Like