OS End of Life detection NVT 1.3.6.1.4.1.25623.1.0.103674 not showing up in reports

Hello,

I have the problem that the OS End of Life check is not showing up in the reports.

I scanned Win2k8 and Win7 clients with “Full and Fast” and there are multiple vulnerabilities, but OS End of Life does not show up.

I checked the “Full and Fast” Scan config and 1.3.6.1.4.1.25623.1.0.103674 is part of it.

Any advice would be welcome.

Best regards

Volker

The End of Life Detection of an Operating System heavily depends on the level of detail in which the OS was detected during the scan.

As an example, the extended support of Windows 7 with an installed SP1 ends in January 2020, so a Windows 7 can’t be reported generally as End of Life because it isn’t if SP1 is installed.

If it was not possible to detect whether an SP is installed on the target, no EOL message will be reported.

Have a look at the output of the following two VTs to see how and in which detail the OS was detected:

OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937)
Unknown OS and Service Banner Reporting (OID: 1.3.6.1.4.1.25623.1.0.108441)

You also might want to consider configuring Authenticated Scans against your Windows systems.

Hi cfi,

thanks for the info!

The scan revealed this in 1.3.6.1.4.1.25623.1.0.105937:

OS: Windows Server 2003 3790 Service Pack 2
CPE: cpe:/o:microsoft:windows_server_2003:-:sp2
Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
Concluded from SMB/Samba banner on port 445/tcp: OS String: Windows Server 2003 3790 Service Pack 2; SMB String: Windows Server 2003 5.2
Setting key “Host/runs_windows” based on this information

If I understand the logic correctly, the script uses os_eol.inc to determine the EOL. But in that include file there is no “cpe:/o:microsoft:windows_server_2003:-:sp2”, only a “cpe:/o:microsoft:windows_server_2003::sp2” (the hyphen is missing). That's why the EOL warning is not triggered?

Best regards

Volker


@VolkerS

Nice catch, it seems there were indeed some inconsistencies throughout the whole feed in how the Windows CPEs were used / built (probably due to historical reasons, because even in the NVD, specifically for Windows Server 2003, the CPEs are a little bit mixed up).

All VTs setting/registering an OS as well as the os_eol.inc have been updated today to use one single / consistent syntax. The changes should be available with one of the next feed updates and at least the Server 2003 as shown above should be detected as EOL again.
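The mismatch discussed in this thread, as an added example that is not part of the original posts and not the feed's own code: a small Python check that finds a detected CPE which misses an exact-string EOL lookup only because one component is written as `-` in one place and left empty in the other. `EOL_KEYS`, `parse_cpe22`, `canonical` and `lookup_eol` are hypothetical names, the table is constructed from the two strings quoted above, and the exact-string lookup is an assumption about how such a table is consulted.

```python
# Added example. EOL_KEYS is a constructed stand-in for an EOL table keyed on
# CPE 2.2 URIs; it is not copied from os_eol.inc.
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

EOL_KEYS = {"cpe:/o:microsoft:windows_server_2003::sp2"}


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into its seven named components ('' when absent)."""
    prefix = "cpe:/"
    if not uri.startswith(prefix):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len(prefix):].split(":")
    if len(parts) > len(CPE22_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    parts += [""] * (len(CPE22_FIELDS) - len(parts))
    return dict(zip(CPE22_FIELDS, (p.lower() for p in parts)))


def canonical(uri):
    """Comparison key that collapses '-' and '' into one spelling.

    The CPE naming specification treats an empty component (ANY) and '-' (NA)
    as different values; this check deliberately ignores that difference so
    that entries which differ only in this spelling are surfaced.
    """
    c = parse_cpe22(uri)
    return tuple("" if c[f] == "-" else c[f] for f in CPE22_FIELDS)


def lookup_eol(detected, eol_keys):
    """Return ('exact' | 'near-miss' | 'none', matching table key or None)."""
    if detected in eol_keys:
        return "exact", detected
    want = canonical(detected)
    for key in sorted(eol_keys):
        if canonical(key) == want:
            return "near-miss", key
    return "none", None


if __name__ == "__main__":
    # CPE string as reported by the OS detection VT in the post above.
    detected = "cpe:/o:microsoft:windows_server_2003:-:sp2"
    print(detected, "->", lookup_eol(detected, EOL_KEYS))
```

A `near-miss` result means the table and the detection disagree only on the `-` versus empty spelling, which is the kind of inconsistency worth fixing at the source so that both sides use one syntax.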

Hi cfi,

OK, OS EOL detection is now working as intended. Thanks for the quick fix.

Volker
