Hi All,
I have 2 twin VMs.
ON 17 Jan I have done a scan on VM "A"and the result describes 2 vulnerabilities named
“PHP Multiple Vulnerabilities - Dec19 (Linux)” and
“PHP ‘CVE-2018-19935’ - ‘imap_mail’ Denial of Service Vulnerability (Linux)”
2 days ago I have updates my feed
scap
nvt
cert
and I have done a scan on VM “B” and magically vulnerabilities are not showed on this VM.
For double check I have done again a scan on VM “A” (with updated feeds) and vulnerabilities disappeared as well.
Checking on plugins, the nasl that do the check is gb_php_imap_mail_dos_vuln_lin.nasl saved in my path “/var/lib/openvas/plugins/2018/php”.
Launching this nasl with openvas_nasl it does nothing; putting some display(“Here”); in tyhe nasl to log something, I noticed that for example the variable port is not set.
Before the update it works, so my question is: anyone have noticed this?
Is there a problem in the new nasl updates?
Have I done some mistakes?
The command I used to launch manually the nasl is:
UPDATE:
I found the way to launch correctly the NASL via CLI: i didn’t included gb_php_detect.nasl and
os_detection.nasl as specified in: script_dependencies(“gb_php_detect.nasl”, “os_detection.nasl”);
Most “Linux” VTs which are checking for a Banner of a software (especially PHP) have a QoD of remote_banner_unreliable (See Overview on QoD values and types).
This means vulnerabilities of such VTs are not showing up by default in your reports. To show them you need to update your filter to show results for VTs having a QoD < 70 %.
Your seen difference is most likely caused by either different used filters or the manager not having build up its internal metadata database at the first scan which caused a fallback to a QoD of 75 %.
As both topics are not related to the Vulnerability Test at all i’m moving this to the GSE category for now.
The remote_banner_unreliable is 30%, do this means it will not be checked?
By the way, in the previous scan, the vulnerabilities were present in the report; they disappear after my Feed status update.
UPDATE 3
Scan is finished and vulnerabilities are not present in the report.
I think the problem is not the database.
I try to set a lower QoD on the Task, but I don’t think this will be a solution/workaround
And he prints in openvassd.dump 1 of the “trovato”, so it means he recognize the version and the vulnerability.
But in the vulnerabilities report, it’s still absent.
One thing I don’t understand is that the vulnerability has a QoD about 75, but in nasl I have seen
cfi:
or the manager not having build up its internal metadata database at the first scan which caused a fallback to a QoD of 75 %.
The previously used openvasmd --rebuild probably has corrected this.
I have done the rebuild, but the Vulnerability’s QoD is still 75%
An explanation for this was given previously as well:
cfi:
This means vulnerabilities of such VTs are not showing up by default in your reports. To show them you need to update your filter to show results for VTs having a QoD < 70 %.
I created a Task with min QoD=29% but the vulnerability still not appear in the report.
Now I have created a Task with QoD=10%, I’ll post the result after it finish.
Anyway, after the rebuild, nothing has changed for now.
But if the vulnearability still remain with a 75% QoD, should be it present in the report?
I have read the document u sent (thank you, they are very useful), but I still don’t understand why vulnerability are not visible in the report.
Should I miss something?
Hi.
the task with QoD=10% is finished and the vulnerability is not visible in the report
Here the screenshot about my task:
My new question is:
In the task report, I have the vulnerability “PHP Multiple Vulnerabilities - Dec19 (Linux)” with a QoD=75% but in NVT the same vulnerability has QoD=30%
It may be possible that the report details view applies a different min qod filter. You should try to add min_qod>=30 or similar to the powerfilter at your report details page.
Hi bricks and thank you for the answer,
I modified the report QoD to 28% and now the vulnerability appears.
But this cause a lot of questions
Why in the previous report it showed the vulnerability? (I didn’t modified nothing)
As you can see in the screenshot, the “PHP Multiple Vulnerabilities - Dec19 (Linux)” has a 75% QoD, instead the other 30%. Is this an error?
the other vulnerability that has QoD=75% is “PHP ‘CVE-2018-19935’ - ‘imap_mail’ Denial of Service Vulnerability (Linux)”: this is the other vulnerability that has the same visibility problem
as @cfi already wrote. That means the min qod seems to be preserved for a report and isn’t updated afterwards. Because each report should never update its data surprisingly this behavior is intended.
The behavior may seem surprising but have you any idea to solve this?
I tried openvasmd --rebuild as suggested but, surprisingly, it doesn’t resolve the problem…
It may be possible that the scanner still uses the old data. There should be some command line switch to update its data too. Can’t remember the exact command currently.
Hi bricks,
sorry for the misunderstanding: these are NEW scans.
It may be possible that the scanner still uses the old data. There should be some command line switch to update its data too. Can’t remember the exact command currently.