Question about multiple plugins detect one vulnerability

Hi, I noticed that there are many plugins in the feed that detect the same vulnerability of an application such as Apache HTTP server for each operating system, why don’t you just check the version of the application alone? If the scanner can’t detect the operating system, will there be false negatives?

This is due to a limitation on GVM side:

A VT is only allowed to have a single “Quality of Detection” (QoD) value (e.g. script_tag(name:"qod_type", value:"remote_banner");) and isn’t allowed to change it during its runtime.

But as products like e.g. Apache HTTP Server running on Linux/Unix are covered via “Backports” (which are not raising the application version but still fixing security vulnerabilities by a “backported” patch), related version checks for such products need a low QoD like remote_banner_unreliable as they would cause false positives otherwise.

On Windows no such thing like Backports exists and thus VTs running against Windows hosts can have a higher QoD like remote_banner.

Because of these differences and due to the previously mentioned limitation on GVM side you often see two VTs for the same flaw where the only difference is the QoD value.

You can read more about the QoD topic / concept here:

https://docs.greenbone.net/GSM-Manual/gos-21.04/en/reports.html#quality-of-detection-concept

2 Likes

@cfi Thank you for the explanation. But how about when the host’s operating system is unknown? Should we still check for the vulnerability with a low QoD also?
About backport, I think it’s better to check for known backport versions, is it possible?

1 Like

In this case a fallback to the “low” QoD variant of the VT in question is done (example from “os_detection.nasl”):

if( ! found_best ) {
  report += "No Best matching OS identified. Please see the VT 'Unknown OS and Service Banner Reporting' (OID: 1.3.6.1.4.1.25623.1.0.108441) ";
  report += "for possible ways to identify this OS.";
  # nb: Setting the runs_key to unixoide makes sure that we still schedule VTs using Host/runs_unixoide as a fallback
  set_kb_item( name:"Host/runs_unixoide", value:TRUE );
}

About backport, I think it’s better to check for known backport versions, is it possible?

This probably would be possible for a few products like OpenSSH / Apache HTTPd if they are exposing their specific distro version suffix (like deb9u11). But this is not done from our side due to various reasons for which I can’t go into details.

2 Likes
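To make the two answers above concrete, here is an added Python model (not Greenbone/GVM code, and not NASL) of the scheduling and reporting logic they describe: OS detection sets a Host/runs_* key with Host/runs_unixoide as the fallback for an unknown OS, two VT variants for the same flaw differ only in QoD, and the report filter then decides what the user sees. The numeric QoD values (remote_banner = 80, remote_banner_unreliable = 30) and the 70 % default report filter are taken from the Greenbone QoD documentation as remembered here and should be treated as assumptions; the VT OIDs, the fixed version and the host banners are constructed placeholders for the example.

```python
"""Model of one flaw covered by two QoD variants of a version check.

Added example, not GVM/Greenbone code. QoD numbers and the 70 % default
report filter are assumptions taken from the Greenbone QoD docs; the
catalogue, OIDs, versions and hosts below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed QoD weights from the Greenbone QoD concept page.
QOD = {"remote_banner": 80, "remote_banner_unreliable": 30}
DEFAULT_MIN_QOD = 70  # assumed GVM default report filter (min_qod)


@dataclass
class VT:
    oid: str            # placeholder OID, not a real feed OID
    qod_type: str       # the single qod_type a VT is allowed to carry
    runs_key: str       # KB key that gets the VT scheduled on a host
    fixed_version: tuple


@dataclass
class Host:
    name: str
    os_detected: Optional[str]   # "windows", "linux" or None (unknown)
    httpd_version: tuple         # version parsed from the server banner
    kb: dict = field(default_factory=dict)


# One hypothetical flaw, fixed upstream in 2.4.99 (placeholder), as two VTs.
CATALOGUE = [
    VT("1.3.6.1.4.1.25623.1.0.PLACEHOLDER1", "remote_banner",
       "Host/runs_windows", (2, 4, 99)),
    VT("1.3.6.1.4.1.25623.1.0.PLACEHOLDER2", "remote_banner_unreliable",
       "Host/runs_unixoide", (2, 4, 99)),
]


def demo_hosts():
    """Constructed hosts: all three show the same (pre-fix) banner version."""
    return [
        Host("win-host", "windows", (2, 4, 50)),
        Host("deb-host", "linux", (2, 4, 50)),      # may carry a backported fix
        Host("mystery-host", None, (2, 4, 50)),     # OS detection found nothing
    ]


def os_detection(host):
    """Mirror of the os_detection.nasl fallback: unknown OS => runs_unixoide."""
    if host.os_detected == "windows":
        host.kb["Host/runs_windows"] = True
    else:
        host.kb["Host/runs_unixoide"] = True
    return host.kb


def scheduled_vts(host, catalogue):
    """A VT runs only when its runs_key was set by OS detection."""
    return [vt for vt in catalogue if host.kb.get(vt.runs_key)]


def run_version_check(vt, host):
    """Pure banner comparison; the QoD carries how much to trust it."""
    if host.httpd_version < vt.fixed_version:
        return {"oid": vt.oid, "host": host.name, "qod": QOD[vt.qod_type]}
    return None


def scan(hosts, catalogue=CATALOGUE):
    results = []
    for host in hosts:
        os_detection(host)
        for vt in scheduled_vts(host, catalogue):
            result = run_version_check(vt, host)
            if result:
                results.append(result)
    return results


def filter_report(results, min_qod=DEFAULT_MIN_QOD):
    """What the report shows: results below the QoD filter are hidden."""
    return [r for r in results if r["qod"] >= min_qod]


if __name__ == "__main__":
    raw = scan(demo_hosts())
    print("raw results  :", [(r["host"], r["qod"]) for r in raw])
    print("default view :", [r["host"] for r in filter_report(raw)])
    print("min_qod=30   :", [r["host"] for r in filter_report(raw, 30)])
```

Running it shows why the feed needs both variants: all three hosts trip the version check, but only the Windows result (QoD 80) survives the default filter, while the Linux host and the unknown-OS host (which fell back to the unixoide variant) are reported at QoD 30 and only appear when the user lowers the filter, which is the intended way of saying "possibly vulnerable, unless a backport fixed it".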