Merge branch 'master' of github.com:diego-treitos/linux-smart-enumera…

…tion
diego-treitos · Jun 18, 2022 · fb2f084 · fb2f084
2 parents 3aed7e5 + 51a3a68
commit fb2f084
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 1 deletion.
diff --git a/cve/README.md b/cve/README.md
@@ -0,0 +1,44 @@
+# linux-smart-enumeration CVE checks
+
+LSE can test the host for certain CVEs that might allow privilege escalation.
+
+Each CVE is tested by a specific script, stored in this folder.
+To enable CVE checking for LSE, these scripts need to be bundled with `lse.sh`.
+This is accomplished by the tool `tools/package_cvs_into_lse.sh`, which creates `lse_cve.sh`.
+For LSE on the GitHub Releases page, this has already been done.
+
+
+## Adding and improving CVE checks
+
+To add a new CVE check, just create a copy of the `skel.sh` script in this folder and fill out the metadata.
+Then implement the `lse_cve_test()` function for the specific CVE (get inspiration from existing scripts).
+Usually this involves checking and comparing the version of the affected software.
+If it looks vulnerable, output something to stdout, otherwise do not.
+
+LSE aims to minimize false positives but for CVE tests, this might require checking backported patches for certain Linux distributions.
+This is where improvements are always possible.
+If you encounter a false positive, just add the fixed package version for the affected distribution to the script and submit a pull request.
+
+The general workflow for a `lse_cve_test()` function is:
+- get the version of the affected software
+- if the version is too old or too new to be affected, output nothing and exit
+- for some important distributions, list the package version shipping the backported fix
+- if installed package version is recent enough, output nothing and exit
+- otherwise, it looks vulnerable: output something like "Vulnerable!" and the software version
+
+LSE supports this process with a few helper functions and variables, most notably:
+- `lse_is_version_bigger` is true if the first argument is larger than the second according to version sort
+- `lse_get_pkg_version` obtains the version of an installed software package
+- `$lse_distro_codename` contains the distribution name like `ubuntu`, `debian`, `redhat`, ...
+
+
+### Sources for researching affected versions
+
+Checking package versions with backported fixes is somewhat optional and nearly impossible to be complete for all existing distributions.
+However, it is crucial to eliminate false positives.
+The following sources help to determine in which version a distribution patched something.
+
+- Debian: [Security Bug Tracker](https://security-tracker.debian.org/tracker/) allows to search for CVEs and patched versions
+- Ubuntu: [Ubuntu Security CVEs](https://ubuntu.com/security/cves) lists CVEs affecting Ubuntu and patched versions
+- Fedora: [Koji buildserver](https://koji.fedoraproject.org/koji/) contains a changelog for each package build
+- Amazon Linux: [Amazon Linux Security Center](https://alas.aws.amazon.com/) lists patched versions in their advisories
diff --git a/cve/cve-2021-3156.sh b/cve/cve-2021-3156.sh
@@ -91,10 +91,24 @@ lse_cve_test() { #(
             ;;
         esac
         ;;
+      amzn)
+        [ -r "/etc/os-release" ] && distro_release=$(grep -E '^VERSION_ID=' /etc/os-release | cut -f2 -d= | tr -d '"')
+        case "$distro_release" in
+          1)
+            package_fixed="1.8.23-9.56.amzn1"
+            ;;
+          2)
+            package_fixed="1.8.23-4.amzn2.2.1"
+            ;;
+        esac
+        ;;
     esac
     if [ -n "$package_fixed" ] && [ -n "$package_version" ] && ! lse_is_version_bigger "$package_fixed" "$package_version"; then
       exit 1
     fi
   fi
   $vulnerable && echo "Vulnerable! sudo version: $sudo_version"
 } #)
+
+# Uncomment this line for testing the lse_cve_test function
+#lse_NO_EXEC=true . ../lse.sh ; lse_cve_test
diff --git a/lse.sh b/lse.sh
@@ -638,7 +638,7 @@ lse_get_pkg_version() { #(
     debian|ubuntu)
       pkg_version=`dpkg -l "$pkg_name" 2>/dev/null | grep -E '^ii' | tr -s ' ' | cut -d' ' -f3`
       ;;
-    centos|redhat|fedora|opsuse|rocky)
+    centos|redhat|fedora|opsuse|rocky|amzn)
       pkg_version=`rpm -q "$pkg_name" 2>/dev/null`
       pkg_version="${pkg_version##$pkg_name-}"
       pkg_version=`echo "$pkg_version" | sed -E 's/\.(aarch64|armv7hl|i686|noarch|ppc64le|s390x|x86_64)$//'`