
Vuls Major Update - user friendly and new feature custom advisory @ Black Hat MEA 2022

MaineK00n
November 16, 2022

Transcript

  1. Vuls Major Update - user friendly and new feature custom advisory. MaineK00n, KotaKanbe @ Black Hat MEA 2022 Arsenal
  2. Vuls: OSS vulnerability scanner for Linux/FreeBSD, published by @kotakanbe in 2016. Collected 9,500+ stars on GitHub. Currently, the following features have been added:
    • Vulnerability detection of network routers using CPE
    • Show whether there is publicly available exploit information for the detected vulnerabilities
    https://github.com/future-architect/vuls
  3. 1. Nightly Vuls install. Installation is very easy and can be done with go install. Special distribution on Google Drive: Linux: https://onl.bz/6it3MAD Windows: https://onl.bz/5KMVf9U
  4. 2. DB Fetch. Prepare the DB needed for detection. With Vuls, you can simply run `vuls db fetch` and use the latest DB we have prepared.
  5. 3. Configuration for Scan Target. Create a config for the scan target. `vuls config init` creates a config template. Modify the template to suit your environment.
  6. Scan Target. Scan two hosts: 1. localhost (Ubuntu 22.04) 2. a remote host reachable at 127.0.0.1:2222 (Debian 11)
  7. Optional: add the remote host to known_hosts. Vuls connects to the remote host via SSH, so the host should be registered in known_hosts.
  8. 4. Scan. Scan the targets. On operating systems that use dpkg, such as Ubuntu and Debian, package information is collected using dpkg-query. The scan result is as follows.
  9. 6. Report. Use `vuls report -format list` to see the detection results in an easy-to-read format.
  10. CVE-2021-44228 Timeline: the timeline up to the first registration of a CPE Configuration in the NVD
    - 2021/11/25: Alibaba Cloud Security Team reports the vulnerability to The Apache Software Foundation (The ASF)
    - 2021/12/10: PoC released, fix version 2.15.0 released, CVE information posted on NVD
    - 2021/12/11: JPCERT/CC observes PoC abuse
    - 2021/12/13: CPE Configuration registered for the first time at NVD
  11. Custom Advisory. If no data source for detection was provided, the vulnerability could not be detected. We want to freely customize the vulnerability DB for our own use.
  12. Assumed Scenario. You have received information that apache log4j is vulnerable. You would like to be alerted to this vulnerability early by issuing an advisory, BLACKHAT-2022-0001. At first, you do not know which versions are affected, so you create advisory 1 to be on the lookout for all versions of apache log4j. Next, assuming that the affected versions are now known to be up to 2.19.0, create advisory 2.
  13. Create a DB containing custom advisories. Just prepare the advisory in a fixed location and run `vuls db create`.
  14. Scan Target. There are two hosts: 1. cpe1: apache log4j 2.19.1 installed 2. cpe2: apache log4j 2.16.0 installed
  15. Scan. 1. Prepare config.json with the path to vuls.db and start the server mode. 2. Send a request containing the systeminfo to the server.
  16. That's all for now
    • Try Vuls on your machine. If you are using Ubuntu, Debian or Windows, you can get Vuls from the following links and run it now! Linux: https://onl.bz/6it3MAD Windows: https://onl.bz/5KMVf9U
    • Vuls hands-on space. If you want to run the actual flow from db fetch to scan, detect, and report, or if you want to see the contents of vuls.db and the results, please go to the space.
    • If you have any questions, I will answer, but I am not good at English... I will do my best to respond, but if you want a more accurate response, please contact me at Twitter: @MaineK00n E-mail: [email protected]
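Added example, not Vuls' own code or its advisory file format: the version-range matching behind the two-advisory scenario on slides 12 and 14, written in Go (Vuls' language). `Advisory`, `Affected`, `versionLE` and `part` are assumed names, the record layout is a simplified stand-in for a custom advisory, and the CPE strings for cpe1 and cpe2 are constructed from the versions the slides give.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Advisory is a simplified, hypothetical custom-advisory record (not Vuls' format); an empty VersionEndIncluding means every version is affected.
type Advisory struct{ ID, Vendor, Product, VersionEndIncluding string }

// part returns the i-th numeric component of a split version; a missing or non-numeric component counts as 0 (so 2.19 == 2.19.0).
func part(v []string, i int) int {
	if i >= len(v) {
		return 0
	}
	n, _ := strconv.Atoi(v[i])
	return n
}

// versionLE reports whether dotted numeric version a <= b.
func versionLE(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := part(as, i), part(bs, i)
		if x != y {
			return x < y
		}
	}
	return true
}

// Affected reports whether a CPE 2.3 string such as cpe:2.3:a:apache:log4j:2.19.1:*:*:*:*:*:*:* falls inside the advisory's range.
func Affected(adv Advisory, cpe string) bool {
	f := strings.Split(cpe, ":")
	if len(f) < 6 || f[0] != "cpe" || f[1] != "2.3" || f[3] != adv.Vendor || f[4] != adv.Product {
		return false // malformed CPE, or a different vendor/product
	}
	return adv.VersionEndIncluding == "" || versionLE(f[5], adv.VersionEndIncluding)
}

func main() {
	adv := Advisory{"BLACKHAT-2022-0001", "apache", "log4j", "2.19.0"} // advisory 2: affected up to 2.19.0
	// Constructed scan targets from the talk: cpe1 runs log4j 2.19.1, cpe2 runs 2.16.0.
	for _, cpe := range []string{"cpe:2.3:a:apache:log4j:2.19.1:*:*:*:*:*:*:*", "cpe:2.3:a:apache:log4j:2.16.0:*:*:*:*:*:*:*"} {
		fmt.Println(cpe, Affected(adv, cpe)) // only cpe2 (2.16.0) is flagged
	}
}
```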