Vulnerability detection

Michael Messner edited this page Nov 21, 2023 · 2 revisions

As the complete vulnerability detection process is getting more and more complex, here is a short overview of how the pieces fit together:

  • The SBOM detection mechanism is based on the version detection regex rules defined here
  • The detected version identifiers are modified with sed (same config) to query the CVE database via cve-search
  • For the version (and CVE) detection by itself we have multiple modules:
    • s06 for distribution identification (rules are coded in the module)
    • s08 for package management
    • s09 for static detection
    • s24/s25 for kernel version detection
    • s26 for kernel vulnerability detection/verification based on the kernel config or extracted symbols
    • s115/s116 for user-mode emulation
    • L10/L15 for detection in system mode emulation via Nmap scanning
    • L25 for web server detection (in system mode emulation)
    • L35 for CVE detection via exploitation from Metasploit
  • F20 is finally the aggregator module which brings everything together

As you can see, CVE/version detection is not that easy. Every module has its own advantages and disadvantages, and some only run for particular firmware images and only if certain conditions are met.