
Check your system for vulnerabilities using CVEChecker

The goal of cvechecker is to report possible vulnerabilities on your system by scanning the installed software and matching the results against the CVE database. This is not a bullet-proof method, and you will most likely get many false positives (for example, when a vulnerability is fixed in a revision release but the tool cannot detect the revision itself), yet it is still better than nothing, especially if you are running a distribution with little security coverage.

Still, the tool remains useful. With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system. You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).

The tool needs your help as well, however. Most of the work lies in telling cvechecker how to detect which software is installed and in which version. For more information, see the cvechecker man page.

Install required packages:

root@coresec:~# apt-get install libconfig8-dev libsqlite3-dev libxslt1-dev

Compilation Process:

root@coresec:~# tar -zxvf cvechecker-3.1.tar.gz
root@coresec:~# cd cvechecker-3.1/
root@coresec:~/cvechecker-3.1# ./configure --enable-sqlite3
root@coresec:~/cvechecker-3.1# make
root@coresec:~/cvechecker-3.1# make install

Initialize SQLite3 Database:

root@coresec:~/cvechecker-3.1# cvechecker -i

To pull the necessary data from the Internet:

root@coresec:~/cvechecker-3.1# pullcves pull
 
Downloading nvdcve-2.0-2002.xml... ok
Converting nvdcve-2.0-2002.xml to CSV... ok
Loading in nvdcve-2.0-2002.csv in cvechecker.
I am missing the index cveidx2. This is to be expected if this is the first run of cvechecker since an upgrade.
I will now create cveidx2 for you, no further actions are needed.
Some updates have occurred which might affect the database initialization.
Please restart the command.
Downloading nvdcve-2.0-2003.xml... ok
Converting nvdcve-2.0-2003.xml to CSV... ok
Loading in nvdcve-2.0-2003.csv in cvechecker.
Loading CVE data from /usr/local/var/cvechecker/cache/nvdcve-2.0-2003.csv into database
 100 records processed (0 already in db)...
 200 records processed (0 already in db)...
 300 records processed (0 already in db)...
 .....

Generate List of Files:

root@coresec:~/cvechecker-3.1# find / -type f -perm -o+x > scanlist.txt
root@coresec:~/cvechecker-3.1# echo "/proc/version" >> scanlist.txt

Gather List of Installed Software/Versions:

root@coresec:~/cvechecker-3.1# cvechecker -b scanlist.txt
 
Searching for known software titles...
 - Found match for /lib/libpthread-2.12.1.so:   cpe:/a:gnu:glibc:2.12.1:::
 - Found match for /sbin/resize2fs:     cpe:/a:ext2_filesystems_utilities:e2fsprogs:1.41.12:::
 - Found match for /sbin/mkfs.ext4:     cpe:/a:ext2_filesystems_utilities:e2fsprogs:1.41.12:::
 - Found match for /sbin/iptables-save: cpe:/a:netfilter_core_team:iptables:1.4.4:::
 - Found match for /sbin/iptables-save: cpe:/a:netfilter_core_team:iptables:1.4.4:::
   .....

Output Matching CVE Entries:

root@coresec:~/cvechecker-3.1# cvechecker -r
 
File "/bin/dbus-daemon" (CPE = cpe:/a:freedesktop:dbus:1.4.0:::) on host coresec (key coresec)
  Potential vulnerability found (CVE-2010-4352)
  Full vulnerability match (incl. edition/language)
File "/bin/dbus-uuidgen" (CPE = cpe:/a:freedesktop:dbus:1.4.0:::) on host coresec (key coresec)
  Potential vulnerability found (CVE-2010-4352)
  Full vulnerability match (incl. edition/language)
File "/usr/bin/dbus-launch" (CPE = cpe:/a:freedesktop:dbus:1.4.0:::) on host coresec (key coresec)
  Potential vulnerability found (CVE-2010-4352)
  Full vulnerability match (incl. edition/language)
  ......

Export to CSV format:

root@coresec:~/cvechecker-3.1# cvechecker -r -C
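
The text report from `cvechecker -r` repeats the same CVE once per matching file, which makes triage (verify, fix or mark as false positive) noisy. The following shell function is an added example, not part of the original article or of cvechecker itself; it collapses the report to one line per CPE/CVE pair with a file count. It assumes the report layout shown above; the acknowledgement file and the record with the placeholder id CVE-0000-0001 are hypothetical.

```shell
#!/bin/sh
# Collapse `cvechecker -r` text output to one line per CPE/CVE pair.
# Usage: cvechecker -r | summarize_report [ackfile]
# ackfile (hypothetical convention): CVE ids already triaged as false
# positives, one per line; matching findings are dropped.
summarize_report() {
    awk -v ackfile="${1:-}" '
    BEGIN {
        if (ackfile != "")
            while ((getline line < ackfile) > 0) acked[line] = 1
    }
    # A File line opens a record; remember its CPE.
    /^File "/ {
        cpe = ""
        if (match($0, /\(CPE = [^)]*\)/))
            cpe = substr($0, RSTART + 7, RLENGTH - 8)
        next
    }
    # Each CVE line under it is one finding for that CPE.
    /Potential vulnerability found \(CVE-/ {
        if (cpe == "" || !match($0, /CVE-[0-9]+-[0-9]+/)) next
        cve = substr($0, RSTART, RLENGTH)
        if (!(cve in acked)) files[cpe "\t" cve]++
    }
    END { for (k in files) printf "%s\t%d\n", k, files[k] }
    ' | sort
}

# Constructed sample: the three dbus records shown above plus one made-up
# record with a placeholder CVE id (not a real finding).
sample_report() {
    cat <<'EOF'
File "/bin/dbus-daemon" (CPE = cpe:/a:freedesktop:dbus:1.4.0:::) on host coresec (key coresec)
  Potential vulnerability found (CVE-2010-4352)
  Full vulnerability match (incl. edition/language)
File "/bin/dbus-uuidgen" (CPE = cpe:/a:freedesktop:dbus:1.4.0:::) on host coresec (key coresec)
  Potential vulnerability found (CVE-2010-4352)
  Full vulnerability match (incl. edition/language)
File "/usr/bin/dbus-launch" (CPE = cpe:/a:freedesktop:dbus:1.4.0:::) on host coresec (key coresec)
  Potential vulnerability found (CVE-2010-4352)
  Full vulnerability match (incl. edition/language)
File "/sbin/iptables-save" (CPE = cpe:/a:netfilter_core_team:iptables:1.4.4:::) on host coresec (key coresec)
  Potential vulnerability found (CVE-0000-0001)
EOF
}

sample_report | summarize_report
```

The output columns are CPE, CVE id and number of affected files, separated by tabs.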

Documentation: http://cvechecker.sourceforge.net/documentation.html
Download: http://cvechecker.sourceforge.net/download.html

