Purpose
Checking what the matching actually does when an Ubuntu kernel is matched in One Liner Scan Mode
Method
- Check which kernel is installed on Ubuntu 20.04
- Check the OVAL data and identify the package names it targets
- Check how the matching process behaves in One Liner Scan Mode
- Verify the behaviour with the official command
Check which kernel is installed on Ubuntu 20.04
109 and 119 are already mixed together here, which is more than I can make sense of
$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
$ uname -r
5.4.0-105-generic
$ dpkg -l | grep linux
ii console-setup-linux 1.194ubuntu3 all Linux specific part of console-setup
ii libselinux1:amd64 3.0-1build2 amd64 SELinux runtime shared libraries
ii linux-base 4.5ubuntu3.7 all Linux image base package
ii linux-firmware 1.187.29 all Firmware for Linux kernel drivers
ii linux-generic 5.4.0.105.109 amd64 Complete Generic Linux kernel and headers
ii linux-headers-5.4.0-105 5.4.0-105.119 all Header files related to Linux kernel version 5.4.0
ii linux-headers-5.4.0-105-generic 5.4.0-105.119 amd64 Linux kernel headers for version 5.4.0 on 64 bit x86 SMP
ii linux-headers-generic 5.4.0.105.109 amd64 Generic Linux kernel headers
ii linux-image-5.4.0-105-generic 5.4.0-105.119 amd64 Signed kernel image generic
ii linux-image-generic 5.4.0.105.109 amd64 Generic Linux kernel image
ii linux-modules-5.4.0-105-generic 5.4.0-105.119 amd64 Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP
ii linux-modules-extra-5.4.0-105-generic 5.4.0-105.119 amd64 Linux kernel extra modules for version 5.4.0 on 64 bit x86 SMP
ii util-linux 2.34-0.1ubuntu9.3 amd64 miscellaneous system utilities
Check the OVAL data and identify the package names it targets
$ curl http://127.0.0.1:1324/cves/ubuntu/20.04/CVE-2022-0847 | jq
[
{
"DefinitionID": "oval:com.ubuntu.focal:def:202208470000000",
"Title": "CVE-2022-0847 on Ubuntu 20.04 (focal) - high.",
"Description": "A flaw was found in the way the \"flags\" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. Max Kellermann discovered that the Linux kernel incorrectly handled Unix pipes. A local attacker could potentially use this to modify any file that could be opened for reading.",
"Advisory": {
"Severity": "High",
"Cves": [
{
"CveID": "CVE-2022-0847",
"Cvss2": "",
"Cvss3": "",
"Cwe": "",
"Impact": "",
"Href": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847",
"Public": ""
}
],
"Bugzillas": [],
"AffectedCPEList": [],
"Issued": "2022-03-07T00:00:00Z",
"Updated": "2022-03-07T00:00:00Z"
},
"Debian": null,
"AffectedPacks": [
{
"Name": "linux",
"Version": "5.4.0-9.12",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-aws",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-aws-5.13",
"Version": "5.13.0-1017.19~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-azure",
"Version": "5.4.0-1006.6",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-azure-5.13",
"Version": "5.13.0-1017.19~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-azure-fde",
"Version": "5.4.0-1063.66+cvm2.2",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-bluefield",
"Version": "5.4.0-1007.10",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-gcp",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-gcp-5.13",
"Version": "5.13.0-1019.23~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-gke",
"Version": "5.4.0-1033.35",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-gkeop",
"Version": "5.4.0-1008.9",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-hwe-5.13",
"Version": "5.13.0-35.40~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-ibm",
"Version": "5.4.0-1003.4",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-kvm",
"Version": "5.4.0-1004.4",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta",
"Version": "5.4.0-9.12",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-aws",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-aws-5.13",
"Version": "5.13.0-1017.19~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-azure",
"Version": "5.4.0-1006.6",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-azure-5.13",
"Version": "5.13.0-1017.19~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-azure-fde",
"Version": "5.4.0-1063.66+cvm2.2",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-bluefield",
"Version": "5.4.0-1007.10",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-gcp",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-gcp-5.13",
"Version": "5.13.0-1019.23~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-gke",
"Version": "5.4.0-1033.35",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-gkeop",
"Version": "5.4.0-1008.9",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-hwe-5.13",
"Version": "5.13.0-35.40~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-ibm",
"Version": "5.4.0-1003.4",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-kvm",
"Version": "5.4.0-1004.4",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-oem-5.14",
"Version": "5.14.0-1027.30",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-oracle",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-oracle-5.13",
"Version": "5.13.0-1021.26~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-meta-raspi",
"Version": "5.4.0-1007.7",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-oem-5.14",
"Version": "5.14.0-1027.30",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-oracle",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-oracle-5.13",
"Version": "5.13.0-1021.26~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-raspi",
"Version": "5.4.0-1007.7",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed",
"Version": "5.4.0-9.12",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-aws",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-aws-5.13",
"Version": "5.13.0-1017.19~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-azure",
"Version": "5.4.0-1006.6",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-azure-5.13",
"Version": "5.13.0-1017.19~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-azure-fde",
"Version": "5.4.0-1063.66+cvm2.2",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-bluefield",
"Version": "5.4.0-1007.10",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-gcp",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-gcp-5.13",
"Version": "5.13.0-1019.23~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-gke",
"Version": "5.4.0-1033.35",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-gkeop",
"Version": "5.4.0-1008.9",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-hwe-5.13",
"Version": "5.13.0-35.40~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-ibm",
"Version": "5.4.0-1003.4",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-kvm",
"Version": "5.4.0-1004.4",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-oem-5.14",
"Version": "5.14.0-1027.30",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-oracle",
"Version": "5.4.0-1005.5",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
},
{
"Name": "linux-signed-oracle-5.13",
"Version": "5.13.0-1021.26~20.04.1",
"Arch": "",
"NotFixedYet": false,
"ModularityLabel": ""
}
],
"References": [
{
"Source": "CVE",
"RefID": "CVE-2022-0847",
"RefURL": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847"
},
{
"Source": "Ref",
"RefID": "",
"RefURL": "http://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0847.html"
},
{
"Source": "Ref",
"RefID": "",
"RefURL": "https://dirtypipe.cm4all.com/"
},
{
"Source": "Ref",
"RefID": "",
"RefURL": "https://www.openwall.com/lists/oss-security/2022/03/07/1"
},
{
"Source": "Ref",
"RefID": "",
"RefURL": "https://ubuntu.com/security/notices/USN-5317-1"
},
{
"Source": "Ref",
"RefID": "",
"RefURL": "https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/DirtyPipe"
}
]
}
]
Check how the matching process behaves in One Liner Scan Mode
Looking at the goval-dictionary response, linux-image is not used as a package name??
Following the "Server · Vuls" documentation page, prepare JSON along these lines
{
"family": "ubuntu",
"release": "20.04",
"runningKernel": {
"release": "",
"rebootRequired": false
},
"packages": {
"test": {
"name": $package,
"version": $version
}
}
}
Judging by the format used in the OVAL data, a version string with a hyphen in the middle (5.4.0-105.119 rather than 5.4.0.105.109) looks like the correct form
$package | $version | CVE count |
---|---|---|
linux-image | 5.4.0.105.109 | 0 |
linux | 5.4.0.105.109 | 62 |
linux-meta | 5.4.0.105.109 | 62 |
linux-image | 5.4.0-105.109 | 0 |
linux | 5.4.0-105.109 | 75 |
linux-meta | 5.4.0-105.109 | 75 |
Looking at the change history on the Ubuntu package page "Details of package linux-generic in focal", it links to changelogs.ubuntu.com/changelogs/pool/main/l/linux-meta/linux-meta_5.4.0.105.109/changelog.
Would it be better to treat it as linux-meta?
Let's roll back a few versions and see how the detection count changes
$version | linux | linux-meta |
---|---|---|
5.4.0-105.119 | 62 | 62 |
5.4.0-104.108 | 79 | 79 |
5.4.0-96.100 | 91 | 91 |
5.4.0.105.119 | 62 | 62 |
5.4.0.104.108 | 62 | 62 |
5.4.0.96.100 | 62 | 62 |
Verify the behaviour with the official command
$ export VULS_SERVER=[Your Vuls Server]
$ curl -X POST -H "Content-Type: text/plain" -H "X-Vuls-OS-Family: `lsb_release -si | awk '{print tolower($1)}'`" -H "X-Vuls-OS-Release: `lsb_release -sr | awk '{print $1}'`" -H "X-Vuls-Kernel-Release: `uname -r`" -H "X-Vuls-Server-Name: `hostname`" --data-binary "$(dpkg-query -W -f="\${binary:Package},\${db:Status-Abbrev},\${Version},\${Source},\${source:Version}\n")" http://${VULS_SERVER}:5515/vuls > $LOCAL_REPORT
Extracting the part that sends the package information
$ dpkg-query -W -f="\${binary:Package},\${db:Status-Abbrev},\${Version},\${Source},\${source:Version}\n"|grep ^linux
linux-base,ii ,4.5ubuntu3.7,,4.5ubuntu3.7
linux-firmware,ii ,1.187.29,,1.187.29
linux-generic,ii ,5.4.0.105.109,linux-meta,5.4.0.105.109
linux-headers-5.4.0-105,ii ,5.4.0-105.119,linux,5.4.0-105.119
linux-headers-5.4.0-105-generic,ii ,5.4.0-105.119,linux,5.4.0-105.119
linux-headers-generic,ii ,5.4.0.105.109,linux-meta,5.4.0.105.109
linux-image-5.4.0-105-generic,ii ,5.4.0-105.119,linux-signed,5.4.0-105.119
linux-image-generic,ii ,5.4.0.105.109,linux-meta,5.4.0.105.109
linux-modules-5.4.0-105-generic,ii ,5.4.0-105.119,linux,5.4.0-105.119
linux-modules-extra-5.4.0-105-generic,ii ,5.4.0-105.119,linux,5.4.0-105.119
Checking the behaviour when this package information is sent,
only the linux-image-{part of the version}-generic package yields detections.
Also, when the running kernel is left empty or set to a version that does not match, no counts are returned at all.
$ curl -s -X POST -H "Content-Type: text/plain" -H "X-Vuls-OS-Family: ubuntu" -H "X-Vuls-OS-Release: 20.04" -H "X-Vuls-Kernel-Release: 5.4.0-105-generic" -H "X-Vuls-Server-Name: ubuntu" --data-binary "linux-generic,ii ,5.4.0.105.109,linux-meta,5.4.0.105.109" http://localhost:5515/vuls|jq . |tr -d ' '|grep cveID|sort|uniq|lv|wc -l
0
$ curl -s -X POST -H "Content-Type: text/plain" -H "X-Vuls-OS-Family: ubuntu" -H "X-Vuls-OS-Release: 20.04" -H "X-Vuls-Kernel-Release: 5.4.0-105-generic" -H "X-Vuls-Server-Name: ubuntu" --data-binary "linux-image-generic,ii ,5.4.0.105.109,linux-meta,5.4.0.105.109" http://localhost:5515/vuls|jq . |tr -d ' '|grep cveID|sort|uniq|lv|wc -l
0
$ curl -s -X POST -H "Content-Type: text/plain" -H "X-Vuls-OS-Family: ubuntu" -H "X-Vuls-OS-Release: 20.04" -H "X-Vuls-Kernel-Release: 5.4.0-105-generic" -H "X-Vuls-Server-Name: ubuntu" --data-binary "linux-image-5.4.0-105-generic,ii ,5.4.0-105.119,linux-signed,5.4.0-105.119" http://localhost:5515/vuls|jq . |tr -d ' '|grep cveID|sort|uniq|lv|wc -l
62
$ curl -s -X POST -H "Content-Type: text/plain" -H "X-Vuls-OS-Family: ubuntu" -H "X-Vuls-OS-Release: 20.04" -H "X-Vuls-Kernel-Release: " -H "X-Vuls-Server-Name: ubuntu" --data-binary "linux-image-5.4.0-105-generic,ii ,5.4.0-105.119,linux-signed,5.4.0-105.119" http://localhost:5515/vuls|jq . |tr -d ' '|grep cveID|sort|uniq|lv|wc -l
0
$ curl -s -X POST -H "Content-Type: text/plain" -H "X-Vuls-OS-Family: ubuntu" -H "X-Vuls-OS-Release: 20.04" -H "X-Vuls-Kernel-Release: 5.4.0-96-generic" -H "X-Vuls-Server-Name: ubuntu" --data-binary "linux-image-5.4.0-96-generic,ii ,5.4.0-96.100,linux-signed,5.4.0-96.100" http://localhost:5515/vuls|jq . |tr -d ' '|grep cveID|sort|uniq|lv|wc -l
91
$ curl -s -X POST -H "Content-Type: text/plain" -H "X-Vuls-OS-Family: ubuntu" -H "X-Vuls-OS-Release: 20.04" -H "X-Vuls-Kernel-Release: 5.4.0-105-generic" -H "X-Vuls-Server-Name: ubuntu" --data-binary "linux-image-5.4.0-96-generic,ii ,5.4.0-96.100,linux-signed,5.4.0-96.100" http://localhost:5515/vuls|jq . |tr -d ' '|grep cveID|sort|uniq|lv|wc -l
0
Bonus: checking the response when dpkg results are sent in One Liner Scan Mode
Only the fields that were used as input are shown
Saving this as-is to a file gives the same result with the JSON-based One Liner Scan Mode
As confirmed earlier, runningKernel cannot be omitted, but in the several patterns I checked, SrcPackages could be omitted.
There may be a difference in cases where SrcPackages is used for detection
{
"serverName": "ubuntu",
"family": "ubuntu",
"release": "20.04",
"runningKernel": {
"release": "5.4.0-105-generic",
"version": "",
"rebootRequired": false
},
"packages": {
"linux-image-5.4.0-105-generic": {
"name": "linux-image-5.4.0-105-generic",
"version": "5.4.0-105.119",
"release": "",
"newVersion": "",
"newRelease": "",
"arch": "",
"repository": ""
}
},
"SrcPackages": {
"linux-signed": {
"name": "linux-signed",
"version": "5.4.0-105.119",
"arch": "",
"binaryNames": [
"linux-image-5.4.0-105-generic"
]
}
}
}
Here too the count matched the linux and linux-meta cases.
Supplying the kernel information and specifying the linux-image-{part of the version}-generic package is probably the appropriate approach.
Specifying the linux or linux-meta package without specifying the kernel would probably give the same numbers, but that does not seem like a legitimate method.
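As an added example (not code from the original page or from the Vuls project), here is a small Python script that builds the JSON-mode One Liner Scan payload in the shape shown above from dpkg-query output, keeping only linux-image-<running kernel> and its source package, and returning None in the mismatch case where the page observed zero detections. The dpkg sample lines are constructed from the output shown on this page, and `parse_dpkg` / `build_payload` are hypothetical helper names.

```python
# Constructed sample in the 5-field dpkg-query format used on this page
# (binary:Package,db:Status-Abbrev,Version,Source,source:Version).
SAMPLE_DPKG = """\
linux-base,ii ,4.5ubuntu3.7,,4.5ubuntu3.7
linux-generic,ii ,5.4.0.105.109,linux-meta,5.4.0.105.109
linux-headers-5.4.0-105-generic,ii ,5.4.0-105.119,linux,5.4.0-105.119
linux-image-5.4.0-105-generic,ii ,5.4.0-105.119,linux-signed,5.4.0-105.119
linux-image-generic,ii ,5.4.0.105.109,linux-meta,5.4.0.105.109
linux-modules-5.4.0-105-generic,ii ,5.4.0-105.119,linux,5.4.0-105.119
"""


def parse_dpkg(text):
    """Parse dpkg-query lines into dicts, keeping only installed ('ii') packages."""
    pkgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, status, version, source, src_version = line.split(",")
        if status.strip() == "ii":
            # An empty Source field means the binary package is its own source package.
            pkgs.append({"name": name, "version": version,
                         "source": source or name, "source_version": src_version or version})
    return pkgs


def build_payload(dpkg_text, kernel_release, server_name="ubuntu", family="ubuntu", release="20.04"):
    """Build the JSON One Liner Scan payload for the running kernel's linux-image package.

    Returns None when linux-image-<kernel_release> is not installed: that is the
    mismatch case in which the server returned no CVEs at all.
    """
    wanted = "linux-image-" + kernel_release
    pkg = next((p for p in parse_dpkg(dpkg_text) if p["name"] == wanted), None)
    if pkg is None:
        return None
    return {
        "serverName": server_name, "family": family, "release": release,
        "runningKernel": {"release": kernel_release, "version": "", "rebootRequired": False},
        "packages": {pkg["name"]: {
            "name": pkg["name"], "version": pkg["version"], "release": "",
            "newVersion": "", "newRelease": "", "arch": "", "repository": ""}},
        # SrcPackages was optional in the tests above; included here for completeness.
        "SrcPackages": {pkg["source"]: {
            "name": pkg["source"], "version": pkg["source_version"],
            "arch": "", "binaryNames": [pkg["name"]]}},
    }
```

Call `build_payload(SAMPLE_DPKG, "5.4.0-105-generic")` and dump the result with `json.dumps` to get a file equivalent to the JSON shown above.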