Checks a list of packages against the "active" (not yet patched) CVEs as listed in the Ubuntu CVE Tracker.
CVE information is fetched from the cve.circl.lu API.
The original project was posted here: https://github.com/davbo/active-cve-check. I am in the process of adding CLI options for automating the process of grabbing commands from a server via SSH, as well as making some minor improvements to the output for my usage.
- Automate the apt-list command with paramiko
- Make passphrase option secure with getPass()
- Set jumpbox private IP programmatically, maybe have to ask user for correct IP after giving options (if multiple network interfaces exist)
- Output data to a file
- Output CVE Severity, CVE number and useful URLs ordered by severity
- Auto download the CVE Tracker repo
Get the Ubuntu CVE Tracker repository (this will need to be updated periodically):
git clone https://git.launchpad.net/ubuntu-cve-tracker
or
git clone git://git.launchpad.net/ubuntu-cve-tracker
or
bzr branch lp:ubuntu-cve-tracker
As with any Python script, it's wise to use a virtual environment to avoid dependency conflicts. Make sure you use pip3.
$ python3 -m venv <name>
$ source <name>/bin/activate
$ pip3 install -r requirements.txt
If you prefer pipenv, just run:
$ pipenv install
Run the apt_list_installed command and pass it your SSH credentials to collect the package list automatically. You can either give the --server option for a single host, or the --hosts option to pass a file with a list of hosts to scan. The script reads whichever option you give and determines the private IP address of your jumpbox automatically, since paramiko requires it.
Usage: scan_packages.py apt_list_installed [OPTIONS]

  SSH into server for package listing

Options:
  --user TEXT
  --server TEXT                The IP or domain name of the server you want to
                               connect to, this can be the internal IP if
                               you're using a jumpbox. Should be left when
                               hosts is used.
  --jumpbox_public_addr TEXT   The public IP or domain name of your jumpbox.
  --jumpbox_private_addr TEXT  The private IP of your jumpbox (Optional - done
                               automatically by reading --server or --hosts).
  --ssh_key TEXT               Full path to your SSH key.
  --hosts FILENAME             The file containing a list of hosts to get
                               package lists from.
  --key_passphrase TEXT        Passphrase for your SSH key.
  --help                       Show this message and exit.
Or grab a list of installed packages from your Ubuntu host manually:
apt list --installed > installed_packages.txt
Scan the packages against the known active CVEs:
Usage: scan_packages.py scan [OPTIONS] PACKAGES_LISTING ACTIVE_CVE_DIRECTORY

  Scan your packages listing for CVE numbers

Options:
  --ubuntu-version TEXT
  --priority-threshold [low|medium|high|critical]
  --any-status
  --help                       Show this message and exit.
python3 scan_packages.py scan installed_packages_{IP_ADDRESS}.txt ../ubuntu-cve-tracker/active --ubuntu-version=xenial
CVE: CVE-2017-1000368
Package: sudo
CVSS: 7.2
CVSS 2.0 Severity: High Risk
Published: 2017-06-05T12:29:00.200000
Modified: 2017-06-05T12:29:00.217000
Summary: Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an input validation (embedded newlines) in the get_process_ttyname() function resulting in information disclosure and command execution.
References: http://www.securityfocus.com/bid/98838 https://www.sudo.ws/alerts/linux_tty.html
CVE: CVE-2017-13049
Package: tcpdump
CVSS: None
CVSS 2.0 Severity: Low Risk
Published: 2017-09-14T02:29:03.030000
Modified: 2017-09-14T02:29:03.030000
Summary: The Rx protocol parser in tcpdump before 4.9.2 has a buffer over-read in print-rx.c:ubik_print().
References: http://www.securitytracker.com/id/1039307 http://www.tcpdump.org/tcpdump-changes.txt https://github.com/the-tcpdump-group/tcpdump/commit/aa0858100096a3490edf93034a80e66a4d61aad5
...
Running the scan command will output a file for each severity, with CVE, severity, CVSS and comments separated by a tab. It will also output a file for each severity containing useful links for each CVE.
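As an added illustration of the matching the scan command performs (this is not code from this repository or from the original active-cve-check), the block below parses `apt list --installed` output, reads one entry in the layout of an ubuntu-cve-tracker active/ file, and reports packages whose status for the chosen release is still open and whose priority meets a threshold, mirroring --ubuntu-version, --priority-threshold and --any-status. The apt listing and the Priority/status lines of the UCT entry are constructed samples; the assumed UCT layout is the `<release>_<package>: <status>` lines following Candidate and Priority.

```python
import re
# Constructed sample of `apt list --installed` output (not captured from a real host).
APT_LIST = """\
sudo/xenial-updates,now 1.8.16-0ubuntu1.5 amd64 [installed]
tcpdump/xenial,now 4.9.2-0ubuntu0.16.04.1 amd64 [installed,automatic]
"""
# Constructed entry in ubuntu-cve-tracker active/ layout; only the CVE id is from the README.
UCT_ENTRY = """\
Candidate: CVE-2017-1000368
Priority: medium
Patches_sudo:
upstream_sudo: released (1.8.20p2)
xenial_sudo: needed
bionic_sudo: released (1.8.21p2-3ubuntu1)
"""
PRIORITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Statuses meaning the release is still exposed; released/not-affected/DNE/ignored are not.
OPEN_STATUSES = {"needed", "needs-triage", "pending", "deferred"}
def parse_apt_list(text):
    # Map package name -> installed version; "Listing..." and other noise lines do not match.
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^([^/\s]+)/\S+\s+(\S+)\s+\S+\s+\[[^\]]*installed[^\]]*\]", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs
def parse_uct_entry(text):
    # Extract CVE id, priority and (release, package) -> status from one UCT entry.
    entry = {"cve": None, "priority": "negligible", "status": {}}
    for line in text.splitlines():
        if line.startswith("Candidate:"):
            entry["cve"] = line.split(":", 1)[1].strip()
        elif line.startswith("Priority:"):
            entry["priority"] = line.split(":", 1)[1].split()[0]
        else:  # lowercase codename prefix, so "Patches_sudo:" is skipped; drop upstream_ too
            m = re.match(r"^([a-z][a-z0-9-]*)_(\S+):\s*(\S+)", line)
            if m and m.group(1) != "upstream":
                entry["status"][(m.group(1), m.group(2))] = m.group(3)
    return entry

def match_open_cves(pkgs, entries, release, threshold="low", any_status=False):
    """Return (cve, package, version, status, priority) for open CVEs at/above threshold."""
    hits = []
    for e in entries:
        if PRIORITY_RANK.get(e["priority"], 0) < PRIORITY_RANK[threshold]:
            continue
        for (rel, pkg), status in e["status"].items():
            if rel == release and pkg in pkgs and (any_status or status in OPEN_STATUSES):
                hits.append((e["cve"], pkg, pkgs[pkg], status, e["priority"]))
    return hits
```

Point the parsers at a real installed_packages file and each file under ../ubuntu-cve-tracker/active to reproduce the scan; the CVSS details shown in the sample output come from the separate cve.circl.lu lookup, which this block does not perform.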