PHP CPEs not matching with detection

I started investigating this because I would expect NVT OID 1.3.6.1.4.1.25623.1.0.147657 or 1.3.6.1.4.1.25623.1.0.147658 to be triggered on CPE cpe:/a:php:php:7.4.26.

I think that the issue is that there is a mismatch between CPEs and the PHP detection.
The PHP Detection NVT detects CPE as cpe:/a:php:php:7.4.26. On the latest feeds there is no CPE for cpe:/a:php:php:7.4.26 - there is however a cpe:/a:php:php:7.4.26:- CPE.

It seems like PHP CPEs from 7.4.25 and up only exist with :- appended. I suspect that the issue is that the NVTs are not able to make a match between detected CPEs without the leading :- and the ones with the leading :-.

Hi,

Not sure if I understand it correctly. AFAIU the detection reports it correctly with the cpe:/a:php:php:7.4.26, or is there already a mismatch? In case of a mismatch, could you provide the output of the detection report?

What I’m currently not sure about is where you get/see the cpe:/a:php:php:7.4.26:- from. Could you elaborate on this? As well, what kind of scan config are you using (e.g. “Full and Fast”, or anything else)?

Thanks,
Chris

Hi Chris,

Thank you for your swift answer. Yes, I think the detection report is reporting as it should.
But I suspect the issue is that it does find a match in the CPE list.

I have not been able to verify this, but I just noticed that while searching the CPE list with this filter: Applied filter: name~php:php:7\.4\.2 rows=100 sort=name first=1, there is no CPE listed for cpe:/a:php:php:7.4.26 - there is however one with :- appended.

I am, however, not sure this is the issue with the previously mentioned NVTs, but as far as I understand from them, they make a lookup in the CPE list.
I guess it would be solved by just adding the CPEs without the :- appended. There is however no forum for the feeds anymore, so that is why I tried reporting it in this forum.

Okay, the detection works as expected :slight_smile:

The CPE list you mentioned above is using the annotation as used by NIST. However, an actual scan (e.g. via Full and Fast) will always use the shortened/base CPE (in this case cpe:/a:php:php or cpe:/a:php:php:7.4.26).

Not sure if you have a possible false negative from the mentioned VTs above (147657 and 147658). Note that they report with different QoDs (Quality of Detection) depending on what OS was detected during the scan. E.g. on a Linux host you will have to lower the QoD to actually see the finding in a report.

Best regards,
Chris

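To illustrate the point Chris makes above about the NIST-annotated form (cpe:/a:php:php:7.4.26:-) versus the base CPE a scan reports (cpe:/a:php:php:7.4.26), here is an added example that normalises CPE 2.2 URIs before comparing them. It is not code from the thread or from Greenbone; the field names, the helper functions and the sample CPE list are assumptions constructed for the example.

```python
# Added example (not Greenbone's code): normalise CPE 2.2 URIs so that the
# NIST-annotated "cpe:/a:php:php:7.4.26:-" and the base "cpe:/a:php:php:7.4.26"
# reported by a scan compare equal, and look a detected CPE up in a list.

# CPE 2.2 URI components, in order (assumed field names).
CPE_FIELDS = ("part", "vendor", "product", "version", "update",
              "edition", "language")

def parse_cpe22(uri):
    """Split a cpe:/ URI into a dict of the fields that carry a value.

    In CPE 2.2 a "-" means "not applicable" (NIST appends ":-" as the update
    field) and "" means "any"; both are treated as unset so matching uses only
    the fields the scan actually reported.
    """
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    return {name: value for name, value in zip(CPE_FIELDS, parts)
            if value not in ("", "-")}

def normalize_cpe22(uri):
    """Rebuild the URI without trailing unset fields (drops a trailing ':-')."""
    fields = parse_cpe22(uri)
    values = [fields.get(name, "") for name in CPE_FIELDS]
    while values and values[-1] == "":
        values.pop()
    return "cpe:/" + ":".join(values)

def cpe_matches(detected, pattern):
    """True if every field set in `pattern` equals the detected value.

    A base CPE such as cpe:/a:php:php therefore matches any PHP version.
    """
    det = parse_cpe22(detected)
    return all(det.get(k) == v for k, v in parse_cpe22(pattern).items())

def find_list_entry(detected, cpe_list):
    """Return the list entry equal to `detected` once both are normalised."""
    wanted = normalize_cpe22(detected)
    for entry in cpe_list:
        if normalize_cpe22(entry) == wanted:
            return entry
    return None

# Constructed sample list in the NIST annotation described in the thread.
SAMPLE_CPE_LIST = ["cpe:/a:php:php:7.4.24",
                   "cpe:/a:php:php:7.4.25:-",
                   "cpe:/a:php:php:7.4.26:-"]

if __name__ == "__main__":
    print(find_list_entry("cpe:/a:php:php:7.4.26", SAMPLE_CPE_LIST))
```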

I see, thanks ckuerste. I have now noticed the 147657 VT is triggered with a QoD of 30.

Sorry for all the confusion about CPE matching :slight_smile:


Some additional background which could help to understand some of the previously mentioned points:
