The in_use field of overrides

When we review overrides and consider discarding old ones it would be very helpful to know if an override currently has matching results.

I note that at least in the interface exposed by python-gvm there is a field in_use, unfortunately it is invariably 0.

Is this field meant for something else or is it just not populated for some reason?

If it is just not populated, which part of Greenbone could I open an issue in?

As an example we have this result (as formatted by a locally developed program using python-gvm):

c8abf65a-2ef4-4e05-a8e8-70a0bdc966f2: 5.0/10 [192.0.2.17]:9000/tcp Embedthis GoAhead 2.5.0 HTTP Header Injection Vulnerability - Active Check (CVE-2019-16645)
nvt oid: 1.3.6.1.4.1.25623.1.0.114133
nvt name: Embedthis GoAhead 2.5.0 HTTP Header Injection Vulnerability - Active Check
nvt type: nvt
nvt family: Web Servers
nvt cvss base: 8.6
nvt tags: cvss_base_vector=CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
  summary=Embedthis GoAhead is prone to an HTTP header injection
    vulnerability.
  insight=For certain pages, Embedthis GoAhead creates links containing a
    hostname obtained from an arbitrary HTTP Host header sent by an attacker.
  affected=Embedthis GoAhead version 2.5.0 is known to be affected. Other
    versions might be affected as well.
  impact=An attacker can potentially use this vulnerability in a phishing
    attack.
  solution=No known solution was made available for at least one year
    since the disclosure of this vulnerability. Likely none will be provided anymore. General solution
    options are to upgrade to a newer release, disable respective features, remove the product or
    replace the product by another one.
  vuldetect=Send multiple crafted HTTP POST requests and checks the
    responses.
  solution_type=WillNotFix
nvt ref cve: CVE-2019-16645
nvt ref url: https://github.com/Ramikan/Vulnerabilities/blob/master/GoAhead%20Web%20server%20HTTP%20Header%20Injection
qod: 99 ()
owner: admin
permissions: 
override: Vulnerability on port with very limited access in firewall
  active: 1
  new severity: 5
user tags: 1
modification_time: 2025-08-18T12:11:51+02:00
comment: None
creation_time: 2025-08-18T12:11:51+02:00
host: 192.0.2.17
port: 9000/tcp
scan_nvt_version: 2024-09-25T07:06:11+02:00
severity: 5.0
description: It was possible to inject a host header and create a manipulated link via a HTTP POST-request to:
  
  URL:         http://lm.example.net:9000/
  Response(s): Location: http://openvasvt325172539/home.asp
                This document has moved to a new <a href="http://openvasvt325172539/home.asp">location</a>.
  
original_severity: 8.6

And this override (formatted the same way):

77eb9931-869a-4075-87e4-79cfb4c95bc2: Embedthis GoAhead 2.5.0 HTTP Header Injection Vulnerability - Active Check
nvt oid: 1.3.6.1.4.1.25623.1.0.114133
nvt name: Embedthis GoAhead 2.5.0 HTTP Header Injection Vulnerability - Active Check
nvt type: nvt
active: True
applies on
  hosts: 192.0.2.17
  port: 9000/tcp
  minimum severity: any
  task: any
  result: any
new severity: 5
text: Vulnerability on port with very limited access in firewall
orphan: 0
owner: admin
permissions: Everything
creation_time: 2024-02-20T14:31:45+01:00
modification_time: 2024-11-28T17:00:21+01:00
in_use: 0

(Identifiers changed to protect the guilty.)

Versions of installed components:

  • greenbone-feed-sync 25.1.0
  • gsa 26.0.0
  • gsad 24.5.4
  • gvm-libs 22.28.1
  • gvmd 26.3.0
  • openvas-scanner 23.25.0
  • openvas-smb 22.5.10
  • ospd-openvas 22.9.0
  • pg-gvm 22.6.11
  • python-gvm 26.6.0

Best regards

My quick assessment is that this feature is not yet implemented for overrides. If you search for the string in_use in gvmd’s manage.h file, you will see function declarations which return in_use status for various objects (targets, alerts, credentials, filter, schedule, etc.). However, there is no function indicating overrides (i.e. override_in_use()).

Thanks, that helps a lot!

I’ve tried adding an override_in_use to manage_sql now. I tried to figure out where the *_in_use functions are hooked but I can’t find anything.

Just adding the override_in_use function and header to gvmd does not produce the change I’d hoped for. Does anyone know where the in_use fields hook their respective functions?

Well, these are obviously implemented wherever they are needed. Try searching for _in_use and you will find many locations where they are implemented. Mostly in files with names like src/manage_*.c .

Furthermore, if you look at the src/gmp.c file you will see a struct for creating an override:

typedef struct
{
  char *active;       ///< Whether the override is active.
  char *copy;         ///< UUID of resource to copy.
  char *hosts;        ///< Hosts to which to limit override.
  char *new_threat;   ///< New threat value of overridden results.
  char *new_severity; ///< New severity score of overridden results.
  char *nvt_oid;      ///< NVT to which to limit override.
  char *port;         ///< Port to which to limit override.
  char *result_id;    ///< ID of result to which to limit override.
  char *severity;     ///< Severity score of results to override.
  char *task_id;      ///< ID of task to which to limit override.
  char *text;         ///< Text of override.
  char *threat;       ///< Threat to which to limit override.
} create_override_data_t;

From this you can glean which other objects should be used to determine if an override is active. For example if the following limiting resources do not exist anymore, then the override may be considered NOT in use.

  • hosts
  • nvt_oid
  • result_id
  • task_id

Furthermore the buffer_override_xml() function is likely the place where you want to implement this hook here. Otherwise, the status will not be returned in the XML response. Maybe it’s enough to add a buffer_xml_append_printf() section with a call to your function.

Take this assistance for what it is - a quick look at the problem. :slight_smile: This actually depends on your own analysis.
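
Added example, not part of any post in this thread and not gvmd or python-gvm code: a client-side check of the limiting fields listed above (hosts, nvt_oid, result_id, task_id, plus port) against fetched results, which answers "does this override currently match anything?" without changing gvmd. The dict keys, the comma-separated hosts format, the task id and the second override are assumptions constructed for illustration; the severity limit is not evaluated.

```python
# Added example: client-side "does this override match any result?" check.
# Dict keys mirror the formatted dumps in this thread; the layout is assumed.

def _limit_ok(limit, value):
    """An unset or 'any' limit matches every value."""
    return limit in (None, "", "any") or limit == value


def override_matches(override, result):
    """Return True if an active override applies to the given result."""
    if not override["active"] or override["nvt_oid"] != result["nvt_oid"]:
        return False
    hosts = override.get("hosts")
    if hosts not in (None, "", "any"):
        # Assumption: the hosts limit is a comma-separated list of addresses.
        if result["host"] not in [h.strip() for h in hosts.split(",")]:
            return False
    return (_limit_ok(override.get("port"), result["port"])
            and _limit_ok(override.get("task_id"), result["task_id"])
            and _limit_ok(override.get("result_id"), result["id"]))


def overrides_in_use(overrides, results):
    """Map each override id to the ids of the results it matches."""
    return {o["id"]: [r["id"] for r in results if override_matches(o, r)]
            for o in overrides}


OID = "1.3.6.1.4.1.25623.1.0.114133"
# Constructed sample records; task id and the second override are made up.
RESULTS = [{"id": "c8abf65a-2ef4-4e05-a8e8-70a0bdc966f2", "nvt_oid": OID,
            "host": "192.0.2.17", "port": "9000/tcp",
            "task_id": "task-placeholder"}]
OVERRIDES = [
    {"id": "77eb9931-869a-4075-87e4-79cfb4c95bc2", "active": True,
     "nvt_oid": OID, "hosts": "192.0.2.17", "port": "9000/tcp",
     "task_id": "any", "result_id": "any"},
    {"id": "stale-override-placeholder", "active": True, "nvt_oid": OID,
     "hosts": "192.0.2.99", "port": "9000/tcp",
     "task_id": "any", "result_id": "any"},
]

if __name__ == "__main__":
    for oid, hits in overrides_in_use(OVERRIDES, RESULTS).items():
        print(oid, "in use" if hits else "no matching results", hits)
```

Overrides that map to an empty list are the candidates for review; the records would be filled from whatever the local python-gvm program already extracts for its formatted output.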

Thanks again! That got me all the way but of course, filling in the in_use field of overrides makes them not deletable until modified to not apply to any results. That’s too big a surprise for the small gain this could provide for us.

Nothing prevents overrides in-use from being deleted. This limitation would make no sense.

I’d really like to agree with you but reality doesn’t permit that. :confused:

In the screenshot below I’ve created some test overrides, one of which matches a result, thereby making the trashcan for that override grey.

This is on a gvmd with this patch: Add override_in_use · qha/gvmd@48e2afd · GitHub
