Wednesday, April 13, 2011

CVEchecker: Tool to Report About Possible Vulnerabilities on Your System!

The goal of cvechecker is to report about possible vulnerabilities on your system, by scanning the installed software and matching the results with the CVE database. Indeed, this is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn’t able to detect the revision itself), yet it is still better than nothing, especially if you are running a distribution with little security coverage.

CVEchecker is very useful for for small organization system auditors. You can quickly scan and gather information and present it to the higher ops! Still, the tool remains useful. With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system. You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).

The tool however needs your help as well. The most work is to tell cvechecker how to detect which software is installed and what version.

The cvechecker tool requires the following packages to be installed-

libxslt – needed for the XSLT transformations (the online CVE database exists of XML files and we need to convert those to CSV so that we can easily import it into our own, local database)
libconfig – a C library that offers a simple way for applications to read and handle configuration files
sqlite3 – a local, embedded yet powerful database (for the time being, cvechecker only supports sqlite3, but in the future additional databases will be supported)
wget – a command-line tool to fetch online resources

download tools in : http://www.pentestit.com/

No comments: