Skip to content

Commit

Permalink
Merge branch 'kgrant_cve_2022_3602' into 'master'
Browse files Browse the repository at this point in the history 
Initial script for CVE-2022-3602

See merge request Insights/vulnerability-detection-scripts!42
  • Loading branch information
@kgrant-rh
kgrant-rh committed Oct 31, 2022
2 parents ba22a9e + 161935a commit 6c2b0d7
Show file tree
Hide file tree
Showing 7 changed files with 511 additions and 0 deletions.
254 changes: 254 additions & 0 deletions CVE-2022-3602_openssl/CVE-2022-3602.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,254 @@
#!/bin/bash

# Copyright (c) 2022 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

VERSION="1.0"

# Warning! Be sure to download the latest version of this script from its primary source:

BULLETIN="https://access.redhat.com/security/vulnerabilities/RHSB-2022-004"

# DO NOT blindly trust any internet sources and NEVER do `curl something | bash`!

# This script is meant for simple detection of the vulnerability. Feel free to modify it for your
# environment or needs. For more advanced detection, consider Red Hat Insights:
# https://access.redhat.com/products/red-hat-insights#getstarted

# Checking against the list of vulnerable packages is necessary because of the way how features
# are back-ported to older versions of packages in various channels.


VULNERABLE_VERSIONS=(
'openssl-3.0.0-0.beta2.7.el9'
'openssl-3.0.0-4.el9'
'openssl-3.0.0-5.el9'
'openssl-3.0.0-6.el9'
'openssl-3.0.1-5.el9'
'openssl-3.0.1-20.el9_0'
'openssl-3.0.1-23.el9_0'
'openssl-3.0.1-41.el9_0'
)

get_installed_packages() {
# Checks for installed packages. Compatible with RHEL5.
#
# Args:
# package_names - an array of package name strings
#
# Prints:
# Lines with N-V-R.A strings of the installed packages.

local package_names=( "$@" )

rpm -qa --queryformat="%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n" "${package_names[@]}"
}


check_package() {
# Checks if installed package is in list of vulnerable packages.
#
# Args:
# installed_packages - installed packages string as returned by 'rpm -qa package'
# (may be multiline)
# vulnerable_versions - an array of vulnerable versions
#
# Prints:
# First vulnerable package string as returned by 'rpm -qa package', or nothing

# Convert to array, use word splitting on purpose
# shellcheck disable=SC2206
local installed_packages=( $1 )
shift
local vulnerable_versions=( "$@" )

for tested_package in "${vulnerable_versions[@]}"; do
for installed_package in "${installed_packages[@]}"; do
installed_package_without_arch="${installed_package%.*}"
if [[ "$installed_package_without_arch" == "$tested_package" ]]; then
echo "$installed_package"
return 0
fi
done
done
}


basic_args() {
# Parses basic commandline arguments and sets basic environment.
#
# Args:
# parameters - an array of commandline arguments
#
# Side effects:
# Exits if --help parameters is used
# Sets COLOR constants and debug variable

local parameters=( "$@" )

RED="\\033[1;31m"
GREEN="\\033[1;32m"
BOLD="\\033[1m"
RESET="\\033[0m"
for parameter in "${parameters[@]}"; do
if [[ "$parameter" == "-h" || "$parameter" == "--help" ]]; then
echo "Usage: $( basename "$0" ) [-n | --no-colors] [-d | --debug]"
exit 1
elif [[ "$parameter" == "-n" || "$parameter" == "--no-colors" ]]; then
RED=""
GREEN=""
BOLD=""
RESET=""
elif [[ "$parameter" == "-d" || "$parameter" == "--debug" ]]; then
debug=true
fi
done
}


basic_reqs() {
# Prints common disclaimer and checks basic requirements.
#
# Args:
# CVE - string printed in the disclaimer
#
# Side effects:
# Exits when 'rpm' command is not available

local CVE="$1"

# Disclaimer
echo
echo -e "${BOLD}This script (v$VERSION) is primarily designed to detect $CVE on supported"
echo -e "Red Hat Enterprise Linux systems and kernel packages."
echo -e "Result may be inaccurate for other RPM based systems."
echo -e "Result may be inaccurate for affected RPM packages not compiled by Red Hat.${RESET}"
echo

# RPM is required
if ! command -v rpm &> /dev/null; then
echo "'rpm' command is required, but not installed. Exiting."
exit 1
fi
}


check_supported_kernel() {
# Checks if running kernel is supported.
#
# Args:
# running_kernel - kernel string as returned by 'uname -r'
#
# Side effects:
# Exits when running kernel is obviously not supported

local running_kernel="$1"

# Check supported platform
if [[ "$running_kernel" != *".el"[6-9]* ]]; then
echo -e "${RED}This script is meant to be used only on RHEL 6, 7, 8, and 9.${RESET}"
echo
echo -e "Follow $BULLETIN for advice."
exit 1
fi
}


get_rhel() {
# Gets RHEL number.
#
# Args:
# running_kernel - kernel string as returned by 'uname -r'
#
# Prints:
# RHEL number, e.g. '5', '6', '7', '8', or '9'

local running_kernel="$1"

local rhel
rhel=$( sed -r -n 's/^.*el([[:digit:]]).*$/\1/p' <<< "$running_kernel" )
echo "$rhel"
}


set_default_values() {
result=0
}


parse_facts() {
# Gathers all available information and stores it in global variables. Only store facts and
# do not draw conclusion in this function for better maintainability.
#
# Side effects:
# Sets many global boolean flags and content variables

result_installed_packages=$( get_installed_packages "openssl" )
}

draw_conclusions() {
# Draws conclusions based on available system data.
#
# Side effects:
# Sets many global boolean flags and content variables

vulnerable_package=$( check_package "$result_installed_packages" "${VULNERABLE_VERSIONS[@]}" )

if [[ "$vulnerable_package" ]]; then
result=1
fi
}


debug_print() {
# Prints selected variables when debugging is enabled.

variables=( running_kernel rhel result_installed_packages vulnerable_package result )
for variable in "${variables[@]}"; do
echo "$variable = *${!variable}*"
done
echo
}


if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
basic_args "$@"
basic_reqs "CVE-2022-3602"
running_kernel=$( uname -r )
check_supported_kernel "$running_kernel"

rhel=$( get_rhel "$running_kernel" )
if (( rhel == 5 )); then
export PATH="/sbin:/usr/sbin:$PATH"
fi

set_default_values
parse_facts
draw_conclusions

# Debug prints
if [[ "$debug" ]]; then
debug_print
fi

# Results
# (This should never happen -- glibc, bash, etc. require openssl)
if [[ ! "$result_installed_packages" ]]; then
echo -e "${GREEN}'openssl' is not installed${RESET}."
exit 0
fi

echo -e "Detected the following packages: $result_installed_packages"
if ((result)); then
echo -e "${RED}The installed openssl version is vulnerable.${RESET}"
echo -e "Follow $BULLETIN for advice."
else
echo -e "${GREEN}The installed openssl version is not vulnerable.${RESET}"
fi

exit "$result"
fi
3 changes: 3 additions & 0 deletions CVE-2022-3602_openssl/test_harness
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
#!/bin/bash

. CVE-2022-3602.sh
65 changes: 65 additions & 0 deletions CVE-2022-3602_openssl/tests_basic_args.bats
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
#!/usr/bin/env bats

. test_harness


@test "basic_args -- Help" {
run basic_args -h
[[ "$output" == *"Usage"* ]]
(( status == 1 ))
}


@test "basic_args -- Debug #1" {
basic_args -d; run basic_args -d
(( status == 0 ))
[[ "$debug" ]]
[[ "$RED" == "\033[1;31m" ]]
[[ "$GREEN" == "\033[1;32m" ]]
[[ "$BOLD" == "\033[1m" ]]
[[ "$RESET" == "\033[0m" ]]
}


@test "basic_args -- Debug #2" {
basic_args --debug; run basic_args --debug
(( status == 0 ))
[[ "$debug" ]]
[[ "$RED" == "\033[1;31m" ]]
[[ "$GREEN" == "\033[1;32m" ]]
[[ "$BOLD" == "\033[1m" ]]
[[ "$RESET" == "\033[0m" ]]
}


@test "basic_args -- No colors #1" {
basic_args -n; run basic_args -n
(( status == 0 ))
[[ ! "$debug" ]]
[[ ! "$RED" ]]
[[ ! "$GREEN" ]]
[[ ! "$BOLD" ]]
[[ ! "$RESET" ]]
}


@test "basic_args -- No colors #2" {
basic_args --no-colors; run basic_args --no-colors
(( status == 0 ))
[[ ! "$debug" ]]
[[ ! "$RED" ]]
[[ ! "$GREEN" ]]
[[ ! "$BOLD" ]]
[[ ! "$RESET" ]]
}


@test "basic_args -- Regular" {
basic_args; run basic_args
(( status == 0 ))
[[ ! "$debug" ]]
[[ "$RED" == "\033[1;31m" ]]
[[ "$GREEN" == "\033[1;32m" ]]
[[ "$BOLD" == "\033[1m" ]]
[[ "$RESET" == "\033[0m" ]]
}
21 changes: 21 additions & 0 deletions CVE-2022-3602_openssl/tests_basic_reqs.bats
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
#!/usr/bin/env bats

. test_harness


@test "basic_reqs -- Disclaimer" {
run basic_reqs TEST
[[ "$output" == *"is primarily designed to detect TEST on supported"* ]]
}


@test "basic_reqs -- RPM not available" {
command() {
return 1
}

run basic_reqs
(( status == 1 ))
[[ "$output" == *"'rpm' command is required"* ]]
}

40 changes: 40 additions & 0 deletions CVE-2022-3602_openssl/tests_check_supported_kernel.bats
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
#!/usr/bin/env bats

. test_harness


@test "check_supported_kernel -- RHEL5" {
run check_supported_kernel "2.6.18-8.1.1.el5.x86_64"
(( status == 1 ))
}


@test "check_supported_kernel -- RHEL6" {
run check_supported_kernel "2.6.32-131.30.2.el6.x86_64"
(( status == 0 ))
}


@test "check_supported_kernel -- RHEL7" {
run check_supported_kernel "3.10.0-229.28.1.el7.x86_64"
(( status == 0 ))
}


@test "check_supported_kernel -- RHEL8" {
run check_supported_kernel "4.18.0-240.el8.x86_64"
(( status == 0 ))
}


@test "check_supported_kernel -- RHEL9" {
run check_supported_kernel "5.14.0-70.13.1.el9_0.x86_64"
(( status == 0 ))
}


@test "check_supported_kernel -- Fedora 25" {
run check_supported_kernel "4.9.12-200.fc25.x86_64"
(( status == 1 ))
}

Loading

0 comments on commit 6c2b0d7

Please sign in to comment.