-
Notifications
You must be signed in to change notification settings - Fork 160
CLI Usage
Elías Grande edited this page Aug 2, 2018
·
37 revisions
Dagda has a single CLI that allows to perform several sub-commands. Each sub-command has a single target, such as perform the static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers, perform monitoring over docker daemon and running containers for detecting anomalous activities, retrieve the analysis history of a concrete docker image/container or perform queries over the CVEs, BIDs, RHBAs, RHSAs & Exploits database which Dagda needs for working. Below, the dagda.py usage message is shown:
usage: dagda.py [--version] [--help] <command> [args]
Dagda Commands:
agent run a remote agent for performing the analysis of known
vulnerabilities, trojans, viruses, malware & other
malicious threats in docker images/containers
check perform the analysis of known vulnerabilities, trojans,
viruses, malware & other malicious threats in docker
images/containers
docker list all docker images/containers and all docker daemon
events
history retrieve the analysis history for the docker images
monitor perform the monitoring of anomalous activities in
running docker containers
start start the Dagda server
vuln perform operations over your personal CVE, BID &
ExploitDB database
Optional Arguments:
-h, --help show this help message and exit
-v, --version show the version message and exitFirst, you must start the Dagda server, and then, before the Dagda CLI usage, you must set the next environment variables as you need:
export DAGDA_HOST='127.0.0.1'
export DAGDA_PORT=5000In the next subsections, the dagda sub-commands will be described in depth.
Thanks to this sub-command, Dagda can perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in a remote way, such as the check sub-command does in local way. Below, the dagda.py agent usage message is shown:
usage: dagda.py agent [-h] DAGDA_HOST:DAGDA_PORT [-i DOCKER_IMAGE]
[-c CONTAINER_ID]
Your remote agent for analyzing docker images/containers.
Positional Arguments:
DAGDA_HOST:DAGDA_PORT
hostname and port where the Dagda server is listening. Only
"<DAGDA_HOST>:<DAGDA_PORT>" is accepted
Optional Arguments:
-h, --help show this help message and exit
-i DOCKER_IMAGE, --docker_image DOCKER_IMAGE
the input docker image name
-c CONTAINER_ID, --container_id CONTAINER_ID
the input docker container idOne of the main Dagda targets is perform the static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers. That is way, Dagda supports both, docker images which can be in the local machine o in a remote docker registries and docker running containers. Below, the dagda.py check usage message is shown:
usage: dagda.py check [-h] [-i DOCKER_IMAGE] [-c CONTAINER_ID]
Your personal docker security analyzer.
Optional Arguments:
-h, --help show this help message and exit
-i DOCKER_IMAGE, --docker_image DOCKER_IMAGE
the input docker image name
-c CONTAINER_ID, --container_id CONTAINER_ID
the input docker container idFor example, if you want perform an static analysis over a docker image/container, you must type:
python3 dagda.py check -i jboss/wildflyThe expected output looks like as shown below:
{
"id": "58667994ed253915723c50e7",
"msg": "Accepted the analysis of <jboss/wildfly>"
}The analysis can take several minutes for finishing, so be patient. If you want review the analysis report, see the history command.
Dagda has a simple docker sub-command for listing all docker images/containers and getting all docker daemon events. Below, the dagda.py docker usage message is shown:
usage: dagda.py docker [-h] <command> [--event_action ACTION]
[--event_from FROM] [--event_type TYPE]
Your personal docker API.
Dagda Commands:
containers list all running docker containers
events list all docker daemon events
images list all docker images
Optional Arguments:
-h, --help show this help message and exit
--event_from FROM Filter for docker daemon events
--event_type TYPE Filter for docker daemon events
--event_action ACTION
Filter for docker daemon eventsIf you want review the expected output for each command, see the docker service REST API.
When you use Dagda for performing static analysis in docker images/containers in a CI environment or for monitoring running containers to detect anomalous activity, maybe you want to compare the reports performed in different times of a concrete docker image. That is way, the docker analysis history is supported by Dagda. Below, the dagda.py history usage message is shown:
usage: dagda.py history [-h] [IMAGE_NAME] [--fp PRODUCT_NAME[:PRODUCT_VERSION]]
[--is_fp PRODUCT_NAME[:PRODUCT_VERSION]] [--id REPORT_ID]
Your personal docker security analyzer history.
Positional Arguments:
IMAGE_NAME the full analysis history for the requested docker image name
will be shown ordered by descending date. If the image name is
not present, a full analysis history resume will be shown
Optional Arguments:
-h, --help show this help message and exit
--id REPORT_ID the report with this id will be shown
--fp PRODUCT_NAME[:PRODUCT_VERSION]
tags the product vulnerability as false positive. Both,
"<PRODUCT_NAME>" and "<PRODUCT_NAME>:<PRODUCT_VERSION>" are
accepted
--is_fp PRODUCT_NAME[:PRODUCT_VERSION]
checks if the product vulnerability is a false positive. Both,
"<PRODUCT_NAME>" and "<PRODUCT_NAME>:<PRODUCT_VERSION>" are
accepted For example, if you want review the full history of a concrete docker analysis, included all static analysis and all runtime monitoring, you must type:
python3 dagda.py history <DOCKER_IMAGE_NAME_HERE>On the other hand, if you have the 58667994ed253915723c50e7 analysis id for the jboss/wildfly docker image name, when you type python3 dagda.py history jboss/wildfly --id 58667994ed253915723c50e7, the expected output looks like as shown below.
{
"id": "58667994ed253915723c50e7",
"image_name": "jboss/wildfly",
"status": "Completed",
"timestamp": "2016-12-14 13:17:12.802486",
"static_analysis": {
"malware_binaries": [
{
"file": "/tmp/test/removal-tool.exe",
"malware": "Worm.Sober"
},
{
"file": "/tmp/test/error.hta",
"malware": "VBS.Inor.D"
}
],
"os_packages": {
"total_os_packages": 182,
"vuln_os_packages": 41,
"ok_os_packages": 141,
"os_packages_details": [
{
"product": "sed",
"version": "4.2.2",
"is_vulnerable": false,
"is_false_positive": false,
"vulnerabilities": []
},
{
"product": "grep",
"version": "2.20",
"is_vulnerable": true,
"is_false_positive": false,
"vulnerabilities": [
{
"CVE-2015-1345": {
"cveid": "CVE-2015-1345",
"cvss_access_complexity": "Low",
"cvss_access_vector": "Local access",
"cvss_authentication": "None required",
"cvss_availability_impact": "Partial",
"cvss_base": 2.1,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 3.9,
"cvss_impact": 2.9,
"cvss_integrity_impact": "None",
"cvss_vector": [
"AV:L",
"AC:L",
"Au:N",
"C:N",
"I:N",
"A:P"
],
"cweid": "CWE-119",
"mod_date": "23-12-2016",
"pub_date": "12-02-2015",
"summary": "The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option."
}
}
]
},
{
"product": "lua",
"version": "5.1.4",
"is_vulnerable": true,
"is_false_positive": false,
"vulnerabilities": [
{
"CVE-2014-5461": {
"cveid": "CVE-2014-5461",
"cvss_access_complexity": "Low",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "Partial",
"cvss_base": 5.0,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 10.0,
"cvss_impact": 2.9,
"cvss_integrity_impact": "None",
"cvss_vector": [
"AV:N",
"AC:L",
"Au:N",
"C:N",
"I:N",
"A:P"
],
"cweid": "CWE-119",
"mod_date": "06-01-2017",
"pub_date": "04-09-2014",
"summary": "Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments."
}
},
{
"BID-34237": {
"bugtraq_id": 34237,
"class": "Unknown",
"cve": [],
"local": "no",
"remote": "yes",
"title": "Lua Unspecified Bytecode Verifier Security Vulnerability"
}
}
]
},
[...]
, {
"product": "sqlite",
"version": "3.7.17",
"is_vulnerable": false,
"is_false_positive": false,
"vulnerabilities": []
}
]
},
"prog_lang_dependencies": {
"vuln_dependencies": 9,
"dependencies_details": {
"java": [
{
"product": "xalan-java",
"version": "2.5.2",
"product_file_path": "/opt/jboss/java/xalan.2.5.2.jar",
"is_vulnerable": true,
"is_false_positive": false,
"vulnerabilities": [
{
"CVE-2014-0107": {
"cveid": "CVE-2014-0107",
"cvss_access_complexity": "Low",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "Partial",
"cvss_base": 7.5,
"cvss_confidentiality_impact": "Partial",
"cvss_exploit": 10.0,
"cvss_impact": 6.4,
"cvss_integrity_impact": "Partial",
"cvss_vector": [
"AV:N",
"AC:L",
"Au:N",
"C:P",
"I:P",
"A:P"
],
"cweid": "CWE-264",
"mod_date": "06-01-2017",
"pub_date": "15-04-2014",
"summary": "The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function."
}
},
{
"BID-66397": {
"bugtraq_id": 66397,
"class": "Input Validation Error",
"cve": [
"CVE-2014-0107"
],
"local": "no",
"remote": "yes",
"title": "Apache Xalan-Java Library CVE-2014-0107 Security Bypass Vulnerability"
}
}
]
},
{
"product": "jboss_wildfly_application_server",
"version": "-",
"product_file_path": "/opt/jboss/java/jboss_wildfly_application_server.jar",
"is_vulnerable": true,
"is_false_positive": false,
"vulnerabilities": [
{
"CVE-2014-0018": {
"cveid": "CVE-2014-0018",
"cvss_access_complexity": "Medium",
"cvss_access_vector": "Local access",
"cvss_authentication": "None required",
"cvss_availability_impact": "None",
"cvss_base": 1.9,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 3.4,
"cvss_impact": 2.9,
"cvss_integrity_impact": "Partial",
"cvss_vector": [
"AV:L",
"AC:M",
"Au:N",
"C:N",
"I:P",
"A:N"
],
"cweid": "CWE-264",
"mod_date": "06-01-2017",
"pub_date": "14-02-2014",
"summary": "Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container (MSC) service registry, which allows local users to modify the server via a crafted deployment."
}
}
]
},
[...]
, {
"product": "jboss_weld",
"version": "3.0.0",
"product_file_path": "/opt/jboss/java/jboss_weld.3.0.0.jar",
"is_vulnerable": true,
"is_false_positive": false,
"vulnerabilities": [
{
"CVE-2014-8122": {
"cveid": "CVE-2014-8122",
"cvss_access_complexity": "Medium",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "None",
"cvss_base": 4.3,
"cvss_confidentiality_impact": "Partial",
"cvss_exploit": 8.6,
"cvss_impact": 2.9,
"cvss_integrity_impact": "None",
"cvss_vector": [
"AV:N",
"AC:M",
"Au:N",
"C:P",
"I:N",
"A:N"
],
"cweid": "CWE-362",
"mod_date": "13-05-2015",
"pub_date": "13-02-2015",
"summary": "Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state."
}
}
]
}
],
"js": [],
"nodejs": [],
"php": [],
"python": [
{
"product": "lxml",
"version": "1.0.1",
"product_file_path": "/opt/jboss/python/lxml.1.0.1.py",
"is_vulnerable": true,
"is_false_positive": false,
"vulnerabilities": [
{
"CVE-2014-3146": {
"cveid": "CVE-2014-3146",
"cvss_access_complexity": "Medium",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "None",
"cvss_base": 4.3,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 8.6,
"cvss_impact": 2.9,
"cvss_integrity_impact": "Partial",
"cvss_vector": [
"AV:N",
"AC:M",
"Au:N",
"C:N",
"I:P",
"A:N"
],
"cweid": "CWE-0",
"mod_date": "14-04-2015",
"pub_date": "14-05-2014",
"summary": "Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme to the clean_html function."
}
}
]
}
],
"ruby": []
}
}
}
}Finally, if you want retrieve a resume of the full history including static and runtime analysis, you must type python3 dagda.py history (without any arguments). The expected output looks like as shown below:
[{
"anomalies": 0,
"image_name": "jboss/wildfly",
"libs_vulns": 9,
"malware_bins": 2,
"os_vulns": 42,
"reportid": "58790707ed253944951ec5ba",
"start_date": "2017-01-13 17:01:09.072675",
"status": "Completed"
}, {
"anomalies": 0,
"image_name": "mongo",
"libs_vulns": 0,
"malware_bins": 0,
"os_vulns": 0,
"reportid": "58790611ed25393b1b299558",
"start_date": "2017-01-13 16:53:37.001113",
"status": "Analyzing"
}, {
"anomalies": 2,
"image_name": "jboss/wildfly",
"libs_vulns": 0,
"malware_bins": 0,
"os_vulns": 0,
"reportid": "586f7a48ed25397777c67dea",
"start_date": "2017-01-06 11:06:48.541235",
"status": "Monitoring"
}]See the History REST API documentation for knowing more funcionalities about this sub-command.
Another of the main Dagda targets is perform the monitoring of running docker containers for detecting anomalous activities. Below, the dagda.py monitor usage message is shown:
usage: dagda.py monitor [-h] CONTAINER_ID [--start] [--stop]
Your personal docker security monitor.
Positional Arguments:
CONTAINER_ID the input docker container id
Optional Arguments:
-h, --help show this help message and exit
--start start the monitoring over the container with
the input id
--stop stop the monitoring over the container with the
input id For example, if you want perform the monitoring over a running docker container, you must type:
python3 dagda.py monitor 69dbf26ab368 --startThe expected output looks like as shown below:
{
"id": "586f7631ed25396a829baaf4",
"image_name": "jboss/wildfly",
"msg": "Monitoring of docker container with id <69dbf26ab368> started"
}You can stop the monitoring when you want if you type:
python3 dagda.py monitor 69dbf26ab368 --stopThe expected output when you stop the monitoring over a running container looks like as shown below:
{
"id": "586f7631ed25396a829baaf4",
"image_name": "jboss/wildfly",
"timestamp": "2017-01-06 10:49:21.212508",
"status": "Completed",
"runtime_analysis": {
"container_id": "69dbf26ab368",
"start_timestamp": "2017-01-06 10:49:21.212508",
"stop_timestamp": "2017-01-06 10:50:16.343847",
"anomalous_activities_detected": {
"anomalous_counts_by_severity": {
"Warning": 2
},
"anomalous_activities_details": [{
"output": "10:49:47.492517329: Warning Unexpected setuid call by non-sudo, non-root program (user=<NA> command=ping 8.8.8.8 uid=<NA>) container=thirsty_spence (id=69dbf26ab368)",
"priority": "Warning",
"rule": "Non sudo setuid",
"time": "2017-01-06 10:49:47.492516"
}, {
"output": "10:49:53.181654702: Warning Unexpected setuid call by non-sudo, non-root program (user=<NA> command=ping 8.8.4.4 uid=<NA>) container=thirsty_spence (id=69dbf26ab368)",
"priority": "Warning",
"rule": "Non sudo setuid",
"time": "2017-01-06 10:49:53.181653"
}]
}
}
}If you want review all your reports, see the history command.
Dagda can run in a standalone server mode and allows its use by REST API. Below, the dagda.py start usage message is shown:
usage: dagda.py start [-h] [-d] [--server_host SERVER_HOST] [--server_port SERVER_PORT]
[--mongodb_host MONGODB_HOST] [--mongodb_port MONGODB_PORT]
[--mongodb_ssl]
[--mongodb_user MONGODB_USER] [--mongodb_pass MONGODB_PASS]
[--falco_rules_file RULES_FILE] [--external_falco OUTPUT_FILE]
The Dagda server.
Optional Arguments:
-h, --help show this help message and exit
-d, --debug enable debug logging
-s SERVER_HOST, --server_host SERVER_HOST
address/interface where the server binds itself. By
default, Dagda server binds to '127.0.0.1'
-p SERVER_PORT, --server_port SERVER_PORT
port where the server binds itself. By default, the
Dagda server port is 5000
-m MONGODB_HOST, --mongodb_host MONGODB_HOST
address/interface where the MongoDB is listening. By
default, MongoDB server is set to '127.0.0.1'
-mp MONGODB_PORT, --mongodb_port MONGODB_PORT
port where the MongoDB is listening. By default, the
MongoDB port is set to 27017
--mongodb_ssl creates the connection to the MongoDB server using
SSL/TLS. By default, SSL/TLS connection is disabled
--mongodb_user username for basic authentication with MongoDB. By
default, authentication is disabled
--mongodb_pass password for basic authentication with MongoDB. By
default, authentication is disabled
--falco_rules_file RULES_FILE
sysdig/falco custom rules file (See 'Falco Rules' wiki
page [https://github.com/draios/falco/wiki/Falco-Rules]
for details)
-ef OUTPUT_FILE, --external_falco OUTPUT_FILE
Dagda doesn't start its own sysdig/falco and it will
read the external sysdig/falco output file passed by
parameter. The external sysdig/falco must be started
with the next parameters (See Falco wiki for details
[https://github.com/draios/falco/wiki]):
-pc
-o json_output=true
-o file_output.enabled=trueIf you want know the Dagda REST API, see the REST API wiki page.
Dagda needs its own CVEs, BIDs, RHBAs, RHSAs & Exploits database for performing queries over it during the docker images/containers analysis and, in this way, be able to generate the report for each analysis. That is way, the dagda.py vuln --init command must be executed the first for populating the database.
On the other hand, you can perform queries over the database in the same way that Dagda. Below, the dagda.py vuln usage message is shown:
usage: dagda.py vuln [-h] [--init] [--init_status]
[--bid BID] [--bid_info BID] [--cve CVE] [--cve_info CVE]
[--exploit_db EXPLOIT_DB] [--exploit_db_info EXPLOIT_DB]
[--rhba RHBA] [--rhba_info RHBA] [--rhsa RHSA] [--rhsa_info RHSA]
[--product PRODUCT] [--product_version PRODUCT_VERSION]
Your personal CVE, BID, RHBA, RHSA & ExploitDB database.
Optional Arguments:
-h, --help show this help message and exit
--init initializes your local database with all CVEs provided
by NIST publications, all BugTraqs Ids (BIDs)
downloaded from the "http://www.securityfocus.com/"
pages (See my "bidDB_downloader" project for details
[https://github.com/eliasgranderubio/bidDB_downloader]
for details), all RHSAs (Red Hat Security Advisories)
and RHBAs (Red Hat Bug Advisories) provided by Red Hat
publications, and all exploits from Offensive Security
Exploit Database. If this argument is present, all
CVEs, BIDs, RHBAs, RHSAs and exploits of your local
database will be updated.
--init_status retrieves the initialization status
--bid BID all product with this BugTraq Id (BID) vulnerability
will be shown
--bid_info BID shows all details about this BugTraq Id (BID)
--cve CVE all products with this CVE vulnerability will be shown
--cve_info CVE shows all details about this CVE vulnerability
--exploit_db EXPLOIT_DB
all products with this Exploit_DB Id vulnerability
will be shown
--exploit_db_info EXPLOIT_DB
shows all details about this exploit
--rhba RHBA all products with this RHBA vulnerability will be shown
--rhba_info RHBA shows all details about this RHBA vulnerability
--rhsa RHSA all products with this RHSA vulnerability will be shown
--rhsa_info RHSA shows all details about this RHSA vulnerability
--product PRODUCT all CVE/BID/RHBA/RHSA vulnerabilities and exploits of this
product will be shown
--product_version PRODUCT_VERSION
extra filter for product query about CVE/BID/RHBA/RHSA
vulnerabilities and exploits. If this argument is
present, the "--product" argument must be present tooAs you can see in the previous usage message, you can perform queries by CVE, BID, RHBA, RHSA or Exploit_DB, or by product and product version (Keep in mind that --product_version is a optional argument when you query by --product). A usage example would be the next one:
python3 dagda.py vuln --product openldap --product_version 2.2.20The expected output for the previous query is shown below:
[
{
"CVE-2005-4442": {
"cveid": "CVE-2005-4442",
"cvss_access_complexity": "Low",
"cvss_access_vector": "Local access",
"cvss_authentication": "None required",
"cvss_availability_impact": "Complete",
"cvss_base": 7.2,
"cvss_confidentiality_impact": "Complete",
"cvss_exploit": 3.9,
"cvss_impact": 10.0,
"cvss_integrity_impact": "Complete",
"cvss_vector": [
"AV:L",
"AC:L",
"Au:N",
"C:C",
"I:C",
"A:C"
],
"cweid": "CWE-0",
"mod_date": "05-09-2008",
"pub_date": "20-12-2005",
"summary": "Untrusted search path vulnerability in OpenLDAP before 2.2.28-r3 on Gentoo Linux allows local users in the portage group to gain privileges via a malicious shared object in the Portage temporary build directory, which is part of the RUNPATH."
}
},
{
"CVE-2006-2754": {
"cveid": "CVE-2006-2754",
"cvss_access_complexity": "Low",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "None",
"cvss_base": 5.0,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 10.0,
"cvss_impact": 2.9,
"cvss_integrity_impact": "Partial",
"cvss_vector": [
"AV:N",
"AC:L",
"Au:N",
"C:N",
"I:P",
"A:N"
],
"cweid": "CWE-0",
"mod_date": "07-03-2011",
"pub_date": "01-06-2006",
"summary": "Stack-based buffer overflow in st.c in slurpd for OpenLDAP before 2.3.22 might allow attackers to execute arbitrary code via a long hostname."
}
},
{
"CVE-2006-5779": {
"cveid": "CVE-2006-5779",
"cvss_access_complexity": "Low",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "Partial",
"cvss_base": 5.0,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 10.0,
"cvss_impact": 2.9,
"cvss_integrity_impact": "None",
"cvss_vector": [
"AV:N",
"AC:L",
"Au:N",
"C:N",
"I:N",
"A:P"
],
"cweid": "CWE-399",
"mod_date": "26-08-2011",
"pub_date": "07-11-2006",
"summary": "OpenLDAP before 2.3.29 allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure."
}
},
{
"CVE-2006-6493": {
"cveid": "CVE-2006-6493",
"cvss_access_complexity": "High",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "Partial",
"cvss_base": 5.1,
"cvss_confidentiality_impact": "Partial",
"cvss_exploit": 4.9,
"cvss_impact": 6.4,
"cvss_integrity_impact": "Partial",
"cvss_vector": [
"AV:N",
"AC:H",
"Au:N",
"C:P",
"I:P",
"A:P"
],
"cweid": "CWE-0",
"mod_date": "07-03-2011",
"pub_date": "12-12-2006",
"summary": "Buffer overflow in the krbv4_ldap_auth function in servers/slapd/kerberos.c in OpenLDAP 2.4.3 and earlier, when OpenLDAP is compiled with the --enable-kbind (Kerberos KBIND) option, allows remote attackers to execute arbitrary code via an LDAP bind request using the LDAP_AUTH_KRBV41 authentication method and long credential data."
}
},
{
"CVE-2007-5707": {
"cveid": "CVE-2007-5707",
"cvss_access_complexity": "Medium",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "Complete",
"cvss_base": 7.1,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 8.6,
"cvss_impact": 6.9,
"cvss_integrity_impact": "None",
"cvss_vector": [
"AV:N",
"AC:M",
"Au:N",
"C:N",
"I:N",
"A:C"
],
"cweid": "CWE-399",
"mod_date": "07-03-2011",
"pub_date": "30-10-2007",
"summary": "OpenLDAP before 2.3.39 allows remote attackers to cause a denial of service (slapd crash) via an LDAP request with a malformed objectClasses attribute. NOTE: this has been reported as a double free, but the reports are inconsistent."
}
},
{
"CVE-2007-5708": {
"cveid": "CVE-2007-5708",
"cvss_access_complexity": "Medium",
"cvss_access_vector": "Network",
"cvss_authentication": "None required",
"cvss_availability_impact": "Complete",
"cvss_base": 7.1,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 8.6,
"cvss_impact": 6.9,
"cvss_integrity_impact": "None",
"cvss_vector": [
"AV:N",
"AC:M",
"Au:N",
"C:N",
"I:N",
"A:C"
],
"cweid": "CWE-399",
"mod_date": "07-03-2011",
"pub_date": "30-10-2007",
"summary": "slapo-pcache (overlays/pcache.c) in slapd in OpenLDAP before 2.3.39, when running as a proxy-caching server, allocates memory using a malloc variant instead of calloc, which prevents an array from being initialized properly and might allow attackers to cause a denial of service (segmentation fault) via unknown vectors that prevent the array from being null terminated."
}
},
{
"CVE-2011-4079": {
"cveid": "CVE-2011-4079",
"cvss_access_complexity": "Low",
"cvss_access_vector": "Network",
"cvss_authentication": "Requires single instance",
"cvss_availability_impact": "Partial",
"cvss_base": 4.0,
"cvss_confidentiality_impact": "None",
"cvss_exploit": 8.0,
"cvss_impact": 2.9,
"cvss_integrity_impact": "None",
"cvss_vector": [
"AV:N",
"AC:L",
"Au:S",
"C:N",
"I:N",
"A:P"
],
"cweid": "CWE-189",
"mod_date": "06-01-2017",
"pub_date": "27-10-2011",
"summary": "Off-by-one error in the UTF8StringNormalize function in OpenLDAP 2.4.26 and earlier allows remote attackers to cause a denial of service (slapd crash) via a zero-length string that triggers a heap-based buffer overflow, as demonstrated using an empty postalAddressAttribute value in an LDIF entry."
}
},
{
"BID-83610": {
"bugtraq_id": 83610,
"class": "Failure to Handle Exceptional Conditions",
"cve": [
"CVE-2006-6493"
],
"local": "no",
"remote": "yes",
"title": "OpenLDAP CVE-2006-6493 Remote Security Vulnerability"
}
},
{
"BID-83843": {
"bugtraq_id": 83843,
"class": "Failure to Handle Exceptional Conditions",
"cve": [
"CVE-2006-2754"
],
"local": "no",
"remote": "yes",
"title": "OpenLDAP CVE-2006-2754 Remote Security Vulnerability"
}
}
]When you perform the dagda.py vuln --init command for populating the database, a MongoDB database called vuln_database is created. In this database there are 10 collections:
- cve (Common Vulnerabilities and Exposure items) - source NVD NIST
- cve_info (Extends the information about CVE items)
- bid (BugTraqs Ids items from
http://www.securityfocus.com/) - source bidDB_downloader- bid_info (Extends the information about BugTraqs Ids items)
- exploit_db (Offensive Security - Exploit Database) - source Offensive Security
- exploit_db_info (Extends the information about exploits)
- rhba (Red Hat Bug Advisory) - source OVAL definitions for Red Hat Enterprise Linux 3 and above
- rhba_info (Extends the information about RHBAs)
- rhsa (Red Hat Security Advisory) - source OVAL definitions for Red Hat Enterprise Linux 3 and above
- rhsa_info (Extends the information about RHSAs)