Over the past two years the UK, Singapore and the EU have all produced quite a few security regulations. For example, the UK Product Security and Telecommunications Infrastructure (PSTI) regime took effect in April 2024, and right now I am helping the company deal with the EU's Radio Equipment Directive delegated act (Radio Equipment Directive – Delegated Act, RED-DA for short), which applies from summer 2025 (1 August 2025).
What I know so far, roughly:
- If a product has network connectivity, it has to be assessed against the RED-DA requirements before it can be sold into EU countries
- There is no central authority that performs the testing. The big brands pick test labs they trust, have them test the product and issue a report, and keep that report on file so it can be produced when the product enters the EU and a report is demanded. (Formally this is the manufacturer's own conformity assessment under the CE marking; applying the harmonised EN 18031-1/-2/-3 standards gives presumption of conformity, and a notified body is involved where they cannot be applied.)
So what the product owner or the sales team actually has to do is quickly find a security test lab they trust and submit the product for testing. It is usually not cheap, and more importantly the lead time is not short: after signing and handing over the samples it typically takes several months before a report comes out. The report is also tied tightly to the product's usage scenario and to the brand, so an ODM cannot run one generic report and be done; each brand has to produce its own report in turn (using the same lab should earn some discount, since the lab does not have to rediscover the product and similar products let the verification go faster).
In short, there will be a round of work on the connected (IoT) devices, and the test lab in turn depends heavily on information supplied by the product company's IT department or the developers who did the R&D.
To speed up the report, the company can first run its own health check:
- Run a vulnerability scan against the networked device with OpenVAS Scanner or a similar tool
- Have the developers inventory the libraries the product uses and look them up in the CVE database; if a vulnerability turns up, assess how to update
- If, say, a Wi-Fi AP serves its admin page over http://192.168.1.1, it must at minimum also offer https://192.168.1.1 with a self-signed certificate. Generate that certificate's private key on each device at first boot rather than baking one shared key into the firmware image, otherwise a key extracted from any single unit lets anyone impersonate every unit; and redirect HTTP to HTTPS, since a self-signed certificate buys nothing if the credentials still travel over the plaintext port
The report covers a great many items, so the list above is just the part that can be self-checked; the rest is best left to the security vendor, let the professionals handle it.
A quick note on how to scan a device with OpenVAS. Naturally, this being the Docker era, you just run a container and you are done (well, almost). Tested and working on macOS 15 and Windows 11. One caveat before relying on the results: the mikesplain/openvas image is an OpenVAS 9 build (the openvas-check-setup output below says so), a generation Greenbone no longer maintains, so its vulnerability test feed is frozen and a scan will miss anything published since; for a real pre-assessment use the current Greenbone Community Edition containers instead.
C:\Users\User>docker run -p 8443:443 --name openvas mikesplain/openvas
Unable to find image 'mikesplain/openvas:latest' locally
latest: Pulling from mikesplain/openvas
34667c7e4631: Pull complete
d18d76a881a4: Pull complete
119c7358fbfc: Pull complete
2aaf13f3eff0: Pull complete
67b182362ac2: Pull complete
c878d3d5e895: Pull complete
ec12cc49fe18: Pull complete
c4c454aeebef: Pull complete
27d3410150b2: Pull complete
e08d578dc278: Pull complete
44951337cd32: Pull complete
8c7fe885e62a: Pull complete
a4f833680e45: Pull complete
Digest: sha256:23c8412b5f9f370ba71e5cd3db36e6f2e269666cd8a3e3e7872f20f8063b2752
Status: Downloaded newer image for mikesplain/openvas:latest
Testing redis status...
Redis not yet ready...
Redis ready.
Checking for empty volume
Restarting services
* Restarting openvas-scanner openvassd
...done.
* Restarting openvas-manager openvasmd
...done.
* Restarting openvas-gsa gsad
...done.
Reloading NVTs
Rebuilding NVT cache... done.
Checking setup
openvas-check-setup 2.3.3
Test completeness and readiness of OpenVAS-9
Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.
Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.3.
OK: OpenVAS Scanner CA Certificate is present as .
Then open https://localhost:8443/ on the local machine (the image's default login is admin/admin; change it if the container is reachable by anyone but you):
Add a task (the purple icon at top left) -> enter the device's IP -> under Actions at bottom right, remember to press the Play icon
After it has run for a while you get reports, such as whether the web server version has known vulnerabilities or whether the pages ship JavaScript libraries that need updating, for example:
At the CVE database (NVD) search page you type in the component you want to look up, e.g. curl, and so on
Of course, checking like this by hand is exhausting (Orz), so you can also apply for an NVD API key and query in batches; for details see:
Finally, playing with a small tool: pypi.org/project/cve-vulnerability-scanner/
% NVD_API_KEY='XXXX-XXXX-XXXX-XXXX' cve-vulnerability-scanner -p zlib -v 1.2.13 -o /tmp/output.md ; cat /tmp/output.md
Scanning zlib version 1.2.13
Loading cached data for zlib
Scan complete. Report generated in /tmp/output.md
# Security Vulnerability Report
Generated on: 2024-11-09 08:53:47
## zlib 1.2.13
### CVE-2023-45853
Severity: CRITICAL
CVSS Score: 9.8
Version Range: * to 1.3
Published: 2023-10-14T02:15:09.323
Last Modified: 2024-08-01T13:44:58.990
Description: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
### CVE-2023-48106
Severity: HIGH
CVSS Score: 8.8
Version Range: * to *
Published: 2023-11-22T18:15:09.630
Last Modified: 2023-12-02T00:27:03.327
Description: Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_resolve function in the mz_os.c file.
### CVE-2023-48107
Severity: HIGH
CVSS Score: 8.8
Version Range: * to *
Published: 2023-11-22T23:15:10.663
Last Modified: 2023-12-27T04:15:07.277
Description: Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_has_slash function in the mz_os.c file.
### CVE-2023-6992
Severity: MEDIUM
CVSS Score: 5.5
Version Range: * to 2023-11-16
Published: 2024-01-04T12:15:23.690
Last Modified: 2024-01-10T01:14:35.027
Description: Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow.
A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.
Patches: The issue has been patched in commit 8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.
### CVE-2003-0107
Severity: UNKNOWN
CVSS Score: 0.0
Version Range: * to *
Published: 2003-03-07T05:00:00.000
Last Modified: 2022-06-22T16:40:46.327
Description: Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.
### CVE-2004-0797
Severity: UNKNOWN
CVSS Score: 0.0
Version Range: * to *
Published: 2004-10-20T04:00:00.000
Last Modified: 2022-06-22T16:40:46.360
Description: The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).
### CVE-2005-2096
Severity: UNKNOWN
CVSS Score: 0.0
Version Range: * to *
Published: 2005-07-06T04:00:00.000
Last Modified: 2022-06-22T16:40:46.413
Description: zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
### CVE-2005-1849
Severity: UNKNOWN
CVSS Score: 0.0
Version Range: * to *
Published: 2005-07-26T04:00:00.000
Last Modified: 2022-06-22T16:40:46.380
Description: inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.
### CVE-2009-1391
Severity: UNKNOWN
CVSS Score: 0.0
Version Range: * to 2.015
Published: 2009-06-16T23:30:00.203
Last Modified: 2018-10-03T22:00:28.997
Description: Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
### CVE-2009-1391
Severity: UNKNOWN
CVSS Score: 0.0
Version Range: * to *
Published: 2009-06-16T23:30:00.203
Last Modified: 2018-10-03T22:00:28.997
Description: Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
This tool is purely for playing around; the hard part is matching the library name and the version, and the output above shows the problem. Of the nine entries, only CVE-2023-45853 is a zlib-proper finding that covers 1.2.13 (and even that is in MiniZip, which the NVD note says is not a supported part of zlib); CVE-2023-48106/48107 are zlib-ng's minizip-ng, CVE-2023-6992 is Cloudflare's fork, CVE-2009-1391 is the Perl Compress::Raw::Zlib binding (listed twice), and the 2003 to 2005 entries concern versions fixed long before 1.2.13. Those are keyword hits on "zlib", not matches on product and version. The tool is a rough sketch with a great deal of room for improvement, and honestly that room might as well be left to the professional security vendors, since this is an age of division of labour and the review takes a lot of people Orz