Skip to main content

A tool to check linux kernel source dump for known CVEs

Project description

GitHub Actions status Supported Versions of Python PyPI package version

CVEhound

CVEhound is a tool for checking linux sources for known CVEs. The tool is based on coccinelle rules and grep patterns. The tool checks sources for vulnerable code patterns of known CVEs and missing fixes for them.

  • What: The tool tries to find "unfixed" code of known CVEs;
  • How: The tool uses coccinelle/grep rules with patterns that helps to detect known CVE bugs or their fixes. Thus, sources are checked either for a presence of "unfixed" code pieces (e.g. CVE-2020-12912), or for an absence of a fix (e.g. CVE-2020-26088);
  • Why: If you have a git log then it's easier to check what CVEs are fixed based on a git history. However, many vendors (samsung, huawei, various iot, routers manufacturers) publish kernel sources as archives without a development log. In most cases their kernels are based on LTS kernels, but versions are far from upstream. Linux version string from Makefile will only give you an information about what CVEs were fixed by kernel developers upto this version. It will not help you to understand what fixes were backported by a vendor itself. In this case it's possible to apply the tool and check "missing" CVE fixes.

CVEHound: Audit Kernel Sources for Missing CVE Fixes

Linux Security Summit 2021 Presentation (EN)

Linux Security Summit 2021 Presentation

ZeroNights 2021 Presentation (RU)

ZeroNights 2021 Presentation

Found issues in stable trees

Prerequisites

  • Python 3 (>=3.5)
  • pip (Python package manager)
  • grep with pcre support (-P flag)
  • coccinelle (>= 1.0.7)

Install prerequisites:

# Ubuntu, coccinelle uses libpython2.7 internally
# Seems like some ppas mark libpython dependency as optional
$ sudo add-apt-repository ppa:npalix/coccinelle
$ sudo apt install python3-pip coccinelle libpython2.7

# Fedora
$ sudo dnf install python3-pip coccinelle

# macOS
$ brew install coccinelle

Installation

To install the latest stable version just run the following command:

$ python3 -m pip install --user cvehound

For development purposes you may install cvehound in "editable" mode directly from the repository (clone it on your computer beforehand):

$ pip install -e .

To update the cve rules from github repository:

$ cvehound_update_rules

How to use

The simplest way to start using CVEhound is to run the following command:

$ cvehound --kernel ~/linux
Found: CVE-2020-27830
Found: CVE-2020-27152
Found: CVE-2020-29371
Found: CVE-2020-26088

where dir should point to linux kernel sources. CVEhound will check the sources for all cve patterns that you can find in cve dir. To check the sources for particular CVEs one can use:

$ cvehound --kernel ./linux --kernel-config --cve CVE-2020-27194 CVE-2020-29371
Checking: CVE-2020-27194
Found: CVE-2020-27194
MSG: bpf: Fix scalar32_min_max_or bounds tracking
CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer
FIX DATE: 2020-10-08 09:02:53
https://www.linuxkernelcves.com/cves/CVE-2020-27194
Affected Files:
 - linux/kernel/bpf/verifier.c: CONFIG_BPF & CONFIG_BPF_SYSCALL
   linux/.config: affected
Config: ./linux/.config affected

Checking: CVE-2020-29371
Found: CVE-2020-29371
MSG: romfs: fix uninitialized memory leak in romfs_dev_read()
CWE: Use of Uninitialized Resource
FIX DATE: 2020-08-21 16:52:53
https://www.linuxkernelcves.com/cves/CVE-2020-29371
Affected Files:
 - linux/fs/romfs/storage.c: CONFIG_ROMFS_FS
   linux/.config: not affected
Config: ./linux/.config not affected

Other args:

  • --report - will produce json file with found CVEs Most of metainformation in generated report is taken from linuxkernelcves.com
  • --kernel-config or --kernel-config <file> - will infer the kernel configuration required to build the affected code (based on Kbuild/Makefiles, ifdefs are not checked) and check kernel .config file if there is one
  • --files, --cwe - will limit the scope of checked cves to the kernel files of interest or specific CWE classes
  • --exploit - check only for CVEs that are known to be exploitable (according to the FSTEC BDU database)

LICENSE

Python code is licensed under GPLv3. All rules in cvehound/cve folder are licensed under GPLv2.

Acknowledgements

I would like to thank the following projects and people behind them:

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cvehound-1.2.1.tar.gz (2.9 MB view details)

Uploaded Source

Built Distribution

cvehound-1.2.1-py3-none-any.whl (1.3 MB view details)

Uploaded Python 3

File details

Details for the file cvehound-1.2.1.tar.gz.

File metadata

  • Download URL: cvehound-1.2.1.tar.gz
  • Upload date:
  • Size: 2.9 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.11.9

File hashes

Hashes for cvehound-1.2.1.tar.gz
Algorithm Hash digest
SHA256 3c6c0cb02e11d6862cb77764bae1b8545b4f8babdc950778f2a1edfda3d4339d
MD5 8e93b7570ce8a31af1d6be809616ceba
BLAKE2b-256 e054fdc7df3613ac9b2cd61597e00fb52ca0f10e089cf7ebe36a11026136fc11

See more details on using hashes here.

File details

Details for the file cvehound-1.2.1-py3-none-any.whl.

File metadata

  • Download URL: cvehound-1.2.1-py3-none-any.whl
  • Upload date:
  • Size: 1.3 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.0.0 CPython/3.11.9

File hashes

Hashes for cvehound-1.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a174a7a96294dde8e66c0de421cd8371418e9bbb92979ebaff56644753e82274
MD5 a15c33523c3358400e1c8f456a255daa
BLAKE2b-256 7d8b2bb18a66c32d537abf0e4903beef2309fc91c59158d0fe4491b6fe07d921

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page