Detecting Backported Software (Versions) with Ident
February 16, 2020
One common challenge with version detection and inference-based vulnerability analysis – the kind we do in Ident and Core- is graceful handling of versions which appear to be vulnerable baed on their versions, but in reality have been backported.
What do we mean by backporting? Well, some operating systems (*ahem* Red Hat *ahem*) will apply security fixes and patches to previous version of a software package, but not update the software version. Rather, they update their own package version. The software keeps reporting the vulnerable version, but users are protected. This is commonly referred to as backporting.
This is actually a good thing for users, in general, but can result in some false positives when performing unauthenticated vulnerability assessments. So we need to prepare for it. To address this, we added a bit of sophistication to the ident library, which allows us to detect this behavior in cases where we know the operating system, and respond accordingly.
Below, you can see how our dynamic version detection for PHP, OpenSSL and Apache, all handle this by looking for the existence of RHEL, Red Hat or CentOS, and appending the “(Backported)” bit to the version string. Note that this might result in some false negatives, so we retain the version string for users.
You can see the full set of changes in the Ident repository on Github.
Now, we politely decline to infer these results, while retaining the version information and appending “(Backported)” to the version string. Which results in the following:
Core now gives the same result, as it uses the Ident project as a library, and benefits from changes in fingerprinting capabilities, automatically. .
The current Gem version is 0.92 and can be installed directly from Github. This change is also now live on Ident’s master branch, and you can quickly test it out using the pre-built docker image.