-
-
Notifications
You must be signed in to change notification settings - Fork 238
Vulnerability detection
As the complete vulnerability detection is getting more and more complex, we try to document a short overview in here:
- The SBOM detection mechanism is based on the version detection regex rules defined here
- The detected version identifiere are modified with sed (same config) to query the cve database from here
- For the version (and CVE) detection by itself we have multiple modules:
- s06 for distribution identification (rules are coded in the module)
- s08 for package management
- s09 for static detection
- s24/s25 for kernel version detection
- s26 for kernel vulnerbility detection/verification based on the kernel config or extracted symbols
- s115/s116 for user-mode emulation
- L10/L15 for detection in system mode emulation via Nmap scanning
- L25 for web server detection (in system mode emulation)
- L35 for CVE detection via exploitation from Metasploit
- F20 is finally the aggregator module which brings everything together
As you can see the CVE/version detection is not that easy. Every module has its own advantages and disadvantages. Some are only running for special firmwares and if some special conditions are met.
EMBA - firmware security scanning at its best
Sponsor EMBA and EMBArk:
The EMBA environment is free and open source!
We put a lot of time and energy into these tools and related research to make this happen. It's now possible for you to contribute as a sponsor!
If you like EMBA you have the chance to support future development by becoming a Sponsor
Thank You ❤️ Get a Sponsor
You can also buy us some beer here ❤️ Buy me a coffee
To show your love for EMBA with nice shirts or other merch you can check our Spreadshop
EMBA - firmware security scanning at its best