A lot of Linux vulnerabilities are located in a particular driver or subsystem, i.e. only afffect kernels with a particular configuration. Checking things manually is a tedious task, therefore licc aims to automatically check which CVEs apply to a particular kernel version and config.
licc takes the following inputs to work:
- the kernel version
- your kernel config
- the system cpu architecture
- (optionally) the kernel source
from these inputs, licc checks the NVD database and crosschecks all retrieved vulnerabilities for applicability for the specific kernel and generates a report.
In case you don't supply a custom source, licc will automatically fetch the kernel source for the supplied kernel version from kernel.org.
You can skip this part if you are familiar with running python scripts.
git clone https://github.com/vpav/licc
cd licc
pip install -r requirements.txt
Edit the example licc.ini.
All the following lines are expected to be present in the file.
[dirs]
# the base directory where licc will save downloaded kernel sources to
# each downloaded kernel takes ~500MB of space
KERNEL_SRC_DIR = /home/liccusr/local_data/kernel_source/
[kernel]
# edit parameters for the kernel you which to analyze
# KERNEL_CONFIG_FILE should point to the kernels build configuration
KERNEL_CONFIG_FILE = /path/to/your/kernel-config-5.4.0-122-generic
KERNEL_VERSION = "4.14.290"
KERNEL_ARCH = "aarch64"
[NIST]
# NIST NVD API Key
# Leave value empty if you don't have a key, requests will be slower though
APIKEY = 12345678-90ab-cdef-fedc-ba0987654321
[console]
# enable colored output - you might want to disable this if you
# are piping to a log file
CONSOLE_COLOR = TrueThese are your input parameters wich will change for every unique kernel you like to analyze. Provide the path to your kernel config file, your kernel version and the system architecture (x86, x64, ...).
You don't need a NIST API key but it is recommended as it will allow for faster CVE lookups. If you don't have an API key, leave the setting present but empty: APIKEY =
python licc.py
You can overwrite some of the settings using command-line options.
By default, licc loads ./licc.ini. If you want to work with multiple, preconfigured kernels you can change the config with
python licc.py --lconfig /path/to/a/different_config.ini
You can manually override one or more of the kernel specific-settings:
python licc.py --kversion 3.18.144 --arch arm32 --kconfig /path/to/my/3.18-config
licc currently supports reports as csv or xlsx files.
By default, licc creates a CSV report and saves it to ./export.csv
You can supply format and location:
python licc.py --out kernel-3.18.xslx --outformat xls
If you are using a vanilla kernel, i.e. an unmodified kernel using only the official sources from kernel.org, licc can automatically download the kernel source for you (default behavior)
If you are using a customized kernel, i.e. a modified kernel with code parts that are not available upstream, Richard Stallman is obviously not amused and puts you on his naughty-list. Nevertheless, you can specify the kernel sources manually:
python licc.py --src /path/to/my/custom/kernelsrc/
licc will list all vulnerabilities that apply to the supplied kernel version in general. For each of those, licc will give three relevant statements:
- verdict
- confidence
- reason
- APPLICABLE - The vulnerability applies to the specified kernel & config
- NOT APPLICABLE - The vulnerability does not apply to the specified kernel & config
- INCONCLUSIVE - Licc does not make a statement about applicability, i.e. you need to check
As some checks are not working precisely (yet) licc provides you with a statement about the result confidence, indicating low-confidence statements.
If a statement is given, the reason is outlined.
licc is primarily developed for people who are configuring and integrating kernels for their projects. I.e. those who compile the kernel.
In these cases your kernel config is the result of make menuconfig, make config or what ever flavor of make process you are using.
If you like to use licc to check a kernel you have not built yourself, you can check if one of the following files is present in your system:
/proc/config.gz/boot/config/boot/config-${kernel-version}
If present, that file is your kernel build config. Note: licc expects the config in plaintext, so in case of the first option you'd need to extract first:
zcat /proc/config.gz > kernelbuildconfig.txt
- as there is no formal way how components and subsystems are identified within the CVE/CPE system (i.e. it only sees the kernel is an atomic entity), therefore the matching currently only works on such vulnarabilities that mention a particular source file
- the CPE matching is lazily written it is possible that CVEs are included that are not affecting your kernel or any kernel at all
- kernel architecture is not considered yet
- the makefile parsing is also lazily written and does not account for conditional statements (
ifeq) yet. The user is warned though via a low confidence indication, if such makefile is encountered.