Attacking CVE data with automation

Transcript

1. Gareth Rushgrove Attacking CVE data with automation

2. None

3. sdsd @garethr

4. - An introduction to CVEs - Sources of CVE data

   - Existing tools - Automation example

5. Common Vulnerabilities and Exposures

6. CVE is a list of information security vulnerabilities and exposures

   that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."
7. None

8. - CVE-2014-6271 - CVSS v2 Base Score: 10.0 HIGH -

   Access Vector: Network exploitable Access Complexity: Low Authentication: Not required to exploit Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
9. None

10. Sources of CVE data

11. None
12. None
13. None
14. None

15. And lots more...

16. Many operating system vendors publish CVE data for system packages

17. None
18. None

19. Naming things And other common problems

20. I posit that CVE Information is really only useful if

    you can tie it to a software product and version

21. CPE is a structured naming scheme for information technology systems,

    software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.

22. How do you link installed software to a CPE?

23. How do you link installed software to a CPE? Manually

24. Software packaging and distribution vs upstream versioning

25. Systemd v220 vs 215-17+deb8u7

26. The CVE dataset is centered around CVEs, not around software

27. sdsd Normalising data sets and Libraries.io

28. Programmatically retrieving a list of CVEs for a given software

    product is unfortunately non-trivial

29. High-level tools Applications you can use today

30. Lots of high-level tools exist to try and help with

    answering the question “am I vulnerable?”

31. sdsd Local CVE database

32. sdsd Windows developer tools

33. sdsd Java packages

34. sdsd Application dependencies

35. sdsd Containers

36. sdsd System scanner

37. And lots more...

38. However, very few security tools adhere to the unix philosophy

39. - Write programs that do one thing - Write programs

    to work together - Write programs to handle text streams

40. Automation example The live demo part

41. I have a list of installed software packages and their

    versions

42. I can get package and version information from puppet $

    puppet resource package

43. $ puppet resource package --param provider package: acl: ensure :

    '2.2.52-2' provider: 'apt' adduser: ensure : '3.113+nmu3' provider: 'apt' apt: ensure : '1.0.9.8.4' provider: 'apt'
44. None

45. I can get package and version information about containers with

    $ lumogon scan
46. None

47. $ lumogon scan {"$schema":"http://puppet.com/lumogon/core/draf t-01/schema#1","generated":"2017-08-07 11:35:16.6517922 +0000 UTC","owner":"default","group":["default"],"cli ent_version":{"BuildVersion":"development","Bui ldTime":"2017-05-11

    08:24:20 UTC","BuildSHA":"a7f2943697f83ba74514a0169890ec f8ad1cfacb"},"reportid":"c6a8731e-9681-4758-915 1-9c2699769418","containers":{"8c8024760f3e4692 e93c6f4f76dc56eaab879e56ace06f876afeccc5c615ac2 8":{"$schema":"http://puppet.com/lumogon/contai nerreport/draft-01/schema#1","generated":"2017- 08-07 11:35:16.1308581 +0000 UTC","container_report_id":"2e65f6e7-371d-4bae-

48. I’d like to know if any of those packages have

    known CVEs
49. None

50. Query our package list for known CVEs $ lumogon scan

    | findcve lumogon

51. Live Demo Klaxon

52. Summary If all you remember is...

53. - A central list of vulnerabilities is useful - Naming

    things is hard - CPE vs package managers vs GitHub - Still possible to build useful things - Requires work to normalize datasets

54. Questions? And thanks for listening