Attacking CVE data with automation

Talk about CVE data from CamSec. Discusses what CVEs are, problems with naming and versioning software, examples of tools which use the CVE database and how you can use it in your own custom tooling.

Gareth Rushgrove

August 10, 2017

Transcript

  1. Gareth Rushgrove Attacking CVE data with automation

  3. @garethr

  4. - An introduction to CVEs
    - Sources of CVE data
    - Existing tools
    - Automation example
  5. Common Vulnerabilities and Exposures

  6. CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."
  8. - CVE-2014-6271
    - CVSS v2 Base Score: 10.0 HIGH
    - Access Vector: Network exploitable
    - Access Complexity: Low
    - Authentication: Not required to exploit
    - Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
  10. Sources of CVE data

  15. And lots more...

  16. Many operating system vendors publish CVE data for system packages

  19. Naming things: And other common problems

  20. I posit that CVE Information is really only useful if you can tie it to a software product and version
  21. CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.
  22. How do you link installed software to a CPE?

  23. How do you link installed software to a CPE? Manually

  24. Software packaging and distribution vs upstream versioning

  25. Systemd v220 vs 215-17+deb8u7

  26. The CVE dataset is centered around CVEs, not around software

  27. Normalising data sets and Libraries.io

  28. Programmatically retrieving a list of CVEs for a given software product is unfortunately non-trivial
  29. High-level tools: Applications you can use today

  30. Lots of high-level tools exist to try and help with answering the question “am I vulnerable?”
  31. Local CVE database

  32. Windows developer tools

  33. Java packages

  34. Application dependencies

  35. Containers

  36. System scanner

  37. And lots more...

  38. However, very few security tools adhere to the Unix philosophy

  39. - Write programs that do one thing
    - Write programs to work together
    - Write programs to handle text streams
  40. Automation example: The live demo part

  41. I have a list of installed software packages and their versions
  42. I can get package and version information from puppet
    $ puppet resource package
  43. $ puppet resource package --param provider
    package:
      acl:
        ensure : '2.2.52-2'
        provider: 'apt'
      adduser:
        ensure : '3.113+nmu3'
        provider: 'apt'
      apt:
        ensure : '1.0.9.8.4'
        provider: 'apt'
  45. I can get package and version information about containers with
    $ lumogon scan
  47. $ lumogon scan
    {"$schema":"http://puppet.com/lumogon/core/draft-01/schema#1","generated":"2017-08-07 11:35:16.6517922 +0000 UTC","owner":"default","group":["default"],"client_version":{"BuildVersion":"development","BuildTime":"2017-05-11 08:24:20 UTC","BuildSHA":"a7f2943697f83ba74514a0169890ecf8ad1cfacb"},"reportid":"c6a8731e-9681-4758-9151-9c2699769418","containers":{"8c8024760f3e4692e93c6f4f76dc56eaab879e56ace06f876afeccc5c615ac28":{"$schema":"http://puppet.com/lumogon/containerreport/draft-01/schema#1","generated":"2017-08-07 11:35:16.1308581 +0000 UTC","container_report_id":"2e65f6e7-371d-4bae-
  48. I’d like to know if any of those packages have known CVEs
  50. Query our package list for known CVEs
    $ lumogon scan | findcve lumogon
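    The filtering step in this pipeline, as an added example that is not the talk's findcve tool or any project code: it reads a package listing in the shape of the puppet resource package output shown on slide 43 (a constructed sample, ensure lines only), strips the Debian epoch and revision to recover an upstream version, and filters the result against a constructed CVE table whose ids are placeholders. The YAML-like listing layout, the [lo, hi) affected-range format and the numeric-only version ordering are assumptions made for the example.

```python
import re

# Constructed sample in the shape of the talk's `puppet resource package` listing (ensure lines only).
PUPPET_OUTPUT = """\
package:
  acl:
    ensure: '2.2.52-2'
  systemd:
    ensure: '215-17+deb8u7'
  adduser:
    ensure: '3.113+nmu3'
"""

# Constructed CVE table with placeholder ids (not real CVEs): affected upstream range is [lo, hi).
CVE_TABLE = [
    {"id": "CVE-0000-0001", "product": "systemd", "affected": ("0", "220")},
    {"id": "CVE-0000-0002", "product": "acl", "affected": ("2.2.53", "2.3")},
]

def parse_packages(text):
    """Map package name -> installed version from the listing above."""
    pkgs, name = {}, None
    for line in text.splitlines():
        m = re.match(r"^  (\S+):$", line)
        if m:
            name = m.group(1)
        m = re.match(r"^    ensure\s*:\s*'([^']*)'$", line)
        if m and name:
            pkgs[name] = m.group(1)
    return pkgs

def upstream_version(deb_version):
    """Drop epoch and Debian revision: '1:215-17+deb8u7' -> '215'. A native
    package such as '3.113+nmu3' has no revision and comes back unchanged."""
    return re.sub(r"^\d+:", "", deb_version).rsplit("-", 1)[0]

def version_key(v):
    """Order versions by their numeric components only (enough for this sample)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def find_cves(pkgs, table=CVE_TABLE):
    """Return (package, installed version, cve id) for every matching table row."""
    hits = []
    for name, deb_version in pkgs.items():
        key = version_key(upstream_version(deb_version))
        for row in table:
            lo, hi = row["affected"]
            if row["product"] == name and version_key(lo) <= key < version_key(hi):
                hits.append((name, deb_version, row["id"]))
    return hits
```

    Feeding the sample through gives one hit, systemd 215-17+deb8u7, because its upstream version 215 falls below 220; acl 2.2.52 is outside its range and adduser has no table entry at all.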
  51. Live Demo Klaxon

  52. Summary: If all you remember is...

  53. - A central list of vulnerabilities is useful
    - Naming things is hard
    - CPE vs package managers vs GitHub
    - Still possible to build useful things
    - Requires work to normalize datasets
  54. Questions? And thanks for listening