Attacking CVE data with automation

Talk about CVE data from CamSec. Discusses what CVEs are, problems with naming and versioning software, examples of tools which use the CVE database and how you can use it in your own custom tooling.

Gareth Rushgrove

August 10, 2017
Transcript

  1. Gareth Rushgrove
    Attacking CVE data
    with automation

  3. @garethr

  4. - An introduction to CVEs
    - Sources of CVE data
    - Existing tools
    - Automation example

  5. Common Vulnerabilities
    and Exposures

  6. CVE is a list of information security vulnerabilities and
    exposures that aims to provide common names for
    publicly known cyber security issues. The goal of CVE
    is to make it easier to share data across separate
    vulnerability capabilities (tools, repositories, and
    services) with this "common enumeration."

  8. - CVE-2014-6271
    - CVSS v2 Base Score: 10.0 HIGH
    - Access Vector: Network exploitable
    - Access Complexity: Low
    - Authentication: Not required to exploit
    - Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

  10. Sources of CVE data

  15. And lots more...

  16. Many operating system
    vendors publish CVE data
    for system packages

  19. Naming things
    And other common problems

  20. I posit that CVE Information is
    really only useful if you can tie it
    to a software product and version

  21. CPE is a structured naming scheme for information
    technology systems, software, and packages. Based
    upon the generic syntax for Uniform Resource
    Identifiers (URI), CPE includes a formal name format, a
    method for checking names against a system, and a
    description format for binding text and tests to a name.

  22. How do you link installed
    software to a CPE?

  23. How do you link installed
    software to a CPE? Manually

  24. Software packaging and
    distribution vs upstream versioning

  25. Systemd v220 vs 215-17+deb8u7

  26. The CVE dataset is centered
    around CVEs, not around software

  27. Normalising data sets and Libraries.io

  28. Programmatically retrieving a list
    of CVEs for a given software
    product is unfortunately non-trivial

  29. High-level tools
    Applications you can use today

  30. Lots of high-level tools exist to
    try and help with answering the
    question “am I vulnerable?”

  31. Local CVE database

  32. Windows developer tools

  33. Java packages

  34. Application dependencies

  35. Containers

  36. System scanner

  37. And lots more...

  38. However, very few security tools
    adhere to the Unix philosophy

  39. - Write programs that do one thing
    - Write programs to work together
    - Write programs to handle text streams

  40. Automation example
    The live demo part

  41. I have a list of installed software
    packages and their versions

  42. I can get package and version
    information from puppet
    $ puppet resource package

  43. $ puppet resource package --param provider
    package:
      acl:
        ensure  : '2.2.52-2'
        provider: 'apt'
      adduser:
        ensure  : '3.113+nmu3'
        provider: 'apt'
      apt:
        ensure  : '1.0.9.8.4'
        provider: 'apt'

  45. I can get package and version
    information about containers with
    $ lumogon scan

  47. $ lumogon scan

  48. I’d like to know if any of those
    packages have known CVEs

  50. Query our package list
    for known CVEs
    $ lumogon scan | findcve lumogon
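    The pipeline above, as an added example that is not code from the talk or from the findcve or lumogon projects: a small Python script that parses the `puppet resource package` listing shown earlier, strips Debian epoch and revision suffixes so the packaged version can be compared with upstream numbering (the systemd 220 vs 215-17+deb8u7 problem), and checks the result against a local CVE dataset. The package list, the CVE dataset and its fixed-in versions are constructed for the demo, and CVE-EXAMPLE-0001 is a placeholder, not a real identifier.

```python
import re
# Constructed sample in the shape of the talk's `puppet resource package` listing.
PUPPET_OUTPUT = """package:
  acl:
    ensure  : '2.2.52-2'
    provider: 'apt'
  bash:
    ensure  : '4.3-11+deb8u1'
    provider: 'apt'
  systemd:
    ensure  : '215-17+deb8u7'
    provider: 'apt'
"""

# Constructed local CVE data: package -> [(upstream version the fix landed in,
# CVE id)]. Boundaries are illustrative; CVE-EXAMPLE-0001 is a placeholder.
LOCAL_CVES = {
    "bash": [("4.3.25", "CVE-2014-6271")],
    "systemd": [("220", "CVE-EXAMPLE-0001")],
}

def parse_puppet_packages(text):
    """Return {name: version} from the YAML-like puppet listing."""
    pkgs, current = {}, None
    for line in text.splitlines():
        name = re.match(r"^  (\S+):\s*$", line)
        if name:
            current = name.group(1)
            continue
        ver = re.match(r"^\s+ensure\s*:\s*'([^']*)'", line)
        if ver and current:
            pkgs[current] = ver.group(1)
    return pkgs

def upstream_version(distro_version):
    """Strip Debian epoch ('1:') and revision ('-17+deb8u7') to get upstream numbering."""
    return distro_version.split(":", 1)[-1].rsplit("-", 1)[0]

def version_key(version):
    """Numeric-aware comparison key; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.+~]", version))

def find_cves(pkgs, cves=LOCAL_CVES):
    """Flag packages whose upstream version predates the fix. Hits on distro
    packages need confirming with the vendor tracker: fixes are often backported."""
    return sorted((name, ver, cve)
                  for name, ver in pkgs.items()
                  for fixed_in, cve in cves.get(name, [])
                  if version_key(upstream_version(ver)) < version_key(fixed_in))
```

    Because Debian backports fixes without bumping the upstream version, a hit from this comparison is a candidate to check against the distribution's own security tracker, which is the point of slide 16.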

  51. Live Demo Klaxon

  52. Summary
    If all you remember is...

  53. - A central list of vulnerabilities is useful
    - Naming things is hard
    - CPE vs package managers vs GitHub
    - Still possible to build useful things
    - Requires work to normalize datasets

  54. Questions?
    And thanks for listening
